Tag Archive for: russian

Attempted Hack of R.N.C. and Russian Ransomware Attack Test Biden


Last month, Mr. Biden used the summit with Mr. Putin to make the case that ransomware was emerging as an even larger threat, causing the kind of economic disruption that no state could tolerate. Mr. Biden specifically cited the halting of the flow of gasoline on the East Coast after an attack on Colonial Pipeline in June, as well as the shutdown of major meat-processing plants and earlier ransomware attacks that paralyzed hospitals.

The issue has become so urgent that it has begun shifting the negotiations between Washington and Moscow, raising the control of digital weapons to a level of urgency previously seen largely in nuclear arms control negotiations. On Tuesday, the White House press secretary, Jen Psaki, said American officials will meet with Russian officials next week to discuss ransomware attacks — a dialogue the two leaders had agreed upon at their summit in Geneva.

On Saturday, as the attacks were underway, Mr. Putin gave a speech timed to the rollout of Russia’s latest national security strategy that outlines measures to respond to foreign influence. The document claimed that Russian “traditional spiritual-moral and cultural-historical values are under active attack from the U.S. and its allies.”

While the strategy reaffirmed Moscow’s commitment to using diplomacy to resolve conflicts, it stressed that Russia “considers it legitimate to take symmetrical and asymmetric measures” to prevent “unfriendly actions” by foreign states.

The remarks, cybersecurity experts said, were Mr. Putin’s response to the summit with Mr. Biden.

“Biden did a good job laying down a marker, but when you’re a thug, the first thing you do is test that red line,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “And that’s what we’re seeing here.”

Mr. Lewis added that “low-end penalties” like sanctions had been exhausted. “The White House will have to use more aggressive measures, whether that is something in cyberspace, or a more painful legal or financial maneuver,” he said.

Stronger measures have long been debated, and occasionally used. When Russian…

Source…

U.S., U.K. intel: Russian military hacking attempts “certainly still ongoing”


United States and United Kingdom intelligence agencies said in a report Thursday that Russian military hackers over the last three years have tried to access the computer networks of “hundreds of government and private sector targets worldwide” and warned that those “efforts are almost certainly still ongoing.”

Why it matters: The security agencies cautioned that the military cyber unit, best known for hacking the Democratic National Committee and other political targets during the 2016 election, is still focusing on political consultants, political parties and think tanks, though they did not specify any targets by name.

  • The report is a joint advisory to network defenders published by the U.S. National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC).

How it works: The agencies said hackers working for Russia’s General Staff Main Intelligence Directorate 85th Main Special Service Center (GTsSS) first attempt to gain login credentials to governmental or private-sector networks by conducting “widespread, distributed, and anonymized brute force access attempts” using Kubernetes.

  • The hackers can then use the valid credentials they obtain to expand their access to the targeted network, evade detection and defenses, and ultimately access and exfiltrate protected data, including information from emails.
  • While brute-force password guessing campaigns are not new, the NSA said the “GTsSS uniquely leveraged software containers to easily scale its brute force attempts.”
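The distributed, low-and-slow pattern the advisory describes defeats per-IP lockout thresholds, so defenders have to correlate across sources and accounts. The following detection logic is an added example, not code from the advisory or any agency; the log format and sample lines are constructed for illustration.

```python
from collections import defaultdict
import re

# Constructed sample auth log (assumed format: <timestamp> <RESULT> user=<account> src=<ip>).
# 203.0.113.5 sprays one guess each across many accounts; "erin" is hit once per
# rotating source, so no single IP ever trips a per-IP lockout, then a login succeeds.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL user=alice src=203.0.113.5
2021-07-01T10:00:02Z FAIL user=bob src=203.0.113.5
2021-07-01T10:00:03Z FAIL user=carol src=203.0.113.5
2021-07-01T10:00:04Z FAIL user=dave src=203.0.113.5
2021-07-01T10:01:00Z FAIL user=erin src=198.51.100.7
2021-07-01T10:01:05Z FAIL user=erin src=198.51.100.8
2021-07-01T10:01:10Z FAIL user=erin src=198.51.100.9
2021-07-01T10:01:15Z OK user=erin src=198.51.100.10
2021-07-01T10:02:00Z OK user=frank src=192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples in file order; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events

def detect_spray(events, min_accounts=3):
    """One source failing against many distinct accounts: a password spray."""
    accounts_by_src = defaultdict(set)
    for _, result, user, src in events:
        if result == "FAIL":
            accounts_by_src[src].add(user)
    return {src: sorted(users) for src, users in accounts_by_src.items()
            if len(users) >= min_accounts}

def detect_distributed_guessing(events, min_sources=3):
    """One account failing from many distinct sources and then succeeding:
    distributed guessing that ended in a valid credential (worth an immediate review)."""
    fail_srcs = defaultdict(set)
    confirmed = {}
    for _, result, user, src in events:  # events are already in time order
        if result == "FAIL":
            fail_srcs[user].add(src)
        elif result == "OK" and len(fail_srcs[user]) >= min_sources:
            confirmed[user] = {"sources": len(fail_srcs[user]), "success_src": src}
    return confirmed
```

Both checks key on cardinality (distinct accounts per source, distinct sources per account) rather than raw failure counts, which is what makes the one-guess-per-IP pattern visible.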

What they’re saying: “The advisory warns system administrators that exploitation is almost certainly ongoing,” the NSA said. “Targets have been global, but primarily focused on the United States and Europe.”

  • “Targets include government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.”

The big picture: The report comes on the heels of a summit between President Biden and Russian President Vladimir Putin, during which Biden threatened to use the U.S.’…

Source…

John Anthony Smith: Russian Speaking REvil Group Is Actively Causing Widespread Cyber Terror


(John Anthony Smith, president of the fast-growing Conversant Group on the Southside, advises on Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).

Similar in some ways to the global SolarWinds breach that occurred last year, threat actors have once again breached another system used for monitoring, patching, and remote administration.[1] On Friday, it became publicly known that Kaseya, a well-known player in Remote Monitoring and Management (RMM) tools, had succumbed to a supply chain compromise. Kaseya’s RMM, known as VSA, is commonly used by Managed Service Providers to manage, monitor, and patch their customers’ infrastructures.

REvil Group was able to breach Kaseya’s VSA system and use that system to destroy backups and subsequently encrypt over 200 organizations’ data. Kaseya VSA, by the nature of how its system works, has highly privileged access to the infrastructures in which it is deployed, as it is used to monitor, manage, and patch systems. Thus, REvil was able to orchestrate this malicious attack nearly unthwarted by security controls. On Friday, Kaseya sent out a warning of a potential attack and urged customers to shut down their servers running the service. According to Kaseya’s web site, more than 40,000 organizations use their products.

REvil is demanding $50,000 in ransom from smaller companies and $5 million from larger ones.[2] REvil is a Russian-speaking hacking group that is highly active, and they are the same group of threat actors that successfully collected an $11 million ransom from JBS Meats. It is widely believed that REvil operates from Russia, and this recent compromise comes on the heels of President Joe Biden’s meeting with Russian President Vladimir Putin in Geneva. It is obvious that Biden’s conversation has invoked little action, at least thus far, in reining in REvil’s continued attacks.


Ransomware attacks have spiked in the past 1.5 years with $412 million in ransom payments being paid last year alone, and…

Source…

Russian military targeted passwords in wide-ranging hacking campaign, US and UK officials say


For months, Russian military hackers have engaged in a campaign to compromise the passwords of people employed in sensitive jobs at hundreds of organizations worldwide including US and European government and military agencies, US and British national security officials said Thursday.

The extensive effort also targeted political parties, government offices, defense contractors, energy companies, think tanks, law firms, media outlets and universities, the officials said.

The password-hacking campaign, which officials believe is almost certainly still ongoing, is part of a broader effort by Russia’s GRU to collect information from a wide range of sensitive targets, said a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ.

It is distinct from other Russian operations in cyberspace such as the SolarWinds campaign — which was instead carried out by Russia’s foreign intelligence service, the SVR, and relied on malicious code secretly embedded in trusted software rather than direct attacks on user passwords.

This campaign, which involved attempts to break the passwords of people affiliated with major organizations worldwide, began in mid-2019 and while aspects of it have been publicly reported, the US government is attributing it to Russia’s military intelligence agency, the GRU, for the first time this week.

The advisory released Thursday does not specify how often these attacks were successful, but it does say that the actors “have used” identified account credentials in conjunction with known vulnerabilities.

“The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns,” according to John Hultquist, VP of Analysis, Mandiant Threat Intelligence. “Despite our best efforts we are very unlikely to ever stop Moscow from spying.”

One high-profile example of the campaign was disclosed last September, when Microsoft said it had detected attacks on passwords belonging to tens of thousands of…

Source…