Tag Archive for: warn

CISA, Partners Warn Organizations of Akira Ransomware Attacks


The Cybersecurity and Infrastructure Security Agency and its U.S. and international partners have released a joint cybersecurity advisory, or CSA, warning organizations against the Akira ransomware that has targeted critical infrastructure entities in North America, Europe and Australia.

The CSA outlines known tactics, techniques and procedures used by Akira ransomware operators and indicators of compromise to help organizations respond to ransomware attacks, CISA said Thursday.

According to the advisory, Akira threat actors have deployed a Linux variant targeting VMware ESXi virtual machines after initially focusing on Windows systems.

As of January, the ransomware group has targeted more than 250 organizations and gained approximately $42 million in ransomware proceeds.

Beginning in August 2023, some Akira attacks started deploying Megazord, a Rust-based variant, while others continued to use the original Akira ransomware written in C++; both encrypt victims' files.

CISA and its partners encourage organizations to implement the mitigations outlined in the CSA to reduce the impact of Akira ransomware attacks.

Source…

🚪 These video doorbells have terrible security, consumer experts warn


On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door.

If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away.

Blair had pulled similar images from connected doorbells at other CR employees’ homes and from a device in our Yonkers, N.Y., testing lab. While we expected him to gain access to these devices, it was still a bit shocking to see photos of the journalist’s deck and backyard. After all, video doorbells are supposed to help you keep an eye on strangers at the door, not let other people watch you.

Blair was able to capture those images because he and fellow test engineer David Della Rocca had found serious security flaws in this doorbell, along with others sold under different brands but apparently made by the same manufacturer. The doorbells also lack a visible ID issued by the Federal Communications Commission (FCC) that’s required by the agency’s regulations, making them illegal to distribute in the U.S.

Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S.

Previously, regulators have asserted that thousands of unsafe products, including potentially dangerous children’s sleepwear, carbon monoxide detectors and dietary supplements, have been widely available on Amazon.

“Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” said Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products.”

Consumer Reports warn of security flaws in certain doorbell cameras (Copyright 2024 by WKMG ClickOrlando -…

Source…

US cyber and law enforcement agencies warn of Phobos ransomware attacks

Pierluigi Paganini
March 02, 2024

US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024

US CISA, the FBI, and MS-ISAC issued a joint cyber security advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.

The attacks were observed as recently as February 2024 and targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.

The Phobos operation, which has been active since May 2019, uses a ransomware-as-a-service (RaaS) model.

Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.

Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks in two ways: through phishing campaigns that deliver hidden payloads, or by using internet protocol (IP) scanning tools such as Angry IP Scanner to find exposed Remote Desktop Protocol (RDP) ports on Microsoft Windows hosts and then attacking RDP directly.

“Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.” reads the joint CSA. “Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in…
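The initial-access chain described above (find an exposed RDP service, guess passwords with a brute-force tool, then log on) leaves a recognisable trail in standard Windows Security events: a burst of 4625 (failed logon) records from one source address, followed by a 4624 (successful logon) from the same address. The Python below is an added example, not code from the advisory or the article: it runs a simple threshold detection over a constructed, simplified flattening of those events (timestamp, event ID, logon type, account, source IP) and reports each source that crossed the failure threshold and whether a logon then succeeded from it. The field layout, the threshold and window values, and the sample log lines are assumptions made for the example.

```python
"""Detect RDP password guessing followed by a successful logon in Windows
Security events (4625 = failed logon, 4624 = successful logon).

Added example; not from the CSA. The log format is a constructed,
pipe-separated flattening of the relevant event fields:
    <ISO timestamp>|<event id>|<logon type>|<account>|<source ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumed, not real telemetry).
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is what
# RDP with Network Level Authentication records for the pre-auth step.
SAMPLE_LOG = """\
2024-02-10T02:14:01|4625|10|administrator|203.0.113.7
2024-02-10T02:14:03|4625|10|administrator|203.0.113.7
2024-02-10T02:14:05|4625|10|admin|203.0.113.7
2024-02-10T02:14:07|4625|10|backup|203.0.113.7
2024-02-10T02:14:09|4625|10|svc_sql|203.0.113.7
2024-02-10T02:14:12|4625|10|it_admin|203.0.113.7
2024-02-10T02:14:15|4624|10|it_admin|203.0.113.7
2024-02-10T09:00:00|4625|10|jsmith|10.0.0.15
2024-02-10T09:00:20|4624|10|jsmith|10.0.0.15
2024-02-10T09:30:00|4624|2|jsmith|-
"""

RDP_LOGON_TYPES = {"10", "3"}


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": logon_type,
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that produced `threshold` failed RDP
    logons inside `window`. Each finding records how many failures fell in
    the window, which accounts were tried, and whether a 4624 from the same
    source followed within the window (the guess-then-log-on pattern)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        # Only remote logon types with a real source address are of interest.
        if e["logon_type"] in RDP_LOGON_TYPES and e["src"] != "-":
            by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i in range(len(failures)):
            j = i + threshold - 1          # index of the threshold-th failure
            if j >= len(failures):
                break
            if failures[j]["time"] - failures[i]["time"] > window:
                continue                   # burst too slow; slide forward
            start = failures[i]["time"]
            end = start + window
            in_window = [e for e in failures if start <= e["time"] <= end]
            success = next(
                (e for e in evs
                 if e["event_id"] == 4624
                 and failures[j]["time"] <= e["time"] <= end),
                None,
            )
            findings.append({
                "src": src,
                "first_failure": start,
                "failed_attempts": len(in_window),
                "usernames": sorted({e["user"] for e in in_window}),
                "succeeded_as": success["user"] if success else None,
            })
            break                          # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        verdict = f"SUCCESS as {f['succeeded_as']}" if f["succeeded_as"] else "no success yet"
        print(f"{f['src']}: {f['failed_attempts']} failures from "
              f"{f['first_failure']} across {f['usernames']} -> {verdict}")
```

In the sample, 203.0.113.7 is flagged with six failures across five accounts and a successful logon as it_admin, while the single mistyped password from 10.0.0.15 stays below the threshold. Against real telemetry the same logic runs over 4625/4624 records pulled from Security.evtx or a SIEM; tune the threshold to the environment, and remember that an RDP host using NLA records the guessing as logon type 3 rather than 10. The finding is a prompt for the advisory's mitigation, which is to take RDP off the internet in the first place.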

Source…

Someone is hacking 3D printers to warn owners of a security flaw


Do you have an Anycubic Kobra 2 Pro/Plus/Max 3D printer? Did you know it has a security vulnerability?

If you answered “yes” to both those questions, then chances are that I can guess just how you found out your 3D printer was vulnerable to hackers.

My bet is that you might have learnt about the problem after seeing a strange message displayed on your device, claiming that it had been hacked.

As multiple posts on Reddit confirm, owners of the 3D printers have had an unusual message pop up on their devices.

The message contains ASCII art of a worm and claims to be “harmless” – but warns of a “critical vulnerability” in the printer, posing a “significant threat”. It advises affected users to disconnect their printer from the internet to avoid being hacked.

In the message, someone calling themselves “printer god” bemoans Anycubic’s lax security and warns that a malicious attack could have caused damage.

The warning message in the file hacked_machine_readme.gcode can be safely deleted from the printer’s screen or USB drive. The author claims to have sent it to over 2.9 million vulnerable printers.

The hack seems to be connected to a post in an online forum earlier this week by a user called “Dump”. “Dump” claimed to have tried to communicate with Anycubic for two months about “two critical security vulnerabilities” – with one described as “catastrophic if found to be malicious.”

Anycubic has now confirmed the existence of a “security issue”, which it claims was “caused by a third party using a security vulnerability of the MQTT server to access users’ printers.”

Anycubic says that it is enhancing its cloud server security and will release new firmware to users on March 5, 2024.

This isn’t the first time that printers have been hijacked through security vulnerabilities to spread messages. For instance, in 2018, thousands of printers were seized to print out a message promoting PewDiePie’s YouTube channel.

Source…