Search Results for “Bleeping Computer”


March 9, 2020
Lawrence Abrams / Bleeping Computer

City of Durham, North Carolina Shuts Down Computer Network Following Ryuk Ransomware Attack

After suffering a Ryuk ransomware attack over the weekend, the city of Durham, North Carolina, has shut down its network. To stop the spread of the malware, the City of Durham has “temporarily disabled all access into the DCI Network for the Durham Police Department, the Durham Sheriff’s Office, and their communications center.”

April 8, 2020
Brian Krebs / Krebs on Security

Microsoft Buys Domain Corp.Com to Protect Countless Windows Computers from Criminals, Owner Had Been Asking $1.7 Million for It

Microsoft has agreed to buy the domain Corp.com in a bid to keep it out of the hands of those who might abuse its power. The domain can give the owner access to a constant stream of passwords, email, and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe. Mike O’Connor, who bought corp.com 26 years ago, was asking for $1.7 million for the prized domain, which decades ago was used as an internal Microsoft company domain as part of Microsoft’s innovation called Active Directory. Many companies adopted the Microsoft setting that used corp.com without modifying it to use a domain they controlled. Hundreds of millions of laptops probably still attempt to access that internal domain, leaving them ripe for abuse by whichever entity owns it. So Microsoft bought it, although terms of the deal were not disclosed.

May 1, 2020
Lawrence Abrams / Bleeping Computer

Hackers Allegedly Affiliated With the Maze Ransomware Gang Broke Into the Network of Costa Rica’s Banco BCR Twice, Claim to Have Stolen 11 Million Credit Card Credentials and Other Data

A hacking attack allegedly conducted by the operators of the Maze ransomware allowed the attackers to gain access to the network of Banco BCR, the state-owned Bank of Costa Rica, and steal 11 million credit card credentials along with other data. On their data leak site, the hackers claim to have gained access to Banco BCR’s network in August 2019, but did not proceed with encrypting the devices as “the possible damage was too high.” They said the bank never secured its networks, allowing them to hack in again in February 2020. Of the eleven million, four million are said to be unique, and 140,000 allegedly belong to people from the USA. The hackers told Bleeping Computer that they have tried to contact the bank multiple times with a ransom demand and may sell the data on the dark web.

April 22, 2020
Lawrence Abrams / Bleeping Computer

City of Torrance Hit by DoppelPaymer Ransomware According to Malware’s Web Page, Hackers Leak Alleged Files and Claim to Have Encrypted 150 Servers, 500 Workstations

The City of Torrance, California, a suburb of Los Angeles, has allegedly been attacked by the DoppelPaymer ransomware, having unencrypted data stolen and devices encrypted, according to an updated site called Dopple Leaks created by the ransomware purveyors. That site has a page titled “City of Torrance, CA,” containing numerous leaked file archives allegedly stolen from the City during the ransomware attack. The attackers are demanding a 100 bitcoin ($689,147) ransom for a decryptor, to take down the files that have already been publicly leaked, and not to release more stolen files. In an email to Bleeping Computer, the DoppelPaymer operators stated that in an attack on March 1st, they erased the City’s local backups and then encrypted approximately 150 servers and 500 workstations.

May 22, 2020
Lawrence Abrams / Bleeping Computer

RagnarLocker Ransomware Now Evades Detection By Using Virtual Machines to Execute Ransomware and Encrypt Files

A relatively new ransomware called RagnarLocker that targets corporate networks is deploying Windows XP virtual machines to encrypt victims’ files while evading detection by security software installed on the host, researchers at Sophos say. Best known for its attack on energy giant Energias de Portugal (EDP), RagnarLocker has a history of using novel methods to evade detection when deploying its ransomware on a network. Not only does RagnarLocker terminate security programs before encrypting, but it also stops managed service provider (MSP) utilities to prevent them from detecting and stopping an attack. To accomplish this, it uses VirtualBox Windows XP virtual machines to execute the ransomware and encrypt files so that the activity is not recognized by security software running on the host.

Related: DataBreachToday.com, Infosecurity Magazine, Cybersecurity Insiders, Pocket-lint, TechNadu, ZDNet Security, Sophos, Underground Tradecraft, TechTarget, SC Magazine, Naked Security



March 19, 2020
Lawrence Abrams / Bleeping Computer

TrickBot and Emotet Trojans Exploit Coronavirus Fears by Wrapping Themselves in Text From Legit News Stories

The TrickBot and Emotet Trojans have started to wrap themselves in text from coronavirus news stories in an attempt to bypass security software that uses artificial intelligence and machine learning to detect malware, while using a ‘crypter’ to obfuscate or encrypt the malicious code. The goal of this masquerade is to make the malware appear harmless and thus FUD (Fully UnDetectable) to antivirus software. TrickBot and Emotet samples seen by BleepingComputer use strings taken from CNN news stories as part of the malware’s file description.

April 13, 2020
Lawrence Abrams / Bleeping Computer

New MBRLockers That Wipe Machines Via Free Software and Crack Sites Aim to Tarnish the Reputations of Two Respected Security Researchers

A malware distributor has decided to play a malicious prank by locking victims’ computers before they can start Windows and then blaming the infection on two well-known and respected security researchers, Vitali Kremez and MalwareHunterTeam, who have nothing to do with the malware. After downloading and installing software from what appear to be free software and crack sites, victims suddenly find that they are locked out of their computer before Windows starts through the use of an MBRLocker, which replaces the master boot record of the computer. Another variant being distributed, calling itself “SentinelOne Labs Ransomware,” targets only Vitali Kremez and discloses his email addresses and phone numbers.

April 17, 2020
Sergiu Gatlan / Bleeping Computer

GitHub Users Are Targets of ‘Sawfish’ Phishing Campaign Designed to Steal Credentials, Take Over Accounts

GitHub’s Security Incident Response Team (SIRT) said that GitHub users are currently being targeted by a phishing campaign dubbed Sawfish specifically designed to collect and steal their credentials via landing pages mimicking GitHub’s login page. Aside from taking over their accounts, the attackers are also immediately downloading the contents of private repositories, including but not limited to “those owned by organization accounts and other collaborators.” Once the attackers take over the accounts, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account to preserve access if the user changes their password, GitHub warns. The campaign targets users working for tech companies from multiple countries using email addresses obtained from public commits, with the emails delivered from legitimate domains, either using previously-compromised email servers or with the help of stolen API credentials for legitimate bulk email service providers. GitHub users are advised to reset their passwords immediately, reset their two-factor recovery codes, review their personal access tokens, and take any other necessary steps to protect their accounts.

April 2, 2020
Sergiu Gatlan / Bleeping Computer

Hackers Are Brute-Forcing Vulnerable Microsoft SQL Servers to Install Cryptominers, Backdoors in ‘Vollgar’ Campaign

Hackers have been brute-forcing between 2,000 and 3,000 vulnerable Microsoft SQL (MSSQL) servers daily to install cryptominers and remote access Trojans (RATs) since May 2018, researchers at Guardicore report. The campaign has been dubbed Vollgar because the crypto-mining scripts it deploys on compromised MSSQL servers mine for Monero (XMR) and Vollar (VDS) cryptocurrency. The affected MSSQL servers are mostly those with weak credentials. Guardicore therefore advises users not to expose MSSQL database servers to the Internet, and to use segmentation and whitelist access policies to make them accessible only to specific machines on an organization’s network.

Related: The Hacker News, Security Affairs, CSO Online, Decrypt, GuardiCore



May 7, 2020
Lawrence Abrams / Bleeping Computer

Hacker Is Selling Account Information For 22 Million Users of India’s Largest Online Learning Platform Unacademy Following Breach

India’s largest online learning platform Unacademy has suffered a data breach after a hacker gained access to its database and started selling the account information of close to 22 million users, researchers at Cyble discovered. The database includes usernames, SHA-256 hashed passwords, date joined, last login date, email addresses, first and last names, and whether the account is active, a staff member, or a superuser. The hacker most likely breached Unacademy’s systems around January 26th, 2020. Numerous accounts using corporate emails exist in the database as well, including accounts from Wipro, Infosys, Cognizant, Google, and Facebook. In a conversation seen by BleepingComputer, the hackers state that they have stolen much more than just the user database. Unacademy users are strongly advised to change their passwords.