Tux Machines
Posted by Roy Schestowitz on Aug 23, 2023
> In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.
> At the beginning of July, an Estonian healthcare institution notified CERT-EE of a [successful] cyber attack.
> "The file server of the hospital had been wiped of data relating to the day-to-day operations and administration of the institution, but the health records of patients remained intact," RIA said.
> The ransomware group known as BlackCat and ALPHV has now taken credit for the attack and has started leaking files apparently taken from Seiko systems after the victim refused to respond to its extortion attempts.
> The cybercriminals claim to have stolen 2 Tb worth of files, including employee information, production technology details, video and audio recordings of management meetings, emails, and copies of passports belonging to employees and foreign visitors.
> Following initial reporting on HiatusRAT, the threat actor changed tactics and, in attacks observed in June 2023, shifted focus to performing reconnaissance against a US military procurement system and to targeting Taiwan-based organizations.
> Despite our prior reporting, this group continued with their operations nearly unabated; in a truly brazen move, they recompiled malware samples for different architectures that contained the previously identified C2 servers. The actor then hosted this newly compiled malware on different procured virtual private servers (VPSs), one of which was used almost exclusively to target entities across Taiwan, including commercial firms and at least one municipal government organization. We subsequently observed a different VPS node performing a data transfer with a U.S. military server used for contract proposals and submissions. Given that this website was associated with contract proposals, we suspect the threat actor could gather publicly available information about military requirements, or search for organizations involved in the Defense Industrial Base (DIB).