Four Chinese Nationals Working With the Ministry of State Security Charged With Global Computer Intrusion Campaign – Homeland Security Today

A federal grand jury in San Diego, California, returned an indictment in May charging four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities, and government entities in the United States and abroad between 2011 and 2018. The indictment, which was unsealed on Friday, alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes. The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province.

The two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏) were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities. The indictment alleges that Wu Shurong (吴淑荣) was a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers.

The conspiracy’s hacking campaign targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom. Targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime. Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology…


FBI ‘Drive-By’ Hacking Warning Suddenly Gets Real—Change This Critical Setting Today

When the FBI warned that hackers can use the smart gadgets you have at home “to do a virtual drive-by of your digital life,” it was smart connected gadgets they had in mind. This week’s report into a vulnerability with cheap smart plugs available on Amazon can be added to recent warnings about kitchen gadgets and security cameras.

But there was also a more worrying story this week, one of much greater concern. Reports suggested that a home internet router had been remotely attacked, exploiting its factory-set password to hijack an IP address to mask “illicit” activity. In my view, the specific attack alleged in these reports is implausible, but I agree that a router in such a default state is a very serious risk.

“I don’t think people even understand what a router does,” warns ESET cyber guru Jake Moore. “Most people don’t want to change the password, let alone go into the settings on the router. Many people don’t even realize there are two passwords.”

And so, the highlighting of this issue this week is critical. Treat your router like your internet “mothership,” Moore says. “Lots of people haven’t changed their ISP for years, and so they’ll have an old router, possibly six, even ten years old.” And that means that the security on the device itself is likely lacking, and you probably haven’t been into the settings, updated the firmware or changed the password for years—if ever.

Routers are computers, air traffic control systems for all the connections in your house. And while your WiFi SSID and password enable someone to join your network, that person needs to be nearby. The router itself, by contrast, can be compromised remotely.

I have commented before on broader IoT security: give some thought to the number of devices you connect to your home internet, and remember that each device is a bridge between your home and the outside world. Think that through.

For those you do connect—including computers, phones, tablets, smart toys, kitchen gadgets, appliances, TVs and the rest—change all default passwords, and make each one unique; use a password manager or write them down. Update the firmware and enable auto-updates if…


NIST Releases Tips and Tactics for Dealing With Ransomware – Homeland Security Today

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

Used in cyberattacks that can paralyze organizations, ransomware is malicious software that encrypts a computer system’s data and demands payment to restore access. To help organizations protect against ransomware attacks and recover from them if they happen, the National Institute of Standards and Technology (NIST) has published an infographic offering a series of simple tips and tactics.

NIST’s advice includes:

  • Use antivirus software at all times — and make sure it’s set up to automatically scan your emails and removable media (e.g., flash drives) for ransomware and other malware.
  • Keep all computers fully patched with security updates.
  • Use security products or services that block access to known ransomware sites on the internet.
  • Configure operating systems or use third-party software to allow only authorized applications to run on computers, thus preventing ransomware from working.
  • Restrict or prohibit use of personally owned devices on your organization’s networks and for telework or remote access unless you’re taking extra steps to assure security.

NIST also advises users to follow these tips for their work computers:

  • Use standard user accounts instead of accounts with administrative privileges whenever possible.
  • Avoid using personal applications and websites, such as email, chat and social media, on work computers.
  • Avoid opening files, clicking on links, etc. from unknown sources without first checking them for suspicious content. For example, you can run an antivirus scan on a file, and inspect links carefully.

Unfortunately, even with protective measures in place, eventually a ransomware attack may still succeed. Organizations can prepare for this by taking steps to ensure that their information will not be corrupted or lost, and that normal operations can resume quickly.

NIST recommends that organizations follow these steps to accelerate their recovery:

  • Develop and implement an incident recovery plan with defined roles and strategies for decision making.
  • Carefully plan, implement and test a data backup and restoration strategy. It’s important not only to have secure backups of all your important data, but also to make sure that backups are kept…


Emotet malware forcibly removed today by German police update

Emotet, one of the most dangerous email spam botnets in recent history, is being uninstalled today from all infected devices with the help of a malware module delivered in January by law enforcement.

The botnet’s takedown is the result of an international law enforcement action that allowed investigators to take control of Emotet’s servers and disrupt the malware’s operation.

Emotet was used by the TA542 threat group (aka Mummy Spider) to deploy second-stage malware payloads, including QBot and Trickbot, onto its victims’ compromised computers.

TA542’s attacks usually led to full network compromise and the deployment of ransomware payloads on all infected systems, such as ProLock or Egregor delivered via QBot, and Ryuk or Conti delivered via TrickBot.

How the Emotet uninstaller works

After the takedown operation, law enforcement pushed a new configuration to active Emotet infections so that the malware would begin to use command and control servers controlled by the Bundeskriminalamt, Germany’s federal police agency.

Law enforcement then distributed a new Emotet module, in the form of a 32-bit EmotetLoader.dll, to all infected systems; the module automatically uninstalls the malware on April 25th, 2021.

Malwarebytes security researchers Jérôme Segura and Hasherezade took a closer look at the uninstaller module delivered by the law enforcement-controlled Emotet servers.

After changing the system clock on a test machine to trigger the module, they found that it only deletes the associated Windows services and autorun Registry keys, then exits the process, leaving everything else on the compromised devices untouched.

“For this type of approach to be successful over time, it will be important to have as many eyes as possible on these updates and, if possible, the law enforcement agencies involved should release these updates to the open internet so analysts can make sure nothing unwanted is being slipped in,” Marcin Kleczynski, CEO of Malwarebytes, told BleepingComputer.

“That all said, we view this specific instance as a unique situation and encourage our industry partners to view this as an isolated event that required a special solution and not as an opportunity to set policy moving forward.”