From mwheeler at flashpoint-intel.com Mon May 2 09:31:58 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Mon, 2 May 2022 09:31:58 -0400
Subject: [BreachExchange] Fourth Circuit Holds Statements About Importance of Data Security Not Actionable

https://www.insideclassactions.com/2022/04/29/fourth-circuit-holds-statements-about-importance-of-data-security-not-actionable/

The Fourth Circuit’s opinion last week in In re Marriott International, Inc., — F.4th —, No. 21-1802 (4th Cir. Apr. 21, 2022), could prove useful to companies facing data breach class actions. Following a data breach of the Starwood guest reservation system, Marriott investors brought securities claims alleging that the purported failure to disclose vulnerabilities in Starwood’s IT systems rendered certain public statements false or misleading. For example, the investors argued that Marriott’s statement that “the integrity and protection of customer, employee, and company data is critical to us as we use such data for business decisions and to maintain operational efficiency” was misleading because it gave the “impression that Marriott was securing and protecting the customer data acquired from Starwood.”

The district court rejected this argument after finding that the challenged statements “did not assign a quality to Marriott’s cybersecurity that it did not have.”

The Fourth Circuit affirmed. It rejected the investors’ reliance on district court cases holding that statements describing the strength of security measures may be false if the measures are actually deficient because “Marriott made no such representation.” Instead, the Fourth Circuit agreed with the district court that a statement about the importance a company places on data security is not a representation about the quality or effectiveness of its security measures. The Fourth Circuit also acknowledged that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”

This case is an important precedent for dismissing complaints alleging false statements concerning data security.


From mwheeler at flashpoint-intel.com Tue May 3 08:48:36 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Tue, 3 May 2022 08:48:36 -0400
Subject: [BreachExchange] New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.

"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a Monday report.

The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.

What's more, the command-and-control domains — a botnet of internet-exposed IP camera devices, likely with default credentials — are designed to blend in with legitimate traffic originating from the infected endpoints, suggesting attempts on the part of the threat actor to stay under the radar.

"UNC3524 also takes persistence seriously," Mandiant researchers pointed out. "Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign."

Also installed by the threat actor is a secondary implant, a web shell, as a means of alternate access should QUIETEXIT stop functioning and for propagating the primary backdoor on another system in the network.

The information-gathering mission, in its final stage, entails obtaining privileged credentials to the victim's mail environment, using it to target the mailboxes of executive teams that work in corporate development.

"UNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment," Mandiant said. "Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools."


From mwheeler at flashpoint-intel.com Wed May 4 08:39:28 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Wed, 4 May 2022 08:39:28 -0400
Subject: [BreachExchange] State of Ransomware shows huge growth in threat and impacts

https://www.continuitycentral.com/index.php/news/technology/7275-state-of-ransomware-shows-huge-growth-in-threat-and-impacts

Sophos has released its annual survey and review of real-world ransomware experiences in its ‘State of Ransomware 2022’ report. This shows that 66 percent of organizations surveyed were hit with ransomware in 2021, up from 37 percent in 2020.
The average ransom paid by organizations that had data encrypted in their most significant ransomware attack increased nearly fivefold to reach $812,360, with a threefold increase in the proportion of organizations paying ransoms of $1 million or more. 46 percent of the organizations that had data encrypted paid the ransom to get their data back, even if they had other means of data recovery, such as backups.

The report summarizes the impact of ransomware on 5,600 mid-sized organizations in 31 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa, with 965 sharing details of ransomware payments.

“Alongside the escalating payments, the survey shows that the proportion of victims paying up also continues to increase, even when they may have other options available,” said Chester Wisniewski, principal research scientist at Sophos. “There could be several reasons for this, including incomplete backups or the desire to prevent stolen data from appearing on a public leak site. In the aftermath of a ransomware attack there is often intense pressure to get back up and running as soon as possible. Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. It’s also an option fraught with risk. Organizations don’t know what the attackers might have done, such as adding backdoors, copying passwords and more. If organizations don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack.”

Key findings include:

- Ransom payments are higher – In 2021, 11 percent of organizations said they paid ransoms of $1 million or more, up from 4 percent in 2020, while the percentage of organizations paying less than $10,000 dropped to 21 percent from 34 percent in 2020.
- More victims are paying the ransom – In 2021, 46 percent of organizations that had data encrypted in a ransomware attack paid the ransom. 26 percent of organizations that were able to restore encrypted data using backups in 2021 also paid the ransom.
- The impact of a ransomware attack can be immense – the average cost to recover from the most recent ransomware attack in 2021 was $1.4 million. It took on average one month to recover from the damage and disruption. 90 percent of organizations said the attack had impacted their ability to operate, and 86 percent of private sector victims said they had lost business and/or revenue because of the attack.
- Many organizations rely on cyber insurance to help them recover from a ransomware attack – 83 percent of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack – and, in 98 percent of incidents, the insurer paid some or all the costs incurred (with 40 percent overall covering the ransom payment). 94 percent of those with cyber insurance said that their experience of getting it has changed over the last 12 months, with higher demands for cyber security measures, more complex or expensive policies and fewer organizations offering insurance protection.

From mwheeler at flashpoint-intel.com Tue May 17 08:25:36 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Tue, 17 May 2022 08:25:36 -0400
Subject: [BreachExchange] Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals

https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/

A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and Venezuela who resides in Venezuela, with attempted computer intrusions and conspiracy to commit computer intrusions. The charges stem from Zagala’s use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.

Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the charges.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” stated United States Attorney Peace. “Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations.”

“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems – which is an incredibly vital step in stopping the next ransomware attack,” stated Assistant Director-in-Charge Driscoll.

As charged in the criminal complaint, Zagala, a 55-year-old cardiologist who resides in Ciudad Bolivar, Venezuela, has designed multiple ransomware tools—malicious software that cybercriminals use to extort money from companies, nonprofits and other institutions, by encrypting those files and then demanding a ransom for the decryption keys. Zagala sold or rented out his software to hackers who used it to attack computer networks.

One of Zagala’s early products, a ransomware tool called “Jigsaw v. 2,” had, in Zagala’s description, a “Doomsday” counter that kept track of how many times the user had attempted to eradicate the ransomware. Zagala wrote: “If the user kills the ransomware too many times, then its clear he won’t pay so better erase the whole hard drive.”

Beginning in late 2019, Zagala began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.” The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who is associated with death. The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals. The user interface for the Thanos software is shown below:[1]

The screenshot shows, on the right-hand side, an area for “Recovery Information,” in which the user can create a customized ransom note.
Other options include a “data stealer” that specifies the types of files that the ransomware program should steal from the victim computer, an “anti-VM” option to defeat the testing environments used by security researchers, and an option, as advertised, to make the ransomware program “self-delete.”

Rather than simply sell the Thanos software, Zagala allowed individuals to pay for it in two ways. First, a criminal could buy a “license” to use the software for a certain period of time. The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled for the purpose of confirming that the user had an active license.[2] Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which he provided a user access to the Thanos builder in exchange for a share of the profits from ransomware attacks. Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin.

Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screennames that referred to Greek mythology. His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek. In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim.

In private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments. As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.” Zagala also noted that “there is a punishment… [i]f user reboots. For every rerun it will punish you with 1000 files deleted.” After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this . . . You are the best developer ever.” Zagala responded: “Thank you that is nice to hear[.] Im very flattered and proud.” Zagala had only one request: “If you have time and its not too much trouble to you please describe your experience with me” in an online review.

On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala’s “affiliate program.” Zagala responded: “Not for now. Don’t have spots.” But Zagala offered to license the software to CHS-1 for $500 a month with “basic options,” or $800 with “full options.”

On or about October 7, 2020, CHS-1 asked Zagala how to establish an affiliate program of his own using Thanos. Zagala responded with a short tutorial on how to set up a ransomware crew. He explained that CHS-1 should find people “versed…in LAN hacking” and supply them with a version of the Thanos ransomware that was programmed to expire after a given period of time.[3] Zagala said that he personally had “a maximum of between 10-20” affiliates at a given time, and “sometimes only 5.” He added that hackers approached him for his software after they had gained access to a victim network: “they come with access to [b]ig LAN, I check and then I accept[.] they lock several big networks and we wait…If you lock networks without tape or cloud (backups)[,] almost all pay[.]” Zagala further explained that, sometimes, a victim network turned out to have an unexpected backup: “so no point in locking because they have backups, so in that case we only exfiltrate data,” referring to stealing victim information. Zagala further added that he had an associate who “knows how to corrupt tapes,” meaning backups, and how to “disable[] AV,” meaning antivirus software. Finally, Zagala offered to give CHS-1 an additional two weeks free after CHS-1’s one-month license expired, explaining “because 1 month is too little for this business…sometimes you need to work a lot to get good profit.”

Zagala’s customers favorably reviewed his products. One individual posted a message praising Thanos in July 2020, writing “i bought the ransomware from nosophoros and it is very powerful,” and claiming that he had used Zagala’s ransomware to infect a network of approximately 3000 computers. And, in December 2020, another user wrote a post in Russian: “We have been working with this product for over a month now, we have a good profit! Best support I’ve met.” Zagala has publicly discussed his knowledge that his clients used his software to commit ransomware attacks, including by linking to a news story about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.

In or around November 2021, Zagala began using a third screenname – “Nebuchadnezzar.” In chats with a second confidential source of the FBI (CHS-2), Zagala stated that he had switched aliases to preserve “OPSEC… operational security” because “malware analysts are all over me.”

On or about May 3, 2022, law enforcement agents conducted a voluntary interview of a relative of Zagala who resides in Florida and whose PayPal account was used by Zagala to receive illicit proceeds. The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming. The individual also showed agents contact information for Zagala in his phone that matched the registered email for malicious infrastructure associated with the Thanos malware.

If convicted, the defendant faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.

The government’s case is being handled by the Office’s National Security and Cybercrime Section. Assistant United States Attorneys David K.
Kessler and Alexander F. Mindlin are in charge of the prosecution.

The Defendant:
MOISES LUIS ZAGALA GONZALEZ
Age: 55
Ciudad Bolivar, Venezuela
E.D.N.Y. Docket No. 21-M-276


From mwheeler at flashpoint-intel.com Tue May 17 08:28:43 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Tue, 17 May 2022 08:28:43 -0400
Subject: [BreachExchange] Fifth of Businesses Say Cyber-Attack Nearly Broke Them

https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

A fifth of US and European businesses have warned that a serious cyber-attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report. It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.

Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat. Yet perception appears to vary greatly depending on whether an organization has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.

While spending on cybersecurity is increasing, on average, up 60% per company year-on-year, so is the cost of attacks. Hiscox calculated the median cost at around $17,000 – up 29% year-on-year.
More concerning given the new era of hybrid working is that almost two-thirds of respondents (62%) agreed that their business was more vulnerable to an attack as a result of employees working from home. This increased to 69% in companies with more than 250 employees.

“Business owners will have spent years growing and investing in their business, but one cyber-attack could reduce what they have built to financial rubble,” warned Hiscox Cyber CEO, Gareth Wharton. “Remote working is not going away, and has impacted the volume of cyber-attacks as cyber-criminals gain access via cloud servers, so it is vital that businesses take the necessary steps to protect themselves against the complexity and speed of cyber-attacks.”

Wharton added that with phishing emails remaining a top threat vector, organizations should focus efforts on improving their staff awareness training.


From mwheeler at flashpoint-intel.com Wed May 18 08:27:27 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Wed, 18 May 2022 08:27:27 -0400
Subject: [BreachExchange] FBI and NSA say: Stop doing these 10 things that let the hackers in

https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/

Cyber attackers regularly exploit unpatched software vulnerabilities, but they "routinely" target security misconfigurations for initial access, so the US Cybersecurity and Infrastructure Security Agency (CISA) and its peers have created a to-do list for defenders in today's heightened threat environment.

CISA, the FBI and National Security Agency (NSA), as well as cybersecurity authorities from Canada, New Zealand, the Netherlands, and the UK, have compiled a list of the main weak security controls, poor configurations, and poor security practices that defenders should implement to thwart initial access.
It also contains the authorities' collective recommended mitigations.

"Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim's system," CISA says.

The list of actions includes all obvious candidates, such as enabling multi-factor authentication (MFA) on key systems, such as virtual private networks (VPNs), but which are prone to misconfigurations when implemented in complex IT environments.

For example, last year Russian hackers combined a default policy shared by multiple MFA solutions and a Windows printer privilege escalation flaw to disable MFA for active domain accounts and then establish remote desktop protocol (RDP) connections to Windows domain controllers.

This complexity can also be seen in the choice, deployment and use of VPNs, whose adoption escalated after the pandemic struck. Recent research by Palo Alto Networks found that 99% of cloud services utilize excessive permissions, against the well-known principle of least privilege to limit opportunities for attackers to breach a system.

The security controls outlined in CISA's list serve as a useful checklist for organizations, many of which deployed remote-working IT infrastructure hastily due to the pandemic, and amid today's heightened geopolitical tensions due to Russia's invasion of Ukraine. It also follows the EU joining the US-Five Eyes in jointly blaming the Russian military for this year's cyberattack against Viasat's European satellite broadband users.

As noted in the joint alert, attackers commonly exploit public-facing applications, external remote services, and use phishing to obtain valid credentials and exploit trusted relationships and valid accounts.

The joint alert recommends that MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware. "Do not exclude any user, particularly administrators, from an MFA requirement," CISA notes.

Incorrectly applied privileges or permissions and errors in access control lists can prevent the enforcement of access control rules and could give unauthorized users or system processes access to objects.

Of course, make sure software is up to date. But also don't use vendor-supplied default configurations or default usernames and passwords. These might be 'user friendly' and help the vendor deliver faster troubleshooting, but they're often publicly available 'secrets'. The NSA strongly urges admins to remove vendor-supplied defaults in its network infrastructure security guidance.

"Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup," CISA notes. "These default credentials are not secure – they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software."

CISA notes that remote services, such as VPNs, lack sufficient controls to prevent unauthorized access. Defenders should add access control mechanisms like MFA to reduce risks. Also, put the VPN behind a firewall, and use IDS and IPS sensors to detect suspicious network activity.

Other key problems include: strong password policies are not implemented; open ports and internet-exposed services that can be scanned via the internet by attackers; failure to detect or block phishing using Microsoft Word and Excel documents booby-trapped with malicious macros; and poor endpoint detection and response.
CISA's recommendations include control access measures, implementing credential hardening, establishing centralized log management, using antivirus, employing detection tools and searching for vulnerabilities, maintaining configuration management programs, and implementing patch management.

CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal. US federal agencies have until 2024 to make significant headway on this aim.

The full list of security 'don'ts' includes:

- Multifactor authentication (MFA) is not enforced.
- Incorrectly applied privileges or permissions and errors within access control lists.
- Software is not up to date.
- Use of vendor-supplied default configurations or default login usernames and passwords.
- Remote services, such as VPNs, lack sufficient controls to prevent unauthorized access.
- Strong password policies are not implemented.
- Cloud services are unprotected.
- Open ports and misconfigured services are exposed to the internet.
- Failure to detect or block phishing attempts.
- Poor endpoint detection and response.


From mwheeler at flashpoint-intel.com Wed May 18 08:28:20 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Wed, 18 May 2022 08:28:20 -0400
Subject: [BreachExchange] U.S. Warns Against North Korean Hackers Posing as IT Freelancers

https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html

Highly skilled software and mobile app developers from the Democratic People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in hopes of landing freelance employment in an attempt to enable the regime's malicious cyber intrusions.

That's according to a joint advisory from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued on Monday.
Targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia.

The goal, the U.S. agencies warn, is to generate a constant stream of revenue that sidesteps international sanctions imposed on the nation and help serve its economic and security priorities, including the development of nuclear and ballistic missiles.

"The North Korean government withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars," the guidance noted.

Some of the core areas where DPRK IT workers have been found to engage are software development; crypto platforms; graphic animation; online gambling; mobile games; dating, AI, and VR apps; hardware and firmware development; biometric recognition software; and database management.

DPRK IT workers are also known to take on projects that involve virtual currency, reflecting the country's continued interest in the technology and its history of targeted attacks aimed at the financial sector.

Additionally, they are said to abuse the privileged access obtained as contractors to provide logistical support to North Korean state-sponsored groups, share access to virtual infrastructure, facilitate the sale of stolen data, and assist in money laundering and virtual currency transfers.

Besides deliberately obfuscating their identities, locations, and nationality online by using VPNs and misrepresenting themselves as South Korean citizens, potential red flags indicating the involvement of DPRK IT workers are as follows -

- Multiple logins into one account from various IP addresses in a short period
- Logging into multiple accounts on the same platform from one IP address
- Logged into accounts continuously for one or more days at a time
- Use of ports such as 3389 that are associated with remote desktop sharing software
- Using rogue client accounts on freelance work platforms to boost developer account ratings
- Multiple developer accounts receiving high ratings from one client account in a short time
- Frequent money transfers through payment platforms to China-based bank accounts, and
- Seeking payment in virtual currency

In one instance highlighted in the advisory, North Korean developers working for an unnamed U.S. company carried out an unauthorized theft of over $50,000 in 30 small installments without the firm's knowledge over the course of several months.

"Hiring or supporting the activities of DPRK IT workers poses many risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences, including sanctions under both United States and United Nations authorities," the U.S. State Department said.

The advisory also comes as the department announced a $5 million reward last month for information that leads to the disruption of North Korea's cryptocurrency theft, cyber-espionage, and other illicit nation-state activities.

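The three login-pattern red flags from the advisory above (many IPs into one account in a short period, many accounts from one IP, and sessions held open for a day or more) turned into triage checks over constructed platform login records. This is an added example, not code from the advisory or the article; the record format, the one-hour window and the threshold of three distinct IPs or accounts are assumptions a platform operator would tune to its own baseline.

```python
"""Triage checks for the account-activity red flags in the DPRK IT-worker advisory.
Added example; the event layout and thresholds are assumptions, not advisory text."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (account, source_ip, login_time, logout_time).
# Times are naive ISO-8601 strings; a None logout means the session is still open.
SAMPLE_EVENTS = [
    ("dev_alice", "203.0.113.10", "2022-05-16T08:00:00", "2022-05-16T12:00:00"),
    ("dev_alice", "203.0.113.10", "2022-05-17T08:05:00", "2022-05-17T11:50:00"),
    # red flag 1: one account, three distinct IPs inside 40 minutes
    ("dev_bob",   "198.51.100.7", "2022-05-16T09:00:00", "2022-05-16T09:20:00"),
    ("dev_bob",   "192.0.2.44",   "2022-05-16T09:25:00", "2022-05-16T09:30:00"),
    ("dev_bob",   "198.51.100.9", "2022-05-16T09:38:00", "2022-05-16T10:00:00"),
    # red flag 2: one IP logging into three different developer accounts
    ("dev_carol", "192.0.2.99",   "2022-05-16T01:00:00", "2022-05-16T03:00:00"),
    ("dev_dave",  "192.0.2.99",   "2022-05-16T03:10:00", "2022-05-16T05:00:00"),
    ("dev_erin",  "192.0.2.99",   "2022-05-16T05:05:00", "2022-05-16T07:00:00"),
    # red flag 3: a session held open for more than a day
    ("dev_frank", "203.0.113.77", "2022-05-15T06:00:00", "2022-05-16T14:30:00"),
]


def _parse(ts):
    """Parse an ISO timestamp; None stays None (open session)."""
    return datetime.fromisoformat(ts) if ts else None


def accounts_with_many_ips(events, window=timedelta(hours=1), min_ips=3):
    """Red flag 1: an account reached from >= min_ips distinct IPs within `window`.
    Uses a sliding window over each account's logins sorted by time."""
    by_account = defaultdict(list)
    for acct, ip, login, _ in events:
        by_account[acct].append((_parse(login), ip))
    flagged = set()
    for acct, logins in by_account.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            ips = {ip for t, ip in logins[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged.add(acct)
                break
    return sorted(flagged)


def ips_with_many_accounts(events, min_accounts=3):
    """Red flag 2: one source IP used to log into >= min_accounts distinct accounts."""
    by_ip = defaultdict(set)
    for acct, ip, _, _ in events:
        by_ip[ip].add(acct)
    return sorted(ip for ip, accts in by_ip.items() if len(accts) >= min_accounts)


def long_lived_sessions(events, now=None, min_duration=timedelta(days=1)):
    """Red flag 3: sessions logged in continuously for a day or more.
    Sessions without a logout are measured against `now` (default: current time)."""
    now = now or datetime.now()
    hits = []
    for acct, ip, login, logout in events:
        end = _parse(logout) or now
        if end - _parse(login) >= min_duration:
            hits.append((acct, ip))
    return hits


def triage(events, now=None):
    """Run all three checks; returns a dict keyed by red-flag name for review."""
    return {
        "many_ips_one_account": accounts_with_many_ips(events),
        "many_accounts_one_ip": ips_with_many_accounts(events),
        "sessions_over_24h": long_lived_sessions(events, now=now),
    }


if __name__ == "__main__":
    for flag, hits in triage(SAMPLE_EVENTS).items():
        print(f"{flag}: {hits}")
```

The output is a review queue, not a verdict: a legitimate contractor on a VPN or a shared office NAT can trip rules 1 and 2, so hits should be correlated with the payment-side indicators the advisory lists before any action.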
From mwheeler at flashpoint-intel.com Tue May 31 08:37:28 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Tue, 31 May 2022 08:37:28 -0400
Subject: [BreachExchange] Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks

https://thehackernews.com/2022/05/interpol-nabs-3-nigerian-scammers.html

Interpol on Monday announced the arrest of three suspected global scammers in Nigeria for using remote access trojans (RATs) such as Agent Tesla to facilitate malware-enabled cyber fraud.

"The men are thought to have used the RAT to reroute financial transactions, stealing confidential online connection details from corporate organizations, including oil and gas companies in South East Asia, the Middle East and North Africa," the International Criminal Police Organization said in a statement.

One of the scammers in question, named Hendrix Omorume, has been charged and convicted of three counts of financial fraud and has been sentenced to a 12-month prison term. The two other suspects are still on trial.

The three Nigerian individuals, who are aged between 31 and 38, have been apprehended for being in possession of fake documents such as fraudulent invoices and forged official letters. The law enforcement said that the suspects systematically used Agent Tesla to breach business computers and divert financial transactions to bank accounts under their control.

A .NET-based advanced malware that first appeared in 2014, Agent Tesla primarily gets delivered through phishing emails and has capabilities such as keylogging, screen capture, form-grabbing, credential stealing, and exfiltrating other sensitive information.

The arrests follow a sting operation conducted simultaneously in two different locations in the Nigerian cities of Lagos and Benin City, with private sector intelligence provided by cybersecurity company Trend Micro.
The operation is also part of a global law enforcement operation codenamed "Killer Bee" involving Interpol and authorities from 11 different countries across Southeast Asia, including Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.

The development also comes close on the heels of the alleged leader of the SilverTerrier BEC cybercrime gang in a separate operation dubbed Delilah. It was preceded by two related operations called Falcon I and Falcon II in 2020 and 2021.

From mwheeler at flashpoint-intel.com Tue May 31 08:38:29 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Tue, 31 May 2022 08:38:29 -0400
Subject: [BreachExchange] Hackers are Selling US University Credentials Online, FBI Says
Message-ID:

https://tech.co/news/hackers-are-selling-us-university-credentials-online-fbi-says

The Federal Bureau of Investigation has warned US universities and colleges that it has found banks of login credentials and other data relating to VPN access circulating on cybercriminal forums.

The fear is that such data will be sold and subsequently used by malicious actors to orchestrate attacks on other accounts owned by the same students, in the hope they've reused the same credentials.

The news is the latest reminder of the importance of having long, unique passwords, and equally, why using technology like password managers is the safest way forward.

Stolen VPN Credentials on Criminal Forums

"The FBI has observed incidents of stolen higher education credential information posted on publicly accessible online forums or listed for sale on criminal marketplaces," the intelligence service said in a briefing on the issue.

As of January 2022, the document reads, Russian criminals have been posting network credentials and VPN accesses relating to a long list of different US education institutions on online forums.
According to the FBI, they've been fetching "multiple thousands" of US dollars.

This wouldn't be the first case of this either. The FBI notes that in 2017, "cybercriminals targeted universities to hack .edu accounts by cloning university login pages and embedding a credential harvester link in phishing emails."

More recently, in May 2021, "over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publicly available instant messaging platform." There were additional incidents from 2020 referenced in the same report.

Why Are These Credentials Valuable?

If you're a hacker, once you're able to obtain the credentials for a single account belonging to one individual, the chances you're able to access other private accounts belonging to the same person drastically increase.

In this case, cybercriminals are banking on the fact that some of the college students they have stolen credentials from will have recycled the same login details for use on other accounts, which forms the basis for brute force and credential stuffing attacks.

This is not a bad bet to place either, from their perspective. The whole reason those attacks exist in the first place is the high prevalence of repeated passwords.

How do I protect my Business from this Sort of Threat?

Although this attack seems to be orientated around students' personal accounts, businesses are much more likely to be targeted simply because it's a more profitable endeavor for cybercriminals to pursue.

The FBI's list of recommended steps to take includes all the classics: keeping your systems up to date, implementing multi-factor authentication, and using strong and unique passwords.
The safest way to store passwords, whilst ensuring they're long enough to be secure, is using a password manager. That way, you'll only have to remember a single password to your account with your chosen password manager (as well as a couple of other bits of security information), yet you'll be protected on all of your accounts.

There are password managers for both businesses and consumers, and making sure you're protected at work and at home is the smartest thing to do.

From mwheeler at flashpoint-intel.com Tue May 31 08:40:25 2022
From: mwheeler at flashpoint-intel.com (Matthew Wheeler)
Date: Tue, 31 May 2022 08:40:25 -0400
Subject: [BreachExchange] SideWinder Hackers Launched Over 1,000 Cyber Attacks Over the Past 2 Years
Message-ID:

https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html

An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations," cybersecurity firm Kaspersky said in a report that was presented at Black Hat Asia this month.

SideWinder, also called Rattlesnake or T-APT-04, is said to have been active since at least 2012 with a track record of targeting military, defense, aviation, IT companies, and legal firms in Central Asian countries such as Afghanistan, Bangladesh, Nepal, and Pakistan.

Kaspersky's APT trends report for Q1 2022 published late last month revealed that the threat actor is actively expanding the geography of its targets beyond its traditional victim profile to other countries and regions, including Singapore.
SideWinder has also been observed capitalizing on the ongoing Russo-Ukrainian war as a lure in its phishing campaigns to distribute malware and steal sensitive information.

The adversarial collective's infection chains are notable for incorporating malware-rigged documents that take advantage of a remote code vulnerability in the Equation Editor component of Microsoft Office (CVE-2017-11882) to deploy malicious payloads on compromised systems.

Furthermore, SideWinder's toolset employs several sophisticated obfuscation routines, encryption with unique keys for each malicious file, multi-layer malware, and splitting command-and-control (C2) infrastructure strings into different malware components.

The three-stage infection sequence commences with the rogue documents dropping an HTML Application (HTA) payload, which subsequently loads a .NET-based module to install a second-stage HTA component that's designed to deploy a .NET-based installer.

This installer, in the next phase, is both responsible for establishing persistence on the host and loading the final backdoor in memory. The implant, for its part, is capable of harvesting files of interest as well as system information, among others.

No fewer than 400 domains and subdomains have been put to use by the threat actor over the past two years. To add an additional layer of stealth, the URLs used for C2 domains are sliced into two parts, the first portion of which is included in the .NET installer and the latter half is encrypted inside the second stage HTA module.

"This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques," Noushin Shabab of Kaspersky said, urging that organizations use up-to-date versions of Microsoft Office to mitigate such attacks.