New Ransomware Gang RA Group Hits U.S. and South Korean Organizations

A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant.

The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos.

“To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals,” security researcher Chetan Raghuprasad said in a report shared with The Hacker News.

RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to apply additional pressure on victims to pay ransoms.


The Windows-based binary employs intermittent encryption to speed up the process and evade detection; it also deletes volume shadow copies and the contents of the machine’s Recycle Bin.

“RA Group uses customized ransom notes, including the victim’s name and a unique link to download the exfiltration proofs,” Raghuprasad explained. “If the victim fails to contact the actors within three days, the group leaks the victim’s files.”

It also avoids encrypting system files and folders named in a hard-coded exclusion list, so that the victim’s machine remains usable enough to download the qTox chat application and reach out to the operators using the qTox ID provided in the ransom note.

What sets RA Group apart from other ransomware operations is that the threat actor has also been observed selling the victim’s exfiltrated data on its leak portal by hosting the information on a secured TOR site.


The development comes less than a week after SentinelOne disclosed that threat actors of varying sophistication and expertise are increasingly adopting the Babuk ransomware code to develop a dozen variants that are capable of targeting Linux systems.

“There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware,” the cybersecurity firm said. “This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.”

Other ransomware actors that have adopted the Babuk source code over the past year include AstraLocker and Nokoyawa. Cheerscrypt, another ransomware strain based on Babuk, has been linked to a Chinese espionage actor called Emperor Dragonfly that’s known for operating short-lived ransomware schemes such as Rook, Night Sky, and Pandora.

The findings also follow the discovery of two other new ransomware strains codenamed Rancoz and BlackSuit, the latter of which is designed to target both Windows and VMware ESXi servers.

“The constant evolution and release of new ransomware variants highlight the advanced skills and agility of [threat actors], indicating that they are responding to cybersecurity measures and checks being implemented and customizing their ransomware accordingly,” Cyble said.


(c) Ravie Lakshmanan

Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks.

The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week.

The 11 vulnerabilities allow “remote code execution and full control over hundreds of thousands of devices and OT networks – in some cases, even those not actively configured to use the cloud.”

Specifically, the shortcomings reside in the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.


Successful exploitation of the vulnerabilities could pose severe risks to industrial environments, allowing adversaries to sidestep security layers as well as exfiltrate sensitive information and achieve code execution remotely on the internal networks.

Even worse, the issues could be weaponized to obtain unauthorized access to devices in the network and perform malicious operations such as shutdown with elevated permissions.


This, in turn, is made possible by three different attack vectors that could be exploited to compromise and take over cloud-managed IIoT devices through their cloud-based management platforms:

  • Weak asset registration mechanisms (Sierra Wireless): An attacker could scan for unregistered devices that are connected to the cloud, get their serial numbers by taking advantage of the AirVantage online Warranty Checker tool, register them to an account under their control, and execute arbitrary commands.
  • Flaws in security configurations (InHand Networks): An unauthorized user could leverage CVE-2023-22601, CVE-2023-22600, and CVE-2023-22598, a command injection flaw, to gain remote code execution with root privileges, issue reboot commands, and push firmware updates.
  • External API and interfaces (Teltonika Networks): A threat actor could abuse multiple issues identified in the remote management system (RMS) to “expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.”

The six flaws impacting Teltonika Networks – CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587, and CVE-2023-2588 – were discovered following a “comprehensive research” carried out in collaboration with Claroty.

“An attacker successfully exploiting these industrial routers and IoT devices can cause a number of impacts on compromised devices and networks, including monitoring network traffic and stealing sensitive data, hijacking internet connections and accessing internal services,” the companies said.

OTORIO said cloud-managed devices pose a “huge” supply-chain risk and that a single vendor compromise can act as a backdoor for accessing several OT networks in one sweep.

The development comes a little more than three months after the cybersecurity company disclosed 38 security flaws in the wireless industrial Internet of Things (IIoT) devices that could provide attackers a direct path to internal OT networks and put critical infrastructure at risk.

“As the deployment of IIoT devices becomes more popular, it’s important to be aware that their cloud management platforms may be targeted by threat actors,” security researcher Roni Gavrilov said. “A single IIoT vendor platform being exploited could act as a ‘pivot point’ for attackers, accessing thousands of environments at once.”


(c) Ravie Lakshmanan

Microsoft Authenticator to Enforce Number Matching

As a way to enhance MFA security, Microsoft will require users to authorize login attempts by entering a numeric code into the Microsoft Authenticator app.

Multifactor authentication (MFA) is an essential element of identity and access management, but it is not fail-proof, especially as attackers increasingly employ social-engineering tactics to bypass MFA controls. To enhance the security of MFA, Microsoft is enforcing “number matching” for all users of its Microsoft Authenticator app.

Previously, the process flow for Microsoft Authenticator displayed a prompt in the app when the user tried to log in. The user tapped the prompt on the secondary device to authorize the transaction. Number matching adds another step: users must both hold the secondary device and be looking at the login screen on the primary device. Instead of just tapping the prompt, users will now have to enter a number that is displayed on the application’s login screen. A person logging into Office 365, for example, would see a message on the original login screen with a numeric code. The person would enter that code into the Authenticator app on their secondary device to approve the transaction. There is no way to opt out of entering the code.

“Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator,” Microsoft said in a supporting article. “We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.”

Attacks Are More Prevalent

Number matching was originally introduced in Microsoft Authenticator as an optional feature in October, after attackers started spamming users with MFA push notification requests. Users were granting access to the attackers just to get the spam notifications to stop, or by mistake. Number matching is designed to help users avoid accidentally approving false authentication attempts. MFA fatigue – overwhelming users with MFA push notification requests – has “become more prevalent,” according to Microsoft, which observed almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts last August, compared with 32,442 in 2021. Last year 382,000 attacks employed this tactic, Microsoft said.

The tactic was also recently used in attacks against Uber, Microsoft, and Okta.

Number matching with Authenticator will be used for actions such as password resets, registration, and access to Active Directory. Users will also see additional context, such as the name of the application and the location of the login attempt, to prevent accidental approvals. The idea is that users cannot accept a login attempt if they are not in front of the login screen at that time.

How to Enable Number Matching

While number matching was enabled by default for Microsoft Azure in February, users will see some services start using this feature before others. Microsoft recommends enabling number matching in advance to “ensure consistent behavior.” Administrators can enable the setting by navigating to Security – Authentication methods – Microsoft Authenticator in the Azure portal.

  1. On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups. The Authentication mode for these users and groups should be either Any or Push.
  2. On the Configure tab for Require number matching for push notifications, change Status to Enabled, choose who to include or exclude from number matching, and click Save.

Administrators can also limit the number of MFA authentication requests allowed per user and lock the accounts or alert the security team when the number is exceeded.

Users should upgrade to the latest version of Microsoft Authenticator on their mobile devices. Number matching does not work for wearables, such as Apple Watch, or other Android devices. Rather, users will have to key in the number via the mobile device.
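The number-matching flow and the push-rate limit described above, as an added simulation that is not Microsoft’s code: the legacy “tap to approve” flow beside the number-matching flow, plus a per-user push counter that locks the account and raises an alert once a threshold is exceeded. The threshold of five pushes, the user name and the two-digit code range are constructed assumptions.

```python
"""Simulation of MFA push approval with and without number matching.

Added example, not Microsoft's implementation. Models the flows described
in the article: the legacy flow (tap Approve on the secondary device) and
the number-matching flow (the login screen shows a code that must be typed
into the device). It also models the admin control of limiting push requests
per user and locking the account / alerting when the limit is exceeded.
"""
from dataclasses import dataclass, field
import secrets

LOCKOUT_THRESHOLD = 5  # constructed assumption: pushes allowed before lockout


@dataclass
class PushChallenge:
    user: str
    challenge_id: str
    number: int      # shown ONLY on the primary login screen (two digits)
    context: dict    # app name and login location shown in the app


def device_prompt(ch: PushChallenge) -> dict:
    """What the Authenticator app displays: context, never the number."""
    return {"user": ch.user, **ch.context}


@dataclass
class AuthServer:
    number_matching: bool = True
    pushes: dict = field(default_factory=dict)    # user -> pushes issued
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # messages for the SOC
    pending: dict = field(default_factory=dict)   # challenge_id -> challenge

    def start_login(self, user: str, app: str, location: str):
        """Issue a push challenge, or None if the user is (now) locked."""
        if user in self.locked:
            return None
        count = self.pushes.get(user, 0) + 1
        self.pushes[user] = count
        if count > LOCKOUT_THRESHOLD:
            # MFA fatigue pattern: lock the account and alert the security team
            self.locked.add(user)
            self.alerts.append(f"{user}: {count} push requests, account locked")
            return None
        ch = PushChallenge(user, secrets.token_hex(8), secrets.randbelow(100),
                           {"app": app, "location": location})
        self.pending[ch.challenge_id] = ch
        return ch

    def approve(self, challenge_id: str, entered_number=None) -> bool:
        """Device-side approval. Each challenge can be answered once."""
        ch = self.pending.pop(challenge_id, None)
        if ch is None:
            return False
        if not self.number_matching:
            return True  # legacy flow: tapping Approve is enough
        return entered_number == ch.number


def legacy_fatigue_scenario() -> bool:
    """Attacker's push reaches a tired user who taps Approve: access granted."""
    srv = AuthServer(number_matching=False)
    ch = srv.start_login("alice", "Office 365", "Unknown")
    return srv.approve(ch.challenge_id)


def number_matching_scenario():
    """A user who never saw the attacker's login screen cannot approve."""
    srv = AuthServer(number_matching=True)
    ch = srv.start_login("alice", "Office 365", "Unknown")
    blind_tap = srv.approve(ch.challenge_id, None)              # no code typed
    ch = srv.start_login("alice", "Office 365", "Unknown")
    wrong = srv.approve(ch.challenge_id, (ch.number + 1) % 100)  # guessed code
    ch = srv.start_login("alice", "Office 365", "Unknown")
    right = srv.approve(ch.challenge_id, ch.number)             # read from screen
    replay = srv.approve(ch.challenge_id, ch.number)            # already consumed
    return blind_tap, wrong, right, replay


def fatigue_lockout_scenario(spam_count: int = 8) -> dict:
    """Push spam: only LOCKOUT_THRESHOLD pushes go out, then lock + alert."""
    srv = AuthServer(number_matching=True)
    issued = sum(1 for _ in range(spam_count)
                 if srv.start_login("alice", "Office 365", "Unknown") is not None)
    return {"issued": issued, "locked": "alice" in srv.locked,
            "alerts": len(srv.alerts)}
```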


(c) Dark Reading

‘Very Noisy:’ For the Black Hat NOC, It’s All Malicious Traffic All the Time

Black Hat Asia’s NOC team gives a look inside what’s really happening on the cyberfront during these events.

BLACK HAT ASIA – Singapore – When you’re in an environment where the overwhelming majority of network traffic is classified as posing a severe cybersecurity threat, deciding what to be concerned about becomes not a needle in a haystack situation, but a needle in a needlestack problem.

That’s the word this week at Black Hat Asia, where Neil Wyler, global lead of active threat assessments at IBM X-Force, and Bart Stump, senior systems engineer for NetWitness, took to the stage to give attendees a look inside the event’s enterprise-grade network operations center (NOC). The duo oversaw the NOC’s design and led the security team for the show, which ran from May 9-12. The multi-vendor network supported attendee Wi-Fi access; internal operations such as registration; the needs of business hall stands; and the communications requirements of technical trainings, briefings, keynotes, and vendor demonstrations.

“When we discuss the traffic, we try to explain to others that at Black Hat it’s bad all the time — all or most of the traffic is malicious,” Wyler explained. “That sounds scary, but for this crowd that traffic is normal. There are people demoing attacks, there are red team trainings going on, etc., and that means that we don’t really block anything. We let that traffic fly because we don’t want to take down a demo on stage or on the expo floor. Unless we see a direct attack on our infrastructure, say the registration system, we let it go.”

So, in order to ferret out the actual bad, bad traffic, the NOC relies on a number of dashboards that allow a real-time view of everything flowing through the network, with the ability to capture stats on everything from device profiles to which cloud apps attendees are connecting to. It also captures raw packet data so NOC analysts can go back and rebuild sessions in the event something seems abnormally suspicious, to look at “every single thing someone is doing with every packet, in a way we can’t using just logs,” Wyler noted.

One of the more unusual dashboards put in place for the event offered a heat map of where Wi-Fi, Bluetooth, and even peer-to-peer wireless connections were being used, offering a quick look at where people were congregating and where there might be cyber issues afoot.

“It’s an interesting perspective,” explained Stump. “The bottom left corner of the map is actually the show floor, and after the business hall opened up, that got more red. You can see when breaks are happening and when they put the beverages out because people migrate. And overall, it’s a quick visualization for us to see where potential issues might be coming from, where we should focus our attention.”

A heat map of where devices connected to the network.

In all, the NOC tracked 1,500 total unique devices connecting to the network across mobile phones, Internet of Things (IoT) gear, and other endpoints, with DNS queries at their highest for the event since 2018. About three-quarters (72%) of that traffic was encrypted — a refreshingly high amount, the researchers noted. And interestingly, a domain called Hacking Clouds hosted the most user sessions — more even than the show’s general Wi-Fi network for attendees.

In terms of the apps being used, TikTok made an appearance in the Top 10 for the first time, the team observed. Other top apps included Office 365 (no surprise there), Teams, Gmail, Facebook, and WhatsApp.

Interesting NOC Happenings

A few interesting incidents emerged from the data during the event, the duo noted. In one case, an individual was generating so much malicious activity that all of the NOC systems alerted at once.

“One particular person was so noisy that every NOC vendor partner saw their activity at the same time,” Wyler said. “We’re talking SQL injection on public-facing websites, WordPress compromises, lots and lots of scanning for vulnerabilities and open ports. It was like they learned something this week and went, ‘Let me see if it works. I’ve heard about Log4j, let me see what’s out there.’ They took a training class and now they’re spreading their wings and flying.”

After the person moved from attacking restaurant chain websites to probing payment sites, it was clear the activity wasn’t demo-related, so the team pinpointed the person and sent the individual a cease-and-desist email.

“We figured out they were sitting in the hallway looking out at the Bay, just attacking company after company after company,” Wyler said. “We explained that it’s still illegal to do what they’re doing, so please discontinue attempting to execute vulnerabilities on public-facing websites. This is a violation of the Black Hat Code of Conduct and we will come find you if it doesn’t stop — love, the NOC. They got that and everything stopped.”

Other incidents involved VPN issues, including one that was transmitting the user’s location information in clear text. The team captured the data, plugged it into Google Maps and generated a view of exactly where the person had been during the day.

A VPN leak allowed the team to create a map of the user’s location.

Yet another issue involved an endpoint detection and response (EDR) vendor that was sending all of the usage data it was collecting on its users’ endpoints back to its servers in clear text; one antivirus vendor was found sending unencrypted SMTP emails containing pricing quotes, other business information, and login credentials — allowing easy harvesting.

“An attacker could have pulled down quotes, changed quotes, gathered internal work information and customer information, definitely not good,” said Stump. “It could be used to craft phishes or to manipulate pricing.”

In all cases, the team worked with the problematic entities to resolve the issues. The NOC, quite simply, is on the case, according to Stump.

“People often say that at Black Hat, you shouldn’t even get on the network because it’s dangerous,” said Stump. “But our goal is actually to leave attendees more secure than when they arrived. And that’s why we do things like letting people know they’re sending passwords in clear text, or when we see cryptomining activity, we’ll alert them. We’re committed to that.”


(c) Dark Reading

Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs

Two years ago, a popular ransomware-as-a-service group’s source code got leaked. Now other ransomware groups are using it for their own purposes.

Over the past year, 10 different ransomware families have utilized leaked Babuk source code to develop lockers for VMware ESXi hypervisors.

Hypervisors are programs used to run multiple virtual machines (VMs) on a single server. By targeting ESXi, hackers may be able to infect multiple VMs in an enterprise environment more directly than they could through conventional means.

A few of the Babuk-based ESXi lockers are associated with major threat actors like Conti and REvil. And according to Alex Delamotte, senior threat researcher at SentinelOne, a majority of them have been utilized in real-world attacks in recent months.

“It looks like it’s an effective model,” says Delamotte, who published the new research this week. “As long as they stay profitable, hackers are going to keep using these lockers. And it does seem like they work.”

How We Got Here

Babuk was a popular though imperfect ransomware-as-a-service (RaaS) offering, first circulated in early 2021.

In September 2021, its business model was interrupted when one of the original creators had a moment of reckoning. “One of the developers for Babuk ransomware group, a 17-year-old person from Russia, has been diagnosed with Stage-4 Lung Cancer,” vx-underground, a repository for malware source code, wrote in a tweet. “He has decided to leak the ENTIRE Babuk source code for Windows, ESXI, NAS.”

Babuk As a Baseline

Since then, threat actors have been using Babuk’s various leaked tools as a baseline for crafting new malicious payloads.

For instance, in their report published May 4, researchers from Sentinel Labs identified significant overlaps between the Babuk ESXi ransomware builder and ten other ransomware families: Cylance, Dataf Locker, Lock4, Mario, Play, Rorschach, RTM Locker, XVGV, RHKRC — closely associated with the REvil group’s Revix locker — and “Conti POC” — a proof of concept from the notorious and now largely defunct ransomware group.

Delamotte says Mario, Rorschach, XVGV, and Conti POC have all been utilized in attacks already, and users on Bleeping Computer forums have reported being victim to Dataf Locker and Lock4.

Why Hackers Target ESXi

VMware ESXi is a “bare metal” hypervisor: it runs directly on the physical server rather than on top of a host operating system, giving it unfettered access to and control over the machine’s underlying hardware resources.

All of this is what makes ESXi a powerful platform for IT administrators and, by the same token, hackers. Bad actors can aim to hit multiple VMs running on a single virtual server, utilizing “built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files,” Delamotte explained in the report.

Enterprises running VMware’s ESXi need to be cautious, though the fix is straightforward.

“The most important thing is to ensure that any access — especially management access, to something like an ESXi hypervisor — is very limited,” Delamotte advises. “You want to have good role-based access controls and definitely MFA wherever possible on any service account.”

Strict, effective access controls should be enough to insulate the vulnerable. “I don’t really see any situation,” she says, “where somebody can move on to this kind of server without having admin privileges.”


(c) Dark Reading

Dragos Employee Hacked, Revealing Ransomware, Extortion Scheme

Attackers compromised the personal email of a new employee and, when the initial attack failed, attempted through socially engineered messages to get the company to pay them off.

One might argue that security companies should be more prepared than most organizations to defend against a cyberattack. That was the case at Dragos recently, when a known ransomware group attempted, but failed, to extort money from the security vendor in a socially engineered attack that occurred after it compromised a new employee’s personal email account.

The attack occurred May 8, with attackers gaining access to SharePoint and the Dragos contract management system by compromising the personal email address of a new sales employee prior to the person’s start date, the company revealed in a blog post on May 10. The attacker then used stolen personal information from the hack to impersonate the employee and accomplish initial steps in Dragos’ employee-onboarding process.

Dragos’ swift response prevented the threat group from achieving its objective — the deployment of ransomware — or from engaging in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure, the company said.

“No Dragos systems were breached, including anything related to the Dragos Platform,” according to the post.

However, the attackers didn’t stop there. Once the group’s initial compromise and ransomware strategy was unsuccessful, it quickly “pivoted to attempting to extort Dragos to avoid public disclosure,” the company said. Attackers did this by sending a flurry of messages to Dragos executives that threatened to reveal the attack publicly if they weren’t paid off.

In a creepy twist, the group even went so far as to get personal in the messages, making references to the family members and personal contacts of Dragos employees, as well as sending emails to the personal accounts of senior Dragos employees to elicit a response.

The company ultimately decided that “the best response was to not engage with the criminals,” and managed to contain the incident, according to the post.

Still, Dragos acknowledged a data loss that will likely result in a public leak of information because the company chose not to pay a ransom, which is “regrettable.” However, the company sticks by its decision not to engage or negotiate with cybercriminals, it said.

Promoting Cyber Transparency

It’s not often that security companies reveal attacks that they experience, but Dragos said that it decided to do so as an example of how to defuse a security breach before it causes significant damage. Also, it wanted to “help de-stigmatize security events,” the company wrote in the post.

Indeed, as security incidents have proven time and again, no company — not even ones that seem firmly locked down — is safe from attack, particularly with the current level of attackers’ cleverness and sophistication when using social engineering tactics, according to one security expert.

In fact, the Dragos narrative “is one of the rare stories where you hear about a truly crafted social engineering attempt and a quick discovery which led to minimal damage,” Roger Grimes, data-driven defense evangelist at security firm KnowBe4, wrote in an emailed statement.

The incident should drive awareness to “the very active social-engineering scams that are happening in the hiring space” in particular, he wrote. In fact, not every company is so lucky, nor defends itself so well, Grimes noted.

“There are also many stories of employers hiring fake employees who existed only to steal and scam from their employer, fake employees who actually didn’t know their job and just collected paychecks until they were fired, and scams the other way where legitimate job seekers were scammed while seeking employment,” he says.

Response & Internal Mitigation Is Key During a Cyberattack

While an investigation into the incident is ongoing, Dragos was able to prevent a more serious attack due to swift response and a layered security approach by the company, which should provide a blueprint for others, according to the post.

The company investigated alerts in its corporate security information and event management (SIEM) and blocked the compromised account, as well as activated its incident response retainer with a service provider, and engaged a third-party monitoring, detection and response (MDR) provider to manage incident-response efforts.

“Verbose system activity logs enabled the rapid triage and containment of this security event,” the company said.

To avoid similar attacks in the future, the company said it has added an additional verification step to further harden its new-employee onboarding process to ensure that the technique used in the attack won’t be repeated.

Moreover, since every thwarted access attempt was due to multistep access approval, Dragos also is evaluating the expansion of this strategy to other systems based on how critical they are.

Cyber-Resilience Advice for Other Organizations

Dragos also made some recommendations for other organizations to help avoid a similar attack scenario. The company advised that the hardening of identity and access management infrastructure and processes is ultimately a baseline linchpin for every organization looking for cyber resilience. And it’s a good idea to implement separation of duties across the enterprise so no one person has full run of the environment.

Organizations also should apply the principle of least privilege to all systems and services, and implement multifactor authentication wherever possible, the company said.

Other steps for avoiding an employee compromise similar to the one Dragos suffered include applying explicit blocks for known bad IP addresses, and scrutinizing incoming emails for typical phishing indicators, including the sender address, URLs, and spelling.

Finally, organizations overall should ensure that continuous security monitoring is in place, with tested incident response playbooks ready in case an attack does occur, according to Dragos.


(c) Dark Reading

Why Economic Downturns Put Innovation at Risk & Threaten Cyber Safety

Supplementing staff by hiring hackers to seek holes in a company’s defense makes economic sense in a downturn. Could they be cybersecurity’s unlikely heroes in a recession?

For 30 years, Silicon Valley Bank (SVB) helped technology clients transform the region, and the world, growing to hold more than $200 billion in total assets and $175 billion in deposits. And then — spectacularly, and seemingly overnight — collapsing. While the Federal Reserve’s bailout might have helped to staunch the bleeding for now, those who witnessed the events of early March firsthand will not forget what those first few frantic, uncertain days were like. The psyches of the investor class and tech sector may not recover for some time to come.

This could manifest as skittishness among the investor class, impacting tech of all focuses, but I’m particularly concerned about cybersecurity startups. A downturn in cybersecurity funding threatens not just the sector itself, but all who rely on cybersecurity innovation to keep threat actors at bay.

A recent article makes interrelated points to this effect. One: SVB has long been central to the banking needs of the cybersecurity community in the US and abroad, with public reports that roughly 500 cybersecurity vendors banked with them. Two: investors spooked by the collapse of SVB will likely be “re-evaluating practices” in the short term. Already, cybersecurity funding in 2023 had dipped to 2020 numbers. The collapse of SVB serves to intensify that trend.

One approach that has helped organizations shore up their defenses and continue innovating since the heyday of investment will be critical in this tumultuous time. Ethical hackers have always been one of the best solutions to rising rates of cybercrime. These hackers replicate the strategies of bad actors to penetrate systems and inform organizations about vulnerabilities. At this precarious economic moment, with funding collapsing and companies slashing security budgets, they’re an especially viable alternative.

A downturn in funding for innovative solutions such as hackers against a perpetually intensifying cyberthreat landscape could be disastrous for both private and federal security needs. But, before explaining exactly why hackers are so important, it’s worth sketching out our current threat and economic landscape in greater detail.

Cybercrime and the Economy

There’s no shortage of statistics illustrating the challenging state of our current cybersecurity landscape. One report says cyberattacks on industrial firms increased by 87% in 2022. Meanwhile, another report shows cyberattacks against governments jumped by 95% in the second half of 2022. According to another study, the global cyberattack volume surged by 38% last year. The financial impact is significant; according to IBM, the average total cost of a data breach has risen to $4.35 million.

In many IT departments, keeping on top of their attack surface is an ongoing, hour-to-hour struggle.

The looming economic downturn will make these problems worse. Economic turbulence and spikes in cybercrime go hand in hand. In the aftermath of the 2009 recession, cybercrime rose an average of 40% over the following two years. It was clear again when Interpol and others noted a surge in cybercrime during the COVID-19 pandemic.

In other words: Economic turbulence means less investment in cybersecurity and a surge in cybercrime. Put simply, it’s a recipe for disaster.

Why Hackers Are the Answer

You can see why reduced funding for cybersecurity startups is a major problem. Any reduction in funding will be compounded by yet another problem: individual companies cutting back on cybersecurity spending.

I believe that hackers represent the most viable solution to mounting budget concerns. It’s not just that hackers are as inventive as the criminals they’re trying to combat — prone to exactly the kind of left-of-field, unconventional thinking that routinely allows criminals to infiltrate well-fortified organizations. It’s that — in a word — they’re affordable. And what could matter more in times of economic stress?

Companies can access a diverse range of expertise and knowledge by using hackers, who bring a different mindset to your system’s defenses and let you know quickly where your vulnerabilities are and how you might remediate them. Many organizations now routinely incentivize hackers to bring vulnerabilities to their attention through vulnerability reward programs such as bug bounty. That being said, such programs aren’t meant to replace your very important cybersecurity teams. They’re meant to supplement them, reduce internal burnout, and overall make your organization more successful.

Hackers have been largely mainstreamed by now, but a not-insignificant number of organizations remain resistant to the concept, on the logic that inviting hackers of any kind or motivation into one’s internal systems may prove risky. But this is an outdated way of thinking. For proof, look no further than the US government, which is not usually known to take radical risks in the cybersecurity department. And yet: in 2017, the Department of Defense (DoD) launched Hack the Pentagon, and since then, hackers have alerted the DoD to more than 45,000 vulnerabilities. The US isn’t alone in this: Insights generated by hackers are now a routine part of government security in countries all over the world, including Singapore and the UK.

A few years from now, we’ll have a clearer picture of how precisely the collapse of SVB impacted the tech sector and the larger economy. In the here and now, though, all organizations need to stay on high alert. It would be a shame to weather an economic downturn just to lose it all from a major breach. The latter scenario, at least, is preventable — and hackers can help.


(c) Dark Reading

North Korean Hackers Behind Hospital Data Breach in Seoul

Data on more than 830K people exposed in the 2021 cyberattack.

The Korean National Police Agency (KNPA) has concluded that a cyberattack on Seoul National University Hospital (NSUH), one of the largest hospitals in the country, was the handiwork of North Korean hackers.

The attack occurred between May and June 2021.

The police report does not explicitly name any particular threat group, but it is believed that the Kimsuky group is responsible for the attack, according to South Korean media reports. Using seven servers based in multiple countries, including South Korea, the attackers infiltrated the hospital’s internal network, leading to data exposure for 831,000 people, most of whom were patients.

After two years of analytical investigation to identify the threat actors, South Korean law enforcement stated that it attributed the attack to North Korean hackers based on the intrusion techniques, website registration details, IP addresses linked to threat actors in that country, and the North Korean language and vocabulary used in the attack.

“We plan to actively respond to organized cyberattacks backed by national governments by mobilizing all our security capabilities,” the KNPA stated in a press release, “and to firmly protect South Korea’s cybersecurity by preventing additional damage through information sharing and collaboration with related agencies.”


(c) Dark Reading

Billy Corgan Paid Off Hacker Who Threatened to Leak New Smashing Pumpkins Songs

Corgan got FBI involved to track down the cybercriminal, who had stolen from other artists as well, he said.

Smashing Pumpkins front man Billy Corgan was on a recent podcast to promote the band’s new album, and he told the hosts that a hacker stole several of the songs before the release and threatened to leak them without a payoff.

“A fan contacted me and said nine of the songs have leaked,” Corgan told the Klein/Ally Show, according to CBS News. “This is like six months ago. And they were all probably the most catchy, singley type songs.”

Corgan added he paid off the cybercriminal out of his own pocket. After Corgan contacted the FBI, the hacker was tracked down, he explained.

“What we were able to do was stop the leak from happening,” Corgan added, “because it was a mercenary person who had hacked somebody — I don’t want to say who, excuse me — and they had other stuff from other artists.”


(c) Dark Reading

WhatsApp now lets you lock chats with a password or fingerprint

Meta is now rolling out ‘Chat Lock,’ a new WhatsApp privacy feature allowing users to block others from accessing their most personal conversations.

Chat Lock will create a new folder that can be locked with a password or biometric methods like a fingerprint.

You can ensure the privacy of your conversations by choosing the lock option after tapping the name of a one-to-one or group chat.

“Locking a chat takes that thread out of your inbox and puts it behind its own folder that can only be accessed with your device’s password or biometric, like a fingerprint,” WhatsApp said today.

It will also automatically hide details of the locked chat in notifications to prevent others from snooping while using the phone.

“We believe this feature will be great for people who share their phones from time to time with a family member, or in moments where someone else is holding your phone at the exact moment an extra-special chat arrives,” the company added.

To view locked chats, gently pull down on your inbox, and authenticate yourself with your password or the biometric identification you used when locking the conversation.

Today, WhatsApp added that it’s planning to further expand Chat Lock capabilities to provide users with additional features.

These forthcoming additions include locks explicitly designed for companion devices and the ability to establish a personalized password for your chats, allowing the use of a distinct password separate from your phone’s credentials.

WhatsApp also introduced end-to-end encryption seven years ago and started rolling out end-to-end encrypted chat backups to iOS and Android five years later, in October 2021, to block access to backed-up chat content.

In December 2021, WhatsApp expanded the platform’s privacy control features by adding default disappearing messages to all new chats.

Meta says the WhatsApp video calling and instant messaging platform is now used by over two billion people worldwide.


(c) Sergiu Gatlan