Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CISA & FBI. Show all posts
User Priavcy
AI Chatbot AI Tool CIA CISA & FBI Cyber Security NSA Open Source Software Spies US-China USA officials User Priavcy

CIA's AI Chatbot: A New Tool for Intelligence Gathering

The Central Intelligence Agency (CIA) is building its own AI chatbot, similar to ChatGPT. The program, which is still under development, is designed to help US spies more easily sift through ever-growing troves of information.

The chatbot will be trained on publicly available data, including news articles, social media posts, and government documents. It will then be able to answer questions from analysts, providing them with summaries of information and sources to support its claims.

According to Randy Nixon, the director of the CIA's Open Source Enterprise division, the chatbot will be a 'powerful tool' for intelligence gathering. "It will allow us to quickly and easily identify patterns and trends in the data that we collect," he said. "This will help us to better understand the world around us and to identify potential threats."

The CIA's AI chatbot is part of a broader trend of intelligence agencies using AI to improve their operations. Other agencies, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), are also developing AI tools to help them with tasks such as data analysis and threat detection.

The use of AI by intelligence agencies raises several concerns, including the potential for bias and abuse. However, proponents of AI argue that it can help agencies to be more efficient and effective in their work.

"AI is a powerful tool that can be used for good or for bad," said James Lewis, a senior fellow at the Center for Strategic and International Studies. "It's important for intelligence agencies to use AI responsibly and to be transparent about how they are using it."

Here are some specific ways that the CIA's AI chatbot could be used:

  • To identify and verify information: The chatbot could be used to scan through large amounts of data to identify potential threats or intelligence leads. It could also be used to verify the accuracy of information that is already known.
  • To generate insights from data: The chatbot could be used to identify patterns and trends in data that may not be apparent to human analysts. This could help analysts to better understand the world around them and to identify potential threats.
  • To automate tasks: The chatbot could be used to automate tasks such as data collection, analysis, and reporting. This could free up analysts to focus on more complex and strategic work.

The CIA's AI chatbot is still in its early stages of development, but it has the potential to revolutionize the way that intelligence agencies operate. If successful, the chatbot could help agencies to be more efficient, effective, and responsive to emerging threats.

However, it is important to note that the use of AI by intelligence agencies also raises several concerns. For example, there is a risk that AI systems could be biased or inaccurate. Additionally, there is a concern that AI could be used to violate people's privacy or to develop autonomous weapons systems.

It is important for intelligence agencies to be transparent about how they are using AI and to take steps to mitigate the risks associated with its use. The CIA has said that its AI chatbot will follow US privacy laws and that it will not be used to develop autonomous weapons systems.

The CIA's AI chatbot is a remarkable advancement that might have a substantial effect on how intelligence services conduct their business. To make sure that intelligence services are using AI properly and ethically, it is crucial to closely monitor its use.

Read more »
User Privacy
Antivirus CISA & FBI Cross-platform malware Identity Theft malware Sensitive Data Leak US Hospital User Privacy

Hospitals Paralyzed by Cyberattack, Emergency Services Diverted

Several hospitals in Pennsylvania and California were compelled to close their emergency departments and redirect incoming ambulances due to a recent uptick in cyberattacks, which created a frightening situation. The hack, which targeted the healthcare provider Prospect Medical Holdings, has drawn attention to the fragility of essential infrastructure and sparked worries about how it would affect patient care.

The malware hit Prospect Medical's network, impairing its capacity to deliver crucial medical services. No other option was available to the hospitals that were impacted by the attack other than to temporarily close their emergency rooms and divert ambulance traffic to other hospitals.

The severity of the situation cannot be understated. Hospitals are at the heart of any community's healthcare system, providing life-saving treatments to patients in their most critical moments. With emergency rooms rendered inoperable, the safety of patients and the efficacy of medical response are compromised. Dr. Sarah Miller, a healthcare analyst, voiced her concerns, stating, "This cyberattack has exposed a glaring weakness in our healthcare infrastructure. We need robust cybersecurity measures to ensure patient care is not disrupted."

The impact of the cyberattack extends beyond immediate patient care. It raises questions about data security, patient privacy, and the overall stability of healthcare operations. As patient information becomes vulnerable, there is a risk of data breaches and identity theft, further exacerbating the challenges posed by the attack.

Prospect Medical Holdings has since released a statement acknowledging the cyber incident and expressing its commitment to resolving the issue promptly. The company is working with cybersecurity experts to contain the breach, assess the extent of the damage, and implement safeguards to prevent future attacks.

Government agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), are also actively involved in investigating the attack and providing support to the affected hospitals. Michael Johnson, a spokesperson for CISA, emphasized the agency's dedication to assisting healthcare providers in enhancing their cybersecurity posture. Dr. Emily Collins, a cybersecurity expert, noted, "Hospitals need to invest not only in advanced cybersecurity technologies but also in training their staff to recognize and respond to potential threats."

As hospitals work tirelessly to restore normalcy and bolster their defenses against cyber threats, this incident underscores the urgent need for a collaborative approach involving healthcare providers, cybersecurity experts, and government agencies to ensure the resilience of our healthcare system in the face of evolving cyber risks.
Read more »
Threat actors
CISA & FBI CrowdStrike cryptocurrency hack Cyber Attacks IT Companies JumpCloud Labyrinth Collima North Korea Hackers Threat actors

North Korea-Backed Hackers Breach US Tech Company to Target Crypto Firms


A North Korean state-sponsored hacking group has recently breached a US IT management company, in a bid to further target several cryptocurrency companies, cybersecurity experts confirmed on Thursday. 

The software company – JumpCloud – based in Louisville, Colorado reported its first hack late in June, where the threat actors used their company’s systems to target “fewer than 5” of their clients. 

While the IT company did not reveal the identity of its affected customers, cybersecurity firms CrowdStrike Holding and Alphabet-owned Mandiant – managing JumpCloud and its client respectively – claims that the perpetrators are known for executing heists targeting cryptocurrency. 

Moreover, two individuals that were directly connected to the issue further confirmed the claim that the JumpCloud clients affected by the cyberattack were in fact cryptocurrency companies. 

According to experts, these North Korea-backed threat actors, who once targeted firms piecemeal are now making efforts in strengthening their approach, using tactics like a “supply chain attack,” targeting companies that could provide them wider access to a number of victims at once.

However, Pyongyang’s mission to the UN did not respond to the issue. North Korea has previously denied claims of it being involved in cryptocurrency heists, despite surplus evidence claiming otherwise.

CrowdStrike has identified the threat actors as “Labyrinth Collima,” one of the popular North Korea-based operators. The group, according to Mandiant, works for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

However, the U.S. cybersecurity agency CISA and the FBI did not confirm the claim. 

Labyrinth Chollima is one of North Korea’s most active hackers, claiming responsibility for some of the most notorious and disruptive cyber threats in the country. A staggering amount of funds has been compromised as a result of its cryptocurrency theft: An estimated $1.7 billion in digital currency was stolen by North Korean-affiliated entities, according to data from blockchain analytics company Chainalysis last year.

JumpCloud hack first came to light earlier this month when an email from the firm reached its customers, mentioning how their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

Adam Meyers, CrowdStrike’s Senior Vice President for Intelligence further warns against Pyongyang’s hacking squads, saying they should not be underestimated. "I don't think this is the last we'll see of North Korean supply chain attacks this year," he says.  

Read more »
unauthorised access
CISA & FBI Data Breach education sector Law Enforcement PaperCut Ransomware Attacks. Sensitive Data Leak unauthorised access

Bl00dy Ransomware Targets Education Orgs via PaperCut Flaw

The Federal Bureau of Investigation (FBI) has issued a warning about the Bl00dy ransomware gang targeting educational organizations through vulnerabilities in the popular print management software, PaperCut. The cybercriminals are exploiting a critical flaw in PaperCut to gain unauthorized access and launch ransomware attacks, posing a significant threat to the education sector.

The Bl00dy ransomware gang has been actively targeting schools and other educational institutions, taking advantage of the vulnerabilities in PaperCut's software. By exploiting this flaw, the attackers can gain unauthorized access to the system and deploy ransomware, encrypting critical files and demanding a ransom for their release.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have urged educational organizations to take immediate action to address this vulnerability and strengthen their security measures. It is crucial for educational institutions to promptly update and patch their PaperCut installations to protect against potential attacks.

The Bl00dy ransomware gang's targeting of the education sector is particularly concerning as schools and colleges hold sensitive data, including student records and financial information. The impact of a successful ransomware attack can be severe, leading to significant disruptions in educational services and potential data breaches.

To defend against such attacks, educational organizations must adopt a multi-layered approach to cybersecurity. This includes regularly updating and patching software and systems, implementing robust network security measures, and conducting regular backups of critical data. Additionally, user awareness training can help educate staff and students about potential threats and how to avoid falling victim to social engineering tactics.

The FBI and CISA have emphasized the importance of reporting any suspected or confirmed cyberattacks to law enforcement agencies promptly. Timely reporting can assist authorities in tracking and apprehending cybercriminals, while also providing valuable intelligence to help prevent future attacks.

The PaperCut vulnerability was used by the Bl00dy ransomware gang to extort money, underscoring the constantly changing nature of cyber threats and the necessity for ongoing monitoring. Prioritizing cybersecurity measures is essential as businesses continue to rely on digital systems and services to protect sensitive information and ensure smooth operations.

In order to effectively address risks and adopt cybersecurity measures, educational institutions must be proactive. The education sector may reduce the chance of falling victim to ransomware attacks and safeguard the integrity of their systems and data by being watchful, updating software, and working with law enforcement organizations.



Read more »
VMware
CERT CISA & FBI CVE vulnerability Encryption malware Patch Fix Ransomware Attacks. VMware

Ransomware Targeting VMware ESXi Servers Rises

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-service or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).

The OpenSLP service contains a heap overflow bug that can be exploited by unverified threat actors in simple attacks. This security hole is identified as CVE-2021-21974 on the CVE database. 3,800 VMware ESXi servers around the world have reportedly been compromised, potentially rendering any running VMs useless, as per CISA.

Application of the patch as soon as feasible is strongly advised by CERT-FR, but it also says that systems that are not patched should be checked for indicators of compromise.

Although it has since moved to North America, the ESXiArgs ransomware appears to have begun attacking servers in Europe around February 3. Organizations should isolate impacted servers, reinstall ESXi 7. x or ESXi 8. x in a supported version, and apply any patches, according to the French computer emergency response team (CERT).

Updated ESXiArgs Ransomware

On infected ESXi hosts, the ransomware encrypts files with the. vmxf,.vmx,.vmdk,.vmsd, and. nvram extensions and produces a.args file for each encrypted document with metadata.

The research shows that ESXiArgs is based largely on stolen Babuk source code, which has previously been used by other ESXi ransomware attacks, including CheersCrypt and the PrideLocker encryptor from the Quantum/Dagon group. It is unclear whether this is a new variety or simply a shared Babuk codebase because the ransom notes for ESXiArgs and Cheerscrypt are quite similar but the encryption technique is distinct.

CISA and FBI urged owners of VMware ESXi servers to upgrade them to the most recent version, harden ESXi hypervisors by turning off the SLP service and make sure the ESXi hypervisor is not accessible through the open internet.

Read more »
Government
Albanian Hacker CISA CISA & FBI cyber attack Cyber Attacks Government

HomeLand Justice: Government of Albania attacked by Iranian Cyber Threat Actors

 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity advisory on the recent cyber operations held by the Iranian state cyber actors against the Government of Albania in July and September. 

The advisory provides a detailed timeline pertaining to activities that were detected, from the initial software access to the execution of encryption and wiper attacks. The information also included the files that the actors used for the attacks. 
 
The hackers, referred to as HomeLand Justice, who are state-sponsored Iranian advanced persistent threat (ATP) actors, attempted to paralyse public services, delete and steal governmental data, and disrupted the government’s websites and services, wreaking havoc and panic on the state.  
 
As per the agencies, the threat actors had the access to the Albanian government servers for 14 months before executing the cyber attacks that included the execution of encryption and wiper attacks. 
 
A series of cyberattacks was then launched by the threat actors, on July 17th, 2022, after conducting lateral movements, network reconnaissance, and credential harvesting from the Albanian government network, leaving an anti-Mujahideen E- Khalq (MEK) messages on the desktops.  
 
After the network defenders detected and begin responding to the ransomware activities, HomeLand Justice employed a new family ransomware ROADSWEEP, along with a variant of wiper malware, ZEROCLEAR. 
 
While claiming to have carried out these cyber attacks, on July 23rd, HomeLand Justice took to social media, demonstrating a repeated pattern of advertising the Albanian Government about the leaks, and posting polls asking the viewers to select the information they want to be leaked. It was followed by the release of information in a .zip file or video of a screen recording with the documents. 
 
The cyber actors launched another thread of cyberattacks in September against the Albanian government, using similar TTPs and malware as the attacks made in July. The attacks were possibly done in retaliation for public attribution of the previous attack and severed diplomatic ties between the Albanian and Iranian governments. 
 
Although Albania lacks an efficient cyber defense, it is a member of NATO which can be confirmed by Appathurai's statement, “You can be sure of NATO’s continued political and practical support.” Thus, apparently, NATO will be supporting Albania with the incident to deal with immediate challenges and long-term requirements.
Read more »
RSA
APT CISA & FBI Cyber Attacks Encryption North Korean Hackers Ransomware Attacks. RSA

North Korea: Maui Ransomware Attacks Healthcare Services

 

North Korean state-sponsored hackers are using Maui to encrypt computers and data for vital healthcare services, including electronic health records, diagnostics, imaging, and intranet. A joint advisory from the FBI, the Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) describes a ransomware campaign that Pyongyang has been executing at least since May 2021. 

Traits of threat actors

It is unknown how these threat actors enter organizations through the initial access vector. The less well-known ransomware family stands out, according to cybersecurity firm Stairwell, since it lacks numerous essential characteristics typically found in ransomware-as-a-service (RaaS) groups. Stairwell's findings served as the basis for the alert. 

The lack of an "embedded ransom letter to provide recovery instructions or automated means of transferring encryption keys to attackers" is one analogy of this, according to security expert Silas Cutler in a technical analysis of the ransomware.

Instead, Maui sample analysis indicates that the malware is made to be manually executed by a remote actor using a command-line interface, utilizing it to target particular files on the compromised machine for encryption, as recently seen in the case of Bronze Starlight.

Each of these keys is then encrypted with RSA using a key pair generated for the first time when Maui is launched, in addition to encrypting target files with AES 128-bit encryption with a new key. The RSA keys are encrypted using a hard-coded, particular-to-each-campaign RSA public key as a third-degree of security.

The fact that Maui is not provided as a service to other affiliates for use in exchange for a cut of the money earned is another thing that sets it apart from other conventional ransomware products. 

Why is DPRK targeting healthcare?

Ransomware is highly hazardous in the healthcare industry. Such businesses often don't provide cybersecurity much attention or funds. Hospitals and other similar organizations also own critical medical and health data prone to abuse. Furthermore, such facilities cannot afford to be shut down for an extended period, which increases the possibility that they might pay the ransom to resume services.

Although these North Korean-sponsored ransomware operations targeting healthcare companies have been occurring for a year, iboss claims that they have increased significantly and become more sophisticated since then. It's the most recent example of how North Korean enemies are changing their strategies to shadily produce an ongoing flow of income for the country's struggling economy. 

The ransomware attacks are alleged to have temporarily or permanently affected health services in several cases. It is currently uncertain what infection vector was first used to carry out the incursions. Only 2% of those who paid the ransom in 2021 received their whole data recovered, according to the Sophos' State of Ransomware in Healthcare 2022 report. This compares to the global average of 46%. 

Read more »
Vulnerability and Exploits
APT actors C&C Chinese Actors CISA & FBI CVE vulnerability NSA SQL Vulnerabilities and Exploits Vulnerability and Exploits

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask its true location."Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report. 

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of its presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure which no longer receives security patches should be replaced, according to federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.
Read more »
US Government
APT CISA & FBI Cyber Security DDOS Attacks Fortinet US Government

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance

 

After issuing a cybersecurity advisory warning that APT hacker groups are purposefully targeting vulnerabilities in Fortinet FortiOS, the FBI now warned that after hacking a Fortinet appliance, state-sponsored attackers compromised the webpage of a US local government. 

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

The advanced persistent threat (APT) actors moved laterally around the network after gaining access to the local government organization's server, creating new domain controller, server, and workstation user identities that looked exactly like existing ones. On compromised systems, attackers linked to this ongoing APT harmful activity have created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

This APT organization will most likely utilize this access to capture and exfiltrate data from the victims' network, according to the FBI. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.

Last month, the FBI and the CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors are also scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443, and enumerating servers that haven't been patched against CVE-2020-12812 and CVE-2019-5591. 

Once they've gained access to a vulnerable server, they'll use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns." They further told. 
Read more »
Vulnerabilities and Exploits
APT actors CISA & FBI Fortinet FortiOS User Security Vulnerabilities and Exploits

FBI & CISA Warns of Active Attacks on Fortinet FortiOS Servers

 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of active exploits targeting three susceptibilities in Fortinet FortiOS. Fortinet FortiOS is an operating system designed to improve enterprise security and it enables secure networks, endpoints, and clouds to keep the user safe from vulnerabilities and threats. 

According to the advisory, these three unpatched vulnerabilities in Fortinet FortiOS platforms belong to technology services, government agencies, and other private sector bodies. The advanced persistent threat (APT) actors are targeting the vulnerabilities CVE-2018-13379, a path traversal vulnerability (CVSS base score of 9.8); CVE-2020-12812, an improper authentication flaw (CVSS base score of 9.8) and CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5) which were initially revealed in 2019.

The attackers have specifically exploited the vulnerability CVE-2018-13379 since its discovery in 2018. In 2019, nation-state hackers exploited the flaw and targeted the U.S. National Security Agency. Last year in October, a joint CISA/FBI advisory regarding federal, state, and local U.S. government networks being targeted mentioned the flaw.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use the other CVEs or common exploiting techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory read.

Carl Windsor, Fortinet field chief technology officer responded to the joint advisory by stating that Fortinet has already patched the flaws and is educating the customers regarding the vulnerabilities.

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020,” he further stated.
Read more »
Subscribe to: Posts (Atom)