
Inside Job Exposed: T-Mobile US, Verizon Staff Solicited for SIM Swap Scam



T-Mobile and Verizon employees are being texted by criminals attempting to entice them into performing SIM swaps for cash. In screenshots shared with us by targeted employees, the senders offer $300 as an incentive to anyone willing to assist them in their criminal endeavours. 

The report indicates that this was part of a campaign targeting current and former mobile carrier workers who might be able to access the systems needed to swap SIM cards. The message was also received by Reddit users claiming to be Verizon employees, which indicates that the scam isn't limited to T-Mobile US alone. 

SIM swapping is essentially a social engineering scam in which the perpetrator convinces the carrier to transfer the victim's phone number to a SIM card that the perpetrator owns. 

The scammer thereby gains control of the victim's cell phone number and receives the multi-factor authentication text messages needed to break into the victim's other accounts. When it gives the scammer full access to the victim's private information, the attack is extremely lucrative. 

SIM swapping, also known as simjacking, is a method cybercriminals use to breach accounts protected by multi-factor authentication (MFA). Once the carrier has ported the victim's number from the legitimate SIM card to one controlled by the threat actor, any message sent to the victim, including MFA codes, is delivered to the threat actor, who can then take control of the account. 

Cyber gangs are often able to trick carrier support staff into performing swaps by presenting fake information, but it is far more efficient to hire an insider to do it. It is unclear how the hackers obtained the mobile numbers of the workers who received the texts, but both T-Mobile and Verizon have suffered breaches of employee information in the past, T-Mobile in 2020 and Verizon last year. 

In the Verizon case, in 2010 a Verizon employee accessed, without authorization, a file containing details of about half of Verizon's 117,000-strong workforce; the company stated at the time that there was no evidence that any of the information had been misused or shared outside the organization as a result of the unauthorized access.

Judging by the number of former T-Mobile employees who commented on Reddit that they received the SIM swap message, the hackers behind the campaign appear to be working from outdated information rather than recently stolen T-Mobile data. T-Mobile reinforced this in a statement confirming that there had been no breach of its systems. 

In SIM swap attacks, criminals trick a victim's wireless carrier into rerouting the victim's service to a device controlled by the fraudster. A successful attack can result in unauthorized access to personal information, identity theft, financial loss, and emotional distress for the victim. Criminals started hijacking victims' phone numbers in February 2022 to steal millions of dollars through SIM swap attacks. 

The FBI warned about this in February 2022. The IC3 also reported that Americans filed 1,075 SIM-swapping complaints during 2023, with adjusted losses of $48,798,103. The FBI additionally received 2,026 SIM-swapping complaints in the past year, and SIM-swapping complaints worth $72,652,571 from January 2018 to December 2020. 

Between January 2018 and December 2020, however, only 320 complaints were filed regarding SIM-swapping incidents, with losses of around $12 million. Following this wave of consumer complaints, the Federal Communications Commission (FCC) announced new regulations intended to protect Americans from SIM-swapping attacks in the future.

The new regulations require carriers to have a secure authentication procedure in place before transferring a customer's phone number to a different device or service provider. Carriers must also warn customers whenever their accounts are changed or a SIM port-out request is received.

Nationwide Scam Targets Road Toll Users via SMS Phishing Scheme




The Federal Bureau of Investigation (FBI) has alerted the public to a widespread SMS phishing scam sweeping across the United States. The scam, which began in early March 2024, specifically targets individuals with fraudulent messages regarding unpaid road toll fees.

What Does The Scam Entail?

Thousands of Americans have already fallen victim to this harrowing scam, with over 2,000 complaints flooding the FBI's Internet Crime Complaint Center (IC3) from at least three states. The deceptive messages typically claim that the recipient owes money for outstanding tolls, urging them to click on embedded hyperlinks.

The perpetrators behind these attacks employ sophisticated tactics to deceive their targets. By impersonating legitimate toll services and altering phone numbers to match those of the respective states, they create a false sense of authenticity. However, the links provided within the messages lead to fake websites designed to extract personal and financial information from unsuspecting victims.

Cautionary Advice

Authorities are urging individuals who receive such messages to exercise caution and take immediate action. The Pennsylvania Turnpike, one of the affected toll services, has advised recipients not to click on any suspicious links and to promptly delete the messages. Similarly, the Pennsylvania State Police have issued warnings about the scam, emphasising the dangers of providing personal information to fraudulent sources.

To safeguard against falling prey to this scam, the FBI recommends several preventive measures. Victims are encouraged to file complaints with the IC3, providing details such as the scammer's phone number and the fraudulent website. Additionally, individuals should verify their toll accounts using the legitimate websites of the respective toll services and contact customer service for further assistance. Any suspicious messages should be promptly deleted, and if personal information has been compromised, immediate steps should be taken to secure financial accounts and dispute any unauthorised charges.

What Is Smishing?

Smishing, a blend of "SMS" and "phishing," is a form of social engineering attack wherein fraudulent text messages are used to deceive individuals into divulging sensitive information or downloading malware. In this instance, the scam preys on individuals' concerns regarding unpaid toll fees, exploiting their trust in official communication channels.
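The toll-scam texts described above share recognisable traits: toll wording, pressure to act now, and a link whose host is not the toll operator's. As an added example (not from the FBI alert or this blog), the following Python heuristic scores constructed sample messages on those traits; the official-domain allowlist and the sample texts are invented placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist of hypothetical official toll-operator domains.
# These are placeholders; a real deployment would use the operators' actual domains.
OFFICIAL_TOLL_DOMAINS = {"paturnpike.example", "ezpass.example"}

# Public URL shorteners hide the real destination of a link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

TOLL_TERMS = re.compile(r"\b(toll|turnpike|e-?zpass|unpaid|outstanding balance)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(immediately|within 24 hours|late fee|penalt(?:y|ies)|suspend(?:ed)?|avoid)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

SUSPICIOUS_THRESHOLD = 4


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def extract_hosts(text: str) -> list:
    """Return the lower-cased host of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host:
            hosts.append(host)
    return hosts


def is_official(host: str) -> bool:
    """True if host is an allowlisted toll domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_TOLL_DOMAINS)


def is_lookalike(host: str) -> bool:
    """True if a non-official host borrows an official operator's name,
    e.g. the operator's label placed inside a different registrable domain."""
    labels = {d.split(".")[0] for d in OFFICIAL_TOLL_DOMAINS}
    return any(label in host for label in labels)


def analyze(text: str) -> Verdict:
    """Score one SMS on the traits of the toll scam: toll wording, pressure to
    act quickly, and a link that does not lead to the toll operator.
    The sender number is deliberately not scored: the FBI alert notes that the
    scammers alter it to match the state, so it carries no trust."""
    v = Verdict()
    if TOLL_TERMS.search(text):
        v.score += 1
        v.reasons.append("toll-related wording")
    if URGENCY_TERMS.search(text):
        v.score += 1
        v.reasons.append("pressure to act quickly")
    for host in extract_hosts(text):
        v.score += 1
        v.reasons.append(f"contains a link to {host}")
        if is_official(host):
            continue  # link goes to the real operator; no penalty
        v.score += 2
        v.reasons.append(f"{host} is not an official toll domain")
        if IP_LITERAL.match(host):
            v.score += 2
            v.reasons.append("link uses a bare IP address")
        elif host in SHORTENERS:
            v.score += 1
            v.reasons.append("link is behind a URL shortener")
        elif is_lookalike(host):
            v.score += 2
            v.reasons.append("host imitates an official operator name")
    return v


def is_smishing(text: str) -> bool:
    return analyze(text).score >= SUSPICIOUS_THRESHOLD


# Constructed sample messages (not real texts); two mimic the toll scam.
SAMPLE_MESSAGES = [
    "PA Turnpike: You have an unpaid toll of $12.51. Pay within 24 hours to "
    "avoid a late fee: http://paturnpike-billing.example.net/pay",
    "Your E-ZPass statement is available. Log in at https://www.ezpass.example/account",
    "Hey, are we still on for lunch tomorrow?",
    "Toll balance overdue. Settle immediately at http://192.0.2.10/toll",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = analyze(msg)
        label = "SMISHING" if v.score >= SUSPICIOUS_THRESHOLD else "ok"
        print(f"{label:8} score={v.score} {'; '.join(v.reasons)}")
```

The link check is the strongest signal here: a message with toll wording but a link to the operator's own domain scores below the threshold, while a lookalike host or bare IP address pushes an otherwise similar text well over it.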

As the SMS phishing scam continues to proliferate, it is imperative for individuals to remain vigilant and sceptical of unsolicited messages. By staying informed and taking proactive measures to protect personal information, users can mitigate the risks posed by such malicious activities. Authorities are actively investigating these incidents, but it is crucial for the public to be proactive in safeguarding their financial and personal information from exploitation.


Rising Cybercrime Threats and Prevention Measures Ahead of 2024


According to projections from Statista, the FBI, and the IMF, the global cost of cybercrime is anticipated to experience a substantial increase. By 2027, it is estimated to surge to $23.84 trillion, marking a significant rise from the $8.44 trillion reported in 2022. 

Security expert James Milin-Ashmore, from Independent Advisor VPN, has provided a comprehensive list of 10 crucial guidelines aimed at enhancing digital safety by avoiding sharing sensitive information online. 

These guidelines serve as proactive measures to combat the rising threat of cybercrime and safeguard personal and confidential data from potential exploitation. 

1. Avoid Sharing Your Phone Number on Random Sites 

Sharing your phone number online can expose you to a range of security risks, warns an expert. Cybercriminals could exploit this information to gather personal details, increasing the likelihood of identity theft and other malicious scams: 

  • Subscriber Fraud: Scammers set up fake cell phone accounts with stolen info. 
  • Smishing: Fraudsters send text messages to trick victims into revealing data or visiting harmful sites.
  • Fake Call Frauds: Scammers pose as legitimate entities to extract sensitive information. 
  • Identity Theft: Phone numbers are exploited to commit financial fraud and impersonate individuals. 

2. Do Not Update Your Current Location 

It is not new or unknown for people to share their current locations on social media; however, experts caution against sharing personal addresses or current locations online, citing heightened risks of theft, stalking, and malicious online activity. 

Such information can be exploited to tailor phishing attempts, rendering them more convincing and increasing the likelihood of falling victim to scams. 

3. Do Not Post Your Holiday Plans 

As the holiday season approaches, many individuals may feel inclined to share their vacation plans on social media platforms. However, security experts are warning against this seemingly innocent practice, pointing out the potential risks associated with broadcasting one's absence from home. 

Announcing your vacation on social media not only informs friends and family of your whereabouts but also alerts criminals that your residence will be unoccupied. This information could make your home a target for burglary or other criminal activities. 

4. Do Not Take Risks by Sharing Passwords Online 

Passwords serve as the primary defense mechanism for safeguarding online accounts, making them crucial components of digital security. The security expert emphasizes the importance of protecting passwords and refraining from sharing them online under any circumstances. Sharing passwords, regardless of the requester's identity, poses a significant risk to online security. 

Unauthorized access to sensitive accounts can lead to various forms of cybercrime, including identity theft, financial fraud, and data breaches. 

5. Protect Your Financial and Employment Information 

Experts caution against sharing sensitive financial or employment details online, highlighting the potential risks associated with divulging such information. Financial details, including credit card numbers and bank account details, are highly sought after by online fraudsters. Similarly, sharing employment information can inadvertently provide criminals with valuable data for social engineering scams. 

6. Protect Your ID Documentation 

The expert urges individuals to refrain from posting images of essential identification documents such as passports, birth certificates, or driver's licenses online. These documents contain sensitive information that could be exploited by identity thieves for various criminal activities, including opening unauthorized bank accounts or applying for credit cards. 

7. Stop Sharing Names of Your Loved Ones/Family/Pets 

Security experts advise against sharing personal details such as the names of loved ones or pets online. Hackers frequently attempt to exploit these details when guessing passwords or answering security questions. 

8. Protect Your Medical Privacy 

Your medical history is a confidential matter and should be treated as such, caution experts. Sharing details about the hospitals or medical facilities you visit can inadvertently lead to a data breach, exposing personal information such as your name and address. 

9. Protect Your Child's Privacy 

The expert warns against sharing information about your child's school online, as it can potentially put them at risk from online predators and expose them to identity theft. 

10. Protect Your Ticket Information 

The expert advises against sharing pictures or details of tickets for concerts, events, or travel online. Scammers can exploit this information to impersonate legitimate representatives and deceive you into disclosing additional personal data. 

Furthermore, in 2023, the Internet Crime Complaint Center (IC3) reported a staggering surge in complaints from the American public. A total of 880,418 complaints were filed, marking a significant uptick of nearly 10% compared to the previous year. 

These complaints reflected potential losses exceeding $12.5 billion, a 22% increase in losses compared to 2022. Also, according to Forbes Advisor, ransomware, misconfigurations and unpatched systems, credential stuffing, and social engineering will be the most common threats in 2024.

Ransomware Strikes Tarrant Appraisal District




Tarrant Appraisal District (TAD) finds itself grappling with a major setback as its website falls prey to a criminal ransomware attack, resulting in a disruption of its essential services. The attack, which was discovered on Thursday, prompted swift action from TAD, as the agency collaborated closely with cybersecurity experts to assess the situation and fortify its network defences. Following a thorough investigation, TAD confirmed that it had indeed fallen victim to a ransomware attack, prompting immediate reporting to relevant authorities, including the Federal Bureau of Investigation and the Texas Department of Information Resources.

Despite concerted efforts to minimise the impact, TAD continues to work towards restoring full functionality to its services. Presently, while the TAD website remains accessible, the ability to search for records online has been temporarily suspended. Moreover, disruptions extend beyond the digital realm, with phone and email services also facing temporary outages. This development comes hot on the heels of a recent database failure experienced by TAD, which necessitated the expedited launch of a new website. Originally intending to run both old and new sites concurrently for a fortnight, the agency was compelled to hasten the transition following the database crash.

Chief Appraiser Joe Don Bobbitt has moved seamlessly to reassure the public, asserting that no sensitive information was compromised during the disruption. However, TAD remains vigilant and committed to addressing any lingering concerns. The agency is poised to provide further updates during an upcoming board meeting.

These recent challenges encountered by TAD underscore the critical importance of robust cybersecurity measures and organisational resilience in the face of unforeseen disruptions. Against the backdrop of escalating property values across North Texas, scrutiny of appraisal processes has intensified, with TAD having previously grappled with website functionality issues. Nevertheless, the agency remains steadfast in its commitment to enhancing user experience and fostering transparency.

In light of recent events, TAD remains resolute in prioritising the integrity of its operations and the safeguarding of sensitive data. The deliberate response to the ransomware attack prompts the agency's unwavering dedication to addressing emerging threats and maintaining public trust. As TAD diligently works towards restoring full operational capacity, stakeholders are urged to remain careful and report any suspicious activity promptly.

The resilience demonstrated by TAD in navigating these challenges serves as a testament to its dedication to serving the community and upholding the highest standards of accountability and transparency in property valuation processes.


Cyber Extortion Stoops Lowest: Fake Attacks, Whistleblowing, Cyber Extortion

Cyber Extortion

Recently, a car rental company in Europe fell victim to a fake cyberattack: the hacker used ChatGPT to make it look like the stolen data was legitimate. This raises the question of why threat actors would claim a fabricated attack. To understand why they do what they do, we must understand the workings of the cyber extortion business.

Mapping the Evolution of Cyber Extortion

Threat actors have been refining their ransomware attacks for years. Traditional ransomware attacks encrypted the victim's data; after successful encryption, attackers demanded a ransom in exchange for a decryption key. This technique started to fail as businesses could restore data from backups.

To counter this, attackers made malware that also compromised backups. Victims started paying, although FBI recommendations advised against it.

The attackers soon realized they would need something foolproof to blackmail victims. They made ransomware that stole data without encryption. Even if victims had backups, attackers could still extort using stolen data, threatening to leak confidential data if the ransom wasn't paid.

Making matters worse, attackers started "milking" victims to profit further from the stolen data, selling it to other threat actors who would launch repeated attacks (double and triple extortion). Not even the victims' families and customers were safe; attackers went as far as blackmailing the patients of plastic surgery clinics.

Extortion: Poking and Pressure Tactics

Regulators and law enforcement organizations cannot ignore this when billions of dollars are on the line. The State Department is offering a $10 million reward for the head of the Hive ransomware group, akin to a scenario from a Wild West film. 

Businesses are required by regulatory bodies to disclose “all material” connected to cyber attacks. Certain regulations must be followed to avoid civil lawsuits, criminal prosecution, hefty fines and penalties, cease-and-desist orders, and the cancellation of securities registration.

Cyber-swatting is another strategy used by ransomware perpetrators to exert pressure. Extortionists have used swatting attacks to threaten hospitals, schools, members of the C-suite, and board members. Artificial intelligence (AI) systems are used to mimic voices and alert law enforcement to fictitious reports of a hostage crisis, bomb threat, or other grave accusation. EMS, fire, and police are called to the victim's house with heavy weapons.

What Businesses Can Do To Reduce The Risk Of Cyberattacks And Ransomware

What was once a straightforward phishing email has developed into a highly skilled cybercrime in which extortionists use social engineering to steal data and conduct fraud, espionage, and infiltration. These are some recommended strategies that businesses can use to reduce risks.

1. Educate Staff: It's critical to have a continuous cybersecurity awareness program that informs staff members on the most recent attacks and extortion schemes used by criminals.

2. Pay Attention To The Causes Rather Than The Symptoms: Ransomware is a symptom, not the cause. Examine the methods by which ransomware infiltrated the system. Phishing, social engineering, unpatched software, and compromised credentials can all lead to ransomware.

3. Implement Security Training: Technology and cybersecurity tools by themselves are unable to combat social engineering, which exploits human nature. Employees can develop a security intuition by participating in hands-on training exercises and using phishing simulation platforms.

4. Use Phishing-Resistant MFA and a Password Manager: Require staff members to create lengthy, intricate passwords. To prevent password reuse, sign up for a paid password manager (not one built into your browser). Use MFA that is resistant to phishing attempts to lower the risk of corporate account takeovers and identity theft.

5. Ensure Employee Preparedness: Employees should be aware of the procedures to follow in the case of a cyberattack, as well as the roles and duties assigned to incident responders and other key players.


FBI Reports Surge in Cryptocurrency Scams, Highlighting Growing Threat of Confidence Scams


The FBI has recently brought attention to a concerning trend in cybercrime: the rise of cryptocurrency scams, particularly through romance and confidence schemes, which have outpaced ransomware attacks in terms of financial losses. According to the FBI's data, individuals fell victim to cryptocurrency scams amounting to a staggering $4.57 billion in 2023, marking a significant 38% increase compared to the previous year's losses of $3.31 billion. 

These scams typically unfold over a period of several weeks, with fraudsters assuming false identities, often posing as attractive individuals, to establish relationships with their targets. As the relationship progresses, the scammers introduce the idea of joint cryptocurrency investments, recommending fake platforms or apps under their control. Victims are manipulated into making substantial investments, with the scammers fabricating gains to maintain the illusion of profitability. 

When victims attempt to withdraw their funds, the fraudsters employ various tactics, including impersonating customer support representatives and demanding additional fees, resulting in further financial losses for the victims. In contrast, ransomware attacks, a prevalent form of cyber extortion, generated comparatively minor losses of $59.6 million. 

However, the FBI acknowledges that this figure may not fully reflect the true extent of ransomware-related losses, as it fails to account for indirect costs such as business downtime. Moreover, the reported losses only encompass ransomware incidents reported to the Internet Crime Complaint Center (IC3), suggesting that the actual financial impact of ransomware attacks could be significantly higher. The discrepancy in reported losses between cryptocurrency scams and ransomware attacks underscores the evolving landscape of cyber threats and the shifting tactics employed by cybercriminals. 

While ransomware attacks continue to pose a significant threat to businesses and organizations, the surge in cryptocurrency scams highlights the effectiveness of social engineering techniques in deceiving individuals and extracting substantial sums of money. To combat these threats effectively, individuals and businesses must remain vigilant and exercise caution when engaging in online interactions. It is essential to verify the authenticity of investment opportunities and platforms, especially those related to cryptocurrencies, and to refrain from disclosing sensitive information or transferring funds without proper verification. 

Additionally, organizations should implement robust cybersecurity measures, including regular employee training and the deployment of advanced threat detection technologies, to mitigate the risk of falling victim to cyber scams and attacks. As cybercriminals continue to exploit vulnerabilities and devise increasingly sophisticated schemes, collaboration between law enforcement agencies, cybersecurity professionals, and the public is crucial in combating cybercrime and safeguarding against financial losses and data breaches. By raising awareness of emerging threats and adopting proactive security measures, individuals and organizations can better protect themselves against the pervasive threat of cybercrime in today's digital landscape.

I-Soon Leak: Exposing China's Cyber Espionage

I-Soon Leak

In the dark caves of cyberspace, where secrets are traded like currency and digital shadows gamble, a recent leak of documents reveals that China's hacking community is not as advanced and systematic as it appears.

The leak likely comes from a frustrated employee of the Chinese cybersecurity company I-Soon (Anxun in China), and it tells a damaging story about China's cyberespionage operations, giving us a backstage glimpse of China's hacking ecosystem.

Since 2010, China has leveled up its cyberespionage and cybertheft game to such extremes that FBI Chief Christopher Wray said that China's state-sponsored hackers outnumber U.S. cyber intelligence personnel 50-to-1.

The Players

I-Soon: The Contractor

I-Soon works for Chinese government agencies and private players. It has ties to major government bodies such as the Ministry of Public Security (police) and the Ministry of State Security (intelligence). I-Soon is a shadowy figure that plans campaigns crossing borders. Its weapons include zero-day exploits, sophisticated tools, and a diverse team of skilled hackers.

Targets: Foreign Networks to Dissidents

The leaked documents disclose I-Soon's wide range of surveillance. Their spying targets include both Chinese citizens and foreigners. The main targets are:

1. Foreign Networks: I-Soon's reach goes beyond Chinese borders. They hack foreign networks, steal sensitive info, and leave no digital stone unturned. Whether military intelligence, personal data, or corporate secrets, I-Soon is involved in everything.

2. Political Dissidents: Regions like Hong Kong and Xinjiang are constantly under I-Soon's surveillance radar. The aim is to keep an eye on any form of dissent and opposition and inform the Chinese government.

The Exposed Data

Darkweb and Hacked Databases

I-Soon has vast databases of hacked info, containing stolen credentials, surveillance footage, and hacked emails. But where does it end? The hacked data is sold on the dark web. Chinese police are always on the lookout for this information; they buy these digital assets to improve their surveillance operations.

The Silent War

Cyberespionage is a war fought on an unseen battlefield. Contrary to traditional conflicts, there are no casualties or damage visible in the open. Instead, cyber espionage breaches firewalls, disrupts lines of code, and erases digital footprints. A lot is at stake: economic dominance, national security, and ideological superiority.

The Impact

State-sponsored Cyberattack

I-Soon's operations highlight the murky relationship between state-sponsored cyber operations and private contractors. While the Chinese government maintains it has no involvement, contractors like I-Soon do its dirty work. The blurred lines between private and public actors create an environment where accountability doesn't exist.

Global Cybersecurity Awareness

The leak serves as a reminder to individuals, corporations, and nations to strengthen their digital defenses. Cybersecurity is a basic need for digital survival, not a luxury. Threat intelligence, encryption, and partnership across borders can be the defense against unknown cyber terror.

What have we learned?

The leak is only a glimpse into the dark world of cyberespionage; what we see is just the tip of the iceberg, and the iceberg is hiding much more. I-Soon's leak is a wake-up call.

Prescription Insecurity: The Russian Connection to Healthcare Cyber Attacks



Pharmacies and hospitals nationwide are experiencing disruptions as a result of ransomware attacks, leaving patients with difficulties filling prescriptions or obtaining medical care. UnitedHealth Group, a healthcare provider in the United States, announced on Thursday that it had been hacked by a ransomware gang known as Black Cat, also known as AlphV. 

Optum, which provides healthcare benefits across the United States, announced last week that it had been impacted by a "cybersecurity issue," a security breach that caused its digital healthcare payment platform, Change Healthcare, to be taken offline. 

A variety of legal issues have resulted in hospitals, pharmacies and other healthcare providers being unable to access the popular payment platform, or purposefully disabling connections to its network so as not to allow hackers to reach their sensitive data. In a statement on Monday, UnitedHealth estimated that more than 90% of the 70,000 pharmacies in the U.S. have had to change how they process electronic claims in response to the outage. 

A UnitedHealth executive, speaking on a conference call with cybersecurity officers, was quoted as saying that the outage could last "weeks," although UnitedHealth reiterated that there are workarounds to ensure customers get access to medications. 

According to a recording obtained by STAT News, the outage could last up to a week. UnitedHealth determined that BlackCat, or AlphV, is responsible for the breach, a conclusion supported by the group itself claiming credit on its dark web leak site; the company has also hired multiple outside firms, including the top cybersecurity companies Mandiant and Palo Alto Networks. 

After a few days, the post had been removed from the leak site. It is notable that this particular ransomware gang is the one held responsible for the attack: a few months ago, the FBI broke into the group's internal servers, obtained information about decryption tools for its victims, and seized control of several of its websites. 

The U.S. government celebrated that disruption, which involved multiple foreign governments, as a success. According to Deputy Attorney General Lisa Monaco, the Justice Department had disrupted the Black Cat ransomware group for the second time by hacking the hackers. Black Cat's apparent ability to regroup and breach one of the nation's largest healthcare organizations shows that keeping these groups down for long periods is quite difficult. 

When a cybercriminal group suffers a setback, its members frequently reassemble, especially if the operators reside in countries whose law enforcement agencies are lax about prosecuting their crimes.

Cell Service Restored Following Extensive AT&T Outage


AT&T has resolved issues affecting its mobile phone customers following widespread outages on Thursday, according to a company announcement. Throughout the day, tens of thousands of cell phone users across the United States reported disruptions.

Reports on Downdetector.com, a platform monitoring outages, indicated instances of no service or signal after 04:00 EST (09:00 GMT).

AT&T issued an apology to its customers and confirmed that services were fully operational again by early afternoon. The company stated its commitment to taking preventive measures to avoid similar incidents in the future. The cause of the outage is currently being investigated.

Verizon and T-Mobile informed the BBC that their networks were functioning normally. However, they acknowledged that some customers may have experienced service issues while attempting to communicate with users on different networks.

According to Downdetector, AT&T received over 74,000 customer complaints, with significant clusters in southern and eastern regions of the country.

Smaller carriers like Cricket Wireless, UScellular, and Consumer Cellular also reported interruptions in service. Complaints ranged from difficulties with calls and texts to problems with internet access, with many users reporting no service or signal.

Downdetector's data showed that major cities including Los Angeles, Chicago, Houston, and Atlanta experienced high numbers of outages.

Some individuals also faced challenges with 911 services, prompting officials to advise the use of landlines, social media, or cell phones from alternative carriers in emergencies.

The widespread outage has garnered the attention of the US government, with the FBI and Department of Homeland Security launching investigations, as confirmed by John Kirby, spokesperson for the US National Security Council.

Eric Goldstein, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, stated that they are collaborating with AT&T to understand the root cause of the outage and are ready to provide assistance as necessary.

A confidential memo reported on by ABC News found no signs of malicious activity, but CISA officials are still actively investigating the incident.

FBI Shuts Down Warzone RAT; Cybercriminals Arrested

 


In a major blow to cybercrime, the FBI has taken down the Warzone RAT malware operation, an action that led to the arrest of two individuals. One of them, 27-year-old Daniel Meli of Malta, was arrested for his role in distributing Warzone RAT, a remote access trojan used in a range of cybercrimes.

Warzone RAT, also known as 'AveMaria,' surfaced in 2018 as a commodity malware offering a range of malicious features. These include bypassing User Account Control (UAC), stealing passwords and cookies, keylogging, remote desktop access, webcam recording, and more. Meli's arrest took place last week in Malta following an indictment issued by U.S. law enforcement authorities on December 12, 2023.

The charges against Meli include unauthorised damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offences. He has been involved in the cybercrime space since at least 2012, starting at the age of 15 by selling hacking ebooks and the Pegasus RAT for a criminal group called 'Skynet-Corporation.'

Simultaneously, another key figure linked to Warzone RAT, Prince Onyeoziri Odinakachi, 31, from Nigeria, was arrested for providing customer support to cybercriminals purchasing access to the malware. Federal authorities in Boston seized four domains, including the primary website "warzone.ws," associated with Warzone RAT.

The international law enforcement effort coordinated by the FBI not only resulted in arrests but also identified and confiscated server infrastructure related to the malware across various countries, including Canada, Croatia, Finland, Germany, the Netherlands, and Romania.

While the U.S. Department of Justice (DoJ) mainly implicates Meli in distributing and supporting the malware, it remains unclear whether he is its original author. The DoJ announcement describes Meli as a seller in the cybercrime underground since the age of 15, which raises questions about where the malware originated.

Meli faces up to 15 years in prison, three years of supervised release, and a fine of up to $500,000 or twice the gross gain or loss, whichever is greater. The Northern District of Georgia is seeking his extradition from Malta to stand trial in the United States.

This operation not only brings two significant cybercriminals to justice but also dismantles much of the infrastructure supporting Warzone RAT. The FBI's coordination with international law enforcement agencies shows a commitment to combating cyber threats on a global scale, and the takedown should deter similar malicious activity.


Cybersecurity Crisis Looms: FBI Chief Unveils Chinese Hackers' Plan to Target US Infrastructure

 


Beijing is positioning itself to disrupt the daily lives of Americans in the event of a war between the United States and China by planting malware designed to damage civilian infrastructure, the head of the FBI told Congress on Wednesday. The same day, U.S. officials said they had disrupted a state-backed Chinese effort to do exactly that. 

The operation, announced shortly before FBI Director Chris Wray addressed House lawmakers, dismantled a botnet made up of hundreds of U.S.-based small office and home office routers owned by individuals and companies. Chinese hackers had hijacked these routers to hide their presence while they planted malware elsewhere. 

Their ultimate objectives included water treatment plants, electrical grids, and transportation systems throughout the country. In a copy of prepared remarks for Wednesday's hearing of the House Select Committee on the Chinese Communist Party, Wray said that "far too little attention" has been paid to a cyber threat that concerns "every American." 

At the hearing, Wray said that China's hackers are targeting infrastructure to wreak havoc and cause real-world harm to American citizens and communities. He spoke hours after the FBI, with the support of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), identified and disabled hundreds of routers compromised by a group known as Volt Typhoon, which U.S. intelligence agencies assess to be sponsored by the Chinese government. 

The group used malware it developed and distributed to compromise U.S. critical infrastructure, including communications, energy, transport, and water systems. Wray's comments align with findings published in May by outside cybersecurity firms, including Microsoft, that Chinese state-backed hackers have been targeting U.S. critical infrastructure. 

Such access could lay the technical groundwork for disrupting critical communications during a future crisis between the U.S. and Asia. The following month, Mandiant reported that suspected state-backed Chinese hackers had breached the networks of hundreds of public and private organizations around the world through a security hole in a popular email security appliance. 

Senior U.S. officials have for years raised the alarm not only about Chinese hacking prowess but also about Beijing's determination to steal American scientific and industrial research. Multiple criminal indictments have laid out detailed evidence supporting those accusations, which China dismisses as unfounded. 

In recent years, U.S. officials have grown increasingly concerned about such hackers lying dormant inside U.S. infrastructure. Volt Typhoon, for example, targeted older Cisco and NetGear routers that their manufacturers no longer supply with security updates, making them easy prey. 

Given the urgency, law enforcement officials said, investigators worked with U.S. cyber operators who removed the malware from the routers without notifying their owners directly, and added code to prevent the routers from being reinfected. 

A Justice Department official, speaking to reporters on condition of anonymity under government ground rules, said officials were determined to interrupt Volt Typhoon's operation as soon as possible because the hackers were using the routers as a stepping stone to blend into U.S. internet traffic. 

The hackers burrow into critical infrastructure networks and sit ready to exploit that access whenever they choose. Chinese government officials say the U.S. allegations are unfounded. 

Wang Wenbin, a spokesman for the Chinese foreign ministry, said last year that China considers itself the biggest victim of cyberattacks in the world, citing almost daily and large-scale intrusions into its systems. 

Gen. Paul Nakasone, the outgoing commander of U.S. Cyber Command, has maintained that responsible cyber actors do not attack civilian infrastructure. Testifying before the same committee on Tuesday, Leon Panetta said he believed Chinese agents had implanted malware in U.S. computer networks and that the Chinese government would use artificial intelligence to spread disinformation. 

Panetta served as director of the Central Intelligence Agency and as secretary of defense in the Obama administration. The committee held its first prime-time hearing last month, led by Republican Representative Mike Gallagher of Wisconsin, who had pushed for a committee devoted to countering China. Chinese officials have lashed out at the committee, accusing its members of ideological bias and a zero-sum, Cold War mindset.

NSA Confession: Unlawful Surveillance on Americans Exposed

 


U.S. officials have fought to conceal the details of arrangements between United States spy agencies and private companies that track the location of Americans through their cell phones. Normally, law enforcement and intelligence agencies need a warrant to obtain data from U.S. phones. 

Instead, they often simply pay companies for the data, effectively bypassing the courts. Ron Wyden, a Democratic Senator from Oregon, says the U.S. National Security Agency has confirmed that it buys the internet browsing records of Americans without a warrant. 

Over the past three years, Senator Wyden has worked to expose these practices, including the purchase of smartphone location data without a warrant. According to Wyden, the "warrantless purchases" include information about the websites and apps that users visit. 

U.S. government agencies thus routinely acquire sensitive information about Americans from commercial marketplaces without obtaining court warrants. In a letter to Wyden, NSA director Paul Nakasone wrote that the agency purchases only netflow data and information from electronic devices used both inside and outside the United States. 

The data consists largely of internet communications metadata and does not include the content of Americans' communications. The agency says it uses commercially available netflow data for cybersecurity and foreign intelligence activities, including defending U.S. military networks against foreign hackers, and that it minimizes the collection of U.S. personal information through technical filters. 

The senator says these purchases violate a recent Federal Trade Commission order that prohibits data brokers from selling individuals' geolocation data without first obtaining consumers' consent. He argues that the Office of the Director of National Intelligence should direct intelligence agencies to conduct a broader audit of the types of data they buy and of whether the databases they use contain information that violates the FTC order. 

This latest disclosure makes it increasingly clear how essential it is to improve the accountability and transparency of the intelligence community. The scope of data collection programs, the safeguards against misuse, and the legal justifications for them should be disclosed publicly. 

The absence of clear oversight and judicial review feeds public mistrust and fears of abuse of power. Congress must play a central role in pressing the NSA for clarification and in passing legislation that limits the agency's appetite for data collection. 

To rein in an intelligence agency that appears more and more concerned with mass surveillance than with targeted investigation, it is critical to strengthen privacy rights, establish independent judicial scrutiny, and develop robust oversight procedures. 

The National Security Agency (NSA) has obtained large amounts of information about American citizens in the past, and several reports have revealed comparable practices by the FBI and other intelligence organizations. 

The growth of the market for personal information raises broader concerns about the emergence of a shadow sector in which people's privacy is commodified and exploited for the benefit of the government. 

Internet privacy requires more than opposing the NSA's purchases; it also means confronting the practices of the companies that sell the data. Calls for accountability, transparency, and respect for individual rights must be matched by a comprehensive approach that considers the data-driven surveillance apparatus as a whole. Only by balancing the benefits of freedom against the demands of national security can citizens navigate these murky waters.

Zeppelin2 Ransomware: An Emerging Menace in the Dark Web Ecosystem

 

In a recent post on an underground forum, a user is advertising Zeppelin2 ransomware for sale, offering both its source code and a cracked version of its builder tool. The malware, known for its destructive capabilities, has drawn the attention of security researchers and law enforcement agencies worldwide.

The post asserts that the user cracked the protection on the Zeppelin2 builder tool, which is designed to produce the file-encrypting payload. It includes screenshots of the source code that reveal details of the build process and show that the ransomware is written in Delphi.

The builder tool, as promoted by the threat actor, exposes settings for file handling, ransom notes, IP logging, startup commands, process killers, and automatic unlocking of files in use. The seller stresses that the ransomware encrypts files so thoroughly that recovery is impossible without the unique private key held by the attackers.

Upon completing the encryption process, victims are presented with a ransom note declaring the encryption of all their files. The note instructs victims to contact the attackers via email and offers a method for testing the legitimacy of the decryptor by sending a non-valuable file.

Reports indicate that Zeppelin2 ransomware demands ransom payments in Bitcoin, with extortion amounts ranging from several thousand dollars to over a million dollars. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory to address the Zeppelin2 threat.

Zeppelin2, employed by threat actors since 2019 and continuing at least until June 2022, targets various sectors through its ransomware-as-a-service (RaaS) model. These sectors include defense contractors, educational institutions, manufacturers, technology companies, and notably, organizations in the healthcare and medical industries.

Initial access comes through exploitation of the remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns. Before deploying Zeppelin2, the threat actors carefully map and enumerate the victim's network, identifying critical data enclaves, including cloud storage and network backups.

Consistent with ransomware groups, Zeppelin2 operators exfiltrate sensitive corporate data with the intention of making it accessible to buyers or the public if the victim resists complying with their demands.

Of note, the FBI has observed Zeppelin2 actors executing their malware multiple times within a victim's network, producing a different ID or file extension for each run, so that the victim needs multiple unique decryption keys.
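One practical consequence of that behaviour is that incident responders must work out how many separate encryption runs hit the estate before they negotiate or test a decryptor. The script below is an added example and not part of the post or of the FBI/CISA advisory: it groups encrypted files by the run ID appended to their names, reports how many keys would be needed, and lists files that were encrypted twice. The naming convention in ID_PATTERN (original name plus a suffix of three hex triplets) and the sample file listing are assumptions made for the demonstration; adjust the pattern to what is actually observed on the victim's systems.

```python
"""Count the separate Zeppelin encryption runs seen on a victim's file shares.

Added example; not code from the blog post or the FBI/CISA advisory. The
naming convention in ID_PATTERN (original name plus a suffix of three hex
triplets, e.g. "report.docx.A1B-2C3-D4E") and the sample listing are
assumptions for the demonstration; adjust the pattern to what is observed.
"""
import re
from collections import defaultdict

ID_PATTERN = re.compile(r"\.(?P<id>[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def extract_run_id(path):
    """Return the run ID appended to an encrypted file, or None if the file is untouched."""
    match = ID_PATTERN.search(path)
    return match.group("id").upper() if match else None


def triage(paths):
    """Map each run ID to the files carrying it; files without an ID are skipped."""
    runs = defaultdict(list)
    for path in paths:
        run_id = extract_run_id(path)
        if run_id:
            runs[run_id].append(path)
    return dict(runs)


def keys_required(paths):
    """Number of distinct decryption keys needed: one per run ID observed."""
    return len(triage(paths))


def doubly_encrypted(paths):
    """Files carrying two IDs, i.e. encrypted again by a later run; they need two keys applied in order."""
    double = []
    for path in paths:
        outer = ID_PATTERN.search(path)
        if outer and ID_PATTERN.search(path[:outer.start()]):
            double.append(path)
    return double


# Constructed file listing; not from any real incident.
SAMPLE_LISTING = [
    r"\\FS01\finance\ledger.xlsx.1A2-B3C-4D5",
    r"\\FS01\finance\budget.docx.1A2-B3C-4D5",
    r"\\FS01\hr\payroll.csv.9F8-E7D-6C5",
    r"\\FS01\hr\contracts.pdf.9F8-E7D-6C5",
    r"\\FS02\backup\db.bak.1A2-B3C-4D5.9F8-E7D-6C5",  # hit by both runs
    r"\\FS02\public\readme.txt",                      # not encrypted
]

if __name__ == "__main__":
    for run_id, files in sorted(triage(SAMPLE_LISTING).items()):
        print(f"run {run_id}: {len(files)} file(s)")
    print("keys required:", keys_required(SAMPLE_LISTING))
    print("encrypted twice:", doubly_encrypted(SAMPLE_LISTING))
```

On a real engagement the listing would come from a recursive directory walk of the affected shares; the point of the grouping is that a single "test" decryption of one file proves only the key for that file's run ID, not for the others.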

Cybersecurity Breach Shakes Sydney's Woollahra Council Libraries

Sydney's Woollahra Council Libraries were the target of a cyberattack that sent shockwaves through the community and demonstrated how vulnerable personal information is in the digital age. The incident, covered by several news outlets, has raised concerns about the protection of personal data and the possible repercussions of such breaches.

The attack, which targeted libraries in Double Bay, Paddington, and Watsons Bay, has left thousands affected, with the possibility of personal information being stolen. The breach has underscored the importance of robust cybersecurity measures, especially for institutions that store sensitive data.

Woollahra Council has not disclosed the nature of the information compromised, but the potential risks to affected individuals are substantial. Cybersecurity experts are emphasizing the need for swift and comprehensive responses to mitigate the fallout from such breaches. As investigations unfold, users are advised to remain vigilant and monitor their accounts for suspicious activity.

This incident is a stark reminder that cybersecurity is an ongoing challenge for organizations across the globe. As technology advances, so do the methods employed by malicious actors seeking to exploit vulnerabilities. In the words of cybersecurity expert Bruce Schneier, "The user's going to pick dancing pigs over security every time." This emphasizes the delicate balance between user experience and safeguarding sensitive information.

The attack on Woollahra Council Libraries adds to the growing list of cyber threats institutions worldwide face. It joins a series of high-profile incidents that have targeted government agencies, businesses, and educational institutions. The consequences of such breaches extend beyond the immediate loss of data; they erode public trust and raise questions about the effectiveness of existing cybersecurity protocols.

In response to the incident, the Woollahra Council has assured the public that it is working diligently to address the issue and enhance its cybersecurity infrastructure. This event serves as a call to action for organizations to prioritize cybersecurity measures, invest in cutting-edge technologies, and educate users on best practices for online security.

The Sydney incident serves as a timely warning for people and businesses to stay vigilant in the face of emerging cyber dangers, even as the investigation is ongoing. Former FBI director Robert Mueller once said, "There are only two types of companies: those that have been hacked and those that will be hacked." Proactive steps are essential to reduce the effects of these breaches and safeguard everyone's access to the digital world.

FBI Alarmed as Ransomware Strikes 300 Victims, Critical Sectors Under Siege

 


Late on Monday, the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre published an advisory on the Play ransomware gang. The gang is thought to have debuted last year and has launched multiple attacks since then. 

It was first spotted being deployed against South American government agencies around the middle of last year, and pivoted months later to entities in the US and Europe. The FBI and other cyber security agencies are warning about the rise of the Play double-extortion group, which has now attacked hundreds of organizations.

Since June 2022, Play ransomware - also known as Playcrypt - has hit a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe, the cyber security advisory said. Unlike typical ransomware operations, the Play ransomware affiliates use email communication for negotiations, rather than providing Tor negotiations page links in ransom notes left on compromised systems. 

However, the gang still employs strategies commonly associated with ransomware, such as stealing sensitive documents from compromised systems to pressure victims into paying under the threat of leaking the stolen data online. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) issued the joint advisory to disseminate IOCs and TTPs used by the Play ransomware group and observed as recently as October 2023. 

The joint advisory urges organizations to remediate the vulnerabilities the group has previously exploited, to reduce the likelihood of falling victim to Play ransomware. It places special emphasis on implementing multifactor authentication for webmail, VPNs, and accounts with access to critical systems, and on regular software updates and patching alongside routine vulnerability assessments. 

Organizations should follow security best practices to keep their endpoints secure: keep all software and hardware up to date and apply urgent security patches as soon as possible, since these patches usually address known and actively exploited vulnerabilities, and enforce multi-factor authentication (MFA) wherever possible alongside strong, unique passwords.  

High-profile victims of Play ransomware include the City of Oakland in California, Arnold Clark, the cloud computing company Rackspace, and the Belgian city of Antwerp. The gang also uses a custom VSS Copying Tool to copy files out of Volume Shadow Copies, even files currently locked by other applications. 

According to the joint advisory, the Play group gains access to organizations' networks by abusing legitimate accounts and by exploiting public-facing applications through known security flaws in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell, CVE-2022-41040 and CVE-2022-41082, which together allow remote code execution).

The authors also note that the actors gain access through externally exposed services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once inside, they use AdFind to run Active Directory queries and the Grixba infostealer to enumerate the network and scan for antivirus software. To evade detection, they run PowerShell scripts that target Microsoft Defender, and use GMER, IOBit, and PowerTool to disable antivirus software and remove log files.

Idaho National Laboratory Suffers Data Breach, Employee Data Compromised


Idaho National Laboratory (INL), the nuclear energy research lab that employs an estimated 5,700 specialists, has suffered a major breach of its systems.

The breach took place on Sunday, November 19. The stolen data includes sensitive information about the laboratory's employees, which was later leaked on online forums. 

The breach is being investigated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in collaboration with INL, a spokesperson said. Physical addresses, bank account details, and Social Security numbers are among the data affected.

The spokesperson told local news outlet EastIdahoNews.com that the breach affected INL's Oracle HCM system, a cloud-based workforce management platform that provides payroll and other HR functions.

SiegedSec, a self-described hacktivist group, has claimed responsibility for the attack and published a sample of the stolen employee data, including full names, dates of birth, email addresses, contact details, and other identifying information, on its data breach forum. 

The group, which appears politically motivated, was previously accused of stealing information from NATO's Communities of Interest Cooperation Portal, an unclassified information-sharing portal.

INL has not indicated that the breach affected any classified information or nuclear research, and CISA did not immediately respond to a request for comment.

Regardless of whether the classified nuclear details were accessed by the threat actors, Colin Little, security engineer at the cybersecurity firm Centripetal, said it is "highly disconcerting that the staff generating that intellectual property and participating in the most advanced nuclear energy research and development have had their information leaked online."

"Now those who are politically motivated and would very much like to know the names and addresses of the top nuclear energy researchers in the U.S. have that data," he said. 

INL supports large-scale initiatives for the Department of Energy and the Department of Defense. The laboratory describes itself as "a world leader in securing critical infrastructure systems and improving the resiliency of vital national security and defense assets."

FBI Reveals Scattered Spider’s Alliance with Notorious Ransomware Outfit

 

In an advisory released last weekend, the FBI and the Cybersecurity and Infrastructure Security Agency disclosed further details about the cybercrime group Scattered Spider and its ties to the notorious ALPHV/BlackCat ransomware operation. 

Scattered Spider, which also goes by aliases including 0ktapus, Starfraud, and Octo Tempest, has reportedly been behind some of the most prominent ransomware attacks in recent memory, according to a Bleeping Computer report. The loose group of young, English-speaking hackers, some reportedly as young as 16, has broken into networks belonging to Twilio, Reddit, MailChimp, and other companies using skillful social engineering. 

The FBI now says that some members of Scattered Spider have teamed up with ALPHV/BlackCat, the Russia-linked ransomware operation behind a string of significant attacks. Through this partnership, Scattered Spider uses BlackCat to lock down and encrypt systems before extorting victims. 

Experts say Scattered Spider is hard to track because of its loose, disorganised structure. The FBI knows the identities of at least a dozen members, but none has been charged so far. A subset of them are thought to be affiliated with "The Comm," a hacker collective implicated in recent violent crimes. 

Scattered Spider's access techniques prey on human weakness. Posing as IT staff, its members use phone calls, SMS phishing, and fake domains that imitate corporate services to trick employees into handing over credentials. 

Once inside, they quietly deploy monitoring software and remote access trojans (RATs) to steal data and to watch for incident response activity in email or Slack. That lets them evade detection, create fake accounts to move laterally, and learn how victims are trying to kick them out.

Experts advise hardening multi-factor authentication, email security, network segmentation, and patching against the MITRE ATT&CK techniques listed by the FBI. They also recommend reliable data recovery plans and offline backups to ease recovery after an attack. 

The disclosure of Scattered Spider's inner workings sheds light on the human infrastructure behind sophisticated ransomware operations. It also illustrates an evolving threat landscape in which threat actors pool their resources to maximise extortion profits.
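One concrete control against the fake corporate-service domains described in the advisory is to score newly seen domains for resemblance to the company's brand combined with SSO, VPN, or helpdesk keywords, and to ticket anything above a threshold for blocking or takedown. The script below is an added example, not code from the advisory or the post; the brand, the keyword list, the homoglyph table, and the candidate domains are all assumptions for the demonstration, and in practice the candidates would come from a certificate-transparency or domain-registration feed.

```python
"""Score candidate domains for resemblance to a company's SSO/IT services.

Added example; not code from the FBI/CISA advisory or the post. The brand,
keyword list, homoglyph table and sample domains are assumptions for the
demonstration.
"""

# Service words that Scattered Spider-style lures pair with the target brand
# (assumed list; extend with the vendors the company actually uses).
SERVICE_WORDS = ("sso", "okta", "vpn", "helpdesk", "servicedesk", "mfa", "login", "portal")

# Common look-alike substitutions, folded back to their plain form before scoring
# (approximate: 'rn' -> 'm' also rewrites legitimate words such as 'born').
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def normalize(text):
    """Lowercase and undo homoglyph tricks such as 'acrne' for 'acme'."""
    text = text.lower()
    for glyph, plain in HOMOGLYPHS:
        text = text.replace(glyph, plain)
    return text


def registrable_part(domain):
    """Drop the last label ('acme-sso.com' -> 'acme-sso'); a public-suffix list would be more exact."""
    labels = domain.lower().strip(".").split(".")
    return "-".join(labels[:-1]) if len(labels) > 1 else labels[0]


def near_brand(text, brand):
    """True if some window of text equals the brand with exactly one character substituted."""
    n = len(brand)
    for i in range(len(text) - n + 1):
        if sum(a != b for a, b in zip(text[i:i + n], brand)) == 1:
            return True
    return False


def score_domain(domain, brand, owned_domains):
    """Return (score, reasons). A score of 2 or more is worth a block or takedown ticket."""
    if domain.lower() in owned_domains:
        return 0, ["owned domain"]
    text = normalize(registrable_part(domain))
    score, reasons = 0, []
    if brand in text:
        score += 2
        reasons.append("brand present")
        rest = text.replace(brand, "")
    elif near_brand(text, brand):
        score += 1
        reasons.append("brand with one character changed")
        rest = text
    else:
        return 0, []
    words = [w for w in SERVICE_WORDS if w in rest]
    if words:
        score += 1
        reasons.append("service word(s): " + ", ".join(words))
    return score, reasons


def flag_lookalikes(domains, brand, owned_domains, threshold=2):
    """Return (domain, score, reasons) for every candidate at or above the threshold."""
    flagged = []
    for domain in domains:
        score, reasons = score_domain(domain, brand, owned_domains)
        if score >= threshold:
            flagged.append((domain, score, reasons))
    return flagged


# Constructed inputs for the demonstration (assumed brand and domains).
BRAND = "acme"
OWNED = {"acme.com", "sso.acme.com"}
CANDIDATES = [
    "sso.acme.com",         # legitimate, allow-listed
    "acme-sso.com",         # brand + SSO keyword
    "acrne-vpn.com",        # 'rn' homoglyph for 'm' + VPN keyword
    "example.org",          # unrelated
    "acne-login.net",       # one-character change + login keyword
    "helpdesk-portal.com",  # keywords but no brand
    "acme-okta.com",        # brand + identity-provider name
]

if __name__ == "__main__":
    for domain, score, reasons in flag_lookalikes(CANDIDATES, BRAND, OWNED):
        print(f"{domain:22} score={score} {'; '.join(reasons)}")
```

The allow-list of owned domains is checked first so that the company's real SSO hostnames never trip the rule; everything else that carries the brand, or a one-character variant of it, next to an identity or helpdesk keyword is exactly the shape of domain the advisory describes being used in SMS and voice lures.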

FBI and CISA Reveals: ‘Royal’ Ransomware Group Targeted 350 Victims for $275 Million


In a joint advisory, the FBI and CISA have revealed that the Royal ransomware gang has targeted nearly 350 organizations worldwide since 2022. 

Updating the original advisory published in March with information gathered during FBI investigations, the agencies said the campaign is linked to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared initial indicators of compromise (IOCs) and a list of tactics, techniques, and procedures (TTPs) to help defenders identify and block attempts to deploy Royal ransomware payloads on their networks.

The joint advisory followed a December 2022 finding by the Department of Health and Human Services (HHS) security team that the operation was responsible for several attacks on U.S. healthcare organizations.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebrand and/or a spinoff variant.

Although a rebrand of the Royal operation was anticipated in May, when the BlackSuit ransomware operation appeared, it did not happen then. 

According to a report published by BleepingComputer in June, the Royal gang was apparently testing a new BlackSuit encryptor that closely resembled its conventional encryptor. 

At the time, Yelisey Bohuslavskiy, Partner and Head of Research and Development at RedSense, believed that this experiment had not gone well.

Since then, however, Royal has rebranded as BlackSuit and restructured into a more centralized business, following the same blueprint as Team 2 (Conti2) during its time in the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

Ransomware Kingpin Behind Ragnar Locker Arrested in Paris

 


An international law enforcement action coordinated by European Interpol and officials of foreign law enforcement agencies led to the removal of the Ragnar Locker ransomware group on October 20, 2023. Various law enforcement agencies including the French, American, and Japanese law enforcement agencies were involved in the operation, which was conducted by Eurojust and Europol jointly. A notice stating that the group had seized the websites was posted on the group's Tor negotiation and data leak websites indicating that the websites had been taken down. 

As part of the joint operation, law enforcement agencies arrested a malware developer linked to the Ragnar Locker ransomware gang and seized the dark web sites the group used to negotiate with victims and publish stolen data. Ragnar Locker is believed to have hit 168 international companies since 2020, and the page reports the group earned over $1 million in that period.

In a related action in Paris during the same week, a "key target" believed to be involved in the Ragnar Locker operation was arrested. A report published on the EU's official website (Europa) states that the person arrested is alleged to be the developer of the ransomware. Law enforcement agencies from around the world collaborated to make these arrests possible.

The suspected "main leader" of the operation was arrested in Paris, France, on October 16, and his home in the Czech Republic was searched by police. At the end of the week-long action, the suspect, alleged to be a developer for the Ragnar Locker group, was brought before the examining magistrate of the Paris Judicial Court.

The ransomware's infrastructure was seized in the Netherlands, Germany, and Sweden, and the associated data leak website was taken offline in Sweden.

The Ragnar Locker ransomware group was one of the first big-game-hunting ransomware groups to practise double extortion: stealing data before encrypting files and then threatening to leak it unless the victim paid. Unlike many other ransomware groups, Ragnar Locker did not run as a ransomware-as-a-service (RaaS) operation; instead it worked with external "penetration testers" who obtained initial access to victims' networks.

The group's dark web sites were seized on Thursday, and at least one arrest was announced on Friday. Victims who visit the seized negotiation site now see a message from law enforcement instead of the gang's chat, although no recovery assistance has yet been offered to them.

The man arrested in France on October 16 on suspicion of leading the group was reported to be a 35-year-old Czech national, and police in the Czech Republic searched his residence in connection with his activities.

According to Ukrainian authorities, a suspect's home in Kyiv was searched and several devices and electronic media were seized. The suspect's name has not yet been released publicly.

Ragnar Locker emerged in late 2019, reportedly operating as an affiliate of the Maze or MountLocker operations, and has been active since then. It was never one of the largest groups in terms of attack volume or money collected, but it was a significant threat: it compromised critical infrastructure entities in several countries, which made it a priority for law enforcement.

A common theme among the groups targeted by these major law enforcement campaigns is that they became overly audacious in attacking sensitive critical infrastructure such as power grids, water supply systems, and hospitals. Ragnar Locker gained notoriety for high-profile attacks on the gaming company Capcom and the liquor giant Campari, but it was attacks on entities like Energias de Portugal that truly moved it up the priority list.

An FBI flash alert issued in early 2022 stated that Ragnar Locker had by then compromised 52 entities across 10 critical infrastructure sectors in the United States, which gives a sense of the scale and impact of the group's activities.

The investigation was conducted by agents from the US FBI and French authorities, working with representatives of Europol and INTERPOL. According to the same report, two senior Ragnar Locker operatives were arrested.

This week's arrests and disruptions are the result of an investigation that Europol has supported from the outset, bringing together the countries concerned to coordinate joint action.

In preparation for the action, Europol's cybercrime experts held 15 coordination meetings and two week-long sprints. During the action week Europol set up a virtual command post to ensure smooth cooperation among all the authorities involved, and it also provided analytical, malware, forensic, and crypto-tracing support.

The takedown of the Ragnar Locker ransomware group underlines the importance of international cooperation in combating cybercrime. Law enforcement officials from different countries worked together to dismantle the group's infrastructure and arrest its key members, and this operation shows how effective such coordination can be in safeguarding the digital environment.