Tag Archive for: feds

That home router botnet the Feds took down? Moscow’s probably going to try again • The Register


Authorities from eleven nations have delivered a sequel to the January takedown of a botnet run by Russia on compromised Ubiquiti Edge OS routers – in the form of a warning that Russia may try again, so owners of the devices should take precautions.

Revealed in February, the takedown was led by US authorities and at the time was said to have “disabled” a campaign staged by Russia’s GRU military intelligence unit. The crew cracked the SOHO routers and infected them with malware named Moobot – a variant of the infamous Mirai malware.

Moobot allowed GRU and its minions to install and run scripts to build a 1,000-strong botnet, which it used for power phishing, spying, credential harvesting, and data theft.

Given the triumphant tone of the takedown announcement, Ubiquiti users may have felt they were no longer at risk.

But on Tuesday the FBI issued a joint advisory [PDF] on behalf of the US, Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom. The document urges Ubiquiti owners to get patching.

“Owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises,” the document cautions.

Those actions are:

  • Perform a hardware factory reset;
  • Upgrade to the latest firmware version;
  • Change any default usernames and passwords;
  • Implement strategic firewall rules on WAN-side interfaces.

The advisory also offers more detail on how GRU – specifically 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium) – went about its dirty deeds.

At the time of the takedown, US authorities remarked that this botnet differed from past GRU efforts in that it used off-the-shelf malware. The advisory reveals that APT28 also wrote its own package for this heist.

Called MASEPIE, the malware was directed by the Ubiquiti-based botnet and is described as “a small Python backdoor capable of executing arbitrary commands on victim machines.”

“Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key,” the advisory…


After years of losing, it’s finally feds’ turn to troll ransomware group

After years of being outmaneuvered by snarky ransomware criminals who tease and brag about each new victim they claim, international authorities finally got their chance to turn the tables, and they aren’t squandering it.

The top-notch trolling came after authorities from the US, UK, and Europol took down most of the infrastructure belonging to Lockbit, a ransomware syndicate that has extorted more than $120 million from thousands of victims around the world. On Tuesday, most of the sites Lockbit uses to shame its victims for being hacked, pressure them into paying, and brag of their hacking prowess began displaying content announcing the takedown. The seized infrastructure also hosted decryptors victims could use to recover their data.

The dark web site Lockbit once used to name and shame victims, displaying entries such as “press releases,” “LB Backend Leaks,” and “LockbitSupp You’ve been banned from Lockbit 3.0.”


Authorities didn’t use the seized name-and-shame site solely for informational purposes. One section that appeared prominently gloated over the extraordinary extent of the system access investigators gained. Several images indicated they had control of /etc/shadow, a Linux file that stores cryptographically hashed passwords. This file, among the most security-sensitive ones in Linux, can be accessed only by a user with root, the highest level of system privileges.

Screenshot showing a folder named “shadow” with hashes for accounts including “root,” “daemon,” “bin,” and “sys.”

Other images demonstrated that investigators also had complete control of the main web panel and the system Lockbit operators used to communicate with affiliates and victims.

Screenshot of a panel used to administer the Lockbit site.
Screenshot showing chats between a Lockbit affiliate and a victim.

The razzing didn’t stop there. File names of the images had titles including: “this_is_really_bad.png,” “oh dear.png,” and “doesnt_look_good.png.” The seized page also teased the upcoming doxing of LockbitSupp, the moniker of the main…


Feds: Androxgh0st Botnet Is Targeting AWS, Office 365, and Azure Credentials


Federal cybersecurity officials are warning server and website owners of a spike in Androxgh0st malware, which is targeting Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio credentials.

The botnet has been around since late 2022 and is often used to steal credentials for use in spam or crypto-mining. According to FortiGuard Labs, the botnet has control of approximately 30,000 devices as of this week, though that’s down from 50,000 in the first week of January.

The botnet is capable of abusing the Simple Mail Transfer Protocol (SMTP) as well as application programming interfaces (APIs), according to a report from the Cybersecurity and Infrastructure Security Agency (CISA). Bleeping Computer says SendGrid and Twilio credentials can be “used by threat actors to conduct spam campaigns impersonating the breached companies.”


CISA outlines how to check and see if your server is compromised and alternative monikers that you may see instead of Androxgh0st. The FBI and CISA also posted several mitigations that organizations can take to ensure that they stay safe from the botnet. They include:

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.

  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it.

  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from ENV files and revoke them.

  • On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the ENV file for unauthorized access or use.

  • Scan the server’s file system for unrecognized PHP files.

  • Review outgoing GET requests (via cURL command) to file hosting sites.
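As an added illustration of the ENV-file and Apache-version checks in the list above (example code written for this page, not a tool from CISA, the FBI or the article), the following Python audit flags a Laravel .env file that has APP_DEBUG enabled or still holds cloud/API credentials, and tests an Apache version string against the two releases the advisory names; the sample .env and the credential key prefixes are constructed assumptions.

```python
# Constructed sample .env content (not from any real system) showing the
# weak settings the mitigation list warns about: debug mode left on and
# cloud/API credentials stored in the file.
SAMPLE_ENV = """APP_NAME=Shop
APP_ENV=production
APP_DEBUG=true
AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
AWS_SECRET_ACCESS_KEY=placeholder-secret
SENDGRID_API_KEY=SG.placeholder
TWILIO_AUTH_TOKEN=placeholder-token
MAIL_HOST=smtp.example.test
"""

# Assumed key prefixes for the credential families named in the article
# (AWS, Office 365/Azure, SendGrid, Twilio); extend for your own stack.
CREDENTIAL_PREFIXES = ("AWS_", "AZURE_", "OFFICE365_", "SENDGRID_", "TWILIO_")


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines, comments and malformed lines are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_laravel_env(text):
    """Return a list of human-readable findings for a Laravel .env file."""
    env = parse_env(text)
    findings = []
    # Laravel's debug error page can print the environment, so this must be off in production.
    if env.get("APP_DEBUG", "false").lower() in ("true", "1", "on"):
        findings.append("APP_DEBUG is enabled; debug pages can expose .env contents")
    # Credentials left in the file are exactly what Androxgh0st harvests.
    for key, value in env.items():
        if key.startswith(CREDENTIAL_PREFIXES) and value:
            findings.append(f"cloud/API credential stored in .env: {key}")
    return findings


def apache_version_vulnerable(version):
    """True for the two httpd releases the advisory singles out."""
    return version.strip() in ("2.4.49", "2.4.50")
```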



Feds disrupt major ransomware group targeting schools, law firms, hospitals


The U.S. Department of Justice has disrupted a major ransomware group — and enabled some people to restore their systems — with South Florida playing a central role in the cybercrime investigation, authorities said.

The FBI this month seized several websites operated by the Blackcat ransomware group, launched a disruption campaign, and “gained visibility” into the group’s computer network, according to an affidavit supporting a search warrant unsealed Tuesday in the Southern District of Florida.

The FBI developed a decryption tool that allowed its field offices nationwide and international law enforcement partners to offer more than 500 affected victims the capability to restore their computer systems, the Justice Department said. To date, the FBI has saved victims from ransom demands totaling approximately $68 million.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa Monaco in a statement Tuesday.

The FBI Miami Field Office is leading the investigation and the case involves federal prosecutors in Miami.

The Blackcat ransomware group is also known as ALPHV or Noberus. Ransomware is malicious software that denies individuals access to computer systems until one pays a ransom. Typically, cybercriminals encrypt an individual’s computer and then demand a ransom before decrypting it. Payment is usually requested in cryptocurrency and to addresses controlled by the criminals.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” she noted. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

A message from a ransomware attack. The FBI disrupted a major ransomware group — Blackcat — with South Florida playing a central role in the cybercrime investigation, authorities said.

Over the past 18 months, ALPHV/Blackcat has become the second most prolific ransomware in the world based on the hundreds of millions of dollars in ransom paid by victims, the…
