A huge data leak exposes China’s vast surveillance state

A massive store of data containing information on about one billion Chinese residents could be one of the biggest breaches of personal information in history.

Portions of the leaked data appeared last week on a known cybercrime forum from someone selling the cache for 10 bitcoins, or about $200,000, and were allegedly siphoned from a Shanghai police database stored in Alibaba’s cloud.

Although details of the breach remain scarce, portions of the data have been verified as authentic, suggesting at least some of the data is real. The origins of the data and how it came to be in the hands of an underground seller, whose motives aren’t known, are still unclear.

News of the alleged breach has gone largely unreported in mainland China, where speech and expression are tightly controlled and internet access is censored and strictly restricted.

The breach, if authentic, raises questions about the vast scale of China’s surveillance state, the largest and most expansive in the world, and Beijing’s ability to keep that data secure.

Here’s what we’ve learned so far.

How did the data leak?

In a since-deleted post on the cybercrime forum, the seller claimed to have downloaded the data from a cloud storage server hosted by Alibaba, the cloud computing arm of the Chinese e-commerce behemoth. When reached by TechCrunch on Monday, Alibaba said it was looking into the claims.

Exactly how the data leaked is murky, but experts say that the database may have been misconfigured and exposed by human error since April 2021 before it was discovered. This would seem to rule out a claim that the database’s credentials were inadvertently published as part of a technical blog post on a Chinese developer site in 2020 and later used to siphon the billion records from the police database, since no passwords were needed to access it.

Bob Diachenko, a Ukrainian security researcher, told TechCrunch that his own monitoring records show the database was also exposed in late April through a Kibana dashboard, web-based software used to visualize and search huge Elasticsearch databases. If the database didn’t require a password, as is believed, anyone who knew its web address could have accessed the data.

Security researchers frequently scan the internet for inadvertently exposed databases or other sensitive data, often to collect bounties offered by the companies that they help to secure. But threat actors also run the same scans, often with the goal of copying data from an exposed database, deleting it and offering the data’s return for a ransom payment — an increasingly common tactic used by criminal dumpster-divers in recent years. Diachenko said that’s what happened on this occasion; a malicious actor found, raided and deleted the exposed database, and left behind a ransom note demanding 10 bitcoins for its return.

“My hypothesis here is that the ransom note did not work and the threat actor decided to get money somewhere else. Or, another malicious actor came across the data and decided to put it up for sale,” said Diachenko.

Little is known about the seller or for what reason the data was dumped online. It’s not uncommon to see large quantities of personal data for sale on cybercrime forums and on the dark web, but seldom for data this sensitive or in such quantity.

What does the data look like?

TechCrunch reviewed a larger sample of the data uploaded by the seller containing three files, about 500 megabytes in total, each containing 250,000 individual records.

The data itself is formatted in JSON, a standard file format for Elasticsearch databases, making it easy to read and analyze. The format of the database suggests it was meticulously maintained and downloaded, rather than created by purely aggregating information from multiple data sources, a common technique used by information sellers and data brokers. However, some data may have been derived from external sources, such as from food delivery orders.

What also makes the data likely to be genuine is the sheer size of the data and that the level of detail would be difficult — though not impossible — to fake.

TechCrunch translated the police records, which were written in Chinese, and redacted personally identifiable information.
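The article notes that the records are Elasticsearch-style JSON and that TechCrunch redacted personally identifiable information before examining them. The following is an added example, not code from the article or from any party it describes, of how an analyst could do that redaction over a newline-delimited JSON dump: direct identifiers are dropped, identity and phone numbers are replaced by a keyed hash so that the same person still links across records, and coordinates are coarsened so an incident can be counted by area without locating a home. The field names, the three sample records and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: three records in the newline-delimited JSON shape that an
# Elasticsearch export or scroll dump typically has ("_source" holds the document).
# Field names and values are invented for this example, not taken from the leak.
SAMPLE_NDJSON = """\
{"_index": "cases", "_id": "1", "_source": {"name": "Zhang San", "phone": "13800000001", "id_number": "310101199001011234", "address": "1 Example Rd", "lat": 31.2304, "lon": 121.4737, "category": "fraud", "year": 2017}}
{"_index": "cases", "_id": "2", "_source": {"name": "Li Si", "phone": "13900000002", "id_number": "310101198502025678", "address": "2 Example Rd", "lat": 31.2310, "lon": 121.4740, "category": "vpn", "year": 2019}}
{"_index": "cases", "_id": "3", "_source": {"name": "Zhang San", "phone": "13800000001", "id_number": "310101199001011234", "address": "1 Example Rd", "lat": 31.2304, "lon": 121.4737, "category": "gambling", "year": 2018}}
"""

# Fields that identify a person directly and are dropped outright.
DROP_FIELDS = {"name", "address"}
# Fields replaced by a keyed hash so repeat subjects stay linkable across
# records without being reversible by anyone who lacks the key.
PSEUDONYMIZE_FIELDS = {"id_number", "phone"}
COORD_DECIMALS = 2  # about 1 km; enough for density analysis, not for finding a home


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the value, truncated. A plain unkeyed hash would be
    brute-forceable for low-entropy values such as phone numbers."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_record(source: dict, key: bytes) -> dict:
    """Return a copy of one document with PII removed, pseudonymized or coarsened."""
    out = {}
    for field, value in source.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonym(str(value), key)
        elif field in ("lat", "lon"):
            out[field] = round(float(value), COORD_DECIMALS)
        else:
            out[field] = value
    return out


def redact_ndjson(text: str, key: bytes) -> list:
    """Parse newline-delimited JSON and redact every document's _source."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        doc = json.loads(line)
        records.append(redact_record(doc.get("_source", doc), key))
    return records


def count_by(records: list, field: str) -> dict:
    """Aggregate redacted records by a non-identifying field."""
    counts = {}
    for record in records:
        counts[record.get(field)] = counts.get(record.get(field), 0) + 1
    return counts


if __name__ == "__main__":
    key = b"example-key-rotate-per-analysis"  # constructed; keep real keys out of source
    redacted = redact_ndjson(SAMPLE_NDJSON, key)
    for record in redacted:
        print(json.dumps(record, ensure_ascii=False))
    print(count_by(redacted, "category"))
```

Because the pseudonym is keyed, records 1 and 3 in the sample still resolve to the same subject after redaction while the original identity number cannot be recovered from the output; the key is what has to be protected, and rotating it between analyses prevents linkage across datasets.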


The files appear to contain detailed police reports dating from 1995 through 2019, including names, addresses, phone numbers, identity numbers, sex, as well as the reason why the police were called out. The records seen by TechCrunch include granular coordinates where incidents occurred or police reports were made — and the names of informants who made the reports — which match the precise addresses also listed in each record, as well as the individuals’ race and ethnicity. (The Chinese government has incarcerated more than a million of its own citizens, mostly from Muslim minority ethnic groups, including Uyghurs and Kazakhs, which the Biden administration has declared a “genocide.”)

The records contain complaints and criminal allegations, from serious crimes involving violence to the relatively banal, such as detailing reports of credit card fraud, internet scams and gambling, which is illegal in China. Several records seen by TechCrunch show police reports cracking down on the use of VPNs, or virtual private networks, used for accessing sites blocked by China’s censorship system and as such outlawed in China. One record showed a Shanghai resident was accused of using a VPN to post critical remarks about the government on Twitter, which is banned in China. It’s not known what subsequently happened to the individual.

The data also contained full web addresses to photos stored on the same server, none of which were accessible at the time of writing, but the associated data often indicates what was uploaded, such as a person’s residency documentation or their passport when leaving the country. These web addresses are formatted in a way that is consistent with how Alibaba’s cloud service stores files.

Many of the records we examined appeared to contain information on children, based on their dates of birth and ages listed in the data.

Without the (unlikely) confirmation from the Chinese government, it’s difficult to know for sure if the seller’s claims are genuine and the data was obtained from Shanghai’s police department, as is claimed. The Wall Street Journal, The New York Times and CNN have verified portions of the data by calling individuals whose information was found in the database, lending weight to its authenticity.

What is the impact?

This alleged breach, if proved legitimate, could be highly damaging for Beijing, and raises questions about the government’s cybersecurity measures and the impact the breach will have on individuals.

It comes at a time when China is stepping up protection for personal data. Last September, China passed the Personal Information Protection Law, its first comprehensive privacy and data protection legislation, seen widely as China’s equivalent of Europe’s GDPR privacy rules. The law restricts how businesses can collect personal data and is expected to have a sweeping effect on the ad businesses of the country’s biggest tech giants, but allows broad exceptions for government agencies and departments that make up China’s vast surveillance capabilities.

Beijing is already reportedly censoring news of the alleged breach, and Chinese messaging apps WeChat and Weibo are blocking messages and mentions like “data leak” and “database breach.” The Chinese government has not yet commented on the breach.

It’s not the first security lapse involving a massive set of Chinese residents’ data that was left exposed to the wider internet without a password. In 2019, TechCrunch reported that a smart city installation in China was spilling the contents of a facial recognition database of nearby residents.


You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.

US government says North Korean hackers are targeting American healthcare organizations with ransomware

The FBI, CISA, and the U.S. Treasury Department are warning that North Korean state-sponsored hackers are using ransomware to target healthcare and public health sector organizations across the United States.

In a joint advisory published Wednesday, the U.S. government agencies said they had observed North Korean-backed hackers deploying Maui ransomware since at least May 2021 to encrypt servers responsible for healthcare services, including electronic health records, medical imaging, and entire intranets.

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations,” the advisory reads. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [healthcare] organizations.”

The advisory notes that in many of the incidents observed and responded to by the FBI, the Maui ransomware caused disruption to healthcare services “for prolonged periods.”

Maui was first identified by Stairwell, a threat-hunting startup that aims to help organizations determine if they have been compromised, in early April 2022. In an analysis of the ransomware, Stairwell principal reverse engineer Silas Cutler notes that Maui lacks many of the features commonly seen with tooling from ransomware-as-a-service (RaaS) providers, such as an embedded ransom note or automated means of transmitting encryption keys to attackers. Rather, Stairwell concludes that Maui is likely manually deployed across victims’ networks, with remote operators targeting specific files they want to encrypt.

North Korea has long used cryptocurrency-stealing operations to fund its nuclear weapons program. In an email, John Hultquist, vice president of Mandiant Intelligence, said that as a result “ransomware is a no-brainer” for the North Korean regime.

“Ransomware attacks against healthcare are an interesting development, in light of the focus these actors have made on this sector since the emergence of COVID-19. It is not unusual for an actor to monetize access which may have been initially garnered as part of a cyber espionage campaign,” said Hultquist. “We have noted recently that North Korean actors have shifted focus away from healthcare targets to other traditional diplomatic and military organizations. Unfortunately, healthcare organizations are also extraordinarily vulnerable to extortion of this type because of the serious consequences of a disruption,” he added.

The advisory, which also includes indicators of compromise (IOCs) and information on tactics, techniques and procedures (TTPs) employed in these attacks to help network defenders, urges organizations in the healthcare industry to strengthen their defenses by limiting access to data, turning off network device management interfaces, and by using monitoring tools to observe whether Internet of Things devices have become compromised.

“The FBI, along with our federal partners, remains vigilant in the fight against North Korea’s malicious cyber threats to our healthcare sector,” said FBI Cyber Division assistant director Bryan Vorndran. “We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems.”

The U.S. government’s latest warning follows a spate of high-profile cyberattacks targeting healthcare organizations; University Medical Center Southern Nevada was hit by a ransomware attack in August 2021 that compromised files containing protected health information and personally identifiable information, and Eskenazi Health said in October that cybercriminals had access to their network for almost three months. Last month, Kaiser Permanente confirmed a breach of an employee’s email account led to the theft of 70,000 patient records.

US publisher Macmillan confirms cyberattack forced systems offline

Macmillan, one of the largest book publishers in the U.S., said it has been hit by a cyberattack that forced it to shut down its IT systems.

Macmillan spokesperson Erin Coffey told TechCrunch that the company recently experienced a “security incident” that “involved the encryption of certain files on our network.” The attack struck the company on June 25, according to reports, and also impacted its U.K. branch, known as Pan Macmillan.

While the company declined to answer further questions on the nature of the incident or how its systems were compromised, the use of encryption by the hackers indicates that it was ransomware. The attack has not yet been claimed by any major ransomware groups, and it remains unclear whether any sensitive data was stolen.

“As a precautionary measure, we immediately took systems offline to prevent further impact to our network,” Coffey added. “We are working diligently with specialists to investigate the source of this issue, understand its impact on our systems, and to restore full functionality to our networks as soon as possible.

“Customers and other third-party partners may notice that certain systems are unavailable while these efforts are underway. Please know that the Macmillan team is working around the clock on this restoration and installation of additional network safeguards.”

As a result of the cyber incident, Macmillan also closed its virtual and physical offices in New York, with staff tweeting that they had no access to their systems, emails, and files as a result. Publishers Weekly, which first broke the news of the cyberattack, notes that Macmillan’s sales team was also warning that disruption could cause delays in book shipments.

Macmillan told TechCrunch that it has already begun bringing systems back online, but remains unable to process orders. 

“We are bringing certain systems back online, including those that we took offline as a precautionary measure,” Coffey said. “For the U.S., we are accepting orders electronically, but are unable to process them at this time. We will continue to communicate updates as they come.”

Daily Crunch: The party’s over — Airbnb bans all disruptive gatherings in perpetuity

To get a roundup of TechCrunch’s biggest and most important stories delivered to your inbox every day at 3 p.m. PDT, subscribe here.

Greetings, there is a lot of news to get into today, and my head is reeling a bit from some of that January 6 testimony today, so let’s get right into it. Oh, and TechCrunch+ is having an Independence Day sale! Save 50% on an annual subscription here. (More on TechCrunch+ here if you need it!) Now that you have said subscription, head on over to Haje’s story about your pitch deck needing an operating plan. — Christine

The TechCrunch Top 3

  • Kid ’n Play would not be amused: Airbnb has spoken and is putting an end to party houses with a permanent ban, Ivan reports. This is something the company initially started 2 years ago, and it seems to have worked — the company reports 44% fewer complaints of parties year over year.
  • On target: Though crypto exchange FTX’s CEO Sam Bankman-Fried denied he was interested in buying Robinhood, Alex gets into why FTX would be interested at all.
  • The headline speaks for itself: Mike scored a home run with his headline for a story about four European founders turned angel investors who are giving some of their venture capital firm competitors — many they say have not operated a company before — a run for their money.

Startups and VC

We enjoyed Ingrid’s story about Speechmatics, a company that raised $62 million for its approach to speech-to-text artificial intelligence. One of the interesting things it is doing is removing some of the bias so that if you have an accent, or speak in a certain way, it will still be picked up and translated accurately.

E-commerce is hot, hot, hot, but it can be daunting to sift through something like 7,500 apps, which Shopify has, to find the ones that will be best for your business. I wrote about Shop Circle, which came out of stealth mode today with $65 million. The company sifted through all of those apps and is acquiring them so you don’t have to.

We know electric vehicles are expensive, so wouldn’t it be great to defer a portion of the monthly payment? Meet Tenet, which raised $18 million for its loan offering that could cut an average of $200 off the bill, Harri writes.

Here’s the short, short version of other stories:

  • Powering job boards: While the tech sector is seeing layoffs, Kyle reports that Gloat grabs $90 million to build better internal job boards.
  • Rising tides and all: Sustainable Ocean Alliance, an ocean-focused, early-stage startup incubator, got itself $18 million in new funding from sources, most notably Marc and Lynne Benioff, Devin writes.
  • You got a friend in me: Finding friends is hard, and as Catherine points out, it gets even harder as you get older. That’s why it’s heartwarming to read about apps like Hank, which grabbed $7 million in seed funding and connects older adults to something fun they like to do.
  • Vice no more?: It wasn’t that long ago that venture capital firms were skittish on the idea of investing in one of the “vices,” you know, like alcohol and cannabis. Haje reports that JourneyOne has a fresh $10 million fund that is ready to be put to work in cannabis tech.

Use chronological scenario planning to help your startup get through a potential recession


People who burn wood to keep warm through the winter know how to calculate how many cords they’ll need to chop and stack. Creating a winterization strategy for a startup is a less straightforward process, however.

In this environment, entrepreneurs should build decision trees that can help them manage 36 months of runway, recommends Gaetano Crupi, partner at venture capital firm Prime Movers Lab.

A 3-year outlook “is a more appropriate time horizon for collecting more information so you can decelerate even further (with cash to pivot) if things are worse in 12 months, or accelerate if things are better in 18 months,” he advises.

(TechCrunch+ is our membership program, which helps founders and startup teams get ahead. You can sign up here.)

Big Tech Inc.

Starting off our Big Tech news today is a handoff of one of India’s biggest telecom companies and the beginning of a new generation. Manish reports that Akash Ambani took the reins of Reliance Jio from his father, Mukesh Ambani, in what was viewed by analysts “as a clear illustration of a leadership transition in one of Asia’s wealthiest families.”

Carly writes that cybercrime operation RansomHouse (why do these sound like book publishers?) is supposedly behind the extortion of some data from U.S. chipmaker AMD. The company is investigating the incident.

Ron attended some of Google’s Sustainability Summit this week and came out with a story about Google Cloud’s new sustainability platform to provide businesses with data to help them achieve their climate goals.

More for your viewing pleasure:

  • Oh, yes, we got trouble, trouble, trouble: When you buy an electric vehicle, you want it to run with the same reliability as your old combustion engine car, but as Jaclyn reports, a J.D. Power survey found that was not the case.
  • Get the band back together: Spotify’s new Supergrouper in-app feature will create a mixed tape of sorts for up to five of your favorite artists, Aisha writes.
  • Convoy: Rebecca reported on an open letter sent to California governor Gavin Newsom from a group of autonomous truck developers urging the state to reconsider an earlier ruling that prohibits those kinds of vehicles in the state.
  • Listen up: If you are looking for some new earbuds, Brian provides a review of Nura’s prototype. 
  • Developer delight: Frederic writes about Hasura’s new GraphQL Data Connector that “allows developers to bring virtually any data source into Hasura in order to expose it as a GraphQL API.”

RansomHouse extortion group claims AMD as its latest victim

AMD said it is investigating a potential data breach after RansomHouse, a relatively new data cybercrime operation, claims to have extorted data from the U.S. chipmaker.

An AMD spokesperson told TechCrunch that the company “is aware of a bad actor claiming to be in possession of stolen data,” adding that “an investigation is currently underway.”

RansomHouse, which earlier this month claimed responsibility for a cyberattack on Shoprite, Africa’s largest retailer, claims to have breached AMD on January 5 to steal 450GB of data. The group claims to be targeting companies with weak security, and claimed it was able to compromise AMD due to the use of weak passwords throughout the organization.

“An era of high-end technology, progress and top security… there’s so much in these words for the crowds. But it seems those are still just beautiful words when even technology giants like AMD use simple passwords to protect their networks from intrusion,” RansomHouse wrote on its data leak site. “It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on — all thanks to these passwords.”

Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch there’s no reason to doubt the group’s claims. “Ransomware operators are untrustworthy bad-faith actors and all their claims should be viewed with skepticism,” he said. “That said, as far as I’m aware, none of the claims they’ve made to date have proven to be false.”

A portion of the stolen data leaked by RansomHouse and seen by TechCrunch suggests that AMD employees were using passwords as simple as “password,” “123456,” and “Welcome1.” Other data posted by the group appears to include network files and system information. It’s unclear if a ransom demand has been made to AMD, but RansomHouse advises victims to contact its support team to receive “further instructions” on how to prevent full data disclosure.

AMD would not say if it had received a ransom demand, nor would it say which of its systems had been targeted or whether customer data was accessed as a result. The chipmaker also declined to answer any questions regarding its password security measures.
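The leaked material described above reportedly included passwords such as “password,” “123456” and “Welcome1,” which is the kind of weakness an organization can catch before an intruder does. The following is an added example, not code from the article, from AMD or from RansomHouse, of a password-policy check that rejects not just exact matches against a common-password list but the variants attackers' wordlist rules generate from them: case changes, a trailing year or symbol, and letter-for-symbol substitutions. The denylist here is a constructed handful of entries; a real deployment would consult a large breached-password corpus instead.

```python
import re
from typing import Optional

# Constructed denylist for the example. In production this would be a large
# breached-password corpus or a k-anonymity lookup against such a service.
COMMON_PASSWORDS = {"password", "123456", "welcome", "qwerty", "letmein", "admin"}
MIN_LENGTH = 12

# Common letter-for-symbol substitutions, reversed so "P@ssw0rd" maps to "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalize(password: str) -> set:
    """Return the base forms an attacker's mangling rules would also produce."""
    base = password.casefold()
    variants = {base}
    # Strip a trailing run of digits and symbols ("Welcome1", "Summer2022!").
    variants.add(re.sub(r"[\d\W_]+$", "", base))
    # Undo leet substitutions on every variant collected so far.
    variants.update({v.translate(LEET_MAP) for v in list(variants)})
    return {v for v in variants if v}


def check_password(password: str, denylist=COMMON_PASSWORDS) -> Optional[str]:
    """Return a rejection reason, or None if the password passes the policy."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    for variant in normalize(password):
        if variant in denylist:
            return f"derived from common password '{variant}'"
    return None


def audit(passwords) -> dict:
    """Map each candidate password to its rejection reason (None means accepted)."""
    return {p: check_password(p) for p in passwords}


if __name__ == "__main__":
    # Constructed candidates: the three forms named in the article plus variants
    # that a length rule alone would let through.
    for pw, reason in audit(["password", "123456", "Welcome1", "Welcome12345!",
                             "P@ssw0rd2024!!", "correct-horse-battery-staple"]).items():
        print(f"{pw!r}: {reason or 'accepted'}")
```

The normalization is deliberately cheap so it can run at password-set time; it catches the "Welcome1" pattern (a dictionary word plus a digit) that satisfies naive complexity rules, which is exactly why complexity rules alone are a poor substitute for a denylist.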

Unlike other cybercrime gangs, RansomHouse claims it’s not a “ransomware” group, rather it describes its operation as a “professional mediators community,” even if the end goal of extorting companies for money remains the same.

“We have nothing to do with any breaches and don’t produce or use any ransomware,” RansomHouse says on its dark web site. “Our primary goal is to minimize the damage that might be sustained by related parties. RansomHouse members prefer common sense, good conflict management and intelligent negotiations in an effort to achieve fulfilment [sic] of each party’s obligations instead of having non-constructive arguments.”

RansomHouse first emerged in December 2021 and currently lists six victims on its data leak site, the first of which was Canada’s Saskatchewan Liquor and Gaming Authority (SLGA).

Rsocks, a popular proxy service, was just seized by the DOJ

The U.S. Department of Justice has confirmed it has seized and dismantled the infrastructure of a Russian botnet used to hijack millions of devices worldwide for use as proxy servers.

According to prosecutors, Rsocks provided its web proxy service — operated by unnamed Russian cybercriminals — by hacking into millions of computers, smartphones, and Internet of Things devices, and converting them into unwitting proxy servers, allowing paying customers to use the IP addresses of the compromised devices without the permission or the knowledge of the owners.

Rsocks’ own Twitter account claimed access to more than eight million residential devices and more than one million mobile IPs.

Proxy services, which are not inherently illicit or illegal, provide clients with IP addresses for a fee, for purposes such as bypassing censorship or accessing content geo-blocked to a particular region. But according to prosecutors, Rsocks was allegedly hacking into millions of devices by conducting brute force attacks.

Customers could access a web-based “storefront” where they could rent access to proxies for a specific time period. Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers, and then route malicious internet traffic through the compromised devices to mask or hide the true source of the traffic.

“It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages,” the Justice Department said in a press release announcing the successful takedown of the botnet’s infrastructure.

FBI investigators used undercover purchases to get access to the Rsocks botnet to identify its backend infrastructure and victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices, mainly located in the United States.

As well as homes, small businesses and individuals, several large public and private entities have fallen victim to the Rsocks botnet, prosecutors said, including a university, a hotel, a television studio, and an electronics manufacturer.

“Cyber criminals will not escape justice regardless of where they operate,” said U.S. Attorney Randy Grossman. “Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible.”

The Rsocks botnet is the second of its kind that has recently been dismantled by U.S. authorities. In April, an FBI operation revealed that it had disrupted another botnet, known as Cyclops Blink, which was operated by a group of hackers working for Russia’s GRU, the country’s military intelligence unit.

FBI seizes notorious marketplace for selling millions of stolen SSNs

U.S. law enforcement has announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information — including Social Security numbers, or SSNs — of millions of Americans.

The operation was conducted by the FBI, the Internal Revenue Service (IRS), and the Department of Justice (DOJ), with help from the Cyprus Police, to seize four domains hosting the SSNDOB marketplace — ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz.

SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs, and credit card numbers, and generated more than $19 million in revenue, according to the DOJ. Chainalysis, a blockchain analysis company, reports separately that the marketplace has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been active since at least 2013.

These figures suggest that some users were buying personally identifiable information from the service in bulk, according to Chainalysis, which also uncovered a connection between SSNDOB and Joker’s Stash, a large dark net market focused on stolen credit card information that shut down in January 2021.

The operators of SSNDOB are said to have employed various techniques to protect their anonymity and to thwart detection of their activities, including using online monikers that were distinct from their true identities, and strategically maintaining servers in various countries, the DOJ said.

“Identity theft can have a devastating impact on a victim’s long-term emotional and financial health. Taking down the SSNDOB website disrupted ID theft criminals and helped millions of Americans whose personal information was compromised,” said Darrell Waldon, the special agent in charge of the IRS’ criminal investigation field office in Washington, D.C.

The seizure of SSNDOB’s infrastructure marks the continued ramping up of efforts by law enforcement to disrupt malicious cyber activity. Last week, Europol announced the shutdown of FluBot, an Android trojan that steals online banking information, while the DOJ said it seized three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.

Microsoft disrupts Iranian-linked hackers targeting organizations in Israel

Microsoft said on Thursday that it has successfully “identified and disabled” a previously unreported Lebanon-based hacking group that it believes is working with Iranian intelligence. 

The hacking group, tracked by the Microsoft Threat Intelligence Center (MSTIC) as “Polonium,” targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months, with a focus on critical manufacturing, IT and Israel’s defense industry. In one case a cloud services provider “was used to target a downstream aviation company and law firm in a supply chain attack,” Microsoft said in a blog post.

It added that Polonium operators have also targeted multiple victims compromised by the MuddyWater APT group, tracked by Microsoft as Mercury, which U.S. Cyber Command earlier this year linked to Iranian intelligence.

The previously unknown hacking group created legitimate Microsoft OneDrive accounts and then utilized those accounts as command and control (C2) to execute part of their attack operation. The observed activity was not related to any security issues or vulnerabilities within OneDrive, the Microsoft researchers wrote.

MSTIC said it determined with high confidence the group behind the attacks is based in Lebanon, adding that they were “moderately” confident that Polonium was collaborating with Iran’s Ministry of Intelligence and Security (MOIS).

“The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS,” Microsoft said. “It may also be evidence of a ‘hand-off’ operational model where MOIS provides Polonium with access to previously compromised victim environments to execute new activity.”

Microsoft says it successfully suspended more than 20 malicious OneDrive applications created by the Polonium threat actors. The company added that it has also notified affected organizations and deployed a series of security intelligence updates that will quarantine tools developed by the Iranian-linked hackers. 

It’s still unclear how the attackers gained initial access to their victims’ networks, but Microsoft notes roughly 80% of compromised organizations were running Fortinet appliances, which “suggests, but does not definitively prove” that Polonium compromised the Fortinet appliances using a three-year-old vulnerability identified as CVE-2018-13379.

Microsoft’s action comes just months after the U.S. government, along with counterparts in Australia and the U.K., warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors — in some cases with ransomware. The advisory said that Iranian-backed hackers accessed a web server hosting the domain for a U.S. municipal government in May last year, before accessing the networks of a U.S.-based hospital specializing in healthcare for children the following month.

Foxconn confirms ransomware attack disrupted operations at Mexico factory

Smartphone manufacturing giant Foxconn has confirmed that a ransomware attack in late May disrupted operations at one of its Mexico-based production plants.

“It is confirmed that one of our factories in Mexico experienced a ransomware cyberattack in late May,” Jimmy Huang, a Foxconn spokesperson told TechCrunch. “The company’s cybersecurity team has been carrying out the recovery plan accordingly.”

The affected production plant is Foxconn Baja California, located in the city of Tijuana at the border with California, which specializes in the production of medical devices, consumer electronics and industrial operations. The company told TechCrunch that while operations at the plant were disrupted as a result of the ransomware attack, the factory is “gradually returning to normal.”

“The disruption caused to business operations will be handled through production capacity adjustment,” Huang added. “The cybersecurity attack is estimated to have little impact on the Group’s overall operations. Relevant information about the incident is also provided instantly to our management, clients and suppliers.” 

Foxconn declined to say whether any data was accessed as a result of the attack, nor did it provide any information on who was responsible. However, the operators of LockBit — a prominent ransomware-as-a-service (RaaS) operation — have claimed responsibility for the May 31 attack and are threatening to leak data stolen from Foxconn unless a ransom is paid by June 11. LockBit’s demands remain unknown, and Foxconn refused to comment on whether it had paid the ransom demand.

Cybersecurity firm Mandiant said in an analysis on Thursday that Russia-based Evil Corp, a notorious hacking group that was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control in December 2019, had been using LockBit in a bid to blend in with other affiliates. It remains unclear whether the Foxconn attack is linked to the sanctioned hacking group, which developed and distributed the Dridex malware. 

This isn’t the first time that Foxconn has been hit by ransomware. In December 2020, the company said that some of its systems based in the U.S. had been attacked by the operators of the DoppelPaymer ransomware who demanded a payment of $34 million in bitcoin.

Costa Rica’s public health system hit by Hive ransomware following Conti attacks

Costa Rica’s public health service, known as the Costa Rican Social Security Fund (CCSS), has been forced to take its systems offline after being hit by Hive ransomware.

In a statement on Twitter, the CCSS said the attack started early on Tuesday morning and that an investigation was being conducted. It added that several payroll and pension databases – including the Unified Digital Health system and the Centralized Tax-Collection System – were not affected by the attack. In an address to local media, the CCSS added that the Hive ransomware was deployed on at least 30 out of 1,500 government servers and that it could not yet estimate how long recovery would take.

Several employees of the CCSS said they were told to shut down their computers after all of their printers began spitting out unintelligible documents. Another employee said that as a result of the attack, COVID-19 results cannot currently be reported.

The attack comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in the country in response to cyberattacks from the Conti ransomware group. Costa Rica’s Finance Ministry was the first government body to be hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. 

In a message posted to its dark web leaks blog at the time, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Cybersecurity experts have suggested that the cybercriminals behind this latest Hive ransomware attack could be working with the Conti gang to help the group rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.

According to threat intelligence company AdvIntel, Conti “can no longer sufficiently support and obtain extortion” due to its public allegiance to Russia in the first days of the Russian invasion of Ukraine, and the firm believes the group is in the process of shutting down. The gang’s official website and negotiations service site have gone dark, while the rest of its infrastructure, from chatrooms to messengers and from servers to proxy hosts, was going through a major reset.

As a result, AdvIntel believes the gang has formed alliances with other ransomware groups, including Hive, a ransomware-as-a-service (RaaS) operation that has been active since at least June 2021.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, tells TechCrunch: “The same individual could be an affiliate with both Conti and Hive and potentially other RaaS operations too. It’s also possible that Conti and Hive have established a working relationship, as other researchers have claimed. 

“Some negotiating firms have refused to transact with Conti since they sided with Russia and threatened attacks on US critical infrastructure due to the risk of OFAC/sanction complications. Because of that, it’s not unlikely that the core team and/or affiliates want attacks to be attributed to other ransomware operations.”