AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 09/10/2021

REvil Ransomware Group is Back as “Happy Blog” Returns

An infamous ransomware group that appeared to shutter its operations following a major supply chain attack on IT software provider Kaseya seems to be back in business. The REvil/Sodinokibi variant has been used by countless affiliates to extort money from companies as diverse as now-defunct Travelex, Jack Daniel's-maker Brown-Forman and meat processing giant JBS. Last year it claimed to have amassed a fortune of $100m through its efforts. However, widespread condemnation following the July Kaseya attack, which impacted thousands of downstream customers, including schools, appeared to have forced the group offline. The attack itself garnered attention from the very top level of the US government, with President Biden ordering his intelligence agencies to investigate. Some speculated that it was simply lying low and would likely return with different branding. However, that doesn’t appear to be the case, with the group’s “Happy Blog” site now back up and running, according to Recorded Future. The site is where it publishes data exfiltrated from its victims in order to force them to pay up.

This is the perfect ransomware victim, according to cybercriminals

Researchers have explored what the perfect victim looks like to today’s ransomware groups. On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests (the way to gain an initial foothold into a target system), revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. Initial access is now big business. Ransomware groups such as BlackMatter and LockBit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system. When you consider that a successful ransomware campaign can result in payments worth millions of dollars, this cost becomes inconsequential, and it can mean that cybercriminals free up time to strike more targets.

Hackers are leaking children’s data — and there’s little parents can do

Most don’t have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren. The ongoing wave of ransomware attacks has cost companies and institutions billions of dollars and exposed personal information about everyone from hospital patients to police officers. It’s also swept up school districts, meaning files from thousands of schools are currently visible on those hackers’ sites. NBC News collected and analyzed school files from those sites and found they’re littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
UN Computer Networks Breached by Hackers Earlier This Year

Hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization. The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web. “We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Stéphane Dujarric, spokesman for the UN Secretary-General, said in a statement on Thursday. “The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach.” The credentials belonged to an account on the UN’s proprietary project management software, called Umoja. From there, the hackers were able to gain deeper access to the UN’s network, according to cybersecurity firm Resecurity, which discovered the breach. The earliest known date the hackers obtained access to the UN’s systems was April 5, and they were still active on the network as of Aug. 7.
Microsoft indefinitely delays office return

Microsoft announced Thursday that it is indefinitely delaying its full return to the office amid uncertainty with COVID-19. The company had previously set Oct. 4 as the earliest date for total reopening but is now telling employees that it will not establish a set return. Instead, offices in the U.S. will open when able to do so safely based on public safety guidance. Employees will be notified 30 days before their local worksites will reopen. “[T]he evolving Delta variant is compelling many of us to adjust plans for reopening worksites,” Jared Spataro, a corporate vice president, wrote in a blog post. “It’s a stark reminder that this is the new normal. Our ability to come together will ebb and flow.” The company last month announced that proof of vaccination will be required for all employees returning to offices. Microsoft is one of the first major tech companies to not set a return date amid the surge in cases driven by the Delta variant of the coronavirus. Google, Facebook and Apple have all recently pushed their office returns to January.