
Ex-NSA Employee Charged with Espionage Case

A former U.S. National Security Agency (NSA) employee from Colorado has been arrested for attempting to sell classified information to a foreign spy, reportedly in order to pay off his personal debts. 

According to court documents unsealed on Thursday, the person the accused, Jareh Sebastian Dalke, 30, believed to be a foreign agent was in fact an undercover agent working for the Federal Bureau of Investigation (FBI). 

Dalke believed he was in contact with a representative of a particular nation "with many interests that are adverse to the United States," but he was actually talking to an undercover FBI agent, according to his arrest affidavit. 

Dalke was arrested on Wednesday after he allegedly agreed to hand over classified information. "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession. Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver," the DoJ said; it was at that location that he was arrested. 

Dalke had been employed at the NSA from June 6, 2022, to July 1, 2022, as an Information Systems Security Designer on a temporary assignment in Washington, D.C. He is also accused of transferring additional National Defense Information (NDI) to the undercover FBI agent at an undisclosed location in Colorado. 

He was arrested on September 28 and charged with three violations of the Espionage Act. The arrest affidavit does not identify the country Dalke allegedly believed he was dealing with. 

The affidavit, filed by the FBI, states that Dalke also served in the U.S. Army from about 2015 to 2018 and held a Secret security clearance, which he received in 2016. He held a Top Secret security clearance during his tenure at the NSA. 

"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.

Traffic Safety Agency Issues Final Guidelines for Vehicle Cybersecurity

The National Highway Traffic Safety Administration (NHTSA) will publish the final version of its vehicle cybersecurity best practices in the Federal Register on Friday. The document focuses on cryptographic techniques and other measures to reduce cyber risk as vehicles become more connected and software-driven. 

NHTSA incorporated public comments received during the open comment period on the draft of Cybersecurity Best Practices for the Safety of Modern Vehicles. The agency also added more detail on key management and cryptographic elements, and on how threat actors could abuse the software update process to get into a vehicle's network. 

The Federal Register notice states that advances in vehicle and automotive technology have increased the exposure to cyber attack, and that organizations should follow proper guidelines to keep vehicles safe. 

“The evolution of automotive technology has included an increasingly expanded use of electronic systems, software, and wireless connectivity. Automotive technology has developed to such an extent that today's vehicles are some of the most complex computerized products available to consumers,” the notice reads. 

“…Enhanced wireless connectivity and continued innovations in electronic control systems introduce substantial benefits to highway transportation safety, mobility, and efficiency. However, with the proliferation of computer-based control systems, software, connectivity, and onboard digital data communication networks, modern vehicles need to consider additional failure modes, vulnerabilities, and threats that could jeopardize benefits if the new safety risks are not appropriately addressed."

According to the final version, manufacturers should implement measures in the following four areas: 

• Managing vehicle cybersecurity risk 
• Investigating and responding to security incidents across the vehicle fleet 
• Securing vehicles by design to mitigate risks along the value chain 
• Ensuring that vehicle safety is not compromised, including by providing secure software updates

By contrast, in the European Union, binding automotive cybersecurity regulations (rather than voluntary best practices like NHTSA's) apply to all new vehicles from July 2024. Japan and South Korea have also agreed to adopt the regulations, on their own timelines. 

US Government Seizes Cryptocurrency Worth $30 Million From Lazarus Hackers

The U.S. government, working with blockchain analysts and FBI agents, has seized $30 million worth of cryptocurrency stolen earlier this year by the North Korea-linked Lazarus Group from the popular token-based 'play-to-earn' game Axie Infinity. 

The seizure was announced during the AxieCon event today, where officials highlighted it as a major achievement and encouraged further large-scale collaboration between law enforcement agencies and private companies against growing cyber threats. 

Blockchain analysts said on Thursday that it is a milestone for law enforcement: the first time agencies have seized cryptocurrency stolen by the Lazarus Group. 

“I am proud to say that the Chainalysis Crypto Incident Response team played a role in these seizures, utilizing advanced tracing techniques to follow stolen funds to cash out points and liaising with law enforcement and industry players to quickly freeze funds”, Chainalysis wrote in a blog post. 

Chainalysis described the group's laundering process, which involves the following five stages: 

• Stolen Ether is sent to intermediary wallets 
• The Ether is mixed in batches using Tornado Cash 
• The Ether is swapped for bitcoin 
• The bitcoin is mixed in batches 
• The bitcoin is deposited at crypto-to-fiat services for cash-out 
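The first stage of that chain, following funds out of the theft address through intermediary wallets until they land at a mixer or an exchange deposit address, is what the "tracing" in the Chainalysis quote refers to. The following is an added example, not Chainalysis's tooling (the page says nothing about its actual heuristics), using the pro-rata ("haircut") taint rule: an outgoing transfer carries the same tainted fraction as the sending wallet's current balance. Every address, label and amount is constructed.

```python
"""Following stolen funds through intermediary wallets to mixers and cash-out
points with pro-rata ("haircut") taint propagation. Added example; this is not
Chainalysis's tooling and the page does not describe its heuristics. Every
address, label and amount below is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

Transfer = Tuple[str, str, float]  # (from, to, amount), in chain order

# Constructed address labels: the services that tracing aims to reach.
LABELS = {
    "mixer_pool": "mixer",
    "exch_a_deposit": "exchange",
    "exch_b_deposit": "exchange",
}

# Constructed transfers. "hack" starts with 1000 stolen units; w2 also receives
# 400 clean units from an unrelated sender, so its outflows are only half tainted.
TRANSFERS: List[Transfer] = [
    ("hack", "w1", 600.0),
    ("hack", "w2", 400.0),
    ("clean_src", "w2", 400.0),
    ("w1", "mixer_pool", 600.0),
    ("w2", "exch_a_deposit", 500.0),
    ("w2", "w3", 300.0),
    ("w3", "exch_b_deposit", 300.0),
]


def trace(transfers: List[Transfer], source: str, stolen: float,
          labels: Dict[str, str]) -> Dict[str, Dict[str, float]]:
    """Return the tainted value that reached each labelled service, by label type.

    Haircut rule: an outgoing transfer carries the same tainted fraction as the
    sending wallet's current balance. Labelled services are terminal: a mixer
    breaks the on-chain link, an exchange deposit is where a freeze request goes."""
    balance: Dict[str, float] = defaultdict(float)
    tainted: Dict[str, float] = defaultdict(float)
    balance[source] = stolen
    tainted[source] = stolen
    reached: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for src, dst, amount in transfers:
        if src in labels:
            continue                      # do not follow funds out of a service
        # Senders we have no history for (balance 0) contribute no taint.
        fraction = tainted[src] / balance[src] if balance[src] > 0 else 0.0
        moved = amount * fraction
        balance[src] -= amount
        tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
        if dst in labels and moved > 0:
            reached[labels[dst]][dst] += moved
    return {kind: dict(addrs) for kind, addrs in reached.items()}


if __name__ == "__main__":
    result = trace(TRANSFERS, "hack", 1000.0, LABELS)
    for kind, addrs in result.items():
        for addr, amt in addrs.items():
            print(f"{kind:9} {addr:15} {amt:8.1f}")
    # mixer     mixer_pool         600.0
    # exchange  exch_a_deposit     250.0
    # exchange  exch_b_deposit     150.0
```

Of the 1000 stolen units, 600 disappear into the mixer (the trail ends there without demixing), while 400 reach two exchange deposit addresses, which is where a freeze request can be directed. Real investigations also have to choose between haircut, FIFO and "poison" taint rules, and the choice changes the numbers.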

Since the incident, the U.S. Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Tornado Cash for its role in laundering the stolen cryptocurrency. 

The Axie Infinity hack cost around $620 million at the time of the theft, so the amount recovered represents only about 5% of that value, and roughly 10% of the stolen cryptocurrency by amount. 

The analysts further stated they “have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers. There is still work to be done, but this is a milestone in our efforts to make the cryptocurrency ecosystem safer.” 

The U.S. government and the New York-based blockchain analysis firm expect to recover more of the stolen funds in the future.

API Security Losses Total Billions, US Companies Hit Hard

According to an analysis of breach data, U.S. companies are the hardest hit by API-related compromises, losing an estimated $12 billion to $23 billion in 2022 from incidents linked to web application programming interfaces (APIs). 

APIs are used on websites and in Internet of Things (IoT) applications. An API is a mechanism that lets two software systems interact: it defines the kinds of requests one program can make of another, how those requests are made, and the data formats used. For example, the Google Maps application on a mobile device does not contain the names of all the streets, cities, towns and other landmarks; instead, it connects to a service on Google's servers that holds that information, and this connection is made through an API. 

Data from the last decade shows API security growing into a significant cybersecurity problem. In response, the Open Web Application Security Project (OWASP) published its first API Security Top 10 in 2019. 

It describes API weaknesses including broken object level authorization, broken user authentication, and excessive data exposure as critical issues for software makers and for companies that rely on cloud services. API security has therefore become increasingly important. 

APIs form the backend of mobile and web applications, and sensitive data flows between users, APIs, applications and systems through them. Protecting the data they carry is therefore essential. 
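Two of the OWASP API weaknesses named above, broken object level authorization and excessive data exposure, usually appear together in the same endpoint. The following is an added example (not code from the article, Imperva or OWASP) that shows a vulnerable order-lookup handler beside a hardened one, and the id-enumeration loop an attacker runs against each. The Order type, the in-memory ORDERS table, the user names and the function names are hypothetical.

```python
"""Broken object level authorization (OWASP API1:2019) and excessive data
exposure (API3:2019) in one endpoint, beside a hardened version.

Added example; not code from the article, Imperva or OWASP. The Order type,
the in-memory ORDERS table and the user names are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int
    card_number: str  # full PAN: must never be serialised to a client
    ship_to: str


# Constructed sample data standing in for a database table.
ORDERS: Dict[int, Order] = {
    101: Order(101, "alice", 4999, "4111111111111111", "1 Main St"),
    102: Order(102, "bob", 12000, "5555555555554444", "9 Elm Rd"),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller: str, order_id: int) -> dict:
    """GET /orders/{id} as too many APIs implement it.

    API1: the caller is authenticated but ownership of the object is never
    checked, so any logged-in user can read any order by guessing ids.
    API3: the whole record is serialised, card number included, and the
    client is trusted to discard what it should not see."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return vars(order).copy()


def get_order_secure(caller: str, order_id: int) -> dict:
    """Same endpoint with object-level authorization and a response allow-list."""
    order = ORDERS.get(order_id)
    # One failure path for "does not exist" and "not yours": a distinct 403
    # would confirm to an attacker which ids are valid.
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    # Explicit allow-list of fields; new columns never leak by default.
    return {
        "order_id": order.order_id,
        "total_cents": order.total_cents,
        "ship_to": order.ship_to,
        "card_last4": order.card_number[-4:],
    }


def enumerate_orders(handler: Callable[[str, int], dict], caller: str,
                     ids: Iterable[int]) -> List[int]:
    """What an attacker's id-enumeration loop sees: the ids the handler returns
    for this caller. Against the vulnerable handler that is every order."""
    readable = []
    for order_id in ids:
        try:
            handler(caller, order_id)
            readable.append(order_id)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", enumerate_orders(get_order_vulnerable, "bob", range(100, 110)))
    print("secure:    ", enumerate_orders(get_order_secure, "bob", range(100, 110)))
    print(get_order_vulnerable("bob", 101))  # alice's full card number leaks
    print(get_order_secure("bob", 102))
```

The ownership check belongs in the data-access layer rather than in each handler, so that a new endpoint cannot forget it, and the allow-listed response shape should be the only serialisation of the model that exists.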

The report, 'Quantifying the Cost of API Insecurity', published this week by application-security firm Imperva and risk-strategy firm Marsh McLennan, expects API-related security incidents to grow as APIs become the common integration pattern for cloud and mobile services.

"The growing security risks associated with APIs correlate with the proliferation of APIs. The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs," says Lebin Cheng, vice president of API security for Imperva. 

The data also shows more than 100 API security incidents in Asia and more than 600 in the U.S. To reduce their exposure, companies need visibility into how they use APIs and a complete inventory of the API traffic on their networks.

Owner of CafePress Penalized $500,000 for Hiding a Data Breach


CafePress's former owner, Residual Pumpkin, has been fined $500,000 by the U.S. Federal Trade Commission (FTC) in a final order over a 2019 data breach that affected 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Residual Pumpkin stored Social Security numbers and password-recovery answers in plain text and retained them for longer than necessary. It also failed to apply readily available safeguards and to respond to known security vulnerabilities. After several attacks on its servers, it attempted to cover up a significant data breach that its inadequate security practices had made possible. 

The FTC's order was approved by a unanimous 5-0 vote. Beyond the fine, the order requires the companies to implement multi-factor authentication and to encrypt all Social Security numbers. 

Under the order, the company's current owner, PlanetArt, which acquired CafePress in 2020, has set up a system to notify all customers and vendors whose personal information was compromised.

During a February 2019 breach of CafePress's servers, unknown attackers gained access to the personal information of 23,205,290 users, including passwords stored as unsalted SHA-1 hashes, and later sold the data on the dark web. Many users first learned of the incident through notifications from Troy Hunt's Have I Been Pwned service; the only sign from CafePress itself was that users were prompted to reset their passwords at login, without being told about the breach. 
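The SHA-1 detail is the reason the stolen password data was so damaging: a bare, fast hash without a per-user salt lets one precomputed table crack every user with a common password at once. The following is an added example, not CafePress code, that puts that weak scheme beside a salted, iterated PBKDF2 scheme built only from Python's standard library. The user records and the wordlist are constructed; the example covers the password-hashing problem only, not the plaintext SSN storage the order separately addresses.

```python
"""Password storage the way the CafePress breach exposed it (bare, unsalted
SHA-1) beside a salted, iterated PBKDF2 scheme. Added example; not CafePress
code. The user records and the wordlist are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000

# Constructed wordlist; real cracking uses leaked-password corpora.
WORDLIST = ["password", "letmein", "summer2019", "cafepress1", "qwerty"]


# --- the weak scheme -------------------------------------------------------
def sha1_store(password: str) -> str:
    """Unsalted SHA-1: fast, and the same password always yields the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One precomputed table cracks every user at once, because there is no
    salt to make each hash unique. Returns {user: recovered password}."""
    table = {sha1_store(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# --- the hardened scheme ---------------------------------------------------
def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF; the parameters travel with the
    hash so they can be raised later without invalidating old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    users = {"alice": sha1_store("summer2019"),
             "bob": sha1_store("summer2019"),
             "carol": sha1_store("n0t-in-the-l1st")}
    print("cracked:", crack_sha1(users, WORDLIST))          # alice and bob
    print("alice == bob:", users["alice"] == users["bob"])  # True: no salt
    a, b = pbkdf2_store("summer2019"), pbkdf2_store("summer2019")
    print("same password, different records:", a != b)
    print("verify ok:", pbkdf2_verify("summer2019", a),
          "wrong pw:", pbkdf2_verify("summer2018", a))
```

Two users with the same password get identical SHA-1 hashes, so the table lookup recovers both in one pass; under the salted scheme their stored records differ and each guess costs the attacker 600,000 HMAC computations per user. Where a memory-hard function such as scrypt or Argon2 is available it should be preferred, but PBKDF2 with these parameters is already a different world from bare SHA-1.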

According to the FTC, CafePress knew it had vulnerabilities even before the 2019 incident: some of its merchants' accounts had been compromised since at least January 2018.

Instead of telling the affected users about those incidents, CafePress closed their accounts and charged each of them a $25 account closure fee. Before the 2019 breach, the company's network was also hit by several malware infections, and again CafePress neglected to investigate the attacks.

North Orange County Community College District Suffered Ransomware Attack


According to an official filing by the District, on Monday, January 10, 2022, the North Orange County Community College District (NOCCCD or the District) noticed malicious activity on servers at both of the District's colleges, Cypress College and Fullerton College. 

In response, the District launched an investigation with the assistance of outside computer forensic specialists to learn more about the attack and determine whether any employee or student data had been exposed. The notices posted on the campus websites reveal that it was a ransomware incident. 

On March 25, 2022, NOCCCD reportedly notified more than 19,000 people about the data security incident. It has begun sending data breach notification letters to all employees and students whose information was exposed, and said it will send further letters if it learns that other parties were affected. 

The investigation confirmed that files containing sensitive personal data of employees and students may have been accessed or removed from the District's network. A copy of the notice was also posted on Fullerton College's page for international students. 

While disclosing what types of data might have been compromised, the notice read, “name, and passport number or other unique identification number issued on a government document (such as Social Security number or driver’s license number); financial account information; and/or medical information.” 

The District said it is also working with the colleges to review and strengthen its data protection policies. It has implemented multi-factor authentication and an advanced threat protection and monitoring tool, and is rolling out new cybersecurity training for employees across the District.

Biden Prolongs National Emergency Amid Increasing Cyber Threats


Against the backdrop of the Russia-Ukraine war, the growing risk of cyber threats to U.S. national security, the economy and foreign policy has prompted President Joe Biden to extend the national emergency originally declared by President Barack Obama in April 2015. 

The extension comes after the Cybersecurity and Infrastructure Security Agency (CISA) warned of possible Russian state-sponsored cyberattacks against U.S. organizations following the invasion of Ukraine. 

The war will be the main topic at Thursday's NATO meeting, where the Biden administration will rally Western allies and announce a new round of financial sanctions against the Russian government; Biden is expected to announce sanctions on hundreds of members of Russia's lower house of parliament. Further sanctions are expected to raise the cyber threat to the U.S. government. 

Last month, CISA and the FBI alerted U.S. organizations to the potential spillover of data-wiping attacks against Ukraine. 

"Significant malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities," said Biden. 

On Tuesday, Biden's national security adviser Jake Sullivan said that the administration believes that right now "they have effective posture today for what's necessary today," but further he said that Biden and NATO allies will discuss "longer-term adjustments to NATO force posture on the eastern flank."

NSA Employee Indicted for 'Leaking Top Secret Info' To a Woman


The U.S. Department of Justice (DoJ) has charged an NSA employee with sharing highly sensitive national security information with a private-sector employee. 

According to a DoJ announcement and the indictment, an NSA staffer named Mark Unkenholz "held a TOP SECRET/Sensitive Compartmented Information (SCI) clearance and had lawful access to classified information relating to the national defense." 

The indictment, unsealed on Thursday in U.S. District Court in Baltimore, accuses Mark Unkenholz, 60, an employee of the NSA office that engages with private industry, of sending 13 unauthorized emails to a woman referred to as "RF" between February 2018 and June 2020, each containing top secret information relating to national defense. 

The indictment says Unkenholz had "reason to believe [the info] could be used to the injury of the United States or to the advantage of any foreign nation." The DoJ said RF also held a TOP SECRET/SCI clearance from April 2016 until approximately June 2019 through her employer, referred to as Company 1; when she moved to Company 2, her clearance lapsed. 

According to the indictment's timeline, Unkenholz sent the files to RF both while she worked at Company 1 and after she moved to Company 2, when her clearance was no longer sufficient for the material. 
Unkenholz also used his personal email account, which under the regulations is not an authorized storage location for classified information. He has been charged with 13 counts of willful retention of national defense information on top of 13 counts of willful transmission. Each count carries a maximum sentence of 10 years in federal prison.

FBI Investigating More than 100 Ransomware Variants


Ransomware attacks spread faster than most organizations can respond. The United States Federal Bureau of Investigation (FBI) is investigating more than 100 different ransomware variants, many of which have been used in multiple attack campaigns. 

Bryan Vorndran, assistant director of the FBI’s Cyber Division has explained his team’s efforts against the malware threats to the United States House Committee on the Judiciary in Washington. 

In his testimony, Vorndran said that “There is not a day that goes by without multiple FBI field offices responding to ransomware attacks. The ransomware threat is not new, and it has been one of the FBI’s top cybercriminal investigative priorities for some time, but we have seen ransomware attack reporting increase significantly in the past two years, and the impact of these attacks has grown to dangerous proportions, threatening our economic and national security.” 

According to data published by the FBI this week, cyberattacks across the U.S. produced a record number of complaints. Vorndran said that from 2019 to 2021, the number of ransomware complaints reported to the FBI's Internet Crime Complaint Center (IC3) increased by 82%, with a 449% rise in ransom payments. In 2021 alone, IC3 received more than 847,000 complaints, with estimated losses exceeding $6.9 billion. 

“Ransomware-as-a-service’ (when a developer sells or leases ransomware tools to criminal customers) has decreased the barrier to entry and technological savviness needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns,” noted Vorndran. 

FBI Deputy Director Paul Abbate said the bureau's cyber division is working harder than ever against the surge in cyber threats. 

He added, “We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attachés and cyber assistant legal attachés.”

FBI Warns Election Officials of Credential Phishing Attacks


On Tuesday, the FBI warned that U.S. election officials are being targeted in an ongoing, widespread phishing campaign by unidentified threat actors trying to steal their credentials. The campaign has been active since at least October 2021. 

The FBI said the attackers used several methods to lead targets to phishing pages and trick them into entering their login credentials, including sending emails from compromised accounts of U.S. government officials and from addresses spoofing U.S. businesses. 

"If successful, this activity may provide cyber actors with sustained, undetected access to a victim's systems," the FBI said in a private industry notification.

"…As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials." 

According to the FBI, the threat actors targeted officials in three separate "coordinated" phishing waves aimed at election officials across at least nine states; representatives of the National Association of Secretaries of State were also targeted in October. 

The first wave came to light on October 5, when unidentified attackers used two email addresses, one belonging to the compromised account of a government official, in an attempt to steal the login details of election officials. Less than two weeks later, two near-identical phishing waves were sent from email addresses associated with U.S. businesses. 

In each wave, the email carried an attachment named "INVOICE INQUIRY.PDF" which, once opened, redirected the user to a credential-harvesting website. 

The FBI said the threat "is still very real" heading into the 2022 election season, and that the actors behind the campaign will likely continue to target U.S. election officials with new phishing emails as the midterm elections approach. 

The notification asks network defenders to train officials to recognise phishing, social engineering and spoofing attempts, and to protect their systems against these common threats.

Cyber-Attack on New York Ethics Watchdog

New York's public ethics watchdog, the Joint Commission on Public Ethics (JCOPE), has shut down its systems after state information technology staff discovered a malicious cyber-attack on its web servers. 

The watchdog, which regulates lobbying at the State Capitol, reported last Friday evening that it had launched an investigation to determine the scope of the attack and who was behind it, after receiving an alert about suspicious activity on its network.

Following the attack, the Commission has shut down the systems as a precaution, including its lobbying application and financial disclosure statement online filing system.

JCOPE said the systems will remain offline until the agency can safely resume normal operations. Officials have not said who was responsible for the attack, but the agency plans to work with state law enforcement to investigate.

“Our first and highest priority is the safety and integrity of the data entrusted to the Commission by the regulated community,” said JCOPE Executive Director Sanford Berland in a statement.

While the systems are down, the public cannot access data about lobbyist spending, and lobbyists cannot submit their required filings. JCOPE said it will grant automatic extensions to anyone who misses a deadline because of the outage. 

JCOPE spokesperson Walter McClure added that "the outage also affects searches using the agency’s legacy lobbyist filing system, which was in use until 2019".

US Arrested Multi-year Phishing Scam Suspect


An Italian man accused of running a multi-year phishing scheme to steal hundreds of unpublished book manuscripts from authors such as Margaret Atwood and Ethan Hawke has been arrested. If convicted, he faces a maximum of 20 years in prison for wire fraud and an additional two years for aggravated identity theft. 

The Department of Justice said the man, 29-year-old Filippo Bernardini, was arrested by the FBI on Wednesday at John F. Kennedy International Airport in New York. Bernardini worked for the London-based publisher Simon & Schuster and allegedly impersonated editors, agents and other publishing-industry personnel to fraudulently obtain manuscripts of unpublished books. 

“We were shocked and horrified on Wednesday to learn of the allegations of fraud and identity theft by an employee of Simon & Schuster UK. The employee has been suspended pending further information on the case…” Simon & Schuster said in a statement to Variety. 

“…The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.” 

According to prosecutors, the scheme began in August 2016, with Bernardini using fake email addresses on more than 160 domains spoofing literary agencies, literary scouting agencies and publishing houses. 

He also sent phishing emails to employees of a New York City-based literary scouting company, obtained their credentials, and used them to access the company's database of synopses and other information on upcoming books. 

"These prepublication manuscripts are valuable, and the unauthorized release of a manuscript can dramatically undermine the economics of publishing, and publishing houses generally work to identify and stop the release of pirated, prepublication, manuscripts," the Department of Justice said today. 

"Such pirating can also undermine the secondary markets for published work, such as film and television, and can harm an author’s reputation where an early draft of the written material is distributed in a working form that is not in a finished state."

Phishing Scam Tempts Military Families


Threat analysts at Lookout have reported a phishing campaign targeting members of the U.S. military and their families. According to the report, it is a long-running operation that impersonates military support organizations and service members to lure victims into advance-fee scams and steal their personal and financial information. 

Financially motivated, the scammers collect sensitive data from victims, including bank account information, photo identification, names, addresses and phone numbers, Lookout said. 

“Based on our analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address, and phone number…,” wrote Lookout’s threat analysts in a blog post published today. 

“…With this information, the actor could easily steal the victim’s identity, empty their bank account and impersonate the individual online,” the blog further read.

The scammers built a series of legitimate-looking websites and bolstered their credibility with advertisements for purported Department of Defense services, to suggest an affiliation with the military. 

The operators offer expensive services that are never delivered, such as leave applications, communication permits and care packages, to victims who believe they are corresponding with a service member. Lookout's analysts also traced the operation to Nigeria. 

“The websites were primarily hosted by Nigerian providers that are offshore or ignore the Digital Millennium Copyright Act (DMCA). We were able to further confirm the operator’s location from a phone number one of the web developers accidentally left on the draft version of the site. The country code of the number is from Nigeria,” said researchers. 

“We were also able to link this group to numerous other scams advertising fake delivery services, crypto-currency trading, banks, and even online pet sales,” researchers added.

FBI Warns Against Ranzy Locker Ransomware That Has Attacked 30 US Firms So Far


The FBI announced on Monday, October 25, that Ranzy Locker ransomware operators had breached at least 30 U.S. companies across a range of industries this year.

"Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021," the FBI said in a TLP: WHITE flash alert. 

The flash alert was produced in collaboration with CISA and is intended to give security teams the information they need to detect and prevent similar ransomware attacks. 

Most of the Ranzy Locker victims who reported attacks to the FBI said the attackers got into their networks by brute-forcing Remote Desktop Protocol (RDP) credentials. 
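An RDP brute-force intrusion like the one described above leaves a distinctive trace in the Windows Security log: a burst of event 4625 (failed logon) with logon type 10 (RemoteInteractive) from one source address, followed by a 4624 (successful logon) from the same source. The following is an added detection example, not from the FBI alert, run over constructed events; the pipe-delimited export format, the thresholds and the sample events are all assumptions.

```python
"""Detecting RDP credential brute forcing in Windows Security events: a burst
of 4625 (failed logon) with logon type 10 (RemoteInteractive) from one source,
followed by a 4624 (successful logon) from the same source. Added example; not
from the FBI alert. The pipe-delimited export format, the thresholds and the
events themselves are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

THRESHOLD = 20             # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = "10"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

Alert = Tuple[str, str, str, object]  # (kind, source ip, timestamp, detail)


def parse(line: str):
    # Constructed export format: timestamp|EventID|LogonType|TargetUser|SourceIP
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return datetime.strptime(ts, TS_FMT), event_id, logon_type, user, src


def detect(lines) -> List[Alert]:
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Alert] = []
    for line in lines:
        ts, event_id, logon_type, user, src = parse(line)
        if logon_type != RDP_LOGON_TYPE:
            continue                      # only RDP logons are of interest
        window = recent[src]
        while window and ts - window[0] > WINDOW:
            window.popleft()              # slide the per-source window
        if event_id == "4625":
            window.append(ts)
            if len(window) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, ts.strftime(TS_FMT), len(window)))
        elif event_id == "4624" and src in flagged:
            # A success after a flagged burst is the signal that matters:
            # the account is likely compromised and RDP access is live.
            alerts.append(("rdp_bruteforce_success", src, ts.strftime(TS_FMT), user))
    return alerts


def _event(ts: datetime, event_id: str, user: str, src: str) -> str:
    return "|".join([ts.strftime(TS_FMT), event_id, RDP_LOGON_TYPE, user, src])


def constructed_events() -> List[str]:
    """Constructed sample log: one admin mistypes twice from a jump host, while
    an external address sprays 25 guesses at four accounts and then gets in."""
    base = datetime(2021, 7, 12, 2, 14, 0)
    lines = [_event(base + timedelta(seconds=7 * i), eid, "jdoe", "10.0.0.5")
             for i, eid in enumerate(["4625", "4625", "4624"])]
    accounts = ["Administrator", "admin", "backup", "svc_sql"]
    for i in range(25):
        lines.append(_event(base + timedelta(seconds=7 * i), "4625",
                            accounts[i % 4], "203.0.113.7"))
    lines.append(_event(base + timedelta(seconds=7 * 26), "4624", "backup", "203.0.113.7"))
    return sorted(lines)  # timestamps are fixed-width ISO, so string order is time order


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The jump-host user's two typos never reach the threshold and produce nothing, while the external address is flagged on its twentieth failure and again when the "backup" account logs in from it. In production the threshold and window should be tuned to the environment, and the real fix is the one the advisory implies: no RDP reachable from the internet, MFA on remote access, and account lockout.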

“The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” stated the advisory. 

Other victims reported that the attackers got in by exploiting known Microsoft Exchange Server vulnerabilities or through phishing. Once inside, the attackers looked for sensitive data to exfiltrate, such as customer information, files containing personally identifiable information (PII), and financial records. Ranzy Locker then encrypts files on compromised Windows hosts (including servers and virtual machines) and network shares, and drops a ransom note in every folder where encryption took place, demanding payment in exchange for a decryption tool. 

Victims who visit the group's Tor payment site see a 'Locked by Ranzy Locker' notice and a live chat window where they can negotiate with the attackers. As part of the "service", the operators offer to decrypt three files for free to demonstrate that the decryptor works. 

If victims do not pay, the stolen documents are published on the gang's data leak site, Ranzy Leak. 

The leak portal's domain was previously used by Ako ransomware, a holdover from the gang's rebranding from Ako to ThunderX and then to Ranzy Locker. 

ThunderX began operating in late August 2020. Within a month, Tesorion found weaknesses in its encryption, which enabled the release of a free decryptor. The group later fixed the flaws and released a new version of the malware under the Ranzy Locker name. 

“The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this communication; the context, individual indicators, particularly those of a non-deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation,” read the advisory.

Groove Ransomware Gang Urges Other Ransomware Gangs to Attack the US


Following last week's takedown of REvil's networks and infrastructure by law enforcement, the Groove ransomware gang has called on other extortion groups to attack US interests. 

According to Bleeping Computer, the REvil ransomware operation was halted again over the weekend when an unidentified third party hijacked its dark web domains. The Russian-led REvil syndicate was brought down last week by an extensive multi-country law enforcement operation that resulted in its network being hacked and knocked offline for the second time, the latest government effort to disrupt the lucrative ransomware ecosystem. 

During the takedown, a known REvil operator claimed that the unknown party was "looking" for them, having altered configuration settings to lure the threat actor into visiting a site controlled by that party. According to Reuters, REvil's takedown was the culmination of a multinational law enforcement effort that included FBI assistance. 

In a Russian blog post, the Groove ransomware group urged all the other ransomware organizations to target and attack US interests. 

The blog post also urges ransomware operators not to target Chinese enterprises, since the groups may need the country as a haven if Russia takes a tougher stance against cybercriminals operating within its borders. 

The entire translated message, with some unacceptable phrases censored, read:

"In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start xxcking up the US public sector, show this old man who is the boss here who is the boss and will be on the Internet while our boys were dying on honeypots, the nets from rude aibi squeezed their own... but he was rewarded with higher and now he will go to jail for treason, so let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies, I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL xxOES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this" - Groove ransomware. 

The prospect of attacks on US interests is consistent with information shared earlier this week with BleepingComputer by a threat intelligence analyst at a Dutch bank. 

After shutting down and separating from the original Babuk ransomware operation, a threat actor known as 'Orange' created the RAMP hacker forum in July 2021. Because Orange still controlled Babuk's Tor site, he used it to host the forum, where he served as administrator. Orange is also believed to be a representative of the Groove ransomware operation. 

Orange recently resigned as the forum's administrator to explore a new venture, but he provided no additional details. 

In addition, a subsequent tweet implies that the malicious actor is likely launching a new ransomware campaign after actively seeking the purchase of network access to US hospitals and government entities. 

It is unknown whether 'Orange' would carry out these attacks on US firms as part of the Groove operation or launch a separate ransomware campaign.

Cyber Attacker had Prior Access to the IT Systems of OSF Healthcare Before Outage


The Journal Star reported that OSF HealthCare's computer systems were back up on April 25 following a two-day outage that forced the Peoria, Ill.-based health institution to implement downtime processes and policies. The outage occurred around 3:45 a.m. on April 23, as per the report. 

OSF HealthCare, based in Peoria, Ill., began informing patients on October 1 that their personal health information had been exposed for more than six weeks as a result of a cyberattack on its IT systems earlier this year. The affected computer systems held patient information and records for numerous OSF HealthCare hospitals and sites.

OSF HealthCare is a non-profit Catholic healthcare organization based in Illinois and Michigan that administers a medical group, hospital system, and other healthcare facilities. OSF HealthCare is owned and run by the Sisters of the Third Order of St. Francis and is headquartered in Peoria, Illinois. 

"During the outage, downtime procedures and protocols were closely followed, which included rescheduling some appointments and procedures," an OSF HealthCare spokesperson said. "Patient safety is at the forefront of everything we do, and any decision to delay an appointment or procedure was made with safety in mind." 

OSF HealthCare announced on its website on Oct. 1 that the outage was caused by a data security incident. Its investigation found that an unauthorized party had access to its networks from March 7 to April 23 and accessed various files relating to OSF Little Company of Mary and OSF Saint Paul patients. 

The compromised data include personally identifiable information such as names, birthdates, Social Security numbers, treatment information, medication information and health insurance information. According to the notice, financial information belonging to a "smaller subset of patients" was also compromised. 

Patients whose Social Security numbers or driver's license information were disclosed will receive free credit and identity monitoring services from the health system. OSF HealthCare further stated that new precautions and technical security procedures have been adopted to safeguard its network infrastructure. 

OSF HealthCare operates 14 hospitals and a variety of other institutions throughout Illinois and Michigan. All institutions and facilities continued to operate and also admitted new patients during the April outage.

US House Homeland Leaders Introduce Bipartisan Cyber Incident Reporting Legislation


Representative Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, together with other members and ranking officials of the subcommittee, introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The Biden administration, meanwhile, expressed public support for such requirements during congressional testimony. 

If enacted, the legislation would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish requirements and procedures for critical infrastructure owners and operators to report cyberattack incidents. Under the bill, critical infrastructure owners and operators would have to report cyberattacks to CISA within 72 hours. 

The bill would also require organizations, including businesses with more than 50 employees, state governments, and non-profit organizations, to report any ransomware payments they make to CISA within 24 hours. It further states that organizations infected by ransomware should pursue recovery rather than paying the attackers. 

The act would also create a new office within CISA, named the “Review new Cyber Incident Office” in the text of the bill, responsible for receiving, aggregating, and analyzing the reported cyberattack incidents. 

The bill is partly a response to a surge of major cyberattacks, particularly ransomware, that has hit government agencies and the private sector, which owns and operates 85% of critical infrastructure. 

“As our nation continues to be faced with more frequent and increasingly sophisticated cyberattacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority,” said Chairman Thompson. 

“I applaud Chairwoman Clarke, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of dedicated work to put together this legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners,” he added. 

Port of Houston Attacked Using Zoho Zero-Day Vulnerability


On September 23, CISA officials reported that a suspected government-backed hacking group had attempted to break into the networks of the Port of Houston, one of the largest port authorities in the United States, using a zero-day vulnerability in a Zoho user-authentication product. 

Port authorities said they successfully defended against the attack, adding that no operational data or systems were affected by the attempted breach. 

The investigation into the attack led to a joint advisory on September 16 from CISA, the FBI and the Coast Guard warning US organizations about cyberattacks by a nation-state hacking group exploiting the Zoho zero-day. 

According to Matt Dahl, Principal Intelligence Analyst at the security firm CrowdStrike, the zero-day was used mostly in attacks in late August. Zoho patched the vulnerability (CVE-2021-40539) on September 8, after which CISA issued its first warning about the ongoing attacks. 

CISA officials said they have not yet attributed the attack on the Port of Houston to a specific hacking group or foreign government. 

Port Houston is the nation's largest port by waterborne tonnage and a vital economic engine for the Houston area, the State of Texas and the United States; it has owned and operated public wharves and terminals along the Houston Ship Channel for over 100 years. More than 200 private terminals and eight public terminals along the federal waterway support nearly 1.35 million jobs in Texas and 3.2 million jobs nationwide, generating $339 billion in economic activity in Texas (20.6% of the state's gross domestic product) and a total economic impact of $801.9 billion across the country. 

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators in a meeting of the Senate Homeland Security and Governmental Affairs Committee. 

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” added the CISA Director, who characterized the attackers as a “nation-state actor” in answer to a follow-up question. 

Port of Houston officials did not respond to a request for further details about the attack.

Driver's License Exploitation Scams Surge


The Covid pandemic has provided a ripe opportunity for cybercriminals, who are exploiting the expiry of driver's licenses to lure targeted individuals into handing over personal information online. 

According to Stateline, the “phishing” scams exploit the fact that several states issued emergency declarations allowing driver's licenses to remain valid past their expiry dates. As those extensions expire, drivers must now renew their licenses, and scammers are taking full advantage of that shift, Stateline reports. 

In conventional phishing, cybercriminals send malicious links or attachments via email, and victims inadvertently click on them. When fraudsters use text messages instead, the technique is known as "SMS phishing" or "smishing." 

According to state motor vehicle agencies, driver's license phishing scams, which attempt to steal identities and personal information, have already been cropping up across the United States. Iowa, Minnesota, Ohio, Vermont and Wyoming are among the states where the scams have been detected so far. 

Scammers send SMS messages or emails falsely claiming that the target's license needs an urgent update because information is missing, or that it is about to expire and will become invalid within a few days. When the recipient clicks the link, a Google Form requesting personally identifiable information such as a Social Security number and date of birth often opens. 

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

According to Druker, a large number of people in Illinois received texts and emails from fraudsters posing as the secretary of state or as employees of the state transportation department. Druker added that he did not know whether anyone had fallen for the scams. 

After learning of the phishing and smishing campaigns, Illinois officials notified the FBI and IRS, which worked with Google to take down the bogus web pages. According to Druker, the authorities have identified 1,035 such sites so far, and Google has taken down nearly 900 of them. 

According to a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now using door-to-door visits, along with telemarketing calls, text messages and social networking sites, to carry out COVID-19-related scams. 

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

DHS Called On Hackers to Join Government During Black Hat Speech

Speaking at the Black Hat conference, Department of Homeland Security Secretary Alejandro Mayorkas urged attendees to bring their creativity, ideas and boldness to government agencies to help chart a course for cybersecurity policy that has not yet been mapped. 

“We need your creativity, your ideas, your boldness, and your willingness to push limits. We need you to help us navigate a path that has not yet been mapped,” Mayorkas said. “What’s at stake here is nothing less than the future of the internet, the future of our economic and national security, and the future of our country.” 

Mayorkas introduced the upcoming Cyber Talent Management System, a program that will redefine hiring requirements for cybersecurity roles in government agencies and adjust pay to reflect the current job market. He encouraged attendees to “lead the charge on the inside” by joining the Cybersecurity and Infrastructure Security Agency and DHS. 

“This initiative…will give us more flexibility to hire the very best cyber talent and ensure we can compete more effectively with the private sector,” he said. 

Hiring is a major focus for DHS under the Biden administration. The department is currently trying to fill a number of open cybersecurity positions and to recruit more diverse cybersecurity talent. 

Mayorkas acknowledged that young talent may not be interested in working for the federal government, but said that security specialists have an opportunity to “bridge the gap between the hacker community and the federal government” by collaborating with the agency. He concluded his speech by comparing the current state of cybersecurity with the mid-18th-century struggle between Britain, China, and Russia. 

“We are competing for the future of cyberspace – one in which friends gather, colleagues communicate, businesses sell, consumers buy, dissidents organize, horrific crimes occur, governments hear from their citizens, and information is widely and quickly disseminated,” he said.