Tag Archive for: Infrastructure

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure


U.S. Critical Infrastructure

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.

There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware’s private decryption key.

Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.

Cybersecurity

A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.

“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process,” the agencies said. “Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access.”

The e-crime…

Source…

U.S. Government Disrupts Botnet People’s Republic Of China Used To Conceal Hacking Of Critical Infrastructure


FBI News:

A December 2023 court-authorized operation has disrupted a botnet of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers.

The hackers, known to the private sector as “Volt Typhoon”, used privately-owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims.

These further hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere that was the subject of a May 2023 FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and foreign partner advisory.

The same activity has been the subject of private sector partner advisories in May and December 2023, as well as an additional secure by design alert released recently by CISA.

The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates. The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” Attorney General Merrick B. Garland said. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”

“In wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real time,” Deputy Attorney General Lisa O. Monaco said.  “Today’s announcement also highlights our critical partnership with the private sector – victim reporting is key to fighting cybercrime, from home offices to our most critical…

Source…

Chinese hackers’ 5-years in US infrastructure


Volt Typhoon, a group of Chinese hackers, has resided in critical industry networks for 5+ years.
  • Per US-led advisory, Volt Typhoon, a group of Chinese hackers, has been operating within critical industry networks for 5+ years.
  • The advisory shows compromised environments span the continental US and Guam, involving allied agencies from Australia, Canada, the UK, and New Zealand.
  • FBI Director Wray warns Congress that Chinese hackers are poised to strike US infrastructure and cause harm to citizens.

In the shadowy field of cyber-espionage, one name has emerged as a persistent thorn in the side of US critical infrastructure: Volt Typhoon. For at least five years, this enigmatic group of Chinese hackers has covertly infiltrated critical IT networks across America, sending shockwaves through the nation’s security apparatus. Believed to be backed by the Chinese government, it operates with stealth and precision, targeting a wide array of sectors vital to the nation’s infrastructure. 

No sector is immune from its prying eyes, from communications and energy to transportation systems and water facilities. Who exactly are the members of Volt Typhoon, and what have they been doing in the heart of US critical infrastructure for half a decade? Let’s delve into the clandestine world of cyber-warfare and geopolitical maneuvering.

What has the Volt Typhoon been doing?

In a joint advisory published on Wednesday, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI revealed that the state-sponsored group of hackers from China had infiltrated networks spanning aviation, rail, mass transit, highway, maritime, pipeline, water, and sewage sectors. 

This alarming development signals a strategic shift from their usual cyber-espionage tactics to a focus on pre-positioning for potential destructive cyberattacks in times of conflict or crisis. The advisory, jointly signed by cybersecurity agencies from the UK, Australia, Canada, and New Zealand, follows a similar…

Source…

U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators


Feb 11, 2024NewsroomMalware / Cybercrime

Warzone RAT Infrastructure

The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone[.]ws and three others – were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers,” the DoJ said.

Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31) have been charged with unauthorized damage to protected computers, with the former also accused of “illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses.”

Cybersecurity

Meli is alleged to have offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Prior to Warzone RAT, he had sold another RAT known as Pegasus RAT.

Like Meli, Odinakachi also provided online customer support to purchasers of Warzone RAT malware between June 2019 and no earlier than March 2023. Both individuals were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector towards the end of 2018 using phishing emails bearing bogus Microsoft Excel files exploiting a known security flaw in the Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (Maas) model for $38 a month (or $196 for a year), it functions as an information stealer and facilitates remote control, thereby allowing threat actors to commandeer the infected hosts for follow-on exploitation.

Some of the notable features of the malware include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate the computer’s webcams without the…

Source…