Tag Archive for: targeting

Research reveals a resurfaced botnet targeting end-of-life devices


Research from the Black Lotus Labs team at Lumen Technologies has identified multi-year efforts to target end-of-life (EoL) and IoT devices. Small home and small office routers are a particular target of this campaign, which is associated with an updated version of malware known as TheMoon.

“As we’ve expanded the types of devices that have operating systems in them, we haven’t kept up with the lessons learned from desktop and server computing, namely that automatic updates are the norm. This problem is exacerbated by consumers using devices for much longer periods of time than manufacturers want,” says John Bambenek, President at Bambenek Consulting. “By using security updates as leverage for buying new products, the net result is infected devices that are used in cybercrime. Criminals have all the time in the world to be patient, they are already netting a strong cash flow and there are more infectable devices than they have time to exploit.”

TheMoon emerged in 2014 and has been operating quietly ever since. By January and February of 2024 it had grown to more than 40,000 bots across 88 countries. Many of these bots serve as the foundation of a cybercriminal-focused proxy service called Faceless.

Faceless is a malicious service that sells anonymity to cybercriminals for a negligible price. Malicious actors using Faceless route their traffic through the infected devices to hide its true origin.

Jason Soroko, the Senior Vice President of Product at Sectigo, says, “Routers and other networking equipment that use passwords have been easy victims to pray and spray attacks for years. It is unfortunate that stronger forms of authentication are not common. What’s new here is the usage of proxy networks for C2 traffic obfuscation. It shows that de-anonymizing Tor and VPN traffic is not only happening, but has been successfully used against attackers.”


What is Volt Typhoon? A cybersecurity expert explains the Chinese hackers targeting US critical infrastructure


Volt Typhoon is a Chinese state-sponsored hacker group. The United States government and its primary global intelligence partners, known as the Five Eyes, issued a warning on March 19, 2024, about the group’s activity targeting critical infrastructure.

The warning echoes analyses by the cybersecurity community about Chinese state-sponsored hacking in recent years. As with many cyberattacks and attackers, Volt Typhoon has many aliases and also is known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite and Insidious Taurus. Following these latest warnings, China again denied that it engages in offensive cyberespionage.

Volt Typhoon has compromised thousands of devices around the world since it was publicly identified by security analysts at Microsoft in May 2023. However, some analysts in both the government and cybersecurity community believe the group has been targeting infrastructure since mid-2021, and possibly much longer.

Volt Typhoon's malicious software penetrates internet-connected systems by exploiting weaknesses such as weak administrator passwords, factory-default logins and devices that have not been updated regularly. The hackers have targeted communications, energy, transportation, water and wastewater systems in the U.S. and its territories, such as Guam.
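Both the Sectigo quote above (password-based logins on routers falling to spraying) and this paragraph (weak or factory-default administrator passwords as the entry point) describe the same access pattern: one source trying a few passwords across many accounts. The following detector is an added example, not code from Lumen, the Five Eyes advisory or any vendor named on this page. It runs over constructed syslog-style SSH lines (the log format, hostnames and addresses are assumptions for illustration) and flags a source that fails logins for many distinct usernames inside a short window, which is the breadth-over-depth signature of a spray rather than a single brute-forced account.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an OpenSSH-like syslog format; not from any real device.
SAMPLE_LOG = """\
2024-03-19T10:00:01Z router sshd: Failed password for admin from 203.0.113.7
2024-03-19T10:00:03Z router sshd: Failed password for root from 203.0.113.7
2024-03-19T10:00:05Z router sshd: Failed password for user from 203.0.113.7
2024-03-19T10:00:07Z router sshd: Failed password for support from 203.0.113.7
2024-03-19T10:00:09Z router sshd: Failed password for guest from 203.0.113.7
2024-03-19T10:00:11Z router sshd: Accepted password for admin from 203.0.113.7
2024-03-19T10:05:00Z router sshd: Failed password for alice from 198.51.100.4
2024-03-19T10:05:30Z router sshd: Failed password for alice from 198.51.100.4
2024-03-19T10:06:00Z router sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def detect_spray(events, window_seconds=300, min_distinct_users=4):
    """Flag source addresses that fail logins for many distinct usernames
    within window_seconds. A user who mistypes their own password twice
    (one username, several failures) does not trip this; a spray does.
    Also report which accounts that source eventually logged into, since a
    spray followed by an Accepted line is the case that needs a response."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails_by_src[e["src"]].append(e)

    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        # Slide a window starting at each failure and count distinct usernames.
        for i, start in enumerate(fails):
            users = set()
            for e in fails[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                users.add(e["user"])
            if len(users) >= min_distinct_users:
                accepted = sorted({e["user"] for e in events
                                   if e["src"] == src and e["result"] == "Accepted"})
                findings[src] = {
                    "distinct_users": len(users),
                    "accepted_logins_from_src": accepted,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {src}: {info['distinct_users']} usernames, "
              f"later accepted as {info['accepted_logins_from_src']}")
```

The thresholds (four usernames in five minutes) are deliberately low so the constructed sample trips them; on a real router or jump host, tune them against a baseline, and treat any source that appears here and then appears on an Accepted line as a likely compromised credential rather than a nuisance.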

In many ways, Volt Typhoon functions similarly to the traditional botnet operators that have plagued the internet for decades. It takes control of vulnerable internet devices such as routers and security cameras to hide its activity and establish a beachhead, and later uses those devices to launch further attacks.

Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack. Worse, defenders could accidentally retaliate against a third party who is unaware that they are caught up in Volt Typhoon’s botnet.

Why Volt Typhoon matters

Disrupting critical infrastructure has the potential to cause economic harm around the world. Volt Typhoon’s operation also poses a threat to the U.S. military by potentially disrupting power and water to military facilities and critical supply chains.

FBI Director…


Ransomware attackers are increasingly targeting backups — so make sure yours are protected


When deploying ransomware on a target system, threat actors will almost always look to compromise the backups, too. 

Organizations that lose their backups end up paying more in ransom and losing even more in the recovery process, according to a new report from cybersecurity researchers at Sophos, which underlines the importance of keeping backups safe.


Chinese Hackers Indicted in New York for Targeting Government


(TNS) — A band of hackers sent a years-long barrage of malicious e-mails to U.S. politicians, government officials, and private companies as part of a Chinese espionage and intelligence operation, federal prosecutors in Brooklyn said.

The feds on Monday announced the indictment of seven members of a Chinese state-run hacking operation, known in the cybersecurity community as Advanced Persistent Threat 31 (APT31), which has been running out of Wuhan since 2010. The indicted suspects all live in China and have not been arrested by U.S. law enforcement agents.

The group sent tens of thousands of phishing e-mails to government and political officials in the U.S., as well as their family members and other contacts, usually pretending to be from prominent American journalists, according to the indictment.
The e-mails had links to what looked like real news articles, but opening the e-mail would activate a tracking link, sending location, device and network data back to a server controlled by the hackers.

They’d then use that info to target home routers and electronic devices, the feds allege.
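The tracking link mechanism described above works because the hidden server learns the recipient's IP address, User-Agent and network details as soon as the link or an embedded image is fetched, and a per-recipient token in the URL ties that data to the person who was targeted. The scanner below is an added example, not code from the indictment or from any of the parties named on this page. It parses a constructed HTML e-mail (the domains, paths and tokens are made up for illustration) and flags three things a mail filter or analyst would look for: a link whose visible text is a news URL but whose href points elsewhere, a long opaque token in a link's query string, and a one-pixel remote image.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message body; the hosts use reserved .test/.invalid TLDs.
SAMPLE_EMAIL_HTML = """\
<p>Hi, thought you'd find this piece interesting:</p>
<p><a href="http://cdn-link.invalid/r?u=7f3a9c2e1b4d&amp;id=fd0a61c3b7e2914a">
https://www.example-news.test/politics/story-1234</a></p>
<p><a href="https://www.example-news.test/about">About the author</a></p>
<p><img src="http://cdn-link.invalid/px.gif?id=fd0a61c3b7e2914a" width="1" height="1"></p>
"""

# Opaque identifiers of the kind used to tie a fetch back to one recipient.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{12,}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for anchors and (src, attrs) for images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = [a["href"], ""]
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a))

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def analyse_email(html):
    """Return a list of findings, each {'kind': ..., 'url': ...}."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []

    for href, text in parser.links:
        parsed = urlparse(href)
        # Visible text that is itself a URL must point at the same host as the href.
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if shown_host != (parsed.hostname or ""):
                findings.append({"kind": "display_href_mismatch", "url": href})
        # Any query value that looks like an opaque per-recipient token.
        values = [v for vals in parse_qs(parsed.query).values() for v in vals]
        if any(TOKEN_RE.match(v) for v in values):
            findings.append({"kind": "per_recipient_token", "url": href})

    for src, attrs in parser.images:
        # A remote 1x1 image exists only to be fetched, i.e. a tracking pixel.
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            findings.append({"kind": "tracking_pixel", "url": src})

    return findings


if __name__ == "__main__":
    for f in analyse_email(SAMPLE_EMAIL_HTML):
        print(f"{f['kind']:24} {f['url']}")
```

Legitimate newsletters also use click trackers and pixels, so on its own each finding is a signal, not a verdict; the combination that matters here is a displayed news URL masking a different host that also carries a unique token, because that is exactly what lets the sender attribute the resulting IP and device data to one named recipient.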

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies,” Attorney General Merrick Garland said Monday.

The targets included White House officials and their spouses, officials with the departments of Justice, Commerce, Treasury and State, and senators from both parties across 10 states. The hackers also tried their e-mail schemes on defense contractors, political strategists, commentators and advocates, according to the feds.

In May 2020, the hackers targeted staffers for a presidential campaign — the indictment wouldn’t say which campaign — and sent out tracking e-mails to more political campaigns that November, the feds allege.

Dissidents critical of the Chinese government and their supporters also found themselves in the hackers’ crosshairs, the feds said.

They also used custom malware and “zero-day exploits,” so named because they take…
