Hackers Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 20 Jun 2024 16:43:33 +0000

Cracked Games
https://gridinsoft.com/blogs/5-dangers-cracked-games/ – Thu, 20 Jun 2024 14:10:13 +0000

The post Cracked Games appeared first on Gridinsoft Blog.

Whatever one human has created, another can crack. This sentence, in various forms, is often used by software pirates. Cracked games are easy to download from the Internet. Of course, the main advantage of cracked apps is that they are completely free, which is one reason for the popularity of cracked games in third-world countries. But have you ever considered that software pirates also need money to live? To get it, they profit in other illegal and potentially harmful ways. Let me explain which ways I am talking about and why using unlicensed games is a bad idea.

Cracked Games Origins

Every non-freeware program has its own license-checking mechanism. Such a check may be performed entirely on the user’s PC, or by the PC together with a server where all license data is stored. The code responsible for this check, however, ships inside the program’s own directory. Hence, a cracker is able to locate this code and patch it: he inserts a “jump” over the license-checking stage, so the check is simply skipped and the program believes it is activated.

[Image: The process of cracking games]

Why are cracked programs dangerous?

After the described modification, the hacker can distribute the program to the wide pirate public. However, he makes no profit in such a scenario. To solve this problem, hackers add several extra programs to the original package. Which programs? Ones whose developers agreed to pay the pirate for bundling them. And here comes the most interesting part.

Many small developers distribute their programs as part of game bundles. It can be anything: antiviruses (Segurazo, Santivirus, McAfee, Avast, et cetera), “fast and comfortable browsers”, various utilities with or without practical use, etc. Such apps are more annoying than harmful, but their use may be dangerous because of wrong actions in sensitive places, like the registry or Group Policies.

[Image: McAfee being installed as part of a game bundle]

But besides free junk apps, software pirates can add outright malicious ones. Their type and severity depend only on the size of the reward the malware developers promise to the hacker. It may be something non-critical, like adware or a browser hijacker. However, in most cases of malware injection through cracked games, users get the full house: trojan-stealer, trojan-backdoor, trojan-downloader, worm, virus and, finally, ransomware. Following modern malware trends, you may get every kind of malware mentioned above inside a single app. Bad prospect, isn’t it?

Breaking The Law With Cracked Games

Using cracked games is illegal in all civilized countries. If you use them on your home computer and do not create any commercial product with pirated programs, you may keep calm: it is hard to detect that you are using unlicensed games. However, the authorities can audit large companies and any other commercial organization, and if cracked game usage is confirmed, the corporation will receive a large fine. The size of this fine is usually much bigger than the license cost of all the games that were used in cracked versions. So, think well before using a cracked Spiderman Remastered or Call Of Duty.

[Image: A judge finishing a lawsuit. Using cracked games may lead to extremely large fines]

Download games without any risks

There are various ways to download games without exposing yourself to any risk. Here are some tips on how to practice safe gaming:

  • Download games from official stores only.
  • Avoid buying games from bizarre locations like forums or random pages.
  • Learn how to protect your accounts on Twitch, Discord, Origin, Battle.net, and Steam. Many of them offer two-factor authentication, allowing you to protect your device from unauthorized access even further.
  • Check the security features on the platforms you use.
  • Always try to download the platform’s official app.
  • Use an antivirus on your PC when going online and downloading anything.
  • Use a reputable antivirus program on all your devices and never disable it.

If you’ve used cracked games in the past, it’s imperative to check your computer for viruses. One effective way to do this is by using a reliable security tool like Gridinsoft Anti-Malware. This software specializes in identifying and removing malware that might have sneaked in through unsecured downloads. By conducting a thorough scan, you can ensure that your system is clean and secure. Remember, proactive measures are key to maintaining the health of your computer and the safety of your personal information. Always prioritize security in your digital activities to avoid potential hazards.

[Image: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

[Image: Scan results screen]

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Image: Removal finished]

As you can see, cracked game usage carries many disadvantages that can cost you much more than the license for the program. Yes, in some cases cracked game usage can be forced, for example if you want to test a program before purchasing it, not being sure it can satisfy your needs. But even in such a situation, pirating with good intentions, you can become a victim of malware attacks.

MIT Hacked, Students’ Data Sold on the Darknet
https://gridinsoft.com/blogs/mit-hacked-data-on-the-darknet/ – Tue, 13 Feb 2024 15:30:33 +0000

On February 13, 2024, a post appeared on a Darknet forum, offering a large pack of data leaked from the Massachusetts Institute of Technology (MIT). The hacker under the alias “Ynnian” claims that the leak happened this year and consists mainly of students’ data. No payment is asked for this DB, hence the information is unlikely to be highly valuable.

MIT Hacked, Data Leaked in the Darknet

The post on the infamous BreachForums discloses a recent data leak that happened at the #2 university in the world. As the leak is exquisitely fresh, posted only 2 hours before this blog post was written, there is no reaction from MIT yet. Though there should be, as the fact of such a leak raises a lot of questions.

[Image: Post with the database allegedly leaked from MIT]

As I mentioned in the introduction, the fact that it is posted “as is”, accessible to everyone without any payment, means that there is nothing really valuable inside. But if so, maybe the hackers have got something valuable enough to just give away a lean dataset? The Massachusetts university is involved in various government-backed programs, including ones related to aerospace and defense. Hence, there is definitely enough valuable material to keep an eye on.

Each row in the leaked database consists of 4 fields: faculty (or department), surname, first name of a student, and email address. Occasionally a “No Student” value appears, potentially meaning a graduate. Not much, sure, but already enough to arrange a phishing campaign, the typical way such data is used by fraudsters. As the total number of entries, 27,961, exceeds the number of students currently studying at MIT, there could be either duplicates or data about students from previous years.

Should Students be Worried?

If I were in the students’ shoes, I would have my worries. Even though there are a lot of other ways to retrieve one’s personal information, especially email and name, the source is what matters here. Being a student at a certain university is a perfect identifier for targeting further scam campaigns. And be sure they will come: a free database like this pushes the margin for fraudsters even higher.

For the near future, I’d recommend the students present in the database to be exceptionally careful with any email messages. Even if this leak is not used for spamming, precautions will not be excessive. Email phishing is too widespread nowadays to ignore such a threat.

Water Curupira Hackers Spread PikaBot in Email Spam
https://gridinsoft.com/blogs/water-curupira-spreads-pikabot-email-spam/ – Thu, 11 Jan 2024 19:46:24 +0000

The notorious group known as Water Curupira has unleashed a new wave of threats through its sophisticated malware, Pikabot. This campaign, spread primarily through email spam, highlights an alarming escalation in cyberattacks. It targets unsuspecting victims with deceptive emails, leading to unauthorized access and potential data breaches.

Water Curupira’s Email Spam Campaigns

Water Curupira, one of the known operators behind Pikabot, has been instrumental in various campaigns. It primarily aims at deploying backdoors such as Cobalt Strike, which end up with Black Basta ransomware. Initially involved in DarkGate and IcedID spam campaigns, the group has since shifted its focus exclusively to Pikabot.

Pikabot’s Mechanism

Pikabot operates through two main components, a distinguishing feature that enhances its malicious capabilities. The loader and the core module enable unauthorized remote access and execution of arbitrary commands through a connection to a command-and-control (C&C) server.


Pikabot’s primary method of system infiltration is spam emails containing archives or PDF attachments. These emails are designed to imitate legitimate communication threads, using thread-hijacking techniques to increase the likelihood that recipients interact with malicious links or attachments. The attachments, either password-protected archives containing an IMG file or PDFs, are crafted to deploy the Pikabot payload.

System Impact

Once inside the target system, Pikabot demonstrates a complex and multi-layered infection process. It employs obfuscated JavaScript and a series of conditional execution commands, coupled with repeated attempts to download the payload from external sources. The core module of Pikabot is tasked with collecting detailed information about the system, encrypting this data, and transmitting it to a C&C server for potential use in further malicious activities.

Another layer of Pikabot’s mischievous actions is its ability to serve as a loader/dropper. The malware uses several classic techniques, such as DLL hooking and shellcode injection. It is also capable of straightforwardly launching executable files, which suits certain attack cases. Among other threats, Pikabot is particularly known for spreading the Cobalt Strike backdoor.

Recommendations

To protect yourself against threats like Pikabot, which is spread by Water Curupira through email spam, here are some key recommendations:

  • Always hover over links to see where they lead before clicking.
  • Be cautious of unfamiliar email addresses, mismatches in email and sender names, and spoofed company emails.
  • For emails claiming to be from legitimate companies, verify both the sender’s identity and the email content before interacting with any links or downloading attachments.
  • Keep your operating system and all software updated with the latest security patches.
  • Consistently back up important data to an external and secure location, ensuring that you can restore information in case of a cyberattack.
  • Educate yourself and your company. Keep up to date with the latest cyber news to stay ahead of the curve.

Integris Health Hacked, Patients Receive Ransom Emails
https://gridinsoft.com/blogs/integris-health-patients-ransom-emails/ – Thu, 28 Dec 2023 10:20:31 +0000

Integris Health, Oklahoma’s largest not-for-profit health network, fell victim to a sophisticated cyberattack that compromised sensitive patient data. This unfortunate event had some really unusual consequences: patients of Integris Health in Oklahoma started receiving extortion emails. The emails threaten to sell their data to other malicious actors if they fail to pay an extortion demand.

Integris Health Patient Data Extortion

By December 24, Integris Health patients reported receiving extortion emails. The attackers, claiming to have exfiltrated the personal data of over 2 million individuals, demanded payment to prevent the sale of this information. The extortion emails included links to a dark website where around 4,674,000 records were purportedly available.

[Image: A darknet site with patient data]

The website offered the choice to either delete or view the data upon payment. However, it is unclear whether there are duplicate records among them. The compromised data comprised Social Security numbers, birthdates, addresses, insurance and employment details. This was confirmed by patients who recognized their personal information in those emails.

Incident Background

In November 2023, Integris Health detected unauthorized activities within its network. An investigation revealed that an unidentified party accessed confidential patient files on November 28. It is unknown at this time exactly what information was compromised.

Integris Health reports that the investigation is still ongoing. However, given the attack’s scale, cybercriminals likely gained access to a wide range of data, including names, addresses, insurance policy numbers, dates of birth, medical records, and other personal information.

Integris Responds to Ransom Emails

Integris Health has updated its security advisory, warning patients against interacting with the extortion emails. Notably, this incident follows a pattern similar to the one observed in the Fred Hutchinson Cancer Center attack, which suggests a potential link between the threat actors.

The dilemma faced by victims is whether to pay the ransom to protect their identity. However, as experience shows, paying the ransom does not assure data security or deletion. It also potentially marks the payer as a target for future extortion attempts.

Is It A New Cybercrime Meta?

The tactic of directly contacting users whose data was leaked is rather new, but looks organic in the modern threat landscape. While ransomware gangs like BlackCat force companies to pay by reporting the hacks to the SEC, the hackers behind the Integris hack opted for this peculiar approach. Overall, such unusual steps appear to be, if not a new extortion method, then at least a way to enforce paying the ransom.

The intimidation factor is what stands out most. For multi-billion-dollar companies listed on stock exchanges, it is much more than just a feeling of embarrassment. It is unlikely that hackers will start messaging all their victims, as such a practice is simply counter-productive. With large companies, however, it is essential to expect and be ready for the unique new tricks hackers come up with.

KraftHeinz Hacked by Snatch Ransomware Gang
https://gridinsoft.com/blogs/kraftheinz-hacked-by-snatch-ransomware/ – Fri, 15 Dec 2023 08:27:36 +0000

The global food and beverage company KraftHeinz became a target of the infamous Snatch ransomware gang. The hackers listed the company on their Darknet leak site. This is yet another hack of a food industry company in recent times.

KraftHeinz Hacked by Snatch Ransomware

On December 13th, the Snatch ransomware gang listed KraftHeinz on their Darknet site. Although the entry for KraftHeinz on the site dates back to August 16th, it was only updated on the announcement day. Notably, the entry lacked detailed information or file samples, typical for such breaches. However, the absence of data could imply that the attackers are waiting for negotiations or have other strategic reasons for withholding information.

[Image: Post about KraftHeinz on the Snatch leak site]

But what info can be found in the KraftHeinz network? The company barely has any business with retail customers, with all deals going to wholesale chains. Nothing critical or sensitive about individuals, sure, but plenty of important information about corporations.

What can be a better gift to a stock trader than a pack of info regarding the company’s financial results days before its earnings report? What can be more valuable to other hackers than information about weak spots in a company’s security from someone who has already breached it? Fraudsters will make their money one way or another, that is for sure.

Food Industry Under Ransomware Attacks

This attack on KraftHeinz is not an isolated incident. In fact, it represents the second major attack on a food producer by Snatch in just two months. As for KraftHeinz’s scale, the company employs around 40,000 people in over 40 countries and reported net sales of $26 billion in 2022. As a result, the breach threatens not only corporate security but also poses a risk to a vast array of popular brands under the Kraft Heinz umbrella, including Oscar Mayer, Velveeta, and Jell-O, among others.

Before KraftHeinz, Tyson Foods, another giant in the food sector, fell victim to Snatch in November. The attack pattern mirrored that of KraftHeinz, with limited information disclosed by the ransomware operators. These attacks share a pattern and underline a worrying trend in the food industry, following previous high-profile cyberattacks on companies like JBS USA, New Cooperative Inc., and Dole Foods.

Who is Behind the Attack?

Snatch, a ransomware group active since 2018, may not be as well-known as other cybercriminal groups. Nonetheless, its impact is increasingly being felt. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about Snatch’s tactics, which include exploiting Remote Desktop Protocol vulnerabilities and spending extended periods on a victim’s network before launching an attack.

Snatch uses a Ransomware-as-a-Service model and is known for its double extortion tactics. The group’s approach to ransomware attacks is meticulous, often involving prolonged observation of the victim’s network. Over the last year, at least 95 organizations have fallen prey to Snatch, according to monitoring tools. The group presents itself as noble: its manifesto promises victim notification, prioritizes negotiations, and pledges not to disclose the exploited vulnerabilities beyond the victim.

Google Addresses Zero-Day Vulnerability in Chrome
https://gridinsoft.com/blogs/google-addresses-0day-vulnerability/ – Mon, 04 Dec 2023 17:15:46 +0000

In a recent security alert, Google has addressed a critical zero-day vulnerability in its Chrome browser and ChromeOS software, urging users to update to the latest version (119.0.6045.199). The flaw, tracked as CVE-2023-6345, allows attackers to bypass sandbox security measures by compromising the browser’s rendering process, leading to potential remote code execution or access to sensitive data.

Google Fixes CVE-2023-6345 0-day Vulnerability

Limited public information is available about CVE-2023-6345, but it is identified as an integer overflow issue affecting the Skia component within Chrome’s graphics engine. The National Vulnerability Database (NVD) describes it as a high-severity bug that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a malicious file.

Soon after the official announcement of the vulnerability fix, a real-world exploit appeared. Due to this, Google rated the CVE-2023-6345 fix as a high-priority update. The company has refrained from disclosing technical details until the majority of users and vendors using the Chromium browser engine implement the fixes.

Security analysts note that Google TAG researchers reported CVE-2023-6345, highlighting its connection to spyware and APT activity. Comparisons are drawn with a previous similar flaw (CVE-2023-2136), suggesting the latest patch aims to prevent attackers from bypassing the earlier update.

More Security Patches

Alongside the zero-day fix, Google has released a total of seven security updates addressing various vulnerabilities:

  • CVE-2023-6348: Type Confusion in Spellcheck
  • CVE-2023-6347: Use after free in Mojo
  • CVE-2023-6346: Use after free in WebAudio
  • CVE-2023-6350: Out of bounds memory access in libavif
  • CVE-2023-6351: Use after free in libavif

This latest announcement marks the fourth zero-day vulnerability Google has disclosed and patched in its Chrome browser this year.

Update Google Chrome

As we said earlier, patches and updates are the best way to fix vulnerabilities. If you’re using Mac or Linux, the update will take your browser to version 119.0.6045.199, while Windows users will be upgraded to version 119.0.6045.199/.200. To check if the update is available, go to “Help” in your Google Chrome menu, then click “About”. If the update is ready, it will automatically start downloading.

[Image: Google Chrome update downloading window]

It may take a few days for the update to be available to everyone. Once you have installed the update, make sure to restart your browser for the changes to take effect. Otherwise, your browser will remain vulnerable to attacks.

Tipalti, Roblox and Twitch Hacked by ALPHV/BlackCat
https://gridinsoft.com/blogs/tipalti-roblox-twitch-hacked/ – Mon, 04 Dec 2023 15:53:58 +0000

On December 3, 2023, the ALPHV ransomware gang claimed to have hacked into the fintech software provider Tipalti and its clients Roblox and Twitch. The approach appears unusual, as the gang created a listing that says “but we’ll extort Roblox and Twitch, two of their affected clients, individually”. The criminals promise to publish updated posts on Monday morning, which will maximize the stock price impact.

Tipalti Hacked, Roblox and Twitch are Collateral

On Saturday, December 3, 2023, ALPHV came out with quite an unusual claim. The hacker group claimed to have hacked into the network of Tipalti, a payment automation and accounting software provider, back in early September 2023. The text below is quoted from their Darknet leak site:

We have remained present, undetected, in multiple Tipali systems since September 8th 2023. Over 265GB+ of confidential business data belonging to the company, as well as its employees and clients has been exfiltrated. We remain committed to this exfiltration operation, so we plan to reach out to both these companies once the market opens on Monday…

[Image: Listing of Tipalti and other companies on ALPHV’s Darknet site]

The thing is, the company itself has not received any ransom note yet. The typical practice in cyberattacks is to notify the victim via a ransom note and only then publish info about the hack. Not this time though: as the hackers say, they doubt the company will contact them back, due to some specific details they discovered while active in the network.

…given that Tipalti’s insurance policy does not cover cyber extortion and considering the behavior of the executive team in general, observed through internal communications, we believe the likelihood of them reaching out on our terms is unlikely, regardless of the sensitivity of data in question…

[Image: Cybercriminals’ explanation for the unusual hack flow]

Another detail the hackers reveal is the involvement of an insider. This is not a rare occurrence, but threat actors rarely speak openly about it. In the context of several companies taken as collateral, this sounds more like an attempt to ruin the company’s image. That especially contrasts with the official response the company gave to the Israeli media outlet Calcalist.

[Image: Tipalti representative’s claims regarding the hack, given to Calcalist]

Roblox and Twitch Fall Victim to Tipalti Hack

The worst part about this hack is that the hackers managed to compromise two client companies, namely Roblox and Twitch. Actually, this is not the first time Roblox has been a victim of a ransom hack: the same ALPHV gang hacked them in 2022. Twitch, though, is mentioned only in the listing title, without any further references in the text. This may be a sign that the hackers managed to leak a less than significant amount of data.

At the same time, some serious threats directed at Roblox appear in the text. The hackers say they will publish the data of more victims (supposedly other Tipalti clients) in the months to come. To prevent this, both mentioned companies should pay the ransom. Yet they neither specify any sums nor, what is more important, the types of data leaked from the game developer.

Is it that dangerous?

Despite how threatening the whole situation looks, I’d take it with a grain of salt. Hackers often exaggerate the total damage, especially when it comes to collateral damage. Claims about Tipalti’s clients being hacked are most likely just attempts to scare all the involved parties and make them pay.

What is beyond doubt, though, is the hackers’ access to some of the data. In particular, they are not likely to lie about their access to a major amount of Tipalti’s data. For the other companies, it is most likely some data about financial transactions, the things they actually delegated to Tipalti. Still, this is not great, as such a leak may be a reason for companies to switch to a different service.

To sum up, despite touching a whole array of companies, the hack brings the most harm to Tipalti, and mostly reputational harm: even if not much of the clients’ info ended up in the hackers’ hands, the fact of the leak persists. The obvious conclusion is to avoid deep integrations with such unreliable providers, to minimize the possible damage in case of another cyberattack.

UPD 12/05/2023

The original listing shown above was replaced with a more classic one that claims the Tipalti hack. However, the threat actors still use the text note as a place for a post-scriptum. The criminals dispute Roblox's claims regarding the absence of any signs of network compromise, saying that they will contact them later.

ALPHV ransomware Tipalti listing
New Tipalti listing on the ALPHV ransomware Darknet site

At the moment, the ALPHV hackers claim to be contacting the first group of Tipalti clients whose info was leaked during the hack. They do not contact the company itself, saying they are going to reach out to the clients first. Another interesting detail unveiled after the re-listing is that no ransomware was used: they just leaked 265 gigabytes of data.

What is Sextortion? Explanation, Signs & Ways to Avoid
https://gridinsoft.com/blogs/what-is-sextortion/
Fri, 01 Dec 2023 15:37:27 +0000
Sextortion is a specific email phishing tactic that has been around for quite some time. Over the last few years, though, its popularity has skyrocketed, and some novel technologies make me concerned about possible sextortion approaches in the future. Let me explain what I mean, what this scam is about, and how to detect and avoid it.

What is Sextortion?

The term “sextortion” is rather self-explanatory, even though the practice has been in use for quite a long time. It is a type of email scam that aims at extorting money through threats of publishing explicit visual content of the victim. To look more authoritative, the scammer may claim to have access to the target's social media accounts.

Professional Hacker Email scam example
Typical example of a sextortion email

Contrary to more classic email phishing scams, the attacker never asks the victim to do anything other than send a sum of money. The reason for such a generous act is, as the villain assures, their possession of compromising materials about you. The email text often discloses how these photos and videos were supposedly obtained: from a webcam while you were browsing adult sites, leaked from a hacked phone, or the like.

All this boils down to a simple demand: send the money or I will leak all these nude videos and pics to the public. Some scammers, definitely not exaggerating, say they will post it from your profile, as they supposedly have access to it as well. Those who try to look more realistic simply promise to tag your entire friends list on a specific social network.

Are Sextortion Threats Real?

99.5% of the time, they are not. Even though some people may have someone's nude photos on hand, the number of scam emails exceeds the number of such people by orders of magnitude. And since such graphic materials rarely end up in the hands of a stranger, it would be particularly easy to identify the extortionist. Add to this the generic message text and the absence of any proof, and you have some definite signs of a scam. Let's have a more detailed look at them.

How to detect a Sextortion Scam Email?

Like any email scam, sextortion relies on three psychological tricks: causing shock, creating a feeling of vulnerability, and creating a sense of urgency. This leaves a footprint in the text and makes it somewhat templated across all the scam cases. Let's review the most popular patterns.

Typical Sextortion Email Patterns in Text

Over time, dozens if not hundreds of different text patterns for extortion emails have appeared. Most of them, however, are created with the intention of fitting any victim. It would be rather inconvenient for a scammer to adjust the text whenever they target a new group of people. Thus, utterly generic and abstract text with no personalization at all is what you should expect from a sextortion scam.

Sextortion email template
Sextortion emails are templated, even though the exact text may be different

The sense of shock comes from the stranger saying they have your nude photos. Moreover, this person tries to pose as a “professional hacker”, boasting of access to all your browsing history, webcams, online wallets and the like. Why would they do nothing with this access, such as hijacking accounts or stealing all the money from the online wallets? The question is rhetorical.

The urgency comes from the “deadline” before which you should pay the ransom. As the “hacker” says, no negotiations are possible, and missing the payment date will end with all the materials being published. Some crooks also say things like “this is not my email, so I will stop using it shortly”. This creates even bigger concerns about being unable to avoid public shame.

Sure enough, the same methods may be used by someone whose threats are real. But they never follow the pattern, at least not so straightforwardly. This is what distinguishes a letter written by a real human from a scammer's tool designed to fit any circumstances.

Check For A Re-Used Crypto Wallet

As sextortion scams run in “waves”, you are most likely not the only person who got such an email. Fraudsters often stick to the exact same text, changing only the crypto wallet they ask to send the ransom to. A simple Google search for the wallet address may reveal not just one but several text patterns used in the same scam wave.

Obviously, when the con actor is real in their threats and is not running this as a business, they will never use someone else's crypto wallet or one used in a scam before. Even when a real hacker does something like this (it happens once in a while), they will never use the same wallet twice. Moreover, “real hackers” rarely opt for Bitcoin as a payment method, preferring cryptocurrencies like Monero or DarkCoin. The latter have the anonymizing infrastructure that is in such heavy demand when you go outlaw.
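As an added example (not code from the original post), here is a small Python mail filter that turns the two checks above into something a defender can run: it scores an email body against the template features described in this section, validates extracted Bitcoin addresses with Base58Check so look-alike tokens are dropped, and groups flagged messages by wallet to surface a scam wave. The feature names and the three-hit threshold are my assumptions, the sample emails are constructed, and the wallet in them is the well-known Bitcoin genesis-block address, used only as a syntactically valid placeholder.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample mailbox (not real scam text): two differently worded extortion
# emails sharing one wallet, plus a benign message that happens to mention a deadline.
SAMPLES = [
    ("msg-1", "Hi, I am a professional hacker with full access to your device. I recorded you "
              "via the webcam while you visited adult sites. Send 900 USD in Bitcoin to "
              "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours. This is not my email."),
    ("msg-2", "Your account was hacked. I have access to all your contacts and your camera "
              "caught you on porn sites. Pay 0.05 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
              "in 2 days or I send the video to everyone."),
    ("msg-3", "Hi team, the invoice is attached. Let me know if 2 days is enough to review it."),
]

# Template features the post describes: "professional hacker" pose, webcam/adult-site
# story, access boast, payment deadline, disposable-address claim, crypto demand.
FEATURES = {
    "hacker_claim": re.compile(r"\b(professional|real)\s+hacker\b", re.I),
    "webcam_story": re.compile(r"\b(webcam|camera)\b.*\b(adult|porn)\b", re.I | re.S),
    "access_boast": re.compile(r"\baccess to (your|all)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|days?)\b", re.I),
    "disposable": re.compile(r"\b(not my|one-time|temporary) (email|address)\b", re.I),
    "crypto_demand": re.compile(r"\b(bitcoin|btc|monero|xmr)\b", re.I),
}
# Bech32 and legacy (Base58Check) Bitcoin address shapes.
BTC_ADDR = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_valid_legacy_btc(addr: str) -> bool:
    """Base58Check test for 25-byte P2PKH/P2SH addresses; rejects look-alike tokens."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # version (1) + hash160 (20) + checksum (4)
    except OverflowError:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def score_message(text: str):
    """Return (matched feature names, plausible wallet addresses) for one email body."""
    hits = [name for name, rx in FEATURES.items() if rx.search(text)]
    addrs = [a for a in BTC_ADDR.findall(text) if a.startswith("bc1") or is_valid_legacy_btc(a)]
    return hits, addrs

def is_sextortion(text: str, min_hits: int = 3) -> bool:
    """Flag only when several template features co-occur with a payment address."""
    hits, addrs = score_message(text)
    return len(hits) >= min_hits and bool(addrs)

def group_by_wallet(mailbox):
    """Cluster flagged messages by wallet; one address across different texts is a scam wave."""
    waves = defaultdict(list)
    for msg_id, body in mailbox:
        if is_sextortion(body):
            for addr in sorted(set(score_message(body)[1])):
                waves[addr].append(msg_id)
    return dict(waves)
```

Running `group_by_wallet(SAMPLES)` links msg-1 and msg-2 through their shared wallet while the benign msg-3, which only trips the deadline feature, stays unflagged.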

AI-fueled Sextortion Scams Incoming

All in all, sextortion is a rather old scam that has not been very effective over the last few years. People are aware of it, and there is almost no chance it is real after all. This is true, but recent developments create a huge risk of sextortion scams resurfacing with a force yet unseen. Let me explain.

AI undressing services
Undressing AI is galloping ahead, and its use in malicious affairs is just a matter of time

The current pace of AI development is exciting. But what is more mind-boggling is the number of malicious uses for this potential. In particular, we are talking about photo editing capabilities. There are already quite a few AI services that will edit the clothing out of a picture of a person you've uploaded. Combine this ability with sextortion scams and the fact that most people share their normal photos without a second thought, and you get fuel for a new, unpredictably powerful scam wave.

Scammers behind sextortion emails will finally stop extorting money for nothing. This time, they may have not only a manipulative text but something to back up their claims with. And if you ignore the demand, they will post it somewhere. There is still no reason to believe their tales about access to all your accounts, but dumping the photos while tagging your entire friends list may still be effective.

Sure, it is rather easy to prove the AI origin of images and videos. But the very fact that these images exist may throw people into panic. This will eventually force them to pay the ransom, which still does not guarantee that the scammer will not publish the fake photos. And even if you remain calm and ignore all the threats, it may be bothersome to prove that these nude photos of yours are just a hallucination of a vicious neural network.

How to protect yourself from email scams?

Well, that is not an easy question to answer. As I've just explained, things are getting complicated, and there is no well-rounded advice for the most modern cases. However, I took my time to think through possible mitigation options for the majority of situations.

Control who gets your personal email address. While benign services try to keep their customers' info private, there are enough services that do not care. Shady forums, torrent trackers, websites with cracked software: they will gladly sell their user databases, emails included, to someone. These databases are then used to spam people and spread scams, including sextortion. Avoid leaving any personal info in such places, or at least do not use your personal email for registration there.

Keep a cool head. All extortionists rely on your panicked actions upon realizing that someone may publish inappropriate graphic content of you online. You, in turn, should not act on emotion; that will save you both money and gray hair.

Change all your passwords. This is mostly for good measure, as only a few cases out of thousands of sextortion scams can really boast of having your passwords leaked. Still, the very habit of updating your login credentials is a great enhancement to your personal cybersecurity.

Warn your friends, colleagues and relatives about a possible fake video. By announcing in advance that a provocative video may appear, you minimize the initial shock it could create. After that, all the fake video will do is provoke friendly laughs instead of shame or arguments. Even if the scammer is bluffing and there is no graphic material in their possession, not even a fake one, this will raise awareness of such cases.

Okta Hack Exposes Data of All Support Customers
https://gridinsoft.com/blogs/okta-hack-all-customers-exposed/
Thu, 30 Nov 2023 10:47:15 +0000
Back in mid-October 2023, Okta, one of the world's largest identity providers, suffered a data breach. Security vulnerabilities in its support system allowed hackers to access one of the support accounts. Initially, only a small number of customers were said to be affected by the breach. But over a month later, the company disclosed that the hackers had managed to leak the info of all Okta Help Center clients.

Okta Hack Results in a Massive Data Breach

As originally reported, the data breach within Okta Help Center touched only a small number of users. Due to poor session token authentication, the hackers managed to log in under the guise of a legitimate client and spawn several additional entities. This ended with a call to a function designed to list all the Help Center accounts, which, as was originally believed, had not been successful. As of October 20, Okta claimed that only 134 accounts had their data exposed in this incident.

As it turned out, this number was heavily underestimated. Further investigation showed that the hackers successfully dumped info about all the accounts in the system. The company shares some specific details regarding the types of data exposed in that breach:

The majority of the fields in the report [created by hackers to dump the user data] are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.
Types of data Okta hack
Types of data stored within user support profiles

Therefore, it is possible that some of the users (0.4%, or 72 people) have more than just their email and name exposed. Not a lot, but this already creates a stark contrast with the company's original claims. And, more importantly, it raises questions about the security architecture within the company.

More Details of Okta Hack Appeared

Aside from the data exposure disclosure, the company also shared some new details regarding the hack. As it turns out, the crooks got their hands on a service account designed for an automated process running on a machine. Such accounts are often needed for automated backup creation and similar scheduled tasks. The credentials for this account were stored, among other data, in an employee's Google account that the hackers had previously managed to access.

That explains the lack of MFA protection on the compromised account (which is not an option for a machine) and its high privileges. Before, the story sounded rather ironic: the largest identity provider does not care about using identity protection mechanisms in its own networks. Now it makes sense, but it raises new questions about securing such accounts. And it still does not justify the fact that compromising a single employee's account in effect compromised the entire service.

Welltok Data Breach Exposes More Than 8 million Patients
https://gridinsoft.com/blogs/welltok-data-breach-8-million-patients/
Thu, 23 Nov 2023 19:44:51 +0000
Welltok, a healthcare Software as a Service (SaaS) provider, has reported unauthorized access to its MOVEit Transfer server, impacting the personal information of nearly 8.5 million patients in the United States. The breach, detected on July 26, 2023, has raised concerns about the security of patient data and has significant implications for healthcare providers across various states.

Welltok Data Leaked Because of MOVEit

Welltok specializes in online wellness programs, predictive analytics, and supporting healthcare needs for providers nationwide. The breach, resulting from a MOVEit software vulnerability exploited by the Cl0p ransomware gang, allowed unauthorized access to confidential patient data.

The sensitive patient information compromised during the breach covers a wide range of data, including full names, email addresses, physical addresses, telephone numbers, Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and certain health insurance information. The breach has affected healthcare institutions in multiple states, with notable providers such as:

  • Blue Cross and Blue Shield
  • Corewell Health
  • Mass General Brigham Health Plan
  • Faith Regional Health Services

Welltok’s initial estimates didn’t disclose the full scale of impacted individuals. However, recent reports confirm that 8,493,379 people have been affected, making it the second-largest MOVEit data breach after Maximus. The breach’s ripple effect extends to various healthcare plans, emphasizing the widespread consequences for patients and healthcare providers.

Screen of phishing email
Typical phishing email used by the Cl0p group to start the cyberattack

Implications of Welltok Data Breach

Welltok sent out data breach letters to those impacted by the data security incident on November 17, 2023. The letters contain a list of compromised information.

A review of the affected files revealed that they contained sensitive information about health plan members, including their names, dates of birth, addresses, and health records. In addition, some individuals' Social Security numbers, Medicare/Medicaid IDs, and health insurance information were also stolen. A substitute breach notification was uploaded to the Welltok website in October. However, the page was set to no-index, meaning it would not be indexed by search engines and would likely only be found by people who visited the website directly.

How to prevent data breaches?

To prevent data breaches, organizations should prioritize a comprehensive cybersecurity strategy. Begin by conducting regular security audits and implementing strong access controls, ensuring employees have minimal access privileges. Encrypt sensitive data both in transit and at rest, utilizing robust encryption methods. Keep systems updated with the latest security patches and employ multi-factor authentication to enhance access security.

Invest in employee training to raise awareness about cybersecurity risks, particularly phishing attacks. Secure network perimeters using firewalls and intrusion detection systems, monitoring user activities for any anomalies. Regularly back up critical data and establish a solid recovery plan to minimize downtime in case of a breach.
