Search This Blog

Showing posts with label US. Show all posts

FBI Issues Warning as BlackCat Ransomware Targets More Than 60 Organizations Worldwide


An FBI flash alert released this week suggests that the law enforcement agency has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022. 

The flash alert highlights the tactics, techniques, and procedures (TTPs) employed and indicators of compromise (IOCs) associated with ransomware groups spotted during FBI investigations.

According to the FBI's Cyber Division, BlackCat also tracked as ALPHV and Noberus "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing."

BlackCat's ransomware executable is also highly customizable and is loaded with several encryption methods and options that make it easy to adapt attacks to a wide range of industrial organizations. "Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added. 

Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations. BlackCat affiliates often demand ransom payments of millions of dollars, but they have been observed accepting lower payments after negotiations with their victims. 

For initial access, the FBI explains, BlackCat employs compromised user credentials. Next, Active Directory user and administrator accounts are compromised and malicious Group Policy Objects (GPOs) are used to deploy the ransomware, but not before victim data is exfiltrated. 

As part of observed BlackCat assaults, PowerShell scripts, Cobalt Strike Beacon, and authentic Windows tools and Sysinternals utilities have been used. The malicious actors were also seen disabling security features to move unhindered within the victim’s network. 

As usual, the FBI recommends not paying the ransom, as this would not guarantee the recovery of compromised data, and urges organizations to proactively deploy cybersecurity defenses that can help them prevent ransomware attacks. 

Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations. 

The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.

US Attributes North Korean Lazarus Hackers to Axie Infinity Crypto Theft


The US Treasury Department announced on Thursday that it had linked North Korean hackers to the heist of hundreds of millions of dollars in cryptocurrencies linked to the popular online game Axie Infinity. 

On March 23, digital cash worth about $615 million was stolen, according to Ronin, a blockchain network that enables users to transfer crypto in and out of the game. No one has claimed responsibility for the hack, but the US Treasury announced on Thursday that a digital currency address used by the hackers was under the control of a North Korean hacking group known as "Lazarus." 

The Treasury Department spokesperson stated, using the initials of North Korea’s official name, “The United States is aware that the DPRK has increasingly relied on illicit activities — including cybercrime — to generate revenue for its weapons of mass destruction and ballistic missile programs as it tries to evade robust U.S. and U.N. sanctions.” 

The wallet's users risk being sanctioned by the US, according to the representative. Chainalysis and Elliptic, two blockchain analytics companies, said the designation validated North Korea was behind the break-in. Sky Mavis co-founder Aleksander Larsen, who develops Axie Infinity, declined to comment. Sky Mavis engaged CrowdStrike to investigate the incident, but the firm declined to comment. 

The FBI has ascribed the attack to the Lazarus Group, according to a post on the official Ronin blog, and the US Treasury Department has sanctioned the address that received the stolen money. The Reconnaissance General Bureau, North Korea's primary intelligence bureau, is said to be in charge of the Lazarus hacking squad, according to the US. It has been accused of being involved in the "WannaCry" ransomware attacks, as well as hacking multinational banks and customer accounts and the Sony Pictures Entertainment hacks in 2014. 

Cryptocurrency systems have long been afflicted by hacks. The Ronin hack was one of the most massive cryptocurrency thefts ever. Sky Mavis stated it will refund the money lost using a combination of its own balance sheet capital and $150 million raised from investors including Binance. 

The Ronin blog stated, “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month.” 

According to a Treasury spokesperson, the US will consider publishing crypto cybersecurity guidelines to help in the fight against the stolen virtual currency.

FBI Witnesses Rising Russian Hacker Interest in US Energy Firms


Since the outbreak of Russia's war against Ukraine, the FBI has detected an uptick in Russian hackers' interest in energy firms, though it gives no evidence that a specific attack is planned. 

According to an FBI advisory received by The Associated Press on Tuesday, Russian hackers have assessed at least five energy businesses and at least 18 other companies in sectors such as military and financial services for vulnerabilities. None of the companies is identified in the advisory. 

Scanning a network for vulnerabilities or flaws is widespread, and it does not always mean that an assault is on the way, though it can be a sign of one. Nonetheless, the FBI's Friday warning highlights the Biden administration's increased cybersecurity concerns as a result of Russia's war in Ukraine. The White House said on Monday that there was "evolving intelligence" suggesting Russia was planning cyberattacks against critical infrastructure in the United States. 

At a White House press briefing, Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, expressed disappointment that some critical infrastructure firms have failed to repair known software vulnerabilities that Russian hackers may exploit. The FBI advisory lists 140 internet protocol, or IP addresses it claims have been linked to critical infrastructure scans in the United States since at least March 2021. 

According to the alert, scanning has grown since the beginning of the war last month, leading to a greater likelihood of future incursions. The FBI acknowledges that scanning activity is frequent, but the IP addresses have been linked to the active exploitation of a foreign victim, which resulted in the victim's systems being destroyed, according to the advisory.

The United States and the West are Afraid of Possible Cyber Attacks by Russian Hackers


According to CNN, the FBI has warned American businessmen about the growth of possible cyberattacks using ransomware by Russian hackers against the background of sanctions that US President Joe Biden imposed against Russia in connection with the situation around Ukraine. 

Earlier, Jen Easterly, head of the U.S. Agency for Cybersecurity and Infrastructure Protection, said that Russia might consider taking measures that could affect critical U.S. infrastructure in response to U.S. sanctions. She urged all organizations to familiarize themselves with the steps the agency has developed to mitigate cybersecurity risks. In addition, David Ring, head of cybersecurity at the FBI, said that Russia is allegedly a favorable environment for cybercriminals, which will not become less against the background of the confrontation between Russia and the West over the situation around Ukraine. According to CNN, briefings on such topics have been held by the FBI and the Department of Homeland Security for the past two months. 

It is important to note that Polish Prime Minister Mateusz Morawiecki decided to introduce a special high-level security regime for telecommunications and information technology in the country. 

On February 21, he signed a decree introducing the third level of the Charlie– CRP warning throughout the country. This level is introduced if there is an event confirming the probable purpose of a terrorist attack in cyberspace or if there is reliable information about a planned event. 

The Polish Law on Anti-terrorist actions provides that in the event of a terrorist attack or its threat, the head of government may introduce one of four threat levels: Alfa, Bravo, Charlie, and Delta. The highest level, Delta, can be announced if a terrorist attack occurs or incoming information indicates its high probability in Poland. 

Similar levels marked with CRP relate to threats in cyberspace. They are introduced to strengthen the control of the security level of information systems in order to monitor the possible occurrence of violations in their work. 

The Russian Federation has repeatedly rejected the accusations of Western countries in cyberattacks, calling them unfounded, and also stated that it is ready to cooperate on cybersecurity. 

Earlier, CySecurity News reported that CNN reported citing US administration sources that representatives of the White House, US intelligence, the US Department of Homeland Security (DHS), and other agencies have discussed preparations to repel cyber attacks that could be carried out in the United States and Ukraine.

The Examination of the Seized Equipment of the Lurk Group did not Reveal the Fact of an Attack on the US Government


A law enforcement source said that the examination of the equipment seized from the members of the Lurk hacker group did not reveal traces of attacks on the servers of the American government. During the court session, hacker Konstantin Kozlovsky, who is being held as one of the defendants in the case of the Lurk hacker group, declared his involvement in hacking the servers of the Democratic Party of the USA, as well as in hacking Hillary Clinton's mail. 

However, the examination showed that this is not the case. "The examination was carried out by the security forces together with the leading companies in the field of information security in Russia, all seized equipment, media, communications were checked. No evidence of attacks on the U.S. government was found. Also, the group members did not discuss it in the seized correspondence," the source said. 

He added that the investigation did not establish a connection between Kozlovsky and any FSB officers. "If you follow his statements, they always follow the high-profile hacking topics in the media, to which he is trying to link his criminal case: first it was Russian interference in the US elections, then, when information about the arrest of employees of the FSB Information Security Center appeared in the media, he also mentioned it. 

Even in the list of those involved in the attack on American information resources, published by the US Department of Justice, there is neither Kozlovsky himself nor other members of the Lurk group," the source explained. 

The detention of a group of Lurk hackers became known on June 1, 2016. There are 22 people in the dock. According to investigators, the participants of the hacker group stole 1 billion 264 million rubles (16.7 million dollars) from commercial companies and banks. 

They also hacked the network of Yekaterinburg Koltsovo airport and copied information from servers. It should be noted that Kozlovsky is not the first to try on the role of a hacker of the servers of the Democratic Party. Previously, a hacker with the nickname Guccifer 2.0 took responsibility for hacking. The user called himself a Romanian hacker, but spoke Romanian with machine translation errors.

Cyberattack Compels Albuquerque Public Schools to Close 144 Schools


Following a cyberattack that attacked the district's attendance, communications, and transportation systems, all 144 Albuquerque Public Schools are closed for the remainder of this week, according to APS's announcement on mid-day Thursday. 

APS is one of the 50 largest school districts in the country, with around 74,000 students. 

District IT staff discovered the problem on Wednesday, and APS posted a statement on its website and Twitter account that afternoon stating, “All Albuquerque Public Schools will be closed Thursday, Jan. 13, due to a cyberattack that has compromised some systems that could impact teaching, learning, and student safety. … The district is working with contracted professionals to fix the problem.” 

"The district continues to examine a cyberattack that affected the student information system used to take attendance, contact families in emergencies, and ensure that students are picked up from school by authorised people," APS stated online on Thursday afternoon and cancelled classes for Friday. 

APS said it will reopen schools on Tuesday, Jan. 18, after being closed on Monday for Martin Luther King Jr. Day, specifying that administrative offices stayed open. The attack was detected Wednesday morning when instructors attempted to enter onto the student information system and were unable to obtain access to the site, according to APS Superintendent Scott Elder in a brief statement uploaded to the district's APS Technology YouTube page. 

Elder further stated, “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network and ensure a safe environment to return to school and business as usual.” 

He noted that the district's IT department had been "mitigating attacks" in recent weeks. A spokeswoman told the Albuquerque Journal she was sceptical about what kind of attack it was and said she didn’t know whether those responsible had demanded a ransom.

FBI Warned Against a Canadian Indicted for Attacks Against US and Canada


The FBI and the Justice Department unveiled warrants today charging 31-year-old Canadian Matthew Philbert with a variety of ransomware-related offenses. On Tuesday, authorities from the Ontario Provincial Police made a public statement in Ottawa to disclose the charges and Philbert's arrest. 

U.S. Attorney Bryan Wilson of the District of Alaska said in a statement that Philbert “conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018.” 

Canadian officials received assistance from Dutch authorities and Europol in this case; Canadian authorities also charged Philbert, claiming that he was apprehended on November 30. Authorities did not specify which ransomware gang Philbert was a member of or which operations he is responsible for. 

"Cybercriminals are opportunistic and will target any business or individual they identify as vulnerable," stated Deputy Commissioner Chuck Cox of the Ontario Provincial Police. 

Philbert is charged with one count of conspiracy to commit fraud as well as another count of fraud and associated activities involving computers. 

Cox stated during the press conference that the FBI alerted officials in Ontario over Philbert's activities, which also included ransomware cyberattacks on businesses, government entities, and individual citizens. Police further stated they were able to seize multiple laptops, hard drives, blank cards with magnetic stripes, as well as a Bitcoin seed phrase while Philbert was being arrested. 

In January, authorities in Florida apprehended another Canadian individual concerning several Netwalker ransomware attacks. According to the DOJ, Sebastien Vachon-Desjardins made around $27.6 million through various ransomware attacks on Canadian companies such as the Northwest Territories Power Corporation, the College of Nurses of Ontario, and the Canadian tire business in British Columbia. 

Some people believe that ransomware attacks originated in Russia or the Commonwealth of Independent States, according to Emsisoft risk analyst Brett Callow, a ransomware expert located in Canada. 

Whereas the ransomware was "made" in certain countries, Callow pointed out that the people who use it to carry out attacks could be located elsewhere. 

"In fact, there's so much money to be made from ransomware, it would be extremely surprising if individuals in countries like Canada, America, and the UK hadn't entered the market. Those individuals may, however, be sleeping a little less well at night than they used to. In the past, there was a near-zero chance of them being prosecuted for their crimes, but that's finally starting to change," Callow said.

Israeli Company Spyware Targets US Department Phones


According to four individuals familiar with the situation, the iPhones of at least nine U.S. State Department workers had been compromised by an unidentified man using advanced spyware produced by the Israel-based NSO Group. 

The attacks, which occurred in the previous few months, targeted U.S. officials who were either based in Uganda or focused on issues about the East African country, according to two of the sources. 

The attacks, which were first revealed here, are the most extensive known hacks of US officials using NSO technology. Earlier, a database of numbers with prospective targets that included certain American leaders surfaced in NSO reporting, although it was unclear if incursions were always attempted or successful. 

NSO Group stated in a statement that it had no evidence that its tools had been used, but that it had canceled access for the relevant clients and therefore would investigate. 

"If our investigation shall show these actions indeed happened with NSO's tools, such customer will be terminated permanently and legal actions will take place," said an NSO spokesperson, who added that NSO will also "cooperate with any relevant government authority and present the full information we will have." 

NSO has always stated that it exclusively sells its products to government law enforcement and intelligence agencies to assist them in monitoring security concerns and that it is not intimately associated with surveillance operations. 

A State Department official refused to respond to the intrusions and pointed to the Commerce Department's recent decision to place the Israeli corporation on an entity list, making it more difficult for US businesses to do business with them. 

NSO Group and another spyware firm were "added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers," the Commerce Department said in an announcement last month. 

According to product instructions reviewed by Reuters, the NSO application is capable of not just stealing encrypted messages, images, and other confidential material from compromised phones, but also turning them into recording devices to watch their surroundings. 

The developer of the spyware employed in this hack was not named in Apple's advisory to affected consumers. According to two of the people who were alerted by Apple, the victims included American residents who were easily identified as U.S. government officials because they paired email addresses ending in with their Apple IDs. 

According to the sources, they and other victims alerted by Apple in multiple countries have been affected by the same graphics processing vulnerability. 

The Israeli embassy in Washington stated in a statement that targeting American officials would be a major violation of its norms. 

"Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes," an embassy spokesperson said. "The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions."

The New Yanluowang Ransomware Gang is Targeting US Businesses


Symantec recently identified a new ransomware strain known as Yanluowang in targeted operations against US companies. 

The Symantec Threat Hunter team has found a "new arrival to the targeted ransomware scene" during October that seemed to have been in the development stage. Nevertheless, according to a blog post published on Wednesday 1st of December 2021, the variation dates back to at least August of this year. As per Symantec, the operators behind Yanluowang mostly targeted financial firms, although businesses in the manufacturing, IT services, consulting, and engineering industries have also been attacked. 

According to Vikram Thakur, technical director at Symantec, the danger is more opportunistic than carefully focused ransomware attacks. Thakur has encountered the majority of situations involving unfixed Microsoft Exchange servers or Internet Information Services (ISS) servers. 

Symantec detected multiple evidence of compromise, including the usage of publicly available tools such as AdFind to locate the victim's Active Directory server and SoftPerfect Network Scanner, which finds hostnames and network services. Yanluowang threat actors frequently employ BazarLoader, a malware version typically employed in the early stages of ransomware assaults. 

"Once attackers get onto the computer, they take the installer for ConnectWise type applications and then double click on it and then they install it," Thakur said. 

"If I was to take a look at the last 100 ransomware connected investigations over the last couple of months, attackers have always installed it on the computer rather than relying upon something that's already there." 

In most cases, according to the blog post, "PowerShell was used to download tools to compromised systems." 

"After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool."  

Among the most recent attack phases detected by Symantec is featured credential theft employing a variety of credential-stealing programs, including GrabChrome, which collects credentials from Chrome. Open-source tools such as KeeThieft, described by Symantec as a "PowerShell script to copy the master key from KeePass" have also been used. 

While investigating the new ransomware outbreak, Symantec Threat Intelligence discovered certain tactics, methods, and procedures (TTP) that are similar to Thieflock, a well-known ransomware-as-a-service "developed by the Canthroid". 

The usage of "custom password recovery tools such as GrabFF and other open-source password dumping tools." was mentioned in one link.

To counteract the Yanluowang threat, Thakur proposes that businesses must audit the computers on their network and hunt for unapproved software. 

"The simplest solution is when patches are released for the applications on your machines, test them, deploy them as quickly as possible, because attackers are going to exploit them in just a matter of days after," he added.

US Department of Treasury Declares Sanctions Against Chatex Cryptocurrency


The US Treasury Department today declared sanctions against Chatex cryptocurrency exchange for assisting ransomware groups escape sanctions and helping them in carrying out ransomware transactions. The US department also sanctioned Suex crypto exchange (based in Russia) in September for assisting a minimum of 8 ransomware teams, with more than 40% of public transactions linked to threat actors. 

"Ransomware incidents have disrupted critical services and businesses globally, as well as schools, government offices, hospitals, and emergency services, transportation, energy, and food companies. Reported ransomware payments in the United States so far have reached $590 million in the first half of 2021, compared to a total of $416 million in 2020," said US Treasury. The investigation of public transactions hints that more than 50% of transactions are tracked down to malicious or illegal activities like darknet market, ransomware, and high-risk exchanges, says US Treasury Department. 

As of now, Chatex is designated as pursuant to Executive Order (E.O) 13694, amending for material support assistance to Suex and malicious harm posed by ransomware hackers. When the crypto exchanges are sanctioned for providing material support to ransomware groups, the United States is hoping to extract out fundings and shut down the campaign. According to the US Treasury of the department, unprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activities, especially by laundering and cashing out the proceeds for criminals. 

The treasury is constantly using all available resources to restrict harmful threat actors, disrupt illegal criminal proceedings, and stop extra activities against US citizens. According to Bleeping Computers, "FinCEN's Financial Trend Analysis report was issued on the heels of governments worldwide saying they will crackdown on cryptocurrency payment channels used by ransomware gangs. One year ago, the Treasury Department's Office of Foreign Assets Control (OFAC) also warned that ransomware negotiators that they could face civil penalties for facilitating ransom payments if their deals involve ransomware gangs already on its sanctions list."

Iran Accuses USA and Israel for Carrying Out Fuel Cyberattacks


An Iranian General alleged that Israel and US might have planned a cyberattack that caused disruption of fuel in service stations in Iran. The attack which happened on Tuesday is similar to two recent incidents where, as per the general, the attackers might be Iran's rivals: USA and Israel. Two incidents were analyzed, the Shahid Rajaei port incident and the railway accident, and found that these two incidents were similar. Earlier this year, as per Iran's transportation ministry, a cyberattack disrupted its website and computer systems, reports Fars news agency. 

"In a country where petrol flows freely at what are some of the lowest prices in the world, motorists need digital cards issued by the authorities. The cards entitle holders to a monthly amount of petrol at a subsidized rate and, once the quota has been used up, to buy more expensive at the market rate," reports The Security Week. In 2020, Washington Post reported an incident where Israel orchestrated an attack on Iranian port Shahid Rajaei (in Hormuz Strait), a strategic path to global oil shipments. 

The recent cyber disruption resulted in traffic jams in major pockets in Tehran, having long lines at petrol pumps disrupting traffic flow. Following the incident, the oil ministry shut down the service stations in order for easy manual distribution of petrol, said the authorities. On Wednesday, President Ebrahim Raisi alleged that the actors were trying to sway the people of Iran against Islamic Republic leadership. As per the reports, an estimated 3200 out of 4300 of the country's service stations have been re-linked with the central distribution system, said the National Oil Products Distribution Company. 

Besides this, there are other stations who also give fuel to motorists, but not at subsidized rates, which makes it twice in the rates, around 5-6 US cents/litre. The Security Week reports, "Since 2010, when Iran's nuclear program was hit by the Stuxnet computer virus, Iran and its arch-foes Israel and the United States have regularly accused each other of cyberattacks. The conservative Fars news agency on Tuesday linked the breakdown to opponents ahead of the second anniversary of deadly protests sparked by a hike in petrol prices."

Facebook says Iranian Hackers Targeted U.S. Military Personnel


On Thursday, Facebook announced that it had shut down approximately 200 accounts operated by a group of hackers in Iran as part of a cyber-spying operation that focused primarily on US military officials and others working in defense and aerospace firms. 

The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook. 

In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it." 

Thus according to Facebook, the group created dubious identities on numerous social media sites to look more legitimate, frequently impersonating recruiters or staff of aerospace and defense firms. LinkedIn, which is controlled by Microsoft, announced the removal of several accounts, while Twitter said it was "actively investigating" the data in Facebook's report. 

The virus was distributed via email, chat, and collaboration platforms, according to Facebook, including malicious Microsoft Excel spreadsheets. In a statement, a Microsoft spokesman said the company was aware and following this actor, and that it takes action when harmful behavior is detected. 

Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules. 

According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor. 

In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted. 

The campaign appeared to demonstrate an extension of the group's operations, which had previously been claimed to focus mostly on the Middle East's I.T. and other businesses, according to Facebook. A section of the malware employed by the organization was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, as per the inquiry. 

Mahak Rayan Afraz's contact information was not readily available to Reuters, and former employees of the firm did not respond to LinkedIn messages sent to them. A request for comment from Iran's mission to the United Nations in New York was not promptly reported. The allegations that MRA is involved in Iranian state cyber espionage are not new. MRA was one of the numerous contractors suspected of assisting the IRGC's elite Quds Force, according to cybersecurity firm Recorded Future. 

Iranian spies, like other espionage services, have long been alleged of farming out their missions to a variety of domestic contractors. Facebook stated the fraudulent domains had been prohibited from being shared, while Google said the domains had been placed to its "blocklist."

100 Military Personnel to Train in US to Combat Cyber Warfare


The Indian government seems to be gearing up in the wake of the growing threat of cyber-attacks against the Indian armed forces. The Department of Military Affairs (DMA) is planning to send 100 personnel to the US to be trained in the latest cybersecurity technology and Artificial Intelligence (AI) for future warfare. The reports published in the month of June indicate that China's cyber spies are targeting the Defense Department of India and many sectors including Telecom. 

According to South Block officials, under the 2016 Cyber Framework and Defense Cooperation Agreement, the US has offered to train 100 military personnel in Silicon Valley to help them combat cyber warfare and the role of AI in future defense and warfare. The South Block houses the offices of the Ministry of Defence, Ministry of External Affairs, PMO, and NSA. 

Actually, the Indian Army has a tri-services defense cyber agency under the Integrated Headquarters. The government is in favor of setting up a proper cyber command in the hinterland of Madhya Pradesh to give a fighting edge to the proposed theater command. The proposed Cyber Command will match the individual capabilities of the three services to protect the Army from being vulnerable to cyber-attacks from India's adversaries.  

The command's charter would also ensure that Indian military communications are secure and systems are not affected by any malware in forward formations like the sensitive Siliguri Corps, Tezpur Corps, and the Northern Command including the Tibet-facing Ladakh Corps. The Siliguri Corps in Chumbi Valley has witnessed cyber-attacks through malware over the past decade to not only affect software but also leak sensitive documents to adversaries. Let me inform you that these corps, including the Siliguri Corps, are separate teams of the Indian Army.

On June 16, cybersecurity firm Recorded Future published a report claiming that a suspected unit of Chinese cyber soldiers has targeted Indian telecom companies, government agencies, and several defense contractors. A cyber threat intelligence company disclosed that there was evidence of these manipulative espionage operations by China and that one of these operations was linked to a specific unit of the People's Liberation Army (PLA).

Countries Not Capable To Face Current Cyber Threats: IISS Report Says


Currently, the US is the leading cyberspace power, but China is also closing in quickly and will be a tough rival to the US in the military and civil sector, says International Institute for Strategic Studies, a Britain-based research organization. The other countries are still in the early process to come on foot with the cyberspace implications, according to the experts at IISS. In the present scenario, a feeling of inadequacy and crisis is evident in political circles, where private players can be seen bragging 'catch me if you can' to government organizations as they are trying to reap off high profits. 

There has been rapid advancement in surveillance and intelligence technologies that are capable of compromising network capabilities and advanced computing, but still, there is a need in the government sector to build legal frameworks for the use of such technologies. "China is a second-tier cyber power but, given its growing industrial base in digital technology, it is the state best placed to join the US in the first tier," says the IISS report. At the heart of the national strategies of the US and China, and the trade war between them is competition for control over the technologies that physically underpin the future of cyberspace -- such as microchip production, computer assembly, mobile internet (such as 5G), cloud architectures, cables, and routers," the analysts said. 

The primitive model of government, social organization, and corporate management are continuously struggling to adapt to the current changes, says the IISS report. The reports list 15 major countries into three groups, on the basis of their technological capabilities. The US tops the list, as expected because of 25 years of experience and investment in cybersecurity infrastructure. However, China is also closing in rapidly in technological advancements, along with France, Britain, Russia, Australia, Canada, and Israel. India has emerged as the leading country in the third group along with North Korea, Iran, and Japan. 

As of now, the countries in the third group are not that eminent, but they are making quite progress in particular areas with high ambitions for building their cyber power sector. IISS says, "Governments worldwide are too often playing catch-up against private cyberspace operators in what is poised to become a key arena for defending national interests."

Research Reveals Americans Not Aware About Cybersecurity Issues Happening In U.S


Although many cyberattacks made major headlines in the US this year, most of the customers are still not aware of the attacks. The latest study shows that users still lack basic awareness about these attacks and their repercussions on organizations and customers. Armis, a cybersecurity firm in its survey found more than 21% of respondents were unaware of the colonial pipeline cyberattack which happened in May. Whereas, 24% of the respondents believed that one of the biggest attacks that happened on the largest US fuel pipeline wouldn't have any long terms impact on the nation's fuel sector. 

Besides this, 45% of the working Americans didn't have any knowledge about the tampering incident on a local drinking water supply in Florida that happened earlier this year. Armis reports, "released new data uncovering the lack of knowledge and general awareness of major cyberattacks on critical infrastructure and an understanding of security hygiene. End users are not paying attention to the major cybersecurity attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing a focus on security as employees return to the office." "Despite the spotlight on these attacks, the data shows that many consumers are simply not taking notice — and the responsibility of security falls on the businesses themselves."

Currently, many organizations are shifting back to the office, according to Armis, around 70% of respondents want to bring their work from home devices to the office. Besides this, the survey also revealed that 54% of the respondents don't think that bringing their personal devices to the office would pose any threat to organizational security. "From the Colonial Pipeline attack shutting down services to the Florida Water Facility hack endangering the water supply, to the ransomware attack on JBS, which could raise meat prices and also restrict access to necessary nutrients in developing countries — the impact of cyber attacks on our critical infrastructure has been evident. We’ve also seen ransomware hit healthcare in a major way, with attacks on Scripps Health's technology systems and a chain of Las Vegas hospitals," says Armis research. "

A New GoLang Trojan ChaChi Used in Attacks Against US Schools


A new Trojan written in the Go programming language has shifted its focus from government agencies to schools in the United States. 

The malware, termed ChaChi, is also being utilized as a critical component in initiating ransomware assaults, according to a research team from BlackBerry Threat Research and Intelligence. ChaChi is built in GoLang (Go), a programming language used with threat actors as a replacement for C and C++ because of its flexibility and simplicity of cross-platform code compilation. Over the last two years, there has been a 2,000 percent growth in Go-based malware strains, according to Intezer. 

ChaChi was spotted in the first half of 2020 and the original variant of the Remote Access Trojan (RAT) has been linked to cyberattacks against French local government bodies, as documented by CERT France in an Indicators of Compromise (IoC) report (.PDF); nevertheless, a considerably more sophisticated variation has since emerged. 

The most recent samples have been linked to attacks against significant US schools and educational institutions. In comparative analysis to ChaChi's first variant, which had inadequate obfuscation and low-level capabilities, the malware can now conduct typical RAT operations such as backdoor creation and data exfiltration, as well as credential dumping via the Windows Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunneling, SOCKS proxy functionality, service creation, and lateral movements across networks. 

For obfuscation, the malware makes use of gobfuscate, a publicly accessible GoLang utility. ChaChi gets its name from two off-the-shelf tools used by the malware during attacks: Chashell and Chisel. 

The Trojan, according to BlackBerry experts, is the product of PYSA/Mespinoza, a threat group that has been active since 2018. This group is renowned for employing the extension to launch ransomware operations. 

PYSA stands for "Protect Your System Amigo" and is used when victim data are encrypted. PYSA attacks against both UK and US schools have been on the rise, according to the FBI. PYSA, according to the group, emphasizes on "big game hunting," or choosing wealthy targets with large wallets capable of paying large ransoms. Rather than being a work for automated technologies, these attacks are targeted and often handled by a human operator. 

The researchers stated,"This is a notable change in operation from earlier notable ransomware campaigns such as NotPetya or WannaCry. These actors are utilizing advanced knowledge of enterprise networking and security misconfigurations to achieve lateral movement and gain access to the victim's environments."

Iranian Hackers Attacked Websites of an African Bank and US Federal Library


According to Iran Briefing, hackers posing as Iranians targeted the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, by posting pro-Iranian remarks and graphics. 

The website of Sierra Leone Commercial Bank was found to be "H4ck3D IRANIAN HACKER" in Google search results. 

The words "hacked by Iranian hacker, hacked by shield Iran" were written in Twitter screenshots on a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike. 

According to CBC News, the library program's website was updated with a bloodied picture of US President Donald Trump being punched in the face, as well as a message is written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!" 

A spokesman from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency verified the incident. Though the hack has still proven to be the activity of Iranian state-sponsored actors. 

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging”. 

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US could be a possible retaliation. 

It's unclear whether the hackers had a government position or had any connection to Iran. The hack occurs at a time when tensions between the US and Iran are still high following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2. 

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.

Herff Jones Credit Card Breach: College Students Across the US Affected


Graduating students from many universities in the United States have reported fraudulent transactions after using payment cards at Herff Jones, a prominent cap and gown seller. Following the initial reports last Sunday, the company launched an investigation to assess the scope of the data breach. 

The complaints persisted this week, prompting others to review their credit card statements for fraudulent charges. Students at universities in Indiana (Purdue, IU), Boston, Maryland (Towson University), Houston (UH, UHD), Illinois, Delaware, Michigan, Wisconsin, Pennsylvania (Lehigh, Misericordia), New York (Cornell), Arizona (Wake Forest), Florida (State University), and California (Sonoma State) are affected by the issue. 

Herff Jones was entirely unaware of the data violation until students began to complain about fraudulent charges to their payment cards on social media. They all had one thing in common: they were graduating students who had purchased commencement gear at Herff Jones. Some of them had to withdraw their payment cards and file a dispute with the bank over the fraudulent charges. 

Apart from delivery delays, the students said that they had been charged fraudulently for amounts ranging from tens of dollars to thousands of dollars. While the majority of reports indicate losses ranging from $80 to $1,200, one student said that a friend was charged $4,000. 

“Someone just bought a ps5 with my card info and I respect the hustle,” stated one student.  

A parent chimed in saying that their “daughter and about 30 other graduates that she knows of at her school (not Purdue) have had their debit cards compromised through HJ [Herff Jones].” 

According to one Cornell University senior, their credit card was stolen, and fraudsters attempted to charge $3,000 to "asics" and use it on adult content subscription service OnlyFans. Although the exact date of the Herff Jones violation is unknown, some of the earliest transactions date from the beginning of the month. Several students reported that they bought graduation products in April. 

Herff Jones released a statement on May 12th acknowledging the payment card data breach and apologizing for the incident.

Herff Jones said in a statement, “We sincerely apologize to those impacted by this incident. We are working diligently to identify and notify impacted customers. The company is investigating the incident with the help of “a leading cybersecurity firm.”

US and Australia Warn of Rise in Avaddon Ransomware Attacks


The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

Avaddon threat actors threaten victims with denial-of-service (DDoS) attacks in order to persuade them to pay ransoms, according to the ACSC (in addition to leaking stolen data and encrypting their system). However, no evidence of DDoS attacks has been discovered as a result of the Avaddon ransomware attacks, according to the FBI. 

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

When ransomware groups started using DDoS attacks against their victims as an additional leverage point, BleepingComputer first posted on this new trend in October 2020. SunCrypt and RagnarLocker were the two ransomware operations that used this new strategy at the time. 

The first Avaddon ransomware samples were discovered in February 2019, and the ransomware started hiring affiliates in June 2020 after launching a massive spam campaign that targeted users all over the world. Affiliates of the Avaddon RaaS operation are required to obey a set of guidelines, one of which is that no targets from the Commonwealth of Independent States be pursued (CIS). 

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators receiving the remaining 35 percent. Avaddon ransomware’s affiliates have also been known to steal data from their victims' networks before encrypting systems in order to double-extortion. 

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Russian Actors Change Techniques After UK and US Agencies Expose Them

After the western agencies outed their techniques, Russian actors from the APT29 group responded to the expose by using a red-teaming software to get into the victim's network as a trusted pentesting exercise. Currently, NCSC (National Cyber Security Centre) of UK and the US have alarmed, that the SVR is currently exploiting vulnerabilities that are critical rated (a dozen of them) which also include RCEs in devices that range from VMware virtualization to Cisco's routers, as well as the famous Pulse Secure VPN flaw, along with other equipment. 

"The NCSC, CISA, FBI, and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise," says the NCSC website. It found a case where the spies look for verification credentials in mails, which included passwords and PKI keys. Quite similar to MI6 with a bit of GCHQ, the SVR is a foreign intelligence agency of Russia and is as popular among the cybersecurity realm as APT29. 

Last month, UK and US agencies came together to expose the group's techniques, allowing cybersecurity research around the world to have a glance at the lethal state-sponsored attackers that might've attacked their network infrastructure. After finding the NCSC report, the SVR actors have changed their TTP to avoid getting further caught and also to escape any preventive measures that network defenders might've placed. Besides this, the group is also pretending to be an authorized red-team pentester, to avoid getting caught. The actors also got into GitHub and installed Sliver, an open-source red-teaming platform, to keep their access active. 

The Russian actors have become more active in exploiting these vulnerabilities. NCSC, in its blogpost, warned smart City infrastructure, public operators, to be alert of suspicious state-sponsored actors that intend to steal data. "Why the sudden focus on smart streetlights and all the rest of it? The risk in smart cities is the direct control of operational technology; industrial equipment such as CCTV, streetlights, and access control systems. We understand at least one UK council is removing some smart city gear after having thought of the wisdom of installing it," reports the Register.