Tag Archive for: wipes

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data


Investigations have begun into a massive ransomware attack that has affected Sri Lanka’s government cloud system, Lanka Government Cloud (LGC).

The investigation is being conducted by the Sri Lanka Computer Emergency Readiness Team and Coordination Center (CERT|CC). Sri Lanka’s Information and Communication Technology Agency (ICTA) confirmed the attack to several local news outlets on September 11, 2023.

The attack likely started on August 26, 2023, when a gov[dot]lk domain user said they had received suspicious links over the past few weeks and that someone may have clicked one.

LGC services and the backup systems were quickly encrypted. Mahesh Perera, CEO at ICTA, estimated all 5000 email addresses using the “gov[dot]lk” email domain, including those used by the Cabinet Office, were affected.

The system and the backup were restored within 12 hours of the attack.

However, since the system didn’t have any backup available for the data spanning May 17 to August 26, 2023, all affected accounts have permanently lost data covering this period.

Concerning Security Failings

Perera told the press that LGC was introduced in 2007 and first used Microsoft Exchange Version 2003, but was updated to Microsoft Exchange Version 2013 in 2014.

“This was in use till the attack. But that version is now obsolete, outdated and vulnerable to various types of attacks,” he said.

Although the Agency had planned to upgrade LGC to the latest version (currently Exchange Server 2019 CU11 Oct21SU) from 2021, the decision had been delayed due to “fund limitations and certain previous board decisions,” Perera added.

Following the attack, ICTA has started taking measures to enhance its security, including initiating daily offline backup routines and upgrading the relevant email application to the latest version.

The Sri Lanka CERT|CC is also helping ICTA to retrieve the lost data.

The Sri Lankan government had previously been criticized for failing to efficiently promote serious cybersecurity measures within its public administrations and its private sector.

The country ranks 83rd out of 175 countries in the Estonia-based e-Governance Academy Foundation’s National Cyber…

Source…

Android malware BRATA wipes your device after stealing data


The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.

BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users.

In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users and stealing their credentials with the involvement of fraudsters posing as bank customer support agents.

Analysts at Cleafy continued to monitor BRATA for new features, and in a new report published today, illustrate how the malware continues to evolve.

Tailored versions for different audiences

The latest versions of the BRATA malware now target e-banking users in the UK, Poland, Italy, Spain, China, and Latin America.

Each variant focuses on different banks with dedicated overlay sets, languages, and even different apps to target specific audiences.

BRATA variants circulating in different countries
Source: Cleafy

The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package.

This obfuscation successfully bypasses antivirus detections, as illustrated by the VirusTotal scan below.

Detection rate of newest samples
Source: Cleafy

On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

AV tools removed by BRATA
Source: Cleafy

New features

The new features spotted by Cleafy researchers in the latest BRATA versions include keylogging functionality, which complements the existing screen capturing function.

Although its exact purpose remains a mystery to the analysts, all new variants also have GPS tracking.

The scariest of the new malicious features is the performing of factory resets, which the actors perform in the following situations:

  1. The compromise has been completed successfully, and the fraudulent transaction is over (i.e. credentials have been exfiltrated).
  2. The…

Source…

VFEmail suffers ‘catastrophic’ attack, as hacker wipes email service’s primary and backup data

There will be many angry customers of VFEmail who will be distraught at the thought that years’ worth of irreplaceable personal and business correspondence may have been wiped out. It’s understandable that some might turn their fury towards VFEmail.

But VFEmail is a victim too.

Graham Cluley

Computer crash wipes out years of Air Force investigation records

Defense One:

The U.S. Air Force has lost records concerning 100,000 investigations into everything from workplace disputes to fraud.

A database that hosts files from the Air Force’s inspector general and legislative liaison divisions became corrupted last month, destroying data created between 2004 and now, service officials said. Neither the Air Force nor Lockheed Martin, the defense firm that runs the database, could say why it became corrupted or whether they’ll be able to recover the information.

Apparently they did have backups, but ermm… the backups are corrupted too.

Remember folks, there’s no point making backups of your data if you don’t sometimes test that the backups actually work. That’s perhaps timely advice given the prevalence of ransomware right now.

(There’s no indication that the US Air Force’s database corruption is due to malicious meddling, by the way).

Update: Good news. The US Air Force says it has managed to achieve a “full recovery” of its data.

Graham Cluley