Microsoft takes down election hacking

Microsoft has disrupted a massive hacking operation that it said could have indirectly affected election infrastructure.

The company said Monday it took down the servers behind Trickbot, an enormous malware network that criminals were using to launch other cyberattacks, including a strain of highly potent ransomware.

Microsoft said it obtained a federal court order to disable the IP addresses associated with Trickbot’s servers, and worked with telecom providers around the world to stamp out the network. The action coincides with an offensive by US Cyber Command to disrupt the cybercriminals, at least temporarily, according to The Washington Post.

Microsoft (MSFT) acknowledged that the attackers are likely to adapt and seek to revive their operations eventually. But, Microsoft said, the company’s efforts reflect a “new legal approach” that may help authorities fight the network going forward.
Trickbot allowed hackers to sell what Microsoft said was a service to other hackers — offering them the capability to inject vulnerable computers, routers and other devices with other malware.
That includes ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or to third-party software vendors that provide services to election officials.

“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” Microsoft VP of security Tom Burt wrote in a blog post.

Ransomware seizes control of target computers and freezes them until victims pay up — though experts urge those affected by ransomware not to encourage hackers by complying with their demands. The Treasury Department has warned that paying ransoms could violate US sanctions policy.

He added: “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
A separate technical report by Microsoft on Monday said Trickbot has been used to spread the Ryuk ransomware. Security experts say Ryuk has been attacking 20 organizations per week, and was reportedly the ransomware that Universal Health Services, one of the nation’s largest hospital companies.

Trickbot has also been used to spread false and malicious emails containing malware that tried to lure victims in with messaging surrounding Black Lives Matter and Covid-19.

Microsoft said Trickbot has infected more than 1 million computing devices globally since 2016 and that its operators have acted on behalf of both governments and criminal organizations, but their exact identity remains ambiguous.

Taking down Trickbot follows a series of attacks that became highly publicized in recent weeks: One targeting Tyler Technologies, a software vendor used by numerous local governments, and Universal Health Services, one of the nation’s largest hospital companies. A statement on Tyler Technologies’ website has said the company does not directly make election software and the software it does produce that is used by election officials to display voting information is separate from its internal systems that were affected by the attack.
Ransomware could pose a risk to the election process if systems designed to support voting are brought down, according to Check Point threat analyst Lotem Finkelsteen, but so far experts regard it as “mainly a hypothetical threat right now

Source : CNN

Fancy Bear 🐻 APT 28 Back to action

The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc on the 2016 election.Ever since, the cybersecurity community has been waiting for the day they would return to sow more chaos. Just in time for the 2020 election, that day has come. According to Microsoft, Fancy Bear has been ramping up its election-targeted attacks for the past full year.

Microsoft published a blog post revealing that it has seen Russia’s Fancy Bear hackers, which Microsoft calls Strontium, targeting more than 200 organizations since September 2019. The targets include many election-adjacent organizations, according to researchers at Microsoft’s Threat Intelligence Center.

“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated,” Microsoft’s blog post reads. “Microsoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence.”

Microsoft’s blog post also details politically focused hacking campaigns by a Chinese group known as Zirconium or APT31, as well as an Iranian group known as Phosphorous or APT35. The Chinese campaign’s attacks have included 150 successful breaches of organizations in the last six months,

The Iranian campaign, according to Microsoft, has attempted to gain access to multiple accounts of people involved in the 2020 presidential election, as well as multiple members of Trump’s administration and campaign staff in May and June of this year. Those Trump-targeted intrusions were unsuccessful, Microsoft adds.

But it’s Russia’s latest attacks that are the most troubling, according to threat intelligence firm FireEye. That’s because, unlike Iran or China, the Russian military intelligence agency known as the GRU—and specifically the GRU team known as Fancy Bear, believed to be GRU Unit 26165—has a history of going beyond traditional spying to carry out political hack-and-leak operations

The new round of Fancy Bear hacking also shows that the group has evolved since 2016. While it’s still working to steal victims’ account credentials, it has moved on from the email-based spear-phishing attacks linking to fake login pages of the kind that tricked the earlier elections

Those two tactics “have likely allowed them to automate aspects of their operations,” which would let them scale up their targeting. Microsoft also notes that the hackers have evolved their attempts to avoid detection, rotating through more than a thousand IP addresses in their hacking spree, using the anonymity software Tor, and constantly jettisoning IP addresses and adding new ones.

But while the latest Microsoft findings name Russian, Chinese, and Iranian hackers in equal measure, FireEye director of intelligence warns that Americans shouldn’t fall into the trap of thinking those three potential wild cards carry equal risk for American democracy. “APT28 is the threat that really matters here,” Hultquist says. “They have the history, the motivation, and the means to actually interfere.”