Black Kingdom Ransomware Is Attacking Vulnerable Microsoft Exchange Servers

Ransomware attacks affecting DC events firm and Sierra Wireless, Top insurance company CNA hit by a ransomware attack, Personal information on all Israeli voters exposed online, much more

In the midst of massive patching and remediation activity by admins everywhere, vulnerable Microsoft Exchange servers are under attack by a new ransomware gang called Black Kingdom. The gang was first spotted last year exploiting vulnerabilities in Pulse Secure VPN products.

The attacks were first spotted by Marcus Hutchins, a security researcher for US security firm Kryptos Logic, who initially noted that the gang failed to do any damage. However, according to security firms Arete IR, Sophos, and Speartip, the attacks changed at the start of the week, and the group is now encrypting files. (Catalin Cimpanu / The Record)

Related: Naked Security, TechTarget, Ars Technica, Search Security

One of the top U.S. insurance companies, CNA Financial, has suffered business disruptions due to a likely ransomware attack.

Sources say the attack has disrupted business operations and forced CNA to shut down specific systems, while CNA said that it had shut down corporate email and disconnected systems. (Lawrence Abrams / Bleeping Computer)

The UK's National Cyber Security Centre (NCSC) has warned of a spike in ransomware attacks on schools and universities, causing problems all over the education sector.

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said in an alert. (Danny Palmer / ZDNet)

Related: ComputerWeekly: IT security, The Register, Bleeping Computer, DataBreaches.net, NCSC

Michigan-based Flagstar Bank is notifying customers that it has lost their Social Security numbers, home addresses, full names, and phone numbers to a ransomware gang.

Like dozens of other victims, Flagstar Bank was a victim of attackers exploiting a vulnerability in one of their software vendor systems, Accellion. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: BGR, Bleeping Computer

Related: Reddit - cybersecurity, Gizmodo, The Insurer, CNA

Ransomware attacks took down DC-area events firm Spargo, Inc., which counts the Armed Forces Communications and Electronics Association (AFCEA) as its client, on March 15. Separately, another ransomware attack shuttered the manufacturing plants of wireless modem and communications gear maker Sierra Wireless.

Speaking at an event hosted by Auburn University, acting director of DHS’s Cybersecurity and Infrastructure Security Agency, Brandon Wales, said that “The ransomware problem has not gone away, and we need new thinking on it.” (Sean Lyngaas / Cyberscoop)

Related: SecurityWeek, ZDNet Security, Bleeping Computer, Business Wire Technology News, DataBreaches.net, Telecompaper, The Record by Recorded Future, DataBreachToday.com, Security Affairs, SC Magazine, SecurityWeek, Light Reading

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) plans to activate its newly minted power to force internet service providers to supply their customers' identities so that officials can warn them about vulnerabilities in their systems, according to CISA’s acting director, Brandon Wales.

“It's an important new authority, one that the agency has been pushing for a couple of years, and we're actually getting ready to bring it live, as we've finished up some of our procedures and training, in the next 60 days or so,” Wales said at an Auburn University conference. (Mariam Baksh / NextGov)

Related: Executive Gov, Inforisk Today

The personal information of nearly all Israeli voters was reportedly exposed online on Monday, a day before the country’s general election, presumably by ransomware attackers who infiltrated Elector Software. Elector operates the voter-prompting Elector app, used by Likud and several other Israeli political parties.

The leaked data includes registered voters’ addresses, phone numbers, and dates of birth from a breach in 2020. (Jewish News Syndicate)

Related: AP Top News, The Independent, Financial Times, Gulf News, Chicago Sun-Times - All, LA Daily News, POLITICO, Voice of America, The Record

Intruders that gained access to emails and files at the California State Controller’s Office (SCO) stole Social Security numbers and sensitive files on thousands of state workers and sent targeted phishing messages to at least 9,000 other workers and their contacts, sources say.

The SCO said that for more than 24 hours starting on the afternoon of March 18, attackers had access to the email records of an employee in its Unclaimed Property Division after the employee clicked a phishing link and then entered their email ID and password. (Brian Krebs / Krebs on Security)

Related: E Hacking News, SiliconANGLE, SCO.ca

Deepanshu Kher, a former contractor of an unnamed company, has been sentenced to two years in prison after hacking into the company’s server and deleting most of its employees’ Microsoft Office 365 (O365) accounts.

The attack affected the bulk of the company’s employees and completely shut down the company. (Lindsey O’Donnell / Threatpost)

Related: The Register - Security, ZDNet Security, DataBreaches.net, Infosecurity Magazine, Malwarebytes Labs, Dark Reading, Justice.gov

Google is warning that a recently patched Android vulnerability, tracked as CVE-2020-11261, is being exploited in the wild.

The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm, which could be a privilege escalation vulnerability. (Eduard Kovacs / Security Week)

Related: The Hacker News, Sensors Tech Forum, Security Affairs

Guardicore Labs reports that Purple Fox, a malware previously distributed via exploit kits and phishing emails, now has a worm module that allows it to scan for and infect Windows systems reachable over the Internet.

Since May 2020, Purple Fox attacks have significantly intensified, reaching 90,000 attacks and 600% more infections. (Sergiu Gatlan / Bleeping Computer)

Related: Reddit - cybersecurity, TechCrunch, SecurityWeek, The Hacker News, Guardicore Labs

Firefox has released a new intelligent tracking mechanism for Firefox Private Browsing and Strict mode called SmartBlock that tries to prevent the breaking of websites while blocking tracking cookies.

SmartBlock accomplishes this feat by adding scripts similar to the original tracking scripts to reduce the amount of breakage on a webpage. (Aditya Tiwari / fossbytes)

Related: ZDNet Security, MacRumors, xda-developers, iMore, Ubergizmo

Orca Security, an Israeli cybersecurity startup that offers an agent-less security platform for protecting cloud-based assets, has raised $210 million in a Series C funding round.

The round was led by Alphabet’s independent growth fund CapitalG and Redpoint Ventures. Existing investors GGV Capital, ICONIQ Growth, and angel syndicate Silicon Valley CISO Investment also participated. (Frederic Lardinois / TechCrunch)

Related: Crunchbase News, Business Wire Technology News, Tech.eu

According to a law enforcement document obtained by Motherboard, a criminal-oriented encrypted phone firm, Encrochat, used the Signal protocol as part of its encrypted messaging application.

To get around the stiff Signal encryption, authorities reportedly managed to push a malicious update from Encrochat's server down to individual Encrochat devices, according to other law enforcement documents obtained by Motherboard. (Joseph Cox / Motherboard)

Related: The Register - Security
