
Spy Agencies Exploit Computer Networks to Gather Digital Information

 


A recent report has revealed that one of New Zealand's two spy agencies, the GCSB, retrieves digital information directly from the computers where it is stored or processed. The "exploitation" of computer networks by the GCSB had long been surrounded by a high level of secrecy.

US commentators have described computer network exploitation (CNE) as a form of cyber warfare, or "theft of data". "With the help of our legislation, we can gain access to information infrastructures, which is more than just interception," said Andrew Hampton, Director-General of the Government Communications Security Bureau.

"As a result of it, we are also now able to retrieve digital information directly from its storage or processing place." The GCSB calls this "access to information infrastructures", or "accessing the infrastructure of information."

The revelation was traced to a speech Hampton gave to the Institute of International Affairs in May, which was cited by the spying watchdog, Inspector-General of Intelligence and Security Brendan Horsley.

In his annual report, released on Friday, Horsley said the public disclosure allowed him to confirm that the exploitation operations had been thoroughly scrutinised and to assure the public that the capability had not been abused.

Previously he had been forced to refer only to "certain operations". "Although it was subject to oversight, it was not possible to provide any clear public assurance of this," he said.

During his review of the compliance systems associated with CNE, he found that they were "on the whole, appropriate and effective". 

Even so, he was not permitted to elaborate on "the bureau's use of this potentially significant capability." 

According to the Inspector-General, the SIS is also doing far more "target discovery", leaving it with much more data to manage than in the past, while its checks and controls on that data have not yet improved to the level they need to reach.

Horsley is currently reviewing the SIS's target discovery process, and a review of the GCSB's will follow soon.

Both agencies have intensified their efforts in this area since the 2019 mosque attacks.

From a civil liberties and privacy standpoint, one potential hazard of target discovery is intrusion into the lives of people who have done nothing to merit the attention of a national security agency, the Inspector-General said in his report.

He found no significant problem with Section 19 of the security laws, concluding that the law simply requires each agency to be able to justify its monitoring or collection on grounds "other than the fact that certain ideas were expressed on a platform".

Late last year the GCSB adopted a revised policy on retaining the extra data it collects. The policy states explicitly that the GCSB cannot hold onto information solely because it may be useful in the future.

The same report found that the SIS, by contrast, was struggling with policy implementation. More than 93 percent of its policies and procedures were due for review, and some, such as data analytics policies, did not exist at all.

Horsley said decisions were being guided by draft procedures.

The SIS and DOJ have an agreement to deal with the backlog of policies. Although the SIS has already halved the number of its policies, in the meantime it cannot be guaranteed that a given policy is fit for its intended purpose.

In addition, its review of its data-sharing agreement with the Department of Internal Affairs is well behind schedule.

Both the SIS and the bureau have sound control mechanisms and effective ways of managing any breaches that do occur.

The agencies' joint policy on sharing information with foreign partners was also changed to address cases where sharing could result in human rights abuses.

Horsley considered the updated policy "a marked improvement" on the 2017 policy, although he retained reservations about some of its terms and criteria and about the handling of reports likely to have been obtained through torture, and he wanted more details of the revised policy made public.

The report shows that he reviewed 63 spying warrants, 49 of them Type 1 warrants, the most serious kind. A Type 1 warrant authorises an agency to engage in what would otherwise be unlawful activity in order to collect information about a New Zealander.

US Healthcare Department Issues Warning Regarding Venus Ransomware

 

Healthcare organizations across the United States have been warned by the Department of Health and Human Services (HHS) about Venus ransomware attacks following a recent breach at a healthcare provider.

No data leak site for the Venus ransomware actors has been identified, according to a report published by HHS's Health Sector Cybersecurity Coordination Center (HC3).

"HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time," said the report. 

Since its emergence in mid-August 2022, the ransomware has spread through the networks of numerous corporate victims around the globe.

The ransomware terminates 39 processes associated with database servers and Microsoft Office applications. For initial access it targets publicly exposed Remote Desktop Services. Once on a host, it deletes event logs and Volume Shadow Copies and disables Data Execution Prevention (DEP).

Lucrative Target 

Since the outbreak of Covid-19, the healthcare industry has been a lucrative target for attackers. Hospitals operate many computers, printers, and internet-connected smart devices that generate thousands of sensitive files. These devices are often outdated and poorly secured, making them ideal initial entry points.

Moreover, with the Covid-19 pandemic filling hospitals to capacity, overworked healthcare workers are easy prey for phishing and social engineering attacks.

Last month, US government officials warned of multiple ransomware attacks on healthcare facilities nationwide, in which attackers used variants such as Maui and Zeppelin against healthcare and public health (HPH) institutions.

And in February, in a data breach report, debt management firm Professional Finance Corporation, Inc (PFC) revealed that 657 healthcare organizations were impacted by a Quantum ransomware attack. 

To mitigate risks, security experts recommended healthcare organizations implement an email security solution, consider adding a banner to emails from external sources, disable hyperlinks in emails, and provide regular security awareness training to the employees.

A Glitch in Ballot Tabulation Machines, an Opportunity for Election Deniers

 

Earlier this week, former American president Donald Trump and his followers seized on technical issues with ballot tabulation machines in the battleground state of Arizona and falsely claimed it was evidence of an election scam by the Democrats. 

The false claims were made after video emerged of voters being turned away from polling stations in Maricopa, Arizona’s largest county, and officials asking them to head to a different voting center. 

Election officials also flagged printer issues affecting ballot tabulators in nearly 20% of the county's polling locations, but made clear that voters could still cast their ballots.

"We also have redundancy in place. If you can't put the ballot in the tabulator, then you can simply place it here where you see the number three and this is a secure box where those ballots will be kept for later this evening, where we'll bring them in here to central count to tabulate them," a Maricopa County official explained.

There is nothing suspicious about the voting process: the issues in a handful of places around the US are well within the normal range of glitches to be expected across thousands of jurisdictions with millions of people voting, a senior official at the US Cybersecurity and Infrastructure Security Agency said.

However, Trump contradicted state officials, who said the paper ballots would be tabulated later, and posted on his social media platform, Truth Social, telling voters to stay in line.

Arizona's Republican candidate for governor, Kari Lake, also seized on the machine glitches, tweeting a "voter alert".

She has previously echoed Trump's false claims that the 2020 election was stolen from him. When election results were announced, she alluded to the issues with the machines: "We had a big day today. And don't let those cheaters and crooks think anything different. Don't let them doubt. Don't let them put doubt in you."

Arizona was central in the false claims by Trump and his followers that the 2020 presidential election was rigged against him, after his narrow loss to Joe Biden in the state. The state was ground zero for Trump’s attempts to overturn his White House loss and in this year’s midterms, it’s the only state where all four major statewide candidates are election deniers. 

An election official in Arizona said that the malfunctions in ballot tabulation machines were "disappointing" and correctly predicted that election deniers such as Trump would "exploit" the issue.

TikTok has Grown Into a Global Giant, United States has Threatened to Rein it in

 

This summer was a period of economic uncertainty for much of the tech industry, marked by falling bitcoin prices, hundreds of layoffs, and hiring freezes. It was also the summer that US regulators crossed the aisle to reach an agreement: it was time for stricter rules for the video platform TikTok.

TikTok has been the focus of rare bipartisan calls for regulation and investigation since Buzzfeed reported in June that employees of TikTok's Chinese parent company ByteDance had access to US consumer data. When the FBI director, Christopher Wray, called Chinese espionage the "greatest long-term threat to our nation's... economic vitality" in July, those inquiries became more pressing.

“If you are an American adult, it is more likely than not that China has stolen your personal data,” Wray said. “We’ve now reached the point where the FBI is opening a new China-related counterintelligence case about every 10 hours.”

The China question

TikTok is a relatively new player in the arena of massive global social media platforms, but it has already piqued the interest of European regulators. New laws in the UK and the EU concerning child safety and general internet safety have compelled the company to become more transparent about how it operates and how content spreads on its platform.

In the United States, efforts to rein in the video platform have only recently gained traction, though there is little doubt that the round of regulatory pressure is warranted. With 1 billion users, the platform, which uses an algorithmic feed to push short-form videos to users, has had its fair share of misinformation, data privacy concerns, and child safety concerns.

The app's connection to China is one of the issues that US lawmakers are most publicly focused on. TikTok has consistently stated that the data of its US users is stored in Virginia data centers and backed up in Singapore. In June, the company announced that all US user data would be routed through Oracle servers in the United States.

However, recordings of TikTok executives obtained by BuzzFeed News indicate that ByteDance employees based in China accessed US user data multiple times between September 2021 and January 2022. “Everything is seen in China,” one TikTok employee reportedly said in a meeting.

On June 23, a bipartisan group of five senators proposed a new bill that would prohibit companies from sending American users' data to "high risk foreign countries." In July, Senators Mark Warner and Marco Rubio asked the Federal Trade Commission (FTC) to investigate TikTok.

“TikTok, their parent company ByteDance, and other China-based tech companies are required by Chinese law to share their information with the Communist party,” Warner said. “Allowing access to American data, down to biometrics such as face prints and voiceprints, poses a great risk to not only individual privacy but to national security.”

Brendan Carr, the FCC's senior Republican commissioner, said the BuzzFeed News story marked a watershed moment in lawmakers' thinking about TikTok. “What really changed things was it wasn’t people theorizing or government officials saying stuff in talking points that you weren’t really sure if there was any there, there. This was a report that had internal communications and leaked audio of internal meetings … that just blew the doors off of all of [TikTok’s] representations about how it handled data and showed it to be gaslighting.”

Carr, who has advocated for Google and Apple to remove TikTok from their stores, said the revelations made TikTok's national security concerns more real than ever before and brought people from different political parties together.

TikTok claims that US lawmakers' concerns about national security are exaggerated and that the platform does not share user data with the Chinese government. "Neither would we if asked," company spokesperson Maureen Shanahan said.

Shanahan stated that the company has been open about its efforts to limit employees' access to US user data, and the BuzzFeed News report demonstrates that TikTok is "doing what it said it would do."

“In 2021, TikTok engaged consultants to help assess how to limit data access to US user data,” Shanahan said in a statement. “In the 80 leaked meetings, there were 14 statements indicating that engineers in China had access to US data … It is unfortunate that BuzzFeed cherry-picked quotes from meetings about those very efforts and failed to provide adequate context.”

“Like many global companies, TikTok has engineering teams around the world,” Shanahan said. “We employ access controls like encryption and security monitoring to secure user data, and the access approval process is overseen by our US-based security team.”

Bigger than China

Experts contacted by the Guardian did not question China's cybersecurity threat to the US. However, some expressed concern that regulators' focus on TikTok's China connection would divert attention away from other pressing issues, such as TikTok's algorithm and how much user data the company collects, stores, and shares with other US entities.

There is little information available about the amount of user data TikTok collects and shares with entities in the United States. Even Oracle, the company TikTok hired to audit its algorithms and data privacy policies in order to reassure lawmakers that the platform is free of Chinese influence, has been accused of keeping dossiers on 5 billion people worldwide. There are currently no federal regulations in place to safeguard such information.

“The China question to me is almost a red herring because there’s so little being done to protect user privacy generally in the US,” said Sara Collins, a senior policy counsel at the non-profit public interest group Public Knowledge. “The thing I would be concerned about is the same stuff that we’re concerned about with Facebook or with Google. It’s their data privacy practices, what they’re doing with that data, how they’re monetizing it, and what adverse effects are there on users.”

A federal privacy bill currently being debated in Congress could begin to address these concerns. According to Collins, whose employer Public Knowledge works on content moderation and regulation issues, the American Data Privacy and Protection Act (ADPPA) would "actually create a privacy framework for all these companies that would affect TikTok and its business model." (TikTok has made donations to Public Knowledge.)
 
In the meantime, states are taking matters into their own hands. California passed a landmark children's online safety bill that would require platforms like TikTok and Instagram to vet any products geared toward children before releasing them, and to implement privacy safeguards for younger users by default.

Marc Faddoul, co-director of Tracking Exposed, an organization that tracks how TikTok's algorithm works, believes that congressional leaders' focus on the platform's China connections misses the mark when it comes to pressing for more information about the app's algorithm.

“To me, what’s missing from regulators’ radars is that the biggest leverage point in disseminating content online is the mechanics of algorithmic promotion and algorithmic demotion because taking down an individual piece of content, especially if it has already been spread, does little to mitigate the potential harm,” Faddoul said. Those opaque mechanisms, he argued, pose “the biggest threat in terms of interference in internal politics or popular opinion”.

There isn't much information available about how the algorithm decides which content to promote to the top of each person's For You Page. However, in many cases, that content has proven to have real-world implications. Domestic extremists, for example, used TikTok to promote violence and call on their followers to bring guns to the US Capitol in the run-up to the January 6 riots, according to a Department of Homeland Security intelligence document. According to the document, the platform is also rife with violent extremist content.

TikTok says it uses “a combination of technology and thousands of safety professionals” to identify and remove videos that violate its policies. AB Obi-Okoye, a spokesman for the company, said TikTok will continue those efforts, factchecking content in over 30 languages.

“Factchecking is just one component of how we moderate content,” Obi-Okoye continued. “We use a combination of publicly available information as well as the information we receive from our factchecking partners to help us assess content.”

It's also critical to understand how TikTok's algorithm works, according to Faddoul. As the Guardian first reported, the company has previously directed its moderators to censor certain posts, including those mentioning Tiananmen Square or Tibetan independence, according to Faddoul. Obi-Okoye stated that those policies were outdated and no longer in use.  “Today, we take a nuanced approach to moderation, including building out a global team with deep industry experience and working with external content and safety advisory councils,” Obi-Okoye said.

Is there too much or too little oversight?

While experts and lawmakers agree that more regulation is needed, there is significant disagreement about how much regulatory scrutiny TikTok has historically received, especially in comparison to players such as Facebook, Twitter, and Google.

Carr, the FCC commissioner, attributes some of the apparent lack of focus on TikTok to a politicization of the debate after Donald Trump signed an executive order in 2020 requiring ByteDance to sell or spin off its US TikTok business. (That order has since been revoked by Joe Biden.)

Because of TikTok's ties to China, he believes the threats it poses are in a different category than those posed by Facebook and Google. And, in comparison to other Chinese-based tech companies like Huawei and ZTE, TikTok has "largely skated and avoided having to account for some very serious national security concerns," according to Carr.

Battling the Russian Disinformation War

 

Over the years, US-Russian relations have fluctuated. Former US president Donald Trump was lenient towards the Kremlin from 2017 to 2020, a period in which cybersecurity issues took a back seat at the White House.

The Biden administration, however, is ready to take on Russia on every possible front. After Russia invaded Ukraine last February, the European Union blocked RT and Sputnik, two of the Kremlin's top channels for spreading disinformation about the war.

Blake Dowling, CEO of Florida-based Aegis Business Technologies, blamed Russian-backed hackers for cyberattacks against American infrastructure (Colonial Pipeline), businesses and government (SolarWinds and others), and elections.

According to Dowling, Russia's Internet Research Agency (IRA) has also played a role in propagating disinformation around the globe.

The IRA is an army of internet trolls based in an old arms factory in St Petersburg, founded by Yevgeny Prigozhin. Its operatives work eight-hour shifts like regular employees.

During their shifts employees must meet quotas, such as creating a dozen social media accounts and publishing five political and ten non-political posts, while also commenting on and liking hundreds of their colleagues' posts.

One IRA employee published a blog post about a new US video game with a slavery theme, aiming to stir up anti-US sentiment in Russia. No such game existed, but that was the job.

Apart from social media trolls, a Russian hacktivist group called Killnet is also playing a major role in disrupting services in the United States. It seeks to cause chaos for Russia's enemies, specifically entities that side with Ukraine.

The group's standard modus operandi is distributed denial-of-service (DDoS) attacks that knock its victims' web presence offline. Earlier targets include the Eurovision song contest and, this month, fourteen airports in the United States.

To counter this cyber onslaught, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recommends a "Shields Up" posture for American organisations and citizens.

Shields Up refers to a heightened defensive posture when protecting data and technical assets. This includes patching networks and hardware against known exploits and vulnerabilities and using strong passwords that are changed regularly.

Authorities Seize Online Marketplace for Stolen Credentials

In coordination with international law enforcement authorities, Portuguese authorities conducted an investigation and seized a website selling the login credentials and personally identifiable information (PII) of over 5.85 million people.

US law enforcement agencies also reported seizing four domains associated with the online shop: wt1store.cc, wt1shop.net, wt1store.com, and wt1store.net.

Federal prosecutors have charged Nicolai Colesnicov, 36, of the Republic of Moldova, with operating wt1shop to facilitate the sale of stolen credentials and PII.

The US Justice Department (DoJ) stated that at the time of the seizure the marketplace held approximately 25,000 scanned driver's licences and passports, 1.7 million login credentials for various online shops, 108,000 bank accounts, and 21,800 credit cards.

According to court documents, visitors to the illegal marketplace could buy the stolen data with Bitcoin. Around 2.4 million credentials had been sold on wt1shop, for total proceeds of about $4 million. The market also ran a forum for its customers.

The credentials sold were for online retailers, PayPal accounts, financial institutions, and email accounts; others provided remote access to computers, servers, and other devices. A buyer of a victim's credentials could also purchase that victim's credit card accounts.

 U.S. Attorney Brit Featherston said that “This case exemplifies the need for all of us, right now, to take steps to protect our online identity, our personal data, and our monetary accounts. Cyber-criminals are lurking behind the glow of computer screens and are harming Americans. These investigations require dedicated professionals who work tirelessly to stop thieves that steal from unknowing innocent people. To those who dedicate their lives to stopping cyber-criminals, we thank you.”

Earlier this year, the Department of Justice and international partners announced the seizure of Slilpp, the largest marketplace for stolen credentials on the dark web, which held the data of 80 million users from 1,400 service providers.

Also, on March 16, 2022, a federal grand jury indicted Igor Dekhtyarchuk, a Russian citizen, for running a cyber-criminal marketplace that sold thousands of stolen login credentials, authentication tools, and items of personally identifiable information.

HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers

 

The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) recently warned of rising Karakurt activity against the healthcare sector, and has now issued a further warning about Evil Corp attacks.

According to the alert, Evil Corp is believed to be obtaining intellectual property from the US healthcare sector on behalf of the Russian government. Its Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data.

The threat actor has repeatedly changed its tactics to evade sanctions imposed by the US government, and has caused millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, frequently combined with commodity malware and living-off-the-land tactics. HC3 is concerned because state-sponsored threat actors such as Evil Corp see data exfiltration as a cost-effective way to steal intellectual property.

Evil Corp makes no distinction between large and small organisations, targeting wherever there is an opportunity. Karakurt, meanwhile, has compromised at least an assisted living facility, a healthcare provider, a hospital, and a dental clinic, according to HC3, and has turned its leak site into a searchable database, making it easier to locate victims' data.

The healthcare sector has long been a favourite target of cybercriminals, and attacks have only increased since the onset of the pandemic. Various threat groups target the sector regularly, so putting the necessary security measures in place is advised.

FBI Issues Warning as BlackCat Ransomware Targets More Than 60 Organizations Worldwide

 

An FBI flash alert released this week says the agency has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022.

The alert details the tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) associated with the group, as observed during FBI investigations.

According to the FBI's Cyber Division, BlackCat, also tracked as ALPHV and Noberus, is the first ransomware group to compromise victims successfully with ransomware written in Rust, which the FBI describes as "considered to be a more secure programming language that offers improved performance and reliable concurrent processing."

BlackCat's ransomware executable is highly customizable and comes with several encryption methods and options that make it easy to adapt attacks to a wide range of organizations. "Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added.

Security researchers recently reported increased interest from BlackCat operators in targeting industrial organizations. BlackCat affiliates often demand ransoms of millions of dollars, but have been observed accepting lower payments after negotiating with victims.

For initial access, the FBI says, BlackCat uses previously compromised user credentials. It then compromises Active Directory user and administrator accounts and uses malicious Group Policy Objects (GPOs) to deploy the ransomware, after first exfiltrating victim data.

Observed BlackCat intrusions have used PowerShell scripts, Cobalt Strike Beacon, and legitimate Windows tools and Sysinternals utilities. The actors were also seen disabling security features to move unhindered within the victim's network.
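The two advisories on this page describe precursor behaviour that is cheaper to catch than the encryption itself: the Venus report above (shadow copies deleted, event logs cleared, DEP disabled, database and Office processes killed) and the BlackCat alert here (malicious GPOs used to push the payload). The following rule set is an added example written for this page, not code from HC3, the FBI, or either ransomware family. It assumes these actions appear in Windows telemetry as Sysmon process-creation events with the usual command lines (vssadmin, wmic, wevtutil, bcdedit, taskkill) and as Security event 5136 on a groupPolicyContainer object; those patterns, the attribute names, and the sample events are constructed for illustration.

```python
"""Rule-based detection of ransomware precursors from Windows telemetry.

Added example for this page; the command patterns and sample events are
assumptions about how the described actions typically surface, not
indicators taken from the HC3 or FBI reports.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    host: str
    event_id: int                 # 1 = Sysmon process creation, 5136 = Security: directory object modified
    command_line: str = ""        # Sysmon EID 1 CommandLine
    object_class: str = ""        # Security EID 5136 ObjectClass
    attribute: str = ""           # Security EID 5136 AttributeLDAPDisplayName


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                # MITRE ATT&CK technique ID
    pattern: Optional[re.Pattern] = None


# Command-line heuristics for the Venus behaviours (assumed typical invocations).
PROCESS_RULES = [
    Rule("Volume Shadow Copy deletion", "T1490",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    Rule("Windows event log cleared", "T1070.001",
         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("DEP disabled in boot configuration", "T1562.001",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{current\}\s+)?nx\s+AlwaysOff", re.I)),
    Rule("Database or Office process terminated", "T1489",
         re.compile(r"taskkill(\.exe)?\s+.*?/im\s+(sqlservr|oracle|mysqld|outlook|winword|excel)\.exe", re.I)),
]

# GPO attributes whose change means the policy body or a linked extension was edited.
# Event 5136 is only emitted if "Audit Directory Service Changes" is enabled on the DCs.
GPO_ATTRIBUTES = {"gPCFileSysPath", "gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}
GPO_RULE = Rule("Group Policy Object modified", "T1484.001")


def match_process(event: Event) -> list:
    """Return every process rule whose pattern matches the command line."""
    return [r for r in PROCESS_RULES if r.pattern.search(event.command_line)]


def match_gpo(event: Event) -> list:
    """Flag 5136 events that alter a GPO container; edits to other AD objects are ignored."""
    if event.object_class == "groupPolicyContainer" and event.attribute in GPO_ATTRIBUTES:
        return [GPO_RULE]
    return []


def detect(events) -> list:
    """Run the rule appropriate to each event type and collect findings."""
    findings = []
    for ev in events:
        if ev.event_id == 1:
            rules = match_process(ev)
        elif ev.event_id == 5136:
            rules = match_gpo(ev)
        else:
            rules = []
        findings.extend({"host": ev.host, "rule": r.name, "technique": r.technique} for r in rules)
    return findings


def techniques_per_host(findings) -> dict:
    """Count distinct techniques per host; several on one host is the strong signal."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["technique"])
    return {host: len(techs) for host, techs in seen.items()}


# Constructed sample telemetry, not real victim data.
SAMPLE_EVENTS = [
    Event("WS01", 1, command_line="vssadmin.exe delete shadows /all /quiet"),
    Event("WS01", 1, command_line="wevtutil.exe cl Security"),
    Event("WS01", 1, command_line="bcdedit.exe /set {current} nx AlwaysOff"),
    Event("WS01", 1, command_line="taskkill.exe /f /im sqlservr.exe"),
    Event("WS02", 1, command_line="notepad.exe C:\\Users\\jdoe\\notes.txt"),
    Event("DC01", 5136, object_class="groupPolicyContainer", attribute="gPCMachineExtensionNames"),
    Event("DC01", 5136, object_class="user", attribute="description"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['technique']})")
    print(techniques_per_host(detect(SAMPLE_EVENTS)))
```

Any one of these rules fires on legitimate administration from time to time (backup software rotates shadow copies, administrators edit GPOs), so the per-host count is what should drive paging: a workstation that deletes shadow copies, clears the Security log, and disables DEP within minutes is not doing maintenance.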

As usual, the FBI recommends against paying the ransom, since payment does not guarantee recovery of the data, and urges organizations to deploy defenses proactively to prevent ransomware attacks.

Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations. 

The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.

US Attributes North Korean Lazarus Hackers to Axie Infinity Crypto Theft

 

The US Treasury Department announced on Thursday that it had linked North Korean hackers to the heist of hundreds of millions of dollars in cryptocurrencies linked to the popular online game Axie Infinity. 

On March 23, digital assets worth about $615 million were stolen, according to Ronin, a blockchain network that lets users move crypto in and out of the game. No one has claimed responsibility, but the US Treasury said on Thursday that a digital currency address used by the hackers was controlled by the North Korean hacking group known as "Lazarus."

The Treasury Department spokesperson stated, using the initials of North Korea’s official name, “The United States is aware that the DPRK has increasingly relied on illicit activities — including cybercrime — to generate revenue for its weapons of mass destruction and ballistic missile programs as it tries to evade robust U.S. and U.N. sanctions.” 

Anyone transacting with the wallet risks US sanctions, the spokesperson said. Chainalysis and Elliptic, two blockchain analytics firms, said the designation confirmed that North Korea was behind the theft. Aleksander Larsen, co-founder of Sky Mavis, the developer of Axie Infinity, declined to comment, as did CrowdStrike, which Sky Mavis engaged to investigate the incident.

A post on the official Ronin blog said the FBI had attributed the attack to the Lazarus Group and that the US Treasury Department had sanctioned the address that received the stolen funds. According to the US, Lazarus is run by the Reconnaissance General Bureau, North Korea's primary intelligence agency, and has been accused of involvement in the "WannaCry" ransomware attacks, hacks of international banks and customer accounts, and the 2014 Sony Pictures Entertainment hack.

Cryptocurrency systems have long been plagued by hacks, and the Ronin theft was one of the largest ever. Sky Mavis said it will reimburse the lost funds using a combination of its own balance sheet capital and $150 million raised from investors including Binance.

The Ronin blog stated, “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month.” 

According to a Treasury spokesperson, the US will consider publishing crypto cybersecurity guidelines to help counter the theft of virtual currency.

FBI Witnesses Rising Russian Hacker Interest in US Energy Firms

Since the outbreak of Russia's war against Ukraine, the FBI has detected an uptick in Russian hackers' interest in energy firms, though it offers no evidence that a specific attack is planned. 

According to an FBI advisory received by The Associated Press on Tuesday, Russian hackers have assessed at least five energy businesses and at least 18 other companies in sectors such as military and financial services for vulnerabilities. None of the companies is identified in the advisory. 

Scanning a network for vulnerabilities or flaws is widespread, and it does not always mean that an assault is on the way, though it can be a sign of one. Nonetheless, the FBI's Friday warning highlights the Biden administration's increased cybersecurity concerns as a result of Russia's war in Ukraine. The White House said on Monday that there was "evolving intelligence" suggesting Russia was planning cyberattacks against critical infrastructure in the United States. 

At a White House press briefing, Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, expressed disappointment that some critical infrastructure firms have failed to patch known software vulnerabilities that Russian hackers may exploit. The FBI advisory lists 140 internet protocol (IP) addresses that it says have been linked to scans of critical infrastructure in the United States since at least March 2021. 

According to the alert, scanning has grown since the beginning of the war last month, leading to a greater likelihood of future incursions. The FBI acknowledges that scanning activity is frequent, but the IP addresses have been linked to the active exploitation of a foreign victim, which resulted in the victim's systems being destroyed, according to the advisory.

The United States and the West are Afraid of Possible Cyber Attacks by Russian Hackers

According to CNN, the FBI has warned American businesses about a possible increase in ransomware attacks by Russian hackers, against the backdrop of the sanctions that US President Joe Biden imposed on Russia in connection with the situation around Ukraine. 

Earlier, Jen Easterly, head of the U.S. Agency for Cybersecurity and Infrastructure Protection, said that Russia might consider taking measures that could affect critical U.S. infrastructure in response to U.S. sanctions. She urged all organizations to familiarize themselves with the steps the agency has developed to mitigate cybersecurity risks. In addition, David Ring, head of cybersecurity at the FBI, said that Russia is a favorable environment for cybercriminals, and that this is unlikely to change amid the confrontation between Russia and the West over the situation around Ukraine. According to CNN, the FBI and the Department of Homeland Security have held briefings on such topics for the past two months. 

It is important to note that Polish Prime Minister Mateusz Morawiecki decided to introduce a special high-level security regime for telecommunications and information technology in the country. 

On February 21, he signed a decree introducing the third level, Charlie-CRP, throughout the country. This level is introduced when an event confirms that a terrorist attack in cyberspace is a probable objective, or when there is reliable information about a planned event. 

The Polish Law on Anti-terrorist actions provides that in the event of a terrorist attack or its threat, the head of government may introduce one of four threat levels: Alfa, Bravo, Charlie, and Delta. The highest level, Delta, can be announced if a terrorist attack occurs or incoming information indicates its high probability in Poland. 

Similar levels marked with CRP relate to threats in cyberspace. They are introduced to tighten monitoring of the security of information systems so that possible disruptions to their operation can be detected. 

The Russian Federation has repeatedly rejected Western countries' accusations of cyberattacks, calling them unfounded, and has also stated that it is ready to cooperate on cybersecurity. 

Earlier, CySecurity News reported that CNN, citing US administration sources, said representatives of the White House, US intelligence, the US Department of Homeland Security (DHS), and other agencies had discussed preparations to repel cyber attacks that could be carried out in the United States and Ukraine.

The Examination of the Seized Equipment of the Lurk Group Did Not Reveal Any Attack on the US Government

A law enforcement source said that the examination of the equipment seized from members of the Lurk hacker group did not reveal traces of attacks on US government servers. During a court session, hacker Konstantin Kozlovsky, one of the defendants in the Lurk case, declared his involvement in hacking the servers of the US Democratic Party, as well as in hacking Hillary Clinton's mail. 

However, the examination showed that this is not the case. "The examination was carried out by the security forces together with the leading companies in the field of information security in Russia, all seized equipment, media, communications were checked. No evidence of attacks on the U.S. government was found. Also, the group members did not discuss it in the seized correspondence," the source said. 

He added that the investigation did not establish a connection between Kozlovsky and any FSB officers. "If you follow his statements, they always follow the high-profile hacking topics in the media, to which he is trying to link his criminal case: first it was Russian interference in the US elections, then, when information about the arrest of employees of the FSB Information Security Center appeared in the media, he also mentioned it. 

Even in the list of those involved in the attack on American information resources, published by the US Department of Justice, there is neither Kozlovsky himself nor other members of the Lurk group," the source explained. 

The detention of a group of Lurk hackers became known on June 1, 2016. There are 22 people in the dock. According to investigators, the participants of the hacker group stole 1 billion 264 million rubles (16.7 million dollars) from commercial companies and banks. 

They also hacked the network of Yekaterinburg's Koltsovo airport and copied information from its servers. It should be noted that Kozlovsky is not the first to claim the role of having hacked the Democratic Party's servers. Previously, a hacker using the nickname Guccifer 2.0 claimed responsibility for the hack. The user called himself a Romanian hacker, but spoke Romanian with machine translation errors.

Cyberattack Compels Albuquerque Public Schools to Close 144 Schools

Following a cyberattack that hit the district's attendance, communications, and transportation systems, all 144 Albuquerque Public Schools are closed for the remainder of this week, APS announced at midday Thursday. 

APS is one of the 50 largest school districts in the country, with around 74,000 students. 

District IT staff discovered the problem on Wednesday, and APS posted a statement on its website and Twitter account that afternoon stating, “All Albuquerque Public Schools will be closed Thursday, Jan. 13, due to a cyberattack that has compromised some systems that could impact teaching, learning, and student safety. … The district is working with contracted professionals to fix the problem.” 

"The district continues to examine a cyberattack that affected the student information system used to take attendance, contact families in emergencies, and ensure that students are picked up from school by authorised people," APS stated online on Thursday afternoon and cancelled classes for Friday. 

APS said it will reopen schools on Tuesday, Jan. 18, after being closed on Monday for Martin Luther King Jr. Day, and specified that administrative offices stayed open. The attack was detected Wednesday morning when teachers attempted to log into the student information system and could not access it, according to APS Superintendent Scott Elder in a brief statement uploaded to the district's APS Technology YouTube page. 

Elder further stated, “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network and ensure a safe environment to return to school and business as usual.” 

He noted that the district's IT department had been "mitigating attacks" in recent weeks. A spokeswoman told the Albuquerque Journal she was uncertain what kind of attack it was and said she did not know whether those responsible had demanded a ransom.

FBI Warning Leads to a Canadian Being Indicted for Attacks Against the US and Canada

The FBI and the Justice Department unveiled charges today against 31-year-old Canadian Matthew Philbert for a variety of ransomware-related offenses. On Tuesday, authorities from the Ontario Provincial Police made a public statement in Ottawa to disclose the charges and Philbert's arrest. 

U.S. Attorney Bryan Wilson of the District of Alaska said in a statement that Philbert “conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018.” 

Canadian officials received assistance from Dutch authorities and Europol in this case; Canadian authorities also charged Philbert, stating that he was arrested on November 30. Authorities did not specify which ransomware gang Philbert was a member of or which operations he is responsible for. 

"Cybercriminals are opportunistic and will target any business or individual they identify as vulnerable," stated Deputy Commissioner Chuck Cox of the Ontario Provincial Police. 

Philbert is charged with one count of conspiracy to commit fraud as well as another count of fraud and associated activities involving computers. 

Cox stated during the press conference that the FBI alerted officials in Ontario over Philbert's activities, which also included ransomware cyberattacks on businesses, government entities, and individual citizens. Police further stated they were able to seize multiple laptops, hard drives, blank cards with magnetic stripes, as well as a Bitcoin seed phrase while Philbert was being arrested. 

In January, authorities in Florida apprehended another Canadian individual in connection with several Netwalker ransomware attacks. According to the DOJ, Sebastien Vachon-Desjardins made around $27.6 million through various ransomware attacks on Canadian organizations such as the Northwest Territories Power Corporation, the College of Nurses of Ontario, and a Canadian Tire business in British Columbia. 

Many people assume that ransomware attacks originate in Russia or the Commonwealth of Independent States, according to Emsisoft threat analyst Brett Callow, a ransomware expert based in Canada. 

While the ransomware itself may be "made" in certain countries, Callow pointed out that the people who use it to carry out attacks could be located elsewhere. 

"In fact, there's so much money to be made from ransomware, it would be extremely surprising if individuals in countries like Canada, America, and the UK hadn't entered the market. Those individuals may, however, be sleeping a little less well at night than they used to. In the past, there was a near-zero chance of them being prosecuted for their crimes, but that's finally starting to change," Callow said.

Israeli Company's Spyware Targets US State Department Phones

According to four individuals familiar with the situation, the iPhones of at least nine U.S. State Department employees were compromised by an unidentified attacker using advanced spyware produced by the Israel-based NSO Group. 

The attacks, which occurred in the previous few months, targeted U.S. officials who were either based in Uganda or focused on issues about the East African country, according to two of the sources. 

The attacks, first disclosed in this report, are the most extensive known hacks of US officials using NSO technology. Earlier reporting on NSO had surfaced a database of phone numbers of potential targets that included some American officials, although it was unclear whether intrusions were actually attempted or succeeded. 

NSO Group said in a statement that it had no evidence that its tools had been used, but that it had canceled access for the relevant customers and would investigate. 

"If our investigation shall show these actions indeed happened with NSO's tools, such customer will be terminated permanently and legal actions will take place," said an NSO spokesperson, who added that NSO will also "cooperate with any relevant government authority and present the full information we will have." 

NSO has always stated that it exclusively sells its products to government law enforcement and intelligence agencies to assist them in monitoring security concerns and that it is not intimately associated with surveillance operations. 

A State Department official declined to comment on the intrusions and pointed to the Commerce Department's recent decision to place the Israeli corporation on its entity list, making it more difficult for US businesses to do business with it. 

NSO Group and another spyware firm were "added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers," the Commerce Department said in an announcement last month. 

According to product instructions reviewed by Reuters, the NSO application is capable of not just stealing encrypted messages, images, and other confidential material from compromised phones, but also turning them into recording devices to watch their surroundings. 

Apple's advisory to affected users did not name the developer of the spyware employed in this hack. According to two of the people who were alerted by Apple, the victims included American residents who were easily identifiable as U.S. government officials because they had associated email addresses ending in state.gov with their Apple IDs. 

According to the sources, they and other victims alerted by Apple in multiple countries have been affected by the same graphics processing vulnerability. 

The Israeli embassy in Washington stated in a statement that targeting American officials would be a major violation of its norms. 

"Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes," an embassy spokesperson said. "The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions."

The New Yanluowang Ransomware Gang is Targeting US Businesses

Symantec recently identified a new ransomware strain known as Yanluowang in targeted operations against US companies. 

The Symantec Threat Hunter team found a "new arrival to the targeted ransomware scene" in October that appeared to still be under development. Nevertheless, according to a blog post published on Wednesday, 1 December 2021, the variant dates back to at least August of this year. According to Symantec, the operators behind Yanluowang mostly targeted financial firms, although businesses in the manufacturing, IT services, consulting, and engineering industries have also been attacked. 

According to Vikram Thakur, technical director at Symantec, the threat is more opportunistic than carefully targeted ransomware attacks. Most of the cases Thakur has seen involved unpatched Microsoft Exchange servers or Internet Information Services (IIS) servers. 

Symantec detected multiple indicators of compromise, including the use of publicly available tools such as AdFind to locate the victim's Active Directory server and SoftPerfect Network Scanner, which finds hostnames and network services. Yanluowang threat actors frequently employ BazarLoader, a malware loader typically used in the early stages of ransomware attacks. 

"Once attackers get onto the computer, they take the installer for ConnectWise type applications and then double click on it and then they install it," Thakur said. 

"If I was to take a look at the last 100 ransomware connected investigations over the last couple of months, attackers have always installed it on the computer rather than relying upon something that's already there." 

In most cases, according to the blog post, "PowerShell was used to download tools to compromised systems." 

"After gaining initial access, the attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool."  

The later attack phases detected by Symantec feature credential theft using a variety of credential-stealing programs, including GrabChrome, which collects credentials from Chrome. Open-source tools such as KeeThief, described by Symantec as a "PowerShell script to copy the master key from KeePass", have also been used. 

While investigating the new ransomware outbreak, Symantec Threat Intelligence discovered certain tactics, techniques, and procedures (TTPs) that are similar to Thieflock, a well-known ransomware-as-a-service "developed by the Canthroid". 

One such link is the use of "custom password recovery tools such as GrabFF and other open-source password dumping tools."

To counter the Yanluowang threat, Thakur recommends that businesses audit the computers on their network and hunt for unapproved software. 

"The simplest solution is when patches are released for the applications on your machines, test them, deploy them as quickly as possible, because attackers are going to exploit them in just a matter of days after," he added.

US Department of Treasury Declares Sanctions Against Chatex Cryptocurrency Exchange

The US Treasury Department today announced sanctions against the Chatex cryptocurrency exchange for helping ransomware groups evade sanctions and carry out ransomware transactions. In September, the department also sanctioned the Russia-based Suex crypto exchange for assisting at least eight ransomware groups, with more than 40% of its known transactions linked to threat actors. 

"Ransomware incidents have disrupted critical services and businesses globally, as well as schools, government offices, hospitals, and emergency services, transportation, energy, and food companies. Reported ransomware payments in the United States so far have reached $590 million in the first half of 2021, compared to a total of $416 million in 2020," said the US Treasury. An analysis of the exchange's known transactions indicates that more than half are traceable to illicit or high-risk activity, including darknet markets, ransomware, and high-risk exchanges, the Treasury Department says. 

Chatex is designated pursuant to Executive Order (E.O.) 13694, as amended, for providing material support to Suex and for the threat posed by ransomware actors. By sanctioning crypto exchanges that provide material support to ransomware groups, the United States hopes to cut off their funding and shut down their operations. According to the Treasury Department, unprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activity, especially by laundering and cashing out the proceeds for criminals. 

The Treasury says it is using all available tools to constrain malicious actors, disrupt illicit proceeds, and deter further activity against US citizens. According to BleepingComputer, "FinCEN's Financial Trend Analysis report was issued on the heels of governments worldwide saying they will crack down on cryptocurrency payment channels used by ransomware gangs. One year ago, the Treasury Department's Office of Foreign Assets Control (OFAC) also warned ransomware negotiators that they could face civil penalties for facilitating ransom payments if their deals involve ransomware gangs already on its sanctions list."

Iran Accuses USA and Israel of Carrying Out Fuel Cyberattacks

An Iranian general alleged that Israel and the US may have been behind a cyberattack that disrupted fuel distribution at service stations in Iran. The attack, which happened on Tuesday, is similar to two recent incidents that the general also attributes to Iran's rivals, the USA and Israel: the Shahid Rajaei port incident and the railway incident, which on analysis were found to resemble this one. Earlier this year, according to Iran's transportation ministry, a cyberattack disrupted its website and computer systems, the Fars news agency reports. 

"In a country where petrol flows freely at what are some of the lowest prices in the world, motorists need digital cards issued by the authorities. The cards entitle holders to a monthly amount of petrol at a subsidized rate and, once the quota has been used up, to buy more at the more expensive market rate," reports SecurityWeek. In 2020, The Washington Post reported that Israel had orchestrated an attack on the Iranian port of Shahid Rajaei (on the Strait of Hormuz), a strategic route for global oil shipments. 

The recent cyber disruption caused traffic jams in major parts of Tehran, as long lines at petrol pumps blocked traffic. Following the incident, the oil ministry shut down the service stations so that petrol could be distributed manually, the authorities said. On Wednesday, President Ebrahim Raisi alleged that the attackers were trying to turn the people of Iran against the Islamic Republic's leadership. According to the reports, an estimated 3200 out of the country's 4300 service stations have been re-linked to the central distribution system, said the National Oil Products Distribution Company. 

Other stations also sell fuel to motorists, but not at subsidized rates, which means roughly twice the price, around 5-6 US cents/litre. SecurityWeek reports, "Since 2010, when Iran's nuclear program was hit by the Stuxnet computer virus, Iran and its arch-foes Israel and the United States have regularly accused each other of cyberattacks. The conservative Fars news agency on Tuesday linked the breakdown to opponents ahead of the second anniversary of deadly protests sparked by a hike in petrol prices."

Facebook says Iranian Hackers Targeted U.S. Military Personnel

On Thursday, Facebook announced that it had shut down approximately 200 accounts operated by a group of hackers in Iran as part of a cyber-spying operation that focused primarily on US military officials and others working in defense and aerospace firms. 

The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook. 

In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it." 

According to Facebook, the group created fake identities on numerous social media sites to look more legitimate, frequently impersonating recruiters or staff of aerospace and defense firms. LinkedIn, which is owned by Microsoft, announced the removal of several accounts, while Twitter said it was "actively investigating" the data in Facebook's report. 

The malware was distributed via email, chat, and collaboration platforms, according to Facebook, including malicious Microsoft Excel spreadsheets. In a statement, a Microsoft spokesman said the company was aware of and tracking this actor, and that it takes action when harmful behavior is detected. 

Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules. 

According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor. 

In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted. 

The campaign appeared to demonstrate an extension of the group's operations, which had previously been claimed to focus mostly on the Middle East's I.T. and other businesses, according to Facebook. A section of the malware employed by the organization was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, as per the inquiry. 

Mahak Rayan Afraz's contact information was not readily available to Reuters, and former employees of the firm did not respond to LinkedIn messages sent to them. A request for comment from Iran's mission to the United Nations in New York was not immediately answered. The allegations that MRA is involved in Iranian state cyber espionage are not new. MRA was one of numerous contractors suspected of assisting the IRGC's elite Quds Force, according to cybersecurity firm Recorded Future. 

Iranian spies, like other espionage services, have long been alleged to farm out their missions to a variety of domestic contractors. Facebook stated the fraudulent domains had been blocked from being shared, while Google said the domains had been added to its "blocklist."

100 Military Personnel to Train in US to Combat Cyber Warfare

The Indian government seems to be gearing up in the wake of the growing threat of cyber-attacks against the Indian armed forces. The Department of Military Affairs (DMA) is planning to send 100 personnel to the US to be trained in the latest cybersecurity technology and Artificial Intelligence (AI) for future warfare. Reports published in June indicate that China's cyber spies are targeting India's Defence Department and many other sectors, including telecom. 

According to South Block officials, under the 2016 Cyber Framework and Defense Cooperation Agreement, the US has offered to train 100 military personnel in Silicon Valley to help them combat cyber warfare and the role of AI in future defense and warfare. The South Block houses the offices of the Ministry of Defence, Ministry of External Affairs, PMO, and NSA. 

The Indian Army already has a tri-services defense cyber agency under the Integrated Headquarters. The government is in favor of setting up a proper cyber command in the hinterland of Madhya Pradesh to give a fighting edge to the proposed theater command. The proposed Cyber Command will combine the individual capabilities of the three services to protect the Army from being vulnerable to cyber-attacks by India's adversaries.  

The command's charter would also ensure that Indian military communications are secure and that systems are not affected by malware in forward formations such as the sensitive Siliguri Corps, Tezpur Corps, and the Northern Command, including the Tibet-facing Ladakh Corps. Over the past decade the Siliguri Corps in the Chumbi Valley has witnessed malware-based cyber-attacks that not only affected software but also leaked sensitive documents to adversaries. These corps, including the Siliguri Corps, are separate formations of the Indian Army.

On June 16, cybersecurity firm Recorded Future published a report claiming that a suspected unit of Chinese cyber soldiers has targeted Indian telecom companies, government agencies, and several defense contractors. The cyber threat intelligence company disclosed that there was evidence of these espionage operations by China and that one of them was linked to a specific unit of the People's Liberation Army (PLA).