Search This Blog

Showing posts with label US. Show all posts

Iranian Hackers Attacked Websites of an African Bank and US Federal Library

 

According to Iran Briefing, hackers posing as Iranians targeted the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, by posting pro-Iranian remarks and graphics. 

The website of Sierra Leone Commercial Bank was found to be "H4ck3D IRANIAN HACKER" in Google search results. 

The words "hacked by Iranian hacker, hacked by shield Iran" were written in Twitter screenshots on a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike. 

According to CBC News, the library program's website was updated with a bloodied picture of US President Donald Trump being punched in the face, as well as a message is written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!" 

A spokesman from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency verified the incident. Though the hack has still proven to be the activity of Iranian state-sponsored actors. 

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging”. 

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US could be a possible retaliation. 

It's unclear whether the hackers had a government position or had any connection to Iran. The hack occurs at a time when tensions between the US and Iran are still high following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2. 

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.

Herff Jones Credit Card Breach: College Students Across the US Affected

 

Graduating students from many universities in the United States have reported fraudulent transactions after using payment cards at Herff Jones, a prominent cap and gown seller. Following the initial reports last Sunday, the company launched an investigation to assess the scope of the data breach. 

The complaints persisted this week, prompting others to review their credit card statements for fraudulent charges. Students at universities in Indiana (Purdue, IU), Boston, Maryland (Towson University), Houston (UH, UHD), Illinois, Delaware, Michigan, Wisconsin, Pennsylvania (Lehigh, Misericordia), New York (Cornell), Arizona (Wake Forest), Florida (State University), and California (Sonoma State) are affected by the issue. 

Herff Jones was entirely unaware of the data violation until students began to complain about fraudulent charges to their payment cards on social media. They all had one thing in common: they were graduating students who had purchased commencement gear at Herff Jones. Some of them had to withdraw their payment cards and file a dispute with the bank over the fraudulent charges. 

Apart from delivery delays, the students said that they had been charged fraudulently for amounts ranging from tens of dollars to thousands of dollars. While the majority of reports indicate losses ranging from $80 to $1,200, one student said that a friend was charged $4,000. 

“Someone just bought a ps5 with my card info and I respect the hustle,” stated one student.  

A parent chimed in saying that their “daughter and about 30 other graduates that she knows of at her school (not Purdue) have had their debit cards compromised through HJ [Herff Jones].” 

According to one Cornell University senior, their credit card was stolen, and fraudsters attempted to charge $3,000 to "asics" and use it on adult content subscription service OnlyFans. Although the exact date of the Herff Jones violation is unknown, some of the earliest transactions date from the beginning of the month. Several students reported that they bought graduation products in April. 

Herff Jones released a statement on May 12th acknowledging the payment card data breach and apologizing for the incident.

Herff Jones said in a statement, “We sincerely apologize to those impacted by this incident. We are working diligently to identify and notify impacted customers. The company is investigating the incident with the help of “a leading cybersecurity firm.”

US and Australia Warn of Rise in Avaddon Ransomware Attacks

 

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

Avaddon threat actors threaten victims with denial-of-service (DDoS) attacks in order to persuade them to pay ransoms, according to the ACSC (in addition to leaking stolen data and encrypting their system). However, no evidence of DDoS attacks has been discovered as a result of the Avaddon ransomware attacks, according to the FBI. 

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

When ransomware groups started using DDoS attacks against their victims as an additional leverage point, BleepingComputer first posted on this new trend in October 2020. SunCrypt and RagnarLocker were the two ransomware operations that used this new strategy at the time. 

The first Avaddon ransomware samples were discovered in February 2019, and the ransomware started hiring affiliates in June 2020 after launching a massive spam campaign that targeted users all over the world. Affiliates of the Avaddon RaaS operation are required to obey a set of guidelines, one of which is that no targets from the Commonwealth of Independent States be pursued (CIS). 

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators receiving the remaining 35 percent. Avaddon ransomware’s affiliates have also been known to steal data from their victims' networks before encrypting systems in order to double-extortion. 

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Russian Actors Change Techniques After UK and US Agencies Expose Them

After the western agencies outed their techniques, Russian actors from the APT29 group responded to the expose by using a red-teaming software to get into the victim's network as a trusted pentesting exercise. Currently, NCSC (National Cyber Security Centre) of UK and the US have alarmed, that the SVR is currently exploiting vulnerabilities that are critical rated (a dozen of them) which also include RCEs in devices that range from VMware virtualization to Cisco's routers, as well as the famous Pulse Secure VPN flaw, along with other equipment. 

"The NCSC, CISA, FBI, and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise," says the NCSC website. It found a case where the spies look for verification credentials in mails, which included passwords and PKI keys. Quite similar to MI6 with a bit of GCHQ, the SVR is a foreign intelligence agency of Russia and is as popular among the cybersecurity realm as APT29. 

Last month, UK and US agencies came together to expose the group's techniques, allowing cybersecurity research around the world to have a glance at the lethal state-sponsored attackers that might've attacked their network infrastructure. After finding the NCSC report, the SVR actors have changed their TTP to avoid getting further caught and also to escape any preventive measures that network defenders might've placed. Besides this, the group is also pretending to be an authorized red-team pentester, to avoid getting caught. The actors also got into GitHub and installed Sliver, an open-source red-teaming platform, to keep their access active. 

The Russian actors have become more active in exploiting these vulnerabilities. NCSC, in its blogpost, warned smart City infrastructure, public operators, to be alert of suspicious state-sponsored actors that intend to steal data. "Why the sudden focus on smart streetlights and all the rest of it? The risk in smart cities is the direct control of operational technology; industrial equipment such as CCTV, streetlights, and access control systems. We understand at least one UK council is removing some smart city gear after having thought of the wisdom of installing it," reports the Register.

Colonial Hackers Stole Data on Thursday Ahead of Shutdown

 

The hackers who caused Colonial Pipeline to shut down the biggest US petrol pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, as per the sources.

According to the two reports, the intruders, who are members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.

The step was part of a double-extortion scheme that has become a trademark of the group. According to the reports, Colonial was told that the stolen data will be released to the Internet, although information encrypted by the hackers on machines within the network will stay locked until it paid a ransom. The company didn't immediately respond to requests to comment on the investigation. It said earlier that it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems". 

Colonial's decision on Friday to shut down the main pipeline that supplies the US East Coast with gasoline, diesel, and jet fuel, without specifying when it would reopen, indicates a risky new escalation in the battle against ransomware, which President Joe Biden's administration identified as a priority. 

It's unclear how much the attackers requested or whether Colonial has agreed to pay. In cryptocurrency, ransomware demands can vary from a few hundred dollars to millions of dollars. Many businesses compensate, with the help of their insurers. 

According to the Associated Press, AXA, one of ’s leading insurance firms, announced last week that it will break the trend and stop offering schemes in France that reimburse customers for payments made to ransomware hackers. In recent years, cyberattacks have disrupted the operations of other energy assets in the US. Last year, the Department of Homeland Security announced that an unnamed natural gas compressor facility was shut down for two days due to an attack. 

The theft of Colonial's records, combined with the installation of ransomware on the company's machines, demonstrates the power that hackers frequently hold over their victims in such situations. The investigation is being assisted by FireEye Inc's Mandiant digital forensics division, according to the company. 

Mr. Biden was briefed on the incident on Saturday morning, according to the White House.

Ransomware Hits US Defense Contractor BlueForce

A ransomware attack hit U.S defense contractor Blueforce, says Hatching Triage sample, and a Conti ransomware chat. Ransomware in the Hatching Triage page consisted of a ransom threat likely to be from an attacker who hit the victim with Conti Ransomware strain. Tech Target's sister website LMagIT found the sample which was sent to SearchSecurity. 

The note said that all the victim's files were encoded by CONTI ransomware, attacker told the victim to google about if he weren't aware of what the strain is, and said that all information has been encrypted with the software and couldn't be restored by any method unless the victims contact the team directly. 

If the victim tried anything suspicious with recovery software, the attacker warned that all files will get damaged, and told the victim to continue at his own risk. "Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data but threatening to publish it, too. Recent Conti victims include several London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active," said SearchSecurity. The threat also included a .onion link and a standard URL to an active chat between a negotiator from Blueforce and Conti actor. 

Blueforce is Virginia-based which builds nexus between the Department of State (DoS) and Department of Defense (DoD) via a sophisticated mix of interagency, international development expertise, and cross-functional defense. The conversation dates back to April 9, actor enquired if the target was willing to negotiate. After about 2 weeks, the victim replied with a request saying all the files were encrypted and to help. 

The attacker asked the victim for identification, Blueforce responded last week, asked for the following procedure, and also enquired whether any data was encrypted. According to SearchSecurity "the threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since."

US Agencies Hit By Cyberattack, Confirms CISA Investigation

 

Around five federal civilian agencies were breached recently, in a hit to the US government, revealed an investigation by a top Cybersecurity and Infrastructure Security Agency, which followed emergency protocol to minimize damage from the attack. Suspected hackers from China exploited vulnerabilities in Pulse Secure VPN, a popular remote connectivity tool, to hack into government organizations, defense systems, financial agencies across Europe and the US, said a report released earlier this month. 

For the past few weeks, CISA has been constantly working to find out to find the total damage of the attack and help organizations protect their systems, telling organizations to run an "integrity tool" to look for potential breaches. Matt Hartman, Deputy Executive Assistant Director of Cybersecurity said "CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access." CISA is coordinating with various agencies to verify if a breach occurred and to provide assistance as a response to the issue. The news came out first when Reuters reported about the affected agencies. Earlier this week, CNN had reported that CISA found 24 Federal Civilian Agencies using Pulse Secure VPN, but were not sure whether they were compromised. 

CNN reports, "The discovery of potential breaches comes a little over a week after CISA issued a rare "emergency directive" ordering all federal civilian agencies to determine how many instances of the product they have, run the "integrity tool," install updates and submit a report to CISA. Emergency directives are used when there is a high potential for compromise of agency systems. Since March 31, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor, according to a CISA spokesperson." 

The US government is still determining the extent of the attack. The Pulse Secure VPN intrusions don't show any signs of sophisticated attack or supply chain attack, as was the case with the recent SolarWinds attack. The hack was also different from the Microsoft Exchange Server Campaign indiscriminate targetting, where hackers breached thousands of servers.

New FiveHands Ransomware Deploy Into SonicWall Internal System

 

Earlier this year, money-oriented cybercriminals leveraged a zero-day vulnerability that has been introduced by SonicWall in its Secure Mobile Access (SMA) 100 Series VPN appliances to install advanced ransomware studied as FiveHands, victims are reported to be North American and European networks. 

The operation was traced by FireEye’s Mandiant cyber analysts as “UNC2447’’. Analysts unit has informed that the group took advantage of the CVE-2021-20016 SonicWall bug to breach networks and further install FiveHands ransomware payloads before the vendor released patches in late February 2021. Further, the report also reads that the threat actor poses advanced skills in exploiting networks. 

Additionally, over the past half a year, a brand new cyber hacker group has been noticed to be exploiting a wide range of malware and creating pressure on ransomware victims into making payments. 

Previously in similar contexts, FireEye reported that the cyber attackers have been deploying ransomware families and malware such as FiveHands (a variant of the DeathRansom ransomware), Sombrat, the Cobalt Strike beacon, the Warprism PowerShell dropper, and FoxGrabber, additionally the new ransomware's actions also demonstrated signs of RagnarLocker and HelloKitty ransomware affiliation. 

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye reported. 

The group deployed a critical SQL injection flaw in SonicWall SMA100 series devices, which will give remote access to attackers and further, access to login credentials, session information, and other vulnerable appliances. 

The existence of the vulnerability was first observed in January 2021, when SonicWall warned its customers that the company's internal system has been attacked in a cyber operation that may have targeted zero-day vulnerabilities in the company’s secure remote access devices. CVE-2021-20016 was patched in February 2021 by SonicWall, however, FireEye reported that UNC2447 had exploited it before the patch was released. 

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant further added in a report published today.

Child Tweets Gibberish from US Nuclear Agency Account

 

An unintelligible tweet sent out from the official account of U.S. Strategic Command in charge of the nation’s nuclear arsenal last weekend had left many in shock. Some jokingly said the cryptic tweet, “;l;;gmlxzssaw,” was a US nuclear launch code and some even thought it was a message to political conspiracists.

Now the US strategic command has revealed that it was a young member of the account’s social media manager who accidentally tweeted from the official account, which was then deleted within minutes. Many people saw this tweet as an attack on the country’s nuclear arsenal including Mikael Thalen, a journalist with the Daily Dot. He decided to file a Freedom of Information Act (FOIA) request to get answers. 

“Filed a FOIA request with U.S. Strategic Command to see if I could learn anything about their gibberish tweet yesterday. Turns out their Twitter manager left his computer unattended, resulting in his ‘very young child’ commandeering the keyboard,” Thalen wrote on his Twitter account. 

“The command’s Twitter manager…momentarily left the command’s Twitter account open and unattended. His very young child took advantage of the situation and started playing with the keys and unfortunately, and unknowingly, posted the tweet. Absolutely nothing nefarious occurred, i.e., no hacking of our Twitter account. The post was discovered and notice to delete it occurred telephonically,” U.S. Strategic Command responded. 

According to a report published by Kaspersky security researchers, remote workers can be more vulnerable to outside attacks, which was proved in this instance. “Lockdown has been a stressful time for everyone…without additional support from young employers, young people and caregivers could continue to deviate further from pre-set and learned IT security rules, exposing their companies to further increased security risk,” Margaret Cunnigham, principal researcher at Facepoint stated.

EU Banking Regulator Suffers Cyberattack in a Microsoft Email Breach

A significant EU financial regulator, the EU Banking Authority said that it suffered a cyberattack where its Microsoft email systems were hacked. The US company is putting the blame on a Chinese threat actor. Recently, Microsoft said that a Chinese state-sponsored hacking group was exploiting earlier unknown security vulnerabilities in Microsoft's exchange email services to hijack government and user data. The list of victims counts to as many as tens of thousands. Microsoft earlier this week said that "Hafnium attacks were in no way connected to the separate SolarWinds-related attacks." 

Threat actor "Hafnium" is highly skilled and sophisticated, says Microsoft. Hafnium has earlier attacked companies based in the US that include cybersecurity firms, law firms, defense contractors, think tanks, defense agencies, NGOs, and universities. The EBA (EU Banking Authority) said in a statement that the inquiries have not revealed any data theft as of now. Presently, the EBA e-mail infrastructure is safe and the investigation concludes that there has been no data breach, says the statement. 

There's no evidence to suggest that the breach affected anything more than email servers.  The company says that the investigation is still in process and security measures have been set up to restore the functionality of e-mails. EBA in a statement issued on Sunday said that it had shut down its systems as a preventive measure, observing that hackers may have got access to personal data in the emails. The company has issued updates to fix the security issues. It is very much likely that the hackers may want to take the advantage of the unpatched systems, says Tom Burt, Microsoft executive. 

In this regard, Security Week reported, "Beijing typically rejects US hacking charges out of hand and last year berated Washington following allegations that Chinese hackers were attempting to steal coronavirus research. In January, the US said Russia was probably behind the massive SolarWinds hack that hit large swathes of the government and private sectors, and which experts say may constitute an ongoing threat."  

JFC International Compromised with a Ransomware Attack

 

JFC International has reported that some of its IT networks have been compromised by a ransomware attack. The food giant is one of Asian food products' main producers and wholesalers in Europe and the US. The attacks have reportedly damaged the European Group of JFC International and the organization anticipates the resumption of regular activities. The event has also been confirmed by JFC International, law enforcement, staff, and partners. 

Headquartered in Los Angeles, California, Unites States, JFC International is a leading producer and wholesaler of Asian foodstuffs in the US. JFC International also purchases branded goods from other international firms, in addition to its own products. The official creation of the company was in 1958 and eventually named in 1978, but it operated in various ways from 1906 onwards. It belongs to the Japanese Kikkoman company. 

JFC International also undertakes a thorough forensic inquiry to ascertain what the cyber-attack source was. As per a comment published on the company's European website, the servers affected were reportedly already protected. What kind of ransomware was involved in the attack or whether anyone compromised due to the incident, such details remain unknown. Any personal information may be accessible to the perpetrators since JFC defined the case as a data protection event. 

“JFC International (Europe) was recently subject to a ransomware attack that briefly disrupted its IT systems. A full forensic investigation by in-house specialists together with external cyber experts was immediately started and is underway. The normal conduct of business in Europe will be up and running after a brief interruption for security reasons,” as mentioned in a press release published by the company. “The affected servers were secured. JFC International (Europe) is cooperating closely with the relevant authorities,” states the company. 

The organization reported security events to staff and business associates and advised the competent authorities. With the aid of external cyber specialists, the firm investigated the intrusions and confirmed that the compromised servers had already been protected. Initially while giving the statement, it's not really clear which of the ransomware families was responsible for the attack are involved and whether the attackers have stolen any information. 

“A full forensic investigation by in-house specialists together with external cyber experts was immediately started and is underway. Normal conduct of business in Europe will be up and running after a brief interruption for security reasons. The affected servers were secured,” the company said in a statement posted on its European website.

American Telecommunications Firm, T-Mobile Confirmed Data Breach and Sim Swapping Attacks

 

After an undisclosed number of subscribers were reportedly hit by SIM swap attacks, American telecommunications company T-Mobile has announced a data breach. The organization believes that this malicious conduct has been detected very easily and that it has taken steps to stop it and discourage it from continuing in the future. 

SIM swap attacks (or SIM hijacking) permits scammers who use social engineering or bribing mobile operator workers to a fraudster-controlled SIM to gain a charge of their target telephone number. They then receive messages and calls from victims and enable users to easily bypass multi-factor authentication (MFA) through SMS, steal user identifiers, and take over the victims' Online Service Accounts. Criminals will enter the bank accounts of the victims and take money, swap passwords for their accounts, and even lock the victims out of their own accounts. 

T-Mobile disclosed that an anonymous perpetrator had access to customer account details, including contact information and personal id numbers- in the communication of violation sent to affected consumers on 9 February 2021. As the attackers have been able to port numbers, it is not known whether or not they have been able to access an employee's account by means of the affected account users.

"An unknown actor gained access to certain account information. It appears the actor may then have used this information to port your line to a different carrier without your authorization," T-Mobile said.
 
"T-Mobile identified this activity—terminated the unauthorized access, and implemented measures to protect against reoccurrence".

Client names, emails, e-mail addresses, account numbers, Social Security Numbers (SSN), PINs, questions and responses about account security, date of birth, schedule information, and a number of lines signed up to their accounts may have been used for the information stolen by hackers stated T-Mobile.
 
"T-Mobile quickly identified and terminated the unauthorized activity; however we do recommend that you change your customer account PIN."

Affected customers of T-Mobile are encouraged to update their name, PIN, and security questions and answers. Via 'myTrueIdentity' from Transunion, T-Mobile is providing two years of free surveillance and identity fraud prevention services. Details on how to log on to these systems are given to the recipient of the data breach notice that is sent to the compromised customers. Changing PIN and security concerns, since both have been weakened, should be a top priority at this time.

USCellular Hit by a Data Breach After Hackers Access CRM Software

 

US Cellular, which is a mobile network operator, has suffered a data breach after threat actors gained access to its CRM and took control over customer’s account details. As per the complaint that has been filed with the Vermont attorney general’s office, USCellular mentioned that retail store employees were scammed into downloading software onto a computer. 

This software has given permission to the threat actors to gain access to computers remotely, and as the company employee was logged into the customer relationship management (CRM), hackers acquired access to this as well. 

"On January 6, 2021, we detected a data security incident in which unauthorized individuals may have gained access to your wireless customer account and wireless phone number. A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded the software onto a store computer." 

"Since the employee was already logged into the customer retail management ("CRM") system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee's credentials," states the USCellular data breach notification. 

According to USCellular, the attack has taken place on January 4th, 2021. On the basis of the information given by the USCellular, it is unclear as to how many customers were affected and whether the employees were scammed via a phishing email or some other method has been used. 

While getting access to customers' accounts in the CRM, the malicious actors would have been able to get information including their names, addresses, PIN, cell phone numbers, service plan, and billing/usage statements. 

"As indicated above, your customer account was impacted in this incident. Information your customer account includes your name, address, PIN code, and cellular telephone numbers(s) as well as information about your wireless services including your service plan, usage, and billing statements known as Customer Proprietary Network Information ("CPNI")," the data breach notification further adds.

USCelluar also stated that customers' social security numbers and credit card information were not accessible as they are masked in the CRM; from a deleted data breach notification that was on USCellular's site, the hackers were able to port numbers for affected customers to another carrier. 

"After accessing your account, a wireless number on your account was ported to another carrier by the unauthorized individuals," stated USCellular. After learning about the attack, USCellular has taken the necessary steps to protect the system from further attacks. The measures included isolating the infected computer and resetting the employee's passwords.

US Cyberattack: More than 50 Companies Suffer A Massive Breach

FireEye, the cybersecurity firm responsible for finding out about the massive hacking campaign against the US government says that 50 organizations have suffered major breaches from the attack. According to BBC, "Several other organizations around the world, including in the UK, are understood to have been targeted by hackers using the same network management software." FireEye CEO, Kevin Mandia said a total of 18,000 organizations had suffered an attack, out of which 50 have suffered a major data breach. 

Among the targets include DHS(Department of Homeland Security), The US Treasury, and state and defenses.  Mike Pompeo, US Secretary of State, says Russia is responsible for the attack. Whereas former US President Donald Trump suspects China behind the cyberattacks. Trump took to Twitter last Saturday and said that he believes China is responsible for the attack against the US. According to FireEye, the hacking breach is very serious and consistent. The US officials believe that the attack is the work of SVR, a Russian foreign intelligence agency. 

According to Mr. Mandia, these might be the same hackers that the US encountered in the 90s and the early 2000s. It all started when the hackers breached SolarWinds Orion, a Texas-based firm. In the SolarWinds supply chain hack, a "big" telecommunications company, various government organizations, and a fortune 500 company have been the targets of the breaches. The news comes a day after Microsoft agreed that it had informed its 40 customers of a breach in its Defender antivirus software. Mr. Pompeo has a firm belief that Russia is engaged with this activity. He alleges Russia for undermining the US government and says Russian President Putin is the real risk. 

"Hackers managed to gain access to major organizations by compromising network management software developed by the Texas-based IT company SolarWinds," reports BBC news. The access could have allowed the hackers to take a high degree of control over the networks of organizations using that software, but appears to have been used to steal data rather than for any disruptive or destructive impact, it further says.

Massive Cyberattack On US Government Exposes Shortcomings, Russia Named Top Suspect

Not long ago, US agencies had confirmed a massive data breach that compromised their networks. The problem persists, and US federals are still grappling to comprehend the extent of the breach. The data breach is linked to a large-scale hacking campaign that the experts have associated with Russia's operations. "The broad Russian espionage attack on the US government and private companies, underway since spring and detected only a few weeks ago, is among the most significant intelligence failures of modern times," reports The New York Times

As of now, various firms are investigating the issue, and a cybersecurity agency Fireye on Wednesday revealed that the malware has a "killswitch" that allows the software to shutdown. However, even if the malware is deactivated, the infected systems can remain susceptible to hackers' attacks. Besides this, currently, US federal agencies are under a lot of pressure to take strict action against Russia. In reality, the officials are still trying to address the exploited vulnerabilities and officially find the threat actor. 

The attack has exposed the vulnerabilities and shortcomings of the US cyber defenses. The news appears at a delicate time when the Biden administration has just taken over the office. President Joe Biden's administration is currently meeting with various agencies to look for options for dealing with this alarming threat. The Biden staff came to know about the massive intrusion on Monday, says DHS and Infrastructure Security Agency. US cybersecurity experts and officials say that the incident should be a warning to both the US government and private sector organizations because foreign actors will keep charging more damage in the future. 

"House and Senate Intelligence Committee aides received a phone briefing on the hack from administration officials on Wednesday, but the full extent of the breach remains unclear, according to sources familiar with the briefing. The Biden transition team was also briefed on the attack this week, an official from the Department of Homeland Security's cyber arm told CNN. The official declined to provide additional details about what was discussed," reports CNN.

Are Media Agencies the Next Target of Cybercriminals?

 

There is no denying the fact that cybercriminals have been exploiting the trust of people in media agencies. However, the ongoing situations have seen an incredible surge in cybercriminals needing to utilize each possible way to target media agencies.

Aside from direct attacks, they have even misused brand names to create counterfeit identities, which are then used to target 'potential victims'.

A couple of incidents throw light upon how and why these threat actors have set their sights on the media industry.

Some of them have been directly targeted generally through ransomware attacks.

Ritzau, the biggest independent news agency in Denmark, was targeted by a ransomware attack, prompting the compromise and encryption of more than one-fourth of its 100 network servers.

The computer servers at the Press Trust of India were also attacked by LockBit ransomware, which kept the agency from delivering news to its subscribers.

A few attackers very cleverly utilize the 'pretense' of media agencies to plan out their attacks.

Some time back, TA416 Able was found carrying out spear-phishing attacks by imitating journalists from the Union of Catholic Asia News, endeavoring to target the scope of victims, including diplomats for Africa and people in the Vatican.

Another incident happened when the U.S. seized 27 domain names that were utilized by Iran's Islamic Revolutionary Guard Corps (IRGC) for carrying out secretive influence campaigns, in which a few domains were suspected to be veritable media outlets.

OceanLotus had set up and operated a few websites, professing to be news, activist, or anti-corruption sites consistently. Furthermore, they traded off a few Vietnamese-language news websites and utilized them to load an OceanLotus web profiling framework.

Subsequently keeping these events in mind, experts recommend having sufficient safety measures, like frequent data backups, anti-malware solutions, and implementing Domain-based Message Authentication, Reporting & Conformance (DMARC).

Furthermore, recommendations were made on carrying out tests to distinguish and eliminate the risks of domain spoofing.


US President’s Twitter Account Hacked; The Ethical Hacker ‘Guessed’ The Password

 

According to reports by a Dutch media, US President Donald Trump's Twitter account was purportedly hacked, after a Dutch researcher accurately speculated the president's password: "maga2020!"

De Volkskrant, a Dutch daily morning newspaper revealed, the ethical hacker and security researcher Victor Gevers had been able to access Trump's direct messages, post tweets in his name and even change his profile. 

A Twitter spokesperson however has denied this hack, in a statement, they stated, "We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today. We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government." 

Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider, explains, “A security-savvy team would assume that these controls were important and would likely opt to use a strong password as well as MFA to reduce the likelihood of account takeover attacks. However, in the event users of the account opted for convenience over safety, it is not Twitter's responsibility to force people to pick strong passwords or to implement the security features they offer to users. Twitter's job is to offer a secure platform and strong security features, which they do. If people are unable to convince the President to wear a mask during a pandemic, it's unlikely they could force him to use a strong password.” 

Supposedly gaining access to Trump's Twitter implied that Gevers was suddenly able to associate with all of Trump's followers i.e. approximately 87 million users as per De Volkskrant's story. 

He had attempted multiple times before utilizing the "correct" password, says, “I expected to be blocked after four failed attempts. Or at least would be asked to provide additional information.” 

Gevers revealed to De Volkskrant that President Trump was not utilizing fundamental safety measures, like the multifaceted authentication. 

As indicated by the news report, Gevers frantically reached out to Donald Trump to caution him, which ended up being a rather impossible task. Remarkably though, Gevers along two other Dutch ethical hackers had likewise hacked Trump's record somewhere four years back.

In those days Trump's password was "your fired", which according to VN news, was his 'catchphrase' from the reality television show that brought him half the popularity that he has today, before his election, The Apprentice.

A Brief Summary of The Potential Threats Revealed in Black Hat 2020 Conference


Cybersecurity experts had a lot to say about possible cybersecurity threats in the USA Black Hat Conference.




Main Highlights

US Presidential Elections
As the US awaits its presidential elections, cybersecurity has become a significant issue. In the conference, experts came out with various solutions to election-related cybersecurity threats that might arise during the campaigning and offered new ideas to strengthen the infrastructure.

Exploits and Vulnerabilities 
Cybersecurity expert Matt Vixey presented research on cybersecurity exploits. The main idea is that cyberattacks can only be prevented if there's a proper system involved; in other words, a plan-of-action. Here, the 'Human factor' risk is involved, and the hackers attack it.

DNS Attacks 
In recent times, DNS encryptions and its security have come into question. Hackers have come with a new way to breach the encryption; the technique is known as DOH (DNS-over-HTTPS). The key speaker for the topic was Mr. Eldridge Alexander, Cisco's Duo Labs, Security Research, and Development manager.

Cyberthreats and COVID-19 
The COVID-19 pandemic saw a surge in cybersecurity threats. With people working from home, hackers saw new targets that were easy to attack. Keeping this particular issue in mind, Shyam Sundar Ramaswami presented several ways to identify pandemic based malware or malspam, including a rapid statics analysis approach.

A world without passwords 
Imagine a world with no passwords, a world where all the systems are integrated with a unique authorization model. Wolfgang Goerlich and Chris Demundo presented their 'Zero Trust' theory, where systems would not need to require passwords, making a secure cyber world.

Possible Threats

  • Influence Campaigns- Misuse of social media platforms to disseminate fake news and misinformation has become a critical problem, especially during the election campaigns. 
  • According to James Pevur, satellite communications are open to surveillance and monitoring. Hackers can easily bug communication using a few sophisticated gadgets. 
  • Botnets- Hackers can use high watt devices and turn them into Botnets, attacking energy campaigns. 
  • Experts say that open source tools can be used by hackers to create fake websites or channels that look the same as the original. It can allow the influence of public opinion.

Cyberattacks in the U.S. Hit an All-Time High due to Covid-19, Says Black Hat Report.


Due to the coronavirus pandemic, cybersecurity experts suspect a rise in cyberattacks and cybercrimes, says a survey by Black Hat earlier this week. Around 275 cybersecurity professionals (respondents in the study) have expressed concerns about potential breaches in the U.S. infrastructure and the I.T. industry. More than 90% of these experts believe that due to coronavirus, there has been a jump in cyber threats in the U.S., resulting in data leaks and privacy breaches. Around 24% of experts believe that the current danger is very severe and critical.


Among the cybersecurity threats, work from vulnerabilities in the remote access systems tops the list, accounting for 57% of the attacks. Meanwhile, phishing scams and spam attacks account for a hefty 51%. Around 85% of these experts claim that there might be a targeted cyberattack on the U.S. infrastructure in the next two years. The threat figures went up from 69% in 2018 to 77% in 2019. Among these, around 15% of the respondents believe that the government and the private sector is ready to face these attacks. These percentage figures went down from about 20% in 2019.

The majority of the cybersecurity experts believe that their firms would have to take care of the upcoming cybersecurity challenges. More than half of these believe that they currently lack the required staff force to combat cyber threats. Besides this, the budget required to protect their organization's data from cyberattacks is also low. Besides the concerns about the lack of resources to defend against cybercriminals, experts also say that they lack proper technology. According to the survey results, only half of the technology tools could be termed effective.

"The survey results suggest that the world's top cybersecurity professionals are more concerned than ever about cybersecurity risk at the global, national, enterprise, and consumer levels. While cyber threats have been growing in volume and sophistication in recent years, most security professionals believe that the radical shift toward remote access creates unprecedented risk for sensitive data," says the 2020 Black Hat USA report.

US Intelligence Reveals Malware, Blames North Korea


The FBI (Federal Bureau of Investigation), US Cyber Command, and DHS (Department of Homeland Security) recently discovered a hacking operation that is supposed to originate from North Korea. To inform the public, the agencies issued a security statement which contains the information of the 6 malware that the North Korean Hackers are currently using.


US Cyber Command's subordinate unit, Cyber National Mission Force (CNMF), on its official twitter account published that the North Korean hackers are spreading the malware via phishing campaigns. The tweet says, "Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert …. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM."

According to the US Cyber Command, the malware allows the North Korean hackers to sneak their way into infected systems and steal money. The funds stolen are then transferred back to North Korea, all of it done to avoid the economic sanctions imposed upon it. It is not the first time that the news of the North Korean government using hackers to steal money and cryptocurrency to fund its nuclear plans and missile programs, and avoid the economic sanctions have appeared. According to the reports of the US agencies, the 6 malware are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie, and Buffet line. The official website and twitter account of DHS, US Cyber Command, have complete details about the malware.

The US Alleges Lazarous Group for the Attack 

Cybersecurity and Infrastructure Security Agency (CISA) claims that the attack was carried away by the North Korean hacker group Lazarus. The group also works under an alias, Hidden Cobra, and is one of the largest and most active hackers' groups in North Korea. According to the DOJ (Department of Justice), Lazarus was also involved in the 2014 Sony hack, 2016 Bangladesh Bank Attack, and planning the 2017 WannaCry ransomware outbreak.

A new 'Name and Shame' approach 

Earlier, the US used to avoid issuing statements when it faced cybersecurity attacks. However, in the present times, it has adopted a new name and shame approach to deal with this issue. The US cybercommand, as observed, publishes about the malware publicly on its Twitter handle, along with the nation responsible. This didn't happen earlier.