Ransomware attack halts London trading

Ion Markets, a financial data group crucial to the financial plumbing underlying the derivatives trading industry, has fallen prey to the cybercrime group Lockbit.

The company has revealed that 42 clients have been affected by the attack, which has caused major disruption in its cleared derivatives division. 

Reports suggest that some clients have been unable to contact Ion by phone since Tuesday, with some travelling to the company’s office at St Paul’s to seek more information.

“The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing,” according to a post on Ion’s website. 

It’s understood that the incident has impacted other trade processing systems, even forcing some companies to process trades manually. 

Lockbit has been especially active recently, claiming responsibility for the attack on Royal Mail last month, which forced the company to suspend international postal deliveries. 

The cybercriminal group has reportedly used its signature ransomware, which encrypts files and issues a ransom note, typically demanding payment in cryptocurrency before the decryption key is provided.

Expert Insight: 

Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre:

“Software is the critical infrastructure for all other critical infrastructure. The attack on the Ion Markets illustrates not only the interconnected nature of the financial system, but also a crucial dependence on software. 

Software is a powerful tool for productivity but must be managed properly. In particular, security must be a top priority in all phases of software, from its conception through to its deployment. This applies equally to builders and buyers. Builders must include security at every phase of their software development life cycle, using a combination of expert analysis and automated testing to flush out as many vulnerabilities as possible before software is put into production use. Buyers, similarly, should carefully evaluate the security practices of their vendors, then apply meticulous and repeatable processes for configuring, deploying, and operating the software they acquire. 

Every piece of software is, in essence, an incredibly complicated machine. To secure such a machine against attack, builders and buyers alike must examine the entire supply chain of infrastructure, tools, open source components, source code, and configurations in a ceaseless quest to locate and mitigate vulnerabilities. When an incident occurs, such as the Ion Markets attack, existing processes must be examined to understand what went wrong and how the processes can be improved to reduce risk in the future.”

Sam Curry, chief security officer at Cybereason:

“While specific details are scant at this time, with dozens of Ion’s customers potentially impacted by this latest shameless ransomware attack, you can’t just snap your fingers and restore disrupted services. Let me be clear that LockBit is a criminal organisation and their brazen attack raises their profile and spreads more fear, uncertainty and doubt across many industries. In time, we will learn if a ransom demand was issued and paid, or whether Ion refused to negotiate with this criminal organisation.

Organisations can’t pay their way out of ransomware, and those that do only embolden the criminals to launch future attacks. For Ion and other organisations that improve their network resiliency, the cyber criminals will quickly move onto softer targets because they are looking for the path of least resistance. Most gangs want to maintain a low profile and avoid being caught in the cross hairs of law enforcement agencies. In general, companies should prepare for ransomware attacks in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. Practise good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team and all the way to the Executive Suite.”

Jamie Cameron, security consultant at Adarma:

“Money is the biggest motivator for cyber threat groups like Lockbit, who are becoming ever more sophisticated in their attacks, which is why financial organisations need to be hyper-focused on building their cyber resilience. It’s important they are aware that Lockbit is currently in a state of flux, and that previous defences against Lockbit’s signature ransomware are no longer applicable. Lockbit is evolving and it’s vital that businesses update their defences accordingly. 

We’ve observed that Lockbit have been bringing in developers from the BlackMatter ransomware group to write a new version of their software (Lockbit Black), which is now free on the open market due to a leak from a disgruntled developer over a pay dispute. Most recently, Lockbit has had a developer, believed to be from the now-defunct Conti group, write new malware known as Lockbit Green, or they’ve utilised the leaked toolset from the two prominent Conti leaks of last year to develop this new variant. 

Lockbit have been launching attacks using both the original version of their ransomware and Lockbit Black and we see no reason why they wouldn’t throw Lockbit Green into the mix. Organisations should be aware of this due to how prolific the group are.”

Ziv Dines, CTO, Cyber at Armis:

“The majority of organisations see PII, critical infrastructure and operational downtime as the most at risk in the event of a cyberwarfare attack, and Lockbit’s recent activity encompasses all three. It’s clear from attacks on critical services such as the Royal Mail and ION Group, a major supplier of services to the financial system, that criminals are gathering pace.

The affected company confirmed the incident has been contained to a specific environment, but the operational inefficiencies caused by having to switch to manual processes introduce a significant amount of risk in both the short and long term. Organisations should be on high alert, making sure they have oversight of their internal systems and any assets that may be connected to them in order to spot and remediate anomalies quickly.”

Jamie Akhtar, CEO and co-founder of CyberSmart: 

“This incident and its attribution demonstrate that we aren’t dealing with run-of-the-mill cybercriminals or threats. Instead, this looks like a calculated attack on the very infrastructure that supports the UK’s financial system. What’s more, it’s a signal that the ‘cyber cold war’ being conducted as part of the conflict in Ukraine has begun to heat up.

We’ve been seeing a pattern of escalation in these attacks over the past few months, so we urge all businesses, even SMEs, to be as vigilant as possible in updating and patching software, employing good cyber hygiene, and treating anything unusual with suspicion.”

The post Ransomware attack halts London trading appeared first on IT Security Guru.

Threat actors launch one malicious attack every minute

BlackBerry’s inaugural Quarterly Threat Intelligence Report highlights the volume and types of threats seen across a range of organisations and regions, including industry-specific attacks targeting the automotive and manufacturing, healthcare and financial sectors.

In the 90-day period between September 1 and November 30 2022, BlackBerry says it stopped 1,757,248 malware-based cyberattacks. This amounts to 62 unique samples per hour, or one sample each minute. The most common threats observed in attacks include the resurgence of the Emotet botnet after a four-month dormancy period, the extensive presence of the Qakbot phishing threat, which hijacks existing email threads to convince victims of its legitimacy, and the increase in infostealer downloaders like GuLoader.

“Annual threat reports have been a fantastic way to provide insight into overall trends, but now more than ever, organisations need to make well-informed decisions and take prompt effective actions, using the latest actionable data,” said Ismael Valenzuela, Vice President, Threat Research & Intelligence at BlackBerry. “Our public and private reports are written by our top threat researchers and intelligence analysts, world-class experts that not only understand the technical threats but also the global and local geopolitical situation, and how it affects organisational threat models in each region. This expertise allows us to provide actionable and contextualised threat intelligence to increase cyber resilience and to enable mission and business objectives.”

Other revelations from the report include:

  • macOS is not immune. It is a common misconception that macOS is a “safe” platform because it is used less on enterprise systems. However, this could be lulling IT managers into a false sense of security. BlackBerry explores the pernicious threats targeting macOS, including malicious code that is sometimes even explicitly downloaded by users. In Q4, the most-seen malicious application on macOS was Dock2Master, which collects users’ data through its own surreptitious ads. BlackBerry researchers noted that 34 percent of client organisations using macOS had Dock2Master on their network.
  • RedLine was the most active and widespread infostealer in the last quarter. Post-pandemic work models have created the need for businesses to support remote and hybrid employees, putting corporate credentials at greater risk of attack from malicious actors than ever before. RedLine is capable of stealing credentials from numerous targets, including browsers, crypto wallets, and FTP and VPN software, among others, which are then sold on the black market. Cybercriminals and nation-state threat actors rely on initial access brokers trading stolen credentials; RedLine is one such source, providing initial access to other threat actors. 

The post Threat actors launch one malicious attack every minute appeared first on IT Security Guru.

Hive Group Admits to Leaking Data in Tata Power Ransomware Attack

Reports have said that the Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber-attack against Tata Power disclosed by the company on October 14 and believed to have occurred on October 3.

“The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” the Mumbai-based company said at the time.

Security researcher Rakesh Krishnan has claimed that the leak has reportedly affected several of Tata’s 12 million customers and includes personally identifiable information (PII) such as Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers, among others.

It appears that many have taken Hive leaking the stolen data to mean that any ransomware negotiations failed, but Edward Liebig, global director of cyber-ecosystem at Hexagon, has suggested a different interpretation.

“Let’s face it, even if negotiations are successful, there is still only a 50% chance of recovery of the encrypted assets,” Liebig told Infosecurity in an emailed statement.

“The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.”

The executive has said another aspect to consider in this scenario is the rules of the cyber insurance carrier.

“Some Cyber Insurers prohibit the payment of a ransom,” Liebig said. “This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.”

Further to this, Liebig has said he believes that increasing the chances of defending against ransomware begins with watching the front and back doors.

“Watch for, block, and educate against incoming spam and phishing attempts. Know your assets and endpoints. Know and mitigate the vulnerabilities within your environment that enable the exploitation of those assets,” Liebig explained.

“The best way to defend against ransomware is never to let it take root in your systems. The next best way is to have a bulletproof, trusted recovery strategy to minimize downtime and eliminate the ‘ransom’ debate.”

According to statistics published by Intel 471 and Digital Shadows, Hive was the third-most prevalent ransomware family observed in Q3 2022.

Lastly, the ransomware group also ported its tools to Rust in July to deliver more sophisticated encryption.

The post Hive Group Admits to Leaking Data in Tata Power Ransomware Attack appeared first on IT Security Guru.

Magniber Ransomware Uses JavaScript to Attack Individual Users

A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.

Reports describe a ransomware campaign isolated by HP Wolf Security in September 2022 in which Magniber ransomware was spread. The malware is known as a single-client ransomware family that demands $2,500 from victims.

Previously, Magniber was primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.

“Some malware families, such as Vjw0rm and GootLoader, rely exclusively on JavaScript, but have done so for some time,” Patrick Schläpfer, malware analyst at HP Wolf Security, told Infosecurity. “Currently, we are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.”

Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and evading detection techniques that monitor user-mode hooks by using syscalls instead of the standard Windows API libraries.

Using the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data with Windows tools.

Describing the campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.

From that site, the user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.

For Magniber to access and lock files, it needs to be executed on a Windows account with administrator privileges – a level of access which is much more commonplace on personal systems.
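The infection chain above (a JavaScript file run from a download, followed by shadow-copy deletion and recovery features being disabled) is visible in process-creation telemetry. The following is an added detection example, not code from the original article or from HP Wolf Security. It assumes a simple pipe-separated event format and uses constructed sample lines that imitate Windows process-creation events; the command names it matches (vssadmin, wmic shadowcopy, wbadmin, bcdedit) are real Windows tools, but the specific sample events are made up for illustration.

```python
"""Flag Magniber-style behaviour in process-creation events.

Added example (not from the original article). Event format assumed here:
    ts|user|integrity|parent_image|image|command_line
The SAMPLE_EVENTS below are constructed to resemble such telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    integrity: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    image: str
    cmdline: str


# Constructed sample telemetry: a script host running a .js from Downloads,
# then the usual backup-tampering commands, plus two benign events.
SAMPLE_EVENTS = r"""
2022-09-14T10:01:05|HOME\alice|High|explorer.exe|wscript.exe|"C:\Users\alice\Downloads\Windows10_Update.js"
2022-09-14T10:01:09|HOME\alice|High|wscript.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
2022-09-14T10:01:10|HOME\alice|High|wscript.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled no
2022-09-14T10:01:11|HOME\alice|High|wscript.exe|wbadmin.exe|wbadmin delete catalog -quiet
2022-09-14T10:05:00|HOME\alice|Medium|explorer.exe|notepad.exe|notepad.exe C:\Users\alice\notes.txt
2022-09-14T10:06:00|NT AUTHORITY\SYSTEM|System|services.exe|vssadmin.exe|vssadmin list shadows
"""

# Only the delete/disable forms are suspicious; listing shadows is routine.
BACKUP_TAMPER = [
    ("vss-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup-catalog-delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
]
TAMPER_RULES = {name for name, _ in BACKUP_TAMPER}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_DROP_DIRS = re.compile(r"\\(Downloads|Temp)\\", re.I)
JS_FILE = re.compile(r"\.js\b", re.I)


def parse(text: str) -> list[Event]:
    """Parse pipe-separated lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue
        events.append(Event(*parts))
    return events


def detect(text: str) -> list[Finding]:
    """Return one Finding per suspicious event, in telemetry order."""
    findings = []
    for ev in parse(text):
        # A script host executing a .js dropped into a user download/temp dir.
        if (ev.image.lower() in SCRIPT_HOSTS
                and JS_FILE.search(ev.cmdline)
                and USER_DROP_DIRS.search(ev.cmdline)):
            findings.append(Finding(ev.ts, "js-from-user-dir", ev.image, ev.cmdline))
        # Commands that destroy shadow copies or disable Windows recovery.
        for name, pattern in BACKUP_TAMPER:
            if pattern.search(ev.cmdline):
                findings.append(Finding(ev.ts, name, ev.image, ev.cmdline))
                break
    return findings


def severity(findings: list[Finding]) -> str:
    """Script execution followed by backup tampering is the ransomware pattern."""
    rules = {f.rule for f in findings}
    if "js-from-user-dir" in rules and rules & TAMPER_RULES:
        return "critical"
    if rules & TAMPER_RULES:
        return "high"
    if rules:
        return "medium"
    return "none"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.ts} [{h.rule}] {h.image}: {h.cmdline}")
    print("severity:", severity(hits))
```

On the constructed sample the rule set yields four findings and a severity of "critical"; the benign `vssadmin list shadows` and notepad events are not flagged. In a real deployment the interesting signal is the sequence (script host, then tampering commands with the script host as parent) rather than any single command, since administrators do occasionally delete shadow copies legitimately.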

“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explained Schläpfer. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”

To conclude, the company noted that this ransomware does not fall into the category of Big Game Hunting but can still cause significant damage.

“This is not a shift away from big game hunting, but rather demonstrates that not only enterprises are the focus of ransomware groups, but home users as well,” Schläpfer said.

The post Magniber Ransomware Uses JavaScript to Attack Individual Users appeared first on IT Security Guru.

Recovery From NHS Attack Could Take Weeks

Last week, Advanced, a key NHS IT partner, was hit by a ransomware attack. The IT company has said that it could take three to four weeks for systems to resume normal service.

Advanced runs several key systems within the health service. One of its most important clients is the NHS 111 service.

The UK Government tried to downplay the seriousness of the incident last week by claiming “minimal disruption.” However, reports suggested that it disrupted patient referrals, emergency prescriptions, ambulance dispatches, and out-of-hours appointment bookings.

In an update published on 10th August, Advanced said it was working with Microsoft DART, Mandiant, and the National Cyber Security Centre (NCSC) to investigate and remediate, with no further incidents detected and the original breach contained.

The statement said: “With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days.”

“For other NHS customers and care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks. We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.”

Advanced also disclosed that other services are impacted by the attack, including its care home management software (Caresys) and patient record software (Carenotes).

No ransomware group has publicly claimed responsibility for the attack. It is also not yet known whether or not data was stolen.

Before bringing its systems back online, Advanced said it was implementing extra blocking rules, scanning all impacted systems and ensuring they are fully patched, conducting 24/7 monitoring, resetting credentials, and deploying additional endpoint detection and response agents.

The post Recovery From NHS Attack Could Take Weeks appeared first on IT Security Guru.

Attack on Supplier Leaves NHS Recovering Services

A cyberattack, first identified last Thursday, has caused a “major” computer system outage affecting companies within the NHS, including the 111 call line.

Reportedly, a number of health and care systems delivered by business software and services provider Advanced are currently experiencing major outages.

Advanced has 26 NHS clients, according to Digital Health Intelligence, and they supply services to thousands of healthcare professionals. The company’s Adastra software works with 85% of NHS 111 services, where service remains affected as a result of the attack. Adastra is used to refer patients for care, including out-of-hours appointment bookings, emergency prescriptions, and ambulance dispatching.

Neither NHS England nor Advanced would initially confirm reports that a cyberattack was to blame.

However, last Friday, Advanced’s Chief Operating Officer Simon Short confirmed the incident occurred as a result of a cyberattack and said that the company had taken action which contained the attack, adding that “no further issues have been detected.”

An NHS England spokeswoman said NHS 111 services are still available and that there is “currently minimal disruption”, adding that “tried and tested contingency plans are in place for local areas who use this service”.

In 2017, the NHS was hit by a large cyberattack carried out using the WannaCry ransomware. Javvad Malik, Lead Security Awareness Advocate at KnowBe4, notes: “The 111 outage brings back many unfortunate memories of Wannacry which crippled the NHS. While no details have been released about the root cause of the 111 service outage, all signs would seem to indicate ransomware to be the cause.”

“One needs to look at the root causes of attacks and try to address them. This could be through implementing stronger authentication, having a patch management process in place, and running a security awareness and training programme for staff so that a culture of security is created whereby security issues can be quickly detected and responded to.”

Additionally, Jamie Akhtar, CEO and co-founder of CyberSmart, warns of an increased risk of attacks elsewhere following the incident: “It’s likely that we will see more attacks of this nature in the coming months. Classified by the NCSC as a ‘Category One’ attack, this situation does not bode well for the future of UK public sector cybersecurity. Although the NCA states that only a few servers were impacted and disruption was minimal, the consequences of attacks such as these can be devastating.”

Worryingly, research by Armis on NHS Trusts indicates that “suspicious activity” – including “exploit attempts, drive-by attacks, port scans, and connections to the dark web” – has risen since this April, with 80% of Trusts experiencing a record level of suspicious activities.

Andy Norton, European Cyber Risk Officer at Armis, notes that: “Trusts’ abilities to protect themselves from these threats have remained the same since pre-April.”

“What is clear from these figures is that NHS infrastructure is being targeted more heavily than ever before, so gaining visibility and understanding of all connected assets is vital to the health of these critical services.”

The post Attack on Supplier Leaves NHS Recovering Services appeared first on IT Security Guru.