Search This Blog

Showing posts with label United States. Show all posts

As the Ukraine Conflict Escalates, US Braces for Russian Cyberattacks

 

Some of the most serious cyberattacks on US infrastructure in the last two years have been traced back to Russian hackers. The SolarWinds hack, which infiltrated multiple government departments in 2020, the ransomware attack that forced the suspension of one of America's main fuel pipelines for several days last year, and another attack on JBS, one of the world's largest meat producers, are also on the list. 

The US administration is on high alert for signs of Russian cyberattacks on banks and other financial institutions, following Moscow's broad strike on Ukraine on Thursday, which drew harsh international sanctions. According to a homeland security source with knowledge of the situation, Russia's cyberthreat to the United States is still active and has not changed since Russian President Vladimir Putin started a full-scale invasion of Ukraine. 

Threats to the national grid and big American institutions, according to the source, are a definite possibility. The Department of Justice and the FBI are both bracing for a potential attack and closely monitoring any strange cyber activity. The Department of Justice has a whole national security division devoted to this.

If Russia entered and hacked the US power system, intelligence believes that it will take between one and two weeks to restore full functioning. The US government has previously disclosed information indicating that Moscow mounted a vast hacking campaign to breach America's "critical infrastructure," which includes power plants, nuclear power plants, and water treatment plants.

Russia has also been accused of conducting online disinformation campaigns aimed at the United States, including efforts to meddle with US elections and cause unrest. This week, US authorities again accused Russian intelligence of spreading misinformation about Ukraine. 

While many online attacks cannot be explicitly traced to the Russian state, Herb Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation, believes that hackers work with Russia's support. 

"They don't operate directly for the Russian government, but they operate under a set of rules that says: 'you guys do what you want, don't target Russian stuff and we won't bother you,'" Lin said. 

Even if Russian hackers do not directly target US organisations, Ukraine's reliance on foreign technology, according to Lin, can cause significant problems for the US. If the crisis in Ukraine worsens, "all the stuff in the US that directly aids the Ukrainian military machine becomes fair game for the Russians to target," Lin added.

Ukraine: DDoS Attacks on State Websites Continue

 

Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), referring to the data of the independent cyber analyst Snorre Fagerland, stated that the hacker group ART23 (Fancy Bear), which is attributed to links with the Main Intelligence Directorate of the Russian Federation, was behind the attacks. 

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet. 

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that within the framework of pro-state activity, mainly Chinese groups like to engage in substitution of attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn was previously noticed for the substitution of attribution. 

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy. 

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."

Russian Man and his Wife Arrested in U.S. for Stealing Record $4.5 billion in Bitcoins

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on bail of $8 million for two. However, the spouses were unable to leave federal prison as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Liechtenstein's computer. And a plastic container with disposable phones was found under the bed in the apartment of the defendants. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street", was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

Suspected Founder of Hacker Group The Infraud Organization Arrested in Moscow

 

It became known that Russia will not extradite the possible leader of the hacker group The Infraud Organization to the United States. Russian FSB officers and Russian law enforcement agencies, with the assistance of US law enforcement agencies, detained four members of the hacker group The Infraud Organization on January 22. Prior to that, the alleged founder Andrei Novak was put on the wanted list in the United States on charges of cyber fraud. 

According to the FSB, Novak has been arrested, and three other alleged hackers have been placed under house arrest. The investigation continues to identify other members of The Infraud Organization. The detained members of the group are accused of illegal access to computer information and illegal turnover of payment funds. 

Russia has no plans to extradite Andrei Novak, the possible leader of the international hacker group The Infraud Organization, to the United States. Thus, Russian law prohibits the extradition of citizens of one's own country to a foreign state. 

It is noted that if among the detained members of the organization there is a person without Russian citizenship, then after the investigation of a criminal case in Russia and the trial he will be extradited to the country where the case was opened against him. 

It is worth noting that in February 2018, it was reported that law enforcement officers detained 13 persons in the United States accused of involvement in a criminal scheme, the damage from which amounted to at least $530 million. In total, 36 people have been charged, and one Russian, Andrei Novak, was included in this list. 

The detained 13 people are citizens of the United States, Australia, Great Britain, France, Italy, and Serbia. The criminal group was organized by a citizen of Ukraine in 2010. 

The company Group-IB, which in Russia is engaged in the investigation and prevention of cybercrime (its founder Ilya Sachkov was arrested in Russia on charges of treason), said at the time that the defendants were not an organized group, but united on hacker sites solely to carry out attacks. Group-IB suggested that their main field of activity could be carding. In addition, cybercriminals could manage cardershops (sites for the sale of bank cards), sell accounts and accounts.

A Phishing Attack Impersonates the US DoL in Order to Steal Account Credentials

 

Many phishing attacks seek to defraud individuals by mimicking and imitating legitimate companies and organizations. A phishing email that looks to be from an official government agency is particularly deceiving since it exudes authority. Inky discovered a harmful campaign in the latter half of 2021 that spoofs the US Department of Labor in order to steal the account credentials of unwary victims. 

In a blog post published on Wednesday, Inky describes a series of phishing assaults in which the sender address on the majority of the emails looked to come from no-reply@dol.gov, the Department of Labor's legitimate domain. A couple of the emails were spoofed to appear to be sent from no-reply@dol.com, which is not the department's actual domain. The remainder came from a collection of newly formed look-alike domains, including dol-gov[.]com, dol-gov[.]us, and bids-dolgov[.]us. These phishing emails claimed to be from a senior DoL employee in charge of procurement and asked recipients to submit bids for "ongoing government projects." 

A PDF attachment accompanying the email appeared to be an official DoL document, complete with all the necessary images and branding. On the second page of the PDF, a BID button led to what looked to be the Department of Labor's procurement platform but was actually a rogue website impersonating the department. 

When the victim closed the document, they saw an exact replica of the official DoL website. The smart phishers simply copied and pasted HTML and CSS from the original site onto the phishing site. 

The website then displays a "Click here to bid" button as the following step in the process. Anyone who clicks on that button will be directed to a credential harvesting form with instructions on how to submit a bid using a Microsoft account or another business account. The victim would be informed that their credentials were incorrect after entering them. The credentials, however, had been stolen by the attacker. If the user tried to input their credentials again, they would be sent to the official DoL page, which would further trick them. 

The phishers were able to send their phishing emails via abused servers supposedly managed by a non-profit professional membership group in the majority of these attacks (the ones in which the spoofed sender was either no-reply@dol[.]gov or no-reply@dol[.]com). 

Inky suggested a few tips to safeguard customers from this type of phishing scam, such as the fact that US government domains normally end in .gov or .mil rather than .com or another suffix, the US government does not usually send cold emails to collect bids for projects, and to check SMTP server settings. SMTP servers should not be configured to accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorized users.

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence

 

The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWatter hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

Last year in November, cyber authorities across the US, UK, and Australia attributed attacks exploiting loopholes in Fortinet and Exchanges to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the malicious actors were simply focused on exploiting the vulnerabilities wherever possible; following the operation, they then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

A Ransomware Attack Targeted Virginia Legislature Agencies and Commissions

 

A ransomware attack has caused the suspension of computer systems and websites for Virginia legislative agencies and commissions, including the Division of Capitol Police and the Division of Legislative Services, which is preparing bills and resolutions for the forthcoming General Assembly session. 

The attack started on Sunday at the Department of Legislative Automated Systems and has now expanded to practically all legislative branch websites, with the exception of the Legislative Information System on the General Assembly website. It has had no effect on state executive branch agencies. 

Virginia Governor Ralph Northam's spokesperson, Alena Yarmosky, said the governor has been briefed about the attack. The incident was communicated to the state's legislative leaders through email, who were informed that hackers attacked the state's computers. 

“Currently the bad guys have most of our critical systems locked up except for LIS,” Dave Burhop, director of the legislative IT agency, informed Senate and House of Delegates early on Monday morning. Capitol Police's website is unavailable, although spokesperson Joe Macenka stated that, "All of our critical communication systems are fine."

The attack employs ransomware, which a criminal organization implants in vital computer systems in order to extract money. The governor's office and Burhop both confirmed that the state had received a ransom note, but neither said what it contained. “The bad guys have left us a ransom note but details are scant and no amount of ransom has been specified yet,” Burhop said in the email to the House and Senate clerks. 

According to Senate Clerk Susan Schaar, the Department of Legislative Automated Services is collaborating with the Virginia Information Technologies Agency to resolve the problem. VITA provides assistance to approximately 60 agencies in the executive department of state government. The legislative IT sites are managed separately from the executive branch sites by the Department of Legislative Automated Systems, according to Yarmosky. “As such, VITA has very little knowledge of the system and security architecture or tools in place to address cyber-attacks.”

The Virginia Defense Force and the Virginia Department of Military Affairs reported in September that they were victims of a cyberattack in July. Attacks on local governments at the city, country, and state levels have netted ransomware groups millions of dollars. Experts say, at least 2,354 governments, healthcare facilities, and schools in the United States were hit with ransomware in 2020, according to The Washington Post.

FBI Seizes 39 BTC Worth $2.2M Tied to Ransomware Gangs

 

The Federal Bureau of Investigation (FBI) has seized 39 BTC worth approximately $2.3 million from a Russian man affiliated to Revil and Gandcrab ransomware gang, according to a court document unsealed Tuesday. 

"The United States of America files this verified complaint in rem against 39.89138522 Bitcoin Seized from Exodus Wallet ("the Defendant Property") that is now located and, in the custody, and management of the Federal Bureau of Investigation ("FBI") Dallas Division, One Justice Way, Dallas Texas," reads the United States' Complaint about Forfeiture. 

Exodus is a desktop or mobile wallet that owners can use to store cryptocurrency, including Bitcoin, Ethereum, Solana, and many others.

The FBI seized $2.3 million on 3rd August, however, the officials did not disclose how they secured access to the wallet. According to the court document, the wallet contained Revil ransom payments belonging to an affiliate discovered as Aleksandr Sikerin (aka Alexander Sikerin and Oleksandr Sikerin), whose email address is engfog1337@gmail.com. 

The name “engfog” in the email address is tied to a well-known Gandcrab and Revil/Sodinokibi affiliate known as “Lalartu,” Bleeping Computer reported. 

“Gandcrab and Revil organizations operated as Ransomware-as-a-Service (RaaS), where core operators’ partner with third-party hackers, known as affiliates, the news outlet noted, adding that ransom payments are split between the affiliate and core operators. The operators usually earn between 20% and 30% of the ransom,” reads the court document. 

The Justice Department this month announced the seizure of $6.1 million from Yevgeniy Polyanin, a Russian “charged with deploying Sodinokibi/Revil ransomware to attack businesses and government entities in the United States.” Meanwhile, the U.S. government has been increasing its efforts to fight ransomware attacks. The Treasury Department has already sanctioned two cryptocurrency exchanges tied to ransom payments. 

Earlier this year in October, REvil was reportedly forced offline by a multi-nation operation — giving the ransomware group a taste of its own medicine after it orchestrated a number of high-profile attacks. The attacks include targeting the Colonial Pipeline which resulted in gas shortage across the U.S., hundreds of supermarkets were forced to close in Sweden after the software firm Kaseya was crippled in a separate incident. 

On E-Commerce Servers, New Malware Masquerades as the Nginx Process

 

Remote access malware is being used to attack eCommerce servers, and it hides on Nginx servers in such a way that security solutions can't detect it. NginRAT is a combination of the application it targets and the remote access capabilities it delivers, and it is being used in server-side attacks to steal payment card data from online stores. 

NginRAT was discovered on eCommerce servers in North America and Europe infected with CronRAT, a remote access trojan (RAT) that hides payloads in activities scheduled to run on an invalid calendar day. Even if the day does not exist in the calendar, the Linux cron system accepts date requirements as long as they have a proper format, which implies the scheduled task will not run. 

CronRAT relies on this to maintain its anonymity. According to research released by Dutch cyber-security firm Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. Multiple levels of compression and Base64 encoding are used to conceal the payloads. The code has been cleaned up and now contains self-destruction, time modulation, and a custom protocol for communicating with a remote server. 

NginRAT has infected servers in the United States, Germany, and France, injecting into Nginx processes that are undetectable, allowing it to remain unnoticed. The new malware, according to researchers at Sansec, is delivered CronRAT, despite the fact that both perform the same function: granting remote access to the attacked system. 

While the two RATs use quite different approaches to preserve their secrecy, Willem de Groot, director of threat research at Sansec, told BleepingComputer that they appear to have the same role, operating as a backup for preserving remote access. After developing a custom CronRAT and analyzing the interactions with the command and control server (C2) in China, Sansec was able to investigate NginRAT. As part of the typical malicious interaction, the researchers duped the C2 into transmitting and executing a rogue shared library payload, masking the NginRAT "more advanced piece of malware."

“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself", reads the analysis published by the experts. The remote access malware is embedded in the Nginx process in such a way that it is practically impossible to distinguish from a valid process at the end of the process.

22,000 Data Subjects were Impacted by a Cyberattack on S&R

 

Thousands of data subjects were harmed by the recent cyber-attack on S&R Membership Shopping, according to the National Privacy Commission (NPC). The NPC said in a statement that it got an initial breach report from S&R on November 15, 2021, at 4:47 p.m. regarding a cyber-attack that may have affected the personal data of its members. The breach was found on November 14, 2021, according to the NPC.

S&R is a membership-based shopping club modeled after the American warehouse membership shopping chains. The basic idea is to provide significant value to member-customers through a system that is based on aggressive buying, low-cost distribution, and streamlined operations. 

S&R Pricemart was founded in 2001 as a joint venture with PriceSmart of the United States. Sol and Robert Price, two American businessmen, are known as "S&R." Since the enactment of the Retail Trade Act of 2000, which liberalized the retail sector, PriceSmart was the first big international retailer to enter the Philippine market. The retail chain was rebranded S&R Member Shopping after PriceSmart lost its share in the joint venture in 2005 and was purchased by the Co family in 2006. 

S&R submitted a second breach report on November 24, 2021, indicating that the ransomware assault targeted the company's membership system, affecting 22,000 data subjects, according to the privacy body. The NPC cited the company's report as evidence that the S&R members' personal information, including date of birth, phone number, and gender, had been compromised. 

“Based on the S&R’s disclosure and confirmation from their data protection officer, credit cards and other financial information were not among the compromised personal data,” the Privacy body said. S&R had previously stated that it had been the victim of a cyberattack, but that its "staff quickly and decisively implemented our cybersecurity protocols, allowing us to restart our system operations." 

Despite this, the NPC ordered S&R to give a technical report on the event from a third-party cyber security company. The corporation was also reminded of its need to properly disclose and individually notify any affected data subjects, according to the agency. “They (S&R) informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” the NPC said.

Apple Sues NSO Group for Using Pegasus Spyware to Spy on iPhone Users

 

In a U.S. federal court, Apple has sued NSO Group and its parent firm Q Cyber Technologies for illegally targeting users with its Pegasus spying tool, marking yet another setback for the Israeli spyware vendor. NSO Group is described as "notorious hackers — amoral 21st-century mercenaries who have constructed highly sophisticated cyber-surveillance equipment that promotes routine and egregious exploitation" by the Cupertino-based tech giant. 

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous."

Pegasus is designed as an invasive "military-grade" spyware capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones. It is typically installed by leveraging "zero-click" exploits that infect targeted devices without any user interaction. 

The FORCEDENTRY exploit in iMessage was used to evade iOS security measures and target nine Bahraini activists, according to Apple's lawsuit. The attackers used over 100 false Apple IDs to send harmful data to the victims' devices, allowing NSO Group or its clients to deploy and install Pegasus spyware without their knowledge, according to the firm. In September, Apple patched the zero-day vulnerability. 

"The abusive data was sent to the target phone through Apple's iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file," Apple detailed in its filing. "That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple's iCloud servers in the United States or abroad for delivery to the target." 

The lawsuit also mirrors a similar action taken by Meta (previously Facebook) in October 2019, when it sued the firm for installing Pegasus on 1,400 mobile devices belonging to diplomats, journalists, and human rights activists by exploiting a weakness in its WhatsApp messaging software. 

Apple praises organizations such as Citizen Lab and Amnesty Tech for their pioneering efforts in identifying cyber-surveillance abuses and assisting victims. To support efforts like these, Apple announced that it will donate $10 million to organizations conducting cyber surveillance research and advocacy, plus any damages from the lawsuit.

TA406 APT Group, Which is Tied to North Korea, has Increased its Attacks

 

In 2021, a North Korean-linked threat actor known as TA406 ramped up its attacks, including credential harvesting activities, according to Proofpoint. The adversary, also known as Kimsuky, Thallium, and Konni by security researchers, has been attacking companies in sectors like education, government, media, and research, as well as other businesses. According to Proofpoint, TA406 is the most closely associated with Kimsuky activity, which is tracked by the security firm as three distinct threat actors: TA406, TA408, and TA427.

Kaspersky researchers initially discovered the TA406 cyberespionage group in 2013. The US-CERT published a report on Kimusky's latest operations towards the end of October 2020, detailing their TTPs and infrastructure. The APT group primarily targeted South Korean think tanks and organizations, with victims in the United States, Europe, and Russia. 

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said. 

During the first half of the year, Proofpoint noticed weekly attacks against journalists, foreign policy experts, and non-governmental organizations (NGOs), particularly those related to actions that affect the Korean Peninsula. Journalists and academics were also targeted. TA406 targeted high-ranking political figures at numerous governmental institutions, and consultancy firms, defense institutions, law enforcement agencies, and economic and financial organizations, as part of their March 2021 campaign. 

Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey are among the malware families used. It also appears that NavRAT and QuasarRAT were used. 

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report. 

According to the security experts, TA406 has been involved in financially motivated assaults, such as sextortion and the targeting of cryptocurrency, just like other North Korean state-sponsored actors. “Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

Iranian Hackers are Exploiting Microsoft and Fortinet Flaws

 

Australia, the United Kingdom, and the United States issued a combined advisory on Wednesday of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored hackers. CVE-2021-34473, 2020-12812, 2019-5591, and 2018-13379 are the four vulnerabilities they urged administrators to fix right away.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated. "Australian Cyber Security Centre (ACSC) is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than targeting a specific industry, the authorities said that the attackers merely focused on exploiting vulnerabilities wherever they could and then attempting to convert that initial access into data exfiltration, a ransomware assault, or extortion. 

To maintain access, the attackers would use the Fortinet and Exchange vulnerabilities to add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems that looked like existing accounts. The next step was to enable BitLocker, post a ransom note, and download the files through FTP. 

In May 2021, CISA and FBI noticed the adversary misusing a Fortigate appliance to acquire a foothold on a web server holding the domain for a US municipal government, in addition to exploiting the ProxyShell vulnerability to obtain access to vulnerable networks. The APT attackers "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," according to the advisory. 

This is the second time the US government has issued a warning on advanced persistent threat groups targeting Fortinet FortiOS servers by exploiting CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to attack government and commercial systems. 

The FBI and CISA released warnings in April that Fortinet gear vulnerabilities were being regularly exploited, and in July, the complete quartet of authorities listed Fortinet among the top 30 exploited vulnerabilities. Separately, Microsoft issued a warning on Wednesday about six Iranian groups that were utilizing vulnerabilities in the same set of products to spread ransomware.

Organizations should immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released as mitigations, according to the agencies.

HSI San Antonio Issues a Public Warning on Spoofing Phone Calls

 

The Homeland Security Investigations (HSI) department of US Immigration and Customs Enforcement (ICE) in Texas has issued a warning about a new phone scam. Threat actors have been impersonating special agents at the San Antonio HSI to engage members of the public in the malicious campaign. The victims are informed that a problem with their passport has been discovered. The fake agent then threatens them with arrest unless they make a payment to the HSI. 

Officials with the San Antonio ICE said in a scam warning published November 4 that the scammers say the passport is linked to a crime and scare the caller by threatening to dispatch police to their home to arrest them. The fraudsters have devised a method of convincing the victim that the call is coming from the HSI San Antonio main phone number, 210-979-4500. 

HSI is a directorate of ICE and the primary investigative arm of the United States Department of Homeland Security (DHS). It is responsible for investigating transnational crime and threats, particularly those perpetrated by criminal organizations that take advantage of the global infrastructure that facilitates international trade, travel, and finance. HSI's overseas presence is DHS's largest investigative law enforcement presence abroad and one of US law enforcement's largest foreign footprints.

“HSI special agents and local police do not call people on the phone to warn them they are about to be arrested,” said HSI officials. “Agents neither request financial information, such as bank account and credit card account information, nor demand money from someone to dismiss an investigation or remove an arrest warrant.”

"If you receive a threatening call or message from the number, do not give the person any personal or financial information, try to collect any contact information from the caller, end the conversation immediately if threats and intimidation persist, report the incident to the ICE tip line at 1 (866) 347-2423," added HSI officials. 

International students studying in the United States on student visas were informed in July by ICE officials in Virginia that their phone number was being faked to fool them into making fraudulent payments and disclosing sensitive personal information. Scammers behind the campaign demanded Bitcoin payments from international students, a currency that the federal government does not recognize.

DDoSecrets Published 1.8 TB of Surveillance Footage From Helicopters on the Internet

 

Surveillance drones have been increasingly popular among law enforcement agencies across the United States in recent years, drawing criticism from privacy advocates. However, freshly obtained aerial surveillance footage from the Dallas Police Department in Texas and what appears to be the Georgia State Patrol highlights the range and quality of footage captured by helicopters. 

On Friday, the transparency activist group Distributed Denial of Secrets, or DDoSecrets, released a 1.8-terabyte archive of police helicopter footage on its website. DDoSecrets cofounder Emma Best said her organization doesn't know who shared the material and that no affiliation or purpose for disclosing the files was given. The source just stated that the data was being stored in insecure cloud infrastructure by the two police departments. 

In June 2020, DDoSecrets made headlines when it revealed a massive leak of law enforcement data taken by a hacker linked to Anonymous. Emails, audio, video, and intelligence documents from more than 200 states, municipal, and federal agencies around the US were included in the data, called BlueLeaks. DDoSecrets was banned from Twitter, and Reddit banned the r/blueleaks subreddit. 

The report merely stated that the law enforcement agencies responsible for keeping the video secure were sorting the data in an insecure cloud infrastructure when the bad actor obtained access and posted the video online. WIRED examined the material that was posted online, and according to their article, the samples included footage of a helicopter being piloted during the day and at night, recording everything from an aerial view. 

“This is exactly one of the things that people are constantly warning about, especially when it comes to government surveillance and corporate data mining,” Best told WIRED in a text message interview. “Not only is the surveillance itself problematic and worrisome, but the data is not handled in the ideal conditions we're always promised." 

Police drones have gained a lot of attention recently because they represent a new generation of aerial vehicles capable of stealthy surveillance and novel behaviors, such as flying indoors. Law enforcement forces, on the other hand, have been using helicopters for aerial surveys and monitoring for decades. However, DDoSecrets' footage shows how successful helicopter-mounted cameras are in capturing extremely crisp and detailed video near to the ground. 

Given that such footage could be helpful in a variety of ways for stalkers, assailants seeking materials for blackmail, domestic or international terrorist groups, or those conducting espionage operations, privacy advocates underline the importance of safeguarding aerial police surveillance data.

Ransomware Ranzy Locker Infected at Least 30 US Organizations

 

The FBI announced on Monday that the Ranzy Locker ransomware has infected at least 30 US firms across a variety of industries this year. “Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” reads the flash alert. 

The flash alert was issued in collaboration with CISA and is intended to provide information to security professionals to aid in the detection and prevention of ransomware attacks. The majority of Ranzy Locker victims who reported intrusions told the FBI that the attackers broke into their networks by brute-forcing RDP credentials. 

Others have recently revealed that the attackers utilized credentials acquired in phishing operations or targeted insecure Microsoft Exchange servers.

Ranzy Locker operators will steal unencrypted documents while within a victim's network before encrypting systems on their victims' corporate networks, a method utilized by most other ransomware gangs. These exfiltrated files, which contain sensitive information such as customer information, personally identifiable information (PII) data, and financial records, are used as leverage to force victims to pay a ransom in order to regain access to their files and prevent the data from being leaked online. 

In several cases, the gang used a double model of extortion, threatening victims with leaking stolen data if they did not pay the ransom. Indicators of compromise (IOCs) connected with Ranzy Locker operations and Yara rules to identify the threat are also included in the flash warning. 

Victims will get a 'Locked by Ranzy Locker' notice and a live chat screen to negotiate with the threat actors when they visit the group's Tor payment site. The ransomware operators also offer their victims to decrypt three files for free as part of this "service" to demonstrate that the decryptor can restore their files. 

Implement regular backups of all data to be stored as air-gapped, password-protected copies offline, implement network segmentation so that no machine on your network is accessible from any other machine, install and regularly update antivirus software on all hosts, and enable real-time detection, and install updates/patches to operating systems, software, and firmware as soon as updates/patches become available, are some of the recommended mitigations that were included in the alert.

Gummy Browsers Attack Lets Hackers Spoof Browser's Digital Fingerprints

 

Gummy Browsers is a new fingerprint collecting and browser spoofing threat developed by university researchers in the United States. They warn about how simple it is to carry out the attack and the serious consequences it might have. The 'Gummy Browsers' attack involves obtaining a person's fingerprint by forcing them to visit an attacker-controlled website, then utilizing that fingerprint to fake that person's identity on a target platform. 

The researchers created the following way to impersonate the user on other sites after establishing a fingerprint of the user using existing or custom scripts: 

 • Script injection - Spoofing the fingerprint of the victim by running scripts (with Selenium) that deliver values retrieved from JavaScript API calls. 

 • Browser setting and the debugging tool - Both can be used to change the browser attributes to any custom value, which affects both the JavaScript API and the HTTP header value. 

 • Script manipulation - Modifying the scripts placed in the website before they are transmitted to the webserver to change the browser properties with faked values. 

A digital fingerprint is a one-of-a-kind online identifier linked to a certain person based on a device's characteristics. IP addresses, browser and OS versions, installed software, active add-ons, cookies, and even how a user moves their mouse or enters on the keyboard are all examples of these characteristics. These fingerprints can be used by websites and advertisers to verify that a visitor is human, monitor a user across several sites, and serve tailored advertising. Some authentication systems use fingerprints as well, allowing MFA or other security features to be circumvented if a valid fingerprint is identified. 

The researchers claimed they could fool state-of-the-art fingerprinting solutions like FPStalker and Panopliclick for long periods of time by just capturing the victim's fingerprint once. 

The researchers explained their findings in an Arxiv paper, "Our results showed that Gummy Browsers can successfully impersonate the victim’s browser transparently almost all the time without affecting the tracking of legitimate users." 

The attack system obtained average false-positive rates of greater than 0.95 in experimental tests, meaning that most of the faked fingerprints were misidentified as real ones, successfully fooling the digital fingerprinting algorithms. A breach of ad privacy and a bypass of defensive procedures put in place to verify users and detect fraud are two consequences of such an assault. 

"The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser fingerprinting is starting to get widely adopted in the real world," the researchers concluded. "In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale."

One Million Users were Exposed Due to a VPN Provider's Misconfiguration

 

A misconfigured Elasticsearch server exposed the personally identifiable information (PII) of at least one million users of a Chinese-run VPN provider. According to WizCase, the privacy concern impacts Quickfox, a free VPN used mostly by the Chinese diaspora to access sites that are otherwise inaccessible from outside mainland China. Unfortunately, Fuzhou Zixun Network Technology, the owner of Quickfox, had not properly set up its Elastic Stack security, leaving an Elasticsearch server unprotected and accessible — with no password protection or encryption in place. 

Ata Hakcil headed a team of ethical cyber researchers who discovered a serious leak that exposed Quickfox's ElasticSearch server. The leak was caused by a security flaw in the ELK stack. Elasticsearch, Logstash, and Kibana (ELK) are three open-source applications that make searching enormous files easier, such as the logs of an online service like Quickfox. 

Quickfox had put up access controls in Kibana, but they hadn't done the same for their Elasticsearch server. Anyone with a browser and an internet connection might gain access to Quickfox records and extract sensitive information about Quickfox users. 

Around 500 million records totaling over 100GB of data were exposed as a result of the incident. There were primarily two categories of data in the information. The personal information of around 1 million users was the first type. The second type concerned software installed on over 300,000 users' devices. The documents discovered were all dated between June 2021 and September 2021. 

According to the IP addresses discovered in the breach, it mostly affected individuals in the United States, as well as countries bordering China, such as Japan, Indonesia, and Kazakhstan. 

Customers' emails, IP addresses, phone numbers, data to identify device kind, and MD5 hashed passwords were among the PII revealed. MD5 is far from safe, according to WizCase, and can be cracked with modern technology. This would have been enough for criminals to use phishing emails, vishing phone calls, and other methods to obtain further sensitive information such as credit card or bank account numbers.

“The leaked information about device type and installed software could make this con very convincing,” warned WizCase. “It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services.” 

Cyber-criminals could try to hijack other accounts across the web by unmasking MD5 hashed passwords and using credential stuffing tactics, WizCase said. It advised consumers to thoroughly vet VPN providers before selecting one and to be aware that free services may benefit from the collection and use of client data.

APT35 Continues Targeting Important US Citizens and Institutions

 

This year, the Google Threat Analysis Group (TAG) has noticed an increase in government-sponsored hacking. According to the data revealed in the blog post, Google has sent over 50,000 warnings of phishing and malware attempts to account holders thus far in 2021. The number of people has increased by 33% from the same period last year. 

APT35 operations dating back to 2014 have been found by FireEye. APT35, also known as the Newscaster Team, is an Iranian government-sponsored threat group that carries out long-term, resource-intensive operations to gather strategic intelligence. APT35 usually targets military, diplomatic, and government people in the United States and the Middle East, as well as organisations in the media, energy, and defense industrial base (DIB), as well as engineering, business services, and telecommunications. 

Since 2017, APT35 has been targeting politicians, NGOs, government institutions, journalists, and academia under the names Ajax Security Team, Charming Kitten, and Phosphorus. During the 2020 elections, the group also attempted to target former US President Donald Trump's election campaign staff. 

Charming Kitten made 2,700 attempts to gather information about targeted email accounts in a 30-day period between August and September 2019, according to Microsoft. There were 241 attacks and four compromised accounts as a result of this. Despite the fact that the initiative was allegedly directed at a presidential campaign in the United States, none of the stolen accounts had anything to do with the election. Microsoft did not say who was directly targeted, although Reuters later reported that it was Donald Trump's re-election campaign. The fact that only the Trump campaign utilized Microsoft Outlook as an email client backs up this claim.

 "For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google said. 

Phishing attacks including malicious URLs are the most popular approach employed by APT35. APT35, for example, infiltrated a website affiliated with a UK university in early 2021. The group then set up a phishing kit on the website in order to collect user credentials and began sending out emails with a link to the site. The users were instructed to log in using the link provided in order to participate in a fictitious webinar. 

APT35 also attempted to use the Google Play Store to distribute spyware disguised as a VPN client. If the app is installed on the phone, it can gather SMS and call records, as well as location data and contacts. The attempt was thwarted when Google removed the app from the Play Store.

US District Court Shuts Down an International Psychic Mail Fraud Scheme

 

The US District Court for the Southern District of Florida shuts down an international psychic mail fraud scheme operated by three individuals and two companies. The scammers forked millions of dollars by selling the promise of good fortune to tens of thousands of US residents.

Last week, the United States District Court permanently barred three France residents and two corporate defendants from participating in mass mailing campaigns. The complaint alleges that Robert Lhez, Mireille Dayer, and Julie Poulleau, using Arcana Center, a company in Delaware, and a Swiss corporation named Partners VAD International Sàrl, sent hundreds of thousands of mailers across the United States. 

According to the Department of Justice Office of Public Affairs, the letters were purportedly sent on behalf of companies or individuals offering unwary consumers psychic, clairvoyant, or astrological services. Individuals covered by the scheme were told that they would make some money as soon as they paid the prepaid fee.

Furthermore, the Justice Department alleged that the scammers forked millions of dollars from tens of thousands of victims, primarily the elderly. Victims sent the scammers more than 34,000 payments totaling over $1.4 million from March 2017 to June 2018 alone. However, none of the victims who handed over their cash received any of the promised good fortune.

“These solicitations were riddled with false and misleading statements that gave the false impression that in exchange for payment of a small fee, typically of $45 or $50, the individual recipient would come into good fortune resulting in an imminent financial windfall through the lottery, inheritance or other game of chance,” said the Department of Justice Office of Public Affairs in a statement. 

The defendants “have been known to Postal Inspectors for years, constantly changing their fraudulent schemes in the attempt to stay one step ahead of the law,” stated Eric Shen, inspector in charge of the US Postal Inspection Service’s Criminal Investigations Group. 

Juan Antonio Gonzalez, acting US Attorney for the Southern District of Florida urged the US residents to remain vigilant and question promotions that seem too good to be true and report suspected fraud to law enforcement. 

“Beyond financial losses, predatory fraud schemes like this one lead to immense emotional suffering for victims. We urge the public to question promotions that seem too good to be true and immediately report suspected fraud to law enforcement,” Gonzalez advised.