company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecOps

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Threat Feeds

Threat Research

White Paper

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

Our Story

Our Team

Careers

Press & Media

Contact Us
loading..
loading..
loading..
Loading...

Lazarus

DLL

Web Server

loading..
loading..
loading..

Lazarus Hacking Group Exploiting Vulnerable Windows IIS Web Servers

Learn about the Lazarus hacking group and their exploits on vulnerable Windows IIS web servers. Discover their techniques, known attack vectors

29-May-2023
6 min read

Related Articles

loading..

Data Theft

Cyberattack

IntelBroker sells GE's pipelines for $500 amid cyberattack probe. Uncover the th...

General Electric (GE), a stalwart in the American multinational scene, finds itself under scrutiny. A threat actor self-identified as IntelBroker, claims to have breached GE's development environment, an incident that has sparked concerns about the security of the company's data and systems. ## Alleged Breach Earlier this month, IntelBroker attempted to monetize their alleged access to GE's _"development and software pipelines"_ on a hacking forum, seeking $500 for the information. When met with a lack of serious buyers, the threat actor escalated their efforts, now offering both network access and supposedly stolen data. >>> "I am now selling the entire thing here separately, including access (SSH, SVN etc). Data includes much DARPA-related military information, files, SQL files, documents, etc.," IntelBroker declared on the forum. As evidence of the breach, screenshots were shared, purporting to be stolen GE data, notably including a database from GE Aviation with information on military projects. ## GE's Response In response to these claims, GE released a statement acknowledging the situation and asserting its commitment to investigating the alleged data leak. >>> _"We are aware of claims made by a bad actor regarding GE data and are investigating these claims. We will take appropriate measures to help protect the integrity of our systems,"_ stated a GE spokesperson to BleepingComputer. While the breach is yet to be confirmed, the involvement of IntelBroker raises eyebrows, given their track record of successful high-profile cyberattacks. ## IntelBroker's Notorious History IntelBroker has a history marked by successful cyber intrusions, including a breach of the [Weee! grocery service](https://www.secureblink.com/cyber-security-news/weee-grocery-confirms-data-breach-exposing-1-1-million-customer-records). However, their most notable exploit involved the theft of sensitive personal information from the District of Columbia's D.C. Health Link program. In March, IntelBroker breached DC Health Link, exposing a misconfigured server accessible online. The ensuing sale of a stolen database containing personal information triggered widespread media coverage and a congressional hearing to scrutinize the breach's origins. ## Technical Insights ### Code Exposure and Vulnerabilities The threat actor's ability to compromise GE's development environment implies potential vulnerabilities in their code repositories and version control systems. The mention of _"access (SSH, SVN, etc.)"_ raises concerns about the exposure of critical components in GE's infrastructure. ### DARPA-Related Military Information The alleged inclusion of DARPA-related military information in the stolen data underscores the severity of the breach. This not only poses a risk to GE but also raises questions about the broader implications for national security. ![forum-post(4).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/forum_post_4_becccfb2c0.jpg) ***Screenshot of GE data and access sold on a hacking forum (BleepingComputer)*** ## Investigating Past Exploits To understand the potential ramifications of the GE breach, delving into IntelBroker's past exploits is crucial. The breach of DC Health Link, a healthcare marketplace for Washington, D.C., highlighted the vulnerability of misconfigured servers. ### Congressional Scrutiny The congressional hearing that followed the DC Health Link breach aimed to unravel the intricacies of the incident. Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, emphasized the exposure through a [misconfigured server](https://oversight.house.gov/wp-content/uploads/2023/04/Mila-Kofman-Written-Testimony-April-19-2023.pdf), emphasizing the importance of robust server configurations.

loading..   29-Nov-2023
loading..   3 min read
loading..

Ransomware

Encryption

Ransomware attack on "Ethyrial: Echoes of Yore" MMORPG. 17,000 player accounts w...

The indie game publisher Gellyberry Studios experienced a severe setback as their MMORPG, "Ethyrial: Echoes of Yore," fell victim to a ransomware attack last Friday. The attackers targeted the main server, encrypting all data, including local backup drives, and disarmed the gaming world. ## Unfortunate Fallout The ransomware attack impacted a staggering 17,000 player accounts, wiping out in-game items and progress. The attack on this free-to-play MMORPG, available on [Steam](https://store.steampowered.com/app/1277920/Ethyrial_Echoes_of_Yore/)'s Early Access, sent shockwaves through the gaming community. The game, still in its early development phase, relies on monthly subscriptions and community support for ongoing development. The assailants, leveraging cryptographic ransomware, demanded payment in Bitcoin for a decryption key. Faced with the grim reality that paying might not guarantee the recovery of their data, Gellyberry Studios opted for a manual restoration of all affected systems. > "Last Friday morning, our server fell victim to a cryptographic ransomware attack... As such, we were forced to rebuild the server and create new account and character databases." - [Announcement on Discord](https://discord.com/channels/540514574462615552/834424990707220560) ![announcement.png](https://sb-cms.s3.ap-south-1.amazonaws.com/announcement_e281d6cfae.png) ***Discord Announcement*** ## Gellyberry's Resilience and Commitment Despite the challenges posed by the attack, Gellyberry Studios reassured the affected players that they would restore everything lost to the fullest extent possible. As a gesture of appreciation for the community's understanding and support, impacted players would receive all their items and progress back, along with a premium "pet." In response to the incident, Gellyberry Studios outlined proactive measures for the future, including an increased frequency of offline account database backups, the implementation of a P2P VPN for remote access to the development server, and restricted access through specific IP addresses. The attack on "Ethyrial: Echoes of Yore" is not an isolated incident. Ransomware has, unfortunately, become a recurring threat in the gaming industry. The attack on CD PROJEKT RED in February 2021 and the recent ransom demand of $10,000,000 from hackers targeting Riot Games in January 2023 underscore the severity of the issue. ### CD PROJEKT RED: A Precedent in Ransomware In 2021, the developers of "Cyberpunk 2077" and "Witcher 3," CD PROJEKT RED, faced a [ransomware attack](https://www.secureblink.com/cyber-security-news/cd-projekt-ransomed-data-including-the-witcher-3-source-codes-are-now-made-public) by [HelloKitty ransomware](https://www.secureblink.com/cyber-security-news/hello-kitty-source-code-leaked-on-russian-forum). The incident highlighted the vulnerability of even well-established game developers to cyber threats. ### Riot Games: A Recent Ransom Demand In the more recent case involving [Riot Games](https://www.secureblink.com/cyber-security-news/riot-games-hit-by-cyberattack-league-of-legends-valorant-patches-delayed), the creators of popular titles like "[League of Legends](https://www.secureblink.com/cyber-security-news/league-of-legends-source-code-up-for-auction-after-riot-games-breach)" and "Valorant," hackers issued a ransom demand of $10,000,000. The threat to release stolen source code added a layer of complexity to the situation, emphasizing the high stakes in play. Gellyberry Studios, in their response to the attack, not only focused on technical solutions but also on empathetic gestures. Providing a premium "pet" to affected players demonstrates a commitment to the community's well-being beyond the digital realm. ### Strengthening Defenses: A Technical Perspective From a technical standpoint, the implementation of a P2P VPN and restricting server access to specific IP ranges are commendable steps taken by Gellyberry Studios. These measures aim to fortify the infrastructure against unauthorized access and potential breaches. ### Codebase and Scripts The underlying codebase and scripts are the silent guardians of virtual worlds. Developers must assess and reinforce the security of these foundations continually. Regular code audits, penetration testing, and adherence to secure coding practices become paramount in the face of evolving cyber threats. ### Key Takeaways: - The gaming industry faces recurring ransomware threats. - Gellyberry Studios opted for manual restoration post-ransomware attack. - Proactive cybersecurity measures include increased backups and restricted server access. - The human impact of cybersecurity incidents in gaming is profound. - The industry must collectively work towards a more secure gaming environment.

loading..   29-Nov-2023
loading..   4 min read
loading..

Ransomware

Discover how Slovenia's major power giant, HSE, experienced a ransomware attack....

Slovenia's power giant, Holding Slovenske Elektrarne (HSE), fell victim to a ransomware attack. While the incident compromised IT systems and encrypted files, HSE emphasizes that power production remains unscathed. ## **Attack Timeline and Response** The attack was disclosed last Wednesday, with containment achieved by Friday, November 24. Despite the crypto virus locking files, Uroš Svete, the Director of the Information Security Office, assured the public that power generation continued seamlessly. Immediate action involved notifying Si-CERT and the Ljubljana Police, with external experts engaged to curb the attack's spread. ## **Operational Resilience** Today, Uroš Svete and HSE's General Manager, Tomaž Štokelj, issued a [joint statement](https://video.siol.net/embed/IJJVmeI1ou), alleviating concerns about operational disruptions or significant economic damage. The impairment, confined to the websites of Šoštanj Thermal Power Plants and Velenje Coal Mine, underscores HSE's resilience amid adversity. ## **Rhysida Ransomware Group Implicated** Unofficial [reports](https://www.24ur.com/novice/slovenija/napad-na-hse-znova-primer-malomarnega-ravnanja-z-digitalno-varnostjo.html) point to the Rhysida ransomware gang as the perpetrator. Known for its sophisticated Techniques, Tactics, and Procedures (TTPs), Rhysida's recent activities triggered warnings from the FBI and CISA. Notably, Rhysida's ransom notes eschew monetary demands, only providing an email contact—a potential explanation for HSE's [lack of a ransom demand](https://siol.net/novice/slovenija/znane-so-nove-podrobnosti-o-kibernetskem-napadu-na-skupino-hse-620938). ![Rhysida_ransom_note.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Rhysida_ransom_note_da7ef97bc7.png) ***Ransom Note by Rhysida Ransomware*** ## **Potential Breach Vector: Cloud Storage** Allegedly, Rhysida gained access by exploiting an unprotected cloud storage instance, pilfering passwords for HSE's systems. While these claims await HSE's confirmation, the incident underscores the evolving threat landscape, emphasizing the need for robust cloud security measures. ## **Rhysida's Track Record** Rhysida emerged in May 2023 and swiftly targeted high-profile organizations globally. From infiltrating the Chilean Army to affecting Prospect Medical and the British Library, the ransomware gang displayed a penchant for strategic targeting. Its attacks on healthcare entities even prompted a U.S. Department of Health and Human Services advisory. ## **Data Leak and Auction Dynamics** In a bold move, Rhysida recently listed stolen data from a Chinese state-owned electric power conglomerate for auction on its data leak site. The audacious demand of 50 BTC ($1,840,000) exemplifies the evolving monetization strategies employed by ransomware actors, posing severe challenges for cybersecurity professionals. ## **HSE's Response and Investigation** We tried to seek HSE's input on the allegations but are awaiting a response. The ongoing investigation underscores the intricacies of attributing these incidents and the challenges in verifying unofficial information.

loading..   28-Nov-2023
loading..   3 min read
Company Logo
logo

Secure Blink automates the application and API security testing for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

Facebook Logo
Twitter Logo
LinkedIn Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

This website uses cookies to ensure you get the best experience on our website. By continuing on our website, you consent to our use of cookies. To find out more about how we use cookies, please see our Cookies Policy.

contact@secureblink.com

@ Copyright 2023 Secure Blink. All rights reserved.

4th Floor, Plot No- 7-10 Sector 126, Noida, UP -201303