Sinclair TV Stations Taken Down in Ransomware Attack
REvil operation shuttered yet again, Wave of weekend cyberattacks on Israeli hospitals thwarted, $590 million in ransomware-related activity occurred during the first half of 2021, much more
Early yesterday, TV broadcasts for Sinclair-owned channels went down across the U.S. in a ransomware attack. The company says it implemented its incident response plan and took measures to contain the incident. However, Sinclair also says the attack may continue to cause “disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers.”
The attack took down the Sinclair internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. The attack's widespread nature stems from the fact that sections of the Sinclair IT network were interconnected through the same Active Directory domain, allowing the attackers to reach broadcasting systems for local TV stations. The attack follows a company-wide password reset for IT resources shared by local stations in July after what it described as a “potentially serious network security issue.” (Catalin Cimpanu / The Record)
Catalin Cimpanu @campuscodi: Scoop: Sinclair TV broadcasts disrupted across the US in apparent ransomware attack. Company calls it "technical issues." Sources who called Sinclair employees said it was ransomware. https://t.co/TQplQO35xF https://t.co/1PKynrQtQC
Following an apparent hijacking of the gang’s domains, the REvil ransomware operation has likely shut down yet again.
Recorded Future's Dmitry Smilyanets says that an unknown person hijacked REvil's Tor hidden services (onion domains) using the same private keys as the gang's own Tor sites, and so likely holds backups of those keys. The gang had earlier shut down in the face of international condemnation of the ransomware attack on Kaseya in July, but REvil resurfaced in September. (Lawrence Abrams / Bleeping Computer)
Related: The Hacker News
Israel’s National Cyber Directorate and Health Ministry announced that a wave of attempted cyberattacks targeting Israeli hospitals and health centers was thwarted over the weekend.
The directorate said nine hospitals and health institutions were the targets. These unidentified attacks follow a ransomware attack last week against the Hillel Yaffe Medical Center in Hadera that crippled systems at the facility. (Emanuel Fabian and Times of Israel staff / Times of Israel)
The Treasury Department’s Financial Crimes Enforcement Network report said there was $590 million in suspicious activity related to ransomware in the first six months of 2021, topping the $416 million reported in 2020.
The average amount of reported ransomware transactions per month in 2021 was $102.3 million. (William Turton / Bloomberg)
Related: AndroidHeadlines.com, Wall Street Journal, Business Insider, The Record by Recorded Future, PYMNTS.com, Fincen.gov, Bleeping Computer, Cyberscoop, Reuters, Meritalk, Security Affairs, The Hill
In its financial report for the fourth quarter and full fiscal year, global IT consultancy Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack in August 2021.
"In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us,” the report says. The company has not yet confirmed the data breach outside SEC filings or data breach notification letters with relevant authorities. (Sergiu Gatlan / Bleeping Computer)
Chinese security researchers took home $1.88 million after hacking some of the world’s most popular software at the Tianfu Cup.
This year’s contest included a list of 16 possible targets, with the 11 participants mounting successful exploits against 13 targets. (Catalin Cimpanu / The Record)
Catalin Cimpanu @campuscodi: This year's Tianfu Cup saw successful exploits against:
- Windows 10
- iOS 15
- Ubuntu 20
- Chrome
- Safari
- Microsoft Exchange
- Docker
- VMWare ESXi/Workspace
- qemu
- ASUS routers
- Parallels VM
https://t.co/1pVAkenmRv https://t.co/ly8nSLvYwv
Cybersecurity researcher TheAnalyst claims that Microsoft has knowingly been hosting BazarLoader malware in Office 365 for years.
BazarLoader is a significant access broker for ransomware threat actors that has proved to be a particular problem for healthcare organizations. Microsoft is not alone in the chronic hosting of malware. According to researchers at the Bern University of Applied Sciences, Google and Cloudflare are also currently among the top online malware-hosting networks. (Nathan Ord / Hot Hardware)
TheAnalyst @ffforward: Large #BazarISO>#BazarLoader>#BazarBackdoor inc from /muppetcast.com, started yesterday. Direct links to @onedrive. Iso contains dll+lnk running dll with entrypoint "EnterDll", your EDR might have problems detecting this, and less obvious for most users than maldocs... > https://t.co/ZS8sspWqtG
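The tweet above describes an ISO carrying a DLL plus a LNK file that runs the DLL through an explicit export ("EnterDll"). A defender can turn that description into a process-creation rule: rundll32.exe loading a DLL from outside the Windows system directories with a named export. The Go program below is an added example, not code from TheAnalyst, Hot Hardware or any EDR vendor; the telemetry format (image|commandline|parent), the file names, paths and drive letter are constructed for the demonstration, and the only export name on its watch list is the one the tweet reports.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one process-creation record: image path, full command line, parent image.
type Event struct {
	Image       string
	CommandLine string
	Parent      string
}

// Finding is an Event the rule flagged, with the reason.
type Finding struct {
	Event  Event
	Reason string
}

// Constructed sample telemetry (not real logs), one record per line as
// image|commandline|parent. Paths, file names and the D: drive are invented.
var SampleEvents = []string{
	`C:\Windows\System32\rundll32.exe|rundll32.exe D:\Q3-Report.dll,EnterDll|C:\Windows\explorer.exe`,
	`C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL|C:\Windows\explorer.exe`,
	`C:\Windows\System32\rundll32.exe|rundll32.exe "C:\Users\jdoe\AppData\Local\Temp\upd.dll",EnterDll|C:\Windows\System32\cmd.exe`,
	`C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n|C:\Windows\explorer.exe`,
}

// rundll32 takes "<dll>,<export>"; capture both parts (quotes around the path optional).
var rundllArgs = regexp.MustCompile(`(?i)rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)`)

// Directories from which rundll32 routinely loads Windows' own DLLs.
var trustedDirs = []string{`c:\windows\system32\`, `c:\windows\syswow64\`}

// Export names reported as loader entry points; "EnterDll" is the one named in
// the tweet above. Extend from your own intelligence.
var watchedExports = map[string]bool{"enterdll": true}

// ParseEvent splits one constructed telemetry line into an Event.
func ParseEvent(line string) (Event, bool) {
	parts := strings.SplitN(line, "|", 3)
	if len(parts) != 3 {
		return Event{}, false
	}
	return Event{Image: parts[0], CommandLine: parts[1], Parent: parts[2]}, true
}

func fromTrustedDir(dll string) bool {
	l := strings.ToLower(dll)
	for _, d := range trustedDirs {
		if strings.HasPrefix(l, d) {
			return true
		}
	}
	return false
}

// Inspect applies the rule: rundll32 loading a DLL from outside the Windows
// system directories with an explicit export is unusual on end-user machines
// and matches the ISO-delivered DLL+LNK pattern described in the tweet.
func Inspect(ev Event) (Finding, bool) {
	if !strings.HasSuffix(strings.ToLower(ev.Image), `\rundll32.exe`) {
		return Finding{}, false
	}
	m := rundllArgs.FindStringSubmatch(ev.CommandLine)
	if m == nil {
		return Finding{}, false
	}
	dll, export := m[1], m[2]
	if fromTrustedDir(dll) {
		return Finding{}, false
	}
	reason := fmt.Sprintf("rundll32 loaded %s from outside system dirs with export %s", dll, export)
	if watchedExports[strings.ToLower(export)] {
		reason += " (export on watch list)"
	}
	return Finding{Event: ev, Reason: reason}, true
}

// ScanEvents runs the rule over every line and returns the findings in order.
func ScanEvents(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		ev, ok := ParseEvent(l)
		if !ok {
			continue
		}
		if f, hit := Inspect(ev); hit {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range ScanEvents(SampleEvents) {
		fmt.Printf("ALERT parent=%s: %s\n", f.Event.Parent, f.Reason)
	}
}
```

Run as is, the program flags the two rundll32 records that load a DLL from a mounted image or a user-writable temp directory and leaves the shell32.dll control-panel invocation alone. The parent image is carried into the finding because the report notes the chain starts from a user opening the ISO, so explorer.exe as parent is the expected shape of that delivery.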
Video gaming company Twitch downplayed its recent data breach saying that they “are confident that it only affected a small fraction of users and the customer impact is minimal.”
Moreover, Twitch says it is confident that the breach exposed no passwords and “that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.” (Sergiu Gatlan / Bleeping Computer)
Related: Engadget, Security Week, Reuters: World News, Evening Standard, Cyber Security Intelligence, The Register - Security, HotHardware.com, Eurogamer, The Verge, How-To Geek, AndroidHeadlines.com, Cyber Security Intelligence, Security Affairs, iTnews - Security, Slashdot, Vice
Missouri lawmaker Representative Ashley Aune, D-Kansas City, criticized Republican Governor Mike Parson for seeking to prosecute the St. Louis Post-Dispatch reporter who responsibly reported a flaw in a state website that exposed social security numbers of state school teachers, administrators, and counselors.
She also called on the governor to allow a cybersecurity panel to investigate the incident. Ashley said that instead of prosecuting a journalist, the governor should finally appoint members to the newly established Missouri Cybersecurity Commission, “something he has neglected to do since he signed the bill establishing it earlier this year.” (Jason Hancock / Missouri Independent)
In a significant move, the White House has an ambitious plan to reduce the risk of phishing to the U.S. government that calls for phasing out the use of SMS and app-based multi-factor authentication and replacing them with phishing-resistant methods such as hardware security keys.
The effort is part of a broader push to move the federal government to zero trust architecture, as President Biden’s executive order spelled out last May. The move to zero trust will be a significant task for the Office of Management and Budget (OMB). OMB has recently published its zero trust strategy, which points to PIV [Personal Identity Verification] cards as well as WebAuthn, a specification that allows hardware security keys to be used to log into websites. (Joseph Cox / Motherboard)
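What makes WebAuthn phishing-resistant where SMS and app codes are not is that the browser, not the user, writes the page's origin into the signed client data, so a relying party can tell an assertion produced on a look-alike site from one produced on its own. The Go program below is an added example illustrating that check, not code from OMB, Motherboard or any WebAuthn library: the authenticator is a simplified stand-in for a security key (a fixed placeholder replaces the real authenticatorData of rpIdHash, flags and counter), the origins and challenge are constructed, and the relying party verifies type, challenge and origin before the ECDSA signature, in the order the specification lists them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the clientDataJSON fields that matter here. The browser
// fills in Origin from the page that called navigator.credentials.get().
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives: signature over
// authenticatorData || SHA-256(clientDataJSON), as in the specification.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte
	Signature      []byte
}

// Authenticator is a simplified stand-in for a hardware security key.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return msg[:]
}

// Sign produces an assertion for the challenge with the origin the browser observed.
func (a *Authenticator) Sign(challenge, browserOrigin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	// Placeholder for SHA-256(rpId) || flags || signCount; enough to show origin binding.
	authData := []byte("authenticatorData-placeholder")
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// RelyingParty is the site that registered the key and stored its public key.
type RelyingParty struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

// Verify rejects assertions whose type, challenge or origin do not match
// before it checks the signature.
func (rp RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type " + cd.Type)
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: not the challenge this server issued")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo runs one authenticator through a genuine login and a login started from
// a look-alike page, returning the relying party's verdict for each.
func Demo() (genuine error, lookalike error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return err, err
	}
	rp := RelyingParty{Origin: "https://login.agency.example", Pub: &auth.key.PublicKey} // constructed origin
	challenge := "c3f1-constructed-challenge"                                            // server-issued, single use

	as, err := auth.Sign(challenge, rp.Origin)
	if err != nil {
		return err, err
	}
	genuine = rp.Verify(challenge, as)

	// Same key and challenge, but the browser was on a different origin, so the
	// signed clientDataJSON names that origin and the relying party refuses it.
	as2, err := auth.Sign(challenge, "https://login-agency.example.net")
	if err != nil {
		return err, err
	}
	lookalike = rp.Verify(challenge, as2)
	return genuine, lookalike
}

func main() {
	g, l := Demo()
	fmt.Println("genuine login:", g)
	fmt.Println("look-alike origin:", l)
}
```

The contrast with an SMS or TOTP code is that the code is the same six digits wherever the user types it, so a relayed code verifies; here the second assertion carries a valid signature from the real key and still fails, because the origin it was signed over is not the relying party's.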
South Korea asked Interpol for help in arresting two foreigners it alleges played a leading role in cyberattacks and large-scale extortion that targeted South Korean and U.S. companies.
South Korea didn’t release the names of the individuals except to say one suspect is a Ukrainian national who was among six people detained by Ukrainian police in June, when South Korean and U.S. authorities joined in raids on the homes of suspects affiliated with the Clop ransomware syndicate in Kyiv and elsewhere. (HYUNG-JIN KIM / Associated Press)