FBI Security Alerts

  • SalesServiceGuy
    Field Supervisor

    Site Contributor
    5,000+ Posts
    • Dec 2009
    • 7874

    FBI Security Alerts

    Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7

    An FBI alert sent on Tuesday warns companies about the use of out-of-date Windows 7 systems, poor account passwords, and desktop sharing software TeamViewer.

    Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7 | ZDNet

    In the aftermath of the Oldsmar incident, where an unidentified attacker gained access to a water treatment plant's network and modified chemical dosages to dangerous levels, the FBI has sent out an alert on Tuesday, raising attention to three security issues that have been seen on the plant's network following last week's hack.

    The alert, called a Private Industry Notification, or FBI PIN, warns about the use of out-of-date Windows 7 systems, poor passwords, and desktop sharing software TeamViewer, urging private companies and federal and government organizations to review internal networks and access policies accordingly.


    TEAMVIEWER CONSIDERED THE POINT OF ENTRY


    The FBI PIN specifically names TeamViewer as a desktop sharing software to watch out for after the app was confirmed as the attacker's entry point into the Oldsmar water treatment plant's network.

    In a Motherboard report published on Tuesday, several well-known security experts criticized companies and workers who often use the software for remote work, calling it insecure and inadequate for managing sensitive resources.

    While the FBI PIN alert doesn't take a critical tone or stance against TeamViewer, the FBI would like federal and private sector organizations to take note of the app.

    "Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs)," the FBI said.

    "TeamViewer's legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs."

    The FBI alert doesn't specifically tell organizations to uninstall TeamViewer or any other type of desktop sharing software but warns that TeamViewer and other similar software can be abused if attackers gain access to employee account credentials or if remote access accounts (such as those used for Windows RDP access) are secured with weak passwords.
  • SalesServiceGuy
    Field Supervisor

    Site Contributor
    5,000+ Posts
    • Dec 2009
    • 7874

    #2
    Re: FBI Security Alerts

    A new phishing campaign is attempting to lure victims into downloading the latest version of a malware trojan – and it has links to one of the most prolific cyber-criminal operations active in the world today.

    The Bazar trojan first emerged last year and a successful deployment of the trojan malware can provide cyber criminals with a backdoor into compromised Windows systems, allowing them to control the device and gain additional access to the network in order to collect sensitive information or deliver malware, including ransomware.

    Now cybersecurity researchers at Fortinet have identified a new variant of Bazar trojan, which has been equipped with anti-analysis techniques to make the malware harder for anti-virus software to detect.

    These include hiding the malicious APIs in the code and only calling on them when needed, additional code obfuscation, and even encrypting certain strings of the code to make it more difficult to analyse.
    The new techniques were added to Bazar towards the end of January and coincided with a phishing campaign designed to distribute the updated version of the malware.


    • SalesServiceGuy
      Field Supervisor

      Site Contributor
      5,000+ Posts
      • Dec 2009
      • 7874

      #3
      Re: FBI Security Alerts

      Federal prosecutors charge three North Korean hackers accused of conspiring to steal more than $1.3 billion


      Federal prosecutors charged three North Korean hackers with conspiring to steal more than $1.3 billion from banks and companies around the world, the Justice Department announced Wednesday.

      In an indictment unsealed in California, authorities described a range of brazen operations carried out by the trio from 2014 to 2020, targeting high-profile movie studios and cryptocurrency traders with sophisticated technology that national security officials said underscored the country's status as a leading cybercrime threat.

      Members of a military intelligence agency, the three hackers are accused of carrying out the 2014 attack on Sony in retaliation for a movie that lampooned the North Korean leader, as well as a devastating hit on the central bank of Bangladesh in 2016, which netted the rogue nation some $81 million.

      They're also said to have orchestrated digital heists of cryptocurrency and intrusions of ATMs using novel strands of malware.

      "As laid out in today's indictment, North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world's leading bank robbers," said John Demers, the head of the Justice Department's National Security Division, at a news conference.

      As Western sanctions have crippled the North Korean economy, the Justice Department has warned that the country is developing some of the most advanced capabilities to steal money online, distinguishing it from other US adversaries across the globe.

      "The scope of these crimes by the North Korean hackers is staggering. They are the crimes of a nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime," said Tracy Wilkison, the acting US attorney in Los Angeles.

      Officials acknowledged Wednesday that the new charges and wanted posters distributed by the FBI online are not likely to result in the arrest of the hackers, but national security officials favor publicizing charges like these as part of a "name and shame" campaign that draws attention to the issue and serves as a warning to hackers that authorities are watching.

      The FBI and Department of Homeland Security also on Wednesday released a joint advisory and analysis of some of the malware produced and deployed by the North Koreans in their cryptocurrency heists that authorities said was designed to provide the public with information on how to avoid intrusions and remedy any infections.

      The unsealing of the indictment was timed to coincide with the announcement of a plea deal reached in a related case involving a Canadian-American citizen who allegedly laundered money for the North Korean hackers, Justice Department officials said.

      Ghaleb Alaumary was a high-level and trusted money launderer for the North Koreans who, according to a plea agreement, conspired to steal and launder tens of millions of dollars from cyber bank heists.

      Alaumary and others laundered the money through bank accounts, wire transfers and by converting it to cryptocurrency, according to Jesse Baker, special agent in charge of the Secret Service's Los Angeles field office.

      "This laundering was sophisticated and really extensive, but these methods left an information trail. We really had to collect the dots in order to connect the dots," Baker said.


      • SalesServiceGuy
        Field Supervisor

        Site Contributor
        5,000+ Posts
        • Dec 2009
        • 7874

        #4
        Re: FBI Security Alerts

        COMMERCE, Mich., Feb. 22, 2021 /PRNewswire/ -- Nuspire, a leading managed security services provider (MSSP), today announced the release of its 2020 Q4 and Year in Review Threat Landscape Report. Sourced from its 90 billion traffic logs, the report outlines new cybercriminal activity and tactics, techniques and procedures (TTPs) with additional insight from its threat intelligence partner, Recorded Future.

        "The volume of sophisticated attacks seen throughout 2020 highlight the criticality of business intelligence and cybersecurity detection and response to improving organizational cyber readiness," said Craig Robinson, Program Director, Security Services at IDC. "Nuspire's latest report puts into perspective the changing nature of cyberattacks. Security leaders must be ready for unexpected situations, consistently revisiting and revamping their cybersecurity strategies."

        2020 was a chaotic year that shifted the threat landscape and changed the way many organizations manage their business operations. In addition to increasingly sophisticated and frequent attacks, Nuspire security experts observed a massive spike in malware with Visual Basic for Applications (VBA) agent activity, which overshadowed all other malware variants identified throughout the year. The report also found a consistent increase of exploitation events through 2020 with an overall growth of 116% as attackers continued to leverage newly disclosed vulnerabilities.

        "The SolarWinds attack shook the cybersecurity community to its core and should serve as a reminder to organizations small or large that security must be a priority within every aspect of the business," said John Ayers, Nuspire Chief Strategy Product Officer. "As attack techniques continue to evolve and the frequency of attacks increases, it's critical for business success to understand the changing threat landscape and how to protect themselves from cyberthreats."

        During Q4 security experts uncovered a 10,000% increase in ransomware activity—the largest spike in activity Nuspire has observed to date. Ransomware operators targeted some of the most vulnerable moments in time, including the U.S. Presidential Election, the holidays, and continued to leverage year-long themes, such as the COVID-19 pandemic. Additionally, exploit attacks saw a whopping 68% increase this quarter as a result of numerous SMB brute force login attempts; activity spiked over 90,000% in bursts throughout the quarter.

        Additional notable findings from Nuspire's 2020 Q4 and Year in Review Threat Landscape Report include:

        • Although malware activity was on a slow decline at the beginning of 2020, activity sharply increased in Q4, reaching its highest point through the year in September. VBA Trojans were the most commonly observed malware at 95%, suggesting either numerous malspam campaigns were launched or a large-scale one was instigated by unknown operators. Nuspire expects that VBA agent activity will continue to overshadow other variants as VBA agents are often the first stage of infection.
        • Throughout 2020, Nuspire observed a consistent increase of exploitation events with DoublePulsar reigning as the top utilized technique. However, Q4 saw the largest volume of activity in December with SMB Login Brute Force attempts, closely followed by HTTP Server Authorization Buffer Overflow attacks.
        • Botnet and Exploit activity remained fairly consistent throughout the year with the largest contenders being ZeroAccess Botnet, which made a significant appearance in May, and DoublePulsar staying at the top of the exploit activity list in 2020.
        • In Q4, attackers increased attempts to exploit new vulnerabilities as they were disclosed. This escalation was driven by the release of a known vulnerability in over 49,000 Fortinet devices on the dark web and APT groups - which also targeted the SSL-VPN Vulnerability (CVE-2018-13379). Shortly after this list was released, activity attempting to exploit this vulnerability increased by 4,176%.



        • SalesServiceGuy
          Field Supervisor

          Site Contributor
          5,000+ Posts
          • Dec 2009
          • 7874

          #5
          Re: FBI Security Alerts

          'Active threat' after Microsoft hack -White House

          The White House is calling it an active threat, promising a ‘whole of government response’

          CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now

          Updated: Patch now, or disconnect Microsoft Exchange servers from the internet.


          This week, Microsoft warned that four zero-day vulnerabilities in Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are being actively exploited by a suspected state-sponsored advanced persistent threat (APT) group from China called Hafnium.

          Exchange Online is not affected by the bugs. However, Exchange Server is software used by government agencies and the enterprise alike, and so Microsoft's warning to apply provided patches immediately should not be ignored.

          In light of this, CISA's directive -- made through legal provisions for the agency to issue emergency orders to other US government bodies when serious cybersecurity threats are detected -- demands that federal agencies tackle the vulnerabilities now.


          CISA says that partner organizations have detected "active exploitation of vulnerabilities in Microsoft Exchange on-premise products."
          "Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network," the agency says.

          'Zero-day' vulnerabilities is geek speak for previously unknown vulnerabilities.

          Hafnium mainly targets US entities in infectious disease research, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, according to Microsoft. The group also primarily operates from leased virtual private servers (VPS) in the United States, it added.
          Last edited by SalesServiceGuy; 03-09-2021, 12:47 AM.


          • SalesServiceGuy
            Field Supervisor

            Site Contributor
            5,000+ Posts
            • Dec 2009
            • 7874

            #6
            Re: FBI Security Alerts

            Microsoft’s big email hack: What happened, who did it, and why it matters


            One week ago, Microsoft disclosed that Chinese hackers were gaining access to organizations’ email accounts through vulnerabilities in its Exchange Server email software and issued security patches.


            The hack will probably stand out as one of the top cybersecurity events of the year, because Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future hacks, and to move to cloud-based email instead of running their own email servers in-house.


            IT departments are working on applying the patches, but that takes time and the vulnerability is still widespread. On Monday, internet security company Netcraft said it had run an analysis over the weekend and observed over 99,000 servers online running unpatched Outlook Web Access software.


            Do the flaws affect cloud services like Office 365?


            No. The four vulnerabilities Microsoft disclosed do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that’s included in commercial Office 365 and Microsoft 365 subscription bundles.


            What are the attackers targeting?


            The group has aimed to gain information from defense contractors, schools and other entities in the U.S., Burt wrote. Victims include U.S. retailers, according to security company FireEye, and the city of Lake Worth Beach, Fla., according to the Palm Beach Post. The European Banking Authority said it had been hit.




            Does this have anything do with SolarWinds?


            No, the attacks on Exchange Server do not seem to be related to the SolarWinds threat, to which former Secretary of State Mike Pompeo said Russia was probably connected. Still, the disclosure comes less than three months after U.S. government agencies and companies said they had found malicious content in updates to Orion software from information-technology company SolarWinds in their networks.


            What’s Microsoft doing?


            Microsoft is encouraging customers to install the security patches it delivered last week. It has also released information to help customers figure out if their networks had been hit.


            “Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks,” Microsoft said in a blog post.


            On Monday the company made it easier for companies to treat their infrastructure by releasing security patches for versions of Exchange Server that did not have the most recent available software updates. Until that point, Microsoft had said customers would have to apply the most recent updates before installing the security patches, which delayed the process of dealing with the hack.


            “We are working closely with the CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies to ensure we are providing the best possible guidance and mitigation for our customers,” a Microsoft spokesperson told CNBC in an email on Monday. “The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”


            What are the implications?


            The cyberattacks could end up being beneficial for Microsoft. Besides making Exchange Server, it sells security software that clients might be inclined to start using.


            “We believe this attack, like SolarWinds, will keep cybersecurity urgency high and likely bolster broad-based security spending in 2021, including with Microsoft, and speed the migration to cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft stock, wrote in a note distributed to clients on Monday.


            But many Microsoft customers have already switched to cloud-based email, and some companies rely on Google’s cloud-based Gmail, which is not affected by the Exchange Server flaws. As a result, the impact of the hacks could have been worse if they had come five or 10 years ago, and there won’t necessarily be a race to the cloud as a result of Hafnium.


            “I meet a lot of organizations, big and small, and it’s more the exception than the rule when somebody’s all on prem,” said Ryan Noon, CEO of e-mail security start-up Material Security.


            • SalesServiceGuy
              Field Supervisor

              Site Contributor
              5,000+ Posts
              • Dec 2009
              • 7874

              #7
              Re: FBI Security Alerts

              A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.

              The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation.

              Washington is preparing its first major moves in retaliation against foreign intrusions over the next three weeks, the New York Times reported, citing unidentified officials. It plans a series of clandestine actions across Russian networks -- intended to send a message to Vladimir Putin and his intelligence services -- combined with economic sanctions. President Joe Biden could issue an executive order to shore up federal agencies against Russian hacking, the newspaper reported.


              Initially, the Chinese hackers appeared to be targeting high value intelligence targets in the U.S., Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.

              “They went to town and started doing mass exploitation -- indiscriminate attacks compromising exchange servers, literally around the world, with no regard to purpose or size or industry,” Adair said. “They were hitting any and every server that they could.”

              The attacks were so successful -- and so rapid -- that the hackers appear to have found a way to automate the process.

              Microsoft said customers that use its cloud-based email system are not affected.

              The use of automation to launch very sophisticated attacks may mark a new, frightening era in cybersecurity, one that could overwhelm the limited resources of defenders.


              • tsbservice
                Field tech

                Site Contributor
                5,000+ Posts
                • May 2007
                • 7633

                #8
                Re: FBI Security Alerts

                O c'mon we really don't need this kind of crap here in tech forums! This fits straight into Rants raves etc.
                A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                • SalesServiceGuy
                  Field Supervisor

                  Site Contributor
                  5,000+ Posts
                  • Dec 2009
                  • 7874

                  #9
                  Re: FBI Security Alerts

                  Large Florida school district hit by ransomware attack, hackers demanded $40M

                  The district initially had 'no intention' of paying the ransom, but after two weeks, offered to pay $500G


                  Broward County Public Schools said in a statement Thursday that there is no indication that any personal information has been stolen and that it made no extortion payment to the ransomware gang, which as an apparent pressure tactic last week posted screenshots of its online negotiations with the district to its site on the dark web.

                  The FBI usually investigates such attacks, but said Thursday it would not confirm if it was investigating this one.


                  • rthonpm
                    Field Supervisor

                    2,500+ Posts
                    • Aug 2007
                    • 2837

                    #10
                    Re: FBI Security Alerts

                    The most galling thing about ransomware isn't that someone developed it, but that people, organisations, and businesses STILL haven't seen the value in some kind of data backup. Backup software is generally cheap, reliable (if tested), and highly flexible.

                    Paying the ransom is worthless since it reinforces the behaviour, often doesn't get you your data back, doesn't protect you from being re-infected, and still leaves the risk of additional malware on your network left behind as an additional payload.

                    Protecting data always seems expensive until you absolutely need it, and then it's too late.

                    Sent from my BlackBerry using Tapatalk


                    • KenB
                      Geek Extraordinaire

                      2,500+ Posts
                      • Dec 2007
                      • 3946

                      #11
                      “I think you should treat good friends like a fine wine. That’s why I keep mine locked up in the basement.” - Tim Hawkins


                      • SalesServiceGuy
                        Field Supervisor

                        Site Contributor
                        5,000+ Posts
                        • Dec 2009
                        • 7874

                        #12
                        Re: FBI Security Alerts

                        Originally posted by tsbservice
                        O c'mon we really don't need this kind of crap here in tech forums! This fits straight into Rants raves etc.

                        ... this thread throws light on the very sophisticated, well funded cyber bad actors who are trying to extort money from your customers everyday 24/7, just one click away.

                        These bad actors face very little threat from prosecution and can be unworldly clever at how to devise new attack methods.

                        You need to know the cyber defences of the products you service and how they keep pace with the constantly changing threat environment.

                        You need to change the default Admin passwords of all devices you service to a consistent different password that you have written down and stored in two places.

                        My brother in law brought me his new computer yesterday with a password lock on it. The only way he could get it to unlock was to call a 1(800) Scammer to unlock it for $, and who knows what was downloaded onto your computer searching for passwords and bank account numbers.

                        I tried for an hour to defeat this but in the end my advice was to take it to a tech repair shop where they will probably format the SSD and reinstall Win 10 Home.

                        Everyday now copiers are viewed as part of the defence/weakness against/by hackers and malware.


                        • SalesServiceGuy
                          Field Supervisor

                          Site Contributor
                          5,000+ Posts
                          • Dec 2009
                          • 7874

                          #13
                          Re: FBI Security Alerts

                          Originally posted by rthonpm
                          The most galling thing about ransomware isn't that someone developed it, but that people, organisations, and businesses STILL haven't seen the value in some kind of data backup. Backup software is generally cheap, reliable (if tested), and highly flexible.

                          Paying the ransom is worthless since it reinforces the behaviour, often doesn't get you your data back, doesn't protect you from being re-infected, and still leaves the risk of additional malware on your network left behind as an additional payload.

                          Protecting data always seems expensive until you absolutely need it, and then it's too late.

                          Sent from my BlackBerry using Tapatalk

                          Smart dealers have expanded their product portfolio to include Off Site data storage and Cyber defence products.

                          In every sales quote that I make, I always add in some cyber defences as a monthly fee. You can get a lot for $50.00 a month. In many ways it is like a Surge Suppressor: if it saves one attack in five years, it pays for itself.


                          • rthonpm
                            Field Supervisor

                            2,500+ Posts
                            • Aug 2007
                            • 2837

                            #14
                            Re: FBI Security Alerts

                            Originally posted by SalesServiceGuy
                            Smart dealers have expanded their product portfolio to include Off Site data storage and Cyber defence products.

                            In every sales quote that I make, I always add in some cyber defences as a monthly fee. You can get a lot for $50.00 a month. In many ways it is like a Surge Suppressor: if it saves one attack in five years, it pays for itself.

                            The risk you run is making sure you have some kind of rider in your agreement stating that even with extra security there is still the risk of attacks.

                            Technology is at the point where an antivirus or antimalware software isn't as effective as it used to be. Most attacks now leverage out of date software or unpatched vulnerabilities to then make an attack leveraging another vulnerability. Antivirus is just one level of defence, along with robust patching, software control, and principle of least privilege for any user system.

                            Even third-party antivirus will soon be a thing of the past, just like software firewalls back after Service Pack 2 of XP. The AV engine of Windows 10 is the same as Microsoft's pay product which merely allows for a central management console, on-demand remote scanning, and reporting. Plus, even antivirus software has been used as a means of attacking systems because of the kernel level hooks they often need.

                            Standard in all of our support is that any computer with an end of life operating system or software will not be covered without some kind of verifiable compensating controls (no internet access, separate network, limited access, etc).

                            The biggest challenge is often the tech people understanding the need for security, but the purse strings are controlled by people who don't see the value of something that doesn't immediately show a return on the company's balance sheet.

                            Sent from my BlackBerry using Tapatalk


                            • SalesServiceGuy
                              Field Supervisor

                              Site Contributor
                              5,000+ Posts
                              • Dec 2009
                              • 7874

                              #15
                              Re: FBI Security Alerts

                              ... the best IT Admins in the world quickly admit that they can no longer guarantee that their Networks will not be hacked. The goal now is to rapidly identify and isolate the attack.
