FBI and CISA Caution of APT Attack that Already Exfiltrated Data from Government Systems

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about Russian state-sponsored advanced persistent threats (APT) identified in various state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.

The interference of APT actors in US infrastructure seems to have increased in the past few weeks. Law enforcement agencies issued a similar advisory a couple of weeks ago, although of a more limited scope. Now there are more targets, and early reports say the hackers managed to exfiltrate some data as well.

The activity, coming from a Russian state-sponsored APT actor known under names such as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala, started in September 2020. The hackers targeted numerous state, local, tribal, and territorial (SLTT) governments and aviation networks, attempted intrusions at several SLTT organizations, and successfully compromised network infrastructure.

What really sets this attack apart is that, on October 1, the Russian-sponsored APT actor managed to exfiltrate data from two servers, although the agencies did not specify where the intrusion took place.

“The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data,” states the advisory.

“The FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.”

For now, it’s unclear whether the attackers have a clear target in mind or whether they are trying to compromise as many victims as possible in the hopes of getting something more important along the way. The fact that the intrusions occurred so close to the upcoming November 3 US elections also raises questions.

The agencies also published the indicators of compromise, along with possible mitigations.

FBI Warns Healthcare Sector of Increased Ransomware Activity Commanded by Ryuk Gang

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint advisory warning the healthcare sector of increased attacks by ransomware threat actors.

In the notice (AA20-302A) the feds claim they “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sector (HPH) to infect systems with Ryuk ransomware for financial gain.

“CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” the advisory states. “CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.”

Threat actors are said to be targeting the HPH sector with Trickbot malware leading to ransomware attacks, data theft, and the disruption of healthcare services, according to the notice. CISA and the FBI believe these targeted attacks will only be exacerbated by the current pandemic, “therefore, administrators will need to balance this risk when determining their cybersecurity investments.”

AA20-302A includes a bit of history behind the malware employed by threat actors, followed by a long list of technical details for administrators to use to better understand the hackers’ breach tactics, complete with indicators of compromise. Three full pages are entirely dedicated to a close inspection of the Ryuk ransomware.

CISA, FBI, and HHS encourage HPH organizations to maintain business continuity plans and to identify and address their security gaps, to help keep them functioning during cyberattacks or other emergencies. A list of mitigation steps is also provided to IT administrators in the healthcare industry, including network best practices, ransomware mitigation, and user awareness tips.

The FBI recites the don’t-pay mantra, saying: “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Healthcare organizations are instructed to keep regular, password-protected, offline backups of their data, and to have a recovery plan at hand.

COVID-19, Zoom and Bedroom Lewdness Make for Sly (S)extortion Tactic

Cybercriminals are getting creative during the Covid-19 social-distancing measures, taking advantage of popular video-conference tools such as Zoom to strengthen their pitch in a fresh sextortion scam.

Bitdefender Antispam Lab spotted a new cyber-extortion campaign that has seemingly spread across the globe over the past week. The campaign targeted a quarter-million recipients, mostly in the United States, starting October 20.

The subject line reads “Regarding Zoom Conference call,” to make sure you do not disregard the message.

“You have used Zoom recently, like most of us during these bad COVID times,” the scammers said. “And I have very unfortunate news for you.”

Indeed, many remote workers, students, teachers and families have used Zoom during the past year to connect, work or do business, creating a large pool of potential victims for the hoax.

“There was a zero day security vulnerability on Zoom app, that allowed me a full time access to your camera and some other metadata on your account,” the message continues. “I found a few interesting targets through random lookups. You were just unlucky to be on the list.”

The extortionist has clearly done his homework. Multiple zero-day vulnerabilities have been reported this year, including some that even allow a full takeover of devices. Moreover, the company which announced over “300 million daily Zoom meeting participants,” has been in the spotlight for quite some time, making headlines with topics ranging from Zoom-bombing in online classrooms to phishing campaigns to steal login credentials from users.

The extortionist then reveals his actions, building up to the crux of the entire message.

“After that, I did some creepy stuff and a few recordings, just for fun and to test a few things,” the scammer adds. “And as you can imagine in your worst dreams, this happened. I have made a recording, where you work on yourself.”

There is nothing unique in this extortionist’s methodology, except for his need to make up excuses for his deeds by blaming the “stupid virus.” He even apologizes and attempts to exploit your empathetic side by claiming he lost his job and is about to be evicted.

“Please dont blame me or yourself for this, I didn’t have any bad intentions,” he said. “I got very sick, lost my job, about to be evicted and have no money to survive. All of this because of the stupid virus. I’m sorry. I have no other choice.”

This extortionist gets additional creativity points by also mentioning the Jeffrey Toobin Zoom scandal, in which the top legal analyst from CNN unknowingly exposed himself in front of co-workers during a Zoom conference.

“I do not want you to be the next Jeffrey Toobin,” he adds. “I’m sure you don’t want to be embarrassed. And I dont want to make this video public so your friends and colleagues can see it.”

The deal is you have three days to pay $2,000 in bitcoin unless you want the “video” revealed to your close family and workplace. He says the amount is non-negotiable and promises to delete the sensitive file once payment is received in his bitcoin wallet.

You are advised not to contact police or reply to the message. “If you do something stupid, I will distribute the video,” he threatens.

Individuals are likely to respond to blackmail messages that threaten to expose sensitive information about them publicly, whether the claims are true or not. As such, cyber-extortion has gained more and more traction in recent years, siphoning millions of dollars from victims’ pockets.

However, it’s important not to panic as there is little chance the blackmailer could have spied or recorded you in reality. Cyber-extortionists usually send out threats at random, using large batches of email addresses from data breaches and leaks in the hopes of duping users.

If you are one of the unfortunate recipients, immediately delete the email, and report the extortion attempt to local authorities and email service providers.

World’s Largest Office Furniture Maker Hit with Ryuk Ransomware

The ransomware gang behind the recent attack on Sopra Steria is making new headlines this week, this time for an attack on the world’s top office furniture maker, Steelcase.

An unnamed source in infosec reportedly told Bleeping Computer last week to watch for confirmation that Steelcase had suffered a ransomware attack.

The group behind the hack was none other than the infamous Ryuk operatives known to infect companies with the BazarLoader and TrickBot trojans.

The company has confirmed the incident, without naming names, in a filing with the US Securities and Exchange Commission (SEC).

“On October 22, 2020, Steelcase Inc. (the “Company”) detected a cyberattack on its information technology systems,” the disclosure reads. “The Company promptly implemented a series of containment measures to address this situation including temporarily shutting down the affected systems and related operations.”

“The Company is actively engaged in restoring the affected systems and returning to normal levels of operations,” Steelcase adds. “At this time, the Company is not aware of any data loss from its systems or any other loss of assets as a result of this attack. Although cyberattacks can be unpredictable, the Company does not currently expect this incident will have a material impact on its business operations or its financial results.”

Not being aware of any data loss doesn’t equate to no data loss, so it’s not out of the question that Ryuk actors could claim responsibility for the hack and try to extort Steelcase by threatening to sell or publish their data.

Steelcase’s core business is the production of office furniture, and it is the largest player in that industry, with facilities and factories in the Americas, Europe, Asia, the Middle East, Australia and Africa. The company also churns out architectural and technology products for various work and academic environments, as well as for the healthcare and retail industries.

Donald Trump’s Campaign Website Seized by Hackers Running Cryptocurrency Scam

Donald Trump’s campaign website was hijacked by hackers who claimed to have evidence discrediting the president and proving his cooperation with foreign actors to manipulate the November elections.

“we have evidence that completely discredits mr trump as president. proving his criminal involvement and cooperation with foreign actors manipulating the 2020 elections,” the hackers wrote, in broken English.

On Tuesday, criminals seized and defaced DonaldJTrump.com, posting a message reading “this site was seized” alongside the logos of the Federal Bureau of Investigation and Department of Justice.

Before the website was taken down, visitors were greeted with a message vilifying the president and condemning what it called “fake news” spread by the Trump administration.

“the world has had enough of the fake-news spreaded daily by president Donald j trump. It is time to allow the world to know truth,” the message reads.

The hackers went on to claim they had compromised multiple devices belonging to Trump’s relatives, exposing classified information that supposedly proves the president’s cabinet is involved in the origin of COVID-19.

“multiple devices were compromised that gave full access to trump and relatives. most internal and secret conversations strictly classified information is exposed proving that the trump-gov is involved in the origin of the corona virus,” the attackers added.

The post continued with what seems to be a cryptocurrency scam that urges visitors to decide whether the stolen information should be made public or not. The hackers included two cryptocurrency wallet links associated with Monero and asked people to “vote.” Whichever wallet raised the most money would determine their next move.

Tim Murtaugh, Director of Communications for President Trump’s re-election campaign, has also confirmed the attack, stating that no data has been stolen.

“Earlier this evening, the Trump campaign website was defaced and we are working with law enforcement authorities to investigate the source of the attack. There was no exposure to sensitive data because none of it is actually stored on the site. The website has been restored,” Murtaugh tweeted.

Louisiana National Guard Called in to Deal with Cyberattacks, Report Claims

The state of Louisiana called in the National Guard to stop a few ransomware attacks affecting government offices, according to a Reuters report.

With less than a week until the US general elections on November 3, the state of Louisiana faces a serious ransomware problem directly affecting some government offices. The situation is serious enough that the National Guard was called in to deal with it.

Since the general elections are just a week away, the possibility that the events are somehow related can’t be dismissed. The local government officials are not saying anything about the current situation, and they won’t even confirm the little that’s already out there.

The Reuters report mentions that the infection occurred through a RAT (remote access trojan) that’s usually deployed through infected emails. The investigation revealed that parts of the trojan’s code belong to KimJongRat, a malware used by North Korean hackers. This particular piece of code is available on public repositories, so the link to North Korea is not clear.

Initial information also indicates that the infection was stopped in its tracks and that it didn’t affect many offices. Neither the state police, the governor nor the Louisiana National Guard wanted to comment on the situation, stating only that it’s an ongoing investigation.

At this point, it’s difficult to determine the true intentions of the attackers. Ransomware attacks are common, especially in the public sector, and the threat actors may be only looking for a ransom, with no connection to the elections.

Recently, US security officials issued a warning regarding the use of ransomware in attacks against the election system, which is why Louisiana officials have to treat the situation as if that were the case.

Personal Information of Google Employees Exposed in Data Breach at Immigration Law Firm

Immigration law firm Fragomen, Del Rey, Bernsen & Loewy has disclosed a data breach that compromised personally identifiable information of current and former Google employees.

In a notice filed with the California Attorney General’s Office, the New York-based law firm said an unauthorized individual accessed a file containing I-9 employment verification information on a “limited number” of Google employees.

“We recently became aware of suspicious activity within our computer network,” the notice reads. “While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you.”

The company did not say how many employees were affected or what type of information was accessed. However, Form I-9 is used to verify the identity and employment authorization of individuals working in the US, and can include an employee’s name, address, date of birth, email address, phone number, Social Security number, passport number and driver’s license data.

Since the information is highly sensitive, current and ex-employees could suffer attacks such as identity theft and fraud.

Although Fragomen said it will provide a free 12-month credit monitoring subscription to all affected Google employees, victims should also start checking their credit reports for fraud.

As with any data breach, it’s advisable to closely monitor inboxes for unsolicited correspondence, and to look out particularly for spear-phishing emails appearing to come from Fragomen, Google or the US government.

Amazon Fires Employee For Leaking Customer Data

  • Retail giant doesn’t disclose how many customers have been affected
  • Users should be on their guard against fraudulent and phishing emails

Multiple Amazon customers turned to social media to describe how they had received a notification from the online retail giant that their email addresses had been leaked to an unnamed third party.

Emails sent by Amazon to customers admit that a rogue employee unlawfully passed on users’ email addresses to a third party, violating the company’s rules.

Part of the email reads:

“We are writing to let you know that your e-mail address was disclosed by an Amazon employee to a third-party in violation of our policies. As a result, we have fired the employee, referred them to law enforcement, and are supporting law enforcement criminal prosecution.”

Amazon goes on to explain that no information beyond users’ email addresses was breached, and that it is not asking customers to take any actions in response.

Nonetheless, it’s understandable that Amazon customers who receive the warning might feel alarmed.

If a third-party gained access to some Amazon customers’ email addresses they could be used to send spam, or even to send potentially convincing phishing emails posing as Amazon in an attempt to steal passwords.

Furthermore, a report from Motherboard suggests that the security breach may actually be connected to more than one insider. A statement the website received from Amazon referred to the perpetrators in the plural:

“The individuals responsible for this incident have been fired. We have referred the bad actors to law enforcement and are supporting their criminal prosecution.”

Notably, Amazon has made no official statement indicating how many customer email addresses have been breached, which department the rogue employee or employees worked in, or where in the world they might reside.

Of course there are most likely a wide range of job roles within Amazon’s customer service department which might have valid access to customers’ email addresses – and perhaps other sensitive information – as they answer questions and resolve issues related to users’ accounts.

And that makes it all the more important for companies to take an uncompromising stance against workers who exploit their access to customer data by, for instance, selling it to a third party.

Amazon has proven itself willing to punish staff in the past when customer privacy has been violated.

For instance, at the beginning of 2020, the retailer told US senators that it had fired four employees who had accessed videos recorded by customers’ Ring doorbells.

One week later Amazon sent a similar email to that sent in recent days, revealing that it had fired a number of employees after customer email addresses as well as phone numbers were shared with an unnamed third-party without permission.

Sadly, there is little individuals can do to prevent a malicious insider from exploiting information that has been shared with an online retailer, but you can take steps to protect yourself from attack by being on guard for malicious emails pretending to come from a company.

Amazon’s customer service department advises customers to report fraudulent and scam emails they receive that pretend to come from Amazon by sending them – preferably as an attachment – to stop-spoofing@amazon.com.

Cybercrooks Hijack Nando’s Customer Accounts to Make Fraudulent Meal Purchases

Fans of the popular Nando’s UK eateries have fallen prey to a credential stuffing attack that drained hundreds of pounds sterling out of their bank accounts.

According to several UK media outlets, cybercriminals hijacked multiple customer accounts of the Peri-Peri chicken restaurant chain. They then changed the phone numbers associated with the accounts and placed large food orders.

While some orders do not exceed £60, one customer said she lost £670 in fraudulent meal purchases.

The restaurant chain has acknowledged the attack, saying its systems have not been compromised in any way.

“While our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called ‘credential-stuffing,’ whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” the company said.

According to one report, a group of young individuals placed two massive in-store orders after initially failing to use compromised accounts to finalize their purchase.

“My card was compromised and used in your Finsbury Park location in London, whereas I am in Leeds. It looks like my Nando’s account was compromised to make this payment/ charge. Can you help!?” one customer tweeted.

“Can you explain to me how my Nando’s account has been hacked? Currently in lockdown in Wales with my bank card in my hand … but apparently ordering a sit down meal in Croydon.. Little help?” another customer added.

With Covid-19 restrictions across the country, Nando’s diners must place their orders online or use a QR code and then fill in their payment details. However, most customers claimed that their payment details were not stored in their customer account.

The restaurant chain said it will reimburse victims and improve its ability to detect fraud and malicious activity.

“We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts,” Nando’s added. “We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologise to our customers who have been impacted by this.”
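The pattern described in this story (leaked email/password pairs replayed against another site, followed by a contact-detail change and fraudulent orders) is one that the service operator can spot in its own login logs. The following is an added, illustrative example written for this article; it is not Nando’s code and the events, IP addresses, account names and the KNOWN_IPS table are all constructed. It flags two things: source IPs that cycle through many distinct accounts in a short window (the stuffing signature), and accounts where a successful login from a never-seen IP is followed within minutes by a phone-number change.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample of authentication / account events (not real data).
# Fields: timestamp, event kind, account, source IP, detail.
SAMPLE_EVENTS = """\
2020-10-25T12:00:01 login_fail   alice@example.com 203.0.113.7  bad_password
2020-10-25T12:00:02 login_fail   bob@example.com   203.0.113.7  bad_password
2020-10-25T12:00:03 login_ok     carol@example.com 203.0.113.7  -
2020-10-25T12:00:04 login_fail   dave@example.com  203.0.113.7  bad_password
2020-10-25T12:00:05 login_ok     erin@example.com  203.0.113.7  -
2020-10-25T12:00:06 login_fail   frank@example.com 203.0.113.7  bad_password
2020-10-25T12:00:07 login_fail   grace@example.com 203.0.113.7  bad_password
2020-10-25T12:00:08 login_ok     heidi@example.com 203.0.113.7  -
2020-10-25T12:01:30 phone_change carol@example.com 203.0.113.7  +44-7700-900123
2020-10-25T12:02:10 order        carol@example.com 203.0.113.7  GBP670
2020-10-25T12:05:00 login_ok     alice@example.com 198.51.100.4 -
2020-10-25T12:06:00 order        alice@example.com 198.51.100.4 GBP18
2020-10-25T12:07:00 login_ok     heidi@example.com 203.0.113.7  -
2020-10-25T12:29:00 login_ok     bob@example.com   192.0.2.10   -
2020-10-25T12:30:00 phone_change bob@example.com   192.0.2.10   +44-7700-900999
"""

# Constructed per-account history of IPs seen before this log window.
# A real system would keep this in its user-profile store.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.4"},
    "bob@example.com": {"192.0.2.10"},
    "carol@example.com": {"198.51.100.77"},
    "erin@example.com": {"198.51.100.5"},
    "heidi@example.com": {"198.51.100.9"},
}


class Event(NamedTuple):
    ts: datetime
    kind: str
    account: str
    ip: str
    detail: str


def parse_events(text):
    """Parse the whitespace-separated event lines into time-sorted Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, ip, detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, account, ip, detail))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: peak distinct accounts} for IPs that attempted logins
    (successful or not) against >= min_accounts distinct accounts inside any
    sliding window of the given length. A human rarely tries that many
    different accounts; a credential-stuffing tool does."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind in ("login_ok", "login_fail"):
            by_ip[e.ip].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        peak = 0
        for i, start in enumerate(attempts):
            seen = set()
            for e in attempts[i:]:
                if e.ts - start.ts > window:
                    break
                seen.add(e.account)
            peak = max(peak, len(seen))
        if peak >= min_accounts:
            flagged[ip] = peak
    return flagged


def accounts_hit_from(events, flagged_ips):
    """Accounts that were successfully logged into from a flagged source IP;
    these are the ones to lock and force through a password reset."""
    return {e.account for e in events if e.kind == "login_ok" and e.ip in flagged_ips}


def find_takeover_patterns(events, known_ips, window=timedelta(minutes=30)):
    """Return [(account, login_ip, new_phone)] where a successful login from an
    IP never seen for that account is followed within `window` by a
    phone-number change: the exact sequence reported in the Nando's case."""
    hits = []
    for i, login in enumerate(events):
        if login.kind != "login_ok" or login.ip in known_ips.get(login.account, set()):
            continue
        for later in events[i + 1:]:
            if later.ts - login.ts > window:
                break
            if later.account == login.account and later.kind == "phone_change":
                hits.append((login.account, login.ip, later.detail))
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sources = find_stuffing_sources(evs)
    print("stuffing sources:", sources)
    print("accounts to lock and reset:", sorted(accounts_hit_from(evs, sources)))
    print("login from new IP followed by phone change:",
          find_takeover_patterns(evs, KNOWN_IPS))
```

The thresholds (five accounts in five minutes, a phone change within thirty minutes of a first-seen IP) are illustrative and would be tuned against real traffic; the point is that both signals are available to the service even when, as Nando’s said, its own systems were never breached, because the attack is visible only as anomalous use of valid credentials.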

‘Eris Loris’ Hacker Spammed Millions of ‘Among Us’ Games with Pro-Trump Messages, YouTube Channel Ads

Over the past three days, popular indie game Among Us has undergone a series of spam attacks affecting millions of online games.

The attack, dubbed “Eris Loris,” impacted public North American lobbies with spam messages that appear in the game’s chat log. Most messages urge users to subscribe to the YouTube and Discord channels of a person called Eris Loris, and vote for Donald Trump in the 2020 presidential elections.

However, variants of the message have also appeared, in which Loris threatens to “hack your device” or “blow up your phone” if you don’t subscribe to his online channels.

InnerSloth, the developers of the online social murder-mystery game, have acknowledged the attack on their official Twitter page:

“Hello everyone, We’re are super duper aware of the current hacking issue and we’re looking into it. We will be pushing out an emergency server update so people who are in game will get kicked from games. Please play private games or with people that you trust!!!Bare with us!!” InnerSloth said in a tweet posted on October 23.

The developers have advised players to join only private games or play with people they know and trust. It’s also imperative not to subscribe to the infamous YouTube channel or participate in the comment section of the videos posted by Eris Loris. If you join a public lobby, ban Eris Loris or anyone who sends the trademark message.

According to Kotaku, an online gaming news and reviews website, Loris acknowledged the hack, saying he was curious to see people’s reactions.

“I was curious to see what would happen, and personally I found it funny,” Loris said. “The anger and hatred is the part that makes it funny. If you care about a game and are willing to go and spam dislike some random dude on the internet because you cant play it for 3 minutes, it’s stupid.”

Forest Willard, one of the game’s programmers, tweeted yesterday that an anti-hack fix is being rolled out.

“Alright, wave 2 of anti-hacks are going out: Wave 1 did fix impersonation, this is why the prominent hack now is just chat spam and mass despawn (black room) Wave 2 should fix both of these. We’ll see where we need to go from there,” Willard said.
