Jack Daniel’s Parent Company Brown-Forman Targeted for Ransomware by Notorious REvil

Brown-Forman, Jack Daniel’s parent company and a giant of the alcoholic beverage industry, recently suffered a ransomware data breach originating from REvil.

REvil ransomware gang strikes again 

One of the largest American-owned spirits and wine companies in the world and the official mother company of Jack Daniel’s whiskey, Brown-Forman disclosed that they had suffered from a cyber-attack in which some sensitive information, including but not restricted to employee data, had been stolen. 

An anonymous message was sent to Bloomberg to confirm the privacy breach and the compromise of Brown-Forman’s internal servers. Speaking about the ransomware attack, Brown-Forman said that they had everything under control and that they were working with law enforcement to resolve the issue. The company also added, “There are no active negotiations.”

Who is REvil? 

This is definitely not the first rodeo for the REvil ransomware group. The cybercrime operation, also known under the pseudonym Sodinokibi, rose to fame in the digital world through its criminal activities. It first appeared in early 2019; its file-encrypting malware, which was closely monitored by cybersecurity giant McAfee, enabled REvil hackers to seize private information.

Often, they would demand payment from the targeted company. In exchange for unlocking the files and delivering the sensitive data safely back to its owner, the REvil ransomware group would demand a hefty cryptocurrency sum. Should the victimized company fail to comply with their demands, REvil hackers would then threaten to release the stolen confidential files on websites and across the internet, for all to see and use to their own advantage.

Come and get it – REvil claims to have stolen data 

Though Brown-Forman denied that any negotiations were currently in motion, the hackers have allegedly backed their ransom demands by stating that they possessed 1 terabyte of confidential data. The REvil ransomware gang threatened to share the sensitive information and affirmed that the company’s secrets would be available for all to see if the ransom was not delivered.

The Sodinokibi group also shared screenshots of sensitive file names to back their claims. The ransomware group has been notorious for previously hitting big names such as Mariah Carey, rap star Nicki Minaj, and NBA superstar LeBron James to attain their ransom objectives. REvil also runs a dedicated leak website on which it posts and auctions off stolen data.

Blockchain against cybercrime 

With cybercrime on the rise and hackers capitalizing on COVID-19 to conduct their illicit activities online, numerous Asian countries have been reported to have increased the adoption of blockchain for security purposes. Schools, companies, and traditional institutions have all been victims of hackers’ deviant behavior at some time or another. With blockchain adoption, Asian entities hope that their institutions would be better equipped to battle scams. 

Advocating for blockchain technology for global digital advancement is the Senior Manager of PwC Consulting, Tomohiro Maruyama. The PwC manager said when speaking with Nikkei Asian Review:  

“Internet piracy has posed a major challenge for companies as they look to digitize operations. Blockchain emerged as a solution for fighting digital counterfeits, pushing businesses to adopt the technology.” 

Maruyama thinks that when COVID-19 finally passes, the world will change on a global scale, with more companies converting to blockchain technology and integrating it into their business for its numerous benefits.   

Ransomware Attack Directed Towards University of California Generated 118 Bitcoin

The University of California, San Francisco’s plans to further COVID-19 vaccine research were disrupted by a ransomware attack on the school’s servers. 

Ransomware Operation Hits US, Seeks $3 Million 

School files, transcripts, employee, and student-related data were reported to have been stolen during the hack. The University of California, San Francisco (UCSF) was working on a vaccine for COVID-19 when several of its school servers were shut down and locked by hackers.  

The ransomware group responsible for the network freeze appears to be Netwalker, a hacking ring that has been fairly active since last fall. The hacking operation demanded a ransom of $3 million in exchange for releasing the decryption keys and set a deadline of “2 days, 23 hours, and 0 minutes” for the transfer of digital assets. It also appointed a representative whose purpose was to coordinate all negotiations and discussions with UCSF. The hackers’ spokesperson was dubbed “Operator.”

Negotiations to Drive Down Ransom  

Though UCSF has not been able to confirm the origin of the attackers, the messages that were exchanged between the university’s negotiator and Operator were riddled with grammatical tics that are commonly observed among native Russian speakers. One thing that seemed like a fair bet was that the hackers were not in US jurisdiction at the time of the act. 

Though the FBI usually handles ransomware attacks on US soil, UCSF took matters into its own hands in this case. The UCSF negotiator asked Operator to give the university a bit more time to come up with the sum demanded. The negotiator also pushed for a lower price, appealing to Operator’s emotions and stating that, because of the ongoing COVID-19 research the university was engaged in, it had nowhere near the funds that Operator demanded.

The exchange took approximately six days, with ransom demands fluctuating from $390k to $780k and so on. The UCSF negotiator relentlessly attempted to drive down the ransom price, to no avail. Finally, resorting to empathy, the negotiator said to Operator, as disclosed by Bloomberg, “I haven’t slept in a couple of days because I’m trying to figure this out for you. I am being viewed as a failure by everyone here and this is all my fault this is happening.”

Whether or not this was a strategy employed by the negotiator, it somehow worked, as Operator responded, “My friend, your team needs to understand this is not your failure. Every device on the internet is vulnerable.” 

BTC Funds for Netwalker 

The negotiator and Operator finally agreed on a price of $1.14 million. This translates to approximately 118 Bitcoin at the time of writing. The university representative then asked for a few days to gather the digital assets. The deal that was struck entailed that the Netwalker ransomware group would transfer all the data it stole from the university’s network back to UCSF in exchange for the funds. The attackers also had to provide evidence that they had deleted the copies from their own servers, a task that required attentive decryption.

UCSF was able to link the hackers to Netwalker through the cybercriminals’ dark web blog. The Netwalker operation also possessed its own malware, available for leasing to any future attackers. In March, it also posted a dark web ad to recruit new hackers to its team. The posting read: “Russian-speaking network intruders—not spammers—with a preference for immediate, consistent work.”

Final Deal Struck Between UCSF & Operator 

Through down-to-earth conversation, an appeal to empathy and compliments—a common negotiation strategy that seasoned negotiators stand by—the UCSF negotiator was able to strike a deal to recover at least 20 gigabytes of stolen files that the attackers had taken from the university network. This translated to encrypted data from at least seven university servers.

Japanese University Leverages Blockchain to Protect Servers

Ransomware attacks appear to be on the surge, especially during the pandemic.

Companies are certainly not the only ones concerned with cyber attacks. In fact, schools have also been increasingly targeted for encrypted data and transcript forgery. Recently, Japan came up with a system called CloudClerts that leverages blockchain technology to provide universities with a more secure way of distributing academic transcripts and expected graduation diplomas. Blockchain is increasingly perceived by many firms and institutions as a way to combat digital counterfeits and conduct business more efficiently.

Lazarus Group Hacks for Crypto via LinkedIn Blockchain Job Posting

A hacking operation that is allegedly backed by North Korea has been reported to be targeting blockchain and cryptocurrency employees through LinkedIn.  

Malware Infiltrates LinkedIn

The Lazarus hacking group has been growing its online presence through its large-scale cyber-attack operations. Since 2017, the Lazarus ransomware group has accumulated over $571 million in stolen cryptocurrencies.

According to a report by Finnish cybersecurity firm F-Secure, the latest cyber-attack from Lazarus was conducted through the professional employment-oriented digital platform LinkedIn. Lazarus hackers targeted a blockchain and crypto industry employee through a phishing message. The message was presented as a legitimate blockchain job offer, with an MS Word document titled “BlockVerify Group Job Description” attached. Embedded in the MS Word document was malicious macro code, which launched automatically when the file was opened.

Hacking for Crypto

After further investigation, the F-Secure threat intelligence team revealed that the names, authors, and document details found in the “BlockVerify Group Job Description” document posted on LinkedIn matched a publicly available sample on VirusTotal, a large malware and URL scanning service. Data from VirusTotal confirmed F-Secure’s suspicions of foul play, as findings revealed that the malicious macro code was originally created in 2019. Since then, 37 antivirus engines have flagged it.

The goal of releasing the malware was to harvest login credentials and gain entry into the victim’s network. Through that crucial step, Lazarus could then move through the network and steal cryptocurrency funds.

Furthermore, F-Secure disclosed that the Lazarus Group also shared similar interests as that of the government of North Korea. According to F-Secure cybersecurity experts, the cyber operations set in place by the Democratic People’s Republic of Korea will also very likely target organizations and companies that are not necessarily working within the realm of the crypto industry.

North Korea Has an Army of Hackers 

A tactical report recently presented by the US Army revealed that the North Korean government has more than 6,000 hackers dispersed throughout the world working for it. Countries hosting North Korea-based hackers include Belarus, China, India, Malaysia, and Russia, to name a few.

The US has long been active in trying to put an end to North Korea’s widespread cryptocurrency-driven cybercrime campaigns and is still actively working on strategically obliterating the illicit online activities. 

Ransomware Group Demands $4M in Bitcoin from Argentina, Border Activity Halted for 4 Hours

A Bitcoin ransomware attack was directed towards Argentina’s immigration agency, halting border crossing temporarily.

Netwalker Malware Strikes Again

It appears as though the notorious ransomware group Netwalker has struck again with their infamous cryptocurrency demands.

According to the computer support platform Bleeping Computer, this may be the first time that a cyber attack on a federal agency has effectively interrupted a country’s global operations. Argentina’s cybercrime agency—Unidad Fiscal Especializada en Ciberdelincuencia—caught wind of the Bitcoin ransomware attack when multiple checkpoints called in for tech support on August 27.

After further investigation by the Central Data Center and Distributed Servers unit, a virus infecting MS Windows and Microsoft Office files was discovered. The malware, Netwalker, is reputed to be a powerful virus used in numerous cryptocurrency ransom attacks in the past. It functions by encrypting documents using an Advanced Encryption Standard (AES) cipher, which is often leveraged by government bodies to protect classified information. Ransom notes were also found on the encrypted devices, and the Netwalker group made their demands through them.

In exchange for a safe release of the stolen private data, Netwalker hackers asked for a $2 million ransom in Bitcoin from Argentina’s immigration office. They also linked a dark web payment site with details containing information about how to purchase a decryptor, sensitive data from their attack as proof that it happened, and the ransom amount. In an email to the immigration office, hackers said:

“Do not try to recover your files without a decryptor program, you may damage them and then they will be impossible to recover.”

As their crypto requests were not granted after several days, the hackers increased the ransomware sum to $4 million in Bitcoin, which translates to roughly 355 Bitcoins (BTC). On the Tor website through which they issued their demands, it read: “Payment expired! New price: 4,000,000 $ (355.87180000 BTC).”

Officials unfazed by Bitcoin extortion

To ensure that the ransomware did not spread to other servers, the immigration office of Argentina shut down its computer networks and temporarily suspended border crossings for four hours. Because some of the servers were compromised, there were delays for entry and exit at the Argentinian border as cybersecurity experts scrambled to resolve the issue.

Argentinian government officials were reluctant to comply with the ransomware hackers’ demands, disclosing to local news outlet Infobae that “they will not negotiate with hackers and neither are they too concerned with getting that data back.” Argentina’s immigration agency refused to be intimidated, calling the Netwalker ruse an extortion crime that could be punishable with 5-10 years of imprisonment.

Netwalker group is Bitcoin hungry

The Netwalker ransomware group has notoriously engaged in cybercrime since September 2019, with its most recent attack affecting the University of California, San Francisco. After a week-long negotiation, a sum of 118 Bitcoin was finally agreed upon between the educational institution and the ransomware group.

Ransomware Hackers Hunt for Bitcoin by Targeting Call of Duty: Warzone

Ransomware hackers have raided Call of Duty: Warzone player accounts and demanded Bitcoin payments in exchange for releasing the retained data.

With the rising popularity of Call of Duty, hackers have increasingly been lured to it, due to the sizeable profit that can be reaped through the sale of the rare gun skins found on players’ accounts. The first-person shooter game appears to have hundreds of dollars locked into it, with serious players dedicating a lot of time to unlocking new levels, especially given the pandemic. More elaborate skins also take more time for players to earn and unlock and can be purchased with in-game tokens, which can be bought with fiat. Expert-level accounts have therefore been of interest to ransomware hackers, as the purchased items and the account itself have a lot of value.

Though multiple players have reported that their accounts have been breached, it was reported that the publisher, Activision, has been unresponsive to outcries for help. The theft of credentials and the data breach have caused a frenzy among Warzone players. One gamer disclosed that hackers tried to extort bitcoins from him by reaching out to him through email. Along with a linked Bitcoin (BTC) wallet address, the ransom note read:

“If you wants our helps to prevent to leak ur deta [sic] and information and bank account etc, and help to gets your account back clarity need pay 400$ in below address.”

The Bitcoin wallet address has been reported to have received at least $12,000, which translates to a total of 1.2 BTC. Some of the transactions recorded amounts ranging from $20 to $2,600, but whether the funds were transfers originating from Warzone players has yet to be uncovered.

Victims have speculated that the ransomware hackers were able to steal private log-in credentials by trying previously compromised passwords from other websites. Others said that their Blizzard account was targeted instead, which was linked to the Call of Duty: Warzone one. Despite the loud cry for help, multiple targeted players have complained that the game publisher, Activision, has been unresponsive in assisting them to recover their compromised accounts.

Call of Duty: Warzone has boomed since its release in March, recording at least 75 million players within five months of its launch. The producing company, Activision Blizzard, has seen an increase in digital spending of around $1.59 billion since the launch of the game.

US Sanctions Crypto Addresses of Russian Hackers Accused of Running Presidential Election Interference

The US Department of the Treasury has released a Specially Designated Nationals list of Russian hackers and their crypto addresses, under allegations that they have been working to interfere with the 2020 presidential election.

The nationals list includes St. Petersburg natives Anton Nikolayevich Andreyev, Artem Mikhaylovich Lifshits, and more. Though this is not the first time the Office of Foreign Assets Control (OFAC), under the US Department of the Treasury, has named crypto wallet addresses in its sanctions, it is the first time that digital wallets holding such a wide range of digital currencies – Litecoin, ZCash, Ether, and Dash – have been reported for their involvement in funding an election interference conspiracy.

Project Lakhta

Under allegations of wire fraud conspiracy and misconduct, the US Department of Justice filed criminal charges against Lifshits, a 27-year-old Russian national. He is accused of having purposely interfered with US elections before, and of doing it again. Artem Lifshits is alleged to have played a major managing role in Project Lakhta, a multimillion-dollar Russian-based operation using propaganda to conduct political and presidential electoral interference.

Through Project Lakhta, the Department of Justice (DoJ) alleged, Lifshits illegally accessed US confidential documents and used the identification credentials of American citizens to open cryptocurrency, PayPal, and bank accounts. Of the criminal complaint filed by the DoJ, US attorney Zachary Terwilliger said:

“Project Lakhta conspirators used the stolen identities of U.S. persons to further their goals of undermining faith in our democratic institutions and for personal gain.”

The criminal complaint was filed hours after the US Treasury released an official sanctions list of Russian nationals, along with their respective cryptocurrency wallet addresses. US attorney Terwilliger added in the complaint:

“Federal law enforcement will work aggressively to hold accountable cyber criminals located in Russia and other countries, which serve as safe-havens for this type of criminal activity.”

Lifshits is accused of conspiracy to commit wire fraud and for “opening fraudulent accounts at banking and cryptocurrency exchanges” with stolen ID credentials originating from American citizens.

Electoral interference started in 2014

This is not the first time that US law enforcers have cracked down on Russian nationals for running presidential election interference through crypto funding. Russian nationals have been accused of scheming and running political campaign interference since at least 2014 when Project Lakhta first rose to notoriety. The complaint read:

“Since at least May 2014, Project Lakhta’s stated goal in the United States has been to disrupt the democratic process and spread distrust towards candidates for political office and the political system in general.”

The sanctions and the criminal complaint from the US Department of Justice come at a critical time, with the presidential election two months away.

Axie Infinity's Home Ronin Network Suffers Over $600m in another DeFi Hack

The Ronin Network has suffered what is being tagged as the largest hack in the history of Decentralized Finance (DeFi), with funds in excess of $625 million carted away by the hackers.

The Ronin Network’s official blog post shared that the hackers perpetrated the attack on March 23, although it was only just discovered.

Ronin Network is an Ethereum sidechain that was created with Axie Infinity’s community in mind. It is the product of the search by the Axie Infinity team for a fast, cheap, and reliable network resident on the Ethereum blockchain. As detailed in the Ronin Network blog post, a total of “173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions.”

“The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,” the blog post reads.

As detailed by Ronin Network, a withdrawal is only recognized when signed by at least 5 of the protocol’s 9 validators. The network said the hackers “managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.”

The Ronin Network also explained that the “validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
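The 5-of-9 signing rule and the compromised-key scenario described above, modelled as an added example that is not Ronin’s or Sky Mavis’s code: a toy bridge verifier in which HMAC stands in for the validators’ real signatures, with validator ids, operator names, keys and the withdrawal all constructed. It shows that five valid signatures satisfy the threshold no matter who holds the keys, and adds an operator-diversity check that is an assumption of this example, not a control the post describes.

```python
import hashlib
import hmac

# Constructed 9-validator set modelled on the 5-of-9 scheme in the Ronin post.
# Validator ids, operator labels and secret keys are all made up here; the
# HMAC "signature" stands in for the validators' real signatures.
THRESHOLD = 5
VALIDATORS = {
    "sm-1": ("SkyMavis", b"secret-sm-1"),
    "sm-2": ("SkyMavis", b"secret-sm-2"),
    "sm-3": ("SkyMavis", b"secret-sm-3"),
    "sm-4": ("SkyMavis", b"secret-sm-4"),
    "dao-1": ("AxieDAO", b"secret-dao-1"),
    "ext-1": ("OperatorA", b"secret-ext-1"),
    "ext-2": ("OperatorB", b"secret-ext-2"),
    "ext-3": ("OperatorC", b"secret-ext-3"),
    "ext-4": ("OperatorD", b"secret-ext-4"),
}


def encode_withdrawal(to_addr: str, amount_wei: int, nonce: int) -> bytes:
    """Canonical bytes every validator signs; the nonce prevents replay."""
    return f"{to_addr}|{amount_wei}|{nonce}".encode()


def sign_withdrawal(validator_id: str, withdrawal: bytes) -> str:
    _, key = VALIDATORS[validator_id]
    return hmac.new(key, withdrawal, hashlib.sha256).hexdigest()


def valid_signers(withdrawal: bytes, signatures: dict) -> set:
    """Ids of validators whose signature verifies; bad or unknown ones are dropped,
    and a validator is counted at most once however many times it signs."""
    signers = set()
    for vid, sig in signatures.items():
        if vid not in VALIDATORS:
            continue
        if hmac.compare_digest(sign_withdrawal(vid, withdrawal), sig):
            signers.add(vid)
    return signers


def operators_of(validator_ids) -> set:
    return {VALIDATORS[v][0] for v in validator_ids}


def check_withdrawal(withdrawal: bytes, signatures: dict, min_operators: int = 1):
    """The 5-of-9 threshold rule, plus an illustrative (assumed) diversity rule:
    signatures must span at least min_operators distinct operators, so keys
    held by one or two parties cannot authorise a withdrawal on their own."""
    signers = valid_signers(withdrawal, signatures)
    if len(signers) < THRESHOLD:
        return False, f"only {len(signers)} of {THRESHOLD} valid signatures"
    ops = operators_of(signers)
    if len(ops) < min_operators:
        return False, f"signers span {len(ops)} operator(s), need {min_operators}"
    return True, "approved"


# Constructed withdrawal and the compromised-key scenario from the post:
# four Sky Mavis validator keys plus the Axie DAO validator's signature.
WITHDRAWAL = encode_withdrawal("0xattacker-placeholder", 173_600 * 10**18, 1)
COMPROMISED = ["sm-1", "sm-2", "sm-3", "sm-4", "dao-1"]
ATTACK_SIGS = {v: sign_withdrawal(v, WITHDRAWAL) for v in COMPROMISED}
# A bogus signature for a validator the attacker does not control: ignored.
ATTACK_SIGS["ext-1"] = "00" * 32

if __name__ == "__main__":
    print(check_withdrawal(WITHDRAWAL, ATTACK_SIGS))                   # (True, 'approved')
    print(check_withdrawal(WITHDRAWAL, ATTACK_SIGS, min_operators=3))  # (False, ...)
```

The threshold alone cannot distinguish five independent signers from five keys in one attacker’s hands; only a rule about who holds the keys, or where the signing happens, can.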

The attackers’ address is a relatively new one. Fortunately, the majority of the stolen funds still sit in that address, minus the 6,250 ETH that has been sent on to various other addresses. As confirmed in the blog post, transactions on the Ronin Network and the Katana Decentralized Exchange have been halted to allow a joint investigation with the relevant agencies.

Prior to this Ronin Network hack, the interoperability blockchain Poly Network ranked as having suffered the largest theft in DeFi history; however, the entire $610 million taken was returned in full after a series of exchanges between the hacker and the Poly Network team.

DeFi Platform Raft Compromised, Loses $3.3 Million in Ether

A massive security breach recently occurred on the DeFi platform known as Raft, which resulted in the theft of around $3.3 million worth of Ether (ETH). The fact that the hacker was able to effectively remove 1,577 ETH from the network demonstrates the continued difficulties with security that exist inside the DeFi ecosystem.

The hacker did something quite unusual and transferred 1,570 ETH to a burn address, which basically rendered the bulk of the stolen assets useless. In sharp contrast to the significant sum that had been stolen in the beginning, the attacker was left with just seven ETH after this. This peculiar behavior led to the hacker suffering a loss, despite the fact that he or she had previously been paid 18 ETH by means of a crypto mixer service in order to allegedly finance the assault.

After the attack, the value of Raft’s dollar-pegged stablecoin, R, plummeted, falling by fifty percent from its previous level. Some time later, it had partly recovered to around 70 cents. Raft’s co-founder, David Garai, has confirmed the attack and its consequences for the platform. Raft is now concentrating its efforts on compensating affected users with the protocol-controlled sDAI held in the Peg Stability Module, a move made to limit the extent of the harm.

The Raft incident is not an uncommon occurrence in the crypto space. A number of high-profile attacks on DeFi platforms have taken place over the last several months. For example, the well-known cryptocurrency exchange Poloniex had its hot wallet compromised, resulting in a loss of around $114 million in crypto assets. A breach that cost CoinEx $54 million, a heist that cost HTX (previously Huobi Global) $7.9 million, and the Mixin Network incident, the largest DeFi hack of 2023 with an estimated loss of $200 million owing to stolen private keys, are some of the other noteworthy cases.

These incidents have heightened awareness of the critical need for DeFi platforms to strengthen the security frameworks they have in place. Trust must be maintained within the decentralized finance ecosystem, and protecting user funds is one of the most important ways to do so. This episode should serve as a wake-up call for improved security processes and more diligent monitoring in order to forestall similar events.
