This major criminal hacking group just switched to ransomware attacks

A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become as a money-making tool for cyber criminals.

Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a ‘well-established financial crime group’ which has conducted some of the longest-running hacking campaigns.

The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.

For example, in just one week, Mandiant observed concurrent campaigns targeting pharmaceuticals, shipping and logistics industries in both North America and Europe.

But despite attacks targeting a wide variety of organisations around the world, many of the initial phishing campaigns are still customised on a target-by-target basis for the maximum possible chance of encouraging a victim to download a malicious Microsoft Office attachment which says macros must be enabled.

This starts an infection chain which creates multiple backdoors into compromised systems, as well as the ability to grab admin credentials and move laterally across networks.


FIN11 campaigns initially revolved around embedding themselves into networks in order to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.

With finances being the focus of the group, it’s likely FIN11 sold this information to other cyber criminals on the dark web, or simply exploited the details for their own gain.

WISeKey’S AIoT SOLUTIONS OFFER THE BEST PROTECTION AGAINST CYBER ATTACKS ON CONNECTED CARS

Geneva, October 13, 2020 – WISeKey International Holding Ltd. (“WISeKey” NASDAQ: WKEY; SIX Swiss Exchange: WIHN), a cybersecurity company delivering AIoT Integrated Security Platforms, today announced that its cybersecurity offering (hardware and software platform) for connected cars addresses safety and security issues arising from system vulnerabilities.

WISeKey entered the connected car security segment in 2019 when Daimler AG started to use its technology to validate the authenticity of different vehicle components, protect onboard communication between vehicle components and provide over-the-air software updates. The automotive industry is facing a major cybersecurity challenge due to digitalization: Big Data coming from multiple connected sources in the car, including its operating system, is only getting larger and more complex, making it increasingly difficult for connected car manufacturers to analyze and protect the connected car against cyber threats. The best way to cut through the data clutter and identify potential attacks is by leveraging AI for behavioral analysis of the data.

Additionally, WISeKey PKI’s authentication certificates are used by employees, dealers and suppliers to access car components to diagnose mechanical/technical issues and update software, from any location. The WISeKey PKI platform also allows users to securely interact with a car’s smart features using smartphones and other devices. This includes the integration of WISeKey IoT and PKI with the manufacturer’s connected car solutions, allowing them to authenticate legitimate car components and enabling owners to securely interact with the car’s smart features.

“As the connected car industry continues to evolve, essentially becoming software on a metal shield, cars are vulnerable to the very same threats and attacks as home computers, laptops and smartphones. Unless appropriate cybersecurity measures are implemented, hackers can remotely access the vehicle’s computer system, manipulate the brakes, engine, and transmission. Our tamperproof

Ransomware operators now outsource network access exploits to speed up attacks

Ransomware operators are now turning to network access sellers in their droves to cut out a difficult step in the infection process. 

On Monday, Accenture’s Cyber Threat Intelligence (CTI) team released new research on emerging cybersecurity trends, including an investigation into the nature of relationships between ransomware operators and exploit sellers. 

According to Accenture senior security analysts Thomas Willkan and Paul Mansfield, buying network access and already-compromised routes into a target system is rising in popularity, including the purchase of stolen credentials and vulnerabilities.

During attacks, ransomware operators must first find an entry point into a network. Compromised employee accounts, misconfigurations in public-facing systems, and vulnerable endpoints may all be used to deploy this particular family of malicious code, leading to the encryption of files and disks and a demand for payment in return for a decryption key.


It is hard to estimate how many successful ransomware attacks have taken place this year. Europol believes that these specific attacks often go unreported, with only major incidents — such as the recent death of a woman in need of urgent care who was forced to divert from Duesseldorf hospital due to a ransomware infection — becoming public knowledge. 

Paying a ransom these days can reach six-figure sums, or more, depending on the target and their estimated worth. Now, ransomware groups are seeking to cut out the initial access stage of an attack, speeding up the process — and potentially the opportunity for illicit revenue.

Network access sellers typically develop an initial vulnerability and then sell their work in underground forums for anywhere between $300 and $10,000. 

The majority of network access offerings in the underground will include the target by industry and the type of access, ranging from Citrix

Flightradar24 website Hit By Three Suspected DDoS Attacks In 48 Hours Prompting Wild Conspiracy Theories

Someone hiding in the long shadows of the Internet has taken against the world’s most popular flight tracking website, Flightradar24.

The Swedish company hasn’t confirmed it suffered a Distributed Denial of Service (DDoS) attack but that seems the most likely explanation for a series of outages and general instability that affected the site from the early afternoon of September 27 ET.

After subscribers took to forums to muse on odd communication errors and empty maps on the mobile app, the company’s Twitter feed initially put the issue down to “network problems.”

Cue further problems and a flurry of updates over the following 24 hours and suddenly the feed’s explanation turned from gremlins in the data center to something more significant:

“For the third time in two days Flightradar24 is under attack. Our engineers are working to mitigate the attack as quickly as possible and we hope to be back tracking flights soon. We appreciate your patience and apologize for the inconvenience.”

The good news is that by Tuesday, September 29, the site was available again without issues.

DDoS attacks aren’t a surprise – frankly it’d be more of a surprise if a day passed without a large site experiencing some form of traffic issue – but potentially suffering three in rapid succession, each large enough to disrupt a popular service, always stands out.

For those unfamiliar with the joys of Flightradar24, it is used by its two-million-strong fan base across the globe to track 180,000 aircraft movements per day in real time, complete with airspeed, altitude, flight heading, aircraft type, registration number, and airline identifier.

In late 2018, aviation enthusiasts were even able to use it to unmask President Trump’s unscheduled trip to Iraq on call sign Air Force One, after