Search This Blog

Showing posts with label FBI. Show all posts

Surge in Sextortion Attacks Cost Targeted Users $8 This Year

 

The FBI IC3 (Internet Crime Complaint Center) raised an alert about a great surge in sextortion complaints since January 2021, which has led to a total financial loss of around $8 Million till July. FBI got over 16000 complaints of sextortion until July, most of them coming from the age group of 20-39. "Victims over 60 years comprised the third largest reporting age group, while victims under the age of 20 reported the fewest number of complaints," says FBI. Sextortion happens when potential victims are blackmailed by criminals in person or through dating sites, emails, and online chats that may expose sensitive or private photos/videos if the victims fail to pay the ransom. 

Started with an email scam, the Sextortion incident came to light in July 2018, when criminals started mailing victims threatening that they had proof of them surfing adult sites (which include victim passwords exposed through data leaks) to get credibility. Email sextortion campaign scammers also distributed various malware strains that range from ransomware to data-stealing trojans. As per the majority of the victims, the initial contact with the criminal is mutual as it is made via dating apps and websites. After the interaction, the criminal then requests the target to connect on some other platform for conversation. 

According to the FBI, "the fraudster instigates the exchange of sexually explicit material and then encourages the victim to participate via video chat or send their own explicit photos. Immediately after the victim complies, the fraudster blackmails the victim and demands money to prevent the release of the photos or videos on social media." The victims have it even worse, as the criminal may also get access to the target's social media account or contact no. They threaten the victims to leak sensitive images which the criminals possess and show them to the victim's friends and family. 

If any user ends up as a victim in such situations, they are advised to immediately stop all contact with the criminal, they should immediately report the incident to authorities and register a complaint at FBI IC3 as soon as the sextortion incident happens. To be safe from such incidents FBI suggests: 

•NEVER send compromising images of yourself to anyone, no matter who they areâ or who they say they are. 

•Do not open attachments from people you do not know. Links can secretly hack your electronic devices using malware to gain access to your private data, photos, and contacts, or control your web camera and microphone without your knowledge. 

•Turn off your electronic devices and web cameras when not in use.

The FBI has Issued a Warning About the Hive Ransomware Gang

 

The Federal Bureau of Investigation (FBI) has issued a security alert regarding the Hive ransomware attacks, which provides technical data and indicators of compromise related to the gang's operations. The gang recently targeted Memorial Health System, which was compelled to shut down some of its activities.   

The new Hive ransomware, according to John Riggi, senior advisor for cybersecurity at the American Hospital Association, is of particular concern to healthcare organizations. Hive has targeted at least 28 companies so far, including Memorial Health System, which was infected by ransomware on August 15. Across Ohio and West Virginia, the non-profit operates a number of hospitals, clinics, and healthcare facilities.

The attack, led Memorial, which is situated in Ohio, to stop user access to IT applications. All urgent surgery cases and radiology exams were canceled for August 16th, but all general care visits went through as planned. While systems were restored, staff at Memorial's hospitals - Marietta Memorial, Selby, and Sistersville General Hospital – had to rely on paper records. 

Hive ransomware has been active since June 2021, and it uses a Ransomware-as-a-Service model with a wide range of tactics, techniques, and procedures (TTPs). According to government experts, the gang uses a variety of methods to infiltrate victims' networks, including phishing emails with malicious attachments to acquire access and Remote Desktop Protocol (RDP) to move around once on the network. 

"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, 'HiveLeaks,'" the FBI explained. "Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension."

Before directing victims to a link to the group's "sales department" that can be reached through a TOR browser, the alert explains how the ransomware corrupts systems and backups. The link connects victims to a live chat with the perpetrators, but the FBI reports that some victims have been called by the attackers demanding ransom. The majority of victims have a payment deadline of two to six days, however, some have been able to extend their deadlines through negotiation.

FBI: Credential Stuffing Attacks on Grocery and Food Delivery Services


 




According to the FBI, hackers are hacking online accounts at grocery shops, restaurants, and food delivery services using credential stuffing attacks to empty customer cash through fake orders and obtain personal or financial details. 

The warning comes from the agency's Cyber Division, FBI Private Industry Notification issued last week to firms in the US food and agriculture fields. According to the agency, cybercriminal gangs are logging into customer accounts at grocery and food delivery services using username and password combinations stolen from other firms' breaches, in the hopes that customers have repeated credentials across accounts. 

Credential stuffing attacks use automated tools and proxy botnets to distribute the attacks across a wide range of IP addresses and obscure the attackers' location. Due to billions of user credentials being exposed online, credential stuffing attacks have become prevalent across a wide number of trade verticals over the last decade. Most supermarket, restaurant, and food delivery accounts include a reward points program and generally retain payment card information, as a result, cybercriminals have been concentrating their efforts on these accounts in the last year. 

Since July 2020, the FBI has received reports of multiple instances: 

“As of February 2021, identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders. 

In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants. 

In July 2020, customers' personal information of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.” 

Furthermore, independent research from threat intelligence firm DarkOwl revealed an increase in the number of underground advertisements promising access to restaurant and food delivery accounts, a surge that appears to have occurred after the COVID-19 pandemic began in early 2020. 

As more people are confined at home and have to order meals online, the demand for food delivery accounts has increased as fraudsters try to dine at someone else's cost. According to the FBI, victim firms are typically unaware of any intrusions until customers report strange activity on their accounts, such as food orders for pick-ups that they did not place. 

FBI also states that in the majority of cases, thieves got access to individual accounts using basic tactics such as credential stuffing. The agency now demands businesses to enhance their security defenses against such assaults. They are also advising businesses to be on the lookout for signs of a credential stuffing attack and to develop a multi-layered mitigation strategy.

Signs of a credential stuffing attack include: 
-an unexpectedly high number of unsuccessful logins via the online account portal 
-a higher than usual lockout rate and/or a flow of customer calls regarding account lockouts and unauthorized changes 

Recommended Mitigations: 

• Inform customers and workers about the program, emphasizing the need to use different passwords for different accounts and change passwords regularly. 
• Advise consumers to keep an eye on their accounts for illegal access, changes, and unusual activity; usernames and passwords should be changed if the account is compromised or if fraud is suspected. 
• Set up Two-Factor or Multi-Factor Authentication while creating or upgrading an account. 
• Create corporate policies that require contacting the account's owner to verify any changes to the account's details. 
• Utilize anomaly detection tools to spot unexpected traffic spikes and unsuccessful login attempts. Consider using CAPTCHA to counter automated scripts or bots. 
• Develop policies for device fingerprinting and IP blacklisting. 
• Use both a PIN code and a password. 
• Keep an eye out for lists of leaked user IDs and passwords on the dark web, and run tests to see if current user accounts are vulnerable to credential stuffing attacks. 

Furthermore, owners of hacked accounts should be informed that if financial data was saved in their account and not secured, they may need to verify payment card balances. In addition to selling access to compromised accounts, DarkOwl reported last year that some hackers profited from selling or openly sharing step-by-step guidelines on how to execute return policy fraud. 

Although refund policy fraud may not pose a direct threat to end customers, food delivery firms should be cautious of these sorts of scams as well, even if the FBI has not issued a warning.

Nearly 2 Million Records From Terrorist Watchlist Exposed Online

 

A terrorist watchlist comprising 1.9 million data remained open and unsecured on the internet for three weeks between July 19th and August 9th. The Terrorist Screening Center (TSC), a multi-agency centre run by the Federal Bureau of Investigation, is believed to have compiled the watchlist. The list was left accessible to the public on an Elasticsearch cluster with no password. 

In July this year, Security Discovery researcher Bob Diachenko discovered various JSON documents in an unsecured Elasticsearch cluster, which grabbed his interest. 

The 1.9 million-strong record set includes sensitive information about people, such as their names, nation citizenship, gender, date of birth, passport data, and no-fly status. 

Search engines Censys and ZoomEye listed the exposed server, implying Diachenko was not the only one who came across the list. Given the nature of the open data (e.g. passport details and "no-fly indicator"), the researcher informed BleepingComputer that it seemed to be a no-fly or similar terrorist watchlist. 

“The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.

In addition, the researcher observed specific enigmatic fields like "tag," "nomination kind," and "selectee indication" that were not understandable. Diachenko told BleepingComputer, as per the nature of the data and the presence of a specific field entitled 'TSC ID," was the only reasonable conclusion implying that the record set's source may be the Terrorist Screening Center (TSC). 

Multiple federal agencies use the FBI's TSC to manage and exchange integrated information for counterterrorism reasons. The Terrorist Screening Database, often known as the "no-fly list," is a secret watchlist managed by the agency. 

Such databases are regarded as extremely sensitive, given the critical role they play in assisting national security and law enforcement activities. Terrorists or reasonable suspicions who represent a national security threat at the government's discretion are "nominated" for inclusion on the secret watchlist. 

The list is cited by airlines and multiple agencies, like the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP), to check the list in order to determine whether a passenger is allowed to fly, impermissible to the United States, or to examine their risk for various activities. 

The unsecured database was discovered on July 19th on a server with a Bahrain IP address and disclosed the data leak to the US Department of Homeland Security on the same day (DHS). 

"I discovered the exposed data on the same day and reported it to the DHS. The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it," writes Diachenko in his report. 

According to Diachenko, releasing such sensitive information might affect people whose data might be included on the list. 

“The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he alerted.

FBI Told Congress That Ransomware Payments Shouldn't be Prohibited

 

After meeting with the business sector and cybersecurity experts, the Biden administration backed away from the concept of barring ransomware payments, according to a top cybersecurity official on Wednesday. At an Aspen Security Forum event, Anne Neuberger, deputy national security adviser for cyber and new technology, said, "Initially, I thought that was a good approach. We know that ransom payments are at the heart of this ecosystem.”

A top FBI official told US lawmakers in July that making ransom payments to cybercriminals illegal is not the best way to combat the danger of ransomware. According to Bryan Vorndran, assistant director of the FBI's cyber division, banning ransom payments could unwittingly open the door to more extortion by ransomware gangs. 

"If we ban ransom payments now, you're putting US companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities," Vorndran said at a Senate Judiciary Committee hearing on ransomware. 

The debate over whether or not ransomware payments should be illegal exemplifies the larger issue that policymakers have in trying to combat a crime that takes advantage of a victim's financial incentives. According to cybersecurity experts, paying in the hopes of rapidly fixing an issue is often more appealing than refusing to negotiate, having to recover data from backups, and risking the publishing of sensitive information online. 

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” Anne said. 

Work to gain transparency into cryptocurrency networks, which have become a popular method of payment for cybercriminals, is one of the disruptive attempts. The National Security Council, according to Neuberger, is working with other members of an interagency task force to review regulations and safeguards that would allow for improved payment monitoring. 

“Our driving goal is rapid tracing and really the strengthening of domestic and international virtual currency regulatory environments to enable that,” she said. “One big part of it is also building in those types of protections in the design of new virtual currencies and addressing that in a way that we can both have the innovation, and not have a broad illicit use that’s driving criminal activity.”

FTC Issued a Warning About Phishing Scams Involving Unemployment Benefits

 

Americans should be skeptical of text messages appearing to be from their state workforce agency, according to the Federal Trade Commission. Following the discovery of an SMS-based phishing effort targeting users of unemployment insurance benefits, the FTC has raised a red flag. In one year, consumers lost $57 million to phishing schemes, according to the FBI's Internet Crime Complaint Center.

"Identity thieves are targeting millions of people nationwide with scam phishing texts aimed at stealing personal information, unemployment benefits, or both," said Seena Gressin, attorney at the division of consumer and business education at the FTC. As part of the effort, several fraudulent texts are being sent out. One advises the receiver that their unemployment insurance (UI) claim requires "necessary corrections." Another instructs the target to double-check their personal details.

A targeted user who clicks on a link in one of these messages will be directed to a fake website impersonating their state workforce agency, which Gressin described as "looking very real." Instructions on the site ask the user to enter a slew of personal information, including their login credentials and Social Security number. "Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft," warned Gressin.

Scammers love to target people when they are most vulnerable, knowing that they will be more likely to fall for the trap. That is especially true for people who are unemployed and rely on unemployment benefits to get by. 

The Federal Trade Commission (FTC) disclosed the information of seven different phishing texts that are now circulating. One reads "RI-DLT Labor: This is to notify you that your Rhode Island insurance claim account is currently on hold for verification. Please complete your verification by following the instruction link below to activate your account."

"As we continue to work our way through the pandemic and associated issues, unemployment insurance has become more and more important to people unable to work when jobs that match their skills are not available," said KnowBe4security awareness advocate Erich Kron. "With the recent rise in cases, due to the Delta variant and other factors, stress levels continue to rise for people impacted. This makes them prime candidates for attacks such as this, which threaten their only source of income."

1,500 Businesses Globally were Affected by Kaseya Cyberattack

 

Kaseya, a Miami-based software provider to over 40,000 businesses, reported on July 2 that it was looking into a possible hack. The IT solutions provider for managed service providers (MSPs) and enterprise clients revealed a day later that it had been targeted by a "sophisticated cyberattack." According to CEO Fred Voccola, the ransomware attack has hit between 800 and 1,500 organizations throughout the world. In an interview with Reuters, he said it was impossible to determine the exact impact of the hack because the firms affected were Kaseya's clients. 

REvil, a hacking organization linked to Russia, published a blog on the dark web on Sunday claiming its involvement in the attack. REvil sought $70 million for the data to be restored. REvil has become one of the most well-known ransomware creators in the world. In the last month, it demanded an $11 million payment from the U.S. subsidiary of the world's largest meatpacking company, a $5 million payment from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, if not hundreds, of companies that use IT management software from Kaseya VSA. 

Kaseya is a company that provides its comprehensive integrated IT management platform to other businesses. It also provides organizations with tools such as VSA (Virtual System/Server Administrator) and other remote monitoring and management solutions for network endpoints. Kaseya also offers compliance systems, service desks, and a platform for service automation. 

According to the FBI, a vulnerability in Kaseya VSA software was used against many MSPs and their clients in the recent supply-chain ransomware campaign. VSA allows a company to control servers and other hardware, as well as software and services, from a remote location. Large enterprises and service providers who manage system administration for companies without their own IT staff utilize the software. 

According to Kevin Beaumont, a security specialist, the REvil ransomware was distributed through an apparent automatic bogus software update in the product. Because the malware had administrator access down to client systems, the MSPs who were attacked were able to infect the systems of their clients.

The attacker quickly disabled administrator access to VSA, according to Beaumont, and then inserted a task called "Kaseya VSA Agent Hot-fix." This phoney update was then pushed out to the entire estate, including MSP client systems. The management agent update was actually REvil ransomware, and non-Kaseya customers were still encrypted. The ransomware allowed hackers to disable antivirus software and run a phoney Windows Defender app, after which the computer's files were encrypted and couldn't be viewed without a key.

NSA and FBI Blame Russia for Massive ‘Brute Force’ Attacks on Microsoft 365

 

American intelligence and law enforcement agencies have accused a Kremlin-backed hacking group for a two-year campaign to breach into Microsoft Office 365 accounts. 

In a joint report with British intelligence, the NSA, FBI, and DHS blamed Fancy Bear for the broad "brute force" attacks. Fancy Bear is most known for hacking the Democratic National Committee in the run-up to the 2016 Presidential Elections. 

Fancy Bear, according to the agencies, was actually the 85th Main Special Service Center (GTsSS), a group within the Russian General Staff Main Intelligence Directorate (GRU), and that it had been carrying out its brute force attacks on a variety of sectors, which include government and military departments, defense contractors, political parties, energy companies, and media outlets. The majority of the targets were based in the United States and Europe. 

The joint statement stated, “These efforts are almost certainly still ongoing. This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.” 

“This lengthy brute force campaign to collect and exfiltrate data, access credentials, and more is likely ongoing, on a global scale,” said Rob Joyce, the NSA's director of cybersecurity. 

At the time of writing, neither Microsoft nor the Russian embassy in London had replied to requests for comment. Fancy Bear used a technique known as "password spraying," in which computers attempt as many login attempts as feasible on a particular system as possible. The devices' traffic is routed through virtual private networks or the Tor network, both conceal a system's actual IP address by routing it through a variety of servers. 

According to the US report, they did it by utilizing Kubernetes, an open-source platform built by Silicon Valley tech giant Google for managing computer processes. Users of Microsoft 365 and other targeted cloud products should utilize multi-factor authentication, which requires a one-time code in addition to the login and password to get access to an account. It also suggests that if a user makes many unsuccessful tries to log into an account, the user should be locked out or put on a waiting list before trying again. 

The allegations follow President Biden's meeting with Russian President Vladimir Putin, during which the US leader urged his Russian counterpart to assist America in stopping the flow of destructive cyberattacks plaguing organizations throughout the world. 

In recent months, ransomware attacks on gas company Colonial Pipeline and meat supplier JBS, as well as thefts of US federal agency emails via a breach of IT supplier SolarWinds, have prompted concern. 

The current attacks look to be one of Fancy Bear's "classic military intel mission that is their major emphasis," according to John Hultquist, vice president of intelligence analysis at cybersecurity firm FireEye. 

Hultquist added that their bread and butter is good old-fashioned spy vs. spy activity that has been carried over into the cyber arena. He expressed concern that the organization may target the next Olympic Games in Japan, citing Russia's prior involvement in assaults on the 2018 Winter Olympics in South Korea.

FBI Alerts: BEC Scammers are Posing as Construction Companies

 

The FBI has issued a warning to private sector enterprises about scammers masquerading construction companies in business email compromise (BEC) cyberattacks targeting firms in a variety of critical infrastructure sectors across the United States. 

BEC scammers utilize a variety of techniques (such as social engineering and phishing) to hijack or spoof business email accounts in order to redirect pending or future payments to bank accounts under their control. 

The alert was delivered to enterprises today via a TLP:GREEN Private Industry Notification (PIN) to assist cybersecurity professionals in defending against these ongoing threats. 

The instances are part of a BEC campaign that began in March 2021 and has already resulted in monetary losses ranging from hundreds of thousands of dollars to millions of dollars. 

The scammers use data collected from web services about the construction companies they spoof and the customers they're targeting to successfully carry out these BEC attacks. Local and state government budget data portals, as well as subscription-based construction sector data aggregators, are used to gather valuable data (e.g., contact information, bid data, and project prices). 

The attackers can modify emails to undermine the victim's business relationship with the construction contractors using the information they've gathered. The scammers send emails urging the victims to update their direct deposit account and automated clearing house (ACH) information to make the emails more convincing. The new account information leads to bank accounts controlled by criminals. 

To make sure the victims won’t be able to tell that the messages are fraudulent, they are sent using names that impersonate the contractors' actual sites and real corporate logos and visuals. 

Around $2 billion lost in 2020 BEC scams:

Between November 2018 and September 2020, the FBI warned of a new wave of BEC attacks increasingly targeting US state, local, tribal, and territorial (SLTT) government bodies, with losses ranging from $10,000 to $4 million. 

Microsoft discovered a large-scale BEC operation targeting over 120 companies last month that used typo-squatted domains registered just days before the attacks began. 

The FBI stated, "The FBI's Internet Crime Complaint Center (IC3) notes BEC is an increasing and constantly evolving threat as criminal actors become more sophisticated and adapt to current events. There was a 5 percent increase in adjusted losses from 2019 to 2020, with over $1.7 billion adjusted losses reported to IC3 in 2019 and over $1.8 billion adjusted losses reported in 2020." 

The FBI also warned last year that BEC scammers were using email auto-forwarding and cloud email platforms like Microsoft Office 365 and Google G Suite in their attacks.  

International Sting Operation Cracks Down Encryption Criminal Groups

In an international sting operation targeting drug suppliers led to an arrest of a man. The suspect's face was blurred by the Australian Federal Police on privacy matters. The criminals while dealing with drug smuggling and money laundering, texted with each other, they were pretty confident that they'd not get caught because of a special encrypted platform the criminals were using for communication. However, the was only one issue with the group, that all these texts, which were in millions, were being tapped by the FBI. 

As a matter of fact, the FBI had sent these Anom devices to the black market. Operation Trojan Shield has these details and allegations revolving around it. It is an international operation led by the FBI which has resulted in more than 800 arrests. NPR says "the document includes transcripts of smugglers' conversations in which they name their prices and handling fees and describe their methods. Many of them also sent snapshots to each other, showing packages of cocaine and other drugs. They discussed strategies, from adding drugs to diplomatic pouches to filling pineapples and tuna cans with cocaine." 

Law enforcement agencies captured around 8 tonnes of cocaine, around 22 tonnes of cannabis, and several other drugs (in tonnes). Besides this, authorities have seized "55 luxury vehicles and over $48 million in various worldwide currencies and cryptocurrencies," says Interpol, a European law enforcement agency. As per the FBI, the agencies worked together to provide these criminal organization that operates all over the world more than 12,000 devices. Europol says it has been one of the largest and sophisticated crackdown operations on encryption criminal activities to date. Using Anom, FBI, and Europol around 300 Transnational Criminal Organizations (TCO). 

These include Italian organized crime group Outlaw Motorcycle gangs and other narcotics source (international), distribution systems, and transportation. "Law enforcement agencies were in a unique position to help the new Anom device find its market. In recent years, they've taken down three similar networks — Phantom Secure, EncroChat and, earlier this year, Sky Global — boosting criminals' demand for a new alternative," said NPR.

Operation Trojan Shield a Success: The FBI and Australian Officials

 

More than 800 suspects, 8 tonnes of cocaine as well as more than $48 million have been captured in a large worldwide sting operation involving sixteen countries, including the US, officials revealed on Tuesday 8th of July.

According to Europol, the European Union law enforcement agency, the FBI, and Australian law enforcement have established and operated an encoded device company, named ANOM, which was then utilized to obtain access to organized criminal networks in over 100 nations. 

The ANOM APP allows police officers to track the drug smuggling, money laundering, and even assassination plans, which had been discreetly circulated among the offenders. 

Drug gangs and those linked to the mafia were their targets. The operation, which took place in even more than a dozen nations, comprised drugs, firearms, luxury automobiles, and cash of the offenders. 

“Operation Trojan Shield is a shining example of what can be accomplished when law enforcement partners from around the world work together and develop state of the art investigative tools to detect, disrupt and dismantle transnational criminal organizations,” said Calvin Shivers, the assistant director of the FBI’s Criminal Investigative Division in a press conference in The Hague, Netherlands. 

Whereas Australian Prime Minister Scott Morrison said the operation had "struck a heavy blow against organized crime" around the world. 

Initially, the FBI started using a network of protected devices named ANOM and disseminated devices that over the criminal world using the chat app. The operation came about when the law enforcement agencies took over two other encrypted websites leaving criminal gangs on the market for new protected phones. 

Initially, the gadgets were utilized by claimed senior criminals, which provided the platform with confidence to other offenders. 

Van der Berg added that the users of the network had talked in 45 languages about drug trafficking, arms and explosives, armed robbery, contract assassinations, and more. 

Australian fugitive and suspected drug trafficker Hakan Ayik was vital to the sting because, after being provided a cell phone by undercover detectives, the App was relentlessly recommended to criminal friends, authorities said. 

Officials added that the operation was able to eliminate over 100 threats to lives, other than the drug, weapons, and money arrests and seizures. Access to their networks also permitted law enforcement agencies to see images of hundreds of tonnes of cocaine camouflaged in fruit and canned goods. Authorities have indicated that they have triggered these large arrests because illicit companies have gained critical strength. 

Australian Prime Minister Scott Morrison said in a press conference Tuesday that the operation "struck a heavy blow against organized crime — not just in this country, but one that will echo around organized crime around the world."

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to avoid US Treasury Department restrictions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as the Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. They eventually organized a group dedicated to disseminating the Dridex banking virus and downloader via phishing emails. 

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 nations. Following that, the software was utilized as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev were indicted by a US grand jury in December 2019 for allegedly running Evil Corp. 

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department claimed at the time, after assisting with money laundering and the GameOver/Zeus botnet and malware operation. It said Yukabets had been working for Russia's Federal Security Service, or FSB, since at least 2017, and that it had previously sanctioned the FSB for assaults against US targets. It also announced a $5 million reward for information leading to his apprehension. 

The Babuk gang said that they would stop using ransomware encryption and instead focus on data theft and extortion after breaching the Metropolitan Police Department in Washington, DC, and taking unencrypted data. The Babuk data leak site had a graphic makeover at the end of May, and the ransomware gang rebranded as 'payload bin.' 

On Thursday, BleepingComputer discovered PayloadBIN, a new ransomware strain linked to the rebranding of Babuk Locker. When the ransomware is installed, the ransomware will append the . PAYLOADBIN extension to encrypted files. The ransom message is also known as 'PAYLOADBIN-README.txt,' and it claims that the victim's "networks are LOCKED with PAYLOADBIN ransomware." 

BleepingComputer suspected Babuk of lying about their plans to move away from ransomware and relaunched under a new name after discovering the sample. After examining the new ransomware, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebranding of Evil Corp's prior ransomware operations.

DeFi100, a Crypto Project, Allegedly Scammed Investors of $32 Million

 

According to reports and tweets, DeFi100, a cryptocurrency project, allegedly defrauded investors out of $32 million (roughly Rs. 233 crores). The project has now released a denial of the allegations, but some skepticism appears to still exist. After a very distasteful message appeared on their website on Sunday, rumors of people behind the project fleeing with the money began to circulate. The message on the DeFi100 website read, "We scammed you guys, and you can't do **** about it." DeFi100 has since clarified that their website has been hacked and that the hackers had placed the post, which has since been removed.

“DeFi100 coin exit scams, and runs away with $32 million, and leaves a message for all of us. Feels like the summer of 2017,” tweeted Cryptokanoon, co-founder Kashif Raza. 

DeFi100 is a cryptocurrency similar to Bitcoin, Dogecoin, and Ethereum, among others. It is, however, much less well-known than the other well-known digital assets. The website was still down at the time of publishing. “Oops, looks like the page is lost. This is not a fault, just an accident that was not intentional,” is what it says now. 

On Sunday, the crypto project announced on its official Twitter account that it had not exited as previously thought. “Firstly, total supply of D100 at present is less than 4 million tokens. At the beginning of the project, total supply was 2.5 million tokens. Secondly, D100 was never a yield farming protocol, which was holding investors funds with TVL over 32 million,” it said in a tweet. 

“Thirdly, total tokens sold during IDO were 750,000 at $0.80 per token. These facts are available in public for checking their authenticity. The rumours of stealing $32 million are absolutely false and baseless," it added in the subsequent tweet. "We reiterate it again that we have not made any exit." 

Although the DeFi100 founders have stated that they did not defraud the investors, nothing can be said before the website is up and running again. The value of D100, DeFi100's native token, has dropped 25% in the last 24 hours to $0.08, according to a Coindesk article (roughly Rs. 6). 

The reports of DeFi100 developers defrauding their investors came just days after the FBI, the US's main law enforcement agency, announced that it had received a record 1 million complaints related to online scams and investment frauds in the previous 14 months.

FBI Analyst Charged for Stealing National Security Documents

 

An FBI employee with a top-secret security clearance has been indicted on charges that she illegally stored several national security documents and other national security information at home over more than a decade, the Justice Department stated on Friday. 

Kendra Kingsbury, a 48-year-old from Dodge City, Kansas, is accused of taking a range of materials between 2004 and 2017, many of which were marked secret because they discussed intelligence sources and methods containing information about operatives such as a suspected associate of Osama bin Laden. The files were from 2005 and 2006, when bin Laden, who engineered the Sept. 11 terrorist attacks, was alive and on the run from U.S. forces. 

The grand jury indictment, filed in the Western District of Missouri, alleges that Kingsbury illegally removed documents she was granted access to at work and stored them at home. She is charged with two counts of gathering, transmitting, or losing defense information, a felony that carries a maximum sentence of 10 years.

“The documents include information about al-Qaeda members on the African continent, including a suspected associate of Usama bin Laden,” the indictment reads. In addition, there are documents regarding the activities of emerging terrorists and their efforts to establish themselves in support of al-Qaeda in Africa,” the indictment reads. 

Though Kingsbury held a top-secret security clearance and was assigned to squads covering a range of crimes and threats, she did not have a “need to know” the information in most of the documents, prosecutors say. However, the indictment does not provide a reason for why Kingsbury mishandled the documents, nor does it accuse her of having transmitted the information to anyone else. The Justice Department declined to elaborate beyond the indictment on Friday.

“As an intelligence analyst for the FBI, the defendant was entrusted with access to sensitive government materials. Insider threats are a significant danger to our national security, and we will continue to work relentlessly to identify, pursue and prosecute individuals who pose such a threat,” John Demers, assistant attorney general for the Justice Department’s National Security Division, said in a statement.

In 2018, the FBI collaborated with the Office of the Director of National Intelligence to set up an updated framework meant to guide the U.S. government’s National Insider Threat Task Force (NITTF). Last month the NITTF issued an advisory on protecting against insider threats to critical infrastructure entities, including those with work touching on the U.S. electric grid, telecommunications networks, and hospitals.

Irish Health System and 16 U.S. Health and Emergency Networks Hit by Conti Ransomware Gang

 

According to the Federal Bureau of Investigation, the same group of online extortionists responsible for last week's attack on the Irish health system has also targeted at least 16 medical and first-responder networks in the United States in the past year. The FBI said cybercriminals using the malicious software called 'Conti' have attacked law enforcement, emergency medical services, dispatch centers, and municipalities, according to a warning issued by the American Hospital Association on Thursday. 

In May of 2020, the Conti ransomware appeared on the threat landscape. It has some links to other ransomware families. Conti has evolved quickly since its discovery, and it's known for how quickly it encrypts and deploys around a target system. Conti is a “double extortion” ransomware that steals and attempts to reveal data in addition to encrypting it. 

The FBI didn't specify who was targeted in these hacks or whether ransoms were paid, only that these networks "are among more than 400 organizations worldwide victimized by Conti, with over 290 of them based in the United States." The new ransom demands have been as high as $25 million, according to the study. 

On Thursday, Ireland said experts were looking into a decryption tool that had been posted online, which could help activate IT systems that had been crippled by a major ransomware attack on the country's healthcare provider. The government stated that it had not paid any ransom and would not pay any in return for the alleged key. It didn't respond to claims that the gang had threatened to release reams of patient information next week. 

This ransomware attack has prevented access to patient information, forced medical facilities to cancel appointments, and disrupted Covid-19 testing around the country for the past week. Ossian Smyth, Ireland's e-government minister, has described it as "perhaps the most serious cyber crime assault on the Irish state." 

The hackers who took down Ireland's healthcare system are said to be members of "Wizard Spider," a sophisticated cybercrime group based in Russia that has become more involved in the past year. The group has threatened to release medical records unless Ireland pays a $20 million fine.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash

 

According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian organization is planning to defraud users of digital networks such as Uber, Lyft, and DoorDash, among others. According to authorities, this group may have used fake IDs to build driver or delivery accounts on these sites in order to sell them to people who were not qualified for the companies' policies. 

This scam may have also included the use of GPS counterfeiting technologies to trick drivers into taking longer trips and earning more money. Furthermore, the Department of Justice (DOJ) states that this organization would have begun operations in 2019 and would have expanded its operations after the pandemic paralyzed many restaurants and supermarkets. 

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The party leased driver accounts on a weekly basis, according to court records. A ride-hailing service driver account costs between $250 and $300 per week, while a food delivery web account costs $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during their investigation. 

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian people so far, as well as revealing that six members of the fraudulent party are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

US and Australia Warn of Rise in Avaddon Ransomware Attacks

 

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

Avaddon threat actors threaten victims with denial-of-service (DDoS) attacks in order to persuade them to pay ransoms, according to the ACSC (in addition to leaking stolen data and encrypting their system). However, no evidence of DDoS attacks has been discovered as a result of the Avaddon ransomware attacks, according to the FBI. 

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

When ransomware groups started using DDoS attacks against their victims as an additional leverage point, BleepingComputer first posted on this new trend in October 2020. SunCrypt and RagnarLocker were the two ransomware operations that used this new strategy at the time. 

The first Avaddon ransomware samples were discovered in February 2019, and the ransomware started hiring affiliates in June 2020 after launching a massive spam campaign that targeted users all over the world. Affiliates of the Avaddon RaaS operation are required to obey a set of guidelines, one of which is that no targets from the Commonwealth of Independent States be pursued (CIS). 

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators receiving the remaining 35 percent. Avaddon ransomware’s affiliates have also been known to steal data from their victims' networks before encrypting systems in order to double-extortion. 

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Microsoft Detected a BEC Campaign Targeted at More than 120 Organizations

 

Microsoft discovered a large-scale business email compromise (BEC) program that attacked over 120 organizations and used typo-squatted domains that were registered only days before the attacks began. Cybercriminals continue to harass companies in order to deceive recipients into accepting fees, exchanging money, or, in this case, buying gift cards. This kind of email attack is known as business email compromise (BEC), which is a dangerous type of phishing aimed at gaining access to sensitive business data or extorting money via email-based fraud.

In this operation, Microsoft discovered that attackers used typo-squatted domains to make emails appear to come from legitimate senders in the consumer products, process manufacturing, and agriculture, real estate, distinct manufacturing, and professional services industries. 

BEC emails are purposefully crafted to look like regular emails as if they were sent from someone the intended client already knows, but these campaigns are much more complicated than they seem. They necessitate planning, staging, and behind-the-scenes activities. 

"We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began," the Microsoft 365 Defender Threat Intelligence Team said. 

Despite the scammers' best efforts, Microsoft found that "the registered domains did not always comply with the company being impersonated in the email." The attackers' surveillance capabilities are evident when they called the targeted workers by their first names, despite their methodology being faulty at times.  

To give authenticity to the phishing emails, scammers used common phishing tactics including bogus responses (improved by also spoofing In-Reply-To and References headers), according to Microsoft.

 
"Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user," Microsoft added. "This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email." 

Though the tactics used by these BEC scammers seem crude, and their phishing messages seem to be clearly malicious, BEC attacks have resulted in record-breaking financial losses per year since 2018. The FBI formed a Recovery Asset Team in 2018 intending to retrieve money that can still be traced and freezing accounts used by fraudsters for illegal BEC transactions.

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated.