uTalk

Local governments are extremely important in the lives of the majority of citizens, regardless of the state.

In early 2023, Oakland, California fell victim to a ransomware attack. Although city officials have yet to say how the attack happened, experts believe phishing emails are the most likely cause. As a result, city officials shut down the server to stop the attack. Governments have been the target of many ransomware attacks and disruptions. Because most municipalities have small IT staffs, there is potential for password sharing, credential reuse, and a lack of multi-factor authentication security, exposing vulnerabilities. Oakland is broken#
The phenomenon was first noticed on a Wednesday evening in early February; when officials in Oakland, Calif., quickly took most of the service's back-end servers offline and posted the news on the city's website. A few days later, a state of emergency was declared. As well as a number of office closures, many services remained offline for some time, including Oak311, parking ticket help centres, VAT permits and licences.

The Play ransomware group claimed responsibility for disrupting city services and posted information about the hack on their organization's website. In the first release, they provided 10GB of data containing decades of files. In another, larger breach, as much as 600 GB of data was leaked. play ransomware
The impact of a security breach goes beyond disrupting city services and affects Oakland residents and city employees on a personal level. Between July 2010 and January 2022, city employees were notified that their personal information may have been compromised. In addition, some Oakland residents, such as those who file claims with the city or apply for federal programs through the city, may also be affected.

As expected, this current situation is a nightmare for both IT and city management, as well as a PR nightmare. Many concerned citizens continue to question how they are affected and how they can protect themselves from identity theft.

Consequences of violations#
Any system vulnerability is serious. In this case, the data is encrypted, making the service unusable. However, if the infrastructure is compromised, threat actors could use this access to further infect the city's residents and workers. The data breach in Oakland may have been limited to data loss, but depending on the group responsible, the consequences could have been much more serious.

The work of city IT services is already difficult, often with limited budgets and overworked IT staff. The sheer number of security vulnerabilities found in popular software and the difficulty of dealing with ever-changing threats make IT's job even more difficult. It is therefore important to have policies and procedures in place that go a long way towards protecting and safeguarding local authorities. Passwords and policies that control access to critical services are the foundation of many services. Common best practice guidelines such as NIST 800-63B, ISO 27001/27002 and SOC 2 ensure your organization's success. Enforcing these standards is difficult, and tools like Specop's Password Policy with Disclosed Password Protection can make life easier for struggling IT professionals.

Protecting users with Specop's password policy and password compromise protection#
Keeping up with best practices and standards can be difficult. Fortunately, there are tools like Specops Password Policies that enforce stronger password policies in Active Directory, help ensure compliance with security standards, and block the use of more than 3 billion known compromised passwords to help protect users against ransomware attacks from organizations like Play.

Specop Password Policy
Specop's password policies include a number of features to help keep your organization secure. These include custom dictionaries, unique and customizable password policies, and strong protection against password cracking.

Protect Cities Against Ransomware #
The ongoing challenges facing Oakland, California are complex for residents and city officials alike. The unknown threat of how stolen information can be used for future hacking or identity theft leaves many people feeling anxious and scared. By proactively protecting your government agencies with tools like Specops password policies, you can significantly limit the scope of attacks and strengthen security measures.

Two foreign commercial spyware vendors, Cytrox and Intellexa, were added to the US government's economic blacklist on Tuesday for using cyberattacks to compromise devices and "threaten the security of individuals and organizations around the world.". Privacy and Security".

This includes the company's holdings in Hungary (Cytrox Holdings Crt), North Macedonia (Cytrox AD), Greece (Intellexa S.A.) and Ireland (Intellexa Limited). Adding to the economic exclusion list, it prohibits US companies from doing business with these companies. The US Bureau of Industry and Security (BIS) said: "Recognizing the growing role that surveillance technology plays in repression and other human rights abuses, Commerce's action today targets the ability of these entities to acquire goods, software and technology that may facilitate the development of surveillance tools that pose a risk of violations that violate human rights or human rights."

Cytrox is the maker of a mobile mercenary spyware called Predator, similar to NSO Group's Pegasus. It's part of the Intellexa Alliance, a marketing brand for a coalition of leased surveillance vendors that emerged in 2019, according to the University of Toronto's Citizen Lab.

The consortium is said to consist of Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox and Senpai, while the exact connection between Cytrox and Intellexa is still unclear. Intellexa founder Tal Dilian describes himself as an intelligence expert with over 25 years of experience in the Israel Defense Forces (IDF). Intellexa says on its website that it is a regulated company with six locations and research and development laboratories across Europe. Its main product is Nebula, which it calls an "ultimate insight platform" that helps law enforcement "stay ahead of criminal activity."

Dillin was forced to resign from the IDF in 2003 following an internal investigation by three former senior Israeli military officials who suspected Dillin was involved in the mismanagement of funds, The New York Times reported. His website says that he was "honorably discharged" in 2002. In early May, Cisco Talos described the inner workings of Predator, stating that the monitoring tool uses the Alien component to collect sensitive data from infected devices. The Predator also has an iOS counterpart, which was previously seen arriving via a click link sent by WhatsApp. "Aliens are critical to the successful operation of Predator, including Predator's on-demand additions," Cisco Talos threat researcher Asheer Malhotra told The Hacker News at the time. "The relationship between the aliens and the Predators is extremely symbiotic, requiring them to constantly work together to spy on the victims."

The move builds on the US action in November 2021, where the US government added Israeli companies NSO Group and Candiru to its list of entities for developing software targeting government officials, journalists, businessmen, activists, academics and embassy staff. At the same time, the Biden administration signed an executive order restricting the use of commercial spyware by federal government agencies.

While vendors of such digital surveillance tools ostensibly sell them to law enforcement and intelligence agencies around the world to fight serious crimes and national security threats, they have also been misused by governments on several occasions to infiltrate targeted smartphones of members of civil society.

I believe we all know that Crypton coin is the native cryptocurrency of the UtopiaP2P ecosystem and I mostly hear that miners can manipulate the price of cryptocurrency through certain trends.
My question is how does an increase in miners influence the price of Crypton coin?

In a manner reminiscent of the supply chain attack against 3CX, an analysis of the indicators of compromise (IoCs) linked to the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups.

SentinelOne, which mapped out the infrastructure related to the intrusion to find underlying patterns, provided the findings. It's important to note that JumpCloud blamed an unidentified "sophisticated nation-state sponsored threat actor" for the attack last week. ".

Tom Hegel, a security researcher at SentinelOne, told The Hacker News that North Korean threat actors exhibit a high degree of ingenuity and strategic awareness in their targeting techniques. The research's conclusions show that these actors used a successful and multifaceted strategy to infiltrate developer environments. ".

They actively look for networks and tools that can open doors to bigger opportunities. Prior to engaging in theft with a financial motivation, they frequently carry out multiple levels of supply chain intrusions.
".

According to Reuters, in a related development, CrowdStrike, which is collaborating with JumpCloud to investigate the incident, has linked the attack to a North Korean actor going by the stage name Labyrinth Chollima, a sub cluster of the notorious Lazarus Group.

According to the news agency, the infiltration was used as a "springboard" to target cryptocurrency companies, indicating an effort on the part of the adversary to generate illegitimate income for the country under sanctions.

The revelations also line up with a low-volume social engineering campaign that GitHub has identified. This campaign uses a combination of malicious npm package dependencies and repository invitations to target the personal accounts of employees of technology companies. These accounts are related to the blockchain, cryptocurrency, or online gambling industries.

The North Korean hacker collective known as Jade Sleet (also known as TraderTraitor), which the Microsoft subsidiary tracks, was blamed for the campaign.

According to GitHub's Alexis Wales, "Jade Sleet primarily targets users associated with cryptocurrency and other blockchain-related organizations, but it also targets vendors used by those firms.".

The attack chains entail creating phony accounts on GitHub and other social media platforms like LinkedIn, Slack, and Telegram, though in some instances the threat actor is thought to have taken over real accounts.

Jade Sleet contacts the targets while posing as someone else, asks them to collaborate on a GitHub repository, and then tricks them into cloning and running its contents. This decoy software contains malicious npm dependencies that serve as first-stage malware, downloading and executing second-stage payloads on the compromised machine.

According to GitHub, the malicious npm packages are a part of a campaign that first came to light last month when Phylum described a supply chain threat involving a special execution chain that uses two false modules to fetch an unknown piece of malware from a remote server.

According to SentinelOne's most recent analysis, 144.217.
92[.
The JumpCloud attack's associated IP address, ]197, resolves to npmaudit[. ]com, one of the eight websites that GitHub has identified as being used to download the second-stage malware. 23.29 is a different IP address.
115[.
171 maps to the npm-pool. ]org.

Hegel said that it was clear that North Korean threat actors were constantly adapting and looking into new ways to infiltrate specific networks. The JumpCloud intrusion serves as an excellent example of their propensity for supply chain targeting, which opens up a wide range of potential future intrusions. ".

Hegel continued, "The DPRK exhibits a profound understanding of the advantages derived from meticulously choosing high-value targets as a pivot point to conduct supply chain attacks into productive networks.

Peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for further exploitation has been discovered by cybersecurity researchers.

P2PInfect is more scalable and powerful than other worms, according to researchers William Gamazo and Nathaniel Quist from Palo Alto Networks Unit 42.
It exploits Redis servers that are running on both Linux and Windows operating systems. The programming language Rust, which is very scalable and cloud-friendly, is also used to create this worm. ".

Up to 934 different Redis systems are thought to be at risk from the danger. On July 11, 2023, P2PInfect was discovered for the first time.

The worm has the ability to spread to vulnerable Redis instances by using the critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been used in the past year to spread malware families like Muhstik, Redigo, and HeadCrab.

The initial access made possible by a successful exploit is then used to deliver a dropper payload that creates peer-to-peer (P2P) communication with a larger P2P network and fetches additional malicious binaries, including scanning software for spreading the malware to other exposed Redis and SSH hosts.

The infected instance then joins the P2P network to give future compromised Redis instances access to the other payloads, according to the researchers.

Worm P2PInfect.
In order to establish and maintain communication between the compromised host and the P2P network and give threat actors persistent access, the malware also makes use of a PowerShell script. Additionally, P2PInfect for Windows includes a Monitor component that enables self-updating and launching of the new version.

Although the word "miner" appears in the toolkit's source code and the campaign has not yet been identified, Unit 42 notes that there is no concrete proof of cryptojacking.

No known threat actor groups, such as Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog), have been linked to the activity.

The development comes as malicious actors constantly scanning the internet for misconfigured and vulnerable cloud assets are finding them within minutes to launch sophisticated attacks.

The researchers claimed that the P2PInfect worm "appears to be well designed with several modern development choices.". "The design and construction of a P2P network to carry out malware auto-propagation is not something commonly seen within the cloud targeting or cryptojacking threat landscape. ".