
Navistar International Corporation Hit by Cyberattack

Navistar International Corporation, a US maker of trucks and military vehicles, has confirmed that it was recently hit by a cyberattack that resulted in data theft. In a Form 8-K filing with the SEC (Securities and Exchange Commission) on Monday, the company said it became aware of an attack on its IT systems on May 20, 2021. Navistar took immediate action to limit the impact of the attack and launched an investigation with various cybersecurity and foreign agencies. Since the attack, Navistar has strengthened its cybersecurity infrastructure and data protection, and says all of its systems are fully functional. 


On May 31, the company received a message claiming that it had been hit by a cyberattack and that some data had been stolen. The company is still assessing the impact of the attack and has already asked law enforcement agencies for help. Navistar did not disclose any technical details, but a ransomware attack is a possibility, given the recent surge of ransomware incidents in the US in which major organizations were attacked and critical data was stolen. Navistar, established in 1986, makes trucks, diesel engines, and buses. 

Its Navistar Defense subsidiary makes military vehicles. After the attack that forced Colonial Pipeline to shut down its operations and distribution systems at the start of May, JBS USA, the US subsidiary of the world's largest meat processing company, also announced recently that it had closed plants in America and Australia. Steamship Authority, the largest ferry service from Cape Cod to the Massachusetts islands of Martha's Vineyard and Nantucket, was also recently hit by a cyberattack of a similar kind. 

At the start of this year, Molson Coors Beverage Company was also hit by a ransomware attack. "White House this week urged corporate executives and business leaders to take the appropriate measures to protect their organizations against ransomware attacks. The memo, signed by Anne Neuberger, deputy national security advisor for cyber and emerging technology, mentions the recent increase in the number of ransomware incidents, as well as the Biden administration's response to such attacks targeting government and private sector organizations," reports Security Wee

DOJ Charges Latvian National for Helping Develop the Trickbot Malware

 

The US Department of Justice has charged a Latvian woman for her alleged role in developing the Trickbot malware, which was responsible for infecting millions of computers, targeting schools, hospitals, public utilities, and governments. 

After being arrested on February 6 in Miami, Florida, Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment. 

The DOJ said in a press release that Witte created the code used by the Trickbot malware to control, launch, and manage ransomware payments. Witte is also said to have given the Trickbot group the code required to track and monitor approved malware users, as well as the tools and protocols needed to store login credentials obtained from victims' networks. 

The case was investigated by the FBI's Cleveland Office and the Department of Justice's Ransomware and Digital Extortion Task Force, which was formed to combat the rising number of ransomware and digital extortion attacks. 

FBI Special Agent Eric B. Smith said in a statement, "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems."

Trickbot is a malware variant that was first discovered in October 2016 as a modular banking trojan and has subsequently been updated with new modules and capabilities. 

Microsoft and many partners reported on October 12 that they had taken down certain Trickbot C2s. Before the presidential election, the US Cyber Command apparently tried to destroy the botnet by sending infected devices a configuration file that cut them off from the botnet's C2 servers. Despite these concerted attacks on TrickBot's infrastructure, the TrickBot gang's botnet remains alive, and new malware builds are continually being released. 

The TrickBot gang is known for deploying the Ryuk and Conti ransomware on the networks of high-value business targets. According to Deputy Attorney General Lisa O. Monaco, Trickbot infected millions of victim computers throughout the world, harvesting banking information and delivering ransomware. 

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

Metropolitan Transportation Authority Systems Hacked

 

An MTA document outlining the breach states that in April a hacking group with links to the Chinese government breached the computer systems of the Metropolitan Transportation Authority, highlighting vulnerabilities in a large transit network that carries millions of people every day. 

Transit officials also said that the hackers did not gain access to systems that could jeopardize the operation of train cars or driver safety, stressing that the intrusion caused minimal harm, if any. 

Transit authorities said that a forensic assessment of the attack has so far uncovered no evidence that the attackers accessed or affected customers' personal information. The agency reported the incident to the police and other government authorities but has not announced it publicly. 

The intrusion was the third, and perhaps the most significant, cyberattack on North America's largest transit network in recent years, according to transit authorities. 

FireEye, a private cybersecurity company working with the federal government to investigate the intrusion, said that the attack did not involve financial demands and instead appears to be part of a recent broad wave of intrusions by sophisticated hackers backed by the Chinese government. 

The wider campaign, discovered at the end of April, affected hundreds of organizations, including federal agencies, defense contractors, and financial institutions. The Chinese government routinely denies such hacking activity. 

Researchers have different theories as to why the M.T.A. was targeted, but the actual reason remains unknown. One theory points to China's effort to dominate the multibillion-dollar rail car market: an attempt to gain insight into the inner workings of a transit system that awards lucrative contracts. 

Another view, offered by cybersecurity specialists, is that the attackers accessed the M.T.A. system inadvertently and found nothing exceptional there. 

The hackers made no changes to the agency's operational systems and did not collect any employee or customer data, such as credit card information. Notably, they did not compromise any M.T.A. accounts, transit authorities stated, citing a forensic audit of the attack by the cybersecurity firms IBM and Mandiant. 

“The M.T.A.’s existing multi-layered security systems worked as designed, preventing the spread of the attack,” said Rafail Portnoy, the M.T.A.’s chief technology officer. “We continue to strengthen these comprehensive systems and remain vigilant as cyberattacks are a growing global threat.” 

The attack on the M.T.A. also comes amid increasing concern about China Railway Rolling Stock Corporation, the world's largest producer of train cars. 

As cyber threats and US-China trade disputes have both grown, the state-owned company's dominance has raised concerns among legislators, defense officials, and industry experts that critical US transportation infrastructure has been left vulnerable to cyberattacks. 

M.T.A. systems appear to have been targeted on two days in the second week of April, and access persisted at least until the breach was reported on April 20. The hackers exploited a so-called zero-day, a previously unknown software flaw for which no patch existed. 

According to the M.T.A. document describing the breach, the hackers gained special access to systems used by New York City Transit, which operates both the subway and the buses. 

Mr. Portnoy said there was "no employee or customer information breached, no data loss, and no changes to our vital systems." 

“Our response to the attack, coordinated and managed closely with State and Federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through M.T.A. systems,” he added.

Russian Hacking Group Nobelium Attacks 150 Organizations, Hacks Mails

Nobelium, the Russian hacking group responsible for the 2020 SolarWinds attack, is back; this time it used Constant Contact, a cloud email marketing service, in a phishing campaign that resulted in the compromise of 3,000 email accounts across 150 organizations. Microsoft disclosed the latest attack in a blog post titled "Another Nobelium Cyberattack", warning that the group aims to compromise trusted technology providers in order to attack their customers. 

This time, Nobelium did not use the SolarWinds network monitoring tool; instead it gained access to the Constant Contact account of USAID (United States Agency for International Development). Tom Burt, Microsoft's corporate vice president of customer security and trust, said: "using the legitimate mass mailing service Constant Contact, Nobelium attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients." 

After gaining access to Constant Contact's email service through USAID's account, Nobelium distributed authentic-looking phishing emails containing a link which, when opened, delivered a malicious file called "NativeZone" that is used to install a backdoor. The backdoor could enable activities such as data theft and the compromise of other networks. Constant Contact said that it was aware of an account breach affecting one of its customers; it was an isolated incident, and the affected accounts have been deactivated while the company works with law enforcement. Most of the emails targeting customers were blocked automatically, and Windows Defender blocked the malware used in the attack. 

"We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC) team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft's products or services. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," said Burt.

World’s Biggest Meat Supplier JBS Suffered a Cyber Attack

 

An advanced cyberattack has hit the largest meat processing company in the world. 

JBS, the world's largest beef supplier, said its systems came back online late on Tuesday, following a severe cyberattack that disrupted some of its operations in the US and Australia. 

The attack damaged servers supporting its IT systems in North America and Australia, the company said in a press release. 

"The company is not aware of any evidence at this time that any customer, supplier, or employee data has been compromised or misused as a result of the situation," JBS said. "Resolution of the incident will take time, which may delay certain transactions with customers and suppliers." 

JBS USA is part of the food giant JBS Foods, which, according to its website, operates in 15 countries and has customers in around 100 nations. Pilgrim's, Great Southern, and Aberdeen Black are among its brands. JBS said that it is working with an incident response firm to restore its systems as quickly as possible. 

During a press conference on Tuesday, the White House acknowledged the attack. Principal Deputy Press Secretary Karine Jean-Pierre told reporters that JBS had been the victim of a ransomware attack "from a criminal organization likely based in Russia." The White House confirmed that the FBI is investigating the attack. 

President Biden has also instructed his administration to assess the impact on the country's beef supply and how it may be mitigated. 

According to union officials, JBS halted cattle slaughter at every U.S. plant on Tuesday; Monday's incident had already brought its Australian operations to a halt. JBS controls approximately 20% of US livestock slaughter capacity, with North American operations based in Greeley, Colorado. 

Australia's Agriculture, Drought, and Emergency Management Minister David Littleproud tweeted about the JBS cyberattack on Tuesday, stating that the company is working closely with law enforcement authorities in Australia and abroad to bring operations back online and "to bring those responsible to account." 

The attack came a few weeks after a cyberattack prompted a six-day shutdown of Colonial Pipeline, one of the largest fuel pipelines in the United States. The pipeline has since returned to normal operation. 

"If the Colonial Pipeline cyberattack didn't impact enough consumers to spur response by the international community, the JBS meat supplier incident likely will," Meg King, the director of the science and technology innovation program at The Wilson Center, told CNN Business. "Now is the time for a global agreement to break the business model of ransomware," she added. 

However, "The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Jean-Pierre said. 

The US government has previously advised firms not to pay ransomware attackers, since payments encourage further attacks.

Pipeline Shutdown Shows Need for Tougher Cybersecurity Laws

 

The six-day shutdown of a key 5,550-mile fuel pipeline earlier this month as a result of a ransomware attack is a case study in everything that can go wrong when the private sector, which controls critical sections of American infrastructure, fails to prioritize cybersecurity, and the government lacks the resources to deter cyberattacks and manage the fallout. 

Colonial Pipeline's response to a recent hacker attack was fast and comprehensive. The private company turned off the supply of nearly half of the East Coast's oil, diesel, and jet fuel, which had never been done before. Long lines formed at gas stations from Washington, D.C., to Florida as a result of a combination of fuel shortages and panic buying. Stopovers were added to US air travel routes to enable planes to refuel in central and northern states. 

Colonial Pipeline was the victim of a ransomware attack by a group of Eastern European cybercriminals known as DarkSide, which extorted $4.4 million from the company as it rushed to regain control of its IT infrastructure and ensure the hackers had not breached the pipeline's operational systems. The pipeline was eventually brought back online, and DarkSide discontinued operations. However, the most serious harm had already been done: the incident demonstrated how easily a large portion of American infrastructure could be brought to a halt by a cyberattack no more sophisticated than pickpocketing. 

President Biden responded by signing an executive order that provides incentives for IT service providers to share data about cybersecurity vulnerabilities and breaches with the government. The order also establishes a cybersecurity safety review board with a remit similar to that of the National Transportation Safety Board, which investigates airline and railroad accidents and makes safety recommendations. 

Congress should go further and impose mandatory reporting rules requiring private sector companies in charge of sections of the nation's critical infrastructure to report attempted and actual breaches, so that government and industry can respond more quickly to minimize the consequences. Such a bill has been discussed in Congress for more than a decade, but it has yet to become law. 

Senator Angus King, who is co-chair of the Cyberspace Solarium Commission, established by Congress to bolster US cybersecurity protections, stated in an interview, “We need to build a structure that facilitates and supports open communication and trust, between this critically important infrastructure and the government in order for the government to be able to help.” 

Private sector companies face a vast number of phishing and other low-level intrusion attempts, and are sometimes unwilling to disclose sensitive details about cybersecurity vulnerabilities or risks for fear of civil liability. The carrots to the mandatory reporting requirement's stick, according to King, would be liability protections and a careful, narrow definition of what counts as a reportable incident. 

Much remains to be done to secure the country's critical infrastructure: establishing more structured federal oversight in place of the current multi-agency approach, which can be cumbersome, redundant, and slow; holding Russia responsible not just for its own cyber espionage but also for sheltering other cyber attackers within its borders; and tightening the federal government's own cybersecurity, whose weaknesses were exposed last year by the SolarWinds hack.

Irish Health System and 16 U.S. Health and Emergency Networks Hit by Conti Ransomware Gang

 

According to the Federal Bureau of Investigation, the same group of online extortionists responsible for last week's attack on the Irish health system has also targeted at least 16 medical and first-responder networks in the United States in the past year. The FBI said cybercriminals using the malicious software called 'Conti' have attacked law enforcement, emergency medical services, dispatch centers, and municipalities, according to a warning issued by the American Hospital Association on Thursday. 

The Conti ransomware appeared on the threat landscape in May 2020 and has links to other ransomware families. Conti has evolved quickly since its discovery and is known for how fast it deploys and encrypts across a target network. Conti is a "double extortion" ransomware: it steals data and threatens to leak it in addition to encrypting it. 

The FBI did not specify who was targeted in these attacks or whether ransoms were paid, only that these networks "are among more than 400 organizations worldwide victimized by Conti, with over 290 of them based in the United States." Recent ransom demands have been as high as $25 million, according to the FBI alert. 

On Thursday, Ireland said experts were examining a decryption tool that had been posted online, which could help restore IT systems crippled by the major ransomware attack on the country's health service. The government stated that it had not paid any ransom and would not pay any for the alleged key. It did not respond to reports that the gang had threatened to release reams of patient information next week. 

This ransomware attack has prevented access to patient information, forced medical facilities to cancel appointments, and disrupted Covid-19 testing around the country for the past week. Ossian Smyth, Ireland's e-government minister, has described it as "perhaps the most serious cyber crime assault on the Irish state." 

The hackers who took down Ireland's healthcare system are said to be members of "Wizard Spider," a sophisticated cybercrime group based in Russia that has become more active in the past year. The group has threatened to release medical records unless Ireland pays a $20 million ransom.

Molson Coors "Cyberattack Incident" Could Cost Company $140 Million

 

The US producer of popular beer brands such as Molson Canadian, Coors Light, Miller Lite, Carling, Blue Moon, and Coors Banquet has disclosed severe impacts of a cyberattack on its business, including brewery operations, production, and shipments. 

Brewing giant Molson Coors stated that the cyberattack caused major disruption to its brewery operations and is expected to cost the company around $140 million. Officials added that the company is working to restore normal operations, but production and shipping have yet to return to normal levels. 

“Despite this progress led by the significant efforts of the Molson Coors team, along with the support of leading forensic information technology firms and other advisors, the Company has experienced and continues to experience some delays and disruptions in its business, including brewery operations, production, and shipments in the U.K., Canada, and the U.S.,” a March 26 statement reads. 

While the firm has not identified a cause for what it calls a "cybersecurity incident", the event comes amid a wave of malware and ransomware attacks with a huge impact on companies worldwide. Recent attacks have affected healthcare providers, computer maker Acer, IoT provider Sierra Wireless, and various other large companies. 

The company stated that the cyberattack will affect its first-quarter results and consequently its 2021 financial results, but it has not released specific figures on expected costs. Returning to normal revenue will evidently take both effort and time. 

According to the company, “the cybersecurity incident and the February winter storms in Texas will shift between 1.8 and 2.0 million hectoliters of production and shipments from the first quarter 2021 to the balance of the fiscal year 2021 and will also shift between $120 million to $140 million of underlying EBITDA from the first quarter 2021 to the balance of the fiscal year 2021.” 

The company has yet to share technical details of the incident, but various experts speculate that it could be ransomware-related. 

“We notified law enforcement and are cooperating in their investigation. We also have notified and are working with all of our relevant insurance companies,” the company said in a statement.

FTC Busts $110m Charity Fraud Operation



The US Federal Trade Commission (FTC), together with agencies from 40 US states, has launched a major crackdown on a charity fraud operation that scammed victims out of more than $110 million. 

The FTC teamed up with 46 agencies from 38 states and Washington DC, most of them state attorneys general, to shut down the sister companies Associated Community Services (ACS), Central Processing Services, and Community Services Appeal, along with two fundraising spin-offs run by ACS managers, The Dale Corporation and Directele.

The operation relied on illegal robocalls: around 1.3 billion misleading fundraising calls, obtaining donations from 67 million consumers. ACS and the related companies accused by the FTC and state agencies have agreed to settle the charges. According to the FTC, in some cases the accused kept around 90 percent of the money they collected from donors.

The scam has been active since 2008, and the operators deliberately exploited sensitive causes, such as breast cancer patients, homeless veterans, victims of house fires, and refugee children, to persuade victims to donate. 

According to the FTC, ACS and Directele were both charged with knowingly violating FTC rules that prohibit robocalls to first-time donors and automated calls to prior donors. ACS was also charged with harassing donors: it called around 1.3 million people more than 10 times each in a single week and made 7.8 million phone calls twice within an hour. Around 500 people were called 5,000 times or more, according to the FTC.

ACS has not operated since 2019, having previously been the subject of 20 law enforcement actions, but two of the accused are said to have continued the scheme through Directele and The Dale Corporation. 

"Deceptive fundraising can be big business for scammers, especially when they use illegal robocalls," said Daniel Kaufman, acting director of the FTC's Bureau of Consumer Protection. "…The FTC and our state partners are prepared to hold fraudsters accountable when they target generous consumers with lies."

U.S. Department of Justice Warns of Fake Unemployment Benefits Websites Stealing Data

 

The US Department of Justice has warned the public about threat actors impersonating state workforce agencies (SWAs) in order to steal Americans' sensitive credentials and other personal data. 

In a press release on March 5, the department said it had received reports of such attacks, adding that threat actors were creating fake websites that mimic genuine SWA sites. 

The aim is to persuade users that they are applying for unemployment benefits on a legitimate site and to get them to submit their personal information and credentials. Once collected, the attackers use this data for their own gain, such as identity theft. To drive victims to the spoofed SWA sites, the criminals typically send spam text messages and emails containing a link. 

“Unless from a known and verified source, consumers should never click on links in text messages or emails claiming to be from an SWA offering the opportunity to apply for unemployment insurance benefits,” said the department. 

The department added that anyone wishing to apply for unemployment benefits should go directly to an official SWA website. The roughly 10 million people in the US seeking unemployment benefits are also advised to watch out for phishing attacks and not to take any communications they receive at face value. 

“Carefully examine any message purporting to be from a company and do not click on a link in an unsolicited email or text message. Remember that companies generally do not contact you to ask for your username or password,” said the department. 

Officials said that anyone unsure whether a message genuinely comes from the entity it claims to should contact the National Center for Disaster Fraud (NCDF) to report the communication, and should not rely on any contact information given in the suspicious message.

NSA and CISA Jointly Issued Guidance On Protective DNS Services


The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint information sheet on Thursday describing the benefits of using a Protective Domain Name System (PDNS).
 
How does a Protective Domain Name System (PDNS) work? 

A PDNS service uses the existing Domain Name System (DNS) protocols and infrastructure to analyze DNS queries and mitigate threats. It draws on open-source, non-profit, and government threat feeds to categorize domains and block queries for domains identified as malicious. 

According to the NSA and CISA, PDNS provides protection against a range of network exploitation techniques, including phishing, malware distribution, domain generation algorithms, and command and control, and can also perform content filtering. 

A PDNS can also log and save suspicious queries and return a blocking response that stops malicious activity on a system, such as ransomware locking a victim's files, while letting organizations use the logged DNS data for their own analysis. 
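As an added illustration of the block-and-log behaviour described in the two paragraphs above (example code written for this page, not from the NSA/CISA information sheet or any listed provider), the following Python models the policy decision a PDNS resolver makes in front of ordinary DNS. The threat feed, sinkhole address, client addresses and query stream are all constructed for the example.

```python
"""Toy Protective DNS (PDNS) policy engine.

Added example, not code from the NSA/CISA information sheet or any listed
provider. It models the decision a PDNS resolver makes in front of ordinary
DNS: check the queried name against categorised threat feeds, answer blocked
names with a sinkhole address, log the block for the organisation's own
analysis, and pass everything else to the normal resolver.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Address handed back for blocked names; the choice is an assumption of this example.
SINKHOLE_ADDR = "0.0.0.0"

# Constructed threat feed (domain -> category). A real PDNS merges open-source,
# non-profit and government feeds; these names are invented for the example.
THREAT_FEED: Dict[str, str] = {
    "login-verify.example": "phishing",
    "cdn-update.example": "malware",
    "beacon.example": "c2",
}


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'Beacon.EXAMPLE.' == 'beacon.example'."""
    return qname.rstrip(".").lower()


@dataclass
class PdnsPolicy:
    feed: Dict[str, str]
    sinkhole: str = SINKHOLE_ADDR
    # (client, queried name, matched feed entry, category) for every block
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def classify(self, qname: str) -> Optional[Tuple[str, str]]:
        """Return (feed_entry, category) if qname or any parent domain is in the feed.

        Walking up the label tree means a feed entry for beacon.example also
        catches www.beacon.example, which is how block lists are usually applied.
        The bare TLD is never checked, so 'example' alone cannot match.
        """
        labels = normalize(qname).split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.feed:
                return candidate, self.feed[candidate]
        return None

    def resolve(self, qname: str, client: str,
                upstream: Callable[[str], str]) -> Tuple[str, bool]:
        """Answer a query as (address, blocked). Blocked names get the sinkhole."""
        match = self.classify(qname)
        if match is None:
            return upstream(qname), False
        entry, category = match
        self.log.append((client, normalize(qname), entry, category))
        return self.sinkhole, True

    def blocked_by_category(self) -> Dict[str, int]:
        """Summarise the log: the kind of view an organisation builds from PDNS data."""
        return dict(Counter(category for _, _, _, category in self.log))

    def clients_hitting(self, category: str) -> List[str]:
        """Distinct clients that queried a domain in the given category, e.g. 'c2'."""
        return sorted({client for client, _, _, cat in self.log if cat == category})


def demo_upstream(qname: str) -> str:
    """Stand-in for the real recursive resolver; returns a documentation address."""
    return "192.0.2.10"


if __name__ == "__main__":
    policy = PdnsPolicy(dict(THREAT_FEED))
    # Constructed query stream: two workstations, one of them beaconing.
    queries = [
        ("10.0.0.5", "www.example.org"),
        ("10.0.0.5", "login-verify.example"),
        ("10.0.0.7", "www.beacon.example."),
        ("10.0.0.7", "notbeacon.example"),
    ]
    for client, name in queries:
        addr, blocked = policy.resolve(name, client, demo_upstream)
        print(f"{client:10} {name:25} -> {addr}{'  [BLOCKED]' if blocked else ''}")
    print("blocked by category:", policy.blocked_by_category())
    print("clients hitting c2:", policy.clients_hitting("c2"))
```

The `clients_hitting("c2")` view is the piece a defender actually acts on: a workstation that resolves a known command-and-control domain is a host to investigate, whether or not the sinkhole stopped the connection.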

The information sheet lists a number of providers, but the NSA and CISA explicitly stated, "We, the federal agencies do not endorse one provider over another". The six providers listed are BlueCat, Akamai, Cisco, EfficientIP, Nominet, and Neustar. 

How did the NSA and CISA arrive at their recommendations? 

The recommendations are based on lessons learned from an NSA PDNS pilot. The NSA partnered with the Defense Cyber Crime Center (DC3) to offer PDNS as a service to members of the defense industrial base. The pilot PDNS examined over 4 billion DNS queries from participating networks and successfully blocked millions of connections to domains identified as malicious. 

Oliver Tavakoli, chief technology officer at Vectra stated, “Like other preventive approaches, they are useful in protecting organizations from known bads, but ultimately fall short in blocking the early stages of a new attack or more sophisticated attacks...”

"...So it makes sense to implement PDNS to reduce the attack surface, however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections," he added. 

Ray Kelly, a principal security engineer at WhiteHat Security, added that “DNS exploitations are still incredibly rampant and require some attention because they are such an effective technique used by malicious actors”.

CompuCom MSP Hit By DarkSide Ransomware Cyberattack

 

CompuCom, a US managed service provider, has suffered a DarkSide ransomware attack. The attack has caused a service outage, and customers are disconnecting from the MSP's network to prevent the malware from spreading. 

CompuCom is an IT managed services provider (MSP) that provides remote support to its customers, including hardware and software repair and various other technical services. 

CompuCom is owned by ODP Corporation (Office Depot/Office Max) and employs up to 8,000 people. 

Over the weekend, CompuCom suffered an outage that prevented clients from accessing the company's customer portal to open troubleshooting tickets. Customers visiting the portal see only an error message: "An error occurred while processing your request." 

CompuCom told the press that it has started informing customers of the malware attack. However, the company has not told customers what type of attack occurred or whether it was ransomware. Multiple people told the press that "this was a ransomware attack", but officials have not confirmed it. 

Additionally, when the press talked with affected customers, it has been known that CompuCom had disconnected their access to some customers so the attack can be prevented. Another client told, “Some of us had detached from CompuCom's VDIs (Virtual Desktop Infrastructure) to ensure their data was not affected by the attack”.

CompuCom issued a statement in which they stated that the company had witnessed a 'malware incident', and there's no evidence of it spreading to customers' systems. 

"Certain CompuCom information technology systems have been affected by a malware incident which is affecting some of the services that we provide to certain customers. Our investigation is in its early stages and remains ongoing. We have no indication at this time that our customers' systems were directly impacted by the incident...”

“...As soon as we became aware of the situation, we immediately took steps to contain it and engaged leading cybersecurity experts to begin an investigation. We are also communicating with customers to provide updates about the situation and the actions we are taking. We are in the process of restoring customer services and internal operations as quickly and safely as possible,”

“...We regret the inconvenience caused by the interruption and appreciate the ongoing support of our customers." – CompuCom reported. 

But today, CompuCom's customers shared a 'Customer FAQ Regarding Malware Incident' that gives even thorough details of the attack, than given by the company. 

"Based on our expert's analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and acquired administrative credentials. These administrative credentials were then used to deploy the Darkside Ransomware," the CompuCom FAQ reads.

US Intelligence Task Force Accuses Russia Of Cyber Attack

 

Previously, US President Donald Trump had accused China of malicious security incidents, and some security experts and officials suspected China of involvement in the recent cyberattacks on the US government and several other organizations in the country, but now other members of his administration are pointing the finger at Moscow. 

In a joint statement on 5 January, the intelligence bodies said, "the attack believed to be an 'intelligence gathering' attempt, rather than cyber warfare, as touted by multiple lawmakers including President Donald Trump. Currently, it is also being observed that cyber-attack which attempted to sabotage online privacy and information has affected fewer than ten US government agencies along with several other organizations outside government”. 

A joint statement from the Cyber Unified Coordination Group (UCG), the body of government organizations set up to deal with the recent attack, said that the Advanced Persistent Threat (APT) actor responsible for the cyberattack was “likely Russian in origin”. The organizations collaborating on the statement are the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security. 

The agencies said that the investigation is still ongoing to understand the scope of the data compromised in the attacks. According to the group, the intrusion began in March 2019, when an update to the IT network management tool called Orion was compromised. 
The report says that thousands of users across the United States installed the compromised tool, many of them in important US federal agencies. Besides non-government organizations, major parts of the US government were compromised in the recent attacks, such as the Treasury, the Department of Commerce, and the National Telecommunications and Information Administration.

"This is a serious compromise that will require a sustained and dedicated effort to remediate. Many organizations have to scour their systems for signs that they may have been compromised. The incident sent shockwaves across the US partly because the breach was undiscovered for many months and was potentially far-reaching in terms of who it might have affected. It also suggested a degree of sophistication and stealth which was widely seen as a trademark of hackers from the SVR", Russia's foreign intelligence agency, the Intelligence committee said in a statement.

Siemens USA Announced the Launch of Its Technologically Advanced Cyber Test Range

 

As the coronavirus pandemic brought an increase in cyberattacks, the need arose for facilities that focus explicitly on prevention, detection, and response solutions. For that reason, Siemens USA has launched its technologically advanced cyber test range, housed at its U.S. R&D headquarters in Princeton, New Jersey. 

The Siemens cyber test range is designed to test emerging cybersecurity technologies against real-world scenarios to help identify and mitigate potential weaknesses. 

The cyber range is set to become a hub where data scientists, security experts, and others can come together to carry out innovative cybersecurity research and to prototype and validate new research ideas. 

Siemens' growing collection of operational technology hardware and software components makes the range more valuable for 'a variety of industrially focused security research'.

The facility was designed with flexibility in mind, allowing remote operation and letting range segments be moved to other locations such as conferences, universities, government research labs, and even customer environments. 

Siemens has partnered with the Atlantic Council to use the cyber range to deepen students' understanding during the 'Cyber 9/12 Strategy Challenge' series by simulating cyberattacks on systems such as advanced water treatment and power generation facilities. 

Today, Siemens and its products are backed by a global organization of more than 1,200 cybersecurity specialists. The company's products and solutions have modern security functions that are built in by design and enabled by default. 

Kurt John, Siemens USA's Chief Cybersecurity Officer, says “Cybersecurity is at the center of everything we do at Siemens. This cyber range will help Siemens continue to innovate in the field of critical infrastructure cybersecurity and build industry confidence in the secure digitalization of America’s operational technology. With this cyber range, our customers and partners can now join us on our ongoing journey to help mitigate cyberattacks and protect America’s critical infrastructure.” 

The cyber range will be another space for future leaders to build trust in connected infrastructure, shaping a sustainable and resilient future, and at the same time a place for Siemens to master the technology foundational to the Fourth Industrial Revolution.

Iranian Threat Actors Have Modified Their Strategies, Attacks Now More Effective


Since the dawn of the digital age, Iranian hackers have been notorious for attacks on critical infrastructure, governments, and large corporate networks. The main motives behind these attacks are espionage, theft of confidential information, ransomware, and the targeting of large data networks. Since 2019, the hackers have been using more developed strategies that cause greater damage to their targets and bring in greater financial returns, reports Bloomsbury news.


Attack details

  • In April this year, the hacking group APT34 (also known as OilRig) deployed a modified version of its backdoor named 'RDAT'. The backdoor's C2 channel can hide commands and data inside images sent as attachments. 
  • In May this year, APT34 also added a new tool to its arsenal, known as DNSExfiltrator. With it, APT34 became the first hacking group known to use the DoH (DNS-over-HTTPS) protocol in its attacks. 

In view of these changes, organizations should recognize that the criminals are evolving and modifying their methods over time. This suggests that the hackers have become more capable and pose a more significant threat to the cybersecurity world.
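As an added defender-side illustration (not code from the original post, nor from any of the groups or researchers named in it), the following Python script scores DNS queries from a resolver log for the shape that exfiltration tools give them: long, high-entropy subdomain labels carrying encoded data, repeated by one client against one domain. The log lines, the domain `c2-placeholder.test`, the 30-character label threshold and the 3.5-bit entropy threshold are all constructed assumptions for this example. One caveat the passage itself implies: queries sent over DNS-over-HTTPS never reach the organization's resolver, so a check like this only helps when the log comes from endpoint DNS telemetry or from a proxy that blocks or terminates DoH.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not from the post). Assumed format per line:
# "<timestamp> <client-ip> <queried-name> <query-type>".
# The 32-character labels stand in for base32-encoded chunks of exfiltrated data.
SAMPLE_LOG = """\
2020-05-01T10:00:01Z 10.0.0.5 www.example.com A
2020-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2020-05-01T10:00:03Z 10.0.0.7 abcdefghijklmnopqrstuvwxyz234567.c2-placeholder.test TXT
2020-05-01T10:00:04Z 10.0.0.7 bcdefghijklmnopqrstuvwxyz234567a.c2-placeholder.test TXT
2020-05-01T10:00:05Z 10.0.0.7 cdefghijklmnopqrstuvwxyz234567ab.c2-placeholder.test TXT
2020-05-01T10:00:06Z 10.0.0.7 defghijklmnopqrstuvwxyz234567abc.c2-placeholder.test TXT
2020-05-01T10:00:07Z 10.0.0.5 cdn.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; base32/base64 payload labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def registered_domain(qname):
    """Last two labels. Assumption: a real deployment would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def is_suspicious_qname(qname, min_label_len=30, min_entropy=3.5):
    """True when some subdomain label is both long and high-entropy: the shape of encoded data."""
    labels = qname.split(".")[:-2]  # leave out the registered domain itself
    return any(len(lbl) >= min_label_len and shannon_entropy(lbl) >= min_entropy
               for lbl in labels)


def find_tunnels(log_text, min_queries=3):
    """Count suspicious queries per (client, registered domain); return pairs over the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_qname(rec["qname"]):
            counts[(rec["client"], registered_domain(rec["qname"]))] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for (client, domain), n in find_tunnels(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {client} sent {n} encoded queries to {domain}")
```

Thresholds need tuning per environment: CDN and anti-spam lookups legitimately produce long hashed labels, so the per-client, per-domain count is the signal, not any single query.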

Other developments 

  • In August 2020, the FBI issued a security alert about the hacking group known as 'Fox Kitten' attacking potentially vulnerable F5 network devices. The hackers' aim was to attack private-sector and U.S. government organizations. 
  • In July 2020, the threat actor Charming Kitten made a comeback with a cyberespionage campaign that used WhatsApp and LinkedIn to impersonate Persian-speaking journalists. The targets included the U.S. government and Israeli scholars at Tel Aviv and Haifa universities. 
  • In June 2020, an amateur hacking group from Iran attacked Asian companies using 'Dharma' ransomware. 

According to intelligence reports, the hackers used widely available hacking tools to target companies in China, Russia, Japan, and India. Since July 2020, the threat actor Fox Kitten has also been known for offering access to small corporate networks on hacking forums. According to experts, the group is simply trying to generate revenue through other channels, monetizing systems that have no intelligence value but bring money to Iran.

A City In Colorado Attacked, Forced to Pay $45,000 Ransom


The city of Lafayette, Colorado, had to pay a ransom of $45,000 to decrypt files that were encrypted in July, as the City was unable to restore the data from backups. The town was attacked on 27 July, and the ransomware attack affected residents' phones, email, and payment services. During the attack, the City offered no explanation of what had caused the problems; it asked residents to call 911 or emergency services if the outage caused them trouble. A few days after the incident, Lafayette informed citizens that the town had suffered a cyberattack: the hackers had encrypted all of its systems, which caused the outage.


The City managed to recover the lost financial data, but only by paying the $45,000 ransom to the anonymous hackers, who provided decryption software in return for the payment. The town's official website says, "system servers and computers are currently being cared for and rebuilt. Once complete, data will be restored to the system, and operations will resume. No permanent damage to hardware has been identified. While core City operations continue, online payment systems have not resumed. At this time, the City is unable to estimate a timeline that all systems will be back up and running."

Mayor Harkens decided not to reveal the attackers' identity to the public, as it might compromise the negotiation terms. According to reports, neither user data nor credit card details were stolen. The mayor has advised residents to stay alert for any suspicious activity in their accounts.

Lafayette may count itself lucky that the hackers demanded a relatively small ransom; according to experts, in cases like this the demand can run from hundreds of thousands to millions of dollars.

Israeli Security Company NSO Pretends to Be Facebook


According to several reports, the Israeli security company known as the “NSO Group” impersonated Facebook to get targets to install its “phone-hacking software”.

According to sources, a lookalike Facebook domain was set up to distribute NSO’s “Pegasus” spyware, and servers inside the USA were allegedly used to spread it.

Once installed, reports say, Pegasus can access text messages, the device microphone and camera, and other user data on the device, as well as track its GPS location.

NSO has denied this, but it remains in a legal standoff with Facebook, which contends that NSO deliberately distributed its software through WhatsApp, leading to the compromise of countless devices. Sources also allege that NSO supplied the software to the government of Saudi Arabia, which used it to spy on journalist Jamal Khashoggi before his killing.

Facebook also claimed that NSO itself operated the spyware; NSO asked the court to dismiss the case, insisting that sovereign governments are the ones who use it.

According to sources, a former NSO employee allegedly provided details of a server built to spread the spyware by tricking targets into clicking on links. The server was associated with numerous internet addresses, including the one that impersonated Facebook’s, which Facebook eventually had to buy to stop its abuse.

Reports say that other such domains imitated FedEx package tracking links and email unsubscribe links.

NSO still maintains that it never uses the software itself; in fact, sources say, it is proud of its contribution to fighting crime and terrorism.

Security researchers say it is almost impossible for one of the servers that helped distribute the software to have been located within the borders of the USA. Reports also mention that NSO maintains its products cannot be used to conduct cyber-surveillance within the United States of America.

Facebook still holds that NSO is to blame for the cyber-attacks, and NSO maintains that it does not use its own software.

BEC Scams Cost American Companies Billions!


Business Email Compromise (BEC) scams have hit several US companies and caused losses running into billions of dollars, according to a warning from the Federal Bureau of Investigation.

According to sources, BECs are “sophisticated scams” targeting businesses that make electronic payments, including “wire transfers or automated clearing house transfers”. Typically, the scammer gains access to a legitimate business email account through computer intrusion.

Once access has been obtained, the scammer uses the email account to obtain funds fraudulently, sending suppliers emails loaded with invoices that carry modified bank account details.

The targets are mostly organizations that use cloud-based email services, which makes BEC scams easier to carry out.

According to the FBI, specially built “phish kits” that impersonate cloud-based email services are used to launch these scams, compromising business accounts to request or misdirect funds.

Sources mention that the Internet Crime Complaint Center (IC3) has received numerous complaints over the past few years from companies reporting “actual losses” totaling a couple of billion dollars as a result of BEC scams.

The IC3 turned its attention to BEC scams once their number began to multiply rapidly across all US states.

The problem allegedly lies in the configuration of cloud-based services, which can make it almost effortless for cybercriminals to exploit company email accounts.

Most cloud-based services do come with security features intended to block BEC attempts, but their effectiveness depends on customers actually using them: most of these features must be enabled and configured manually.

According to sources, what makes these scams dangerous is that any organization, large or small, with limited IT resources is vulnerable.

Besides controlling the email accounts, the scammers usually also harvest the address books of compromised accounts to build a list of further targets. Hence one bad apple can spoil the whole basket: a single compromised organization can have ramifications across its entire industry.
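As an added example (not from the original post, the FBI or the IC3), here is a Python check of the kind an accounts-payable team can run on an invoice received by email before paying it. It models the scenario described above: a genuine supplier mailbox has been taken over, the invoice carries changed bank details, and replies are steered to a lookalike domain. The vendor record, the two messages, the domain `acme-supplies.example` and the account strings are constructed for the example; the edit-distance threshold of 2 for lookalike domains is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master record. Assumption: finance keeps the bank details agreed
# with each supplier in a system of record, keyed by the supplier's email domain.
VENDOR_MASTER = {
    "acme-supplies.example": {"name": "Acme Supplies", "account": "ACCT-000111"},
}

# Matches "Account: ACCT-000111", "account no: ...", "Account # ..." in a message body.
ACCOUNT_RE = re.compile(r"account(?:\s*(?:no|number))?\s*[:#]\s*([A-Z0-9-]+)", re.IGNORECASE)

# Constructed messages (not real mail). The second models the post's scenario: the
# supplier's own mailbox sends the invoice, the bank account has changed, and the
# Reply-To points at a lookalike domain ("l" replaced by "1") the attacker controls.
CLEAN_INVOICE = """\
From: Acme Supplies <billing@acme-supplies.example>
To: ap@victim.example
Subject: Invoice 1042

Please pay invoice 1042 (USD 12,400). Account: ACCT-000111. Thanks.
"""

TAMPERED_INVOICE = """\
From: Acme Supplies <billing@acme-supplies.example>
Reply-To: Acme Supplies <billing@acme-supp1ies.example>
To: ap@victim.example
Subject: Invoice 1042 - updated bank details

Please note our new bank. Account: ACCT-999222. Pay invoice 1042 today.
"""


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (a swapped, dropped or added character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, known_domains, max_distance=2):
    """Return the registered vendor domain that `domain` imitates, or None."""
    for known in known_domains:
        if domain != known and levenshtein(domain, known) <= max_distance:
            return known
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def review_invoice(raw_message):
    """Return the reasons to hold this payment; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    reasons = []

    vendor = VENDOR_MASTER.get(sender_domain)
    if vendor is None:
        imitated = lookalike_domain(sender_domain, VENDOR_MASTER)
        if imitated:
            reasons.append(f"sender domain {sender_domain} looks like vendor domain {imitated}")
            vendor = VENDOR_MASTER[imitated]
        else:
            reasons.append(f"sender domain {sender_domain} is not a registered vendor")

    reply_domain = domain_of(reply_to)
    if reply_to and reply_domain != sender_domain:
        note = f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}"
        if lookalike_domain(reply_domain, VENDOR_MASTER):
            note += " (lookalike of a vendor domain)"
        reasons.append(note)

    match = ACCOUNT_RE.search(msg.get_payload())
    if vendor and match and match.group(1).upper() != vendor["account"]:
        reasons.append("bank account in invoice differs from vendor master; verify out of band before paying")
    return reasons


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_INVOICE), ("tampered", TAMPERED_INVOICE)):
        print(name, review_invoice(raw) or "no flags")
```

The changed-bank-details flag is the one that matters most: a compromised mailbox passes every sender check, so the only reliable control is to confirm a change of payment details through a phone number already on file, never through the email that announced the change.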

Phishing Attack Alert! Los Angeles County Says No Harm Done!


A phishing attack on Los Angeles County last month was contained immediately, before any devices were compromised.

Staff discovered the attack last month and contained it at once, before much damage was done.

The hackers were apparently after the county’s residents' data.

According to sources, it began when Los Angeles County received a phishing email. The malicious campaign was aimed at stealing recipients’ personal data.

The hackers’ plan was to get recipients to click on the links or attachment in the email. The email reportedly came from a “third-party account”, and the third party's distribution list was allegedly leaked, so the message was sent to more than 25 county employees.

According to website sources, LA County is the most populated area in the US, with over 35,000 personal computers, 12,000+ cell phones and 800+ government network locations.

According to reports, the “Internal Services Department” supports the “Countywide Integrated Radio System”, which provides essential services during emergencies.

Many local governments, LA County among them, have faced attacks along the same lines. According to sources, in the Minnesota case, where a phishing attack targeted over 100 LA County employees, personal data including targets’ names, social security numbers, dates of birth, card details and other personal information was compromised.

The phishing attack could clearly have grown much larger had it not been for the prompt response of LA County employees and staff.

Given how many devices and networks could have been put at risk, this attack must be taken as a serious warning.

The county’s existing, well-established security controls also contributed greatly to averting the incident.

The county’s Chief Executive Officer reportedly took the incident as a warning and said the county would work steadfastly to improve and strengthen its security provisions.

The county is still investigating the incident with the help of a few private parties.

State of Texas Hit By a Ransomware Attack; 23 Agencies Shut Down!





The state of Texas was recently hit by a cyber-attack that took 23 government agencies offline.

According to the Texas Department of Information Resources (DIR), most of the affected parties were small local government agencies, which have not been named so far.

Texas state networks, however, remain unharmed. The State Operations Center has been working intensively on the problem.

Sources say that all the state and federal agencies handling the case indicate that the attack was coordinated by a single actor.

The attack has been categorized as a ransomware attack; according to sources, the strain involved was identified as “Nemucod”.

The ransomware generally “encrypts files and then at the end adds the .JSE extension”, a researcher said.

The US has reportedly been the target of many cyber-attacks of late. With an apparent 53% of the global total, the US is the most victimized country.

A state of emergency was declared in Louisiana in July this year in response to a ransomware attack on school computer systems.

From a cybersecurity standpoint the situation is critical, as municipalities falling prey to such attacks, and to ransomware in particular, is not a good sign at all.

Large-scale attacks and their rising number are disconcerting on many levels, because, as researchers like to point out, threat actors willing to put in this much effort are numerous.