Tag Archive for: agencies

Russian hackers exploiting ‘poorly maintained’ Cisco routers for malware, security agencies warn

RESEARCH TRIANGLE PARK – A group of Russian hackers known as APT28, also known as Fancy Bear, is deploying malware in the West by exploiting what cybersecurity agencies in the U.S. and U.K. call “poorly maintained Cisco routers.”

The group is described as a “highly skilled threat actor.”

Here is the joint warning announcement and explanation:

“The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

“We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.”


Hackers used legitimate remote help-desk tools to scam multiple US federal agencies


TL;DR: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint warning that threat actors (TA) are ramping up a hacking/phishing campaign employing legitimate remote monitoring and management (RMM) software. The CISA notes that it has discovered multiple attacks within federal civilian executive branch (FCEB) networks.

In September 2022, the CISA performed audits on several FCEB networks and found them to have been victim to a “widespread, financially motivated phishing campaign.” A month later, security researchers at Silent Push reported on a “typosquatting” trojan campaign involving several trusted domains, including PayPal, Microsoft, Geek Squad, and Amazon. On Wednesday, CISA confirmed several federal staff members had fallen for the help-desk-themed phishing campaign.

“[We] assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses,” the alert reads.

The scams are a bit more sophisticated than the typical phishing emails most people ignore. Dubbed “callback phishing,” the emails are made to look legitimate, such as a fake “Geek Squad” notice. They take the form of a high-priced subscription auto-renewal notice and list a number to call to cancel the automatic charge, or a link to a “first-stage malicious domain.” These are pages that mimic legitimate businesses like PayPal, and the URLs are disguised to match, for example, paypalsec.com.

When targets call the number or visit the domain, they are convinced to download legitimate RMM help-desk software from a second-stage domain; CISA specifically named ScreenConnect and AnyDesk. The bad actors use portable executables to bypass security protections that prevent employees from installing software. Portable executables are .exe files that run without being installed on the computer, and most desktop-sharing tools offer them.

Once the TAs have access to the target through the RMM software, they attempt to execute a refund scam. This attack involves convincing the…


Hack puts Latin American security agencies on edge


MEXICO CITY — A massive trove of emails from Mexico’s Defense Department is among electronic communications taken by a group of hackers from military and police agencies across several Latin American countries, Mexico’s president confirmed Friday.

The acknowledgement by President Andrés Manuel López Obrador comes after Chile’s government said last week that emails had been taken from its Joint Chiefs of Staff.

The Mexican president spoke at his daily news conference following a local media report that the hack revealed previously unknown details about a health scare he had in January.

López Obrador downplayed the hack, saying that “there’s nothing that isn’t known.” He said the intrusion apparently occurred during a change of Defense Department systems.

But Chile was so concerned by the breach to its own systems that it called its defense minister back from the United States last week where she was attending the United Nations General Assembly with President Gabriel Boric.

The 10 terabytes of data taken by the group also include emails from the militaries in El Salvador, Peru and Colombia, as well as El Salvador’s National Police. The Mexico portion of the data appeared to be the largest.

A group of anonymous, self-described social justice warriors who call themselves Guacamaya say they use hacking to expose injustice and corruption in defense of Indigenous peoples. Hackers using the same name previously hacked and released the emails of a mining company long accused of human rights and environmental abuses in Guatemala.

In a statement accompanying the most recent action, the group complained of the plundering of Latin America, which it refers to as Abya Yala, by colonizers and the continuing extractivist goals of the “Global North.”

The group issued a 1,400-word communiqué saying that the militaries and police of Latin American countries, often with extensive training by the United States, are used by governments “to keep their inhabitants prisoner.”

“The police minimize the risk that the people exercise their honorable right to protest, to destroy the system that oppresses them,” the group wrote.

The group said it would make the documents available to…


Govt. Agencies Seize Domains Used for Selling Credentials


DOJ: Now-Shuttered Site Sold Data Obtained from 10,000 data breaches


The U.S. Department of Justice and the FBI announced that they have seized three domains after an international investigation found the domains were selling stolen personal information and providing access to conduct distributed denial-of-service attacks on victim networks.


The three seized internet domain names are weleakinfo.to and two related domains, ipstress.in and ovh-booter.com.

“Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses,” says Matthew M. Graves, U.S. Attorney for the District of Columbia. “Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security, and commerce around the globe.”

WeLeakInfo.to Website

The site operated as a database and search engine, with the stolen data indexed so that users could search the files and information “illegally obtained in over 10,000 data breaches containing seven billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” the DOJ…
