By Antoinette Hodes, Office of the CTO, Check Point Software Technologies.

The post How the Internet of Things (IoT) became a dark web target – and what to do about it appeared first on CyberTalk.

EXECUTIVE SUMMARY:

Amazon is launching an invite only ordering experience for high-demand low-availability products. The new option is designed to limit inventory shortages and price gouging caused by robot traffic.

Amazon made this move to ensure that authentic customers can access products without problems. The new program launches in the United States. Items associated with the program include PlayStation 5 and Xbox Series X game consoles.

“We work hard everyday to provide customers with low prices, vast selection and fast delivery,” stated Amazon’s vice president of consumer engagement, Llew Mason. “This includes developing a shopping experience where customers can purchase items they’re interested in without having to worry about bad actors buying and reselling them at a much higher price.”

Amazon’s invite only ordering

The ordering option will enable consumers to request an invitation to purchase high-demand items. The information for this can be found on the product detail page. The invite only program does not require any additional purchases or costs.

Any consumer with an Amazon account can request an invitation to purchase a given item. Prime accounts are not requirements.

“Available by invitation” label

According to Amazon, items that are part of the program will have a label indicating that they’re “available by invitation.” The product pages for such items will also explain that items are in high demand, with limited quantities available and that the company may not be able to grant all requests.

To ensure that only genuine consumers obtain invitations to purchase products, Amazon will filter out bot-like submissions. Invitations will be sent to remaining customers.

Bots vs. humans

To separate the bots from the humans, Amazon plans to leverage a number of different data points. These include an account’s prior purchase history and the longevity of the account itself.

When invitations to purchase are granted, consumers will receive an email with instructions about exactly how to purchase the item. The email will explain the time-frame in which the item must be purchased and provide a link to the item’s webpage. On the webpage, users will be able to add the item to a cart or select the ‘Buy Now’ option.

An icon will depict how many hours or minutes a user has before the invitation expires. Amazon aims to grant more invitations to purchase if inventory availability increases.

Cyber criminals and Amazon

Amazon notes that bad actors make up only a small percentage of buyers on its marketplace. However, it’s committed to stopping them from negatively affecting the shopping experience for customers.

The new ordering experience is designed to provide customers with access to products at reasonable prices. Otherwise, bad actors may buy up products and resell them at exceptionally high mark-ups, leaving customers frustrated and disappointed.

The reselling issue has largely pertained to gaming consoles. Nonetheless, other high-demand, low-availability tech products also suffer from this effect every now and then.

Program’s first phase

The new ordering option starts today in the United States. At this time, it only affects gaming consoles. Amazon intends to expand the program to other countries and products in the future.

Get the full story on TechCrunch. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.

The post Amazon launches new invitation only ordering option, starting today appeared first on CyberTalk.

EXECUTIVE SUMMARY:

The 2easy dark web marketplace has gained notoriety for its role in selling and exchanging stolen data. Site operators harvest the stolen data via 600,000 devices tainted with information-stealing malware.

What is 2easy?

The 2easy platform first appeared in 2018 and has since shown rapid growth. Last year, the platform sold data from 28,000 infected devices. 2easy was considered a minor player in this particular dark web and info-stealing space.

Since then, analyses indicate that ‘high-quality’ offerings on the site amped up interested among cyber criminals. Hackers want to see whose network they can access next.

How it works

The data logs are archives of stolen data from malware-compromised web browsers or systems. Logs commonly contain account credentials, cookies, and saved credit card information.

The 2easy platform is fully automated, allowing individuals to create accounts, add money to wallets and engage in purchases without directly interacting with sellers. Hackers can purchase logs for as low a price as $5.00 per item. This is roughly 5X less than what a common competitor offers and three times less the average cost of bot logs in another underground marketplace.

The 2easy logs consistently provide valid credentials that offer network access to many organizations. In addition to the cost benefits for hackers, they can also explore a variety of functional details around purchases that other services cannot provide. The only downside for hackers is the inability to preview certain items.

Why 2easy matters

Logs packed with credentials represent keys to doors and those doors can lead straight into your online accounts, giving hackers access to financial information or corporate networks. While logs are sold for as little as $5.00 per item, the harm inflicted on your organization could cost millions of dollars.

In June of 2021, the Electronic Arts attack occurred due to hackers who purchased stolen cookies online and then weaponized them to gain access to an EA Slack channel. Upon accessing the Slack channel, attackers tricked an EA employee into providing a multi-factor authentication token. The rest is history.

Further details

Items purchased on the 2easy platform are packaged as archive files that contain stolen logs from selected bots. Exact content type depends on the info-stealing malware previously deployed and corollary capabilities. Each strain of malware focuses on something slightly different.

In 50% of cases, sellers rely on RedLine as the malware of choice. RedLine can pinch passwords, cookies, credit cards, FTP credentials and additional details. Of the 18 sellers active on the site, five use RedLine exclusively. Four others use RedLine in tandem with other malware strains.

Conclusion

2easy supports an ecosystem that exploits logs in order to help hackers get into privately-owned and otherwise inaccessible locations. These types of intrusions can lead to ransomware attacks and other types of malware disturbances. Measures for preventing access-based attacks include use of multi-factor authentication, frequent password rotation, and use of zero trust principles.

For the latest information about ransomware prevention, read our e-book.

Lastly, to learn more about managing cyber risk in a changing world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.

The post What is the 2easy dark web marketplace? appeared first on CyberTalk.

EXECUTIVE SUMMARY:

The 3D printing enterprise suffered a mass data breach, losing custody of 228,000 subscribers’ data. Although the breach occurred in October of 2020, breach notification provider ‘Have I Been Pwned’ states that present circulation of this data in underground dark web communities could be problematic. The 3D printing group, known as Thingiverse, states that it is “taking this matter very seriously.”

Why this data breach is significant

Thingiverse, whose parent company is MakerBot, was developed for the maker community, which sees enthusiastic participation in Silicon Valley and beyond. Thingiverse serves as a repository where ‘makers’ can post 3D print model designs. As of two years ago, the platform reported more than two million registered users and facilitated more than 340 million object downloads. Since then, Thingiverse has expanded to new user populations and grown exponentially.

In addition to offering over 1.5 million design files, the site provides options for design customization via a Customizer tool, or via OpenSCAD. The platform also permits the uploading of models under the GNU General Public or Creative Commons licenses. In turn, the platform has transformed into a forum for certain kinds of creative types who wish to share and discuss work.

Nonetheless, the open nature of the platform renders it vulnerable to cyber breaches. In December of 2017, a bug within the comments section of the site enabled bad actors to quietly mine cryptocurrencies. The perpetrators leveraged the CPU power of visitors’ devices to solve certain mathematical problems required for mining Bitcoin and other forms of crypto.

This crypto mining episode in MakerBot’s history was eventually resolved. Security issues enabling the crypto mining were righted. User data was never compromised and those responsible for the hijacking were banned from the platform.

In contrast, the data breach at-hand involves 255 million lines of data and includes usernames, physical addresses and persons’ legal names.  As noted earlier, 228,000 pieces of data are involved. And, according to Troy Hunt, who runs Have I Been Pwned, “228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username] @makerbot.com, alongside password hashes. The highest ID in the users table 2,857,418 so the scope is much bigger.”

Where to go from here

Cyber security expert Troy Hunt first received information about this data breach by another cyber aficionado. After investigating the information cache on October 1^st of 2021, the pair verified its validity and identified the source of the issue. Shortly thereafter, MakerBot, the parent company for Thingiverse, was contacted directly.

The company did not provide a swift response to the security incident report, prompting the white hat cyber investigators to Tweet about the breach. A spokesperson for MakerBot stated that teams attribute the leak to an internal human error. Members of the Thingiverse community are encouraged to update passwords as a precautionary measure. MakerBot also apologized for the incident and regrets any user inconveniences.

In conclusion

Cyber security breaches are growing increasingly common. In the past decade, more than 4 billion records have been stolen or leaked. A data breach can happen within any organization. Get breach prevention insights here. Also, be sure to read our article titled How to Improve Security After a Data Breach. Lastly, for more cyber security and business insights, analysis and resources, sign up for the Cyber Talk newsletter.

The post This data breach dumped thousands of files on the dark web appeared first on CyberTalk.

EXECUTIVE SUMMARY:

The statistical probability of a data breach hovers around 30%. Your organization is liable to experience breach. Whether you’re sprucing up your incident response (IR) plan or want to share post-breach best practice reminders with colleagues or contacts, the insights in this article can help. From the no-brainers to the more nuanced and obscure, here’s how to improve security after a data breach…

Secure systems. After a breach hits, secure your systems immediately to prevent lateral movement or the reappearance of the cyber attackers. As you go about this process, ensure that you’re aware of the entire scope of the breach.

• Get to the heart of the issue. Was it caused by nation-state hacking or a forgetful employee?
• Understand what the hackers had access to.
• Recognize how the information was accessed.
• Determine whether or not any materials were stolen or copied.
• Check to see whether or not any of your organization’s data was dumped on the dark web.

Assemble a group of individuals to assist with incident response. This team of individuals can include members of your IT team, your HR department, your PR department and your legal representatives. Ideally, you won’t have to think about this because your incident response plan will describe the who, what, why and how. Encourage everyone to document activities in preparation for formal report development.

Seek legal counsel. Once a breach has occurred, seek legal counsel. Most countries maintain legal requirements around breach reporting, especially when it concerns personal information. Failure to report a breach or to adhere to legal guidelines could result in serious penalties.

In the European Union, for example, organizations are required to notify authorities of a breach within 72 hours. Lack of compliance could translate to 20M fines or the need to hand over 4% of the organization’s revenue to governing bodies.

In the US, all 50 states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands have established legislation mandating breach reporting when personally identifiable information is involved. Federal authorities are exploring the possibility of enacting more stringent breach reporting mandates, especially in relation to ransomware.

At the end of the day, your legal obligations will affect all further cyber attack clean-up efforts. Therefore, it pays to prioritize legal counseling.

Notify appropriate persons. Once you have gathered the facts, share the information.

Law enforcement

Whether or not to immediately contact law enforcement depends on the precise circumstances of the cyber security incident. However, breached organizations are generally advised to eventually provide a police report.

Credit bureaus and banks

Call credit bureaus to let them know that your organization has experienced a cyber attack. The credit bureaus will then place fraud alerts on your records, as appropriate. Reach out to any banks and credit card companies that your firm works with. This can help prevent unauthorized transactions and can potentially release you from liability surrounding recent fraud.

Users

Among large organizations, communications or PR teams can assist with this aspect of information sharing. Organizations may want to admit fault as appropriate, and to accept responsibility. Transparency around when and why the breach occurred is generally expected.

Also, be sure to describe what mitigation and prevention strategies are in place to prevent further issue. Most of the time, the average user isn’t particularly interested in what got an organization into a tight spot. They’re more interested in what you’re doing to correct the problem and to rectify the situation.

Securing accessories. Assuming that your firm does not provide life-saving services, take affected technologies offline after the breach. Experts recommend leaving them ‘on’ in order to allow forensics teams to investigate appropriately. Once equipment is removed from the internet, secure the physical locations of these pieces of equipment.

Further, consider updating the access credentials of those who retain permissions to use the affected systems and to enter the physical locations in which they are housed. More than 19% of all data breaches stem from credential compromise. Securing credentials is an easy way to stop a potential or ongoing threat in its tracks.

Dark web deletion. In the event that your organization’s data has hit the dark web, immediately contact site operators to request data removal and permanent deletion. In addition, consider reaching out to search engines, which sometimes store or archive data for set durations of time.

Zero trust network access. As your organization grows, an increasing number of people will receive access to credentials. This introduces increased data security risk. Limiting access to critical data is considered a crucial step that enterprises can take post-breach (although, ideally, this is part of breach prevention that should be carried out preemptively).

After a cyber security event, audit who has access to which systems, and for what reasons. Limit access to essential individuals. If fewer people have access, the likelihood of credential, insider threats, and other forms of attack declines.

To preempt potential attacks, consider using and asking employees to routinely use a breached password checker. This type of tool can check passwords in real-time. Password detection tools will inform individuals in the event that the password has been breached. It also allows for the prevention of further access until the user has updates his/her password.

Encryption of data. To make your data unintelligible for hackers, opt for encryption. The vast majority of hackers lack the mathematical foundations and patience to meticulously decrypt data. Despite propitious warnings, many organizations have not yet encrypted sensitive data. There are numerous ways to encrypt data. The recent warnings from CISA and the FBI surrounding VPN hacking suggest that enterprises should apply VPN-based encryption as soon as possible.

Focus on the human factor. Humans can be your weakest link or your strongest defense. Continually provide employees with cyber security awareness training. Avoid a once-a-year style awareness program. Rather, continually provide training and engagement year-round. Modern software tools can help you do this quickly and easily, and can even provide backend metrics to help you assess engagement and efficacy.

Explain why cyber security matters. Employees who understand the value of a behavioral practice are more likely to implement requested behaviors (like looking for phishing threats or reporting suspicious online activities).

Further, encourage employees to implement multi-factor authentication wherever possible. This provides an additional layer of security. If a password is stolen, a hacker will not be able to access accounts unless MFA credentials are also acquired.

In summary: Moving to a proactive, prevention-first security model can help organizations avoid complex and convoluted breach mitigation and investigation processes. The best way to improve security after a data breach is to develop a multi-layered prevention-focused cyber security strategy. For further insights into improving your cyber security strategy, check out our short guide to why security can fail. Lastly, to receive cyber security insights, analysis and resources in your inbox each week, sign up for our newsletter.

The post How to improve security after a data breach appeared first on CyberTalk.

EXECUTIVE SUMMARY:

In a recent international law enforcement effort, agencies dismantled the infrastructure supporting Emotet. As of July 2020, a global threat index showed that Emotet impacted 5% of organizations, worldwide. By early 2021, Emotet had disrupted 19% of organizations around the world.

Check Point expert Lotem Finklestein says calls Emotet, “The most successful and prevalent malware of 2020 by a long shot.” Emotet earned its reputation due to its dynamic nature, technical features, and the organized business model supporting it.

When did Emotet first emerge on the scene?

Emotet is known as one of the world’s largest botnets. It has existed since 2014. Initially a banking trojan, Emotet was created to spy on victims’ banking login credentials.

While easily discoverable by malware tools, Emotet evolved into a malware-as-a-service platform that saw extensive use.

The US Department of Homeland Security estimates that incidents involving Emotet cost organizations over $1M, on average.

How did Emotet work? 

Emotet launched malspam campaigns. These campaigns included malicious attachments. The attachments would leverage a PowerShell to move the Emotet binary from remote websites and machines, adding them to the botnet.

The botnet grew in size and capabilities over time.

Emotet also retained worm-like capabilities. Moving from machine to machine across a network was one of its strengths. Emotet was difficult to detect. Most victims could not detect it until long after the infection.

What made the Emotet botnet so successful? 

Emotet is considered an advanced, self-propagating and modular Trojan. In a single year, the botnet managed to deliver phishing emails with more than 150,000 unique subject lines and 100,000 different file names for the attachments.

The internationally coordinated response

Authorities were able to disrupt Emotet from the inside. “This operation is the result of a collaborative effort between…the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Eropol and Eurojust,” stated Europol.

Two of the three Emotet command and control servers were located in the Netherlands. The Dutch police report that an operation is in place to “reset Emotet“.

Newly deployed software is expected to release a time-bomb-like code that will uninstall Emotet malware on all computers, worldwide, on April 25th, 2021.

Who created Emotet?

The Emotet botnet was controlled by a group known as TA452, which provided the software to the group that runs TrickBot. Those who run TrickBot are known for disseminating business-destroying Ryuk ransomware.

Emotet’s operators are unique in that they collaborated with other organized crime groups. This allowed them to net higher gains. It’s also part of how Emotet’s operators gained a foothold in so many organizations.

An investigation into the identity of the criminals responsible for running Emotet is still ongoing.

An under-the-radar Emotet botnet attack? 

Do you suspect that your organization may have been compromised by Emotet?  Visit the Dutch website that can help you check. The website was established by the Dutch national police. The text can be translated into English.

For organizations that have been hit by Emotet

“As part of the global remediation strategy…information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” says Europol.

For more on botnets and Emotet, visit the BBC.

The post International botnet takedown, Emotet botnet gone from internet appeared first on CyberTalk.

EXECUTIVE SUMMARY:

In August of 2020, hackers launched a phishing campaign that involved spoofing Xerox scan notifications in an effort to trick individuals into opening malicious HTML attachments.

The technique was simple. It enabled hackers to bypass Microsoft Office ATP and to pinch over 1,000 corporate credentials. Thousands of organizations were hit with the attack.

Image courtesy of Check Point Software.

A phishing attack gone sideways

Attackers made an error in their attack chain process that rendered stolen credentials exposed to the public internet.

Typically, hackers engage in cyber criminal activity in order to gain stolen credentials and to sell them for a profit on the dark web.

However, these hackers bungled their mission. They accidentally dumped their stolen loot on the public internet, enabling every hacker to access them free of charge. For the original hackers, these credentials no longer held value on the dark web.

With a quick Google search, anyone could have picked up the password to one of the email addresses stolen in this breach. “…a gift to every opportunistic attacker,” Check Point security researchers wrote.

“This was a clear operation security failure for the attackers,” says Lotem Finklesteen, head of threat intelligence for Check Point Software.

Which industries were impacted by the attack?

• Retail
• Manufacturing
• Healthcare
• IT sector

What else do we know about this phishing campaign?

It is suspected that this is not the attackers’ first phishing campaign. Emails and JavaScript encoding within this attack happen to mirror those used in a May 2020 phishing campaign.

For more on this story, click here.

The post Inside a phishing attack gone wrong appeared first on CyberTalk.

EXECUTIVE SUMMARY:

Authorities stop illicit commerce and DarkMarket

In a Europol-coordinated event, the world’s largest dark web marketplace, known as DarkMarket, has been dismantled. German authorities arrested a 34 year-old Australian man who is allegedly behind the dark website. Authorities have also seized 20 of the servers connected to the nefarious operations.

Prior to the takedown, DarkMarket hosted nearly 500,000 users. More than 320,000 transactions transpired across its network. Most of the transactions occurred via bitcoin or monero, which were considered largely untraceable forms of payment.

In addition to investigating the website’s operator, Europol has announced plans to investigate the buyers and sellers who frequented the site.

How much money changed hands on DarkMarket?

• 4,6500 bitcoin
• 12,800 monero
• A total of more than €140 million

Governments getting more aggressive in taking down dark web

On the part of federal agencies, dark website takedowns have grown increasingly aggressive and sophisticated. In 2020, a European investigation led to the take down of sites like Empire Market. As governments have ramped up their efforts, cyber criminals have wound down some of their operations. Fear of prosecution is high and some operators are cutting their losses, taking the money and running.

In the case of the Alphabay marketplace, taken down in 2017, federal agents continued to make arrests for several years after. Dark web marketplace technology can no longer easily outpace law enforcement.

The coordinated approach by European Cybercrime Centre (EC3)

In a comprehensive, coordinated, international program EC2 is:

• Sharing intelligence
• Developing new tools and techniques to improve dark web investigations
• Elevating its threat detection and target detection initiatives

The scale of EC3’s efforts reflect the organization’s commitment to tackle the use of the dark web as a façade for criminal activities.

For more on the removal of DarkMarket, visit The Verge.

The post World’s largest dark web marketplace, how authorities removed it from the internet appeared first on CyberTalk.

EXECUTIVE SUMMARY:

The new coronavirus variant is prompting a renewed sense of urgency among official entities and organizations orchestrating the vaccine rollout. In Britain, the coronavirus vaccine distribution efforts have hit a few roadblocks. “The situation could be best described as confused,” reports ZDNet. ​Before you scroll away to more optimistic articles, here’s why that confusion is significant.

The British vaccine distribution efforts

Vaccine distribution is expected to proceed in batches. The highest-risk groups are intended to receive the vaccine first. Among the front running group of intended vaccine recipients, letters were sent to some individuals, but not all individuals, informing them of their vaccine appointment options.

Some individuals initially received notices of appointments for a second dose, only to later receive correspondence saying that their second appointment has been canceled in favor of providing first-doses to as many individuals as possible.

The curse that is confusion

Confusion amidst a pandemic is problematic for several reasons; most obviously, the panic and logistical hurdles interrupt processes, leading to delays and a potential increase in coronavirus cases.

Confusion is also problematic from the standpoint that it’s an ideal cover for criminal operations. Interpol announced that it expected an “onslaught of all types of criminal activity linked to the COVID-19 vaccine”.

Here’s what has officials worried

• Organized crime groups may attempt to carjack trucks containing the vaccine. Think about it—The vaccine is the most valuable asset on the planet right now. It’s more valuable than gold, precious metals, or capital investments.
• Cyber criminals are soliciting fake vaccines on dubious websites. Check Point researchers discovered that these vendors want as much as $300 in cryptocurrency for these spoofed vaccines.
• Scam artists are cold calling targets. Individuals have received phone calls asking them to press a number on their keypad in order to reserve a coronavirus vaccine appointment. The caller/robo message then prompts individuals to enter their banking details.
• Coronavirus-related text messages are trending. People have reported fake texts about online coronavirus tests, stimulus payments, lockdown fines, health supplements for the coronavirus, financial support and more.
• Vaccine scams are prevalent on social media. Ads and fake friends could misinform social media users.

Vaccine scams and how to avoid falling for them

• The real coronavirus vaccine will be distributed to individuals free of cost. Any organization or individual that attempts to assert otherwise is likely tangled up in vaccine scams.
• Avoid purchasing vaccines, medical equipment or treatments from unknown online vendors. Products purchased online from third-parties are not guaranteed to be safe or effective.
• If the message tries to elicit panic or a sense of heightened urgency, it’s likely a scam.
• Spelling errors, extra spaces between words and grammatical errors are also common signs of scams.
• Anyone who arrives at your door selling, offering or bullying you about vaccines is a vaccine scam artist.
• Turn to trusted sources, such as physicians and federal agency web pages, for reliable information about getting a coronavirus vaccine.
• Groups that offer to ship vaccines for payment are also perpetuating vaccine scams.

For more on this story, visit ZDNet. For more on vaccine scams, see Cyber Talk’s past coverage.

The post Cyber criminals capitalize on confusion, vaccine scams chaos appeared first on CyberTalk.

EXECUTIVE SUMMARY:

Millions of medical images floating around the web?

Cyber security researchers recently found that hospitals are leaving millions of private medical images electronically accessible by way of insecure storage practices. Over 45 million medical images from scans such as X-rays, MRIs, and CT scans are stored on unsecured servers and storage devices.

On top of patient privacy concerns, cybercriminals could steal the data on these systems to blackmail individuals. Hackers could also leverage these under-secured servers to execute ransomware attacks on healthcare facilities.

In the past few months, we’ve seen an alarming increase in the number of healthcare groups hit with ransomware attacks. A key US healthcare system recently enacted EHR downtime procedures after falling victim to a ransomware related ruse. A string of strikes has shut down a variety of health focused organizations across the past few months, impacting over 60 providers and more than 500 facilities.

What happens if these images are inaccessible to those who need them? 

These millions of medical files may be needed for clinical decision-making purposes. Without on-demand access, people may receive sub-standard healthcare and may suffer through serious consequences.

What’s causing healthcare industry-related security issues? 

Medical groups may be using outdated technologies that leave patients and their data vulnerable. Healthcare security budgets are often stretched thin and organizations may resist purchasing new equipment or even investing in better security.

​In one recent example, 45 million unique cases of Digital Imaging and Communications in Medicine (DICOM) exposed. Further, researchers found malicious scripts on several servers, indicating that malicious actors had already accessed the unsecured devices.

It goes without saying, cyber security in the healthcare sector needs to be a top priority, especially as these organizations are at the frontline of this global pandemic.

How can your healthcare group improve security?

The US Cybersecurity and Infrastructure Security Agency recommends following best practices, from proper segmentation to explicit access rules. For additional insights into securing the healthcare sector, check out Cyber Talk’s healthcare-focused whitepapers and solutions briefs. ​

The post Millions of medical images on the move across the web appeared first on CyberTalk.

EXECUTIVE SUMMARY:

Cyber criminals amplified their efforts in 2020 and amassed a large volume of information to sell on the dark web. Right now, the dark web shows many MySQL databases for sale, with each one fetching roughly $550. More than 85,000 MySQL databases have been compromised.

As ZDNet reports, “Hackers have been breaking into MySQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back.”

Initially, the server owners were able to contact the attackers. However, as the attackers expanded their operations, they eventually grew to automate responses for data requests. Automation is becoming as popular with hackers as it is with everyone else.

How can victims retrieve the stolen MySQL data?

Victims must access the hackers’ website, enter a unique ID embedded within the ransom note, and follow the instructions presented on the screen.

Unless victims pay in Bitcoin within a nine-day window of time, their data will be released for sale on the dark web.

Researchers contend that the entire process in these instances -from intrusion to auction- is likely automated. Each victim appears to have a near identical set of experiences.

How can organizations deal with the fallout from these attacks?

Victims or forensics teams can report the Bitcoin addresses utilized within the ransom demands on BitcoinAbuse.com.

In addition, ensure that your organization has a strong cyber security strategy and an incident response plan in place.

For more on this story, visit ZDNet.com.

The post Were 85,000 databases dumped on the dark web? appeared first on CyberTalk.