Energetic Bear ! Strikes US

The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks , said by advisory of CISA & FBI

Intruders identified as Russian hacker group, Energetic Bear a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

Networking Gear has been the target of attack

Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE 2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).

To move laterally across compromised networks, they used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.

Below are some of the details that are compromised and ex-filtrated by the group

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

This recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. But nothing known to be till now.

Haldiram’s renowned Snack maker. Hit by Unknown

Hackers have allegedly stolen crucial data of popular food and snack company Haldiram’s and have demanded Rs 7,50,000

The unidentified accused hacked the server of the company based in the industrial Sector 62 of Noida using a cyber malware popularly called possible Ransomware Attack.

The cyber attack took place on the intervening night of October 12 and 13 and the hackers may have stolen “entire or substantial data” of the company which runs several restaurants and outlets.

The complaint made by a Haldiram’s official said that an IT official of Haldiram’s consequently accessed the Firewall programme on the company’s servers and found some traffic generating from servers, showing certain IP addresses.

The officials of the company found out that some programme was being executed on the aforementioned servers and all the data of the company was being diverted from and going out from the servers of the company. Before disconnecting the entire connection substantial data has been exfilterated

The company said its official raised a complaint with its data security and cyber security firm, Trend Micro, and alleged that all files and sensitive data of the firm had been encrypted by the hacker, thereby, preventing its officials from interacting with their files, data, applications and systems.

It said that the hackers, to give effect to a pre-planned criminal conspiracy, have not only stolen data from the servers and systems of the company but have also contacted company officials through certain servers to illegally extort money to provide back the access to the company’s own data and to delete the stolen data from the servers and systems.

The data includes but not limited to financial, HR, sales/purchase and other data/information)

Mac ,Linux Malwares are like Sweet Pancakes

Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. A surge in malware targeting particular device groups reveals much about the shifting paradigm.

TeamTNT reinforces Black-T

TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR). 

  • Unit 42 researchers came with a new variant of cryptojacking malware named Black-T, the brainchild of the TeamTNT cybercrime group, boosting its capabilities against Linux systems.
  • The added potential includes memory password scraping via mimipy (works on Windows/Linux/OSX) and mimipenguin (Linux desktop)—two open-source Mimikatz equivalents targeting *NIX desktops.

IPStorm prepares for thunders

The IPStorm botnet has been targeting Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by September end.

  • IPStorm now boasts of newer versions targeting Android, Linux, and Mac devices.
  • Linux and Mac devices are infected after the gang performs a brute-force technique against SSH services.
  • However, the Android systems are infected when the malware scans the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.

FinSpy’s malware spin

A new surveillance campaign was reported targeting Egyptian civil society organizations.

  • FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
  • Besides keylogging, call interception, and screen recording, the malware’s additional capabilities included stealing emails by installing a malicious add-on to Apple Main and Thunderbird and collecting Wi-Fi network information.

Concluding phrase

Cybercriminals unfurling tools targeting Linux and Mac devices put a dent in the broadly held opinion that those operating systems are more secure and not susceptible to malicious code, unlike others. Experts recommend checking network settings and avoiding using unnecessary online applications to ensure safety. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.

Microsoft takes down election hacking

Microsoft has disrupted a massive hacking operation that it said could have indirectly affected election infrastructure.

The company said Monday it took down the servers behind Trickbot, an enormous malware network that criminals were using to launch other cyberattacks, including a strain of highly potent ransomware.

Microsoft said it obtained a federal court order to disable the IP addresses associated with Trickbot’s servers, and worked with telecom providers around the world to stamp out the network. The action coincides with an offensive by US Cyber Command to disrupt the cybercriminals, at least temporarily, according to The Washington Post.

Microsoft (MSFT) acknowledged that the attackers are likely to adapt and seek to revive their operations eventually. But, Microsoft said, the company’s efforts reflect a “new legal approach” that may help authorities fight the network going forward.
Trickbot allowed hackers to sell what Microsoft said was a service to other hackers — offering them the capability to inject vulnerable computers, routers and other devices with other malware.
That includes ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or to third-party software vendors that provide services to election officials.

“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” Microsoft VP of security Tom Burt wrote in a blog post.

Ransomware seizes control of target computers and freezes them until victims pay up — though experts urge those affected by ransomware not to encourage hackers by complying with their demands. The Treasury Department has warned that paying ransoms could violate US sanctions policy.

He added: “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
A separate technical report by Microsoft on Monday said Trickbot has been used to spread the Ryuk ransomware. Security experts say Ryuk has been attacking 20 organizations per week, and was reportedly the ransomware that Universal Health Services, one of the nation’s largest hospital companies.

Trickbot has also been used to spread false and malicious emails containing malware that tried to lure victims in with messaging surrounding Black Lives Matter and Covid-19.

Microsoft said Trickbot has infected more than 1 million computing devices globally since 2016 and that its operators have acted on behalf of both governments and criminal organizations, but their exact identity remains ambiguous.

Taking down Trickbot follows a series of attacks that became highly publicized in recent weeks: One targeting Tyler Technologies, a software vendor used by numerous local governments, and Universal Health Services, one of the nation’s largest hospital companies. A statement on Tyler Technologies’ website has said the company does not directly make election software and the software it does produce that is used by election officials to display voting information is separate from its internal systems that were affected by the attack.
Ransomware could pose a risk to the election process if systems designed to support voting are brought down, according to Check Point threat analyst Lotem Finkelsteen, but so far experts regard it as “mainly a hypothetical threat right now


Source : CNN