Cyber Security News — Past 24 hours | 24.04.2021

SLIIT CS2
4 min read · Apr 24, 2021

Mount Locker Ransomware Aggressively Changes Up Tactics

The changes have been accompanied by an uptick in Mount Locker attacks, especially those aimed at companies in the biotechnology sector. Schmitt said there has been a surge of incidents in this segment, indicating that a larger campaign may be afoot that aggressively targets healthcare-adjacent industries.

“Biotech companies, in particular, are a prime target for ransomware because of their position in an industry flush not only with cash but also with highly sensitive IP,” Schmitt explained. “Additionally, connections to other research organizations increase the potential to damage the victim’s reputation in the industry and put business dealings at risk.”

Healthcare and biotech companies are also prime targets given that they stand to lose the most if operations are halted for too long or critical IP is lost, Schmitt pointed out. So, “attackers view them as more likely to pay the requested ransom quickly,” he said.

All of this has happened as Mount Locker appears to be rebranding to AstroLocker. Schmitt pointed out that “the verbiage and victims listed on both variants’ shaming sites share significant overlap.” He added, “this could signal a shift in the group’s overall tactics and an effort to fully rebrand as a more insidious threat.”

Organizations can look for signs of Mount Locker or AstroLocker within their environments, such as Cobalt Strike stagers and beacons, and should monitor for the staging and exfiltration of files via FTP.
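The FTP monitoring advice above is the part of this item a defender can act on directly. The following is an added example, not code from the Threatpost article or from GuidePoint: it sums outbound bytes per internal host to each external FTP server from constructed firewall flow records and flags pairs above a volume threshold. The record format, field names, internal address ranges and the 100 MiB threshold are all assumptions chosen for illustration.

```python
"""Flag candidate FTP exfiltration from firewall flow records.
Added example; log format, field names and thresholds are assumed."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real logs). One key=value record per line.
SAMPLE_FLOWS = """\
ts=2021-04-23T02:11:04Z src=10.20.5.17 dst=203.0.113.44 dport=21 proto=tcp bytes_out=1820 bytes_in=960
ts=2021-04-23T02:11:09Z src=10.20.5.17 dst=203.0.113.44 dport=20 proto=tcp bytes_out=734003200 bytes_in=1200
ts=2021-04-23T02:14:51Z src=10.20.5.17 dst=203.0.113.44 dport=20 proto=tcp bytes_out=512000000 bytes_in=980
ts=2021-04-23T02:20:00Z src=10.20.7.3 dst=10.20.1.10 dport=21 proto=tcp bytes_out=54000000 bytes_in=2200
ts=2021-04-23T02:25:31Z src=10.20.9.8 dst=198.51.100.7 dport=443 proto=tcp bytes_out=90000000 bytes_in=40000
ts=2021-04-23T02:31:12Z src=10.20.8.2 dst=198.51.100.9 dport=21 proto=tcp bytes_out=4096 bytes_in=3000
"""

FTP_PORTS = {20, 21}                  # control channel and active-mode data channel
THRESHOLD_BYTES = 100 * 1024 * 1024   # 100 MiB outbound per (src, dst); assumed tuning value

# Assumed internal ranges for the monitored network; real deployments use their own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Turn one 'key=value key=value ...' record into a dict with numeric fields cast."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["bytes_in"] = int(rec["bytes_in"])
    return rec


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ftp_exfil_candidates(log_text, threshold=THRESHOLD_BYTES):
    """Sum outbound FTP bytes per internal source -> external destination pair and
    return the (src, dst, total_bytes_out) tuples at or above the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["proto"] != "tcp" or rec["dport"] not in FTP_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # scope the rule to egress; internal FTP is a different question
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    return sorted((src, dst, total) for (src, dst), total in totals.items() if total >= threshold)


if __name__ == "__main__":
    for src, dst, total in ftp_exfil_candidates(SAMPLE_FLOWS):
        print(f"ALERT possible FTP exfiltration: {src} -> {dst} {total / 2**20:.0f} MiB outbound")
```

The rule deliberately keys on port rather than protocol inspection, so passive-mode FTP data channels on high ports will be missed; in practice the same aggregation is run over application-identified flows from a proxy or NDR sensor, and the threshold is set from a baseline of normal egress per host.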

“While these would always be cause for alarm…an updated, more aggressive Mount Locker and the dramatic increase in attacks attributable to the group make these indicators of compromise particularly alarming,” Schmitt concluded.

Source: https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/

Serious Bugs Allowed Hackers To Retrieve Sensitive Information of John Deere Tractor Owners

There is no evidence that hackers exploited these flaws. The researcher, who goes by Sick Codes, reported them to John Deere on April 12 and 13, and the company fixed one of the bugs just three days later. The company fixed the second bug on Wednesday, according to the researcher.

Before the fixes, the vulnerabilities, if exploited, would have exposed personal data about John Deere’s customers, including their physical address, according to Sick Codes.

Sick Codes explained that on newer farm equipment he was able to see the vehicle or equipment owner’s name, their physical address, the equipment’s unique ID, and its Vehicle Identification Number (VIN), the code that identifies a specific vehicle.

Sick Codes said he could iterate through and brute-force every VIN in the database because the VINs were “sequential,” according to him. Deere said that not “all” devices were affected.

A John Deere spokesperson confirmed the existence of the vulnerabilities but downplayed their impact.

Sick Codes said that the claim that the bugs did not expose customer information is “a lie.”

A recent Forbes article dug into John Deere’s history — or lack thereof — of software vulnerabilities.

“One thing the company doesn’t have? A software vulnerability in any of its products — at least one that the company has disclosed to the public,” the author wrote.

That’s not the case anymore.

Sick Codes said that the first vulnerability allowed anyone to list all usernames on the John Deere Web Portal.

“A remote unauthenticated attacker can simply remove the cookie from the original request and replay an unlimited volume of username availability requests,” the researcher wrote in the vulnerability report, which he shared with Motherboard. “An unauthenticated remote attacker can easily enumerate an organization’s account username by submitting permutations of a target, with no observable rate-limit.”

The second flaw could be used in tandem with the first to dox all John Deere owners. The exploit leveraged the John Deere Operations Center Mobile app for Android and iOS, as well as its corresponding web version.

Anyone with an API cookie, which could be obtained simply by signing up for the app (no proof of owning a John Deere vehicle was required), could “expose any vehicle or equipment owner’s name, physical address, equipment GUID (permanent equipment ID) and the status of whether the Terminal is remotely accessible via the RDA protocol via the Vehicle Identification Number (VIN) API,” according to the vulnerability report Sick Codes sent to John Deere.
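The two weaknesses described above are a textbook pairing: an unauthenticated, unthrottled username-availability check, and an authenticated lookup that never asks whether the caller owns the object it returns. The following is an added example, not John Deere’s code or anything derived from the Sick Codes report: a toy in-memory API that reproduces both behaviours beside a hardened version, with a loop that walks sequential identifiers to show why the second flaw dumps the whole table. All records, account names, cookies, field names and rate limits are constructed for illustration.

```python
"""Toy owner-lookup API: weak behaviour as described in the report beside a
hardened form. Added example; all data and limits are constructed."""
import time
from collections import defaultdict

# Constructed records. VINs are made sequential on purpose, as the report says
# the real ones were, so a simple counter walks the whole table.
EQUIPMENT = {
    "1ZZ0000001": {"account": "farm-a", "owner": "A. Farmer", "address": "1 Barn Rd", "guid": "g-0001", "rda": True},
    "1ZZ0000002": {"account": "farm-b", "owner": "B. Grower", "address": "2 Silo Ln", "guid": "g-0002", "rda": False},
    "1ZZ0000003": {"account": "farm-c", "owner": "C. Tiller", "address": "3 Field Way", "guid": "g-0003", "rda": True},
}
ACCOUNTS = {"farm-a", "farm-b", "farm-c", "new-signup"}
# Signing up is enough to get an API cookie; cookie -> account name.
SESSIONS = {"cookie-new-signup": "new-signup", "cookie-farm-a": "farm-a"}


# ---- weak behaviour, as the report describes it ------------------------------
def username_available_vulnerable(username, cookie=None):
    """Answers for anyone: the cookie is never checked and nothing is throttled,
    so dropping the cookie and replaying permutations enumerates every username."""
    return username not in ACCOUNTS


def lookup_vin_vulnerable(cookie, vin):
    """Requires *a* session but never checks that the caller owns the VIN (BOLA/IDOR)."""
    if cookie not in SESSIONS:
        return None
    return EQUIPMENT.get(vin)


# ---- hardened behaviour -------------------------------------------------------
class RateLimiter:
    """Sliding-window counter per key (the session cookie here). Limits are assumed."""

    def __init__(self, limit=5, window_s=60, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self.hits[key] if now - t < self.window_s]
        recent.append(now)
        self.hits[key] = recent
        return len(recent) <= self.limit


def username_available_hardened(cookie, username, limiter):
    """Refuse without a valid session and throttle per session, so the check
    cannot be replayed at volume. Returns None when the request is refused."""
    if cookie not in SESSIONS or not limiter.allow(cookie):
        return None
    return username not in ACCOUNTS


def lookup_vin_hardened(cookie, vin):
    """Object-level authorization: only the owning account may read a record, the
    response is identical for 'not yours' and 'does not exist', and only the
    fields the feature needs are returned (no name or address)."""
    account = SESSIONS.get(cookie)
    rec = EQUIPMENT.get(vin)
    if account is None or rec is None or rec["account"] != account:
        return None
    return {"guid": rec["guid"], "rda": rec["rda"]}


def walk_sequential_vins(lookup, cookie, prefix="1ZZ", start=1, count=5):
    """Reproduce the enumeration: with sequential VINs a counter is all it takes."""
    found = {}
    for n in range(start, start + count):
        vin = f"{prefix}{n:07d}"
        rec = lookup(cookie, vin)
        if rec is not None:
            found[vin] = rec
    return found


if __name__ == "__main__":
    print("weak API, any signup:", walk_sequential_vins(lookup_vin_vulnerable, "cookie-new-signup"))
    print("hardened API, same signup:", walk_sequential_vins(lookup_vin_hardened, "cookie-new-signup"))
    print("hardened API, real owner:", walk_sequential_vins(lookup_vin_hardened, "cookie-farm-a"))
```

Two design points carry the weight here. First, the availability check is tied to a session and throttled per session, which is the minimum needed to stop the cookie-stripping replay the report describes; a real deployment would also throttle per source address and add a CAPTCHA or proof-of-work step. Second, the hardened lookup decides access on the relationship between the caller and the record, not on whether the caller has any cookie at all, and it returns the same empty answer for a foreign VIN and for a nonexistent one so that sequential guessing learns nothing.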

Sick Codes complained that the process to disclose these vulnerabilities was “lackluster,” as John Deere was slow to respond.

Source: https://www.vice.com/en/article/4avy8j/bugs-allowed-hackers-to-dox-all-john-deere-owners

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
