By Waqas
Cyber Warfare Takes Flight: Geopolitics Fuel Attacks on Airlines - Dark Web Tool Aims at E-commerce!
This is a post from HackRead.com Read the original post: Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted

Cybersecurity researchers have published two concerning reports where the first report highlights the surge in cyber attacks against the aviation and aerospace industries – And the second report exposes a dark web tool called TMChecker fueling attacks against E-commerce platforms.

Recent cyber incidents targeting the aerospace and aviation sectors have raised concerns about the industry’s vulnerability to malicious attacks, according to a report by Resecurity. The report highlights the critical need for strong cybersecurity risk assessments to protect airports and aviation infrastructure.

The aerospace sector, including the design, manufacturing, and maintenance of aircraft and spacecraft, has become a prime target for cyberattacks due to its reliance on interconnected digital infrastructures and global supply chains.

The integration of Industrial Internet of Things (IIoT) technologies has further strengthened this threat, making aerospace organizations more vulnerable and susceptible to cyber attacks.

Credit: Resecurity

****Ransomware Attacks & The Aviation Industry****

Ransomware emerges as a top threat facing the aviation industry, with a 600% increase in occurrences reported by Boeing Chief Security Officer Richard Puckett at the 2023 Aviation Week MRO Americas Conference.

The European Organisation for the Safety of Air Navigation (Eurocontrol) also highlighted ransomware as the sector’s leading attack trend in 2022, accounting for 22% of all malicious incidents. Some of the examples highlighted in the report include the LockBit ransomware gang’s attack on Boeing in November 2023, which the aviation giant later confirmed.

****Geopolitical tensions & The Aviation Industry****

According to Resecurity’s blog post titled “The Aviation And Aerospace Sectors Face Skyrocketing Cyber Threats,” geopolitical tensions and the designation of aerospace and aviation as critical infrastructure by the U.S. government have fueled cyberattacks targeting the industry.

Threat actors, including hacktivist collectives, are increasingly targeting aviation organizations to advance political agendas or disrupt operations. One such example is the hacktivist group Anonymous Sudan which targeted FlyDubai, an Emirati government-owned airline in Dubai, United Arab Emirates in February 2024 citing the company’s alleged support to the Rapid Support Forces (RSF) in Sudan.

Other recent cyberattacks targeting the aerospace sector include Distributed Denial of Service (DDoS) attacks by groups such as Mysterious Team Bangladesh (MTB) against Saudi Arabian airports and ALTOUFAN TEAM against Gulf Air.

> In stand with our steadfast Palestinian people in Gaza Strip in their brave and honorable resistance,ALTOUFAN TEAM targets companies normalized with the Zionist entity , Bahrain International Airport and the Bahraini national carrier “Gulf Air” servers and website…… pic.twitter.com/OKOhR12M3S
> 
> — ALTOUFAN TEAM (@altoufanteam) November 22, 2023

Additional incidents involve ransomware attacks on airlines like Air Albania and Continental Aerospace Technologies, compromising critical data and disrupting operations.

**T**MChecker – Dark Web Tool Targeting Remote Access and E-Commerce Platforms****

In another report published on March 13, 2024, Resecurity detailed a new cybersecurity threat named TMChecker that has surfaced on the Dark Web, posing a notable risk to remote-access services and popular e-commerce applications.

Developed by an actor known as “M762” on the Russian language XSS cybercrime forum, TMChecker is a sophisticated tool that combines corporate access login (log) checking capabilities with a brute-force attack kit. Available for a monthly subscription fee of $200, TMChecker has garnered attention for its ability to target a wide range of VPN gateways, email servers, and e-commerce platforms.

Credit: Resecurity

TMChecker stands out from similar tools like ParanoidChecker due to its focus on corporate remote access gateways, which are often primary targets for ransomware attacks and other malicious activities. The tool supports 17 solutions, including Cisco VPN, Citrix VPN, Office 365, WordPress, Magento, and cPanel, among others, making it a versatile and powerful weapon.

Cybercriminals exploit TMChecker to identify compromised data containing valid credentials for corporate VPN and email accounts. In one observed incident, threat actors used TMChecker to target the email server of a government organization in Ecuador, demonstrating the tool’s real-world impact.

M762 operates a Telegram channel with over 3,270 subscribers, potentially indicating a sizable user base for TMChecker. The addition of such tools aligns with a concerning trend highlighted in recent Microsoft research, which noted a significant increase in human-operated ransomware attacks.

These attacks often involve the abuse of remote monitoring and management tools, leaving behind less evidence compared to automated attacks delivered through malicious documents.

As TMChecker and similar tools lower the barriers to obtaining remote access credentials, the risk of destructive ransomware attacks and other malicious campaigns amplifies. This threat is particularly acute in the context of mergers and acquisitions, where cybercriminals target vulnerable organizations to exploit for financial gain.

1.  Cl0p ransomware gang hits Aviation giant Bombardier
2.  Hackers Uncover Airbus EFB App Flaws, Risking Aircraft Data
3.  Israeli: Hackers Targeted EL AL Flights in Mid-Air Hijack Attempt
4.  Military Satellite Access Sold on Russian Hacker Forum for $15,000
5.  Hackers posing as LinkedIn recruiters to scam military, aerospace firms

Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted

By Deeba Ahmed
Mikhail Vasiliev, a Russian-Canadian citizen faces four years in a Canadian prison and is likely to be extradited to the US after completing his sentence.
This is a post from HackRead.com Read the original post: LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

Mikhail Vasiliev was also fined $860,000 for his involvement in the LockBit gang’s attacks. This case highlights the international effort to combat cybercrime and the severe consequences awaiting perpetrators.

A Russian-Canadian citizen, Mikhail Vasiliev, has been sentenced to nearly four years in prison for his involvement in the notorious **LockBit ransomware operation**. Vasiliev will also pay $860,000 in restitution to his Canadian victims.

Vasiliev’s lawyer reportedly argued that he turned to cybercrime due to financial difficulties during the **COVID-19 pandemic**.  However, Justice Michelle Fuerst rejected this justification, calling Vasiliev a _Cyber Terrorist_ whose actions were motivated by _greed_ and his crimes were “_far from_ _victimless crimes_.”

Investigations revealed Vasiliev’s role as a key member of the LockBit ransomware gang, involved in a significant number of cyberattacks with ransom demands ranging between €5m-€70 million. Vasiliev took responsibility for his actions, as confirmed by his lawyer Louis Strezos.

Vasiliev, 34, was arrested in October 2022 from his residence in Bradford, Ontario where he had moved from Moscow 20 years ago. He pleaded guilty in February 2024 to stealing victims’ computer data and using it for extortion.

Moreover, according to Canadian media **reports**, he admitted targeting at least three Canadian organizations, encrypting their data, and seeking ransom payments between 2021-2022, making $100 million in ransom demands for the gang from around 1,000 cyberattacks on victims in the U.S. and globally,

Vasiliev primarily targeted businesses in Saskatchewan, Montreal, and Newfoundland. His attacks likely caused significant disruptions and financial losses to the targeted businesses.

In November 2022, the US Department of Justice announced separate charges for his involvement in LockBit attacks. Vasiliev is set to be extradited to the U.S. for facing these additional charges

**LockBit, active since 2020**, operates under a ransomware-as-a-service (RaaS) business model, where affiliates exploit intrusions and deploy ransomware in exchange for some percentage of ransom payment.

In 2023, the gang gained significant profits from targeting companies like Boeing and Allen & Overy and exploited the **Citrix bleed security flaw** tracked as CVE-2023-4966 (CVSS score: 9.4).

LockBit’s infrastructure was **dismantled** by the law enforcement authorities in February 2024 as part of Operation Cronos with the seizure of 34 servers and 200 cryptocurrency accounts. Just a week after its seizure, LockBit **reemerged** with new leak sites, but RaaS is unlikely to recover. It claimed Operation Cronos was successful due to its negligence in updating PHP settings.

So far, Authorities have arrested six suspects in connection to LockBit, including Vasiliev, Ruslan Magomedovich Astamirov who was arrested **in June 2023**, two Russian nationals Artur Sungatov and Ivan Kondratyev, alias Bassterlord, and two others **arrested** in Ukraine and Poland.

Vasiliev’s potential extradition is a sign of growing international cooperation in combating cybercrime and serves as a warning to other gangs involved in such activities.

1.  Ragnar Locker Ransomware Dismantled, Key Suspect Arrested
2.  Alcasec Hacker, aka “Robin Hood of Spanish Hackers,” Arrested
3.  Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US
4.  LockBit ransomware blames victim for DDoS attack on its website
5.  Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

By Waqas
Another day, another cyber attack on a local council in England!
This is a post from HackRead.com Read the original post: Leicester City Council’s IT System and Phones Down Amid Cyber Attack

Leicester City Council grapples with a cyber attack, causing major disruption to residents. IT systems and phone lines remain down as authorities work to restore crucial services. Recovery is expected by midweek.

Leicester City Council continues to face disruption after a cyber attack forced them to shut down IT systems and phone lines last Thursday (March 7, 2024). While the nature of the attack remains undisclosed, officials are working alongside cybersecurity specialists and law enforcement to assess the damage and restore functionality.

“This incident highlights the growing vulnerability of local authorities to cyber threats,” said Richard Sword, strategic director of city developments and neighbourhoods at Leicester City Council. “Our priority is to minimize disruption to critical services and get our systems back online as swiftly as possible.”

The council anticipates a phased recovery process, prioritizing the restoration of essential services by midweek. Residents seeking urgent assistance can utilize the emergency phone lines established on the council’s website.

****Limited Services and Public Frustration****

The shutdown has caused significant inconvenience for residents. Essential services like council tax payments and license renewals are currently unavailable. Local Green Party councillor Patrick Kitterick expressed concern, stating the prolonged outage poses a serious challenge, especially considering the council’s role in civil emergency response.

****Ransomware Attack or Not?****

Since it’s not clear whether the incident was a ransomware attack or a DDoS attack, we reached out to William Wright, CEO of Closed Door Security, for his insights. Given the history of cyber attacks on local councils, William cautioned that this might turn out to be a costly and disruptive ransomware attack.

“We don’t know what type of attack Leicester City Council is suffering from but given the recent spate of ransomware attacks targeting public authorities, it’s likely to be ransomware,” William said.

He warned that the government must take action to tackle the vulnerable situation. “Earlier this week, the government responded to a report from a Parliamentary Committee on ransomware, which said it was not doing enough to keep the country safe from the threat, but the government didn’t agree with the findings, maybe this latest attack on Leicester City Council will act as a wake-up call.”

****Further Developments Expected****

Leicester City Council is expected to provide updates on the situation as progress is made. Residents are encouraged to visit the council’s website for the latest information and alternative contact methods.

This attack comes amidst a concerning trend targeting local government bodies across the UK. The incident also goes on to show the need for basic cybersecurity measures including employee training to protect critical infrastructure from sophisticated cyber threats.

1.  Freecycle Data Breach Impacts 7 Million Users
2.  UK Power and Data Manufacturer Volex Hit by Cyberattack
3.  Anonymous Sudan DDoS Attack on London Internet Exchange
4.  Hackers Attack UK’s Nuclear Waste Services Through LinkedIn
5.  Contractor Database Leaks Irish Police Vehicle Seizure Records

Leicester City Council’s IT System and Phones Down Amid Cyber Attack

By Deeba Ahmed
In June 2023, Xplain, a Swiss IT services provider, fell victim to a cyberattack claimed by the Play ransomware group.
This is a post from HackRead.com Read the original post: Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

Following the cyberattack on Swiss IT service provider, Xplain, details of the leaked data have been disclosed in a press release from the Swiss National Center for Cybersecurity (NCSC) – The Federal Office for Cybersecurity (BACS) has also taken part in the investigation.

The department analyzed the data leaked stolen by the Play ransomware group from Xplain, which is a “major provider of IT services to national and cantonal authorities,” the department confirmed.

****Background****

Back in May 2023, hackers exploited a vulnerability to target Xplain servers hosting applications for cantonal services, blocking access until a key or unblocking tool is sent in exchange for ransom. The attack, carried out by the Play ransomware group, had far-reaching consequences, impacting the Federal Office of Police, the Federal Office of Customs and Border Protection, Swiss Federal Railways and Aargau cantonal authorities.

In June 2023, Swiss federal government websites and the Swiss Federal Railways’ online portal were targeted in DDoS attacks, causing several websites to be unavailable. The finance ministry reported on 12 June 2023 that a pro-Russian group, “NoName,” claimed responsibility for the attack on its Telegram channel and that no data was lost in the attack. This group was also involved in the attack on the Swiss parliament website earlier in June 2023.

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

As per NCSC’s press release published earlier today, the BACS then took over the coordination of incident response within the federal administration and analysis of leaked data. A policy strategy crisis team was formed on 28 June and an administrative investigation was launched officially on 23 August to find out details of data leak at Xplain.

Official dark web leak site on the Play ransomware group (Screenshot: Hackread.com)

****Report Details****

The BACS emphasized that the report focuses on data types and analysis challenges, not the content of leaked data. Around 70% (around 47,413) of files belong to Xplain and 14% (9,040) to the Federal Administration.  Hackers have leaked 95% of the 9040 files belonging to the Swiss federal government, mainly from the Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration, and ISC-FDJP. 

Around half of the Federal Administration’s files contain sensitive content like personal data, technical information, classified information, and passwords, with 4,779 files containing personal data, and 278 files containing technical information. 121 objects were dubbed classified under the Information Protection Ordinance with 4 of them containing readable passwords.

The department aims to collaborate with authorities and Xplain to address potential consequences. This investigation is expected to be completed in March 2024.

****About Play Ransomware Group****

The Play ransomware group is believed to be based in Russia and is responsible for around 300 successful attacks on businesses and critical infrastructure in North America, South America, and Europe from June 2022 to October 2023. The group uses a double extortion model, ranging from unauthorized access to external services like RDP and VPN.

1.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals
2.  LockBit Ransomware Gang Returns, Taunts FBI, Vows Data Leaks
3.  LoanDepot Ransomware Attack Leads to Data Breach; 17M Impacted
4.  Schneider Electric Energy Giant Confirms Cactus Ransomware Attack
5.  TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware

Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

By Deeba Ahmed
Another day, another Linux malware!
This is a post from HackRead.com Read the original post: New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

Linux Users Beware: “Spinning YARN” Malware Campaign Targets Misconfigured Servers Running on Apache Hadoop YARN, Docker, Confluence and Redis.

Cado Security Labs has discovered an emerging Linux malware campaign dubbed Spinning Yarn targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis web-facing services. 

The emergence of the new Linux malware shouldn’t come as a surprise, given the recent surge in threats targeting Linux devices and servers. Just a couple of days ago, an old Linux malware known as Bifrost RAT resurfaced with a new variant that mimics VMware domains.

According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. 

These services are crucial components in organizations’ IT infrastructure. Docker is critical for developing, deploying, and managing containerized applications. Apache Hadoop allows distributed processing of large datasets. Redis, a widely used in-memory data store, helps in caching real-time applications, and Confluence allows collaboration and knowledge management.

By compromising these applications, attackers can gain unauthorized access to systems, steal sensitive data, disrupt operations, or deploy ransomware, posing a significant threat to servers and critical infrastructure.

In Spinning Yarn, threat actors have used several unique payloads, including four Golang binaries that automate the discovery and infection of hosts and let them exploit code. They use Confluence to exploit common misconfigurations and vulnerabilities, launching Remote Code Execution (RCE) attacks and infecting new hosts.

The attackers exploit CVE-2022-26134, an n-day vulnerability in Confluence, and deploy a container for the Docker compromise. The vulnerability has been exploited since 2022, including by Mirai malware variant V3G4 against IoT devices for DDoS attacks

Further probing revealed a series of shell scripts and standard Linux attack techniques used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to compromised hosts. They also deploy an instance of the Platypus open-source reverse shell utility to maintain access.

In an attempt to evade detection, multiple user-mode rootkits are deployed. Researchers observed that the shell script payloads employed in this campaign share similarities with those used in previous cloud attacks.

In their blog post, Cado Security Labs detailed initial access activity on a docker Engine API honeypot on this IP address: 47966971. The attacker spawned a new container using Alpine Linux and created a bind mount for the underlying server’s root directory. This technique is common in Docker attacks, allowing attackers to write files to the host and execute a job for the Cron scheduler eventually achieving RCE.

In this campaign, the attacker wrote an executable and registered a Cron job to execute base64-encoded shell commands. Such extensive attack on Linux applications demonstrates attackers’ growing sophistication in targeting web-facing services in cloud environments, keeping abreast of vulnerabilities.

To mitigate the risks from campaigns like Spinning Yarn, regularly update software, enable strong passwords, educate employees on cybersecurity best practices, segment your network to limit potential damage, and deploy security solutions like endpoint security solutions and firewalls to detect and prevent malware infections. This will help protect against known vulnerabilities and ensure a secure environment.

1.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
2.  Free Download Manager Site Pushed Linux Password Stealer
3.  Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
4.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

By Waqas
Logged out of your Meta Platform services?
This is a post from HackRead.com Read the original post: Meta Platforms Face Outage: Facebook, Instagram, Messenger, Threads Down

You are not alone, Facebook, Instagram, Messenger and Threads are down worldwide.

Users of Meta Platforms’ services, including Facebook, Instagram, Messenger, and Threads, are currently experiencing difficulties accessing their accounts. Reports indicate a widespread outage impacting individuals globally.

Starting around 4:30 PM GMT, a surge in user reports on Downdetector, a platform tracking online outages, signaled login issues across all four platforms. Users attempting to log in have encountered error messages, with some being logged out unexpectedly. The problem appears to be affecting users on both desktop and mobile applications.

Instagram error (screenshot: Hackread.com)

Meta Platforms has yet to acknowledge the outage on its official communication channels officially, but it’s expected that the company is actively investigating the cause of the issue.

The full extent of the outage remains unclear, but it’s evident that it’s not limited to just Facebook. Downdetector is currently swamped with user reports for all four affected platforms, suggesting a significant disruption to Meta’s services.

Here’s what we know so far:

*   **The outage began around 4:30 PM GMT.**
*   **Both desktop and mobile platforms seem to be affected.**
*   **Meta Platforms has not yet officially acknowledged the issue.**
*   **Users across the globe are facing problems accessing Facebook, Instagram, Messenger, and Threads.**

This is a developing story, and we will update this article as more information becomes available. We advise users to monitor Meta’s official channels for further updates and avoid attempting repeated logins to prevent potential account security issues.

1.  Video Chat Website Omegle Permanently Shuts Down
2.  ChatGPT Down? Anonymous Sudan Claims Responsibility
3.  ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Meta Platforms Face Outage: Facebook, Instagram, Messenger, Threads Down

Red Hat Security Advisory 2024-0269-03 - An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0269.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Run Once Duration Override Operator for Red Hat OpenShift 1.1.0 for RHEL 9  
Advisory ID:        RHSA-2024:0269-03  
Product:            Run Once Duration Override Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0269  
Issue date:         2024-02-28  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Run Once Duration Override Operator for Red Hat OpenShift is an optional  
operator that makes it possible to override activeDeadlineSecondsOverride  
field during pod admission.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2253193  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://issues.redhat.com/browse/OCPBUGS-25123  
https://issues.redhat.com/browse/WRKLDS-897

Red Hat Security Advisory 2024-0269-03

By Waqas
LoanDepot identified the ransomware attack on January 4, 2024
This is a post from HackRead.com Read the original post: LoanDepot Ransomware Attack Leads to Data Breach; 17 Million Impacted

LoanDepot suffered a ransomware attack exposing the sensitive data of nearly 17 million individuals including PII data – Now, the company is offering credit monitoring and working to mitigate potential damage.

A major ransomware attack leading to a massive data breach at LoanDepot, a leading mortgage lender, has exposed the personal information of nearly 17 million individuals. In a **data breach notification** to Maine’s attorney general’s office, the company confirmed that the breach took place on January 3, 2024, and was discovered a day later on January 4.

****The Breach:****

Details surrounding the attack remain limited, but LoanDepot acknowledges unauthorized access to their systems, potentially compromising sensitive customer data. While the specific types of information exposed haven’t been confirmed, the letter sent to the **victims of the data breach** suggests it could include their full name, address, email address, financial account numbers, social security number, phone number, and date of birth.

****Impact on Individuals:****

LoanDepot estimates that approximately 16.9 million (16,924,071) individuals have been affected. This includes current and former customers, as well as individuals who inquired about loan products but ultimately did not pursue them.

The company has begun notifying affected parties through letters and emails, outlining the potential scope of the breach and offering resources to help them protect themselves.

****LoanDepot’s Response:****

LoanDepot took immediate action to contain the attack and secure their systems. They launched an investigation in collaboration with cybersecurity experts and notified law enforcement authorities. Additionally, the company has offered one year of complimentary credit monitoring and identity theft protection services to all impacted individuals.

****Uncertainties and Concerns:****

The full extent of the damage caused by this attack remains unclear. The potential for **identity theft** and financial fraud is a significant concern for millions of individuals.

LoanDepot is urging affected individuals to remain alert and take proactive steps to safeguard their personal information, including being cautious of suspicious emails or phone calls, monitoring credit reports for unauthorized activity, and considering placing a freeze on their credit files.

****Regulatory and Legal Ramifications:****

The LoanDepot data breach is likely to attract scrutiny from regulators and may lead to legal repercussions. The Federal Trade Commission (**FTC**) is responsible for enforcing data privacy regulations, and they may investigate the incident to determine if LoanDepot followed appropriate data security practices. Further, affected individuals may have legal recourse against LoanDepot for failing to protect their personal information.

For insights into the LoanDepot data breach, we reached out to **Javvad Malik**, Lead Security Awareness Advocate at KnowBe4 who stated “This breach at LoanDepot is a reminder of the far-reaching consequences of ransomware attacks and it’s concerning to see the scale and sensitivity of the data involved, particularly the inclusion of Social Security numbers, which opens up Pandora’s box of identity theft and financial fraud possibilities.”

Javvad emphasised the importance of employee training within the organisations especially those responsible for data handling. “This incident highlights the critical need for organizations, especially those handling vast amounts of personal information, to invest in strong cybersecurity measures, including threat detection, response strategies, and most importantly, providing employees with timely and relevant security awareness and training.”

****Ransomware Gangs****

While the LoanDepot data breach was confirmed in January 2024, the specific ransomware group responsible for the attack hasn’t been officially disclosed by the company or law enforcement agencies as of today, February 26, 2024.

Nevertheless, ransomware is one of the most prevalent threats to organizations of all sizes. While the United States has **vowed** to take strict measures against ransomware groups, with LockBit ransomware’s recent **demise** and **resurrection**, it is obvious that these groups are here to stay and plan to cause long-term damage.

****Moving Forward:****

While the immediate aftermath of the LoanDepot data breach is concerning, the company’s commitment to transparency and its efforts to mitigate the damage are positive steps. Individuals must remain informed, take appropriate precautions, and actively monitor their financial information to minimize the potential impact of this incident.

1.  **5 Biggest Ransomware Attacks of All Time**
2.  **Kaspersky Reveals Alarming IoT Threats, Dark Web DDoS Boom**
3.  **Ransomware Attack Disrupts Services in 18 Romanian Hospitals**
4.  **Schneider Electric Energy Giant Confirms Cactus Ransomware Attack**
5.  **Hackers Leak 2.5M Private Plane Owners’ Data in LA Intl. Airport Breach**

LoanDepot Ransomware Attack Leads to Data Breach; 17 Million Impacted

By Waqas
You are not alone, an AT&T outage is happening across the United States, and the company is working…
This is a post from HackRead.com Read the original post: AT&T Outage Disrupts Service for Millions of Users Across US

You are not alone, an AT&T outage is happening across the United States, and the company is working to bring back service to normal.

Millions of AT&T customers across the United States woke up to widespread service disruptions on Thursday, February 22nd, 2024. The outage, which began early in the morning, has impacted mobile phone service, leaving users unable to make and receive calls, text messages, and access data.

Reports from users and outage tracking websites like Downdetector indicate the issue is nationwide, affecting major cities like New York, Los Angeles, Chicago, Dallas, and Atlanta. Social media is flooded with complaints from frustrated customers, many unable to connect with loved ones or conduct essential business activities.

The cause of the outage remains unclear. AT&T has yet to officially comment on the issue, leaving users in the dark about the root cause and expected resolution timeframe. This lack of communication is further adding to the frustration of affected customers.

**Cyber Attack?**

The cause behind the widespread outage affecting AT&T services across the United States remains uncertain, with conflicting reports suggesting it could be either a cyber attack or technical issues. Users across various regions have reported difficulties accessing wireless services, prompting concerns about the extent and nature of the disruption.

****AT&T is Aware!****

Although some users are reporting on social media that their service has been restored, on X (formerly Twitter), AT&T stated, “Some of our customers are experiencing wireless service interruptions. We are working urgently to restore service to all who are impacted.” It is worth noting that the company also provided a link to visit and keep an eye on updates.

Ironically, that link was also down and showing an error message to visitors. However, according to a live outage map from Down Detector, a platform that monitors internet outages, AT&T is still facing service issues across the United States.

The potential impact of this outage is significant. Disruptions to mobile phone service can hinder communication, impact emergency services for some, and cause inconvenience for countless individuals and businesses relying on their mobile devices for daily activities.

While AT&T is working to restore service, no estimated time for resolution has been announced. In the meantime, users are advised to:

*   **Use Wi-Fi calling:** If available, utilize Wi-Fi calling to make and receive calls over a Wi-Fi network.
*   **Stay informed:** Check the AT&T website and social media for updates on the outage.
*   **Consider alternative communication methods:** Explore options like text messaging apps or social media to connect with others if unable to use your phone.

This latest outage highlights the critical role of reliable mobile phone service in today’s interconnected world. It also underscores the importance of clear and timely communication from service providers during such disruptions to minimize inconvenience and ensure user safety.

As the situation unfolds, we will continue to monitor developments and provide updates on this evolving story.

1.  **ChatGPT Down? OpenAI Blames Outages on DDoS Attacks**
2.  **Amazon Web Services suffer outage taking popular sites down**
3.  **Facebook down with Messenger, Instagram, WhatsApp disruption**

AT&T Outage Disrupts Service for Millions of Users Across US

By Deeba Ahmed
Migo Malware Campaign: User-Mode Rootkit Hides Cryptojacking on Linux Systems.
This is a post from HackRead.com Read the original post: New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

New “Migo” malware targets Linux servers, exploiting Redis for cryptojacking. Using a user-mode rootkit, hides its activity, making detection difficult. Secure your Redis servers and stay alert!

A sophisticated Linux malware campaign has been discovered **targeting Redis**, a popular data store system, to gain initial access using “System Weakening Commands,” revealed Cado Security Labs.

Cado researchers disclosed that the malware, dubbed Migo, exploits Redis for **cryptojacking**. The attackers execute commands on their target’s Redis servers to disable configuration options and make them vulnerable before deploying the payload.

The primary payload, Migo, is a Golang ELF binary that retrieves an **XMRig installer** from GitHub. Redis system weakening commands are used to disable configuration options, such as protected mode and replica-read-only, using CLI commands to execute malicious payloads from external sources like **Pastebin** to mine cryptocurrency in the background.

For your information, Protected mode is a Redis server operating mode introduced in version 3.2.0 to mitigate potential network exposure. It only accepts connections from the loopback interface and is likely disabled at initial access to allow attackers to send additional commands.

Conversely, the replica-read-only feature in Redis prevents accidental writes to replicas that may result in out-of-sync. Cado researchers report exploitation of this feature for malicious payload delivery, with Migo attackers likely disabling it for future Redis server exploitation.

Migo uses compile-time obfuscation and a user-mode rootkit ‘libprocesshider,’ to hide processes and artefacts, making it difficult for security analysts to detect and mitigate the threat. Once the miner is installed, Migo sets XMRig’s configuration to query system information, including logged-in users and resource limits.

“It also sets the number of Huge Pages available on the system to 128, using the vm.nr\_hugepages parameter. These actions are fairly typical for cryptojacking malware,” Matt Muir, Cado Security’s security researcher noted in a **blog post**.

It executes shell commands to copy the binary, disable SELinux, identify uninstallation scripts, execute the miner, kill competing processes, register persistence, and prevent outbound traffic to specific IP addresses and domains.

Moreover, Migo relies on systemd service and timer for persistence and the developers have obfuscated symbols and strings in the pclntab structure to complicate the malware analysis process. The involvement of a user-mode rootkit also complicates post-incident forensics of compromised hosts, and libprocesshider hides on-disk artefacts.

Migo’s emergence shows that cloud-focused attackers are continually refining their techniques and focused on exploiting web-facing services. They used Redis system weakening commands to disable security features, a move not previously reported in campaigns exploiting Redis for initial access, researchers concluded.

****RELATED ARTICLES****

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Hackers behind Mirai botnet to avoid jail for working with the FBI**
3.  **Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai**
4.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

Tag

#ddos