SALES, RENTALS & LAYAWAYS

PROTECTING EVERYTHING THAT HAS EVER BEEN OF VALUE TO YOU

Open 24/7/365

We Have A Life-Time Warranty /
Guarantee On All Products. (Includes Parts And Labor)

A New Ransomware Enters The Fray: Epsilon Red

A bare-bones ransomware offloads most of its functionality to a cache of PowerShell scripts. A New Ransomware Enters The Fray: Epsilon Red

In the past week, Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red. The malware was delivered as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry in which every other early-stage component was a PowerShell script.

Based on the cryptocurrency address provided by the attackers, it appears that at least one of their victims paid a ransom of 4.29BTC on May 15th (valued at roughly $210,000 on that date).

While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections. There were no other obvious similarities between the Epsilon Red ransomware and REvil.

It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.

The name Epsilon Red, like many coined by ransomware threat actors, is a reference to pop culture. The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.

Laying The Groundwork Using Powershell

During the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1 (as well as some that just were named with a single letter from the alphabet), that prepared the attacked machines for the final ransomware payload and, ultimately delivered and initiated it.

The PowerShell orchestration was, itself, created and triggered by a PowerShell script named RED.ps1 that was executed on the target machines using WMI. The script retrieves and unpacks into the system32 folder a .7z archive file that contains the rest of the PowerShell scripts, the ransomware executable, and another executable.

It also sets up Scheduled Tasks that run the scripts numbered 1 through 12 but skips 7 and 8, it also creates tasks for scripts named “S” and “C.”

For example, when attackers ran the 2.ps1 script on a machine, it executed a command that deleted the Volume Shadow Copies from the computer. This is an important precursor to the attack, as these files could be used to recover some or all of the files encrypted by the attackers.

A PowerShell script named c.ps1 appears to be a clone of an open source tool called Copy-VSS, part of a suite of penetration tester tools named Nishang. The Copy-VSS script permits an attacker to copy the SAM file, which an attacker could use to retrieve and crack passwords saved on the computer.

Obscured…Just Enough

The PowerShell scripts also use a rudimentary form of obfuscation in which the threat actors appear to have added in some square brackets and braces at random into the script, breaking up the lines of PowerShell script code, and then use a command that strips out those brackets.

While this technique doesn’t have much of an effect on our ability to analyze the files after the fact, it might be just good enough to evade the detection of an anti-malware tool that’s scanning the files on the hard drive for a few minutes, which is all the attackers really need.

We were able to use the same rules the attackers set up to craft a recipe using CyberChef that strips out the extraneous characters and renders the script human-readable.

Blocked Firewall Ports And Cleaning Up Tracks

The red.ps1 script unpacks RED.7z into the %SYSTEM%\RED directory, then creates scheduled tasks that run the unpacked scripts. But then it waits one hour, and executes commands that modify the Windows Firewall rules such that the firewall blocks inbound connections on all TCP ports except the Remote Desktop Protocol’s 3389/tcp and the communications port used by a commercial tool called Remote Utilities, 5650/tcp.

Oddly, it does this by first blocking inbound traffic to ports 80 and 443, then redundantly blocks entire large ranges of ports that include 80 and 443, but also exclude the RDP and Remote Utilities ports: 1-3388, 3390-5649, and 5651-65352. 

Upon closer inspection, one of the first things the attackers did after gaining access to the target’s network was to download and install a copy of Remote Utilities and the Tor Browser, so this seems like a way to reassure themselves they will have an alternate foothold if the initial access point gets locked down. 

An Unusual Commercial Remote Access Tool 

The commercial Remote Utilities software, used by the criminals, has several features they might find helpful.  

For one thing, they can use it for free. Anyone can submit an email address through the company’s website and receive a free license key by email that allows them to use the full capability of the product on up to 10 machines, in perpetuity. 

The company’s “Viewer” software includes the ability for a licensed user to generate a digitally signed executable installer, pre-configured with a password and other preferences embedded into the .exe. Users choose their options, which get transmitted back to the company via the application to generate a unique “One-Click package” executable the program then downloads. The threat actor can then deploy this installer, which runs unattended, and automatically synchronizes to their Remote Utilities Viewer console. 

The console also serves as a Remote Desktop client utility, as a convenience. 

We found that the attackers had generated at least two of these “One-Click installer” executables, which they downloaded to several machines on the target’s network and ran. The installer was named rutserv.exe and the attackers stored it in different filesystem locations on different machines they downloaded it to.

Running Down The Orchestration Scripts

Initially, the malware runs the scripts numbered 9 and 12, this is followed by a 180 second delay, before then creating the tasks for 1 through 6, 10, 11, and S.ps1 and C.ps1. By default, the attackers extracted these files to a folder named RED under the %SYSTEM% path.

Each of these scripts accomplishes a specific task the threat actors use to prepare the system prior to launching the ransomware. Many of these tasks involve hindering security or backup tools, but also involve disabling or killing processes that, if they were running, might prevent a complete encryption of the valuable data on the hard drive.

It isn’t clear whether the attackers were just being thorough or if they weren’t sure they could do what they set out to do, but in several cases the scripts issue redundant commands to accomplish the same goal using slightly different methods.

For instance, the 1.ps1 file looks for processes that contain any of the following strings in their process name, and attempts to kill them.

These strings indicate the attackers are not only trying to shut down security tools, but also database services, backup programs, office applications, email clients, QuickBooks, and even Steam, the gaming platform.

2.ps1 deletes all the Volume Shadow Copies on the system by running a single command (vssadmin.exe delete shadows /all /quiet), while 3.ps1 disables automatic repairs that Windows might try to run upon a reboot.

4.ps1 then attempts to delete the Volume Shadow Copies using a different method:

wmic shadowcopy delete /nointeractive
Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
Get-CimInstance Win32_ShadowCopy | Remove-CimInstance

5.ps1 executes two commands that, between them, delete Windows Event Logs, which would hinder an investigation.

Similarly to 1.ps1, 6.ps1 attempts to kill not processes but services, based on a list of strings that may appear in the services’ names:

‘sql’,’Sql’,’SQL’,’BASup’,’Titan’,’Cylance’,’cylance’,’Defend’,’NisSvc’,’Veeam’,’veeam’,’backup’,’Backup’,’rsa’,’wrsa’,’WRSA’,’RSA’

It also disables Windows defender by setting the following Windows Registry key:

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender” /f /v DisableAntiSpyware /t REG_DWORD /d

9.ps1, which is executed first, attempts to invoke the Uninstaller for security software from Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot, and several cloud backup agents

10.ps1 then, redundantly, runs the dropped p.exe executable, which suspends the processes that contain the following strings, and clears their logs.

And 11.ps1 adds yet another layer of redundancy, executing the following commands that delete Volume Shadow Copies (again, for the third time!) as well as changing recovery options and clearing event logs in yet another way.

‘vssadmin.exe Delete Shadows /All /Quiet’,
‘bcdedit /set {default} recoveryenabled no’,
‘wmic shadowcopy delete’,
‘wbadmin delete backup’,
‘wbadmin delete systemstatebackup -keepversions:0’,
‘bcdedit /set {default} bootstatuspolicy ignoreallfailures’,
‘bcdedit /set {default} recoveryenabled no’,
‘wevtutil.exe clear-log Application’,
‘wevtutil.exe clear-log Security’,
‘wevtutil.exe clear-log System’,
‘wbadmin delete systemstatebackup’,
‘wbadmin delete catalog -quiet’,
‘bootstatuspolicy ignoreallfailures’

This level of redundancy may be an indication that this threat actor is unsure of their own tools’ capabilities, but aren’t willing to take any chances.

12.ps1 grants the “Everyone” group access permissions to every drive letter that might exist on the machine to ensure as many files are encrypted as possible.

The red.ps1 script also deletes itself, the .7z archive, and the local copy of 7zip from the system when it runs, removing key evidence.

In addition to the ransomware executable itself, Labs recovered and analyzed another ancillary executable that the attackers deployed on the target machines. The file, just called p.exe, appears to be a custom-compiled version of an open source tool called EventCleaner, which was created to erase or manipulate the contents of Windows event logs. The attackers used the p.exe component to clean up evidence of what they had done.

We also mentioned that there were other PowerShell scripts delivered in the .7z archive the attackers dropped on targeted machines. While we saw no evidence they were executed in the context of this attack, the scripts numbered 7, 8, and 9 serve important purposes. 7.ps1 logs off practically all open sessions on the computer; 8.ps1 is a redundant copy of the same firewall rules script included in RED.ps1.

The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language, compiled using a tool called MinGW, and packed with a modified version of the runtime packer UPX.

The executable contains some code taken from an open source project called godirwalk, which gives it the ability to scan the hard drive on which it’s running for directory paths and compile them into a list. The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously.

A New Ransomware Enters The Fray: Epsilon Red

In the past week, Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red. The malware was delivered as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry in which every other early-stage component was a PowerShell script.

Based on the cryptocurrency address provided by the attackers, it appears that at least one of their victims paid a ransom of 4.29BTC on May 15th (valued at roughly $210,000 on that date).

While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections. There were no other obvious similarities between the Epsilon Red ransomware and REvil.

It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.

The name Epsilon Red, like many coined by ransomware threat actors, is a reference to pop culture. The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.

Laying The Groundwork Using Powershell

During the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1 (as well as some that just were named with a single letter from the alphabet), that prepared the attacked machines for the final ransomware payload and, ultimately delivered and initiated it.

The PowerShell orchestration was, itself, created and triggered by a PowerShell script named RED.ps1 that was executed on the target machines using WMI. The script retrieves and unpacks into the system32 folder a .7z archive file that contains the rest of the PowerShell scripts, the ransomware executable, and another executable.

It also sets up Scheduled Tasks that run the scripts numbered 1 through 12 but skips 7 and 8, it also creates tasks for scripts named “S” and “C.”
A typical Scheduled Task command looked like:

C:\Windows\system32\schtasks.exe /create /tn Microsoft\Windows\TASK12 /tr “powershell -file c:\windows\system32\RED\12.ps1” /sc minute /mo 2 /ru SYSTEM /f

For example, when attackers ran the 2.ps1 script on a machine, it executed a command that deleted the Volume Shadow Copies from the computer. This is an important precursor to the attack, as these files could be used to recover some or all of the files encrypted by the attackers.

A PowerShell script named c.ps1 appears to be a clone of an open source tool called Copy-VSS, part of a suite of penetration tester tools named Nishang. The Copy-VSS script permits an attacker to copy the SAM file, which an attacker could use to retrieve and crack passwords saved on the computer.
Obscured…Just Enough

The PowerShell scripts also use a rudimentary form of obfuscation in which the threat actors appear to have added in some square brackets and braces at random into the script, breaking up the lines of PowerShell script code, and then use a command that strips out those brackets.

While this technique doesn’t have much of an effect on our ability to analyze the files after the fact, it might be just good enough to evade the detection of an anti-malware tool that’s scanning the files on the hard drive for a few minutes, which is all the attackers really need.

We were able to use the same rules the attackers set up to craft a recipe using CyberChef that strips out the extraneous characters and renders the script human-readable.
Blocked firewall ports and cleaning up tracks

The red.ps1 script unpacks RED.7z into the %SYSTEM%\RED directory, then creates scheduled tasks that run the unpacked scripts. But then it waits one hour, and executes commands that modify the Windows Firewall rules such that the firewall blocks inbound connections on all TCP ports except the Remote Desktop Protocol’s 3389/tcp and the communications port used by a commercial tool called Remote Utilities, 5650/tcp.
Firewall rules modified by the RED.ps1 script

Oddly, it does this by first blocking inbound traffic to ports 80 and 443, then redundantly blocks entire large ranges of ports that include 80 and 443, but also exclude the RDP and Remote Utilities ports: 1-3388, 3390-5649, and 5651-65352.
Epsilon Red firewall rules appear in the Windows Firewall UI

Upon closer inspection, one of the first things the attackers did after gaining access to the target’s network was to download and install a copy of Remote Utilities and the Tor Browser, so this seems like a way to reassure themselves they will have an alternate foothold if the initial access point gets locked down.
An unusual commercial remote access tool

The commercial Remote Utilities software, used by the criminals, has several features they might find helpful.

For one thing, they can use it for free. Anyone can submit an email address through the company’s website and receive a free license key by email that allows them to use the full capability of the product on up to 10 machines, in perpetuity.

The company’s “Viewer” software includes the ability for a licensed user to generate a digitally signed executable installer, pre-configured with a password and other preferences embedded into the .exe. Users choose their options, which get transmitted back to the company via the application to generate a unique “One-Click package” executable the program then downloads. The threat actor can then deploy this installer, which runs unattended, and automatically synchronizes to their Remote Utilities Viewer console.

The console also serves as a Remote Desktop client utility, as a convenience.

Both Rutserv.Exe Samples Are Digitally Signed With Remote Utilities’ Certificate

We found that the attackers had generated at least two of these “One-Click installer” executables, which they downloaded to several machines on the target’s network and ran. The installer was named rutserv.exe and the attackers stored it in different filesystem locations on different machines they downloaded it to.

Initially, the malware runs the scripts numbered 9 and 12, this is followed by a 180 second delay, before then creating the tasks for 1 through 6, 10, 11, and S.ps1 and C.ps1. By default, the attackers extracted these files to a folder named RED under the %SYSTEM% path. Each of these scripts accomplishes a specific task the threat actors use to prepare the system prior to launching the ransomware.

Many of these tasks involve hindering security or backup tools, but also involve disabling or killing processes that, if they were running, might prevent a complete encryption of the valuable data on the hard drive.
The RED.ps1 script executes 12 of the 14 PowerShell scripts by adding them to the Task Scheduler

It isn’t clear whether the attackers were just being thorough or if they weren’t sure they could do what they set out to do, but in several cases the scripts issue redundant commands to accomplish the same goal using slightly different methods.

For instance, the 1.ps1 file looks for processes that contain any of the following strings in their process name, and attempts to kill them:

‘sql’,’Sql’,’SQL’,’BASup’,’Titan’,’SBAM’,’sbam’,’vipre’,’Vipre’,’Cylance’,’cylance’,’Senti’,’senti’,’sql’,’backup’,’veeam’,’outlook’,’word’,’excel’,’office’,’ocomm’,’dbsnmp’,’onenote’,’firefox’,’xfssvccon’,’infopath’,’wordpa’,’isqlplussvc’,’sql’,’dbeng50′,’mspub’,’mydesktopqos’,’ocautoupds’,’thunderbird’,’encsvc’,’oracle’,’mydesktopservice’,’thebat’,’agntsvc’,’steam’,’ocssd’,’tbirdconfig’,’synctime’,’visio’,’sqbcoreservice’,’winword’,’msaccess’,’powerpnt’,’mepocs’,’memtas’,’svc$’,’vss’,’sophos’,’crm’,’quickbooks’,’pos’,’qb’,’sage’,’SQL’,’prc’,’w3wp’,’java’,’store’,’ax32′,’dbs’,’wordpad’,’VeeamAgent’,’Backup’,’Cloud’,’Mbae’,’MB3′,’WRSA’,’rsa’,’wrsa’

These strings indicate the attackers are not only trying to shut down security tools, but also database services, backup programs, office applications, email clients, QuickBooks, and even Steam, the gaming platform.

2.ps1 deletes all the Volume Shadow Copies on the system by running a single command (vssadmin.exe delete shadows /all /quiet), while 3.ps1 disables automatic repairs that Windows might try to run upon a reboot.

4.ps1 then attempts to delete the Volume Shadow Copies using a different method:

wmic shadowcopy delete /nointeractive
Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
Get-CimInstance Win32_ShadowCopy | Remove-CimInstance

5.ps1 executes two commands that, between them, delete Windows Event Logs, which would hinder an investigation.

Similarly to 1.ps1, 6.ps1 attempts to kill not processes but services, based on a list of strings that may appear in the services’ names:

‘sql’,’Sql’,’SQL’,’BASup’,’Titan’,’Cylance’,’cylance’,’Defend’,’NisSvc’,’Veeam’,’veeam’,’backup’,’Backup’,’rsa’,’wrsa’,’WRSA’,’RSA’

It also disables Windows defender by setting the following Windows Registry key:

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender” /f /v DisableAntiSpyware /t REG_DWORD /d

9.ps1, which is executed first, attempts to invoke the Uninstaller for security software from Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot, and several cloud backup agents

10.ps1 then, redundantly, runs the dropped p.exe executable, which suspends the processes that contain the following strings, and clears their logs:

‘MpCmd’,’MsMp’,’Senti’,’senti’,’sql’,’backup’,’veeam’,’outlook’,’word’,’excel’,’office’,’ocomm’,’dbsnmp’,’onenote’,’firefox’,’xfssvccon’,’infopath’,’wordpa’,’isqlplussvc’,’sql’,’dbeng50′,’mspub’,’mydesktopqos’,’ocautoupds’,’thunderbird’,’encsvc’,’oracle’,’mydesktopservice’,’thebat’,’agntsvc’,’steam’,’ocssd’,’tbirdconfig’,’synctime’,’visio’,’sqbcoreservice’,’winword’,’msaccess’,’powerpnt’,’mepocs’,’memtas’,’svc$’,’vss’,’sophos’,’crm’,’quickbooks’,’pos’,’qb’,’sage’,’SQL’,’prc’,’w3wp’,’java’,’store’,’ax32′,’dbs’,’wordpad’,’VeeamAgent’,’Backup’,’Cloud’,’Mbae’,’MB3′

And 11.ps1 adds yet another layer of redundancy, executing the following commands that delete Volume Shadow Copies (again, for the third time!) as well as changing recovery options and clearing event logs in yet another way.

‘vssadmin.exe Delete Shadows /All /Quiet’,
‘bcdedit /set {default} recoveryenabled no’,
‘wmic shadowcopy delete’,
‘wbadmin delete backup’,
‘wbadmin delete systemstatebackup -keepversions:0’,
‘bcdedit /set {default} bootstatuspolicy ignoreallfailures’,
‘bcdedit /set {default} recoveryenabled no’,
‘wevtutil.exe clear-log Application’,
‘wevtutil.exe clear-log Security’,
‘wevtutil.exe clear-log System’,
‘wbadmin delete systemstatebackup’,
‘wbadmin delete catalog -quiet’,
‘bootstatuspolicy ignoreallfailures’

This level of redundancy may be an indication that this threat actor is unsure of their own tools’ capabilities, but aren’t willing to take any chances.

12.ps1 grants the “Everyone” group access permissions to every drive letter that might exist on the machine to ensure as many files are encrypted as possible.

Scheduled Tasks Set Up By The RED.ps1 Script

The red.ps1 script also deletes itself, the .7z archive, and the local copy of 7zip from the system when it runs, removing key evidence.

In addition to the ransomware executable itself, Labs recovered and analyzed another ancillary executable that the attackers deployed on the target machines. The file, just called p.exe, appears to be a custom-compiled version of an open source tool called EventCleaner, which was created to erase or manipulate the contents of Windows event logs. The attackers used the p.exe component to clean up evidence of what they had done.

We also mentioned that there were other PowerShell scripts delivered in the .7z archive the attackers dropped on targeted machines. While we saw no evidence they were executed in the context of this attack, the scripts numbered 7, 8, and 9 serve important purposes. 7.ps1 logs off practically all open sessions on the computer; 8.ps1 is a redundant copy of the same firewall rules script included in RED.ps1.

Bare-Bones Ransomware

The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language, compiled using a tool called MinGW, and packed with a modified version of the runtime packer UPX.

The executable contains some code taken from an open source project called godirwalk, which gives it the ability to scan the hard drive on which it’s running for directory paths and compile them into a list. The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously.

In this root cause analysis diagram, each instance of the red.exe ransomware encrypting a single folder appears as a unique process

The ransomware itself is quite small as it only really is used to perform the encryption of the files on the targeted system. It makes no network connections, and because functions like killing processes or deleting the Volume Shadow Copies have been outsourced to the PowerShell scripts, it’s really quite a simple program.

In the sample we’ve seen, it doesn’t even contain a list of targeted file types or file extensions. In fact, it will encrypt everything inside the folders it decides to encrypt, including other executables and DLLs, which can render programs or the entire system nonfunctional, if the ransomware decides to encrypt the wrong folder path. After it encrypts each file, it appends a file suffix of “.epsilonred” to the files, and drops a ransom note in each folder.

Strangely enough, the ransom note closely resembles the note used by REvil, a much more widely used ransomware. But where the REvil note is typically riddled with spelling and grammatical errors, the note delivered by Epsilon Red has gone through a few edits to make its text more readable to an audience of native English speakers.

Victims are encouraged to visit a special URL on a website operated on the normal web (epsilons[.]red) to engage with the attackers.

Detections

Sophos endpoint products, such as Intercept X, will behaviorally detect several of the actions taken by the PowerShell scripts or the ransomware payload. The act of attempting to encrypt files is blocked by the CryptoGuard feature. As the ingress point for this attack appears to have been an Exchange server vulnerable to the ProxyLogon exploit chain, customers are urged to patch internet-facing Exchange servers as quickly as possible. Sophos endpoint products can protect Exchange servers as well as Domain Controllers or workstations.

 

Related Articles:

This Massive Phishing Campaign Delivers Password-Stealing Malware Disguised As Ransomware

Biden Proposes Billions For Cybersecurity After Wave of Attacks

Mobile Crypto ‘Mining’ App Possibly Connected To Personal Data Leak

Ireland Confirms Second Cyber Attack On Health System

US Unveils Plan To Protect Power Grid From Foreign Hackers

Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals

A Hacker Was Selling A Cybersecurity Exploit As An NFT. Then OpenSea Stepped In

Clubhouse And Its Privacy & Security Risk

Using Google’s ‘Incognito’ Mode Fails To Prevent Tracking

Kia Motors America Victim of Ransomware Attack Demanding $20M In Bitcoin, Report Claims

The Long Hack: How China Exploited A U.S. Tech Supplier

Clubhouse Users’ Raw Audio May Be Exposed To Chinese Partner

Hacker Changed Chemical Level In Florida City’s Water System

UK Merger Watchdog Suffers 150 Data Breaches In Two Years

KeepChange Foils Bitcoin Theft But Loses User Data In Sunday Breach

Hacker Refuses To Hand Police Password For Seized Wallet With $6.5M In Bitcoin

SonicWall Says It Was Victim of ‘Sophisticated’ Hack

Tor Project’s Crypto Donations Increased 23% In 2020

Read This Now If Your Digital Wallet Which Holds Your Crypto-currencies Can Be Accessed Through Cellular, Wifi, Or Bluetooth

Armed Robbers Steal $450K From Hong Kong Crypto Trader

Is Your iPhone Passcode Off Limits To The Law? Supreme Court Ruling Sought

Researchers Warn 3 Apps Have Been Stealing Crypto Undetected For A Year

Ways To Prevent Phishing Scams In 2020

The Pandemic Turbocharged Online Privacy Concerns

US Treasury Breached By Foreign-Backed Hackers

FireEye Hack Portends A Scary Era Of Cyber-Insecurity

How FinCEN Became A Honeypot For Sensitive Personal Data

Apple And Google To Stop X-Mode From Collecting Location Data From Users’ Phones

Surge In Physical Threats During Pandemic Complicates Employee Security Efforts

Imagine A Nutrition Label—for Cybersecurity

Cybercriminals Attack GoDaddy-based Cryptocurrency Platforms

Biden Team Lacks Full U.S. Cybersecurity Support In Transition Fracas

Nasdaq To Buy Anti-Financial Crime Firm Verafin For $2.75 Billion

Mysterious Software Bugs Were Used To Hack iPhones and Android Phones and No One Will Talk About It

Dark Web Hackers Say They Hold Keys To 10,000 Robinhood Accounts #GotBitcoin

Hackers Steal $2.3 Million From Trump Wisconsin Campaign Account

Crypto Scammers Deface Trump Campaign Website One Week From Elections

Telecoms Protocol From 1975 Exploited To Target 20 Crypto Executives

With Traders Far From Offices, Banks Bring Surveillance To Homes

Financial Systems Set Up To Monitor Unemployment Insurance Fraud Are Being Overloaded (#GotBlockchain?)

A Millionaire Hacker’s Lessons For Corporate America

Container Shipping Line CMA CGM Says Data Possibly Stolen In Cyberattack

Major Hospital System Hit With Cyberattack, Potentially Largest In U.S. History

Hacker Releases Information On Las Vegas-Area Students After Officials Don’t Pay Ransom

Russian Troll Farms Posing As African-American Support For Donald Trump

US Moves To Seize Cryptocurrency Accounts Linked To North Korean Heists

These Illicit SIM Cards Are Making Hacks Like Twitter’s Easier

Uber Exec Allegedly Concealed 2016 Hack With $100K BTC ‘Bug Bounty’ Pay-Off

Senate Panel’s Russia Probe Found Counterintelligence Risks In Trump’s 2016 Campaign

Bockchain Based Surveillance Camera Technology Detects Crime In Real-Time

Trump Bans TicToc For Violating Your Privacy Rights While Giving US-Based Firm Go Ahead (#GotBitcoin?)

Facebook Offers Money To Reel In TikTok Creators

How A Facebook Employee Helped Trump Win—But Switched Sides For 2020

Facebook Rebuffs Barr, Moves Ahead on Messaging Encryption

Facebook Ad Rates Fall As Coronavirus Undermines Ad Spending

Facebook Labels Trump Posts On Grounds That He’s Inciting Violence

Crypto Prediction Markets Face Competition From Facebook ‘Forecasts’ (#GotBitcoin?)

Coronavirus Is The Pin That Burst Facebook And Google Online Ads Business Bubble

OpenLibra Plans To Launch Permissionless Fork Of Facebook’s Stablecoin (#GotBitcoin?)

Facebook Warns Investors That Libra Stablecoin May Never Launch (#GotBitcoin?)

FTC Approves Roughly $5 Billion Facebook Settlement (#GotBitcoin?)

How Facebook Coin’s Big Corporate Backers Will Profit From Crypto

Facebook’s Libra Is Bad For African Americans (#GotBitcoin?)

A Monumental Fight Over Facebook’s Cryptocurrency Is Coming (#GotBitcoin?)

Alert! 540 Million Facebook Users’ Data Exposed On Amazon Servers (#GotBitcoin?)

Facebook Bug Potentially Exposed Unshared Photos of Up 6.8 Million Users (#GotBitcoin?)

Facebook Says Millions of Users’ Passwords Were Improperly Stored in Internal Systems (#GotBitcoin?)

Advertisers Allege Facebook Failed to Disclose Key Metric Error For More Than A Year (#GotBitcoin?)

Ad Agency CEO Calls On Marketers To Take Collective Stand Against Facebook (#GotBitcoin?)

Thieves Can Now Nab Your Data In A Few Minutes For A Few Bucks (#GotBitcoin?)

New Crypto Mining Malware Beapy Uses Leaked NSA Hacking Tools: Symantec Research (#GotBitcoin?)

Equifax, FICO Team Up To Sell Your Financial Data To Banks (#GotBitcoin?)

Cyber-Security Alert!: FEMA Leaked Data Of 2.3 Million Disaster Survivors (#GotBitcoin?)

DMV Hacked! Your Personal Records Are Now Being Transmitted To Croatia (#GotBitcoin?)

Lithuanian Man Pleads Guilty In $100 Million Fraud Against Google, Facebook (#GotBitcoin?)

Hack Alert! Buca Di Beppo, Owned By Earl Enterprises Suffers Data Breach Of 2M Cards (#GotBitcoin?)

SEC Hack Proves Bitcoin Has Better Data Security (#GotBitcoin?)

Maxine Waters (D., Calif.) Rises As Banking Industry’s Overseer (#GotBitcoin?)

FICO Plans Big Shift In Credit-Score Calculations, Potentially Boosting Millions of Borrowers (#GotBitcoin?)

Our Facebook Page

Your Questions And Comments Are Greatly Appreciated.

Monty H. & Carolyn A.

Go back

Leave a Reply