cyberveille.decio.ch
UNC4393 Goes Gently into the SILENTNIGHT
In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site purporting over 500 victims since inception. Over the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.
Don’t Let Your Domain Name Become a “Sitting Duck”
More than a million domain names -- including many registered by Fortune 100 firms and brand protection companies -- are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars,…
Risk assessment report on cyber resilience on EU’s telecommunications and electricity sectors
EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published the first report on the cybersecurity and resilience of Europe’s telecommunications and electricity sectors.
Certificate Revocation Incident
DigiCert will be revoking certificates that did not have proper Domain Control Verification (DCV). Before issuing a certificate to a customer, DigiCert validates the customer’s control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF). One of these methods relies on the customer adding a DNS CNAME record which includes a random value provided to them by DigiCert. DigiCert then does a DNS lookup for the domain and verifies the same random value, thereby proving domain control by the customer..
'Fortune 50' Company Made Record-Breaking $75M Ransomware Payment
A major company made a staggering $75 million ransomware payment to hackers earlier this year, according to cybersecurity vendor Zscaler. Zscaler made the claim in a Tuesday report examining the latest trends in ransomware attacks, which continue to ensnare companies, hospitals, and schools across the country.
Nouvelles vagues de vandalisme sur les fibres optiques : Internet perturbé en France - Next
Cette nuit, de nouveaux actes de vandalisme viennent perturber l’accès à Internet cette fois-ci. Selon nos informations, des fibres « longhaul » (longues distances, généralement plusieurs centaines de kilomètres) sont coupées à plusieurs endroits, provoquant des perturbations au niveau national. Les fibres relient des grandes villes – Paris, Lille, Strasbourg, Marseille, Lyon… – et servent d’artères pour Internet.
CrowdStrike is sued by shareholders over huge software outage
CrowdStrike (CRWD.O), opens new tab has been sued by shareholders who said the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the July 19 global outage that crashed more than 8 million computers. In a proposed class action filed on Tuesday night in the Austin, Texas federal court, shareholders said they learned that CrowdStrike's assurances about its technology were materially false and misleading when a flawed software update disrupted airlines, banks, hospitals and emergency lines around the world.
'Error' in Microsoft's DDoS defenses amplified Azure outage
o you have problems configuring Microsoft's Defender? You might not be alone: Microsoft admitted that whatever it's using for its defensive implementation exacerbated yesterday's Azure instability. No one has blamed the actual product named "Windows Defender," we must note. According to Microsoft, the initial trigger event for yesterday's outage, which took out great swathes of the web, was a distributed denial-of-service (DDoS) attack. Such attacks are hardly unheard of, and an industry has sprung up around warding them off.
IBM: Cost of a breach reaches nearly $5 million, with healthcare being hit the hardest
Businesses that fall victim to a data breach can expect a financial hit of nearly $5 million on average — a 10% increase compared to last year — according to IBM’s annual report on cybersecurity incidents.
Cyberattack hits blood-donation nonprofit OneBlood
A cyberattack has hit a blood-donation nonprofit that serves hundreds of hospitals in the southeastern US. The hack, which was first reported by CNN, has raised concerns about potential impacts on OneBlood’s service to some hospitals, multiple sources familiar with the matter said, and the incident is being investigated as a potential ransomware attack.
CrowdStrike's Impact on Aviation
Just after midnight Eastern Time on July 19, 2024, the enterprise cybersecurity company CrowdStrike YOLOed a software update to millions of Windows machines. Or as they put it: On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. That sensor configuration update caused the largest IT outage in history.
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Microsoft Security Blog
Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network. In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.