{"id":2607,"date":"2021-07-23T13:44:11","date_gmt":"2021-07-23T08:14:11","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2607"},"modified":"2021-07-23T13:44:13","modified_gmt":"2021-07-23T08:14:13","slug":"a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/","title":{"rendered":"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">One of the leading insurance companies, CNA Financial, has shared details of how Phoenix CryptoLocker operators breached its network, stole data and deployed ransomware payloads in an attack that hit its network in March 2021.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Two months ago, on May 13, CNA said it was operating \u201cin a fully restored state\u201d after restoring the systems affected by the attack. In a legal notice filed earlier this month, CNA laid out a detailed timeline of the ransomware attack, based on an investigation carried out with third-party security experts hired immediately after the incident was discovered.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How Did They Hijack the Network Using a Fake Browser Update?<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">According to the US insurer, the threat actor first compromised an employee\u2019s workstation in March using a fake, malicious browser update delivered through a legitimate website. 
The attacker then gained elevated privileges on the system through \u201cadditional malicious activity\u201d and moved laterally through CNA\u2019s network, compromising further devices and establishing persistence on them.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cBetween March 5 and March 20, 2021, the threat actors conducted reconnaissance within CNA\u2019s IT environment using legitimate tools and credentials to bypass detection and to establish persistence,\u201d reveals the legal notice filed with the New Hampshire Attorney General\u2019s Office.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cOn March 20 and into March 21, 2021, the attacker disabled monitoring and security tools; destroyed and disabled some of the CNA back-ups; and deployed the ransomware onto some systems within the environment, leading CNA to proactively disconnect systems globally as an immediate containment measure.\u201d<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Sources familiar with the attack told our experts that Phoenix CryptoLocker encrypted more than 15,000 systems after the ransomware payloads were deployed on CNA\u2019s network on March 21. 
We also learned that the ransomware operators encrypted the devices of remote workers who were logged into the company\u2019s VPN during the attack.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cIn addition to deploying the ransomware, the attacker copied, compressed and staged unstructured data taken from the file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of the unstructured data from the CNA environment directly into the threat actor\u2019s cloud-based account hosted by Mega NZ Limited,\u201d the company concluded.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Stolen Data Not Sold or Traded<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">CNA further found that the stolen files contained sensitive information (names, Social Security numbers, dates of birth, benefits enrollment and\/or medical information) belonging to employees, former employees and their dependents and, in roughly 10% of cases, customers.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The investigators also found that the attackers only exfiltrated data to the MEGAsync account, which was seized with the help of the FBI and Mega. 
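The intrusion chain CNA describes above (a fake browser update that runs a script from a user profile, monitoring and backups tampered with before encryption, file-share data compressed and staged and then uploaded with MEGAsync) maps onto a few process-creation hunts. The following is an added example, not code from the original post or from CNA's investigation: it runs three such rules over constructed Sysmon-style events. The hostnames, users, paths, process-name lists and tampering command patterns are assumptions for illustration, not indicators from this incident. Because MEGAsync is a legitimate tool, the exfiltration rule takes an allowlist of hosts where it is sanctioned.

```python
"""Process-creation hunts for the intrusion chain described in CNA's notice.

Added example with constructed telemetry; not code from the original post or
from CNA's investigation. Field names follow a Sysmon Event ID 1 style subset
(assumed); hostnames, users and paths are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent image basename
    image: str    # process image basename
    cmdline: str

    def __post_init__(self):
        self.parent = self.parent.lower()
        self.image = self.image.lower()


# Process names are assumptions; tune them to the environment.
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe"}
MEGA_CLIENTS = {"megasync.exe", "megacmdserver.exe", "megacmd.exe"}

# Fake browser update lure: a script named like a browser update, launched
# from a user-writable location.
LURE_NAME = re.compile(r"(chrome|firefox|edge|browser)[\w.\-]*update[\w.\-]*\.(js|hta|vbs)\b", re.I)
USER_PATH = re.compile(r"\\(downloads|temp|appdata)\\", re.I)

# Common ways monitoring and backups are disabled before encryption. Generic
# patterns, not commands the notice attributes to this intrusion.
TAMPER = [re.compile(p, re.I) for p in (
    r"\bvssadmin(\.exe)?\s+delete\s+shadows",
    r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
    r"\bwmic(\.exe)?\s+shadowcopy\s+delete",
    r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no",
    r"\bSet-MpPreference\s+-Disable\w+",
)]


def fake_browser_update(events):
    """Launcher -> script host running an 'update'-named script from a user path."""
    return [e for e in events
            if e.parent in LAUNCHERS and e.image in SCRIPT_HOSTS
            and LURE_NAME.search(e.cmdline) and USER_PATH.search(e.cmdline)]


def tool_and_backup_tampering(events):
    """Command lines matching the generic tampering patterns above."""
    return [e for e in events if any(p.search(e.cmdline) for p in TAMPER)]


def staging_then_mega(events, approved_hosts=frozenset(), window=timedelta(hours=24)):
    """Archive creation followed on the same host by a MEGA client within `window`.
    Hosts where MEGAsync is sanctioned are skipped. Returns (archive, upload) pairs."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    pairs = []
    for host, evs in by_host.items():
        if host in approved_hosts:
            continue
        archives = [e for e in evs if e.image in ARCHIVERS]
        uploads = [e for e in evs if e.image in MEGA_CLIENTS]
        pairs += [(a, u) for a in archives for u in uploads
                  if timedelta(0) <= u.ts - a.ts <= window]
    return pairs


def run_hunt(events, approved_hosts=frozenset()):
    return {
        "lure": fake_browser_update(events),
        "tamper": tool_and_backup_tampering(events),
        "exfil": staging_then_mega(events, approved_hosts),
    }


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (made up; not indicators from this incident).
SAMPLE = [
    ProcEvent(_t("2021-03-05T09:12:41"), "ws-042", "jdoe", "explorer.exe", "wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Chrome.Update.a1b2.js"'),
    ProcEvent(_t("2021-03-05T09:30:02"), "ws-042", "jdoe", "explorer.exe", "powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent(_t("2021-03-10T09:50:00"), "ws-107", "designer", "explorer.exe", "7z.exe",
              r"7z.exe a C:\Users\designer\Documents\artwork.7z C:\Users\designer\Documents\artwork"),
    ProcEvent(_t("2021-03-10T10:00:00"), "ws-107", "designer", "explorer.exe", "MEGAsync.exe",
              r'"C:\Users\designer\AppData\Local\MEGAsync\MEGAsync.exe"'),
    ProcEvent(_t("2021-03-20T22:05:13"), "fs-03", "svc_admin", "cmd.exe", "vssadmin.exe",
              r"vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(_t("2021-03-20T22:06:02"), "fs-03", "svc_admin", "cmd.exe", "powershell.exe",
              r"powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(_t("2021-03-20T22:30:45"), "fs-03", "svc_admin", "cmd.exe", "7z.exe",
              r"7z.exe a -mx1 D:\stage\share1.7z \\fs-03\share$"),
    ProcEvent(_t("2021-03-20T23:10:09"), "fs-03", "svc_admin", "explorer.exe", "MEGAsync.exe",
              r'"C:\Users\svc_admin\AppData\Local\MEGAsync\MEGAsync.exe"'),
]

if __name__ == "__main__":
    for rule, hits in run_hunt(SAMPLE, approved_hosts={"ws-107"}).items():
        print(rule, len(hits))
```

The staging-then-upload pairing is the rule worth tuning: an archiver followed by a MEGA client on a file server that has no business running either is a strong signal, whereas the lure and tampering rules key on names and command patterns an attacker can change. With `ws-107` allowlisted, the sample yields one lure hit, two tampering hits and one exfiltration pair on `fs-03`; without the allowlist the designer's legitimate MEGAsync use on `ws-107` is flagged too.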
According to information provided by the cloud storage provider, the stolen CNA data was not transferred out of the attacker\u2019s Mega account.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Based on the findings of the investigation, CNA says that \u201cthere is no indication that the threat actor viewed, retained or transmitted the exported data and, thus, no risk of harm to individuals arising from the incident.\u201d<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Despite this conclusion, CNA still decided earlier this month to notify the affected individuals of a potential data breach following the March Phoenix CryptoLocker ransomware attack.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"361\" height=\"140\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/A-Ransomware-Gang-Hijacked-CNAs-Network-via-Fake-Browser-Update-image1.jpg\" alt=\"A-Ransomware-Gang-Hijacked-CNAs-Network-via-Fake-Browser-Update-image1\" class=\"wp-image-2610\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/A-Ransomware-Gang-Hijacked-CNAs-Network-via-Fake-Browser-Update-image1.jpg 361w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/A-Ransomware-Gang-Hijacked-CNAs-Network-via-Fake-Browser-Update-image1-300x116.jpg 300w\" sizes=\"(max-width: 361px) 100vw, 361px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">According to the breach notification CNA filed with the office of Maine\u2019s Attorney General, the breach affected 75,349 individuals.<\/p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Possible Links to a Sanctioned Cybercrime Group<\/strong><\/h4>\n\n\n\n<p><p style=\"text-align: justify;\">Based on source code similarities, Phoenix Locker is believed to be a ransomware strain developed by the Evil Corp hacking group to evade sanctions after victims of its WastedLocker ransomware stopped paying ransoms to avoid fines or legal action.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">When asked by our experts about the possible connection between the sanctioned Evil Corp and Phoenix Locker, CNA stated there was no confirmed link. \u201cThe threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no US government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity,\u201d the company stated.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the leading insurance companies, CNA Financial, has given an insight into how Phoenix CryptoLocker operators breached its network, stole data and deployed ransomware payloads in an attack that hit its network in March 2021. Two months ago, on May 13, CNA said it was operating \u201cin a fully restored state\u201d [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2611,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,1],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"One of the leading insurance companies, CNA Financial, has given an insight 
into how Phoenix CryptoLocker operators breached its network, stole data and deployed ransomware payloads in an attack that hit its network in March 2021. Two months ago, on May 13, CNA said it was operating \u201cin a fully restored state\u201d [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-23T08:14:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-23T08:14:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/A-Ransomware-Gang-Hijacked-CNAs-Network-via-Fake-Browser-Update-featured-image-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update\",\"datePublished\":\"2021-07-23T08:14:11+00:00\",\"dateModified\":\"2021-07-23T08:14:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\"},\"wordCount\":650,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\",\"url\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\",\"name\":\"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-23T08:14:11+00:00\",\"dateModified\":\"2021-07-23T08:14:13+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/","og_locale":"en_US","og_type":"article","og_title":"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update - Xiarch Solutions Private Limited","og_description":"One of the leading insurance companies, CNA Financial, has given an insight into how Phoenix CryptoLocker operators breached its network, stole data and deployed ransomware payloads in an attack that hit its network in March 2021. Two months ago, on May 13, CNA said it was operating \u201cin a fully restored state\u201d [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-07-23T08:14:11+00:00","article_modified_time":"2021-07-23T08:14:13+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/A-Ransomware-Gang-Hijacked-CNAs-Network-via-Fake-Browser-Update-featured-image-1.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update","datePublished":"2021-07-23T08:14:11+00:00","dateModified":"2021-07-23T08:14:13+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/"},"wordCount":650,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/","url":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/","name":"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-07-23T08:14:11+00:00","dateModified":"2021-07-23T08:14:13+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/a-ransomware-gang-hijacked-cnas-network-via-fake-browser-update\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"A Ransomware Gang Hijacked CNA\u2019s Network via Fake Browser Update"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2607"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2607"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2607\/revisions"}],"predecessor-version":[{"id":2612,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2607\/revisions\/2612"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2611"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}