NSA Director Pushes Congress to Renew Surveillance Powers

A top U.S. intelligence official on Thursday urged Congress to renew sweeping powers granted to American spy agencies to surveil and examine communications, saying they were critical to stopping terrorism, cyberattacks and other threats.

The remarks by Army Gen. Paul Nakasone, director of the National Security Agency, opened what’s expected to be a contentious debate over provisions of the Foreign Intelligence Surveillance Act that expire at year’s end. The bipartisan consensus in favor of expanded surveillance powers in the years after Sept. 11 has given way to increased skepticism, especially among some Republicans who believe spy agencies used those powers to undermine former President Donald Trump.

The new GOP majority in the U.S. House has already formed a panel on the “weaponization of the federal government.” And progressive Democrats have pushed for more curbs on warrantless surveillance.

The NSA and other spy agencies use authorities under FISA’s Section 702 to collect huge swaths of foreign communications, which also results in the incidental collection of emails and calls from Americans. The law prohibits spy agencies from targeting Americans and requires the FBI to seek a court order to access a U.S. citizen’s communications.

Section 702 was first added to FISA in 2008 and renewed for six years in 2018, when Trump originally tweeted opposition to the program but then reversed himself.

Nakasone argued the law “plays an outsize role in protecting the nation” and generates “some of the U.S. government’s most valuable intelligence on our most challenging targets.”

He gave several broad examples of that work, including the discovery of attempts to steal sensitive U.S. technology, stopping the transfer of weapons components, preventing cyberattacks, and “understanding the strategic intentions” of China and Russia.

“We have saved lives because of 702,” Nakasone told a virtual meeting of the U.S. Privacy and Civil Liberties Oversight Board.

The general said he could not publicly share more details about the impact of that surveillance, acknowledging that also limited his ability to make his case. Civil liberties advocates have long criticized the secrecy of intelligence court proceedings and the power agencies have to collect years of incidental data on Americans.

Cindy Cohn, executive director of the Electronic Frontier Foundation, said Congress had created an effective “national security exception to the U.S. Constitution.”

“The American people and indeed people all around the world have lost the ability to have a private conversation over digital networks,” she told the board. Section 702, Cohn said, “was a mass monitoring infrastructure that subjects people’s communications to NSA review.”

Republicans on the House Intelligence Committee and other national security hawks are expected to push GOP colleagues to support a renewal this year accompanied by still-unspecified changes.

“We’ve got to have a discussion within our own caucus, but I feel good about the groundwork we’ve laid,” said Rep. Mike Gallagher, a Wisconsin Republican who will lead the House’s new select committee on China, in an interview this week. “There’s serious and legitimate concern. And so part of the process of getting renewal is to put in place reform that gives people confidence that there won’t be abuses in the future.”

In December 2019, the Justice Department’s inspector general found the FBI had withheld key information from the Foreign Intelligence Surveillance Court as it applied for warrants to monitor the communications of Carter Page, a Trump campaign aide. The inspector general also made clear the extent to which agents had relied during that process on uncorroborated allegations compiled by a former British spy.

The chief judge of that court would issue an unusual rebuke to the FBI, saying it had made “unsupported” representations as it submitted the eavesdropping applications and had failed to provide other information that would have weakened the government’s case for surveillance.

Responding to the scrutiny, the FBI announced a series of changes designed to ensure that its applications to the court, which approves warrants to eavesdrop on American soil on people suspected of being agents of a foreign power, are more accurate.

Congress in 2020 let expire three provisions of the Patriot Act that the FBI and Justice Department had said were essential for national security, including one that permits investigators to surveil subjects without establishing that they’re acting on behalf of an international terrorism organization. A bill renewing those authorities passed the Senate, but Democrats pulled legislation from the House floor after Trump and House Republicans turned against the measure and ensured its defeat.


https://www.securityweek.com/nsa-director-pushes-congress-renew-surveillance-powers




Most Cacti Installations Unpatched Against Exploited Vulnerability

Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks.

An open-source web-based network monitoring and graphing tool that offers an operational monitoring and fault management framework, Cacti is a front-end application for the data logging utility RRDtool.

In early December 2022, the tool’s maintainers announced patches for CVE-2022-46169, a critical-severity (CVSS score 9.8) command injection flaw that could allow unauthenticated attackers to execute code on the server running Cacti, if a specific data source was used.

The security defect consists of an authentication bypass, where an unauthenticated attacker can access a specific file, and an improper sanitization of an argument during the processing of a specific HTTP query for a polling ‘action’ defined in the database.

Users can define actions for the monitoring of hosts (pollers) and the issue impacts a poller type that executes a script. An attacker able to bypass authentication can supply the specific argument that is passed along to the execution call unsanitized, achieving command injection.

Cacti versions 1.2.23 and 1.3.0, released on December 5, include patches for this vulnerability.

A few days after SonarSource published a technical analysis of CVE-2022-46169 on January 3, The Shadowserver Foundation warned that it had logged the first exploitation attempts targeting the security defect.

“Using Cacti? We started to pick up exploitation attempts for Cacti unauthenticated remote command injection CVE-2022-46169 including subsequent malware download. These started Jan 3rd. Make sure to patch & not expose your Cacti instance to the Internet,” Shadowserver said.

This week, attack surface management firm Censys revealed that, out of 6,400 internet-accessible Cacti hosts that it has identified, only 26 were running a patched version of the tool. Most of these servers are in Brazil, with Indonesia and the US rounding out the top three.

With exploitation of this vulnerability underway, organizations are advised to update Cacti to a patched version as soon as possible.


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/most-cacti-installations-unpatched-against-exploited-vulnerability




Exploitation of Control Web Panel Vulnerability Starts After PoC Publication

Security researchers are observing exploitation attempts targeting a critical Control Web Panel (CWP) vulnerability, following the publication of proof-of-concept (PoC) code in early January.

Formerly CentOS Web Panel, CWP is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients.

Tracked as CVE-2022-44877 (CVSS score of 9.8), the exploited vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) on impacted systems.

The security defect is a misconfiguration in functionality that logged incorrect entries on the panel, allowing attackers to insert commands that would be executed on the server, CloudSEK explains in a technical analysis of the PoC.

A NIST advisory notes that “login/index.php in CWP 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.”
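The defect class behind this CWP flaw (shell metacharacters in a login parameter) and the Cacti poller issue described above (a caller-supplied argument passed unsanitized to a script execution call) is the same command injection pattern. The Python example below is added here and is not code from either project; it contrasts the vulnerable shell-string invocation with two hardened forms, adds an allowlist check, and includes a small log-review helper. The script name, argument and payload are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed stand-in: "echo" plays the role of the monitoring script that a
# poller action (Cacti) or a login handler (CWP) would run with a caller-supplied value.
SCRIPT = "echo"

# Allowlist for what a host/login argument should contain: hostname, IPv4 address
# or simple account-name characters. Anything else is rejected before execution.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]{1,253}$")

# Shell metacharacters worth flagging in request parameters during log review.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def run_vulnerable(script: str, arg: str) -> str:
    """Defect pattern: the argument is pasted into a command string that a shell
    parses, so metacharacters in `arg` become additional commands."""
    cmd = f"{script} {arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(script: str, arg: str) -> str:
    """Preferred fix: no shell at all. The argv list hands `arg` to the program
    as one literal argument, whatever characters it contains."""
    return subprocess.run([script, arg], capture_output=True, text=True).stdout


def run_hardened_quoted(script: str, arg: str) -> str:
    """Fallback when a shell is unavoidable: shlex.quote() (the analogue of PHP's
    escapeshellarg) wraps `arg` so the shell sees a single quoted word."""
    cmd = f"{script} {shlex.quote(arg)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_safe_arg(arg: str) -> bool:
    """Allowlist validation: accept only hostname/account characters."""
    return SAFE_ARG.fullmatch(arg) is not None


def poll_host(arg: str) -> str:
    """Defence in depth: validate the argument, then execute without a shell."""
    if not is_safe_arg(arg):
        raise ValueError(f"rejected poller argument: {arg!r}")
    return run_hardened(SCRIPT, arg)


def suspicious_params(params: dict[str, str]) -> list[str]:
    """Detection helper for log review: names of request parameters whose value
    contains shell metacharacters."""
    return [name for name, value in params.items() if SHELL_META.search(value)]


if __name__ == "__main__":
    payload = "host1; echo INJECTED"  # constructed, benign demonstration value
    print("vulnerable:", run_vulnerable(SCRIPT, payload).split())       # ['host1', 'INJECTED']
    print("hardened:  ", run_hardened(SCRIPT, payload).strip())          # host1; echo INJECTED
    print("flagged:   ", suspicious_params({"login": payload, "host": "h1"}))  # ['login']
```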

The issue was identified and reported by Gais Cyber Security researcher Numan Turle and patches were released for both the admin panel and the user panel in October 2022.

On January 3, 2023, Turle published a PoC exploit targeting the vulnerability, along with a video demonstrating the bug in action.

Soon after, attackers started exploiting the vulnerability in malicious attacks, with both cybersecurity firm GreyNoise and nonprofit security organization The Shadowserver Foundation warning of active exploitation attempts.

“We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation was first observed Jan 6th,” Shadowserver said.

Shadowserver also notes that it sees roughly 38,000 CWP instances exposed to the internet daily. According to CloudSEK, a Shodan query has revealed the existence of over 400,000 servers.

Patches for CVE-2022-44877 were included in CWP7 version 0.9.8.1147. CWP users are advised to update to this or a newer version of the management panel as soon as possible.


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/exploitation-control-web-panel-vulnerability-starts-after-poc-publication




Juniper Networks Kicks Off 2023 With Patches for Over 200 Vulnerabilities

The first round of security advisories published by Juniper Networks for 2023 cover hundreds of vulnerabilities that have been patched in the networking giant’s products.

The 32 Juniper Networks security advisories published by the company this week cover more than 230 vulnerabilities, roughly 200 of which impact third-party components.

Three advisories have an overall severity rating of critical and they all describe vulnerabilities affecting third-party components. Twenty advisories have a ‘high severity’ rating and nine have a ‘medium severity’ rating.

Roughly two dozen Junos OS vulnerabilities have been patched by the company. All of them can be leveraged for denial-of-service (DoS) attacks, and a majority can be exploited by unauthenticated attackers who have network access to the targeted device.

There is no indication that any of these vulnerabilities has been exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency (CISA) has advised organizations to review Juniper’s advisories and take action as necessary.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/juniper-networks-kicks-2023-patches-over-200-vulnerabilities




Fortinet Says Recently Patched Vulnerability Exploited to Hack Governments

Fortinet reported this week that a recently patched vulnerability tracked as CVE-2022-42475 has been exploited in highly targeted attacks aimed at government organizations.

The security hole impacts the FortiOS SSL-VPN and it can allow a remote, unauthenticated hacker to execute arbitrary code or commands using specially crafted requests.

The vulnerability’s existence was disclosed on December 12, 2022, when Fortinet warned that it was aware of in-the-wild exploitation. The company at the time announced patches and shared indicators of compromise (IoCs).

In a blog post published this week, Fortinet’s Product Security Incident Response Team (PSIRT) shared additional details, including on the malware sample delivered in the observed attacks, as well as the related network traffic.

“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” the cybersecurity firm said.

When the existence of CVE-2022-42475 came to light, researcher Kevin Beaumont said that it appeared to have been exploited by a ransomware group, but after additional information emerged, the expert said it may have actually been a state-sponsored threat actor disguising its activities as a ransomware operation.

According to new information shared by Fortinet, the hackers delivered a variant of a generic Linux malware customized for targeting its FortiOS operating system.

While some of the payloads could not be recovered, the company’s analysis indicated that the attackers were trying to execute commands, download additional malicious components to compromised systems, and manipulate FortiOS logging functionality.

Regarding the logs, the malware deployed in the attack attempted to patch the FortiOS logging process in an effort to alter logs and evade detection. The malware is also capable of killing the logging process.

This detailed analysis has allowed Fortinet to share additional IoCs.

It’s not uncommon for malicious actors to exploit vulnerabilities in Fortinet products in their attacks, and the vendor admitted in the past that some customers are slow when it comes to patching, even actively exploited vulnerabilities.

According to data from CISA’s Known Exploited Vulnerabilities Catalog, a total of nine Fortinet product vulnerabilities have been exploited in attacks since 2018.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/fortinet-says-recently-patched-vulnerability-exploited-hack-governments




Pro-Russian Group DDoS-ing Governments, Critical Infrastructure in Ukraine, NATO Countries

A pro-Russian cybercrime group named NoName057(16) is actively launching distributed denial-of-service (DDoS) attacks against organizations in Ukraine and NATO countries.

Also known as NoName05716, 05716nnm or Nnm05716, the threat actor has been supporting Russia’s invasion of Ukraine since March 2022, launching disruptive attacks against government and critical infrastructure organizations.

To date, the group has launched DDoS attacks against government, military, telecommunications, and transportation organizations, as well as media agencies, suppliers, and financial institutions in Ukraine, the Czech Republic, Denmark, Estonia, Lithuania, Norway, and Poland.

According to cybersecurity firm SentinelOne, the group focused on Ukrainian news websites at first, but later shifted attention to NATO-associated targets, aiming to silence what it deems to be anti-Russian.

NoName057(16) uses a Telegram channel to claim responsibility for disruptions, justify its actions, make threats, and mock targets. The group, SentinelOne says, “values the recognition their attacks achieve through being referenced online”.

The threat actor was also seen abusing GitHub to host tools advertised on their Telegram channel, including the DDoS tool DDOSIA, a multi-threaded application that has both Python and Golang implementations.

GitHub promptly removed the NoName057(16)-associated accounts and repositories after being informed about the nefarious activity.

Some of the most recent incidents attributed to the group include the targeting of the Polish government in December 2022, attacks on Lithuanian organizations (mainly cargo and shipping firms) in January 2023, and hits on Danish financial institutions.

This week, the group was seen attempting to disrupt the 2023 Czech presidential elections, taking place January 13-14.

“Specific targets include domains for candidates Pavel Fischer, Marek Hilšer, Jaroslav Bašta, General Petr Pavel, and Danuše Nerudová. Additionally, the Ministry of Foreign Affairs of the Czech Republic website was also targeted at the same time,” SentinelOne notes.

Throughout 2022, the group was observed employing various tools for carrying out attacks, including Bobik-infected systems ensnared in a botnet. According to SentinelOne, however, NoName057(16) “appears to primarily seek participation voluntarily through their DDOSIA tool”.

“NoName057(16) is yet another hacktivist group to emerge following the war in Ukraine. While not technically sophisticated, they can have an impact on service availability, even when generally short lived. What this group represents is an increased interest in volunteer-fueled attacks, while now adding in payments to its most impactful contributors,” SentinelOne concludes.


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/pro-russian-group-ddos-ing-governments-critical-infrastructure-ukraine-nato-countries




Tesla Returns as Pwn2Own Hacker Takeover Target

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to complete vehicle compromise.

Tesla, in tandem with Pwn2Own organizer Zero Day Initiative, is offering a $600,000 cash prize to any hacker capable of writing exploits that pivot through multiple systems in the car to gain arbitrary code execution.

“Success here gets a big payout and, of course, a brand-new Tesla,” contest organizers announced Thursday.

This isn’t the first time Tesla has sought to attract the attention of advanced exploit writers at Pwn2Own. Back in 2019, the company gave away a Tesla Model 3 to a pair of researchers who demonstrated successful exploits, and this year the organizers plan to raise the level of complexity required for a successful car-hacking exploit.

Hackers can register an entry against either a Tesla Model 3 (Intel or Ryzen-based) or the Tesla Model S (Ryzen-based).

This year, the organizers are looking for exploits targeting Tesla’s Tuner, Wi-Fi, Bluetooth or Modem components. Hackers must demonstrate a successful intermediate pivot to the vehicle’s infotainment system and execute code against VCSEC, Gateway or Autopilot.

In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. “This represents the single largest target in Pwn2Own history,” conference organizers said in a note posted Thursday.

Organizers believe a complete vehicle takeover exploit is a tough undertaking. “It’s difficult to express the complexity of completing such a demonstration, but we’re certainly hopeful that someone can show off their exploit skills and drive off a winner.”

Pwn2Own is also offering cash prizes ranging from $250,000 to $400,000 to entice attackers to showcase exploits pivoting through some of the vehicle’s sub-systems. “This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge.”

Pwn2Own also announced the addition of a Steam VM Escape category with both a Tesla Model 3 and a Tesla Model S available as targets.

The annual hacker contest will also offer prizes for exploits for VMWare virtual machine escapes, attacks against Microsoft DNS Server and ISC BIND, and exploits for enterprise collaboration tools Zoom and Microsoft Teams.


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.
Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.


https://www.securityweek.com/tesla-returns-pwn2own-hacker-takeover-target




Twitter Finds No Evidence of Vulnerability Exploitation in Recent Data Leaks

Twitter says it has analyzed the recently advertised databases allegedly containing the information of hundreds of millions of its users and found no evidence that a vulnerability has been exploited.

In August 2022, Twitter informed customers that a vulnerability in its systems had been exploited to obtain user data. The flaw, patched in January 2022, could be used to determine whether a specified phone number or email address was tied to an existing Twitter account.

Twitter confirmed exploitation of the vulnerability after reports started circulating that the flaw had been leveraged to collect data on 5.4 million users.

A few months later, a cybersecurity expert said he had obtained a database that appeared to show the Twitter data breach was far bigger than initially reported, with tens of millions of impacted accounts.

Twitter said the data was the same in both cases, but it never clarified exactly how many users are believed to be impacted.

In December, just before Christmas, someone offered to sell a database of 400 million Twitter user records allegedly obtained through the exploitation of the same flaw.

A few weeks later, in early January, an individual leaked a database containing the information of roughly 235 million Twitter users, including names, usernames, email addresses, follower counts, and account creation dates. Experts who analyzed the publicly available data said it likely came from web scraping.

Twitter confirmed on Wednesday that the 200 million records were not obtained through the exploitation of the vulnerability patched in January 2022, nor other weaknesses in its systems.

In addition, the social media giant clarified that the 200 million records actually appear to be the same dataset as the previously sold 400 million records, but with duplicate entries removed.

The company also clarified that none of the leaked databases contained any passwords or other information that could lead to passwords getting compromised.

“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources,” Twitter said.

Ireland’s Data Protection Commission (DPC) announced in December that it had launched an investigation in response to the data leak reports involving 5.4 million Twitter users.

In the statement published this week, Twitter said, “We are in contact with Data Protection Authorities and other relevant regulators from different countries to provide clarification about the alleged incidents, and we will continue to do so.”

Just like Facebook, Twitter has its European headquarters in Ireland. Facebook and Instagram have been issued hundreds of millions of euros in fines in the past year in Ireland over data privacy violations.

The individual offering to sell the 400 million records was actually hoping that the massive fines issued to other social media companies would convince Twitter to buy the data itself to prevent it from getting leaked.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/twitter-finds-no-evidence-vulnerability-exploitation-recent-data-leaks




Cisco Warns of Critical Vulnerability in EoL Small Business Routers

Cisco this week announced that no patches will be released for a critical-severity vulnerability impacting small business RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL).

Tracked as CVE-2023-20025 (CVSS score of 9.0), the security defect impacts the web-based management interface of the routers and could be exploited to bypass authentication.

The issue exists because user input in incoming HTTP packets is not properly validated, allowing an attacker to send crafted HTTP requests to the router in order to bypass authentication and gain root access to the operating system.

“Cisco has not and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability,” Cisco notes in its advisory.

The tech giant also warned of a high-severity bug in the web-based management interface of the same routers, which could lead to remote command execution. Tracked as CVE-2023-20026, the vulnerability requires the attacker to be authenticated.

To mitigate these vulnerabilities, administrators can disable remote management on the affected devices, and block access to ports 443 and 60443.

Cisco warns that proof-of-concept exploit code targeting this vulnerability is available publicly, but says it is not aware of malicious attacks exploiting the bug. However, it’s not uncommon for threat actors to target Cisco’s small business RV routers in their attacks.

This week Cisco also announced patches for high-severity vulnerabilities impacting IP Phone 7800 and 8800 series phones, Industrial Network Director (IND), and the BroadWorks Application Delivery and BroadWorks Xtended Services platforms.

The insufficient validation of user-supplied input on the web-based management interface of IP Phone 7800 and 8800 series phones could allow a remote attacker to bypass authentication.

The security issue in IND “exists because a static key value that is stored in the application can be used to encrypt application data and remote credentials” and can be exploited to decrypt data and access remote systems monitored by IND.

The BroadWorks platforms are impacted by an improper input validation bug allowing attackers to send crafted HTTP requests and trigger a denial-of-service (DoS) condition.

Cisco says it is not aware of any malicious attacks targeting the vulnerabilities. More information about the addressed bugs can be found on Cisco’s product security page.


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/cisco-warns-critical-vulnerability-eol-small-business-routers




The Guardian Confirms Personal Information Compromised in Ransomware Attack

British news organization The Guardian has confirmed that personal information was compromised in a ransomware attack in December 2022.

The company fell victim to the attack just days before Christmas, when it instructed staff to work from home, announcing network disruptions that mostly impacted the print newspaper.

Right from the start, the Guardian said it suspected ransomware to have been involved in the incident, and this week the company confirmed that this was indeed the case.

In an email to staff on Wednesday, The Guardian Media Group’s chief executive and the Guardian’s editor-in-chief said that the sophisticated cyberattack was likely the result of phishing.

They also announced that the personal information of UK staff members was compromised in the attack, but said that reader data and the information of US and Australian staff was not impacted.

“We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely,” the Guardian representatives said.

While the attack forced the Guardian staff to work from home, online publishing has been unaffected, and production of daily newspapers has continued as well.

“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organization,” the Guardian said.

The company continues to work on recovery and estimates that critical systems will be restored in the next two weeks. Staff, however, will continue to work from home until at least early February.

“These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes, and kinds, in all countries,” the Guardian said.

It’s unclear which ransomware group was behind the attack.


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/guardian-confirms-personal-information-compromised-ransomware-attack