
TSA: New Cybersecurity Directives Issued for US Passenger and Freight Railroad Carriers

 

The Transportation Security Administration (TSA) has recently announced a new cybersecurity directive. The directive is issued to improve the cybersecurity of railroad operations and applies to passenger and freight railroad carriers. 
The TSA announcement demonstrates the Biden-Harris Administration’s commitment to strengthening the cybersecurity of U.S. critical infrastructure. The security directives will further improve the cybersecurity preparedness and resilience of the nation’s railroad operations, building on the TSA's work to fortify defenses in other modes of transportation. 

Why are the new directives important?  


The latest measures are taken by US officials following the series of ransomware attacks and hacking incidents in the past years.  

In 2016, San Francisco Municipal Transportation Agency was targeted by a ransomware attack, which caused administrators to disable ticketing machines and turnstiles for metro stations for a weekend. 

Last year, the US witnessed the disruptive potential of a cybercrime incident, where a major pipeline company had to halt its operations for days following a ransomware attack. 

The new TSA directive instructs rail companies to report hacking incidents to the Department of Homeland Security and to have a strategy in place to prevent a cyberattack from affecting their business operations. 

The directive essentially focuses on creating access controls to prevent unauthorized access to critical systems.  

The operators must ensure that these systems are continuously monitored, with policies and procedures in place to detect threats. They must also ensure that the operating systems, applications, drivers, and firmware of the critical systems are patched and up to date. 

About the new directives, TSA Administrator David Pekoske said, “The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.” 

“We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”  

According to Anne Neuberger, a senior White House official, US officials are also working on cybersecurity measures for the water and healthcare sectors. Regulations for the communications sector, including emergency warning systems, are also underway.

US Government Says Election Hacking Does Not Pose Any Threat

 

Despite the U.S. government's efforts to chill everyone out about election hacking less than a month before the midterm elections, the topic is still on many minds. 
 
In a public service announcement issued on Tuesday, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) said that, as far as they know, no election hack has ever been successful in the United States, and that a successful one is unlikely any time soon.  
 
As stated in the announcement, "Neither the FBI nor CISA believes there is any evidence that cyber activity has prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, and affected the accuracy of voter registration information in their investigations" (emphasis in original). "Considering the extensive safeguards in place and the distributed nature of election infrastructure, the FBI and the CISA continue to assess that it would be very difficult for any attempts to manipulate votes at scale to be unwittingly carried out."  
 
The announcement follows a persistent two-year campaign by some pro-Trump and GOP operatives and sympathizers, including MyPillow CEO Mike Lindell, who spread unfounded conspiracy theories and sometimes outright made-up claims of vote manipulation and hacking against voting systems across the country. Election security experts believe that the FBI and CISA's announcement is intended to pre-empt these types of allegations. 
 
Matt Bernhard, a research engineer at the non-profit organization Voting Works, which focuses on election cybersecurity, told Motherboard in an online chat that this feels like a pre-bunking exercise.   
 
Dan Wallach, a professor at Rice University who has studied electronic voting systems for many years, took a similar view.  
 
“If we take it for what it says, it both focuses our attention on misinformation and ‘pre-bunks’ more sophisticated hacking operations,” Dan told Motherboard via email. 
 
It is pertinent to clarify, however, that “this does not mean we can relax about these sorts of sophisticated attacks. The election administrators are, to a specific degree, implementing cyber defenses, and they are currently working on improving them," he added. “Even though it is much easier to convince people that there has been tampering with the election than to do the tampering itself.”

Although election hacks have been rare and ineffective, and are unlikely, federal and state governments are prepared for any eventuality.  
 
"At the Department of Homeland Security, we are very intensely focused on the security of the elections," Secretary of Homeland Security Mayorkas said earlier this week. Motherboard has previously reported on potential vulnerabilities in voting machines. However, there has been no evidence that voting machines have been breached during an actual election.

Rise in Cyber-Attacks Targeting U.S. Defense Security

 

In a cyberattack campaign that may amount to cyber espionage, it is clear that cyber threats are becoming more sophisticated with each passing day. Threat actors are engineering attacks to target defence contractors in the US and throughout the world. 

Over the last few months, researchers at Securonix have detected several covert campaigns against weapons contractors in Europe. The campaign, which Securonix tracks as STEEP#MAVERICK, has also affected a supplier to the US program that builds the F-35 Lightning II fighter plane. 

According to the security vendor, the campaign is noteworthy for the overall attention the attacker has paid to operations security (OpSec) and in ensuring their malware is difficult to detect, remove, and analyse.  

According to the Securonix report, the malware stager used in these attacks employed an array of tactics, persistence methods, counter-forensics, and layers upon layers of obfuscation to hide its code. 

By late summer, the STEEP#MAVERICK campaign appears to have started attacking two high-profile defence contractors in Europe. Like many spear-phishing campaigns, the attacks begin with an email containing a compressed (.zip) file and a shortcut (.lnk) to a PDF document that purports to describe company benefits.  

According to SecurityTel, the sample email was sent this month by North Korea's APT37 threat group. 

APT37 (also known as Konni) is a North Korean threat group; the email resembles a scam email that the same group was found sending earlier this month during another campaign.  

The rising number of cyberattacks is indeed a matter of concern, especially for a department like defence, which holds secrets that must be guarded with extra caution.  

Security research performed by Black Kite on the top 100 defence contractors showed that 32% of them have security flaws that could enable ransomware attacks. According to the research, the major reasons these defence contractors are vulnerable to ransomware include leaked credentials and a lack of secure personal data management.

US Forex Scam Lasted for Ten Years

Two US men, Patrick Gallagher, 44, of Middleborough, Massachusetts, and Michael Dion, 49, of Orlando, Florida, both pled guilty to one charge of conspiracy to commit financial crimes in a foreign exchange operation that spanned a decade. 

Forex: Is it a con?

The world's currencies are traded on the Forex market, a credible platform. It would be tricky to trade the currencies required to pay for imports, sell exports, travel, or conduct cross-border business without the Forex market. However, because there is no centralized or regulated exchange, and massive leverage positions (which theoretically have the potential to earn traders a lot of money) are available, con artists exploit this situation and rookie traders' eagerness to join the market. 

Since the forex market is a 'zero-sum' market, in order for one trader to profit, another dealer must lose money. As a result, the forex market does not by itself increase market value. 

About the Scam  

According to the Department of Justice, hackers established a fake organization called Global Forex Management and lured investors by assuring them large profits based on falsified trading performances from the past.

The conspirators claimed that IB Capital, a business run by a co-conspirator, would trade the victims' money on an online trading platform. Instead, Gallagher and Dion, working with other criminals in the Netherlands, stole the money from the victim investors.

Gallagher and Dion carried out their scheme in May 2012 by deliberately setting up negative trades for the investors, effectively stealing $30 million from their victims.

After fabricating the enormous trading loss, Gallagher and Dion used shell businesses they had built up all across the world to transfer the stolen funds.

How can we detect a forex scam?

Learning how to correctly trade on the Forex market is the single most crucial thing a person can do to avoid getting conned. Finding reliable Forex brokers, on the other hand, is a challenge in this situation. Before trading with real money, practice making long-term profits on demo accounts. Be aware that it can take years to thoroughly learn the Forex trade, just like it does with any professional ability. Avoid any claim that suggests 'you can generate money quickly.'

Furthermore, don't accept the assertions made at face value; instead, take the time to conduct your own investigation. The legitimacy of the business that makes the claims or offers the course or expertise is something else a person might wish to investigate. 

Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit

 

Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi who became the first high-ranking U.S. official in 25 years to visit the democratic island nation. 

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder and CTO at Bugcrowd. “China has an enormous population of very clever technologists, large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.” 

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year, in February, the Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack. The threat actors launched the malicious campaign in November 2021, but it peaked between February 10 and 13, 2022, Taiwanese cybersecurity firm CyCraft reported.

As the Ukraine Conflict Escalates, US Braces for Russian Cyberattacks

 

Some of the most serious cyberattacks on US infrastructure in the last two years have been traced back to Russian hackers. The SolarWinds hack, which infiltrated multiple government departments in 2020, the ransomware attack that forced the suspension of one of America's main fuel pipelines for several days last year, and another attack on JBS, one of the world's largest meat producers, are also on the list. 

The US administration is on high alert for signs of Russian cyberattacks on banks and other financial institutions, following Moscow's broad strike on Ukraine on Thursday, which drew harsh international sanctions. According to a homeland security source with knowledge of the situation, Russia's cyberthreat to the United States is still active and has not changed since Russian President Vladimir Putin started a full-scale invasion of Ukraine. 

Threats to the national grid and big American institutions, according to the source, are a definite possibility. The Department of Justice and the FBI are both bracing for a potential attack and closely monitoring any strange cyber activity. The Department of Justice has a whole national security division devoted to this.

If Russia got into and hacked the US power system, intelligence officials believe it would take between one and two weeks to restore full functioning. The US government has previously disclosed information indicating that Moscow mounted a vast hacking campaign to breach America's "critical infrastructure," which includes power plants, nuclear power plants, and water treatment plants.

Russia has also been accused of conducting online disinformation campaigns aimed at the United States, including efforts to meddle with US elections and cause unrest. This week, US authorities again accused Russian intelligence of spreading misinformation about Ukraine. 

While many online attacks cannot be explicitly traced to the Russian state, Herb Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation, believes that hackers work with Russia's support. 

"They don't operate directly for the Russian government, but they operate under a set of rules that says: 'you guys do what you want, don't target Russian stuff and we won't bother you,'" Lin said. 

Even if Russian hackers do not directly target US organisations, Ukraine's reliance on foreign technology, according to Lin, can cause significant problems for the US. If the crisis in Ukraine worsens, "all the stuff in the US that directly aids the Ukrainian military machine becomes fair game for the Russians to target," Lin added.

Ukraine: DDoS Attacks on State Websites Continue

 

Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), citing data from the independent cyber analyst Snorre Fagerland, stated that the hacker group APT28 (Fancy Bear), which is believed to be linked to the Main Intelligence Directorate of the Russian Federation, was behind the attacks. 

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet. 

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that, within the framework of pro-state activity, mainly Chinese groups like to engage in misdirecting attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn has previously been caught misdirecting attribution. 

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy. 

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."

Russian Man and his Wife Arrested in U.S. for Stealing Record $4.5 billion in Bitcoins

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on a combined bail of $8 million. However, the spouses were unable to leave federal prison, as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Lichtenstein's computer, and a plastic container of disposable phones under the bed in the defendants' apartment. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street"; she was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

Suspected Founder of Hacker Group The Infraud Organization Arrested in Moscow

 

It became known that Russia will not extradite the possible leader of the hacker group The Infraud Organization to the United States. Russian FSB officers and Russian law enforcement agencies, with the assistance of US law enforcement agencies, detained four members of the hacker group The Infraud Organization on January 22. Prior to that, the alleged founder Andrei Novak was put on the wanted list in the United States on charges of cyber fraud. 

According to the FSB, Novak has been arrested, and three other alleged hackers have been placed under house arrest. The investigation continues to identify other members of The Infraud Organization. The detained members of the group are accused of illegal access to computer information and illegal turnover of payment funds. 

Russia has no plans to extradite Andrei Novak, the possible leader of the international hacker group The Infraud Organization, to the United States, since Russian law prohibits the extradition of its own citizens to a foreign state. 

It is noted that if among the detained members of the organization there is a person without Russian citizenship, then after the investigation of a criminal case in Russia and the trial he will be extradited to the country where the case was opened against him. 

It is worth noting that in February 2018, it was reported that law enforcement officers detained 13 persons in the United States accused of involvement in a criminal scheme, the damage from which amounted to at least $530 million. In total, 36 people have been charged, and one Russian, Andrei Novak, was included in this list. 

The detained 13 people are citizens of the United States, Australia, Great Britain, France, Italy, and Serbia. The criminal group was organized by a citizen of Ukraine in 2010. 

The company Group-IB, which investigates and prevents cybercrime in Russia (its founder Ilya Sachkov was arrested in Russia on charges of treason), said at the time that the defendants were not an organized group, but had united on hacker sites solely to carry out attacks. Group-IB suggested that their main field of activity could be carding. In addition, the cybercriminals could have managed cardershops (sites for the sale of bank cards) and sold accounts.

A Phishing Attack Impersonates the US DoL in Order to Steal Account Credentials

 

Many phishing attacks seek to defraud individuals by mimicking and imitating legitimate companies and organizations. A phishing email that looks to be from an official government agency is particularly deceiving since it exudes authority. Inky discovered a harmful campaign in the latter half of 2021 that spoofs the US Department of Labor in order to steal the account credentials of unwary victims. 

In a blog post published on Wednesday, Inky describes a series of phishing assaults in which the sender address on the majority of the emails looked to come from no-reply@dol.gov, the Department of Labor's legitimate domain. A couple of the emails were spoofed to appear to be sent from no-reply@dol.com, which is not the department's actual domain. The remainder came from a collection of newly formed look-alike domains, including dol-gov[.]com, dol-gov[.]us, and bids-dolgov[.]us. These phishing emails claimed to be from a senior DoL employee in charge of procurement and asked recipients to submit bids for "ongoing government projects." 

A PDF attachment accompanying the email appeared to be an official DoL document, complete with all the necessary images and branding. On the second page of the PDF, a BID button led to what looked to be the Department of Labor's procurement platform but was actually a rogue website impersonating the department. 

Following the link, the victim saw an exact replica of the official DoL website; the phishers had simply copied the HTML and CSS from the original site onto the phishing site. 

The website then displays a "Click here to bid" button as the following step in the process. Anyone who clicks on that button will be directed to a credential harvesting form with instructions on how to submit a bid using a Microsoft account or another business account. The victim would be informed that their credentials were incorrect after entering them. The credentials, however, had been stolen by the attacker. If the user tried to input their credentials again, they would be sent to the official DoL page, which would further trick them. 

The phishers were able to send their phishing emails via abused servers supposedly managed by a non-profit professional membership group in the majority of these attacks (the ones in which the spoofed sender was either no-reply@dol[.]gov or no-reply@dol[.]com). 

Inky offered a few tips for spotting this type of phishing scam: US government domains normally end in .gov or .mil rather than .com or another suffix; the US government does not usually send cold emails to collect bids for projects; and administrators should check their SMTP server settings, since SMTP servers should not be configured to accept and forward emails from non-local IP addresses to non-local mailboxes on behalf of unauthenticated and unauthorized users.
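The sender-domain checks above are easy to automate at triage time. The script below is an added example (not Inky's code or tooling): it extracts the domain from a From: header, treats only an exact match against a constructed allowlist as the legitimate domain, and flags the hyphenated and fused look-alikes named in the post (dol.com, dol-gov.us, bids-dolgov.us) while ignoring unrelated domains that merely contain the same letters. The allowlist, the brand token and the sample headers are constructed for this example.

```python
"""Sender-domain triage for the DoL look-alike phishing pattern described above.

Added example, not Inky's code or tooling. The allowlist, brand token and
sample From: headers are constructed for illustration.
"""
from email.utils import parseaddr

LEGIT_DOMAINS = {"dol.gov"}           # constructed allowlist of real sending domains
BRAND = "dol"                         # brand token the look-alike domains reuse
US_GOV_TLDS = ("gov", "mil")          # suffixes US government mail normally uses


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header, '' if unparsable."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_us_government_tld(domain: str) -> bool:
    """True when the domain ends in one of the suffixes US agencies normally use."""
    return domain.rsplit(".", 1)[-1] in US_GOV_TLDS


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'dol-gov' for mail.dol-gov.com."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_brand(domain: str) -> bool:
    """True for dol.com, dol-gov.us, bids-dolgov.us; False for idol.com.

    Hyphens split the label into tokens, so an unrelated word that merely
    contains the letters of the brand does not match."""
    tokens = registrable_label(domain).split("-")
    return BRAND in tokens or any(BRAND + "gov" in t for t in tokens)


def classify_sender(from_header: str) -> str:
    """Verdict for one From: header: invalid, legitimate-domain, lookalike or unrelated."""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    if domain in LEGIT_DOMAINS:
        # The campaign also spoofed the real domain through abused relays, so
        # an exact match clears the domain only, not the message's origin.
        return "legitimate-domain"
    if looks_like_brand(domain):
        return "lookalike"
    return "unrelated"


# Constructed headers modelled on the sender addresses named in the post.
SAMPLE_HEADERS = [
    "DoL Procurement <no-reply@dol.gov>",
    "no-reply@dol.com",
    "<bids@dol-gov.com>",
    "procurement@bids-dolgov.us",
    "newsletter@idol.com",
]


def triage(headers):
    """Map each header to its verdict for a quick batch review."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:18} {header}")
```

Because the post notes that some messages carried the genuine no-reply@dol.gov address via abused relays, a "legitimate-domain" verdict here only rules out a look-alike; whether the message really originated from that domain has to come from the receiving server's own checks.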

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence

 

The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."
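Cyber Command's advice to "look for suspicious outbound traffic" when DNS tunneling is suspected can be turned into a simple resolver-log heuristic. The script below is an added example, not Cyber Command's or CNMF's tooling: it groups queries by parent domain and flags a domain that receives many distinct, long, high-entropy subdomain labels, which is what encoded C2 traffic over DNS looks like in a log. The log lines, the thresholds and the c2-example.test domain name are all constructed for this example.

```python
"""Spot DNS-tunneling-style query patterns in resolver logs.

Added example illustrating the "look for suspicious outbound traffic" advice
above; it is not Cyber Command's tooling, and the log lines are constructed.
Heuristic: a parent domain that receives many distinct, long, high-entropy
leftmost labels is a tunneling candidate worth a closer look.
"""
import hashlib
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "epoch client qname qtype".
# The made-up c2-example.test domain receives encoded-looking labels, built
# deterministically from sha256 so the sample is reproducible offline.
SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.example.com A",
    "1700000001 10.0.0.5 mail.example.com A",
    "1700000002 10.0.0.7 update.example.net A",
] + [
    f"17000000{10 + i:02d} 10.0.0.5 "
    f"{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.c2-example.test TXT"
    for i in range(12)
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leftmost label, parent domain made of the last two labels).

    Names with fewer than three labels carry no data-bearing prefix, so the
    leftmost label is reported as ''."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def tunneling_candidates(log_lines, min_unique=8, min_label_len=30, min_entropy=3.0):
    """Parent domains whose distinct leftmost labels are numerous, long and random-looking.

    Returns {parent: stats}; thresholds are constructed defaults for the sample."""
    per_parent = defaultdict(lambda: {"labels": set(), "queries": 0, "txt": 0})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines rather than crash
            continue
        _, _, qname, qtype = parts
        label, parent = split_qname(qname)
        stats = per_parent[parent]
        stats["queries"] += 1
        stats["txt"] += qtype == "TXT"   # TXT is a common tunneling carrier
        if label:
            stats["labels"].add(label)

    flagged = {}
    for parent, stats in per_parent.items():
        labels = stats["labels"]
        if len(labels) < min_unique:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[parent] = {
                "unique_labels": len(labels),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_queries": stats["txt"],
                "queries": stats["queries"],
            }
    return flagged


if __name__ == "__main__":
    for parent, stats in tunneling_candidates(SAMPLE_LOG).items():
        print(parent, stats)
```

On real logs the thresholds need tuning per environment, since CDNs and some security products also generate long, random-looking labels; the point of the per-parent statistics is to give an analyst something to rank rather than a verdict.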

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

Last November, cyber authorities across the US, UK, and Australia attributed attacks exploiting vulnerabilities in Fortinet and Exchange products to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the malicious actors were simply focused on exploiting the vulnerabilities wherever possible; following the operation, they then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

A Ransomware Attack Targeted Virginia Legislature Agencies and Commissions

 

A ransomware attack has caused the suspension of computer systems and websites for Virginia legislative agencies and commissions, including the Division of Capitol Police and the Division of Legislative Services, which is preparing bills and resolutions for the forthcoming General Assembly session. 

The attack started on Sunday at the Department of Legislative Automated Systems and has now expanded to practically all legislative branch websites, with the exception of the Legislative Information System on the General Assembly website. It has had no effect on state executive branch agencies. 

Virginia Governor Ralph Northam's spokesperson, Alena Yarmosky, said the governor has been briefed about the attack. The incident was communicated to the state's legislative leaders through email, who were informed that hackers attacked the state's computers. 

“Currently the bad guys have most of our critical systems locked up except for LIS,” Dave Burhop, director of the legislative IT agency, informed Senate and House of Delegates early on Monday morning. Capitol Police's website is unavailable, although spokesperson Joe Macenka stated that, "All of our critical communication systems are fine."

The attack employs ransomware, which a criminal organization implants in vital computer systems in order to extract money. The governor's office and Burhop both confirmed that the state had received a ransom note, but neither said what it contained. “The bad guys have left us a ransom note but details are scant and no amount of ransom has been specified yet,” Burhop said in the email to the House and Senate clerks. 

According to Senate Clerk Susan Schaar, the Department of Legislative Automated Services is collaborating with the Virginia Information Technologies Agency to resolve the problem. VITA provides assistance to approximately 60 agencies in the executive department of state government. The legislative IT sites are managed separately from the executive branch sites by the Department of Legislative Automated Systems, according to Yarmosky. “As such, VITA has very little knowledge of the system and security architecture or tools in place to address cyber-attacks.”

The Virginia Defense Force and the Virginia Department of Military Affairs reported in September that they were victims of a cyberattack in July. Attacks on local governments at the city, county, and state levels have netted ransomware groups millions of dollars. At least 2,354 governments, healthcare facilities, and schools in the United States were hit with ransomware in 2020, experts told The Washington Post.

FBI Seizes 39 BTC Worth $2.2M Tied to Ransomware Gangs

 

The Federal Bureau of Investigation (FBI) has seized 39 BTC worth approximately $2.3 million from a Russian man affiliated with the REvil and GandCrab ransomware gangs, according to a court document unsealed Tuesday. 

"The United States of America files this verified complaint in rem against 39.89138522 Bitcoin Seized from Exodus Wallet ("the Defendant Property") that is now located and, in the custody, and management of the Federal Bureau of Investigation ("FBI") Dallas Division, One Justice Way, Dallas Texas," reads the United States' complaint for forfeiture. 

Exodus is a desktop or mobile wallet that owners can use to store cryptocurrency, including Bitcoin, Ethereum, Solana, and many others.

The FBI seized the $2.3 million on August 3; officials did not disclose how they obtained access to the wallet. According to the court document, the wallet held REvil ransom payments belonging to an affiliate identified as Aleksandr Sikerin (aka Alexander Sikerin and Oleksandr Sikerin), whose email address is engfog1337@gmail.com. 

The name “engfog” in the email address is tied to a well-known GandCrab and REvil/Sodinokibi affiliate known as “Lalartu,” BleepingComputer reported. 

GandCrab and REvil operate as Ransomware-as-a-Service (RaaS) outfits, where core operators partner with third-party hackers known as affiliates, the news outlet noted, adding that ransom payments are split between the affiliate and the core operators. “The operators usually earn between 20% and 30% of the ransom,” reads the court document. 

The Justice Department this month announced the seizure of $6.1 million from Yevgeniy Polyanin, a Russian “charged with deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States.” Meanwhile, the U.S. government has been stepping up its efforts to fight ransomware attacks. The Treasury Department has already sanctioned two cryptocurrency exchanges tied to ransom payments. 

Earlier this year, in October, REvil was reportedly forced offline by a multi-nation operation — giving the ransomware group a taste of its own medicine after it orchestrated a number of high-profile attacks. Those attacks include the Colonial Pipeline incident, which resulted in gas shortages across the U.S., and a separate incident in which hundreds of supermarkets in Sweden were forced to close after the software firm Kaseya was crippled. 

On E-Commerce Servers, New Malware Masquerades as the Nginx Process

Remote access malware is being used to attack eCommerce servers, and it hides inside Nginx in such a way that security solutions cannot detect it. NginRAT, named for the application it targets and the remote access capabilities it delivers, is being used in server-side attacks to steal payment card data from online stores. 

NginRAT was discovered on eCommerce servers in North America and Europe that were already infected with CronRAT, a remote access trojan (RAT) that hides its payloads in tasks scheduled to run on a calendar day that does not exist. Linux cron accepts a date specification as long as it is correctly formatted, even when that day never occurs, so the entry is stored but the scheduled task never runs. 

CronRAT relies on this to stay hidden. According to research released by Dutch cyber-security firm Sansec, it conceals a "sophisticated Bash programme" in the names of scheduled tasks, with the payloads obscured by multiple layers of compression and Base64 encoding. Once decoded, the code contains self-destruction, timing modulation, and a custom protocol for communicating with a remote server. 
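As an added illustration of the hiding technique described above, the following Python script (not Sansec's tooling, and not CronRAT itself) expands the day-of-month and month fields of each crontab entry and flags combinations that can never occur, which is exactly the kind of entry cron stores but never fires. The crontab lines are constructed for the example. It deliberately skips entries that also restrict the day-of-week field, because vixie-cron then fires when either field matches, so an impossible day-of-month alone would not silence such a job.

```python
"""Flag crontab entries whose day-of-month/month combination can never occur."""
import calendar

# Constructed sample crontab (added example): the two entries with day 31 in
# February / 30-day months can never fire; the last one restricts dow too.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
30 4 1 * * /usr/local/bin/rotate-logs
*/5 * * * * /usr/bin/check-health
15 3 31 2 * /usr/share/misc/.cache/run
0 0 31 4,6,9,11 * /var/tmp/.x
0 0 31 2 1 /bin/true
"""

# Longest possible length of each month; February uses 29 so that a
# legitimate leap-day job is not reported.
DAYS_IN_MONTH = {m: calendar.monthrange(2021, m)[1] for m in range(1, 13)}
DAYS_IN_MONTH[2] = 29

# "jan".."dec" -> 1..12 for entries that spell the month out.
MONTH_NAMES = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}


def _to_int(token, names):
    token = token.lower()
    if names and token in names:
        return names[token]
    return int(token)  # raises ValueError on syntax this toy parser ignores


def _expand(field, lo, hi, names=None):
    """Expand a cron field (lists, ranges, steps, '*') into a set of ints."""
    values = set()
    for part in field.split(','):
        step = 1
        if '/' in part:
            part, step_s = part.split('/', 1)
            step = int(step_s)
        if part == '*':
            start, end = lo, hi
        elif '-' in part:
            a, b = part.split('-', 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = end = _to_int(part, names)
        values.update(range(start, end + 1, step))
    return values


def impossible_entries(crontab_text):
    """Return (entry, reason) pairs for jobs whose dates never occur."""
    findings = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith('#') or entry.startswith('@'):
            continue  # comments and @reboot/@daily style entries
        fields = entry.split(None, 5)
        if len(fields) < 6:
            continue
        _minute, _hour, dom, mon, dow, _cmd = fields
        if dow != '*':
            # With both dom and dow restricted, cron runs the job when EITHER
            # matches, so an impossible dom does not keep it dormant.
            continue
        try:
            days = _expand(dom, 1, 31)
            months = _expand(mon, 1, 12, MONTH_NAMES)
        except ValueError:
            continue  # unsupported syntax; out of scope for this check
        # The job can fire only if some selected day exists in some selected month.
        if not any(d <= DAYS_IN_MONTH[m] for d in days for m in months):
            reason = f"day(s) {sorted(days)} never occur in month(s) {sorted(months)}"
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in impossible_entries(SAMPLE_CRONTAB):
        print(f"DORMANT: {entry}\n    {reason}")
```

On a live host the same function can be fed the output of `crontab -l` for each user and the files under `/etc/cron.d`; a dormant entry whose command lives in an odd location is worth a closer look.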

NginRAT has infected servers in the United States, Germany, and France, injecting itself into Nginx processes so that it remains unnoticed. According to Sansec researchers, the new malware is delivered by CronRAT, even though both perform the same function: granting remote access to the compromised system. 

While the two RATs use quite different approaches to stay hidden, Willem de Groot, director of threat research at Sansec, told BleepingComputer that they appear to serve the same role, each acting as a backup for preserving remote access. Sansec was able to investigate NginRAT after building a custom CronRAT client and analyzing its interactions with the command and control (C2) server in China. Mimicking the usual malicious exchange, the researchers duped the C2 into transmitting and executing a rogue shared library payload, which turned out to be the "more advanced piece of malware," NginRAT.

“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself,” reads the analysis published by the experts. The remote access malware embeds itself in the Nginx process in such a way that it is practically impossible to distinguish from a legitimate process.
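A shared library that has been loaded into a running Nginx worker, by whatever hook, still appears in that process's memory map. The Python below is an added defensive check (not Sansec's detection logic and not tied to NginRAT's actual loader) that parses `/proc/<pid>/maps` and reports executable file-backed mappings that sit outside the paths a stock Nginx is expected to load libraries from, or that are backed by a file since deleted from disk. The maps excerpt is constructed, and the trusted-prefix list is an assumption to adapt to your distribution.

```python
"""Report executable mappings in a process that look out of place."""
import re

# Assumed locations from which a stock Nginx maps its binary and libraries.
TRUSTED_PREFIXES = ("/usr/sbin/nginx", "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")

# Constructed /proc/<pid>/maps excerpt (added example): the libx.so and the
# deleted libz.so.1 mappings are the ones a defender would want flagged.
SAMPLE_MAPS = """\
55d2c3a00000-55d2c3a9f000 r-xp 00000000 fd:01 1311 /usr/sbin/nginx
7f1e2c000000-7f1e2c1c5000 r-xp 00000000 fd:01 2203 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e2c1c5000-7f1e2c1c9000 rw-p 001c5000 fd:01 2203 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e2c400000-7f1e2c42a000 r-xp 00000000 fd:01 2210 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1e2c600000-7f1e2c61f000 rw-p 00000000 00:00 0 [heap]
7f1e2c800000-7f1e2c803000 r-xp 00000000 fd:01 9981 /tmp/.Xcache/libx.so
7f1e2ca00000-7f1e2ca05000 r-xp 00000000 fd:01 9982 /dev/shm/libz.so.1 (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

# address range, perms, offset, device, inode, optional pathname
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return sorted (path, reason) pairs for executable file-backed mappings
    that are outside the trusted prefixes or whose backing file was deleted."""
    findings = {}
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("["):
            continue  # anonymous memory, [heap], [stack], [vdso]: not file-backed
        if "x" not in m.group("perms"):
            continue  # only executable mappings can host injected code
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if deleted:
            findings[clean] = "executable mapping backed by a file deleted from disk"
        elif not clean.startswith(trusted_prefixes):
            findings[clean] = "executable mapping outside trusted library paths"
    return sorted(findings.items())


def scan_process(pid, trusted_prefixes=TRUSTED_PREFIXES):
    """Read a live process map (Linux only) and apply the same check."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_mappings(fh.read(), trusted_prefixes)


if __name__ == "__main__":
    for path, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"{reason}: {path}")
```

Run `scan_process(pid)` against every Nginx worker (`pgrep -x nginx`) and diff the result across hosts; a library the package manager does not own, or one mapped from `/tmp`, `/dev/shm` or a deleted file, is the kind of anomaly a process-name-based check never sees.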

22,000 Data Subjects were Impacted by a Cyberattack on S&R

Thousands of data subjects were affected by the recent cyberattack on S&R Membership Shopping, according to the National Privacy Commission (NPC). The NPC said in a statement that it received an initial breach report from S&R on November 15, 2021, at 4:47 p.m. regarding a cyberattack that may have affected the personal data of its members. According to the NPC, the breach was discovered on November 14, 2021.

S&R is a membership-based shopping club modeled after the American warehouse membership shopping chains. The basic idea is to provide significant value to member-customers through a system that is based on aggressive buying, low-cost distribution, and streamlined operations. 

S&R Pricemart was founded in 2001 as a joint venture with PriceSmart of the United States; the "S&R" stands for Sol and Robert Price, two American businessmen. After the Retail Trade Act of 2000 liberalized the retail sector, PriceSmart became the first big international retailer to enter the Philippine market. The retail chain was rebranded S&R Member Shopping after PriceSmart gave up its share in the joint venture in 2005 and the business was purchased by the Co family in 2006. 

S&R submitted a second breach report on November 24, 2021, indicating that the ransomware attack targeted the company's membership system and affected 22,000 data subjects, according to the privacy body. Citing the company's report, the NPC said the S&R members' personal information, including date of birth, phone number, and gender, had been compromised. 

“Based on the S&R’s disclosure and confirmation from their data protection officer, credit cards and other financial information were not among the compromised personal data,” the privacy body said. S&R had previously stated that it had been the victim of a cyberattack, but that its "staff quickly and decisively implemented our cybersecurity protocols, allowing us to restart our system operations." 

Despite this, the NPC ordered S&R to submit a technical report on the incident prepared by a third-party cybersecurity company. The company was also reminded of its obligation to properly disclose the breach and individually notify all affected data subjects, the agency said. “They (S&R) informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” the NPC said.

Apple Sues NSO Group for Using Pegasus Spyware to Spy on iPhone Users

Apple has sued NSO Group and its parent firm Q Cyber Technologies in a U.S. federal court for illegally targeting users with its Pegasus spying tool, marking yet another setback for the Israeli spyware vendor. The Cupertino-based tech giant describes NSO Group as "notorious hackers — amoral 21st-century mercenaries who have constructed highly sophisticated cyber-surveillance equipment that promotes routine and egregious exploitation." 

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous.”

Pegasus is designed as an invasive "military-grade" spyware capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones. It is typically installed by leveraging "zero-click" exploits that infect targeted devices without any user interaction. 

The FORCEDENTRY exploit in iMessage was used to evade iOS security measures and target nine Bahraini activists, according to Apple's lawsuit. The attackers used more than 100 fake Apple IDs to send malicious data to the victims' devices, allowing NSO Group or its clients to deliver and install Pegasus spyware without the victims' knowledge, the firm said. Apple patched the zero-day vulnerability in September. 

"The abusive data was sent to the target phone through Apple's iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file," Apple detailed in its filing. "That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple's iCloud servers in the United States or abroad for delivery to the target." 

The lawsuit mirrors a similar action taken by Meta (formerly Facebook) in October 2019, when it sued the firm for installing Pegasus on 1,400 mobile devices belonging to diplomats, journalists, and human rights activists by exploiting a weakness in its WhatsApp messaging software. 

Apple praised organizations such as Citizen Lab and Amnesty Tech for their pioneering efforts in identifying cyber-surveillance abuses and assisting victims. To support such efforts, Apple announced that it will donate $10 million, plus any damages from the lawsuit, to organizations conducting cyber-surveillance research and advocacy.

TA406 APT Group, Which is Tied to North Korea, has Increased its Attacks

In 2021, a North Korea-linked threat actor tracked as TA406 ramped up its attacks, including credential harvesting campaigns, according to Proofpoint. The adversary, also known to security researchers as Kimsuky, Thallium, and Konni, has been attacking organizations in sectors such as education, government, media, and research, as well as other businesses. Proofpoint tracks the activity publicly reported as Kimsuky as three distinct threat actors, TA406, TA408, and TA427, of which TA406 is the most closely associated with Kimsuky activity.

Kaspersky researchers first identified the TA406 cyberespionage group in 2013. Toward the end of October 2020, US-CERT published a report on Kimsuky's latest operations, detailing the group's TTPs and infrastructure. The APT group primarily targeted South Korean think tanks and organizations, with victims also in the United States, Europe, and Russia. 

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said. 

During the first half of the year, Proofpoint observed weekly attacks against journalists, foreign policy experts, and non-governmental organizations (NGOs), particularly those involved in matters affecting the Korean Peninsula; academics were targeted as well. As part of its March 2021 campaign, TA406 targeted high-ranking political figures at numerous governmental institutions, along with consultancy firms, defense institutions, law enforcement agencies, and economic and financial organizations. 

Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey are among the malware families used. It also appears that NavRAT and QuasarRAT were used. 

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain,” reads the report. 

According to the security experts, TA406 has also been involved in financially motivated attacks, such as sextortion and the targeting of cryptocurrency, like other North Korean state-sponsored actors. “Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

Iranian Hackers are Exploiting Microsoft and Fortinet Flaws

Australia, the United Kingdom, and the United States issued a joint advisory on Wednesday warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored hackers. They urged administrators to fix four vulnerabilities right away: CVE-2021-34473, CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated. "Australian Cyber Security Centre (ACSC) is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than targeting a specific industry, the authorities said, the attackers simply exploited vulnerabilities wherever they could and then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion. 

To maintain access, the attackers used the Fortinet and Exchange vulnerabilities to add tasks to the Windows Task Scheduler and to create new accounts on domain controllers and other systems with names that resembled existing accounts. The next steps were to enable BitLocker, post a ransom note, and transfer files out via FTP. 
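Both persistence moves described in the advisory leave standard Windows Security events behind: 4720 for a user account created and 4698 for a scheduled task created. The Python below is an added detection example (not from the advisory or any vendor) that triages a batch of such events, flagging new scheduled tasks and new accounts whose names imitate an existing account after case folding and common look-alike substitutions. The event records and the baseline account list are constructed; the similarity threshold is an assumption to tune per environment.

```python
"""Flag look-alike account creations and new scheduled tasks in Security events."""
import difflib

# Constructed baseline of legitimate accounts (added example).
KNOWN_ACCOUNTS = ["Administrator", "svc_backup", "sqlservice", "jdoe", "krbtgt"]

# Constructed events as (event_id, fields); field names follow the Windows
# Security log schema for 4720 (account created) and 4698 (task created).
SAMPLE_EVENTS = [
    (4720, {"TargetUserName": "svc_backup_", "SubjectUserName": "Administrator"}),
    (4720, {"TargetUserName": "Adminlstrator", "SubjectUserName": "jdoe"}),
    (4720, {"TargetUserName": "new_intern_2021", "SubjectUserName": "jdoe"}),
    (4698, {"TaskName": "\\Microsoft\\Windows\\Maintenance\\Update",
            "SubjectUserName": "svc_backup_"}),
    (4624, {"TargetUserName": "jdoe"}),  # ordinary logon, ignored
]


def _norm(name):
    """Fold case, map common confusable characters, and drop suffix padding."""
    table = str.maketrans({"1": "l", "0": "o", "|": "l"})
    return name.lower().translate(table).strip("_-. $")


def lookalike_of(name, known=KNOWN_ACCOUNTS, threshold=0.85):
    """Return the existing account that `name` most resembles, or None."""
    n = _norm(name)
    best, best_ratio = None, 0.0
    for k in known:
        if _norm(k) == n and k != name:
            return k  # differs only by case, confusables or a trailing character
        ratio = difflib.SequenceMatcher(None, n, _norm(k)).ratio()
        if ratio > best_ratio:
            best, best_ratio = k, ratio
    if best_ratio >= threshold and best != name:
        return best
    return None


def triage(events, known=KNOWN_ACCOUNTS):
    """Return alert strings for look-alike account creations and task creations."""
    alerts = []
    for event_id, f in events:
        if event_id == 4720:
            target = f["TargetUserName"]
            if target in known:
                continue  # re-creation of a known name is a different question
            match = lookalike_of(target, known)
            if match:
                alerts.append(
                    f"4720: new account '{target}' resembles existing '{match}' "
                    f"(created by {f['SubjectUserName']})"
                )
        elif event_id == 4698:
            alerts.append(
                f"4698: scheduled task '{f['TaskName']}' created by {f['SubjectUserName']}"
            )
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

In practice the events come from a SIEM query or `Get-WinEvent` export, and the baseline from a directory dump taken before the incident window; the interesting correlation is the one in the sample, a task created by an account that was itself just created under a look-alike name.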

In May 2021, CISA and the FBI observed the adversary exploiting a Fortigate appliance to gain a foothold on a web server hosting the domain of a US municipal government, in addition to exploiting the ProxyShell vulnerability to gain access to vulnerable networks. The APT attackers "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," according to the advisory. 

This is the second time the US government has warned about advanced persistent threat groups targeting Fortinet FortiOS servers by exploiting CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to attack government and commercial systems. 

The FBI and CISA warned in April that Fortinet vulnerabilities were being actively exploited, and in July all four authorities jointly listed Fortinet among the top 30 exploited vulnerabilities. Separately, Microsoft warned on Wednesday about six Iranian groups that were using vulnerabilities in the same set of products to spread ransomware.

As mitigations, the agencies advise organizations to immediately patch software affected by the vulnerabilities above, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as soon as updates are released.

HSI San Antonio Issues a Public Warning on Spoofing Phone Calls

The Homeland Security Investigations (HSI) department of US Immigration and Customs Enforcement (ICE) in Texas has issued a warning about a new phone scam. Threat actors have been impersonating special agents of HSI San Antonio to draw members of the public into the malicious campaign. Victims are told that a problem has been discovered with their passport; the fake agent then threatens them with arrest unless they make a payment to HSI. 

Officials with ICE San Antonio said in a scam warning published November 4 that the scammers claim the passport is linked to a crime and frighten the victim by threatening to dispatch police to their home to arrest them. The fraudsters have found a way to make the call appear to come from the HSI San Antonio main phone number, 210-979-4500. 

HSI is a directorate of ICE and the primary investigative arm of the United States Department of Homeland Security (DHS). It is responsible for investigating transnational crime and threats, particularly those perpetrated by criminal organizations that take advantage of the global infrastructure that facilitates international trade, travel, and finance. HSI's overseas presence is DHS's largest investigative law enforcement presence abroad and one of US law enforcement's largest foreign footprints.

“HSI special agents and local police do not call people on the phone to warn them they are about to be arrested,” said HSI officials. “Agents neither request financial information, such as bank account and credit card account information, nor demand money from someone to dismiss an investigation or remove an arrest warrant.”

"If you receive a threatening call or message from the number, do not give the person any personal or financial information, try to collect any contact information from the caller, end the conversation immediately if threats and intimidation persist, report the incident to the ICE tip line at 1 (866) 347-2423," added HSI officials. 

In July, ICE officials in Virginia warned international students studying in the United States on student visas that the agency's phone number was being spoofed to trick them into making fraudulent payments and disclosing sensitive personal information. The scammers behind that campaign demanded payment in Bitcoin, a currency that the federal government does not recognize.

DDoSecrets Published 1.8 TB of Surveillance Footage From Helicopters on the Internet

Surveillance drones have become increasingly popular among law enforcement agencies across the United States in recent years, drawing criticism from privacy advocates. However, freshly leaked aerial surveillance footage from the Dallas Police Department in Texas and what appears to be the Georgia State Patrol highlights the range and quality of the footage captured by helicopters. 

On Friday, the transparency activist group Distributed Denial of Secrets, or DDoSecrets, released a 1.8-terabyte archive of police helicopter footage on its website. DDoSecrets cofounder Emma Best said her organization does not know who shared the material and that no affiliation or motive for disclosing the files was given. The source stated only that the two police departments had been storing the data in insecure cloud infrastructure. 

In June 2020, DDoSecrets made headlines when it published a massive leak of law enforcement data taken by a hacker linked to Anonymous. The data, called BlueLeaks, included emails, audio, video, and intelligence documents from more than 200 state, municipal, and federal agencies around the US. DDoSecrets was banned from Twitter, and Reddit banned the r/blueleaks subreddit. 

The report stated only that the law enforcement agencies responsible for keeping the video secure were storing the data in insecure cloud infrastructure when the bad actor gained access and posted the video online. WIRED examined the material that was posted online and reported that the samples included footage of a helicopter being flown during the day and at night, recording everything from an aerial view. 

“This is exactly one of the things that people are constantly warning about, especially when it comes to government surveillance and corporate data mining,” Best told WIRED in a text message interview. “Not only is the surveillance itself problematic and worrisome, but the data is not handled in the ideal conditions we're always promised.” 

Police drones have gained a lot of attention recently because they represent a new generation of aerial vehicles capable of stealthy surveillance and novel behaviors, such as flying indoors. Law enforcement agencies, on the other hand, have been using helicopters for aerial surveys and monitoring for decades. The DDoSecrets footage shows just how effective helicopter-mounted cameras are at capturing extremely crisp and detailed video close to the ground. 

Given that such footage could be helpful in a variety of ways for stalkers, assailants seeking materials for blackmail, domestic or international terrorist groups, or those conducting espionage operations, privacy advocates underline the importance of safeguarding aerial police surveillance data.