There is bad news for Americans who want to put their unlawful pasts behind them: sensitive data on millions of convicted offenders has been leaked, according to researchers.
In a blog post, Malwarebytes describes how a group of hackers exposed a database believed to have 70 million rows of data, which included the criminal histories of millions of Americans.
We can infer that Malwarebytes’ researchers did not have direct access to this database based on the language used in the statement. Nevertheless, it was said to include details such as full names, birth dates, postal addresses, known aliases, dates of arrest, dates of conviction, sentences, and more.
Developing a new leak site
The database is relatively new, containing records created between 2020 and 2024. Each row represents a single felony; it is not a list of all the crimes a person may have committed.
EquationCorp and USDoD, two well-known cybercriminals, released the data.
The researchers claim that the latter is a “high-profile player” in the world of data leaks and that Conor Fitzpatrick, also known as Pompompurin, is intimately connected to him.
In case you missed it, Pompompurin was the proprietor and chief administrator of BreachForums, which is the most well-known underground site worldwide for exchanging malware, stolen and leaked data, and other pirated files. Fitzpatrick was recently taken into custody and the forum dismantled.
According to Malwarebytes, USDoD intends to create a new leak forum like BreachForums, and making this data public may be a publicity gimmick to generate interest in the new website.
It is currently unknown when, how, or from whom the hackers obtained this material. Regardless, our American readers who have a criminal record ought to be cautious about the emails they receive, particularly ones that cite prior convictions, include attachments or links, or demand immediate action, since hackers will probably use the database for social engineering and phishing scams.
In response to a high-severity security vulnerability in its Chrome browser that it said has been used in the wild, Google released updates for the browser on Thursday.
The vulnerability, tracked as CVE-2024-5274, is a type confusion bug in the V8 JavaScript and WebAssembly engine. Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security reported it on May 20, 2024.
Type confusion vulnerabilities occur when a program accesses a resource using a type that is incompatible with it. The consequences can be severe, because such a bug can give threat actors the ability to execute arbitrary code, perform out-of-bounds memory access, or crash the process.
With the development, Google has now fixed four zero-day vulnerabilities this month, following CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.
Although it did not provide further technical details about the vulnerability, the tech giant did acknowledge that it “is aware that an exploit for CVE-2024-5274 exists in the wild.” It is unclear whether the flaw is a bypass of the fix for CVE-2024-4947, another V8 type confusion bug.
With the most recent patch, Google has fixed eight zero-day vulnerabilities in Chrome since the beginning of the year.
To mitigate the risk, users are advised to update to Chrome versions 125.0.6422.112/.113 for Windows and macOS and 125.0.6422.112 for Linux.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as soon as they become available.
New research reveals that ransomware assaults on VMware ESXi infrastructure follow a consistent pattern, independent of the file-encrypting malware used.
“Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse,” cybersecurity firm Sygnia said in a report shared with The Hacker News.
Through its incident response work on different ransomware families, including LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat, and Cheerscrypt, the Israeli company found that attacks on virtualization environments follow a similar sequence of events.
These attacks entail the following steps:
Gaining initial access through phishing, malicious file downloads, and exploitation of known vulnerabilities in internet-facing assets
Escalating privileges, using brute-force attacks or other techniques, to obtain credentials for ESXi hosts or vCenter
Validating their access to the virtualization infrastructure and deploying the ransomware
Deleting or encrypting backup systems, or in some cases changing their passwords, to make recovery more difficult
Exfiltrating data to external sites such as Dropbox or Mega.io, or to their own hosting services
Launching the ransomware to encrypt the “/vmfs/volumes” directory of the ESXi filesystem
Spreading the ransomware to non-virtualized servers and workstations to widen the attack’s reach
To reduce the risks posed by such attacks, organizations should ensure that adequate monitoring and logging are in place, develop reliable backup plans, enforce strong authentication, harden the environment, and put network restrictions in place to prevent lateral movement.
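As an added illustration of the monitoring point above (example code written for this page, not from Sygnia’s report), the following Python detector runs over constructed ESXi sshd auth-log lines and flags the credential brute-forcing stage, including whether the same source then authenticated successfully. The log format is assumed to follow standard OpenSSH wording; the hostnames, addresses and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ESXi auth.log-style sshd messages (format assumed to
# follow standard OpenSSH wording; these lines are made up for the example).
SAMPLE_LOG = """\
2024-05-20T10:00:01Z esxi01 sshd[2201]: Failed password for root from 10.0.0.5 port 50212 ssh2
2024-05-20T10:00:09Z esxi01 sshd[2203]: Failed password for root from 10.0.0.5 port 50213 ssh2
2024-05-20T10:00:17Z esxi01 sshd[2205]: Failed password for root from 10.0.0.5 port 50214 ssh2
2024-05-20T10:00:25Z esxi01 sshd[2207]: Failed password for root from 10.0.0.5 port 50215 ssh2
2024-05-20T10:00:33Z esxi01 sshd[2209]: Failed password for root from 10.0.0.5 port 50216 ssh2
2024-05-20T10:01:02Z esxi01 sshd[2213]: Accepted password for root from 10.0.0.5 port 50218 ssh2
2024-05-20T10:03:10Z esxi01 sshd[2220]: Failed password for admin from 10.0.0.9 port 41000 ssh2
2024-05-20T10:03:20Z esxi01 sshd[2222]: Accepted publickey for admin from 10.0.0.9 port 41001 ssh2
2024-05-20T11:15:00Z esxi01 sshd[2300]: Accepted publickey for backup from 10.0.0.20 port 42000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<kind>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_events(log_text):
    """Yield (timestamp, kind, user, ip) for each sshd auth line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["kind"], m["user"], m["ip"]

def detect_credential_attacks(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and record whether that IP then authenticated successfully, i.e. the
    credential-harvesting step that precedes ransomware staging on the host."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside window
    alerts = {}
    for ts, kind, user, ip in sorted(parse_events(log_text)):
        if kind == "Failed":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = len(recent[ip])
                a["users"].add(user)
        elif ip in alerts:   # a success after a burst of failures is the high-priority case
            alerts[ip]["success_after"] = True
            alerts[ip]["users"].add(user)
    return alerts
```

The single mistyped password from 10.0.0.9 and the key-based login from 10.0.0.20 stay below the threshold and produce no alert, while 10.0.0.5 is reported with success_after set.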
The development follows a warning from cybersecurity firm Rapid7 about a campaign, ongoing since early March 2024, that uses malicious advertisements on popular search engines to distribute trojanized installers for PuTTY and WinSCP via typosquatted domains, which in turn deliver ransomware.
The fake installers drop the Sliver post-exploitation toolkit, which is then used to deliver additional payloads such as a Cobalt Strike Beacon that is used to spread the ransomware.
The activity tactically resembles earlier BlackCat ransomware attacks in which malvertising was the initial access vector, as part of a recurring campaign that spreads the Nitrogen malware.
“The campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions,” Tyler McGraw, a security researcher, stated.
“The successful execution of the malware gives the threat actor a stronger footing and impedes analysis by distorting the aim of following administrative activities.”
The discovery also comes following the introduction of new ransomware families such as Beast, MorLock, Synapse, and Trinity, with the MorLock gang specifically targeting Russian companies and encrypting files without first exfiltrating them.
“The [MorLock] attackers demand a significant ransom, which can be tens or hundreds of millions of rubles,” Group-IB’s Russian subsidiary F.A.C.C.T. claimed.
According to NCC Group data, global ransomware attacks in April 2024 decreased by 15% from the previous month, from 421 to 356.
Notably, April 2024 marks the end of LockBit’s eight-month reign as the threat actor with the most victims, showing the group’s difficulty surviving the massive law enforcement takedown earlier this year.
In an unexpected turn of events, the company reported that LockBit 3.0 had fewer than half of the attacks detected in March and was not the most prevalent threat group for the month. “Instead, Play was the most active threat group, followed shortly after by Hunters.”
Adding to the instability in the ransomware landscape, cybercriminals are promoting hidden Virtual Network Computing (hVNC) and remote access services such as Pandora and TMChecker, which can be used for data exfiltration, delivering additional malware, and enabling ransomware attacks.
According to Resecurity, a number of initial access brokers (IABs) and ransomware operators use [TMChecker] to check readily available compromised data to determine whether corporate VPN and email account credentials are valid.
The significance of TMChecker’s concurrent rise lies in the fact that it substantially lowers the barrier to entry for threat actors seeking high-impact corporate access for their own use or for sale to other adversaries on the secondary market.