Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label FBI cybersecurity advisory. Show all posts
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
Routers Threat
Cyber Security FBI FBI cybersecurity advisory FBI warning Malware Threat Malwares Router Hacking Router vulnerability Routers Routers Threat

FBI Warns Consumers to Replace Outdated Routers Hijacked by TheMoon Malware

 

The FBI has issued an urgent warning to American consumers and businesses: replace outdated internet routers immediately or risk becoming an unwitting accomplice in cybercrime. According to the agency, cybercriminals are actively targeting “end-of-life” routers—older models that no longer receive security updates from manufacturers—and infecting them with a sophisticated variant of TheMoon malware. Once compromised, these routers are hijacked and repurposed as proxy servers that enable criminals to mask their identities while conducting illegal activities online. 

These include financial fraud, dark web transactions, and cyberattacks, all executed through unsuspecting users’ networks. Because these routers lack updated firmware and security patches, they are especially vulnerable to remote infiltration and control. TheMoon malware, which first emerged in 2014, has evolved into a more potent threat. It now scans for open ports and installs itself without requiring a password. Once embedded, it silently operates in the background, routing illicit activity and potentially spreading to other devices within the network. The malware’s stealthy behavior often leaves users unaware that their home or business network has become part of a criminal infrastructure. 

The FBI specifically warned that routers manufactured in 2010 or earlier are particularly at risk—especially if features like remote administration are still enabled. Older Linksys models such as E1200, E2500, E1000, E4200, E1500, E300, E3200, WRT320N, E1550, WRT610N, E100, M10, and WRT310N are listed among the most vulnerable devices. Signs of a compromised router may include overheating, unexplained changes to settings, or erratic internet connectivity. In many cases, users may not even realize their equipment is outdated, making them easy targets for attackers seeking anonymous access to the web. 

To defend against these threats, the FBI strongly advises replacing unsupported routers with modern, secure models. Users should also disable remote access functions, install the latest security patches, and use complex, unique passwords to further protect their networks. If anyone suspects their router has been hijacked or detects suspicious activity, they are encouraged to file a report with the FBI’s Internet Crime Complaint Center (IC3). 

As cybercriminals become more innovative, relying on outdated technology increases exposure to serious digital threats. This latest alert is a stark reminder that cybersecurity begins at home—and that even something as common as a router can become a gateway for criminal exploitation if not properly secured.
Read more »
VPN vulnerabilities
Cyber Security Cyberespionage FBI cybersecurity advisory Fox Kitten Iranian cyber threat actor Ransomware Affiliates VPN vulnerabilities

Iran Cyber Attack: Fox Kitten Aids Ransomware Operations in the U.S

 

A new joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) has revealed updated details about the Iran-based cyber threat group known as Fox Kitten.

Fox Kitten, known for selling compromised corporate access on underground cybercriminal forums, collaborates with ransomware affiliates to further exploit their victims. Recently, the group has targeted organizations in the U.S. and abroad.

Also referred to as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, Fox Kitten has been engaged in cyberespionage since at least 2017. According to the FBI, this group is linked to the Iranian government and is involved in stealing sensitive technical data from various organizations. Their targets have included entities in Israel, Azerbaijan, Australia, Finland, Ireland, France, Germany, Algeria, Turkey, the U.S., and potentially more.

Fox Kitten has conducted numerous network intrusion attempts against U.S. entities since 2017, focusing on schools, municipal governments, financial institutions, and healthcare facilities, with incidents reported as recently as August 2024. Dragos, an OT cybersecurity firm, noted that the group has also attacked industrial control system (ICS) entities by exploiting vulnerabilities in Virtual Private Network (VPN) appliances.

The advisory noted that Fox Kitten operates under the guise of an Iranian company, Danesh Novin Sahand, which likely serves as a front for their malicious activities.

In 2020, Fox Kitten led "Pay2Key," an operation that demonstrated the group's capabilities beyond cyberespionage. Israeli-based ClearSky Cyber Security reported that ransomware attacks during this campaign targeted Israeli organizations with a previously unknown ransomware, likely as a propaganda effort to incite fear and panic. Stolen data was leaked online with messages such as "Pay2Key, Israel cyberspace nightmare!"

A 2020 report by CrowdStrike revealed that Fox Kitten also advertised access to compromised networks on underground forums, suggesting a diversification of their revenue streams alongside their government-backed intrusions.

Collaboration with Ransomware Affiliates
Fox Kitten collaborates with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, providing them with full network access in exchange for a share of the ransom. Beyond just access, Fox Kitten assists ransomware affiliates in locking victim networks and devising extortion strategies. However, the group remains vague about their Iran-based origin to their ransomware partners.

The joint advisory notes that the group often uses the aliases “Br0k3r” and “xplfinder” in their operations throughout 2024.

Technical Details
Fox Kitten uses the Shodan search engine to locate devices with vulnerabilities in specific technologies, such as Citrix Netscaler, F5 Big-IP, Pulse Secure/Ivanti VPNs, or PanOS firewalls. Once these vulnerabilities are exploited, they:

  • Install web shells and capture login credentials, adding backdoor malware to maintain access.
  • Create new accounts with discreet names like “IIS_Admin” or “sqladmin$” on the compromised networks.
  • Gain control of administrative credentials to infiltrate domain controllers and other critical infrastructure components, often disabling existing security measures.
  • The advisory also lists several indicators of compromise, including the TOX identifiers for “Br0k3r,” which the SANS Institute previously exposed in 2023 as an Initial Access Broker selling access to networks in multiple countries, including the U.S., Canada, China, the U.K., France, Italy, Norway, Spain, India, Taiwan, and Switzerland. The U.S. remains a primary target, being the most ransomware-affected country as per MalwareBytes.
Fox Kitten promotes its access sales through a Tor-hosted website on various cybercriminal forums. The group's first website version highlighted sales that included full-domain control, domain admin credentials, Active Directory user credentials, DNS zones, and Windows Domain trusts.

How to Protect Your Business from Fox Kitten

To protect against Fox Kitten, organizations should:

  • Regularly update and patch VPNs, firewalls, operating systems, and software.
  • Monitor access to VPNs for unusual connections or attempts and use filtering to restrict access.
  • Analyze log files for any indicators of compromise mentioned in the advisory and investigate immediately.
  • Deploy security solutions across all endpoints and servers to detect suspicious activity.
  • The FBI and CISA advise against paying ransoms, as there's no guarantee of file recovery and payments could fund further criminal activities.
Read more »
Subscribe to: Posts (Atom)