Tag Archive for: Bear

Fancy Bear sniffs out Ubiquiti router users


The American authorities have warned users of Ubiquiti’s EdgeRouter products that they may be at risk of being targeted by the Russian state threat actor Fancy Bear, also known as APT28 and Forest Blizzard/Strontium.

In a coordinated advisory, to which partner agencies including the UK’s National Cyber Security Centre (NCSC) and counterparts in Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland and South Korea also put their signatures, the FBI, National Security Agency (NSA) and US Cyber Command urged users of the affected products to be on their guard.

“Fancy Bear and Forest Blizzard (Strontium) have used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear phishing landing pages and custom tools,” read the advisory.

Users of EdgeRouters have been told to perform a factory reset, upgrade to the latest firmware version, change default usernames and credentials, and implement strategic firewall rules on WAN-side interfaces.

Ubiquiti EdgeRouters have become popular among users and threat actors alike thanks to a user-friendly, Linux-based operating system. Unfortunately, they also have two dangerous weaknesses: the devices often ship with default credentials and limited firewall protections, and they do not automatically update their firmware unless the user has configured them to do so.

Fancy Bear is using compromised routers to harvest victim credentials, collect digests, proxy network traffic and host spear phishing landing pages and other custom tools. Targets of the operation include academic and research institutions, embassies, defence contractors and political parties, located in multiple countries of interest to Russian intelligence, including Ukraine.

“No part of a system is immune to threats,” said NSA cyber security director Rob Joyce. “As we have seen, adversaries have exploited vulnerabilities in servers, in software, in devices that connect to systems, in user credentials, in any number of ways. Now, we see Russian state-sponsored cyber actors abusing compromised routers and we are joining this CSA to provide mitigation recommendations.”

Dan Black,…


“Fancy Bear Goes Phishing” charts the evolution of hacking


Fancy Bear Goes Phishing. By Scott Shapiro. Farrar, Straus and Giroux; 432 pages; $30. Allen Lane; £25

In 1928 many countries signed the Kellogg-Briand pact, which outlawed war. Though often derided as hopelessly idealistic, it had important consequences. Until then, war had been a lawful way for states to settle their differences; by contrast, economic sanctions were illegal. After the second world war, the document served as the legal basis for the Nuremberg trials. A draft of the United Nations charter included its terms almost verbatim.

The status of computer hacking in international law is now similarly irrational. Espionage is basically legal; interfering in the internal affairs of another state is not. Yet when does cyber-espionage tip into cybercrime or even cyber-warfare? If definitions are slippery, preventing cyber-attacks is even harder. They can be ordered by one country, perpetrated by a civilian in a second, using computers in a third to disable those in a fourth, with tracks hidden along the way. To some, the prefix “cyber” suggests the associated wrongs are as resistant to regulation as old-fashioned war can seem to be.

Scott Shapiro, a professor at Yale Law School and erstwhile computer programmer, is well-placed to tackle these quandaries. He is also the co-author of “The Internationalists”, a history of the Kellogg-Briand pact published in 2017. His new book chronicles the internet’s vulnerability to intrusion and attack by forensically examining five hacks that typify different kinds of threat.

Russia, if you’re listening

It begins with the Morris Worm, the internet’s first worm (ie, a self-replicating piece of code that slithers from computer to computer). It came about in 1988 through an experiment-gone-wrong by an American graduate student, which exploited the openness of networked computers. Next comes Dark Avenger, a virus that destroyed computer data in the 1990s. Third is the hack in 2005 of Paris Hilton’s mobile-phone data, which revealed nude photos of the celebrity. The hacker didn’t compromise the phone but rather servers in the cloud on which the images were stored.

The book’s most outrageous and troubling attacks are its last two,…


Pegasus spyware observed in Thailand. New North Korean ransomware group. Cozy Bear uses online storage services.


At a glance.

  • Pegasus spyware observed in Thailand.
  • New North Korean ransomware group.
  • Cozy Bear uses online storage services.
  • A new technique against air-gapped systems.

Pegasus spyware observed in Thailand.

Researchers at the University of Toronto’s Citizen Lab have observed the Pegasus spyware being used in “an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.” The spyware targeted at least thirty people between October 2020 and November 2021, and coincided with pro-democracy protests in Thailand. Citizen Lab doesn’t definitively attribute the campaign to the Thai government, but they believe it’s unlikely that another nation-state would be interested in these targets:

“Conducting such an extensive hacking campaign against high profile individuals in another country is risky and runs the possibility of discovery, especially given the well-known previous cases where Pegasus infections were publicly discovered and publicly disclosed.

“In addition, the victimology, and in some cases the timing of the infections, reflects information that would be easily available to the Thai authorities, such as non-public relationships and financial activity, but substantially more challenging for other governments to obtain.”

New North Korean ransomware group.

Microsoft warns that a North Korean threat actor that calls itself “H0lyGh0st” is targeting small and midsize businesses in several countries with ransomware. The victims include “manufacturing organizations, banks, schools, and event and meeting planning companies.” Microsoft tracks the threat actor as DEV-0530, and notes that it’s not clear if Pyongyang is behind the operation or if North Korean government employees are acting independently for their own financial gain:

“The first possibility is that the North Korean government sponsors this activity. The weakened North Korean economy has become weaker since 2016 due to sanctions, natural disasters, drought, and the North Korean government’s COVID-19 lockdown from the outside world since early 2020. To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from…


Solana price ‘bear flag’ paints $50 target as Wormhole hack exposes security hole


Solana (SOL) became one of the worst performers among the top cryptocurrencies on Feb. 3 as traders assessed its links with the second-biggest hack to date.

$325M worth of wETH gone

SOL price dropped by 5.50% to below $96.50 as Wormhole, a bridge between Solana and Ethereum blockchains, reportedly lost $325 million worth of Wrapped Ethereum (wETH) due to a technical vulnerability.

Prior to the hack on Wednesday, SOL was trading as high as $112.

In detail, the attacker tricked Solana-side smart contracts into accepting illicit transactions as though they had been digitally signed by the bridge’s “guardians,” reported blockchain researcher Kelvin Fichter on Feb. 2, the night after the hack. He wrote:

“The attacker made it look like the guardians had signed off on a 120K deposit into Wormhole on Solana, even though they hadn’t. All the attacker needed to do now was to make their ‘play’ money real by withdrawing it back to Ethereum.”

Wormhole said that it would add Ethereum’s native token Ether (ETH) “over the next hours” to back wETH on the Solana network on a 1:1 basis. However, the project did not clarify the source of the funds that would be used to buy ETH tokens.

Bear flag triggered

The selloff in the Solana market across the last 24 hours came closer to triggering a bearish continuation setup that may send the SOL price down by another 50%.

Dubbed “bear flag,” the pattern emerges when the price consolidates sideways/higher after a strong downside move, called “flagpole.” In a perfect world, the price eventually breaks below the consolidation range and falls by as much as the flagpole’s length.

So far, SOL/USD has been forming the same bear flag pattern, as shown in the chart below.

SOL/USD daily price chart featuring bear flag setup.
