Hack Archives - ReadWrite
https://readwrite.com/category/hack/

‘Millions of Americans affected by Chinese hacking plot’
https://readwrite.com/millions-of-americans-affected-by-chinese-hacking-plot/
Tue, 26 Mar 2024 10:56:57 +0000

Millions of Americans have been caught up in a Chinese hacking ploy which has resulted in seven Chinese men being charged with conspiracy to commit computer intrusions and wire fraud.

Yesterday (Mar. 25) the indictment setting out the charges was announced via a press release from the Office of Public Affairs.

The seven men are said to be involved in a People’s Republic of China-based hacking group that has spent around 14 years targeting U.S. and foreign critics, businesses and political officials.

More than 10,000 ‘malicious’ emails were said to have been sent by the hacking group known as Advanced Persistent Threat 31. Some of this activity resulted in compromises of people’s networks, email accounts, cloud storage accounts and telephone call records.

Court documents say the group’s activities have potentially compromised work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans.

Many of the emails were sent to targets under the guise of news articles. They contained hidden tracking links and, once an email was opened, the hackers would gain access to, and information about, the recipient. The group then used this information to engage in more direct, targeted hacking.

People working in the White House and at the Departments of Justice, Commerce, Treasury, and State, as well as U.S. Senators and Representatives of both political parties, were targeted.

Deputy Attorney General Lisa Monaco says: “The Department of Justice will relentlessly pursue, expose, and hold accountable cyber criminals who would undermine democracies and threaten our national security.”

The governments of both the UK and New Zealand have also accused China of being responsible for cyber campaigns. A spokesperson for the Chinese embassy in Washington DC said: “without valid evidence, relevant countries jumped to an unwarranted conclusion” and “made groundless accusations.”

The international community responds to Chinese hacking allegations

The UK Government has now formally accused China of being behind cyber attacks against Members of Parliament and the Electoral Commission. As a result, sanctions have been imposed.

Two Chinese nationals and a company named Wuhan Xiaoruizhi Science and Technology Company Ltd have been sanctioned, resulting in a freezing of assets and a travel ban stopping them from entering or remaining in the UK. UK citizens and businesses have been barred from handling their funds or resources too.

The government says the company is affiliated with Advanced Persistent Threat Group 31.

Authorities in New Zealand have also accused China of targeting its parliamentary network in 2021.

Featured image: Ideogram

Microsoft details update on Russian-sponsored “ongoing attack”
https://readwrite.com/microsoft-details-update-on-russian-sponsored-ongoing-attack/
Fri, 08 Mar 2024 19:44:03 +0000

Microsoft has detailed an update on the ongoing cyber attack it has been subjected to from suspected Russian state-sponsored hackers.

Using information obtained during a hit last year, the group known as Midnight Blizzard has targeted Microsoft’s internal systems, the tech giant said in an official blog post.

The company has also shared the latest information with the US Securities and Exchange Commission, in a fresh filing posted on Friday.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” Microsoft wrote.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

What was the initial Midnight Blizzard cyber attack on Microsoft?

In a targeted recon mission, Midnight Blizzard (also known as Nobelium) was able to access a legacy system account using a password-spraying attack.

Although the malicious activity was discovered on 12 January, it is believed the cyberattack commenced in late November 2023, leaving the American multinational tech giant to play catch-up on the serious incident.

Now, Microsoft is facing further intrusion, with the hackers “attempting to use secrets of different types it has found,” as the company detailed an increase in the volume of the attacks. It stated that password sprays had increased almost 10-fold in February, beyond the significant rate experienced in January this year.

This is a sophisticated, organized cyber attack that shows no sign of abating, as detailed in the statement.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so.”

“This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

Microsoft has insisted it remains committed to the ongoing investigation of Midnight Blizzard’s activities.

The hacker collective is believed to be working at the behest of Russia’s Foreign Intelligence Service, known by its native initials, SVR.

Featured image: Pexels

Epic Games hack update – Epic has no evidence that hack is not a hoax
https://readwrite.com/epic-games-hack-potential-nightmare-for-gamers-what-you-need-to-do-and-should-you-be-worried/
Wed, 28 Feb 2024 11:33:01 +0000

Update: Epic have sent us the following statement:

“We are investigating but there is currently zero evidence that these claims are legitimate. Mogilevich has not contacted Epic or provided any proof of the veracity of these allegations. When we saw these allegations, which were a screenshot of a darkweb webpage in a Tweet from a third party, we began investigating within minutes and reached out to Mogilevich for proof. Mogilevich has not responded. The closest thing we have seen to a response is this Tweet, where they allegedly ask for $15k and ‘proof of funds’ to hand over the purported data.”

So it seems, hopefully, that the hacking group might be trying to pull a fast one, but that was always doomed to failure unless they can provide evidence.

If we get any more we will update this page further. The advice below, to make sure your account has a new password and 2FA enabled, still stands as good practice.

Original story below:

News is breaking that Epic Games, the publisher of Fortnite, is facing a ransomware attack by a little-known hacking group, Mogilevich. While at this stage the hack is unverified according to Cyberdaily, overnight the group posted details on its darknet leak site.

The group claims to have nearly 200GB of data including, the gang says, “email, passwords, full name, payment information, source code, and many other data.” This could turn out to be a real security threat for many people, as the data is currently up for sale for an unknown amount.

Mogilevich says, “We have quietly carried out an attack to [sic] Epic Games’ servers, If you are an employee of the company or someone who would like to buy the data, click on me.”

A deadline to purchase the data outright, including for Epic itself, is set for the 4th of March, but as yet there is zero proof that they have any data at all.

Generally, as with the Rhysida attack on Insomniac last year, we would expect to get file examples of just what exactly they have got and an indication of what is at stake.

Epic Games holds a lot of payment data, due to having its own Games Store and just because of the size of games like Fortnite, so this could turn into a real headache for a lot of people.

As yet, Epic has not commented but we will keep you up to date with developments.

How to secure your Epic Games account

We should take this seriously at this stage and get ahead of the game, even without any proof. If you have an Epic Games account, you could start by changing your password and enabling 2FA (two-factor authentication) if you haven’t already. Even if this attack turns out to be false, your account will be more secure, so you really should do it anyway.

As ever, and we are sure you already know, it is extremely bad practice to use the same password on multiple sites, so if your Epic password is the same as everywhere else, it might be time to spend an hour or so tightening up your personal password policy.

Who is Mogilevich?

Cyberdaily lists Mogilevich as a new threat and the Epic hack would be only its fourth, having previously hit Infiniti USA, a subsidiary of Nissan just over a week ago,

‘Blackcat’ ransomware hit on Change Healthcare impacts hospital and pharmacy systems
https://readwrite.com/blackcat-ransomware-hit-on-change-healthcare-impacts-hospital-and-pharmacy-systems/
Tue, 27 Feb 2024 11:40:37 +0000

It is believed the ongoing cyber attack on US health tech giant Change Healthcare is the work of the ‘Blackcat’ ransomware gang.

The targeted hit has caused significant disruption to the health system in recent days with hospitals and pharmacies impacted, as reported by Reuters.

Owned by parent company UnitedHealth, Change operates a major health payment system, connecting care providers and patients across the states. Headquartered in Nashville, Tennessee, the company posted revenues of almost $3.5 billion in 2022.

Last week, hackers obtained access to Change Healthcare’s IT infrastructure, with immediate knock-on effects at pharmacies to the detriment of patients.

Whilst there was no immediate comment from UnitedHealth or Blackcat (also known as ALPHV) in the aftermath of the breach, Reuters has now reported on the latter’s responsibility for the attack.

Inevitable outcome

This latest development comes after the parent company of Change Healthcare attributed an earlier incident to a “suspected nation-state associated cybersecurity threat actor,” but an industry expert has played down that line of enquiry.

“I am not aware of any links between ALPHV and a nation state,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. “As far as I am aware they are financially motivated cybercriminals and nothing more.”

In December, Blackcat was the target of an international law enforcement response led by US authorities to take down its websites and digital assets, with a relative degree of success. In response, the cyber criminals threatened to retaliate by going after critical infrastructure concerning hospitals and providers.

On this outcome, Callow added law enforcement activity was important but unlikely to completely eradicate the problem.

“It’s inevitable that if you have a group that’s making millions of bucks, they are going to attempt to make a comeback,” he said.

Blackcat is an infamous ransomware gang, one of the most prolific groups of online attackers which has previously targeted the likes of MGM Resorts International and Caesars International.

Image: Tima Miroshnichenko/Pexels

China’s hired hackers: a massive cybersecurity breach exposing China’s operations
https://readwrite.com/chinas-hired-hackers-a-massive-cybersecurity-breach-exposing-chinas-operations/
Fri, 23 Feb 2024 16:59:43 +0000

Leaked files reveal a variety of services available for purchase, including information obtained from targets across the globe. According to a significant data leak from a Chinese cybersecurity company, state security agents are paying tens of thousands of pounds to gather data on targets, including foreign governments. Meanwhile, hackers are gathering massive amounts of data on any individual or organization that could be of interest to their potential clients.

It’s believed that over 500 files have been leaked worldwide

Cybersecurity experts believe the cache of over 500 leaked files from the Chinese company I-Soon, which was uploaded to the developer website GitHub, to be authentic. NATO and the UK Foreign Office are a couple of the suggested targets.

More than a year ago, in an unprecedented joint address, the FBI and MI5 leaders warned about the issue of Chinese spying, asking for upgraded security measures. At that time, the two agencies said that they were voicing a new concern about the Chinese government and informing corporate executives that Beijing was intent on stealing their technology in order to obtain a competitive advantage.

The files, a collection of chat logs, business prospectuses, and data samples, show the scope of China’s intelligence-collecting activities and the challenges that the nation’s commercial hackers face in the competitive market. China is currently experiencing a downturn in its economy.


I-Soon and Chengdu 404 have been in dispute over one company using the other company’s tools to hack

I-Soon seems to have collaborated with Chengdu 404, another Chinese hacking group, and became involved in a business dispute with them later. The US Department of Justice has charged Chengdu 404’s hackers for using their tools to launch cyberattacks against US companies and pro-democracy activists in Hong Kong, among other targets.

The other targets mentioned in the I-Soon disclosures are the British think tank Chatham House, the Association of Southeast Asian Nations (ASEAN) countries’ foreign affairs ministries, and public health bureaus. While some of this data appears to have been collected indiscriminately, other instances involve specific contracts with the Chinese Public Security Bureau to collect particular kinds of data.

“We are aware of this data coming to light and are naturally concerned,” a Chatham House spokeswoman stated. “We have precautions in place to protect you, including technological ones that are regularly examined and updated.”

“The alliance faces persistent cyberthreats and has prepared for this by investing in extensive cyber defenses,” a NATO official stated. NATO examines each allegation of a cyberthreat. However, the UK Foreign Office chose not to respond.

I-Soon provides a wide range of services. In one instance, Shandong City’s public security department paid about £44,000 to gain a year’s worth of access to the email accounts of ten targets. The I-Soon business also asserted that it could breach many operating systems, including Mac and Android, access personal data from Facebook, hijack accounts on X, and obtain data from corporate databases.

Featured Image Credit: Photo by Yaroslav Shuraev; Pexels

Hackers actively targeting severe authentication bypass flaw in ConnectWise software
https://readwrite.com/hackers-actively-targeting-severe-authentication-bypass-flaw-in-connectwise-software/
Thu, 22 Feb 2024 02:00:14 +0000

Security experts have raised alarms over a critical vulnerability in ConnectWise ScreenConnect, a widely used remote access tool, which they describe as “trivial and embarrassingly easy” to exploit. According to TechCrunch, this flaw, which carries the highest severity rating, poses a significant risk as it allows for an authentication bypass that could enable attackers to remotely access and steal sensitive data or deploy malware on affected systems. As confirmed by ConnectWise, the software’s developer, malicious hackers are actively exploiting this flaw, posing a significant threat to data security and system integrity.

Despite initial assurances of no public exploitation, the company later confirmed incidents of compromised accounts following an investigation by their incident response team. ConnectWise has also identified and shared IP addresses linked to the attackers.

The vulnerability, impacting a tool essential for IT providers and technicians to offer remote support, was first reported to ConnectWise on February 13, with the company disclosing it in a security advisory on Feb. 19. Although the exact number of affected customers remains undisclosed, ConnectWise spokesperson Amanda Lee mentioned “limited reports” of suspected intrusions, adding that 80% of their cloud-based customer environments were patched automatically within 48 hours.

Huntress, a cybersecurity firm, published an analysis indicating ongoing exploitation of this flaw, with adversaries deploying Cobalt Strike beacons and even installing ScreenConnect clients on compromised servers. Huntress CEO Kyle Hanslovan highlighted the severity of the situation, estimating that thousands of servers controlling numerous endpoints remain vulnerable, potentially leading to a surge in ransomware attacks.

ConnectWise has issued a patch for the vulnerability and is urging users, especially those with on-premise ScreenConnect installations, to apply the update promptly. The company also addressed a separate vulnerability in its remote desktop software but has not observed any exploitation of this flaw.

US Federal Court overturns huge $1bn piracy ruling
https://readwrite.com/federal-court-blocks-copyright-suit-against-illegal-downloads/
Wed, 21 Feb 2024 11:13:38 +0000

A Federal Appeals court has overturned a 2019 verdict on Cox Communications and the internet provider’s ability to halt illegally downloaded items.

The lawsuit that led to the jury’s verdict was filed by major music and license-holding heavyweights such as Sony Music Entertainment, Warner Bros. Records Inc. and Universal Music Corp.

Cox Communications had been held responsible for the thousands of songs and other licensed items that users had pirated over peer-to-peer connections.

Sony and the other Plaintiffs had believed that Cox Communications hadn’t exercised stringent enough measures to ban or limit the attempts of those using the service to share and harvest their licensed materials.

Judge overturns ruling

Judge Pamela A. Harris and Senior Circuit Judge Henry F. Floyd joined the opinion written by Judge Allison Jones Rushing in overturning the decision.

Judge Rushing’s opinion stated that “Federal law protects internet service providers from monetary liability for copyright infringement committed by users of their networks, but only if those service providers reasonably implement a policy to terminate repeat infringers in appropriate circumstances. In a prior case, our Court held that Cox had failed to reasonably implement an anti-piracy program and therefore did not qualify for the statutory safe harbor.”

This ‘safe harbour’ was implemented after Congress agreed the Digital Millennium Copyright Act (DMCA) in 1998.

The Judge would go on to say that the initial decision of “wilful contributory infringement” would be affirmed by the Court, adding: “But we (the Fourth Circuit Court) reverse the vicarious liability verdict and remand for a new trial on damages because Cox did not profit from its subscribers’ acts of infringement, a legal prerequisite for vicarious liability.”

“The continued payment of monthly fees for internet service, even by repeat infringers, was not a financial benefit flowing directly from the copyright infringement itself,” Rushing said. “Indeed, Cox would receive the same monthly fees even if all of its subscribers stopped infringing,” she would add.

The Court would still uphold Cox Communications’ part in the continuation of licensed items being pirated, and the company’s lack of action in terminating such offenders would lead to it being partially responsible for these infringements.

Judge Rushing also said that the internet service provider’s part “accords with principles of aiding and abetting liability in the criminal law. Lending a friend a hammer is innocent conduct; doing so with knowledge that the friend will use it to break into a credit union ATM supports a conviction for aiding and abetting bank larceny.”

This means that Cox Communications would not escape some form of a fine for their part in the case under the aforementioned “wilful contributory infringement.”

The three-judge panel has asked the US District Court for the Eastern District of Virginia to set a new date to potentially award damages after vacating the initial damages award from 2019.

These damages will most likely be reduced substantially, but Cox Communications will be held accountable for its part in this copyright saga.

Image credit:  Ideogram

LockBit hacker gang compromised in FBI, international law enforcement sting
https://readwrite.com/lockbit-hacker-gang-compromised-in-fbi-international-law-enforcement-sting/
Tue, 20 Feb 2024 12:31:00 +0000

One of the most prolific hacker organizations has been significantly compromised by an international multi-agency investigation, including the FBI and the UK National Crime Agency.

LockBit was the group targeted, with the operation shutting down numerous websites used for ransomware payments.

Overall, law enforcement authorities from 11 different countries were involved in the sting which obtained 11,000 domains operated by LockBit and their associates as part of their criminal enterprise.

On Monday, a statement on LockBit’s website read: “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

Ransomware is malicious software that locks files on the computers and online spaces of victims, leading to demands of payment for access to be returned. LockBit is known to be a specialist in this form of nefarious activity, with significant financial gains received from the hacking extortion.

Millions of ransom attacks

The same group was responsible for the November 2023 hit on the US operation of Industrial & Commercial Bank of China, a catalyst for significant disruption to the US Treasury market. The world’s largest lender by assets was forced to instruct its clients to make trades via alternate means after the cyber strike rendered their systems unable to clear a large volume of transactions.

They also targeted a website used by Boeing to sell aircraft parts and software.

Under the name of LockBit 1.0, the hacker group gained significant exposure and recognition in 2021, due to the threat they posed. The name changed to LockBit 2.0, followed by LockBit Green, its most recent identity.

Last month, their victim was Equilend, a major trading platform that processes transactions worth trillions of dollars each month, with an incident that impacted the company’s automated lending facility.

The FBI has estimated LockBit has impacted 1600 victims in the US, and 2000 around the world. Most of those involved are active within the private sector, with the FBI adding it is monitoring 144 million ransoms related to the hackers’ actions.

Featured image: AI generated via Ideogram

US thwarts Russian hacking network infiltrating American homes
https://readwrite.com/us-thwarts-russian-hacking-network-infiltrating-american-homes/
Fri, 16 Feb 2024 11:22:41 +0000

The U.S. Justice Department has claimed it stopped a major Russian intelligence-controlled hacking network.

The FBI worked with international partners to disrupt the hacking operation that had infiltrated over 1,000 home and small business internet routers in the U.S. and abroad.

According to the Justice Department’s announcement on Thursday (Feb. 15), Russian intelligence was collaborating with cybercriminals to create a network of hacked routers that could be used to spy on military, security, and private sector targets.

“The Justice Department is accelerating our efforts to disrupt the Russian government’s cyber campaigns against the United States and our allies, including Ukraine,” said Attorney General Merrick B. Garland.

He continued: “We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies.”

Russian hacking efforts

Just a day prior, the Biden administration notified Congress that intelligence suggests Russia is developing a space-based nuclear weapon aimed at U.S. satellites.

FBI Director Christopher Wray warned that Russia continues reconnaissance on critical infrastructure like underwater cables and industrial controls in the U.S. energy sector. He stated that “once access is established, a hacker can switch from information gathering to attack quickly and without notice.”

Wray also remarked: “The cyber threat posed by the Chinese government is massive. China’s hacking program is larger than that of every other major nation combined.”

The recent actions highlight what U.S. officials describe as an escalating pace of cyberattacks from major adversaries like Russia, China, and Iran.

In November, a Kremlin-affiliated hacker group unleashed a USB-based cyber threat targeting primarily Ukrainian organizations, while in January the U.S. government thwarted a sophisticated Chinese hacking campaign that posed a serious threat to critical American infrastructure networks.

As the war in Ukraine continues, Russian hacking efforts are expected to intensify.

Featured image:

The post US thwarts Russian hacking network infiltrating American homes appeared first on ReadWrite.

]]>
Pexels
Southern Water reports major data breach impacting hundreds of thousands https://readwrite.com/southern-water-reports-major-data-breach-impacting-hundreds-of-thousands/ Wed, 14 Feb 2024 21:15:12 +0000 https://readwrite.com/?p=254547 Digital illustration of a shattered padlock with the Southern Water logo, symbolizing a data breach, against a backdrop of binary code and hackers, with the U.K. map watermark indicating the incident's location.

Southern Water, a leading water utility company in the South East of England, has announced a significant data breach, potentially impacting between 235,000 and 470,000 of its customers. The breach, which occurred in January, saw hackers accessing sensitive customer information during a cyberattack.

The company, serving millions across the region, disclosed that “5 to 10 percent” of its customer base might have had their personal data compromised. This estimate, based on ongoing forensic investigations, leaves room for the possibility that the number of affected individuals could rise.

Details of the stolen data, as reported by BBC News, include customers’ dates of birth, national insurance numbers, bank account details, and reference numbers. Southern Water has yet to confirm the specifics of the compromised information.

In addition to customer data, Southern Water revealed plans to inform all current and some former employees about the breach. The utility firm, employing around 6,000 individuals, is still investigating the full extent of the incident.

The cyberattack was claimed by the Black Basta ransomware group, known for its links to Russia and previous attacks on major organizations like the U.K. outsourcing giant Capita. Shortly after the attack, Black Basta listed Southern Water on its dark web leak site, threatening to release 750 gigabytes of sensitive corporate and customer data unless a ransom was paid. The leak site’s listing included screenshots of stolen documents, such as employee passports and identity cards.

As of now, Southern Water’s name has been removed from Black Basta’s website, a move often seen after victim companies comply with ransom demands. However, Southern Water has not disclosed whether it paid any ransom.

According to TechCrunch, in response to the breach, Southern Water stated it is collaborating with cybersecurity experts to monitor the dark web for any signs of the stolen data being published. So far, the company reports no evidence of the compromised data appearing online.

The incident has been reported to the U.K.’s Information Commissioner’s Office, as Southern Water continues to assess the breach’s impact and work on bolstering its cybersecurity measures to prevent future attacks.

U.S. insights company shows ransomware hackers drew in $1bn across 2023 https://readwrite.com/us-insights-company-shows-ransomware-hackers-drew-in-1bn-across-2023/ Fri, 09 Feb 2024 22:50:01 +0000 https://readwrite.com/?p=253831

Ransomware hackers extorted $1bn across 2023, according to a data insights company and blockchain platform.

The company published a report showing the extent of malicious hacking and developing trends affecting entities across the last year.

Chainalysis provides data, software, services, and research to government agencies and companies across seventy countries.

“Our data powers investigation, compliance, and market intelligence software that has been used to solve some of the world’s most high-profile criminal cases and grow consumer access to cryptocurrency safely,” says the company site.

The report details a staggering increase of $433 million in ransom taken from victims compared to 2022, growing to the highest-ever rate of $1bn in 2023.

Report shows biggest ransomware attack of 2023

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) in June of last year highlighting the MOVEit vulnerability, which was exploited by the CL0P Ransomware Gang.

This would be one of the biggest reported ransomware attacks recorded and was the high point of 2023’s problem with ‘Zero-Day’ exploits.

What is a Zero-Day?

The report details this as a ‘Zero-Day’ vulnerability that compromised multiple institutions simultaneously. The attack is given this name because it gives the developers zero days to respond: it exploits an existing crack in the defenses that they were unaware of.

The MOVEit hack was like finding all the keys to multiple company lockboxes in one big digital bank vault.

The hack hit several established institutions and exploited a vulnerability in the file transfer system. The software owner would announce that the service had been compromised and that sensitive data, including personal details and, in some cases, banking information, was in the hands of hackers.

Sony, the BBC, and Flagstar Bank were a few of those affected. The Maine Attorney General documented that 837,390 users had their data violated, with the report stating, “Information Acquired — Name or other personal identifiers in combination with Social Security Number.”

The Japanese tech giant, Sony, would also send letters to those affected stating that the company wanted to “provide you with information about a cybersecurity event related to one of our IT vendors, Progress Software, that involved some of your personal information.”

“This event was limited to Progress Software’s MOVEit Transfer platform and did not impact any of our other systems.”

This would extort massive amounts of data and considerably damage Progress Software’s reputation.

U.S. Federal forces and companies across the globe will be hoping that the number of attacks and the amount extorted will fall across 2024.

Iranian hackers broadcast deepfake news in cyber attack on UAE streaming services https://readwrite.com/iranian-hackers-broadcast-deepfake-news-in-cyber-attack-on-uae-streaming-services/ Thu, 08 Feb 2024 17:57:38 +0000 https://readwrite.com/?p=253570 A digital newsroom with sleek, modern design, featuring multiple screens displaying an AI-generated newsreader. The screens show fabricated casualty numbers and images of conflict, symbolizing the disruption caused by Iranian hackers in streaming services across the UAE, UK, and Canada.

Iranian state-backed hackers, identified as part of the Islamic Revolutionary Guards, recently disrupted TV streaming services in the United Arab Emirates, according to a recent Guardian report. They broadcast a deepfake newsreader delivering a fabricated report on the war in Gaza, as reported by Microsoft analysts. This operation, dubbed “For Humanity” by the hackers, involved an AI-generated news anchor presenting unverified images purportedly showing Palestinians harmed by Israeli military actions in Gaza. The Iranian-backed hackers, known as Cotton Sandstorm, showcased their intrusion into three online streaming services on the Telegram messaging platform, interrupting news channels with the fake broadcaster.

In one instance, Dubai residents using a HK1RBOXX set-top box encountered a message claiming the necessity of hacking to deliver a message, followed by the AI-generated anchor introducing “graphic” footage and a ticker detailing casualties in Gaza. The disruptions extended to Canada and the U.K., affecting channels including the BBC, though the BBC itself was not directly hacked.

This incident marks the first time Microsoft has detected an Iranian influence operation leveraging AI as a significant component of its messaging. It represents a notable escalation in the scope of Iranian operations since the onset of the Israel-Hamas conflict, reaching audiences in the UAE, U.K., and Canada.

Deepfakes and election disruption

The rise of generative AI, capable of producing convincing text, voice, and images from simple prompts, has led to an increase in deepfake content online. Such technology poses a risk of being used to disrupt elections, including the upcoming 2024 U.S. presidential election. Iran’s history of targeting the 2020 U.S. election with cyber-campaigns, including impersonating American extremists and spreading disinformation about voting infrastructure, underscores the potential threat posed by these capabilities.

Microsoft’s report highlights the broad range of cyber-attacks and online influence operations launched by Iranian state-backed actors since the Hamas attacks on Oct. 7. These tactics have included exaggerating the impact of cyber-attacks, leaking personal data from an Israeli university, and targeting pro-Israel countries like Albania and Bahrain, as well as the U.S.

Chinese hackers Volt Typhoon had critical US infrastructure access for 5 years https://readwrite.com/chinese-hackers-have-had-critical-infrastructure-access-for-five-years/ Thu, 08 Feb 2024 12:38:12 +0000 https://readwrite.com/?p=253454 An image of a computer screen with code on it

The Cybersecurity & Infrastructure Security Agency, National Security Agency, and the Federal Bureau of Investigation released a joint advisory this week stating that China-backed hackers Volt Typhoon have maintained persistent access to some critical USA infrastructure for “at least five years.”

The advisory states that hackers backed by the People’s Republic of China (PRC) are positioning themselves on the IT networks of American infrastructure systems so they can launch “disruptive or destructive” cyberattacks if the USA faces any major crisis or conflict.

The advisory states that Volt Typhoon is state-sponsored and backed by the Chinese government. The group is known to exploit vulnerabilities in network devices such as routers, firewalls, and VPNs, targeting key industries such as water, communications, transport, and energy. The intrusions have been found across the continental and non-continental United States, including Guam.

According to the advisory, Volt Typhoon’s activities differ significantly from traditional cyber espionage or intelligence-gathering activity. The agencies behind the advisory believe they are positioning themselves ready for a lateral move into disruptive activities.

Volt Typhoon’s methods have relied heavily on stolen administrator passwords and insufficient front-end security. This has enabled the group to take control of some camera surveillance systems to gain a further upper hand. It has been known to use “living off the land” attacks to hide its activities.

What are “living off the land” attacks?

“Living off the land” (LOTL) attacks help cyber attackers go unnoticed. Whereas many attacks use files and leave traces behind, LOTL attacks use legitimate tools on the target system to conduct malicious activities. This makes them very hard to detect using traditional security measures, which look for scripts and files as the signature of attacks.

Cybersecurity is constantly evolving and it’s vital to keep systems updated with the latest security measures. Research into the benefits of artificial intelligence (AI) in cybersecurity is ongoing, but AI will likely have more success against techniques such as LOTL due to its enhanced analytical powers.

China-linked hackers target US infrastructure for over five years https://readwrite.com/china-linked-hackers-target-us-infrastructure-for-over-five-years/ Wed, 07 Feb 2024 20:22:08 +0000 https://readwrite.com/?p=253381 Image showcasing cybersecurity protection of critical infrastructure with symbols like a digital lock, a firewall, and icons for water, energy, and transportation sectors under a cyber-themed overlay.

China-backed hackers have been infiltrating major U.S. critical infrastructure sectors for “at least five years,” an intelligence advisory revealed today. This campaign, detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI, underscores a bold shift in China’s cyber operations strategy, extending beyond traditional espionage to potentially seizing control of vital U.S. systems.

The advisory sheds light on the activities of the China-associated hacking group, Volt Typhoon, which has systematically targeted and gained prolonged access to networks within critical sectors, including water, transportation, energy, and communications. By exploiting vulnerabilities in routers, firewalls, and VPNs, and leveraging stolen administrator credentials, Volt Typhoon has not only infiltrated but also maintained its foothold within these essential systems for years.

One alarming capability of Volt Typhoon is its control over surveillance camera systems of some victims, which, combined with its sustained network access, could enable the group to disrupt critical controls in energy and water facilities. The use of “living off the land” techniques by the group — utilizing built-in tools to minimize detection — further complicates efforts to identify and mitigate these threats.

International concerns and defensive measures

The advisory, which also drew contributions from authorities in Canada, Australia, and New Zealand, highlights a growing international concern over China’s cyber activities. The collaborative warning points to a broader pattern of targeting by China, not limited to the U.S. but extending to other allied nations as well.

This revelation comes amid heightened U.S. apprehensions that China might initiate destructive cyberattacks in the context of escalating tensions over Taiwan. Previous alerts from Microsoft and the U.S. government have indicated Volt Typhoon’s strategic positioning to attack U.S. infrastructure, including water utilities and ports. Although recent efforts have thwarted the group’s immediate access, officials caution that Volt Typhoon remains determined to find alternative entry points.

The advisory underscores the systemic vulnerabilities plaguing U.S. critical infrastructure, from inadequate password management and security update protocols to financial constraints hindering security improvements in sectors like water systems. Legal obstacles have further impeded government efforts to mandate cybersecurity audits.

In response to these China-backed hackers, U.S. cyber defense agencies are urging infrastructure operators to strengthen their security postures. Recommended measures include applying software updates to all internet-facing systems, enabling multi-factor authentication, and activating activity logs to monitor for suspicious behavior.

Pennsylvania Court website down in DDoS cyber attack https://readwrite.com/pennsylvania-courts-websitedown-in-ddos-attack/ Mon, 05 Feb 2024 12:33:09 +0000 https://readwrite.com/?p=252561 A stylized image of a large padlock made up from zeros and ones of binary code to represent a hack.

Part of the Pennsylvania Courts online system has fallen victim to a cyber attack.

The Chief Justice of the US state, Deborah Todd, announced that a distributed denial of service (DDoS) attack had hit the Pennsylvania court website.

Integral court systems such as the PACFile, online docket sheets, PAePay, and the Guardianship Tracking System are affected.

Law enforcement agencies are now involved in diagnosing the extent of the attack.

“Our court information technology and executive team is working closely with law enforcement including the CISA, the U.S. Department of Homeland Security, and the F.B.I. to investigate the incident,” the Chief Justice announced via the official statement.

This cyber attack restricts litigants, lawyers and key court stakeholders who rely on the court’s online systems to prepare for legal proceedings.

“At this time, there is no indication that any court data was compromised, and our courts will remain open and accessible to the public,” said the Chief Justice.

The Pennsylvania courts will hope that all data remains secure and the investigating legal bodies can bring back the key functions that keep the wheels of the courthouse turning.

For updates on when the Pennsylvania Court website is back up, follow the organization’s X account.

What is a DDoS cyber attack?

A distributed denial of service (DDoS) attack is a targeted attempt by a third party to cripple a digital system by undermining and removing core functions.

It is generally the precursor to information or a system being compromised, after which a group will take responsibility for the attack, prompting further developments such as a ransom demand for extracted data or an official statement from those responsible.

Cyber attacks more than doubled across 2023. According to security firm Armis, in January, legacy systems were the cause of many breaches and assaults on digital security.

The FBI, however, managed to eradicate the Volt Typhoon botnet earlier this month after a series of routers were flagged as compromised. The coordinated strike operation prevented the reinfection of the routers and removed the malware that was deployed by the hackers.

FBI Director Christopher Wray said “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate.”

FBI shuts down Chinese hacker group Volt Typhoon’s Botnet https://readwrite.com/fbi-shuts-down-chinese-hackers-volt-botnet/ Thu, 01 Feb 2024 16:34:39 +0000 https://readwrite.com/?p=252213 Department of Justice logo crest

The FBI has suppressed an attack by the Chinese hacker group Volt Typhoon.

The concentrated attack focused on routers in an attempt to cripple Cisco and Netgear devices in small businesses and homes.

The court-authorized operation prevented reinfection of the routers and removed the malware that was deployed by the hackers.

“The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people,” said Attorney General Merrick B. Garland in a statement.

The FBI’s Houston Field Office and Cyber Division, the U.S. Attorney’s Office for the Southern District of Texas and the National Security Cyber Section of the Justice Department’s National Security Division were responsible for the successful co-ordination and delivery of the operation.

FBI Director Christopher Wray said “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate.”

“We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans,” he concluded.

Disrupting the botnet

The hackers targeted a vulnerability in old routers that were near the “end of their life,” according to the U.S. Department of Justice.

The malware, known as “KV Botnet,” had its ties severed by the co-ordinated response from the FBI.

Deputy Attorney General Lisa O. Monaco said that “in wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real-time.”

The operation did not alter or compromise the devices, nor was any data collected by the response to the Chinese hacker group.

The FBI has contacted the service providers of the Cisco and Netgear devices to inform them of the suppressed corruption of the devices.

In other cybersecurity infrastructure news earlier this month, the Biden Administration announced more robust measures for U.S. hospitals. The new requirements are set to fortify digital defenses in healthcare facilities.

The current administration has been dedicated to finding solutions to cybercrime and building bulwarks against invasive online criminals. Last year the White House laid the foundations of a national cybersecurity certification and labeling program.

FBI and DOJ counter advanced Chinese hacking campaign against American networks https://readwrite.com/fbi-and-doj-counter-advanced-chinese-hacking-campaign-against-american-networks/ Wed, 31 Jan 2024 16:52:42 +0000 https://readwrite.com/?p=251987 Image of a digital cybersecurity operations center, equipped with multiple screens displaying network data and maps, symbolizing the FBI's active monitoring against Chinese hacking threats.

The U.S. government has thwarted a sophisticated Chinese hacking campaign that posed a serious threat to American and allied critical infrastructure networks, according to the Wall Street Journal. This action, announced on Wednesday, reflects the Biden administration’s heightened vigilance against China’s increasingly advanced hacking capabilities.

Attorney General Merrick Garland emphasized the U.S. commitment to dismantling foreign-sponsored cyber operations that jeopardize American security. This latest effort involved the Justice Department and the FBI taking decisive steps in December to dismantle a botnet—a network of hacked devices—comprising primarily small office and home office (SOHO) routers.

The routers, predominantly Cisco and Netgear products, were vulnerable due to their end-of-life status, meaning they no longer received regular security updates. These routers served as nodes for the hackers, allowing them to conduct their operations covertly. The U.S. officials successfully removed the botnet from these routers and cut off the hackers’ access.

FBI Director Chris Wray issued a stark warning about the Chinese hacking threat, particularly their focus on infiltrating U.S. critical infrastructure networks. In his testimony before the House China committee, Wray highlighted the potential for real-world harm and disruption, noting that Chinese hackers have targeted essential sectors such as water treatment, energy, transportation, and communication systems.

The disrupted hacking campaign, known as Volt Typhoon, has been a concern for the U.S. and its allies for nearly a year. Microsoft and other private-sector entities have reported on this campaign’s attempts to access sensitive networks in various critical sectors. The campaign’s objectives appear to include disrupting communication infrastructure between the U.S. and Asia, potentially impacting American support for Taiwan in the event of a crisis.

China has consistently denied involvement in cyberattacks against the U.S. and other nations. The Chinese Embassy in Washington has not responded to requests for comment on this latest development. This operation by the U.S. government underscores the ongoing cyber warfare landscape and the need for robust cybersecurity measures to protect national infrastructure and interests.

Nevada Gaming Control Board’s website compromised in cyber attack https://readwrite.com/nevada-gaming-control-boards-website-compromised-in-cyber-attack/ Fri, 26 Jan 2024 15:03:28 +0000 https://readwrite.com/?p=251408 Digital security concept featuring a shield against binary code with a hacker's silhouette, representing the Nevada Gaming Control Board cyber attack.

The Nevada Gaming Control Board, the regulatory body overseeing the state’s gaming industry, has experienced a significant cyber attack, leading to the temporary shutdown of its public-facing website. According to Gambling Insider, the attack, which also targeted the Nevada Gaming Commission’s website, has raised concerns about cybersecurity in the state’s gaming sector.

The compromised website contained a variety of public information, including meeting agendas, gaming regulations, press releases, and contact details. However, officials have assured that critical data such as gaming license details and financial records were stored on a separate, secure internal system and were not affected by the breach.

Kirk Hendrick, the Chairman of the Nevada Gaming Control Board, has not yet commented on the specifics of the incident. The Board, however, has been proactive in addressing the situation. In a statement released via social media, they mentioned, “Technology personnel initiated immediate steps to protect the website by taking it offline. The board is working with experts to thoroughly assess the situation. While working to restore the full website, the board is preparing to publish a temporary website for those seeking access to information.”

This cyber attack on the Nevada Gaming Control Board’s website comes in the wake of similar high-profile attacks on major casino operators in Nevada, including MGM Resorts International and Caesars Entertainment, last September. Those incidents led to substantial financial and reputational losses for the companies involved.

In response to the growing threat of cyber attacks, Nevada lawmakers approved funding last June for the Nevada Gaming Control Board to upgrade its information technology system. This system, which is separate from the website, is crucial for the board’s operations and has been in dire need of modernization since it was first implemented in the 1980s.

The recent cyber attack did not impact other state agencies, which continue to operate normally. The Nevada Gaming Commission’s monthly meeting also proceeded as scheduled, with no mention of the cyber incident.

23andMe’s data breach: cyberattack was missed for months https://readwrite.com/23andmes-data-hack-went-unnoticed-for-months/ Fri, 26 Jan 2024 12:32:10 +0000 https://readwrite.com/?p=251301 A blue and white strand of DNA

Last year was a bad year for cybersecurity. Just months after US Government emails were hacked, in October 2023, biotech company 23andMe admitted that they too were the victim of hacking.

Per Reuters, this hacking impacted roughly 5.5 million customers, with bad actors being able to access their information online along with the Family Tree profile information of 1.4 million DNA Relative participants.

The company filed a data breach notification last week, and in this letter, more details emerged about the cyber-attack.

New information has emerged about the hack

A new legal filing revealed that hackers first started breaking into customers’ accounts in April 2023, and that this continued right up until the end of September that year. This means that the attack went on unnoticed for five months before it was eventually detected by the genetic testing company. But by that point, it was too late. As reported by TechCrunch, the genetic data of roughly 6.9 million people had already been stolen, which accounts for roughly half of the company’s customer base.

23andMe became aware of the breach after hackers provided a sample of the data they stole on the 23andMe subreddit and other forums. However, according to TechCrunch, the company failed to notice hackers advertising the stolen data on forums as far back as August.

The filing, which is available in the public domain, also includes letters from 23andMe to affected customers. It was in these letters that 23andMe confirmed that the bad actors gained access to customer data via a technique known as ‘credential stuffing’, which involves exploiting previously-compromised login credentials to gain access to customer accounts. Some of the data the hackers stole includes birth years, relationship labels, locations, DNA percentages, and customer names.

When they were made aware of the breach, numerous customers tried to band together and sue 23andMe in a class-action lawsuit. The company then sparked controversy by changing the language of its terms of service, which, purportedly, made it harder for customers to sue.

In a statement in December, 23andMe said: “Since detecting the incident, we emailed all customers to notify them of the investigation and are continuing to notify impacted customers, based on applicable laws. We also required every 23andMe customer to reset their password. In addition, 23andMe now requires all new and existing customers to login using two-step verification. Protecting our customers’ data privacy and security remains a top priority for 23andMe, and we will continue to invest in protecting our systems and data.”

Featured Image: Photo by Braňo on Unsplash

Cyber attacks doubled in 2023 but businesses remain slow to act https://readwrite.com/cyber-attacks-more-than-doubled-in-2023-but-businesses-remain-slow-to-act/ Wed, 24 Jan 2024 12:52:54 +0000 https://readwrite.com/?p=250820

The post Cyber attacks doubled in 2023 but businesses remain slow to act appeared first on ReadWrite.

Cyber attacks more than doubled in 2023, according to analysis from cyber security firm Armis, as it is claimed many businesses around the world continue to fail to acknowledge the increasing threat to cyber security.

The Armis report says that attack attempts were at their peak in July, with imaging, manufacturing and communications devices targeted the most. Attacks on utilities tripled and attacks on manufacturing increased by 165%.

But businesses continue to ignore the growing threat and aren’t taking cyber security seriously, it is believed, with the report suggesting that companies are regularly ignoring blind spots, which is causing a surge in cyber breaches.

Co-founder and CTO of Armis, Nadir Izrael, said: “Armis found that not only are attack attempts increasing, but cyber security blind spots and critical vulnerabilities are worsening, painting prime targets for malicious actors.

“It’s critical that security teams leverage similar intelligence defensively so that they know where to prioritize efforts and fill these gaps to mitigate risk.”

The report goes on to suggest legacy technology is most at risk, with pre-2012 Windows OS versions found to be 77% more likely to experience cyber attacks than newer versions. Moreover, older server versions are reaching end-of-support, leaving them even more vulnerable to attack. This is mostly an issue in the educational services sector, with 18% of organizations facing this very issue.

Businesses in the education industry are 41% more vulnerable compared to other industries, which have a general average of 10%. Other industries vulnerable due to outdated OS servers are retail, healthcare, manufacturing and public administration.

The report says more than 65,000 common vulnerabilities and exposures (CVEs) were discovered, pointing to wearable devices as having the highest percentage (93%) of unpatched CVEs.

What is a cyber attack?

A cyber attack can be defined as a malicious attempt to gain access to a computer, operating system or network without authorization, with the sole purpose of causing damage and/or stealing confidential information.

These attacks look to disrupt, destroy or control said computer systems and may also intend to steal, block or manipulate the data stored on these systems.

How to prevent a cyber attack?

Typically, installing up-to-date antivirus software protects your computer and network against malware, while firewalls are there to filter traffic that might enter your device.

Other ways people and businesses can protect themselves from cyber security threats include multi-factor authentication, ensuring passwords are strong, password encryption and using robust Virtual Private Networks (VPN).

The simplest way of staying on top of your cyber security is ensuring all of your apps, devices and operating systems are running the most up-to-date versions, so that security patches are in place for any new cyber attacks.

Featured Image: Dall-E
