Search This Blog

Showing posts with label FBI. Show all posts

1,500 Businesses Globally were Affected by Kaseya Cyberattack

 

Kaseya, a Miami-based software provider to over 40,000 businesses, reported on July 2 that it was looking into a possible hack. The IT solutions provider for managed service providers (MSPs) and enterprise clients revealed a day later that it had been targeted by a "sophisticated cyberattack." According to CEO Fred Voccola, the ransomware attack has hit between 800 and 1,500 organizations throughout the world. In an interview with Reuters, he said it was impossible to determine the exact impact of the hack because the firms affected were Kaseya's clients. 

REvil, a hacking organization linked to Russia, published a blog on the dark web on Sunday claiming its involvement in the attack. REvil sought $70 million for the data to be restored. REvil has become one of the most well-known ransomware creators in the world. In the last month, it demanded an $11 million payment from the U.S. subsidiary of the world's largest meatpacking company, a $5 million payment from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, if not hundreds, of companies that use IT management software from Kaseya VSA. 

Kaseya is a company that provides its comprehensive integrated IT management platform to other businesses. It also provides organizations with tools such as VSA (Virtual System/Server Administrator) and other remote monitoring and management solutions for network endpoints. Kaseya also offers compliance systems, service desks, and a platform for service automation. 

According to the FBI, a vulnerability in Kaseya VSA software was used against many MSPs and their clients in the recent supply-chain ransomware campaign. VSA allows a company to control servers and other hardware, as well as software and services, from a remote location. Large enterprises and service providers who manage system administration for companies without their own IT staff utilize the software. 

According to Kevin Beaumont, a security specialist, the REvil ransomware was distributed through an apparent automatic bogus software update in the product. Because the malware had administrator access down to client systems, the MSPs who were attacked were able to infect the systems of their clients.

The attacker quickly disabled administrator access to VSA, according to Beaumont, and then inserted a task called "Kaseya VSA Agent Hot-fix." This phoney update was then pushed out to the entire estate, including MSP client systems. The management agent update was actually REvil ransomware, and non-Kaseya customers were still encrypted. The ransomware allowed hackers to disable antivirus software and run a phoney Windows Defender app, after which the computer's files were encrypted and couldn't be viewed without a key.

NSA and FBI Blame Russia for Massive ‘Brute Force’ Attacks on Microsoft 365

 

American intelligence and law enforcement agencies have accused a Kremlin-backed hacking group for a two-year campaign to breach into Microsoft Office 365 accounts. 

In a joint report with British intelligence, the NSA, FBI, and DHS blamed Fancy Bear for the broad "brute force" attacks. Fancy Bear is most known for hacking the Democratic National Committee in the run-up to the 2016 Presidential Elections. 

Fancy Bear, according to the agencies, was actually the 85th Main Special Service Center (GTsSS), a group within the Russian General Staff Main Intelligence Directorate (GRU), and that it had been carrying out its brute force attacks on a variety of sectors, which include government and military departments, defense contractors, political parties, energy companies, and media outlets. The majority of the targets were based in the United States and Europe. 

The joint statement stated, “These efforts are almost certainly still ongoing. This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.” 

“This lengthy brute force campaign to collect and exfiltrate data, access credentials, and more is likely ongoing, on a global scale,” said Rob Joyce, the NSA's director of cybersecurity. 

At the time of writing, neither Microsoft nor the Russian embassy in London had replied to requests for comment. Fancy Bear used a technique known as "password spraying," in which computers attempt as many login attempts as feasible on a particular system as possible. The devices' traffic is routed through virtual private networks or the Tor network, both conceal a system's actual IP address by routing it through a variety of servers. 

According to the US report, they did it by utilizing Kubernetes, an open-source platform built by Silicon Valley tech giant Google for managing computer processes. Users of Microsoft 365 and other targeted cloud products should utilize multi-factor authentication, which requires a one-time code in addition to the login and password to get access to an account. It also suggests that if a user makes many unsuccessful tries to log into an account, the user should be locked out or put on a waiting list before trying again. 

The allegations follow President Biden's meeting with Russian President Vladimir Putin, during which the US leader urged his Russian counterpart to assist America in stopping the flow of destructive cyberattacks plaguing organizations throughout the world. 

In recent months, ransomware attacks on gas company Colonial Pipeline and meat supplier JBS, as well as thefts of US federal agency emails via a breach of IT supplier SolarWinds, have prompted concern. 

The current attacks look to be one of Fancy Bear's "classic military intel mission that is their major emphasis," according to John Hultquist, vice president of intelligence analysis at cybersecurity firm FireEye. 

Hultquist added that their bread and butter is good old-fashioned spy vs. spy activity that has been carried over into the cyber arena. He expressed concern that the organization may target the next Olympic Games in Japan, citing Russia's prior involvement in assaults on the 2018 Winter Olympics in South Korea.

FBI Alerts: BEC Scammers are Posing as Construction Companies

 

The FBI has issued a warning to private sector enterprises about scammers masquerading construction companies in business email compromise (BEC) cyberattacks targeting firms in a variety of critical infrastructure sectors across the United States. 

BEC scammers utilize a variety of techniques (such as social engineering and phishing) to hijack or spoof business email accounts in order to redirect pending or future payments to bank accounts under their control. 

The alert was delivered to enterprises today via a TLP:GREEN Private Industry Notification (PIN) to assist cybersecurity professionals in defending against these ongoing threats. 

The instances are part of a BEC campaign that began in March 2021 and has already resulted in monetary losses ranging from hundreds of thousands of dollars to millions of dollars. 

The scammers use data collected from web services about the construction companies they spoof and the customers they're targeting to successfully carry out these BEC attacks. Local and state government budget data portals, as well as subscription-based construction sector data aggregators, are used to gather valuable data (e.g., contact information, bid data, and project prices). 

The attackers can modify emails to undermine the victim's business relationship with the construction contractors using the information they've gathered. The scammers send emails urging the victims to update their direct deposit account and automated clearing house (ACH) information to make the emails more convincing. The new account information leads to bank accounts controlled by criminals. 

To make sure the victims won’t be able to tell that the messages are fraudulent, they are sent using names that impersonate the contractors' actual sites and real corporate logos and visuals. 

Around $2 billion lost in 2020 BEC scams:

Between November 2018 and September 2020, the FBI warned of a new wave of BEC attacks increasingly targeting US state, local, tribal, and territorial (SLTT) government bodies, with losses ranging from $10,000 to $4 million. 

Microsoft discovered a large-scale BEC operation targeting over 120 companies last month that used typo-squatted domains registered just days before the attacks began. 

The FBI stated, "The FBI's Internet Crime Complaint Center (IC3) notes BEC is an increasing and constantly evolving threat as criminal actors become more sophisticated and adapt to current events. There was a 5 percent increase in adjusted losses from 2019 to 2020, with over $1.7 billion adjusted losses reported to IC3 in 2019 and over $1.8 billion adjusted losses reported in 2020." 

The FBI also warned last year that BEC scammers were using email auto-forwarding and cloud email platforms like Microsoft Office 365 and Google G Suite in their attacks.  

International Sting Operation Cracks Down Encryption Criminal Groups

In an international sting operation targeting drug suppliers led to an arrest of a man. The suspect's face was blurred by the Australian Federal Police on privacy matters. The criminals while dealing with drug smuggling and money laundering, texted with each other, they were pretty confident that they'd not get caught because of a special encrypted platform the criminals were using for communication. However, the was only one issue with the group, that all these texts, which were in millions, were being tapped by the FBI. 

As a matter of fact, the FBI had sent these Anom devices to the black market. Operation Trojan Shield has these details and allegations revolving around it. It is an international operation led by the FBI which has resulted in more than 800 arrests. NPR says "the document includes transcripts of smugglers' conversations in which they name their prices and handling fees and describe their methods. Many of them also sent snapshots to each other, showing packages of cocaine and other drugs. They discussed strategies, from adding drugs to diplomatic pouches to filling pineapples and tuna cans with cocaine." 

Law enforcement agencies captured around 8 tonnes of cocaine, around 22 tonnes of cannabis, and several other drugs (in tonnes). Besides this, authorities have seized "55 luxury vehicles and over $48 million in various worldwide currencies and cryptocurrencies," says Interpol, a European law enforcement agency. As per the FBI, the agencies worked together to provide these criminal organization that operates all over the world more than 12,000 devices. Europol says it has been one of the largest and sophisticated crackdown operations on encryption criminal activities to date. Using Anom, FBI, and Europol around 300 Transnational Criminal Organizations (TCO). 

These include Italian organized crime group Outlaw Motorcycle gangs and other narcotics source (international), distribution systems, and transportation. "Law enforcement agencies were in a unique position to help the new Anom device find its market. In recent years, they've taken down three similar networks — Phantom Secure, EncroChat and, earlier this year, Sky Global — boosting criminals' demand for a new alternative," said NPR.

Operation Trojan Shield a Success: The FBI and Australian Officials

 

More than 800 suspects, 8 tonnes of cocaine as well as more than $48 million have been captured in a large worldwide sting operation involving sixteen countries, including the US, officials revealed on Tuesday 8th of July.

According to Europol, the European Union law enforcement agency, the FBI, and Australian law enforcement have established and operated an encoded device company, named ANOM, which was then utilized to obtain access to organized criminal networks in over 100 nations. 

The ANOM APP allows police officers to track the drug smuggling, money laundering, and even assassination plans, which had been discreetly circulated among the offenders. 

Drug gangs and those linked to the mafia were their targets. The operation, which took place in even more than a dozen nations, comprised drugs, firearms, luxury automobiles, and cash of the offenders. 

“Operation Trojan Shield is a shining example of what can be accomplished when law enforcement partners from around the world work together and develop state of the art investigative tools to detect, disrupt and dismantle transnational criminal organizations,” said Calvin Shivers, the assistant director of the FBI’s Criminal Investigative Division in a press conference in The Hague, Netherlands. 

Whereas Australian Prime Minister Scott Morrison said the operation had "struck a heavy blow against organized crime" around the world. 

Initially, the FBI started using a network of protected devices named ANOM and disseminated devices that over the criminal world using the chat app. The operation came about when the law enforcement agencies took over two other encrypted websites leaving criminal gangs on the market for new protected phones. 

Initially, the gadgets were utilized by claimed senior criminals, which provided the platform with confidence to other offenders. 

Van der Berg added that the users of the network had talked in 45 languages about drug trafficking, arms and explosives, armed robbery, contract assassinations, and more. 

Australian fugitive and suspected drug trafficker Hakan Ayik was vital to the sting because, after being provided a cell phone by undercover detectives, the App was relentlessly recommended to criminal friends, authorities said. 

Officials added that the operation was able to eliminate over 100 threats to lives, other than the drug, weapons, and money arrests and seizures. Access to their networks also permitted law enforcement agencies to see images of hundreds of tonnes of cocaine camouflaged in fruit and canned goods. Authorities have indicated that they have triggered these large arrests because illicit companies have gained critical strength. 

Australian Prime Minister Scott Morrison said in a press conference Tuesday that the operation "struck a heavy blow against organized crime — not just in this country, but one that will echo around organized crime around the world."

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to avoid US Treasury Department restrictions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as the Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. They eventually organized a group dedicated to disseminating the Dridex banking virus and downloader via phishing emails. 

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 nations. Following that, the software was utilized as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev were indicted by a US grand jury in December 2019 for allegedly running Evil Corp. 

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department claimed at the time, after assisting with money laundering and the GameOver/Zeus botnet and malware operation. It said Yukabets had been working for Russia's Federal Security Service, or FSB, since at least 2017, and that it had previously sanctioned the FSB for assaults against US targets. It also announced a $5 million reward for information leading to his apprehension. 

The Babuk gang said that they would stop using ransomware encryption and instead focus on data theft and extortion after breaching the Metropolitan Police Department in Washington, DC, and taking unencrypted data. The Babuk data leak site had a graphic makeover at the end of May, and the ransomware gang rebranded as 'payload bin.' 

On Thursday, BleepingComputer discovered PayloadBIN, a new ransomware strain linked to the rebranding of Babuk Locker. When the ransomware is installed, the ransomware will append the . PAYLOADBIN extension to encrypted files. The ransom message is also known as 'PAYLOADBIN-README.txt,' and it claims that the victim's "networks are LOCKED with PAYLOADBIN ransomware." 

BleepingComputer suspected Babuk of lying about their plans to move away from ransomware and relaunched under a new name after discovering the sample. After examining the new ransomware, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebranding of Evil Corp's prior ransomware operations.

DeFi100, a Crypto Project, Allegedly Scammed Investors of $32 Million

 

According to reports and tweets, DeFi100, a cryptocurrency project, allegedly defrauded investors out of $32 million (roughly Rs. 233 crores). The project has now released a denial of the allegations, but some skepticism appears to still exist. After a very distasteful message appeared on their website on Sunday, rumors of people behind the project fleeing with the money began to circulate. The message on the DeFi100 website read, "We scammed you guys, and you can't do **** about it." DeFi100 has since clarified that their website has been hacked and that the hackers had placed the post, which has since been removed.

“DeFi100 coin exit scams, and runs away with $32 million, and leaves a message for all of us. Feels like the summer of 2017,” tweeted Cryptokanoon, co-founder Kashif Raza. 

DeFi100 is a cryptocurrency similar to Bitcoin, Dogecoin, and Ethereum, among others. It is, however, much less well-known than the other well-known digital assets. The website was still down at the time of publishing. “Oops, looks like the page is lost. This is not a fault, just an accident that was not intentional,” is what it says now. 

On Sunday, the crypto project announced on its official Twitter account that it had not exited as previously thought. “Firstly, total supply of D100 at present is less than 4 million tokens. At the beginning of the project, total supply was 2.5 million tokens. Secondly, D100 was never a yield farming protocol, which was holding investors funds with TVL over 32 million,” it said in a tweet. 

“Thirdly, total tokens sold during IDO were 750,000 at $0.80 per token. These facts are available in public for checking their authenticity. The rumours of stealing $32 million are absolutely false and baseless," it added in the subsequent tweet. "We reiterate it again that we have not made any exit." 

Although the DeFi100 founders have stated that they did not defraud the investors, nothing can be said before the website is up and running again. The value of D100, DeFi100's native token, has dropped 25% in the last 24 hours to $0.08, according to a Coindesk article (roughly Rs. 6). 

The reports of DeFi100 developers defrauding their investors came just days after the FBI, the US's main law enforcement agency, announced that it had received a record 1 million complaints related to online scams and investment frauds in the previous 14 months.

FBI Analyst Charged for Stealing National Security Documents

 

An FBI employee with a top-secret security clearance has been indicted on charges that she illegally stored several national security documents and other national security information at home over more than a decade, the Justice Department stated on Friday. 

Kendra Kingsbury, a 48-year-old from Dodge City, Kansas, is accused of taking a range of materials between 2004 and 2017, many of which were marked secret because they discussed intelligence sources and methods containing information about operatives such as a suspected associate of Osama bin Laden. The files were from 2005 and 2006, when bin Laden, who engineered the Sept. 11 terrorist attacks, was alive and on the run from U.S. forces. 

The grand jury indictment, filed in the Western District of Missouri, alleges that Kingsbury illegally removed documents she was granted access to at work and stored them at home. She is charged with two counts of gathering, transmitting, or losing defense information, a felony that carries a maximum sentence of 10 years.

“The documents include information about al-Qaeda members on the African continent, including a suspected associate of Usama bin Laden,” the indictment reads. In addition, there are documents regarding the activities of emerging terrorists and their efforts to establish themselves in support of al-Qaeda in Africa,” the indictment reads. 

Though Kingsbury held a top-secret security clearance and was assigned to squads covering a range of crimes and threats, she did not have a “need to know” the information in most of the documents, prosecutors say. However, the indictment does not provide a reason for why Kingsbury mishandled the documents, nor does it accuse her of having transmitted the information to anyone else. The Justice Department declined to elaborate beyond the indictment on Friday.

“As an intelligence analyst for the FBI, the defendant was entrusted with access to sensitive government materials. Insider threats are a significant danger to our national security, and we will continue to work relentlessly to identify, pursue and prosecute individuals who pose such a threat,” John Demers, assistant attorney general for the Justice Department’s National Security Division, said in a statement.

In 2018, the FBI collaborated with the Office of the Director of National Intelligence to set up an updated framework meant to guide the U.S. government’s National Insider Threat Task Force (NITTF). Last month the NITTF issued an advisory on protecting against insider threats to critical infrastructure entities, including those with work touching on the U.S. electric grid, telecommunications networks, and hospitals.

Irish Health System and 16 U.S. Health and Emergency Networks Hit by Conti Ransomware Gang

 

According to the Federal Bureau of Investigation, the same group of online extortionists responsible for last week's attack on the Irish health system has also targeted at least 16 medical and first-responder networks in the United States in the past year. The FBI said cybercriminals using the malicious software called 'Conti' have attacked law enforcement, emergency medical services, dispatch centers, and municipalities, according to a warning issued by the American Hospital Association on Thursday. 

In May of 2020, the Conti ransomware appeared on the threat landscape. It has some links to other ransomware families. Conti has evolved quickly since its discovery, and it's known for how quickly it encrypts and deploys around a target system. Conti is a “double extortion” ransomware that steals and attempts to reveal data in addition to encrypting it. 

The FBI didn't specify who was targeted in these hacks or whether ransoms were paid, only that these networks "are among more than 400 organizations worldwide victimized by Conti, with over 290 of them based in the United States." The new ransom demands have been as high as $25 million, according to the study. 

On Thursday, Ireland said experts were looking into a decryption tool that had been posted online, which could help activate IT systems that had been crippled by a major ransomware attack on the country's healthcare provider. The government stated that it had not paid any ransom and would not pay any in return for the alleged key. It didn't respond to claims that the gang had threatened to release reams of patient information next week. 

This ransomware attack has prevented access to patient information, forced medical facilities to cancel appointments, and disrupted Covid-19 testing around the country for the past week. Ossian Smyth, Ireland's e-government minister, has described it as "perhaps the most serious cyber crime assault on the Irish state." 

The hackers who took down Ireland's healthcare system are said to be members of "Wizard Spider," a sophisticated cybercrime group based in Russia that has become more involved in the past year. The group has threatened to release medical records unless Ireland pays a $20 million fine.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash

 

According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian organization is planning to defraud users of digital networks such as Uber, Lyft, and DoorDash, among others. According to authorities, this group may have used fake IDs to build driver or delivery accounts on these sites in order to sell them to people who were not qualified for the companies' policies. 

This scam may have also included the use of GPS counterfeiting technologies to trick drivers into taking longer trips and earning more money. Furthermore, the Department of Justice (DOJ) states that this organization would have begun operations in 2019 and would have expanded its operations after the pandemic paralyzed many restaurants and supermarkets. 

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The party leased driver accounts on a weekly basis, according to court records. A ride-hailing service driver account costs between $250 and $300 per week, while a food delivery web account costs $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during their investigation. 

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian people so far, as well as revealing that six members of the fraudulent party are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

US and Australia Warn of Rise in Avaddon Ransomware Attacks

 

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

Avaddon threat actors threaten victims with denial-of-service (DDoS) attacks in order to persuade them to pay ransoms, according to the ACSC (in addition to leaking stolen data and encrypting their system). However, no evidence of DDoS attacks has been discovered as a result of the Avaddon ransomware attacks, according to the FBI. 

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

When ransomware groups started using DDoS attacks against their victims as an additional leverage point, BleepingComputer first posted on this new trend in October 2020. SunCrypt and RagnarLocker were the two ransomware operations that used this new strategy at the time. 

The first Avaddon ransomware samples were discovered in February 2019, and the ransomware started hiring affiliates in June 2020 after launching a massive spam campaign that targeted users all over the world. Affiliates of the Avaddon RaaS operation are required to obey a set of guidelines, one of which is that no targets from the Commonwealth of Independent States be pursued (CIS). 

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators receiving the remaining 35 percent. Avaddon ransomware’s affiliates have also been known to steal data from their victims' networks before encrypting systems in order to double-extortion. 

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Microsoft Detected a BEC Campaign Targeted at More than 120 Organizations

 

Microsoft discovered a large-scale business email compromise (BEC) program that attacked over 120 organizations and used typo-squatted domains that were registered only days before the attacks began. Cybercriminals continue to harass companies in order to deceive recipients into accepting fees, exchanging money, or, in this case, buying gift cards. This kind of email attack is known as business email compromise (BEC), which is a dangerous type of phishing aimed at gaining access to sensitive business data or extorting money via email-based fraud.

In this operation, Microsoft discovered that attackers used typo-squatted domains to make emails appear to come from legitimate senders in the consumer products, process manufacturing, and agriculture, real estate, distinct manufacturing, and professional services industries. 

BEC emails are purposefully crafted to look like regular emails as if they were sent from someone the intended client already knows, but these campaigns are much more complicated than they seem. They necessitate planning, staging, and behind-the-scenes activities. 

"We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began," the Microsoft 365 Defender Threat Intelligence Team said. 

Despite the scammers' best efforts, Microsoft found that "the registered domains did not always comply with the company being impersonated in the email." The attackers' surveillance capabilities are evident when they called the targeted workers by their first names, despite their methodology being faulty at times.  

To give authenticity to the phishing emails, scammers used common phishing tactics including bogus responses (improved by also spoofing In-Reply-To and References headers), according to Microsoft.

 
"Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user," Microsoft added. "This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email." 

Though the tactics used by these BEC scammers seem crude, and their phishing messages seem to be clearly malicious, BEC attacks have resulted in record-breaking financial losses per year since 2018. The FBI formed a Recovery Asset Team in 2018 intending to retrieve money that can still be traced and freezing accounts used by fraudsters for illegal BEC transactions.

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

FBI Warns of PYSA Ransomware Attacks on Educational Institutions

 

The Federal Bureau of Investigation (FBI) has issued a warning notifying of an increase in PYSA ransomware attacks targeting educational institutions. While singling out educational institutions, the FBI notes the PYSA ransomware surge is also targeting government bodies, private firms, and the healthcare department in the US and the UK.

PYSA, also known as Mespinoza was first discovered in October 2019. It has the capability of exfiltrating and encrypting files and data, with the threat actors specifically targeting higher education, K-12 schools, and seminars. 

The advisory issued by the FBI stated: “These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments. The cyber actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, database, virtual machines, backups, and applications inaccessible to users.”

The attackers often use phishing and Remote Desktop Control (RDP) attacks for initial access to targeted networks and then use tools such as PowerShell Empire, Mimikatz, and Koadic to gain further access. They also gather and exfiltrate sensitive files from the victims’ networks, including personally identifiable information (PII), payroll tax information, and other types of data that could be used to force the victims to pay a ransom under the threat of leaking the stolen info.

The FBI researchers have also discovered Advanced Port Scanner and Advanced IP Scanner used by the attackers to conduct network reconnaissance. These are open-source tools that allow users to identify open network computers and discover the versions of programs on those ports. From there, threat actors are deploying various open-source tools for lateral movement. 

“Educational institutions are big targets for hackers as thousands of people’s sensitive information is potentially involved, and the substantial shift towards e-learning has made them even more appealing to hackers and ransomware. These attacks on schools can bring education to a halt while potentially exposing every student and teacher’s personal data within the organization. Parents are also targeted and may be coerced into paying ransom for personal information or school assignments if information falls into bad actors’ hands,” James Carder, CSO at LogRhythm stated.

US Agencies Publish Advisory on North Korean Cryptocurrency Malware, AppleJeus

 

The Federal Bureau of Investigation (FBI) jointly with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, released an advisory on North Korea's cyber-threat to cryptocurrency and on suggestions for mitigating. 

Operated with the US government allies, FBI, CISA and the Treasury assess that, Lazarus Group –advanced persistent threat (APT) actors assisted by these agencies in North Korea is targeting the consumers and firms through the dissemination of cryptocurrency trading apps, including crypto-currency exchange and financial service providers, that have been updated to cover. 

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” said CISA Acting Executive Assistant Director of Cybersecurity Matt Hartman. “The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

In the last year alone, these cyber actors attacked organizations for cryptocurrency theft, in more than 30 nations. These actors would undoubtedly see amended cryptocurrency trade applications as a way of bypassing North Korea's foreign sanctions—applications that allow them to gain access to cryptocurrency exchanges and loot cryptocurrency cash from victims' accounts. 

The US government refers to the North Korean Government's malicious cyber activity as HIDDEN COBRA. Malware and indicators of compromise (IOCs) have been identified by the United States Government to facilitate North Korean cryptocurrency robbery, which is called "AppleJeus" by the Cyber Security community. 

Although the malware was first found in 2018, North Korea has used several versions of AppleJeus. In the first place, HIDDEN COBRA actors used websites that seemed to host genuine cryptocurrency trading platforms, but these actors seem to be using other infection feature vectors, such as phishing, social networking, and social engineering, to get users to download the malware and to infect victims with AppleJeus. They are also using other infection vectors. Active AppleJeus Malware agencies in several areas, including energy, finances, government, industry, technology, and telecommunications, were targeted by HIDDEN COBRA actors. 

Ever since it was discovered, several variants of AppleJeus were found in the wild. Most of them are supplied as relatively simple applications from attacker-controlled websites that resemble legitimate cryptocurrency exchange sites and firms. 

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report. 

If consumers perceive that they have been affected by AppleJeus, the findings suggest victims creating new keys or transferring funds from corrupted crypto wallets, expelling hosts, running anti-malware tests on tainted devices, and notifying the FBI, CISA, or treasury.

FBI Warns About Using TeamViewer and Windows 7

 

The FBI issued this week a Private Industry Notification (PIN) caution to warn organizations about the dangers of utilizing obsolete Windows 7 systems, poor account passwords, and desktop sharing software TeamViewer. The alert comes after the recent assaults on the Oldsmar water treatment plant's network where assailants attempted to raise levels of sodium hydroxide, by a factor of more than 100. The investigation into the occurrence uncovered that operators at the plant were utilizing obsolete Windows 7 systems and poor account passwords, and the desktop sharing software TeamViewer which was utilized by the assailants to penetrate the network of the plant. 

“The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview,” reported Reuters. 

The FBI alert doesn't explicitly advise associations to uninstall TeamViewer or some other sort of desktop sharing software but cautions that TeamViewer and other similar software can be abused if assailants gain access to employee account credentials or if remote access accounts, (for example, those utilized for Windows RDP access) are secured with frail passwords. 

Moreover, the FBI alert likewise cautions about the continued use of Windows 7, an operating system that has reached end-of-life a year ago, on January 14, 2020, an issue the FBI cautioned US organizations about a year ago. This part of the warning was incorporated in light of the fact that the Oldsmar water treatment plant was all the while utilizing Windows 7 systems on its network, as indicated by a report from the Massachusetts government. 

While there is no proof to suggest that the attackers abused Windows 7-explicit bugs, the FBI says that continuing to utilize the old operating system is risky as the OS is unsupported and doesn't get security updates, which presently leaves numerous systems exposed to assaults via newly discovered vulnerabilities. While the FBI cautions against the utilization of Windows 7 for valid reasons, numerous organizations and US federal and state agencies might not be able to do anything about it, barring a serious financial investment into modernizing IT foundation from upper management, something that is not expected at any point soon in many locations.

Operation LadyBird: International Law Enforcement Agencies Crackdown Emotet

 

European and US law agencies earlier this week directed a brilliant crackdown on Emotet. Emotet is a botnet of corrupted computers, which has attacked millions of victims to date. The international police operation "LadyBird" consisted of a team of officials from nine governments. The Dutch police, however, was more resolute and used its cyber agencies to get access to the Emotet infrastructure. Next, it installed a software update on the servers which disrupted the communication between botnet and hacked computers, putting a stop to its further spread.  

FBI can learn a thing or two from this operation, realizing that sometimes foreign allies can be a help too. Here, the Dutch police were a step ahead of the bureau in making an arrest and even using offensive cyber capabilities to get the mission done. The Bureau had first discovered Emotet in 2017, by that time, it had already dealt damage of $1.4 Million to North Carolina school computers. As per the Department of Homeland Security (DHS), it cost the agency around $1 Million to settle the dust after each Emotet incident happened, however, not clear how the agency calculated this data. 

An FBI agent, however, suggested the estimated total cost to be around hundreds of millions of dollars, that the U.S victims might have suffered from the digital cyberattack. But, American agents failed to reach Emotet's infrastructural roots on their own. A senior FBI cyber-official in a press conference said that this is why it becomes so important for law enforcement agencies to work together. Hinting to the Dutch crackdown on Emotet, the official said "working within the legal frameworks of each individual partner to make sure that we have the greatest impact that we can within the law."  As of now, it's not confirmed if the Emotet's criminal group will be back in the action again. 

Experts say that Botnet generally survives until its operatives are finally captured. Dutch news website Politie reports, "A computer infection with Emotet malware often comes about through a phishing attack by email. In doing so, the victim is tempted to click on a malicious link, for example in a PDF file, or to open a Word file containing macros. The cybercriminals behind Emotet used different types of 'bait' to trick unsuspecting users into opening malicious attachments. For example, last year they pretended that e-mail attachments contained information about COVID-19."

Joker's Stash, the Largest Carding Forum Shutting Down

 

Joker's Stash opened in 2014 and was perhaps the most well-known underground carding site which gave new stolen credit card data and a guarantee of card validity. The activity gas has undergone a decline since mid-2020. The normally active administrator, Joker's Stash, had several gaps in communication. Joker's Stash, announced on January 15, 2021, that it is expected to shut down in a month - the stipulated date being February 15, 2021. The news was announced by the site's administrator through messages posted on different underground cybercrime forums where the site normally publicized its services.

Threat intelligence firm Intel 471 posted a blog expressing that Joker's Stash's fall comes after an extremely tempestuous close to 2020, documenting the website's end. In October, the individual who purportedly runs the site declared that he had contracted COVID-19, going through seven days in the hospital. The condition has influenced the site's forums, inventory replenishments, and different tasks. Intel 471 likewise found that the customers of the site were complaining that the shop's payment card data quality was progressively poor. 

The FBI and Interpol held onto four domains operated by the marketplace. During that time, the site's administrators said the law enforcement crackdown left just restricted effect on the site, the domains were just utilized as proxies to reroute clients from landing pages to the genuine marketplace, and that authorities didn't hold onto any servers containing card or client information. Despite the fact that the seizure didn't have a lot of effects, it chiefly influenced the site's reputation and made clients feel that the once-untouchable Joker's Stash was presently an open book for law enforcement agencies. 

The Joker's Stash admin didn't give more insights about the choice to close down the site. They may have chosen to stop as opposed to being taken down by the law enforcement agencies. Nonetheless, that doesn't infer that the site's administrator is now immune to prosecution. Prior to its declaration of closing down, the Joker's Stash was viewed as perhaps the most profitable cybercrime operations today.

As indicated by Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, the shop is assessed to have made countless dollars in illicit profits, despite the fact that this cash also goes to the vendors themselves. Joker's Stash has been working since October 7, 2014. Last year alone, the site had posted more than 35 million CP (card present) records and in excess of 8 million CNP (card not present) records.

The site's administrator intends to wipe all servers and backups when they shut their operations next month.

Security Analysis: The Rise of Cybercrime Underworld and Hacking Groups

During the Covid-19 pandemic, educational institutions, health agencies, and other significant organizations have suffered the most from cyberattacks. As if this was not enough, a massive wave of cyberattacks have risen against these institutions,  a new hacking group has emerged which uses modern techniques to attack its targets. The troublesome part is that these hackers are using an operational structure that is not very uncommon in the hacking underworld. Known as "Egregor," the hacking group has attacked more than 130 targets in recent months. 

The victims include logistics companies, schools, health agencies, the manufacturing industry, and financial agencies. The working of Egregor is similar to other ransomware, i.e. keeping hold of the data until the client pays the ransom money. There is but one minor change, Egregor's methods reveal the present structure of the hacking economy.  Instead of depending solely on lone wolfs (hackers) that orchestrate massive data breaches, or dark web platforms abundant with Russian threat actors, the hackers today work as a kind of unified group/team which acknowledges innovations and changes in the hacking industry. 

In other words, one can say that is a replica of Silicon Valley, but one that thrives on exploiting agencies for profit rather than building interactivity. Cybersecurity expert Jason Passwaters, CEO, Intel 471, says that there exist hackers which were active a long time ago and are still in the hacking game. They offer the same services as they used to back in the time, but the only change is now these hackers rely on each other, rather than working solely. Cybersecurity experts suggest that there might be up to 12 hackers involved in a data breach or a commodity cyberattack. The Egregor group isn't the only one. 

Hacking groups like Thanos, Conti, and SunCrypt that use similar malware strains, have also started operating in a cooperative way.  Cyberscoop reports, "it’s a style with roots in the mid-2000s when a hacker using the name “slavik” released the Zeus malware, a hacking tool that helped accelerate what’s known now as an affiliate model. The FBI has identified a Russian man, Evgeniy Bogachev, as “slavik,” and has listed him on the bureau’s list of most wanted fugitives. Bogachev’s Zeus malware is responsible for financial losses of more than $100 million, the FBI says, even as the creator has posed in ostentatious outfits in social media pictures."