Tag Archive for: feds

Ransomware gang QakBot resurfaces after Feds’ botnet takedown


Evidence suggests the notorious Qakbot malware gang continued staging cyberattacks in August, even as authorities seized its infrastructure and dismantled the formidable botnet it had built up over several years.

Before the FBI-led operation that took down the botnet, QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was the most common malware loader seen by ReliaQuest, accounting for 30% of all loaders its researchers observed in the first seven months of this year.

While authorities seized infrastructure and financial assets belonging to the gang in August, researchers warned at the time that because arrests were not made, key members of the gang were likely to regroup and continue committing cybercrimes.

In an Oct. 5 blog post, Cisco Talos said it believed the gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the takedown. The post said that while the multi-agency raid took down the group’s command-and-control servers, it had not impacted their spam delivery infrastructure.

Cisco Talos made the link between Qakbot and the Ransom Knight ransomware-as-a-service malware by connecting metadata found in a malicious LNK file attached to an email lure used in the latest campaign with a machine used in previous Qakbot campaigns.

The research team had previously used LNK file metadata to identify and track threat actors, including those behind Qakbot. In August, the month of the takedown, it discovered an LNK file used in a Ransom Knight campaign that had been created on a machine previously identified as being used in Qakbot campaigns.

Cisco Talos said it found other similarities between the new campaign and some common traits used in the Qakbot group’s earlier campaigns. These included “themes of urgent financial matters” used in the filenames of the LNK files victims were duped into opening – for example: “NOT-paid-Invoice-26-August.pdf.lnk”.

“We do not believe the Qakbot threat actors are behind the [Ransom Knight] ransomware-as-a-service offer, but are simply customers of the service,” threat researcher Guilherme Venere wrote in the post.

“As this new operation has been ongoing…


Feds Warn About Snatch Ransomware



US Agency Advisory Sheds Light on the Group’s Activities


The Snatch ransomware group is targeting a wide range of critical infrastructure sectors, including the defense industrial base, food and agriculture, and information technology sectors, according to a new alert issued by U.S. authorities.


The group first appeared in 2018 and operates on a ransomware-as-a-service model, conducting operations involving data exfiltration and double extortion.

A joint advisory from the Cybersecurity and Infrastructure Security Agency and the FBI on Wednesday said that the group was earlier referred to as Team Truniger, based on the nickname of a key group member, Truniger, who operated as a GandCrab affiliate (see: Alleged GandCrab Distributor Arrested in Belarus).

Snatch threat actors employ different methods to gain access to and maintain persistence on a victim’s network. Their affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol for brute-forcing and gaining administrator credentials to victims’ networks.

In some instances, Snatch affiliates have sought out compromised credentials from criminal forums or marketplaces and gained persistence on a victim’s network by compromising an administrator account and establishing connections over HTTPS to a command-and-control server located on a Russian bulletproof hosting service.

The group also used previously stolen data bought from other ransomware actors to harass victims into paying extortion by threatening to release the data on its leak site.

Snatch uses different tactics, techniques and procedures to…


Feds Fear Flipper Zero Use By Far-Right, Documents Show


Police departments in major cities have been put on alert over the Flipper Zero hacking tool and expressed concern over its potential use by racially motivated extremists, documents obtained by the Daily Dot show.

In an April 6, 2023 bulletin from the South Dakota Fusion Center (SDFC), which compiles and shares intelligence with law enforcement regarding perceived domestic threats, warnings were given about the possibility of extremist groups seeking to utilize the popular device.

“The NYPD Intelligence and Counterterrorism Bureau (ICB) assesses that racially and ethnically motivated violent extremists (REMVEs) may seek to exploit the hacking capabilities of a new cyber penetration tester, known as the Flipper Zero, in order to bypass access control systems,” the bulletin states.


REMVEs are described as any “loosely organized movement of individuals and groups that espouse some combination of racist, anti-Semitic, xenophobic, Islamophobic, misogynistic, and homophobic ideology,” a report from the Rand Corporation states.

“The majority of REMVE actors are motivated by cultural nationalism or White supremacy—beliefs that Caucasian or ‘Aryan’ peoples represent superior races, and that ‘White culture’ is superior to other cultures,” the report adds.

In the intelligence bulletin, which the Daily Dot obtained through the Freedom of Information Act (FOIA), the NYPD ICB is said to be monitoring discussions of the Flipper Zero on the messaging app Telegram among groups such as “domestic and international hackers, hobbyists, doomsday preppers, and most notably, REMVEs and accelerationists.”

The Flipper Zero is a portable digital multi-tool that can hack everything from radio protocols to access control systems. The device is capable of cloning RFID cards, such as those used to open hotel rooms, and has been shown to be able to bypass the security on certain brands of electronic safes. While the device is able to perform some impressive feats, its capabilities have also been greatly exaggerated in staged TikTok videos.

While the NYPD ICB admits that it has not observed REMVEs “explicitly discuss the potential for Flipper Zero…


Sen. Ron Wyden wants feds to investigate Microsoft for cyber failings enabling Chinese hack


Sen. Ron Wyden wants federal investigators to probe Microsoft’s cybersecurity services that the Oregon Democrat said enabled a China-linked hack of the Biden administration.

China-based cyberattackers stole email data in a hacking campaign this year directed at the U.S. government that disrupted the Commerce Department, according to government officials and Microsoft.

As federal officials investigate those breaches, Mr. Wyden said Microsoft deserves most of the blame. He made that argument in a letter to federal agencies last week, asking them to hold the Big Tech company accountable.

“While Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits,” the senator wrote. “That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”
