For the second time in just over a year, the city of Baltimore has been hit by a ransomware attack, affecting its computer network and forcing officials to shut down a majority of its computer servers as a precaution.
Ransomware works by encrypting files and locking them up so users can’t access them. The attackers then demand a ransom, typically in Bitcoin, in exchange for the decryption keys used to unlock the files.
The ransomware attack on Baltimore City Hall took place on Tuesday morning and infected the city’s technology systems with an unknown ransomware strain which, according to government officials, is apparently spreading throughout their network.
Read more »
Binance, one of the largest cryptocurrency exchanges in the world, confirmed today that the company lost nearly $40 million in Bitcoin in what appears to be its largest hack to date.
In a statement, Binance’s CEO Changpeng Zhao said the company discovered a “large scale security breach” earlier on May 7, as a result of which hackers were able to steal roughly 7000 bitcoins, worth $40.6 million at the time of writing.
News of the hack comes just hours after Zhao tweeted that Binance has “to perform some unscheduled server maintenance that will impact deposits and withdrawals for a couple of hours.”
Read more »
National CSIRT-CY would like to inform the general public about a new phishing campaign which sends emails containing a Word document that pretends to be a document scanned by a Xerox color multifunction machine.
The sender’s e-mail is: email@example.com with an IP address 188.8.131.52.
If you have received the following email, please DO NOT open the attached file because it contains malicious code. If the attached file has been opened, please contact us as soon as possible.
Read more »
A new ransomware has been discovered called MegaCortex that is targeting corporate networks and the workstations on them. Once a network is penetrated, the attackers infect the entire network by distributing the ransomware using Windows domain controllers.
In a new report, Sophos has stated that they have seen customers in the United States, Italy, Canada, France, the Netherlands, and Ireland being infected with this new ransomware.
As this is a fairly new ransomware, not much is currently known about its encryption algorithms, exactly how attackers are gaining access to a network, and whether ransom payments are being honored.
The MegaCortex Ransomware
Sophos has found that the Emotet or Qakbot trojans were present on networks that were also infected with MegaCortex, which may suggest that the attackers are paying trojan operators for access to infected systems, in a similar manner to Ryuk.
“Right now, we can’t say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) malware.”
While it is not 100% clear how bad actors are gaining access to a network, victims have reported to Sophos that the attacks originate from a compromised domain controller.
On the domain controller, Cobalt Strike is dropped and executed to create a reverse shell back to an attacker-controlled host.
Using this shell, the attackers remotely access the domain controller and configure it to distribute a copy of PsExec, the main malware executable, and a batch file to all of the computers on the network. The batch file is then executed on each machine remotely via PsExec.
Read more »
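The distribution step described above (PsExec pushing the same batch file to every workstation from the domain controller) leaves a recognisable footprint in Windows event logs: a service installation (System event 7045, default service name PSEXESVC) followed by a child process of that service launching the script. The following is an added detection example written for this page, not code from Sophos or from any tool named above. It runs three rules over a constructed JSON-lines export of Windows events (the hostnames, share path and timestamps are invented): PsExec service installs, batch scripts executed under the PsExec service, and the same script fanning out to several hosts.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in the style of a SIEM JSON-lines export.
# These records are invented for this example and are not logs from any
# incident described on this page.
SAMPLE_LOG = r"""
{"ts": "2019-05-03T02:14:07Z", "host": "WS-017", "channel": "System", "event_id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2019-05-03T02:14:09Z", "host": "WS-017", "channel": "Security", "event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \\\\DC01\\deploy\\stage.bat", "ParentProcessName": "C:\\Windows\\PSEXESVC.exe"}
{"ts": "2019-05-03T02:14:07Z", "host": "WS-021", "channel": "System", "event_id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2019-05-03T02:14:10Z", "host": "WS-021", "channel": "Security", "event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \\\\DC01\\deploy\\stage.bat", "ParentProcessName": "C:\\Windows\\PSEXESVC.exe"}
{"ts": "2019-05-03T09:00:00Z", "host": "WS-005", "channel": "System", "event_id": 7045, "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"}
{"ts": "2019-05-03T09:01:00Z", "host": "WS-005", "channel": "Security", "event_id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\alice\\backup.bat", "ParentProcessName": "C:\\Windows\\explorer.exe"}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_psexec_service_installs(events):
    """Hosts where PsExec's default service (PSEXESVC) was installed.

    Event 7045 is written to the System log whenever a service is created.
    A renamed PsExec service would not match this rule, which is why the
    parent-process rule below exists as an independent check.
    """
    hosts = set()
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        name = ev.get("ServiceName", "").upper()
        image = ev.get("ImagePath", "").upper()
        if name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"):
            hosts.add(ev["host"])
    return sorted(hosts)


# A .bat or .cmd path anywhere in a command line (no spaces in the path).
BATCH_RE = re.compile(r"(\S+\.(?:bat|cmd))\b", re.IGNORECASE)


def find_remote_batch_execution(events):
    """(host, script path) pairs for batch scripts launched by a child of the
    PsExec service, i.e. scripts that were pushed and run remotely.

    Event 4688 (process creation) must have command-line auditing enabled
    for the CommandLine field to be populated.
    """
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        parent = ev.get("ParentProcessName", "").upper()
        if not parent.endswith("PSEXESVC.EXE"):
            continue
        match = BATCH_RE.search(ev.get("CommandLine", ""))
        if match:
            hits.append((ev["host"], match.group(1)))
    return hits


def find_fanout(events, min_hosts=2):
    """Scripts run through PsExec on at least `min_hosts` distinct hosts.

    One script landing on many machines is the distribution pattern the
    MegaCortex report describes. The threshold of 2 is a constructed value;
    tune it to the environment.
    """
    by_script = defaultdict(set)
    for host, script in find_remote_batch_execution(events):
        by_script[script.lower()].add(host)
    return {s: sorted(h) for s, h in by_script.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("PsExec service installs:", find_psexec_service_installs(evs))
    print("Remote batch execution:", find_remote_batch_execution(evs))
    print("Fan-out:", find_fanout(evs))
```

The benign record for WS-005 (a user-launched backup.bat under explorer.exe) is deliberately included so the parent-process rule shows why matching on the script extension alone is not enough.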
Attackers are targeting GitHub, GitLab, and Bitbucket users, wiping code and commits from multiple repositories, according to reports, and leaving behind only a ransom note and a lot of questions.
The targets who had their repos compromised use multiple Git-repository management platforms, with the only other connection between the reports besides Git being that the victims were using the cross-platform SourceTree free Git client [1, 2, 3, 4].
One user supposedly received a statement from Atlassian, the company behind Bitbucket and SourceTree, saying that:
“Within the past few hours, we detected and blocked an attempt — from a suspicious IP address — to log in with your Atlassian account. We believe that someone used a list of login details stolen from third-party services in an attempt to access multiple accounts.”
Read more »
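The Atlassian statement quoted above describes credential stuffing: a list of credentials leaked from other services is replayed against many accounts from one source address. The following is an added detection example written for this page, not code from Atlassian, Bitbucket or SourceTree. It runs over a constructed authentication log (the addresses are from documentation ranges and the accounts are invented) and flags any source IP that tries at least `min_accounts` distinct usernames inside a sliding time window, reporting how many attempts failed and which accounts were nonetheless logged into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "timestamp source_ip username result".
# Invented for this example; not data from any service named on this page.
SAMPLE_AUTH_LOG = """\
2019-05-03T01:00:01Z 203.0.113.45 alice@example.org FAIL
2019-05-03T01:00:02Z 203.0.113.45 bob@example.org FAIL
2019-05-03T01:00:03Z 203.0.113.45 carol@example.org FAIL
2019-05-03T01:00:04Z 203.0.113.45 dave@example.org FAIL
2019-05-03T01:00:05Z 203.0.113.45 erin@example.org FAIL
2019-05-03T01:00:06Z 203.0.113.45 frank@example.org OK
2019-05-03T01:05:00Z 198.51.100.7 carol@example.org FAIL
2019-05-03T01:05:20Z 198.51.100.7 carol@example.org FAIL
2019-05-03T01:05:40Z 198.51.100.7 carol@example.org OK
2019-05-03T02:00:00Z 203.0.113.9 dave@example.org OK
"""


def parse_auth_log(text):
    """Parse whitespace-separated login records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "OK",
        })
    return events


def find_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt `min_accounts` or more distinct accounts
    within `window`. For each flagged IP the densest window is reported.

    The 10-minute window and the threshold of 5 are constructed values; a
    single user mistyping their own password (one account, a few failures)
    never crosses the distinct-account threshold.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it is within `window` of `ev`.
            while evs[start]["ts"] < ev["ts"] - window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_accounts:
                continue
            if len(users) > alerts.get(ip, {}).get("accounts_tried", 0):
                alerts[ip] = {
                    "accounts_tried": len(users),
                    "failures": sum(1 for e in span if not e["ok"]),
                    # Accounts that accepted a replayed credential: these need
                    # a forced password reset, not just the IP being blocked.
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The "compromised" list is the actionable output: blocking the source address stops the run, but an account that returned OK during the run has to be treated as taken over, which is the situation the repository-wiping reports above describe.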