
Driver's License Exploitation Scams Surge


The Covid epidemic has provided a ripe opportunity for cybercriminals, who are exploiting information found online about targeted individuals' outdated driver's licenses.

According to Stateline, the "phishing" scams exploit the fact that several nations issued emergency declarations permitting driver's licenses to remain valid beyond their expiry dates. As those extensions expire, drivers must now make sure their licenses are renewed, and scammers are taking full advantage of that shift, according to Stateline.

In conventional phishing, cybercriminals send malicious links or attachments via email, and victims inadvertently click on them. When fraudsters use text messages instead, the technique is known as "SMS phishing" or "smishing."

According to state motor vehicle agencies, driver's license phishing frauds, which attempt to steal individuals' identities and personal information, have already been sprouting up across the United States. Iowa, Minnesota, Ohio, Vermont, and Wyoming are among the states in which the frauds have been detected so far.

Scam artists send out SMS or emails falsely claiming that the target's license needs an urgent update because some information is missing, or that it is about to expire and will be invalid within a few days. When a person clicks the hyperlink, a Google Form requesting personally identifiable information such as a Social Security number and birth date often opens.

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

A large number of people in Illinois, according to Druker, received texts and emails from fraudsters posing as the secretary of state or as employees of the state transportation department. Druker added that he did not know whether anyone had fallen for the ruses.

Upon learning of the phishing and smishing attempts, Illinois officials notified the FBI and IRS, which collaborated with Google to remove the bogus webpages. According to Druker, the authorities have discovered 1,035 sites so far, and Google has taken down nearly 900 of them.

According to a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now using door-to-door visits, along with telemarketing calls, text messages, and social networking sites, to conduct COVID-19-related frauds.

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

DHS Called On Hackers to Join Government During Black Hat Speech

Department of Homeland Security Secretary Alejandro Mayorkas, speaking at the Black Hat conference, encouraged participants to come forward and share their creativity, ideas, and boldness with government agencies in defining a future for cybersecurity policy that has not yet been mapped.

“We need your creativity, your ideas, your boldness, and your willingness to push limits. We need you to help us navigate a path that has not yet been mapped,” Mayorkas said. “What’s at stake here is nothing less than the future of the internet, the future of our economic and national security, and the future of our country.” 

Mayorkas introduced an upcoming program named the Cyber Talent Management System, which will redefine hiring requirements for cybersecurity roles in government agencies and adjust pay to the current workforce environment. He encouraged participants to "lead the charge on the inside" by joining the Cybersecurity and Infrastructure Security Agency and DHS.

“This initiative…will give us more flexibility to hire the very best cyber talent and ensure we can compete more effectively with the private sector,” he said. 

Under the Biden administration, hiring is a major focus of DHS. The agency is currently trying to fill a number of open cybersecurity jobs and to recruit more diverse cybersecurity talent.

Mayorkas also acknowledged that young talent is not currently interested in working for the federal government. However, security specialists have an opportunity to "bridge the gap between the hacker community and the federal government" by collaborating with the agency, he added. He concluded his speech by comparing the current state of cybersecurity with the mid-18th-century struggle between Britain, China, and Russia.

“We are competing for the future of cyberspace – one in which friends gather, colleagues communicate, businesses sell, consumers buy, dissidents organize, horrific crimes occur, governments hear from their citizens, and information is widely and quickly disseminated,” he said.

Evidence Indicates Russia's SVR is Still Using 'WellMess' Malware, Despite US Warnings


President Joe Biden's appeal to Vladimir Putin to crack down on cyberattacks emanating from within Russia appears to have failed to persuade the Kremlin to stop them.

In a report published Friday, RiskIQ stated that it discovered still-active hacking infrastructure that Western governments linked last summer to APT29, or Cozy Bear, a group associated with Russia's SVR intelligence agency, which used it to obtain Covid-19 research data.

The malware, also known as WellMess or WellMail, led to official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged companies to fix five known vulnerabilities that the SVR had exploited, according to US officials. 

RiskIQ said it detected three dozen command-and-control servers serving WellMess that were under APT29 control. The firm focused on that infrastructure following a US-Russia summit at which cyberattacks were discussed.

“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden's public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ's Team Atlas. 

Cozy Bear has not been openly accused of being involved in any recent ransomware operations, which were the focus of the White House's discussions with Russia. The organization has set itself apart by executing cyber-espionage against targets like the federal contractor SolarWinds and the Democratic National Committee. 

RiskIQ could not determine how Russian operators are now using the WellMess malware. The company stated, "Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are."

Biden has been urging Putin, both personally and in public statements, to stop malicious cyber activities originating from Russia, notably ransomware attacks believed to be conducted by criminal groups.

A phone call between the two men came after a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which has affected hundreds of people as a result of an incident at the software company Kaseya. 

"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told reporters about the call.

In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.

U.S. Department of Commerce Restricts Trade with 6 Russian Companies


The Department of Commerce has restricted trade with four Russian IT and cybersecurity companies and two additional entities, according to a document issued on Friday, July 16, because of suspicions that these corporations pose a threat to US national security.

On Friday, six Russian entities were added to the Department's Entity List, building on sanctions imposed by the Treasury Department in April on the grounds that these companies and other organizations are aligned with or support Russia's intelligence agencies.

Now that these organizations appear on the Entity List, the Department of Commerce will require them to obtain a special license to do business with US companies or to receive supplies and components from American companies.

The Russian organizations now on the list managed by the Commerce Department's Bureau of Industry and Security include:

  •  Aktsionernoe Obshchestvo Past: an IT company that reportedly conducted research and development for the country's Foreign Intelligence Service;
  •  Federal State Autonomous Institution Military Innovative Technopolis Era: a research center and technology park operated by the Russian Ministry of Defense;
  •  Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA): a state-owned institution believed to support malicious cyber activity;
  •  Aktsionernoe Obshchestvo AST;
  •  Aktsionernoe Obshchestvo Pozitiv Teknolodzhiz, or JSC Positive Technologies;
  •  Obshchestvo S Ogranichennoi Otvetstvennostyu Neobit.

According to the Commerce Department, IT companies such as AST, Positive Technologies, and Neobit have also worked with the Russian government.

In April, Treasury Department sanctions named Russian technology, security, and research companies reportedly engaged in cyber campaigns with the Russian Foreign Intelligence Service, often referred to as the SVR, as well as with other Russian agencies, including the GRU.

The Biden administration has sought to curtail Russian cyber activity while responding to frequent incidents, including this month's large-scale attack on Kaseya, a provider of remote management software, which the Russian-speaking REvil group is accused of carrying out.

“Treasury is leveraging…[its] authority to impose costs on the Russian government for its unacceptable conduct, including by limiting Russia’s ability to finance its activities and by targeting Russia’s malicious and disruptive cyber capabilities," Treasury Secretary Janet L. Yellen said at the time. 

The department also noted: "The Russian Intelligence Services have executed some of the most dangerous and disruptive cyberattacks in recent history," including the 2020 SolarWinds incident, a supply chain attack that ultimately affected several U.S. agencies. 

The Treasury Department has also faulted the Kremlin for election interference, for the poisoning of Kremlin opponent Aleksei Navalny, and for stealing "red team tools", software used to simulate cyberattacks, from a U.S. security firm, among other recent actions. The Kremlin has denied these claims.

On Thursday, the State Department also announced that it will now offer rewards of up to $10 million for information concerning cyber threats to the country's critical infrastructure.

In addition, the Homeland Security Department and the Justice Department unveiled a website named 'StopRansomware', intended to be a primary platform bringing together ransomware-fighting tools from all government departments.

Further, Biden added that the U.S. government is prepared to take "any necessary action to defend its people and its critical infrastructure in the face" of ongoing cyberattacks.

Hackers Asking $70 Million in Ransom, Kaseya Confirmed


On Monday, the U.S. information technology company Kaseya reported that a new ransomware attack had targeted 800 to 1,500 businesses around the world. The Florida-based company's CEO, Fred Voccola, told the media that it is still difficult to gauge the impact of the attack because those targeted were mainly customers of Kaseya's customers.

Reportedly, the hackers gained access to internal files that gave them control over the system, allowing them to disable hundreds of businesses across five continents. Not all of those targeted were severely affected; they included dentists' offices and accountants. In some countries, however, the disruption was felt more acutely: in Sweden, hundreds of supermarkets had to close because their cash registers were inoperative, and in New Zealand, schools and kindergartens went offline.

The group of hackers that claimed responsibility for the breach is demanding a $70 million ransom to restore all of the businesses' stolen data.

The group has also shown a readiness to negotiate in direct conversations with a cybersecurity expert and with Reuters. "We are always ready to negotiate," a representative of the hackers told Reuters earlier on Monday. The spokesperson, who communicated via a chat interface on the hackers' website, did not disclose their name.

When Voccola was asked about negotiations, he refused to say anything. "I can't comment 'yes,' 'no,' or 'maybe'," he said when asked whether his company would talk to or pay the hackers. "No comment on anything to do with negotiating with terrorists in any way."

Kaseya Limited is an American software company that provides software for managing networks, systems, and information technology infrastructure. It also offers software tools to IT companies, and its network monitor is used to observe the performance of various types of network assets such as switches, firewalls, and routers.

After Ransomware Attack, AJG US Reports Data Breach


Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, has reported a cyberattack on the company's infrastructure. The company has begun mailing breach notifications to potentially impacted individuals. Notably, in September 2020 the company made headlines for a ransomware attack that crippled its systems.

"Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020, and September 26, 2020," AJG reported to the press. 

According to the latest figures, AJG is one of the largest insurance brokers in the world, with more than 33,300 employees and operations in 49 countries. AJG ranks 429th on the Fortune 500 list, and according to its website, the company provides insurance-related services in more than 150 countries.

The company has not given technical details of the breach, and it remains unclear whether customers' or employees' credentials were accessed or stolen. However, during the investigation the company found that sensitive information stored on its systems in various forms was breached during the attack, including usernames, passwords, Social Security numbers or tax identification numbers, dates of birth, passport details, driver's licenses, employee identification numbers, credit card information, medical records, electronic signatures, claim, diagnosis, and health insurance information, and biometric information.

Following the incident, the company notified data regulatory authorities and all affected people (7,376, according to the information provided to the Office of the Maine Attorney General) as required by law. The company has also recommended that affected individuals monitor their bank and credit card accounts for any fraud.

“While Gallagher is not aware of any attempted or actual misuse of the impacted information, Gallagher is providing access to credit monitoring services for twenty-four months through Kroll to individuals whose personal information was affected by this incident, at no cost to these individuals,” AJG added.

United States Tops ITU's Global Cyber Security Index


The United Nations International Telecommunication Union (ITU) released its 2020 Global Cyber Security Index on 29 June 2021, ranking the United States first overall, with the United Kingdom and Saudi Arabia tied for second place.

The index rates countries using 82 questions prepared by a team of experts. ITU members are asked to nominate individuals to take part in the procedure, and the organization performs desk research on nations that decline to participate. The members of the ITU are then scored on a scale of one to one hundred.

In essence, the higher the score, the more dedicated the country is to cybersecurity defense; the index is thus a measure of a country's commitment to computer security. The report opens with a piece of positive news: the 2020 index's median score is 9.5 percent higher than in the 2018 edition.

Smaller countries fared well, and there were some notable improvements. Estonia, for instance, came in third place. South Korea, Singapore, and Spain tied for fourth place, while Russia, the United Arab Emirates, and Malaysia shared fifth. Lithuania, Japan, Canada, France, and India made it into the top ten, with India moving from 47th to tenth place.

Another promising result from the Index is that the number of nations that have established a national computer incident response team (CIRT) has increased by 11% since 2018, meaning that nearly half of ITU members now have a CIRT or CERT.

Sixty-four percent have established a national cybersecurity strategy (NCS), up from 58 percent last year, and 70 percent ran cybersecurity awareness campaigns in 2020, up from 66 percent last year.

Thirty-eight nations received a score of 90% or above. According to the Index, sector-specific training programs are also needed in several areas.

Despite a predicted global shortfall of half a million cybersecurity specialists by 2021, the report claims that nations are failing to establish sector-specific training. Over half of those surveyed do not have programs customized to specific sectors or professions, such as law enforcement, legal actors, SMEs, private firms, or government employees. 

Indices ranking national cybersecurity are like buses: none for a long time, then two at once — the International Institute for Strategic Studies, a British think tank, presented its own assessment earlier this week, concluding that the United States is the sole cyber superpower.

Mercedes-Benz USA: Nearly 1,000 Customers’ Data Accessible Online


Mercedes-Benz USA stated on Thursday, June 24, that sensitive information on over 1,000 customers and prospective buyers had been inadvertently made accessible on a cloud storage platform.

On 11 June 2021, a vendor informed Mercedes-Benz that sensitive personal data on cloud storage belonging to fewer than 1,000 Mercedes-Benz customers and interested buyers had mistakenly been made accessible. This was confirmed in consultation with the vendor as part of an ongoing investigation. The problem was discovered through the efforts of an external security researcher.

The company believes the information was entered by customers and interested buyers on Mercedes-Benz websites between 1 January 2014 and 19 June 2017. No Mercedes-Benz system was compromised as a result of this event, and there is currently no indication that any Mercedes-Benz data has been misused.

For MBUSA, data security is a priority. The vendor stated that the problem has been fixed and that such an event cannot recur. The company will continue its investigation to ensure that the matter is addressed properly.

The company says that the exposed personal information largely consists of self-reported credit scores and a limited number of driver's license numbers, Social Security numbers, credit card details, and birth dates. Viewing the information requires knowledge of special software applications and tools; none of the information in these files would be returned by an Internet search.

The investigation was launched to analyze the accessibility of around 1.6 million unique records. The overwhelming bulk of those records contained names, addresses, emails, telephone numbers, and some vehicle details. MBUSA stresses, however, that analysis of the overall record set found that additional personal information was publicly accessible for fewer than 1,000 Mercedes-Benz customers and interested buyers.

Mercedes-Benz, also branded as Mercedes, is both a German car brand and, since late 2019, a subsidiary of Daimler AG as Mercedes-Benz AG. Mercedes-Benz is renowned for its luxury and commercial vehicle production and is headquartered in Stuttgart, Baden-Württemberg.

Mercedes-Benz USA has already begun notifying affected individuals of the incident and will provide them with additional information.

Navistar International Corporation Hit by Cyberattack

Navistar International Corporation, a US maker of trucks and military vehicles, confirmed that it was recently hit by a cyberattack that resulted in data theft. In a Form 8-K filing with the Securities and Exchange Commission (SEC) this Monday, the company said it became aware of an attack on its IT systems on May 20, 2021. Navistar took immediate action to limit the impact of the cyberattack and launched an investigation with various cybersecurity and forensic agencies. Following the attack, Navistar has strengthened its cybersecurity infrastructure and data protection, and says all of its systems are fully functional.

On May 31, the company received a message claiming that it had been hit by a cyberattack and that some data had been stolen. The company is still investigating and assessing the impact of the attack and has already called on law enforcement agencies for help. Navistar did not disclose any technical details about the attack, but it is possible that it was a ransomware attack, given the recent rise of ransomware incidents in the US in which major organizations were attacked and crucial data was stolen. Navistar was established in 1986 and makes trucks, diesel engines, and buses.

In addition, the Navistar Defense subsidiary makes military vehicles. After the attack that forced Colonial Pipeline to shut down its operations and distribution systems at the start of May, JBS USA, the US subsidiary of the world's largest meat processing company, also recently announced that it had shut down its plants in America and Australia. Steamship Authority, the largest ferry service from Cape Cod to the Massachusetts islands of Martha's Vineyard and Nantucket, was recently hit by a similar cyberattack.

At the start of this year, Molson Coors Beverage Company was also hit by a ransomware attack. "White House this week urged corporate executives and business leaders to take the appropriate measures to protect their organizations against ransomware attacks. The memo, signed by Anne Neuberger, deputy national security advisor for cyber and emerging technology, mentions the recent increase in the number of ransomware incidents, as well as the Biden administration's response to such attacks targeting government and private sector organizations," reports Security Wee

DOJ Charges Latvian National for Helping Develop the Trickbot Malware


The US Department of Justice has charged a Latvian woman for her alleged role in developing the Trickbot malware, which infected millions of computers and targeted schools, hospitals, public utilities, and governments.

After being arrested on February 6 in Miami, Florida, Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment. 

The DOJ said in a press release that Witte wrote the code the Trickbot malware used to control, launch, and manage ransomware payments. Witte is also said to have provided the Trickbot Group with the code required to track and monitor authorized malware users, as well as the tools and protocols needed to store login credentials harvested from victims' networks.

The case was investigated by the FBI's Cleveland Office and the Department of Justice's Ransomware and Digital Extortion Task Force, which was formed to combat the rising number of ransomware and digital extortion attacks.

FBI special agent Eric B. Smith said in a statement, "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems."

Trickbot is a malware variant that was first discovered in October 2016 as a modular banking trojan and has subsequently been updated with new modules and capabilities. 

Microsoft and several partners reported on October 12 that they had taken down certain Trickbot C2 servers. Before the presidential election, US Cyber Command also reportedly tried to disrupt the botnet by sending infected devices a configuration file that cut them off from the botnet's C2 servers. Despite these concerted attacks on TrickBot's infrastructure, the TrickBot gang's botnet remains alive, and new malware builds continue to be released.

The TrickBot gang is renowned for spreading the ransomware Ryuk and Conti onto the networks of valuable business targets. According to Deputy Attorney General Lisa O. Monaco, Trickbot penetrated millions of victim computers throughout the world, harvesting banking information and delivering ransomware. 

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

Metropolitan Transportation Authority Systems Hacked


An MTA document outlining the breach stated that in April a hacker group with links to the Chinese government breached the computer systems of the Metropolitan Transportation Authority, exposing vulnerabilities in a large transit network that carries millions of people every day.

Transit officials also said that the hackers did not gain access to systems that could jeopardize the operation of train cars or rider safety, stressing that the intruders caused minimal harm, if any.

Transit authorities said that a forensic assessment of the attack has so far uncovered no evidence that the attackers accessed customers' personal information. The agency reported the incident to the police and other government authorities but did not announce it publicly.

According to transit authorities, the intrusion was the third, and perhaps the most significant, cyberattack on North America's largest transit network in recent times.

FireEye, a private cybersecurity company working with the federal government to investigate the intrusion, said that the attack did not involve financial demands and instead appears to be part of a recent wide-ranging series of intrusions by sophisticated hackers backed by the Chinese government.

The wider hacking campaign, discovered at the end of April, affected hundreds of organizations, including federal agencies, defense contractors, and banking institutions. The Chinese government routinely denies such hacking activity.

Researchers have different theories as to why the M.T.A. was chosen as a target of the campaign, but the actual reason remains unknown. One theory ties it to China's attempt to dominate the multibillion-dollar railway market, an effort to gain insight into the inner workings of a transport system that awards lucrative contracts.

Another view, held by some cybersecurity specialists, is that the attackers accessed the M.T.A. system by mistake and found nothing exceptional there.

The hackers made no changes to the agency's operational systems and did not collect any employee or customer data, such as credit card information. Notably, they did not compromise any M.T.A. accounts, transit authorities stated, citing a forensic audit of the attack by the leading cybersecurity firms IBM and Mandiant.

“The M.T.A.’s existing multi-layered security systems worked as designed, preventing the spread of the attack,” said Rafail Portnoy, the M.T.A.’s chief technology officer. “We continue to strengthen these comprehensive systems and remain vigilant as cyberattacks are a growing global threat.” 

The attacks against the M.T.A. also come amid increasing concerns about China Railway Rolling Stock Corporation, the world's largest producer of train cars.

As the threat from cyberattacks has grown and trade disputes between the US and China have intensified, the state-owned company's dominance has raised concerns among legislators, defense officials, and industry experts that crucial US transport infrastructure has been left vulnerable to cyberattacks.

In the second week of April, the M.T.A. systems appear to have been targeted on two days, and access persisted at least until the breach was reported on April 20. The hackers exploited a so-called "zero-day", a previously unknown software flaw for which no patch was available.

According to the M.T.A. document describing the breach, the hackers gained access to systems used by New York City Transit, which operates both the subway and the buses.

Mr. Portnoy said there was "no employee or customer information breached, no data loss, and no changes to our vital systems."

“Our response to the attack, coordinated and managed closely with State and Federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through M.T.A. systems,” he added.

Russian Hacking Group Nobelium Attacks 150 Organizations, Hacks Mails

Nobelium, the Russian hacking group responsible for the 2020 SolarWinds cyberattacks, is back. This time, it abused Constant Contact, a cloud marketing service, in a phishing attack that compromised 3,000 email accounts across 150 organizations. Microsoft disclosed the latest attack in a blog post titled "Another Nobelium Cyberattack", which warned that the group aims to break into trusted technology providers in order to attack their customers.

This time, Nobelium did not use the SolarWinds network monitoring tool for the attack but instead gained access to the Constant Contact account of USAID (the United States Agency for International Development). Tom Burt, Microsoft's corporate vice president of customer security and trust, said, "Using the legitimate mass mailing service Constant Contact, Nobelium attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients."

After gaining access to USAID's Constant Contact account, Nobelium distributed authentic-looking phishing emails containing a link which, when opened, delivered a malicious file, "NativeZone", used to install a backdoor. The backdoor could enable a range of activities, including data theft and compromise of other computers on the network. Constant Contact said it was aware of an account breach affecting one of its customers, that it was an isolated incident, and that it had deactivated all affected accounts while working with law enforcement agencies. Microsoft says that most of the attacks targeting customers were blocked automatically by Windows Defender, which also blocked the malware used in the attack.

"We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC) team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," said Burt.

World’s Biggest Meat Supplier JBS Suffered a Cyber Attack


An advanced cyber attack was carried out at the largest meat processing enterprise in the world. 

JBS, the largest beef supplier in the world, stated that its systems came back online late on Tuesday, following a severe cyberattack that took down some of its operations in the United States and Australia. 

The attack affected servers in North America and Australia that support its IT systems, the company said in a press release. 

"The company is not aware of any evidence at this time that any customer, supplier, or employee data has been compromised or misused as a result of the situation," JBS said. "Resolution of the incident will take time, which may delay certain transactions with customers and suppliers." 

JBS USA, the food giant, is part of JBS Foods. According to its website, it operates in 15 countries and has customers in around 100 nations. Pilgrim's, Great Southern, and Aberdeen Black are among its brands. JBS said it is working with an incident response firm to restore its systems as quickly as possible. 

During a press conference on Tuesday, the White House acknowledged the attack. Principal Deputy Press Secretary Karine Jean-Pierre told reporters that JBS had been the victim of a ransomware attack "from a criminal organization likely based in Russia." The White House confirmed that the FBI is investigating the attack. 

President Biden has also directed his administration to assess the attack's impact on the country's beef supply and how that impact might be mitigated. 

According to union officials, JBS stopped slaughtering cattle at every U.S. plant on Tuesday. The incident had brought Australian operations to a halt on Monday. JBS controls approximately 20% of US cattle slaughter capacity, with its North American operations based in Greeley, Colorado. 

Australia's Agriculture, Drought, and Emergency Management Minister David Littleproud tweeted about the JBS cyberattack on Tuesday, stating that the company is working closely with law enforcement authorities in Australia and abroad to bring operations back online and "to bring those responsible to account." 

The attack came a few weeks after a cyberattack that forced a six-day shutdown of one of the largest fuel pipelines in the United States, Colonial Pipeline. The pipeline has since returned to normal operation. 

"If the Colonial Pipeline cyberattack didn't impact enough consumers to spur response by the international community, the JBS meat supplier incident likely will," Meg King, the director of the science and technology innovation program at The Wilson Center, told CNN Business. "Now is the time for a global agreement to break the business model of ransomware," she added. 

"The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Jean-Pierre said. 

The US government has previously advised firms not to pay ransomware attackers, since payments encourage further attacks.

Pipeline Shutdown Shows Need for Tougher Cybersecurity Laws


The six-day shutdown of a key 5,550-mile fuel pipeline earlier this month, the result of a malware attack, was a case study in everything that can go wrong when the private sector, which operates critical sections of American infrastructure, fails to prioritize cybersecurity, and the government lacks the resources to properly deter cyberattacks and manage the fallout. 

Colonial Pipeline's response to a recent hacker attack was fast and comprehensive. The private company turned off the supply of nearly half of the East Coast's oil, diesel, and jet fuel, which had never been done before. Long lines formed at gas stations from Washington, D.C., to Florida as a result of a combination of fuel shortages and panic buying. Stopovers were added to US air travel routes to enable planes to refuel in central and northern states. 

Colonial Pipeline was the victim of a ransomware attack by a group of Eastern European cybercriminals known as DarkSide, which extorted $4.4 million from the company as it rushed to regain control of its information management infrastructure and confirm that the attackers had not breached the pipeline's operational systems. The pipeline was eventually brought back online, and DarkSide ceased operations. However, the most serious harm had already been done: the incident demonstrated how easily a large portion of American infrastructure could be brought to a halt by a cyberattack no more sophisticated than pickpocketing. 

President Biden responded by signing an executive order that provides incentives for IT service providers to share data about cybersecurity vulnerabilities and breaches with the government. The order also establishes a cybersecurity safety review board with a remit similar to that of the National Transportation Safety Board, which investigates airline and railroad accidents and makes safety recommendations. 

Congress should go further and impose mandatory reporting rules requiring private sector companies in charge of sections of the nation's vital infrastructure to report attempted and actual breaches, so that government and industry can respond more quickly to limit the consequences. A bill of this kind has been discussed in Congress for more than a decade but has yet to become law. 

Senator Angus King, who is co-chair of the Cyberspace Solarium Commission, established by Congress to bolster US cybersecurity protections, stated in an interview, “We need to build a structure that facilitates and supports open communication and trust, between this critically important infrastructure and the government in order for the government to be able to help.” 

Because of the vast number of phishing and other low-level intrusion attempts they face, private sector companies are sometimes unwilling to disclose sensitive details about cybersecurity vulnerabilities or risks for fear of civil liability. The carrots that accompany the stick of a mandatory reporting requirement, according to King, will be liability protections and a careful, narrow definition of what counts as a reportable incident. 

Much more needs to be done to secure the country's vital infrastructure: putting more structured federal oversight in place of the current multi-agency approach, which can be cumbersome, redundant, and slow; holding Russia responsible not just for its own cyber espionage but also for sheltering other cyber attackers within its borders; and tightening the federal government's own cybersecurity, which the SolarWinds hack last year showed to be vulnerable.

Irish Health System and 16 U.S. Health and Emergency Networks Hit by Conti Ransomware Gang


According to the Federal Bureau of Investigation, the same group of online extortionists responsible for last week's attack on the Irish health system has also targeted at least 16 medical and first-responder networks in the United States in the past year. The FBI said cybercriminals using the malicious software called 'Conti' have attacked law enforcement, emergency medical services, dispatch centers, and municipalities, according to a warning issued by the American Hospital Association on Thursday. 

The Conti ransomware appeared on the threat landscape in May 2020 and has links to other ransomware families. Conti has evolved quickly since its discovery and is known for how fast it encrypts files and spreads across a target network. Conti is a “double extortion” ransomware: in addition to encrypting data, it steals it and threatens to publish it. 

The FBI did not specify who was targeted in these attacks or whether ransoms were paid, only that these networks "are among more than 400 organizations worldwide victimized by Conti, with over 290 of them based in the United States." Recent ransom demands have been as high as $25 million, according to the warning. 

On Thursday, Ireland said experts were examining a decryption tool that had been posted online, which could help restore IT systems crippled by the major ransomware attack on the country's health service. The government stated that it had not paid any ransom and would not pay one in return for the alleged key. It did not respond to claims that the gang had threatened to release large amounts of patient data next week. 

This ransomware attack has prevented access to patient information, forced medical facilities to cancel appointments, and disrupted Covid-19 testing around the country for the past week. Ossian Smyth, Ireland's e-government minister, has described it as "perhaps the most serious cyber crime assault on the Irish state." 

The attackers who took down Ireland's healthcare system are said to be members of "Wizard Spider," a sophisticated Russia-based cybercrime group that has become more active in the past year. The group has threatened to release medical records unless Ireland pays $20 million.

Molson Coors "Cyberattack Incident" Could Cost Company $140 Million


Molson Coors, the US producer of popular beer brands such as Molson Canadian, Coors Light, Miller Lite, Carling, Blue Moon, and Coors Banquet, has disclosed severe impacts of a cyberattack on its business, including brewery operations, production, and shipments. 

The brewing giant stated that the cyberattack caused major disruption to its brewery operations and is expected to cost the company around $140 million. Officials added that while the company is working to restore normal operations, production and shipping have yet to return to normal levels. 

“Despite this progress led by the significant efforts of the Molson Coors team, along with the support of leading forensic information technology firms and other advisors, the Company has experienced and continues to experience some delays and disruptions in its business, including brewery operations, production, and shipments in the U.K., Canada, and the U.S.,” a March 26 statement reads. 

While the firm has not given a cause for what it is calling a "cybersecurity incident", the event comes amid a wave of malware and ransomware attacks affecting companies worldwide. Recent attacks have hit healthcare providers, the computer manufacturer Acer, the IoT provider Sierra Wireless, and various other large companies. 

The company stated that the attack will affect its first-quarter results and therefore its 2021 financial results as well, but it has not released specific figures on expected costs. It is expected to take time and effort before revenue returns to normal. 

According to the company, “the cybersecurity incident and the February winter storms in Texas will shift between 1.8 and 2.0 million hectoliters of production and shipments from the first quarter 2021 to the balance of the fiscal year 2021 and will also shift between $120 million to $140 million of underlying EBITDA from the first quarter 2021 to the balance of the fiscal year 2021.” 

The company has also yet to share technical details of the incident, but several experts speculate that it was a ransomware attack. 

“We notified law enforcement and are cooperating in their investigation. We also have notified and are working with all of our relevant insurance companies,” the company said in a statement.

FTC Busts $110m Charity Fraud Operation

The US Federal Trade Commission (FTC), together with agencies from 40 US states, has launched a major crackdown on a charity fraud operation that scammed victims out of more than $110 million. 

The federal regulator teamed up with 46 government agencies from 38 states and Washington DC, most of them state attorneys general, to shut down the sister companies Associated Community Services (ACS), Central Processing Services and Community Services Appeal, together with two fund-raising spin-offs run by ACS managers, The Dale Corporation and Directele.

The operation relied on illegal robocalls: around 1.3 billion misleading fundraising calls, which obtained donations from 67 million consumers. ACS and the related companies accused by the FTC and the state agencies have agreed to settle the charges. According to the FTC, in some cases the defendants kept around 90 percent of the money they received from donors.

The scam has been active since 2008, and its operators deliberately exploited sympathetic causes, such as breast cancer patients, homeless veterans, victims of house fires, and refugee children, to persuade victims to donate. 

According to the FTC, ACS and Directele were both charged with knowingly violating FTC rules, which prohibit robocalls to first-time donors and automated calls to prior donors. ACS was also charged with harassing donors: it called around 1.3 million people more than 10 times each in a single week and made 7.8 million calls to people twice within an hour. Around 500 victims were called 5,000 times or more, according to the FTC.

ACS stopped operating in 2019, having previously been the subject of 20 law enforcement actions, but two of the defendants are said to still run the scheme through Directele and The Dale Corporation. 

“Deceptive fundraising can be big business for scammers, especially when they use illegal robocalls,” said Daniel Kaufman, acting director of the FTC’s Bureau of Consumer Protection. “…The FTC and our state partners are prepared to hold fraudsters accountable when they target generous consumers with lies.”

U.S. Department of Justice Warns of Fake Unemployment Benefits Websites Stealing Data


The United States Department of Justice has warned the public about threat actors impersonating state workforce agencies (SWAs) in order to steal Americans’ sensitive credentials and other personal data. 

In a press release issued on 5 March, the department said it had received reports of the attacks, and that threat actors were setting up fake websites mimicking the genuine sites of state workforce agencies (SWAs). 

The purpose of the attack is to persuade users that they are applying for unemployment benefits on a legitimate platform, so that they submit their personal information and other sensitive credentials. Once the attackers have collected this personally identifiable data, they use it for their own ends, such as identity theft. To drive victims to the fake sites, the criminals send spam text messages and emails containing a link to the spoofed SWA website. 

“Unless from a known and verified source, consumers should never click on links in text messages or emails claiming to be from an SWA offering the opportunity to apply for unemployment insurance benefits,” said the department. 

The department added that anyone wishing to apply for unemployment benefits should go directly to an official SWA website. The roughly 10 million people in the US seeking unemployment benefits are advised to watch out for phishing attacks and not to take any communication they receive at face value. 

“Carefully examine any message purporting to be from a company and do not click on a link in an unsolicited email or text message. Remember that companies generally do not contact you to ask for your username or password,” said the department. 

Officials said that anyone unsure whether the sender of a message is genuine should contact the National Center for Disaster Fraud (NCDF) to report the communication, and must not rely on any contact information given in the suspicious message itself.
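The advice above boils down to "go directly to the official site, never through a link in an unsolicited message". A mail or SMS gateway can apply the same idea mechanically by comparing every host in a message against a list of official agency domains and flagging near matches. The following added example is not DOJ code; the official SWA domains and the sample message are constructed with reserved `.example` and `.test` names, and the homoglyph table and edit-distance threshold are assumptions chosen for illustration.

```python
"""Flag links whose host merely resembles an official SWA domain.

Added example (not code from the DOJ or any SWA). The allowlist, the
sample message and the thresholds below are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allowlist; a real gateway loads the agencies' actual domains.
OFFICIAL_SWA_DOMAINS = {"labor.state-a.example", "unemployment.state-b.example"}

# Common look-alike substitutions folded to a canonical form (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "-": ""})
MAX_EDIT_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def canonical(host: str) -> str:
    """Lower-case and fold homoglyphs so 'unemp1oyment' compares equal to 'unemployment'."""
    return host.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_host(host: str) -> tuple[str, str | None]:
    """Return (verdict, matched_official_domain).

    verdict is 'official' (exact or subdomain), 'lookalike' (resembles or
    embeds an official name) or 'unknown' (no relation to the allowlist).
    """
    host = host.lower().rstrip(".")
    for official in OFFICIAL_SWA_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official", official
    for official in OFFICIAL_SWA_DOMAINS:
        c_host, c_off = canonical(host), canonical(official)
        # Brand embedded in an unrelated registrable domain, e.g. official.name.attacker-site.test
        if c_off in c_host:
            return "lookalike", official
        if levenshtein(c_host, c_off) <= MAX_EDIT_DISTANCE:
            return "lookalike", official
    return "unknown", None


def scan_message(text: str) -> list[tuple[str, str, str | None]]:
    """Extract every URL host in the message and assess it."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            verdict, matched = assess_host(host)
            results.append((host, verdict, matched))
    return results


# Constructed sample message mixing a genuine link, two look-alikes and an unrelated site.
SAMPLE_MESSAGE = """Your unemployment claim needs verification today:
https://unemp1oyment.state-b.example.claims-portal.test/verify
Official portal: https://labor.state-a.example/claims
Alternate: https://labor-state-a.example/login
Unrelated: https://news.example.org/story
"""

if __name__ == "__main__":
    for host, verdict, matched in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:9} {host}" + (f"  (resembles {matched})" if matched else ""))
```

Hosts judged "lookalike" are the ones to hold or strip from the message; "unknown" hosts are simply unrelated to the allowlist and need other controls. The substring test catches the common trick of placing the whole official name in a subdomain of an attacker-controlled registrable domain, which a pure edit-distance check would miss.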

NSA and CISA Jointly Issued Guidance On Protective DNS Services

America’s chief security agencies, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), released a joint information sheet on Thursday describing the benefits of using a Protective Domain Name System (PDNS).

How a Protective Domain Name System (PDNS) works 

A PDNS service uses the existing Domain Name System (DNS) protocols and infrastructure to analyze DNS queries and mitigate threats. It leverages open-source feeds, such as those published by non-profit organizations, together with various governmental threat feeds to categorize domains and block queries to domains identified as malicious. 

According to the NSA and CISA, a PDNS provides threat prevention against network exploitation, including protection against phishing, malware distribution, domain generation algorithms, command and control, and content filtering. 

Additionally, a PDNS can log and retain suspicious queries and return a blocked response to malicious activity, such as ransomware that locks victim files, while letting organizations use the logged DNS data for investigation. 
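To make the mechanism concrete, here is a toy PDNS policy engine, written for this page rather than taken from the NSA/CISA sheet or from any listed provider. It classifies each query against a categorized threat feed (the categories named above: phishing, malware, command and control, content filtering), applies a simple entropy heuristic for domain-generation-algorithm names, answers blocked queries with a sinkhole address instead of the real record, and writes the audit log the sheet describes. The feed entries, query log lines, `.test` domains, thresholds and the sinkhole address are all constructed assumptions.

```python
"""Toy protective-DNS (PDNS) policy engine.

Added example, not code from NSA, CISA or any PDNS vendor. The threat feed,
the DNS query log and the thresholds are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Constructed threat feed: registrable domain -> category (hypothetical .test names).
THREAT_FEED = {
    "example-phish.test": "phishing",
    "malware-dist.test": "malware",
    "beacon-control.test": "command-and-control",
    "adult-content.test": "content-filter",
}

SINKHOLE = "0.0.0.0"      # answer returned in place of the real record (assumed)
DGA_MIN_LEN = 12          # heuristic thresholds chosen for this example
DGA_MIN_ENTROPY = 3.5


@dataclass
class Verdict:
    qname: str
    decision: str   # "allow" or "block"
    category: str   # feed category, "dga", or "clean"
    answer: str     # "resolve" (forward upstream) or the sinkhole address


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Last two labels. A real PDNS uses the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_like_dga(qname: str) -> bool:
    label = registrable_domain(qname).split(".")[0]
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def classify(qname: str) -> Verdict:
    """Feed match first, then the DGA heuristic, otherwise resolve normally."""
    domain = registrable_domain(qname)
    if domain in THREAT_FEED:
        return Verdict(qname, "block", THREAT_FEED[domain], SINKHOLE)
    if looks_like_dga(qname):
        return Verdict(qname, "block", "dga", SINKHOLE)
    return Verdict(qname, "allow", "clean", "resolve")


def process_log(lines: list[str]) -> tuple[list[Verdict], list[str]]:
    """Apply policy to 'timestamp client qname qtype' lines; return verdicts and audit log."""
    verdicts, audit = [], []
    for line in lines:
        ts, client, qname, qtype = line.split()
        v = classify(qname)
        verdicts.append(v)
        if v.decision == "block":
            audit.append(f"{ts} BLOCK client={client} qname={qname} qtype={qtype} category={v.category}")
    return verdicts, audit


# Constructed query log: one clean host, three feed hits, one DGA-looking name, one clean MX lookup.
QUERY_LOG = [
    "2021-03-04T10:01:02Z 10.0.0.5 www.example.com A",
    "2021-03-04T10:01:09Z 10.0.0.5 secure-login.example-phish.test A",
    "2021-03-04T10:02:31Z 10.0.0.7 update.malware-dist.test A",
    "2021-03-04T10:03:15Z 10.0.0.7 c2.beacon-control.test A",
    "2021-03-04T10:03:44Z 10.0.0.9 xk3jq9vz2lp7wm4nbt.net A",
    "2021-03-04T10:04:01Z 10.0.0.9 mail.example.org MX",
]

if __name__ == "__main__":
    verdicts, audit = process_log(QUERY_LOG)
    for v in verdicts:
        print(f"{v.decision:5} {v.category:20} {v.qname} -> {v.answer}")
    print("\n".join(audit))
```

The audit lines are what make a PDNS useful beyond blocking: a client that repeatedly queries DGA-looking or command-and-control domains is a strong lead for the incident responder, which is why the sheet stresses retaining the logs. The entropy heuristic is deliberately crude; production services combine it with newly-registered-domain data and reputation feeds, as the quotation from Vectra below notes, and still cannot stop an attacker whose infrastructure is not yet known.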

The information sheet lists providers, but the NSA and CISA explicitly state, “We, the federal agencies do not endorse one provider over another”. The six companies listed are BlueCat, Akamai, Cisco, EfficientIP, Nominet, and Neustar. 

How NSA and CISA made their recommendations 

The recommendations are based on lessons learned from an NSA PDNS pilot. The NSA partnered with the Defense Cyber Crime Center (DC3) to offer PDNS as a service to members of the defense industrial base. The pilot analyzed over 4 billion DNS queries from participating networks and successfully blocked millions of connections to domains identified as malicious. 

Oliver Tavakoli, chief technology officer at Vectra stated, “Like other preventive approaches, they are useful in protecting organizations from known bads, but ultimately fall short in blocking the early stages of a new attack or more sophisticated attacks...”

“...So it makes sense to implement PDNS to reduce the attack surface, however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections,” Tavakoli added. 

Ray Kelly, a principal security engineer at WhiteHat Security, added that “DNS exploitations are still incredibly rampant and require some attention because they are such an effective technique used by malicious actors”.

CompuCom MSP Hit By DarkSide Ransomware Cyberattack


CompuCom, a US managed service provider, has suffered a DarkSide ransomware attack. The attack has caused a service outage, and customers are disconnecting from the MSP's network to prevent the malware from spreading. 

CompuCom is an IT managed services provider (MSP) that supplies remote support to its customers, including hardware and software repair and various other technical services. 

CompuCom is owned by ODP Corporation (Office Depot/OfficeMax) and employs up to 8,000 people. 

Over the weekend, CompuCom suffered an outage that prevented clients from accessing the company's customer portal to open troubleshooting tickets. Visitors to the portal simply see the error message "An error occurred while processing your request." 

CompuCom told the press that it had begun informing its customers and warning them about the malware attack. However, the company has not told customers what type of attack occurred or whether it was ransomware. Several people speaking to the press described it as “a ransomware attack”, but officials had not confirmed this. 

When the press spoke with affected customers, it emerged that CompuCom had cut off some customers' access in order to contain the attack. One client said, “Some of us detached from CompuCom's VDIs (Virtual Desktop Infrastructure) to ensure their data was not affected by the attack”.

CompuCom issued a statement saying that the company had experienced a 'malware incident' and that there was no evidence of it spreading to customers' systems. 

"Certain CompuCom information technology systems have been affected by a malware incident which is affecting some of the services that we provide to certain customers. Our investigation is in its early stages and remains ongoing. We have no indication at this time that our customers' systems were directly impacted by the incident...”

“...As soon as we became aware of the situation, we immediately took steps to contain it and engaged leading cybersecurity experts to begin an investigation. We are also communicating with customers to provide updates about the situation and the actions we are taking. We are in the process of restoring customer services and internal operations as quickly and safely as possible,”

“...We regret the inconvenience caused by the interruption and appreciate the ongoing support of our customers," the CompuCom statement reads. 

Today, however, CompuCom customers shared a 'Customer FAQ Regarding Malware Incident' that gives more detailed information about the attack than the company's public statement. 

"Based on our expert's analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and acquired administrative credentials. These administrative credentials were then used to deploy the Darkside Ransomware," the CompuCom FAQ reads.