
What Tens of Thousands of Machines Witness


Collaborative Security

Disclaimer: This article is meant to give insight into cyber threats as seen by the community of users of CrowdSec.

What can tens of thousands of machines tell us about illegal hacker activities?

Do you remember that scene in Batman – The Dark Knight, where Batman uses a system that aggregates active sound data from countless mobile phones to create a meta sonar feed of what is going on at any given place?

It is an interesting analogy for what we do at CrowdSec. By aggregating intrusion signals from our community, we can offer a clear picture of what is going on in terms of illegal hacking around the world.

After 2 years of activity, analyzing 1 million intrusion signals daily from tens of thousands of users in 160 countries, we are starting to have an accurate “Batman sonar” global feed of cyber threats. And there are some interesting takeaways to outline.

A cyber threat with many faces

First of all, the global cyber threat is highly diverse. What do we see when looking at the types of attacks reported, their origin, and the Autonomous Systems (AS) behind the malicious IP addresses?

Scanning and brute-force attempts are still the most common intrusion vectors our community sees, and scanning ranks #1. That is logical, since reconnaissance is the first step toward a more advanced intrusion. The scanning activity reported by our community consists mostly of port scans and HTTP-based probing.

Among the different intrusion types used by attackers, brute-force attempts on sensitive services (SSH, email, admin URLs, etc.) rank #2. Not breakthrough information, but when studies show that brute-force attacks account for 6% of cyber attacks worldwide, it is not surprising to see them rank so high, especially since they remain one of the easiest and cheapest techniques to automate and deploy (hello script kiddies). Because it is fairly easy to counter, one would think it rarely works, but hey, 6%!
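To make concrete what an “intrusion signal” for an SSH brute-force attempt looks like before it is aggregated, here is an added example (not CrowdSec’s own code) of a sliding-window detector run over sshd auth log lines. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold of 5 failures, the 60-second window and the assumed log year are illustrative parameters, not values from the article. It also shows the failure mode a naive window misses: a slow attacker spacing attempts two minutes apart is invisible at a 60-second window and only appears once the window is widened.

```python
"""Added example: sliding-window SSH brute-force detection over sshd auth log lines.

Not CrowdSec's code. The log lines below are constructed (RFC 5737 documentation
addresses); threshold, window and the assumed log year are illustrative parameters.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines in classic syslog format (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line, year=2023):
    """Return (timestamp, ip, user) for a failed sshd login, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (assumption: 2023).
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Mar  5" -> "Mar 5")
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: time_of_first_alert} for every source IP that produced
    `threshold` or more failed logins inside any `window_seconds` sliding window.

    Lines must be in chronological order, as they are in a log file.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are not signals
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


# Constructed sample log: one fast attacker (203.0.113.7), one legitimate user who
# mistypes a password twice (198.51.100.20), and one slow attacker (192.0.2.9).
SAMPLE_AUTH_LOG = [
    "Mar  5 10:00:01 bastion sshd[2101]: Accepted publickey for ops from 198.51.100.20 port 50211 ssh2",
    "Mar  5 10:00:05 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2",
    "Mar  5 10:00:09 bastion sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 41003 ssh2",
    "Mar  5 10:00:12 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 41004 ssh2",
    "Mar  5 10:00:15 bastion sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 41005 ssh2",
    "Mar  5 10:00:20 bastion sshd[2106]: Failed password for root from 203.0.113.7 port 41006 ssh2",
    "Mar  5 10:00:31 bastion sshd[2107]: Failed password for ops from 198.51.100.20 port 50212 ssh2",
    "Mar  5 10:00:40 bastion sshd[2108]: Failed password for root from 203.0.113.7 port 41007 ssh2",
    "Mar  5 10:01:02 bastion sshd[2109]: Failed password for ops from 198.51.100.20 port 50213 ssh2",
    "Mar  5 10:01:10 bastion sshd[2110]: Accepted password for ops from 198.51.100.20 port 50213 ssh2",
    "Mar  5 10:02:00 bastion sshd[2111]: Failed password for root from 192.0.2.9 port 33001 ssh2",
    "Mar  5 10:04:00 bastion sshd[2112]: Failed password for root from 192.0.2.9 port 33002 ssh2",
    "Mar  5 10:06:00 bastion sshd[2113]: Failed password for root from 192.0.2.9 port 33003 ssh2",
    "Mar  5 10:08:00 bastion sshd[2114]: Failed password for root from 192.0.2.9 port 33004 ssh2",
    "Mar  5 10:10:00 bastion sshd[2115]: Failed password for root from 192.0.2.9 port 33005 ssh2",
]

if __name__ == "__main__":
    for window in (60, 600):
        hits = detect_bruteforce(SAMPLE_AUTH_LOG, threshold=5, window_seconds=window)
        print(f"window={window}s:", {ip: ts.strftime("%H:%M:%S") for ip, ts in hits.items()})
```

With the 60-second window only 203.0.113.7 is flagged (at its fifth failure, 10:00:20); widening the window to 600 seconds also catches 192.0.2.9 at 10:10:00, while the legitimate user with two typos is never flagged. Choosing the window is the real tuning decision: too narrow and low-and-slow attempts slip through, too wide and a clumsy user starts to look like an attacker.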


Log4j is still not a done deal

Among the most popular exploit attempts our community sees is Log4j. You no doubt remember last year’s storm, when a vulnerability in a simple open-source Java logging library from the Apache Software Foundation took over the cybersecurity world and caused endless headaches for security teams. And, of course,…

Source…

High-Level Organizer of Notorious Hacking Group Sentenced to Prison for Scheme that Compromised Tens of Millions of Debit and Credit Cards | OPA


A Ukrainian national was sentenced today in the Western District of Washington to 10 years in prison for his high-level role in the criminal work of the hacking group FIN7.

Fedir Hladyr, 35, served as a manager and systems administrator for FIN7. He was arrested in Dresden, Germany, in 2018, at the request of U.S. law enforcement and was extradited to Seattle, Washington. In September 2019, he pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

“The defendant and his conspirators compromised millions of financial accounts and caused over a billion dollars in losses to Americans and costs to the U.S. economy,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “Protecting businesses – both large and small – online is a top priority for the Department of Justice. The department is committed to working with our international partners to hold such cyber criminals accountable, no matter where they reside or how anonymous they think they are.”

“This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,” said Acting U.S. Attorney Tessa M. Gorman of the Western District of Washington. “This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”

“These cyber thieves orchestrated an elaborate network of hackers and systems to infiltrate businesses and exploit consumers’ personal information,” said Special Agent in Charge Donald M. Voiret of the FBI’s Seattle Field Office. “Their specialized skills to target certain industries amplified the damage exponentially. Thanks to the hard work of law enforcement partners both in the U.S. and overseas, these fraudsters are not beyond our reach and cannot hide from the law.”

According to documents filed in the case, since at least 2015, members of FIN7 (also referred to as…

Source…

Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack



Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application, it was widely reported. Microsoft issued emergency patches on Tuesday, but they do nothing to disinfect systems that are already compromised.

KrebsOnSecurity was the first to report the mass hack. Citing multiple unnamed people, reporter Brian Krebs put the number of compromised US organizations at at least 30,000. Worldwide, Krebs said there were at least 100,000 hacked organizations. Other news outlets, also citing unnamed sources, quickly followed with posts reporting that the hack had hit tens of thousands of organizations in the US.

Assume compromise

“This is the real deal,” Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange servers and their Internet-facing web front end, Outlook Web Access (OWA). “If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.” His comments accompanied a tweet on Thursday from Jake Sullivan, the White House national security advisor to President Biden.

Hafnium has company

Microsoft on Tuesday said on-premises Exchange servers were being hacked in “limited targeted attacks” by a China-based hacking group the software maker is calling Hafnium. Following Friday’s post from Brian Krebs, Microsoft updated its post to say that it was seeing “increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”

Katie Nickels, director of intelligence at security firm Red Canary, told Ars that her team has found Exchange servers that were…

Source…