FBI Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Last build: Thu, 13 Jan 2022 14:21:39 +0000 (en-US, hourly)

Federal Agencies Release Advisory On Mitigating Security Threats From Russian APT Actors
https://staging-cisomagcom.kinsta.cloud/federal-agencies-release-advisory-on-mitigating-security-threats-from-russian-apt-actors/
Thu, 13 Jan 2022 14:21:39 +0000

State-sponsored hackers from Russia remain a dominant presence in the cyberthreat landscape. Government authorities and organizations worldwide continue to warn about frequent cyberespionage campaigns by Russian actors. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) released a joint advisory on detecting, responding to, and mitigating security threats from Russian state-sponsored actors. The advisory provides an overview of Russian hackers’ cyber operations, including their commonly used tactics, techniques, and procedures (TTPs).

“CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the advisory,” the advisory said.

Russian APT Actors

The federal agencies stated that Russian state-sponsored advanced persistent threat (APT) actors have used a variety of attack vectors, including spearphishing, brute force, and exploitation of known vulnerabilities, to break into target networks.

Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

Targeted Sectors 

Russian actors reportedly targeted a variety of U.S. and international critical infrastructure organizations in the Defense, Health Care, Public Health, Energy, Telecommunications, and Government Facilities Sectors.


What to do if you become a victim of APT

The advisory stated that organizations detecting potential APT activity in their network systems should:

  • Immediately isolate affected systems.
  • Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
  • Collect and review relevant logs, data, and artifacts.
  • Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.

Mitigation

CISA, the FBI, and NSA recommended that organizations implement the following security measures to increase their cyber resilience against rising threats:

  • Develop internal contact lists. Assign main points of contact for a suspected incident, define roles and responsibilities, and ensure personnel know how and when to report an incident.
  • Minimize IT/OT security personnel availability gaps by identifying surge support for responding to an incident.
  • Ensure IT/OT security personnel monitor key internal security capabilities and identify anomalous behavior. Flag any identified IOCs and TTPs for immediate response.
  • Create, maintain, and exercise a cyber incident response and continuity of operations plan.
  • Require multi-factor authentication for all users, without exception.
  • Require accounts to have strong passwords, and do not allow passwords to be reused across multiple accounts or stored on a system to which an adversary may have access.
  • Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or malware.

FBI Issues Warning About Google Voice Authentication Service Scamming Users
https://staging-cisomagcom.kinsta.cloud/fbi-issues-warning-about-google-voice-authentication-service-scamming-users/
Fri, 07 Jan 2022 14:23:29 +0000

Cybercriminals are always on the hunt for users’ information online. Adversaries often exploit users’ data to launch various kinds of cyberattacks and scams. The FBI is warning U.S. citizens to be vigilant when posting personal information online. The federal agency stated that Google Voice authentication scams target people who share their contact details; fraudsters reportedly targeted users who post their phone numbers while selling goods on online marketplaces or social media platforms.

“You post your real phone number on some online platform. It’s common for scammers to target victims who use popular marketplace apps or websites to post items for sale. Want to get rid of that old couch? Post it on one of those popular re-sale sites, and hope someone likes your taste in style. Recently, we have also been getting reports of people who are getting targeted in other locations, including sites where you post about lost pets,” the FBI said in a statement.


Misuse of Google Voice

Google Voice lets users set up a virtual phone number, which can then be used to make domestic and international calls or to send and receive text messages. Threat actors often exploit these virtual numbers to launch various scams and frauds. Scammers can use compromised virtual phone numbers in fraudulent ads or other malicious activities to hide their real identities.

How the Google Voice Scam Works

Fraudsters contact the harvested numbers via text or call, feigning interest in buying the product the user has advertised. The attacker triggers a Google verification code to be sent to the victim’s number, ostensibly to confirm authenticity, and then asks the victim to read back the code they received. In reality, the attacker is setting up a Google Voice account in the victim’s name, using the victim’s phone number as the verification number. Once it is set up, scammers use that Google Voice account to perform various frauds against the victims, and can even leverage the verification code to compromise the victim’s Gmail account.

Mitigation

The FBI recommends that victims of the Google Voice authentication scam visit Google’s support website to learn how to regain control of their Google Voice account and voice number. The agency also shared security measures to prevent such attacks from happening in the first place. These include:

  • Never share a Google verification code with others.
  • Only deal with buyers, sellers, and Fluffy-finders in person. If money is to exchange hands, make sure you use legitimate payment processors.
  • Do not give out your email address to buyers/sellers conducting business via phone.
  • Do not let someone rush you into a sale. If they press you to respond, they are likely trying to manipulate you into acting without thinking.

New Zero Day in ManageEngine Desktop Central Servers Identified
https://staging-cisomagcom.kinsta.cloud/new-zero-day-in-manageengine-desktop-central-servers-identified/
Tue, 21 Dec 2021 14:00:39 +0000

The FBI issued an alert revealing that APT actors have been actively exploiting a zero-day vulnerability, CVE-2021-44515, in ManageEngine Desktop Central servers.

The APT actors compromised Desktop Central servers to drop a webshell that overrides a legitimate function of Desktop Central. “The actor then downloads post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempts lateral movement, and dumps credentials. The CVE-2021-44515 has been rated critical by Zoho. It addresses an authentication bypass vulnerability in the software that allows an adversary to bypass authentication and execute arbitrary code on Desktop Central servers,” the FBI said.

The Exploits

  • DLL sideloading
  • Executing “living off the land” tools, e.g. bitsadmin
  • Network scanning, e.g. nbtscan, nb.exe
  • PowerShell for command execution
  • Persistence through a Windows service
  • Downloading staged post-exploitation tools from other victim infrastructure
  • Credential dumping, e.g. Mimikatz, comsvcs.dll, WDigest downgrade, and pwdump

Mitigations

Organizations that detect any activity related to these IOCs within their network are advised to act immediately.

Zoho released a ManageEngine Desktop Central Security Advisory for the newly identified vulnerability CVE-2021-44515 on December 3, 2021.

In October 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned about ongoing exploitation of a vulnerability in Zoho’s ManageEngine ServiceDesk Plus product. Tracked as CVE-2021-44077, the unauthenticated remote code execution vulnerability affects all ServiceDesk Plus versions up to and including version 11305.


Webshell Attacks on the Rise

Per Microsoft, webshells are pervasive and popular with attackers due to their effectiveness and simple code. “A webshell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions,” Microsoft said.

As a point of entry, the attackers install webshells on servers by exploiting security gaps, typically vulnerabilities in web applications and internet-facing servers. “These attackers scan the internet, often using public scanning interfaces like shodan.io, to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities,” explained Microsoft.

Because these attack vectors are simple and hard to detect, such security gaps continue to be exploited for months and are often only discovered once the intruders have more than made their presence felt.

Cuba Ransomware Infringed 49 Critical Infrastructure Entities
https://staging-cisomagcom.kinsta.cloud/fbi-flash-alert-cuba-ransomware-infringed-49-critical-infrastructure-entities/
Mon, 06 Dec 2021 12:38:00 +0000

In a flash alert, the Federal Bureau of Investigation (FBI), in coordination with DHS/CISA, identified that since early November 2021, Cuba ransomware had infiltrated around 49 entities in U.S. critical infrastructure sectors, including financial, government, healthcare, manufacturing, and information technology.

Per the flash alert, Cuba ransomware actors infiltrate the network and append the “.cuba” extension to the files they encrypt. The ransomware gang has reportedly demanded at least $74 million and received at least $43.9 million in ransom payments.

Cuba Ransomware Deployed by Hancitor

The Group-IB Threat Intelligence and Attribution team discovered that the threat actors actively use Hancitor to deploy Cuba ransomware. According to the team, Cuba ransomware has been active since at least January 2020. Its operators run a data leak site (DLS), where they post data exfiltrated from victims who refuse to pay the ransom. The team added that the Hancitor downloader has been active since at least 2016, when it was used to drop Pony and Vawtrak. As a loader, it has since been used to download other malware families, such as Ficker stealer and NetSupport RAT, to compromised hosts. The Hancitor operators use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely.

The Technical View

The FBI explained the technical working of the malicious ransomware. It stated, “Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com.”

Mitigations

The following mitigations have been suggested to reduce the risk of compromise by Cuba ransomware:

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
  • Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between — and access to — various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Implement time-based access for accounts set at the admin level and higher. This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Maintain offline backups of data, and regularly test backup and restoration. This practice ensures the organization will not be severely interrupted or left with irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

As the festive season brings a significant spike in premeditated cybercrime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI remind all organizations – big or small – and critical infrastructure partners that malicious actor groups are actively launching premeditated cyberattacks.

The authorities have issued advisories urging organizations, especially critical infrastructure and services, to assess their current security posture and implement best practices and mitigations to reduce the threat posed by cyberattacks.

Despite the alerts, we continue to see a rise in the number of ransomware attack victims. Many organizations give in to these demands to safeguard their reputation, critical information, data, and financial status.

Satya Gupta, Cofounder and CTO, Virsec, opined, “Critical infrastructure will remain a highly lucrative target. There is a subtle but massive change in attacker tactics that is taking place and we are at risk of being totally blindsided. Attackers are increasingly burrowing their attacks deep in the software runtime by exploiting vulnerabilities. Being deeper in the software’s runtime helps attackers evade early discovery as evidenced by this group’s method.”

“While many vulnerability disclosures are accompanied by a software patch, the most sophisticated attackers often leverage undisclosed vulnerabilities. In a recent interview, CISA Director Jen Easterly remarked that more than ‘90 percent of vulnerabilities exploited by ransomware have patches associated with them.’ What is left unsaid is that 10% of attacks are vulnerabilities for which patches are not available. Irrespective, patching is not a successful security strategy. This is because even if a patch were available, many entities will drag their heels in deploying the patch.”

Government authorities have also prioritized the ransomware problem and are pressuring ransomware groups to cease operations in order to address the growing menace.


Organizations need to be on constant alert and review their security posture at a micro level, as threat actors are actively scouting for the smallest vulnerability to launch their attacks.

Gupta expressed, “The only way organizations can truly protect themselves is by deploying runtime security controls that take away the attacker’s ability to successfully exploit vulnerabilities. These controls will stop attackers, in milliseconds, from successfully exploiting vulnerabilities. This type of protection is not only possible, but mandatory if we want to prevent further successful ransomware attacks.”

FBI and CISA Warn About Actively Exploited Vulnerability in Zoho
https://staging-cisomagcom.kinsta.cloud/fbi-and-cisa-warn-about-actively-exploited-vulnerability-in-zoho/
Fri, 03 Dec 2021 14:02:46 +0000

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI warned about the ongoing exploitation of the recently addressed vulnerability in Zoho’s ManageEngine ServiceDesk Plus product. Tracked as CVE-2021-44077, the unauthenticated remote code execution vulnerability affects all ServiceDesk Plus versions up to and including version 11305.

Successful exploitation of this flaw could allow an attacker to upload executable files and place web shells that enable post-exploitation activities like compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. While there is no information about the attackers behind this exploitation, the FBI and CISA suspect that advanced persistent threat (APT) actors are among those exploiting the vulnerability.


While Zoho released the patch for this vulnerability on September 16, 2021, the FBI and CISA stated that threat actors have been exploiting CVE-2021-44077 since October 2021.

The agencies also identified attackers using various tactics, techniques, and procedures (TTPs), including:

  • Writing web shells to disk for initial persistence
  • Obfuscating and Deobfuscating/Decoding Files or Information
  • Conducting further operations to dump user credentials
  • Living off the land by only using signed Windows binaries for follow-on actions
  • Adding/deleting user accounts as needed
  • Stealing copies of the Active Directory database (NTDS.dit) or registry hives
  • Using Windows Management Instrumentation (WMI) for remote execution
  • Deleting files to remove indicators from the host
  • Discovering domain accounts with the net Windows command
  • Using Windows utilities to collect and archive files for exfiltration
  • Using custom symmetric encryption for command and control (C2)

Required Actions

The agencies urged organizations to report if they find the existence of any of the following scenarios:

  • Identification of indicators of compromise as outlined above.
  • Presence of webshell code on compromised ServiceDesk Plus servers.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Other indicators of unauthorized access or compromise.

CISA and the FBI urged organizations to be vigilant and patch vulnerable systems with the latest updates.

CISA, FBI Ask Critical Infrastructure Partners to be Vigilant This Festive Season
https://staging-cisomagcom.kinsta.cloud/cisa-fbi-ask-critical-infrastructure-partners-to-be-vigilant-this-holiday-season/
Thu, 25 Nov 2021 13:04:04 +0000

With the onset of the holiday season, employees, especially in the West, take off on the much-awaited annual leave and head home for family vacations. It is also the time when threat actors wait for their annual bounty. With holiday fever at its peak and organizations in “out of office” mode, cybercriminals continue to be in “active mode.”


In a joint alert, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning all organizations – big or small – and critical infrastructure partners that malicious actor groups are poised to launch premeditated cyberattacks during the holiday season.

“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways — big and small — to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” the alert said.

Friendly reminder to remain vigilant to #ransomware and other cyber threats this holiday season. Cybercriminals don’t take off days! Follow our tips in our joint release with the @FBI: https://t.co/gFmiRTR2rK #StopRansomware https://t.co/KRnPXhNwaJ

Tessian researchers reveal that almost two-thirds (64%) of the top couriers are at risk of having their domains impersonated by scammers, as their email domains are not sufficiently protected against phishing, spoofing, or fraud. What’s more, only 20% of the top global couriers have configured DMARC (Domain-based Message Authentication, Reporting & Conformance) to its highest security level.

The FBI and CISA have firm advice for organizations, especially critical infrastructure and services: assess the current security posture and implement best practices and mitigations to reduce the threat posed by cyberattacks this festive season.

CISA and the FBI Recommend

  • Identify IT and security employees who would be available on weekends and holidays to surge in the event of an incident or ransomware attack.
  • Implement multi-factor authentication for remote access and administrative accounts.
  • Mandate strong passwords and ensure they are not reused across multiple accounts.
  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
  • Remind employees not to click on suspicious links and conduct exercises to raise awareness.

Caroline Wong, Chief Strategy Officer at Cobalt, opines, “Cybercriminals don’t take off for Thanksgiving holidays, and neither should your cybersecurity safety measures. To combat malicious attackers, business leaders should heed CISA’s warning and proactively search their systems for potential security vulnerabilities now before it’s too late. Year-round preventative security measures go a long way. It’s simple — you must identify your assets, find your security problems, and promptly fix those security problems. This will protect you when cybersecurity incidents occur, whether during the holidays or not.”

“People are expected to receive a lot of packages during the holiday season – and hackers take advantage of this by pretending to be FedEx, UPS, and Amazon, to trick victims into giving them personal information that they can use for personal gain. Remain vigilant to avoid falling prey to malicious actors’ ploys.”

Watch Out For

  • Phishing scams, such as unsolicited emails posing as charitable organizations.

Being vigilant is imperative and not a choice. It is important to closely monitor your security posture before signing off for the season.


The post CISA, FBI Ask Critical Infrastructure Partners to be Vigilant This Festive Season appeared first on CISO MAG | Cyber Security Magazine.

FBI Alerts About Zero-Day Vulnerability in the FatPipe MPVPN device software https://staging-cisomagcom.kinsta.cloud/fatpipe-mpvpn-zero-day-vulnerability-exploited/ Fri, 19 Nov 2021 13:48:42 +0000

The FBI issued an alert revealing exploitation of a zero-day vulnerability in the FatPipe MPVPN device software. Exploitation of the flaw by APT actors gives access to an unrestricted file upload function, which is used to drop a webshell that runs with root access, leading to elevated privileges and potential follow-on activity. According to the FBI statement, the vulnerability has not yet been assigned a CVE number but is tracked under FatPipe Security Advisory number FPSA006. All versions of FatPipe WARP, MPVPN, and IPVPN device software prior to the updated releases are affected.

Report

The FBI has asked users to immediately report any of the following:

  • Identification of indicators of compromise.
  • Presence of webshell code on compromised FatPipe WARP, MPVPN, and IPVPN appliances.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Malicious IPs identified through the conducted log file searches and session activity.
  • Suspicious or malicious .bash_history contents.
  • Other indicators of unauthorized access or compromise.

Users must share any other information related to the vulnerability with the authorities.

Suggested Mitigations

Organizations that discover signs of the FatPipe MPVPN zero-day compromise within their networks are advised to act immediately.

FatPipe released a patch and security advisory, FPSA006, on November 16, 2021, that fixes the vulnerability.

All FatPipe WARP, MPVPN, and IPVPN device software prior to releases 10.1.2r60p93 and 10.2.2r44p1 is at risk. The security advisory and additional details are available at the following URL: https://fatpipeinc.com/support/cve-list.php.

The FBI strongly urges system administrators to upgrade their devices immediately and follow other FatPipe security recommendations, such as disabling UI and SSH access from the WAN interface (externally facing) when not actively using it.

Rising Popularity of Zero-day Exploits

A recently published CISO MAG article discussed how several cybercriminal groups have been found buying zero-day vulnerabilities, such as the zero-day vulnerability in FatPipe MPVPN, and leasing exploit-as-a-service offerings on dark web forums.

Per a report from Digital Shadows, several cybercriminal groups and state-sponsored actors are increasingly willing to purchase information on vulnerabilities and exploits from various cybercrime affiliates on the dark web. Demand for zero-day vulnerabilities is reportedly high, as many ransomware operators are interested in buying them. Digital Shadows claims that the price of a zero-day flaw could go up to $10 million.

The post FBI Alerts About Zero-Day Vulnerability in the FatPipe MPVPN device software appeared first on CISO MAG | Cyber Security Magazine.

CISA, NCSA, ACSC Warn of Iranian APT Actors Exploiting Microsoft and Fortinet Flaws https://staging-cisomagcom.kinsta.cloud/cisa-ncsa-acsc-warn-of-iranian-apt-actors-exploiting-microsoft-and-fortinet-flaws/ Thu, 18 Nov 2021 12:44:09 +0000

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) jointly released a cybersecurity advisory cautioning about active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by state-sponsored actors.

The malicious activity is believed to be the work of an Iranian state-sponsored advanced persistent threat (APT) group. The APT actors leveraged Fortinet FortiOS vulnerabilities from March 2021 and a remote code execution flaw affecting Microsoft Exchange Servers since October 2021 to gain initial access to systems to deploy ransomware. According to the advisory, the ACSC is also aware that this APT group has used the same Microsoft Exchange vulnerability in Australia.

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” the advisory states.

The Attack

The advisory lists the malicious tools used:

Mitigations

The FBI, CISA, ACSC, and NCSC suggest the following mitigations to reduce the risk of compromise by this threat.

  • Patch and Update Systems – Immediately patch software affected by vulnerabilities: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
  • Evaluate and Update Blocklists and Allowlists
  • Implement and Enforce Backup and Restoration Policies and Procedures
  • Implement Network Segmentation
  • Secure User Accounts
  • Implement Multi-Factor Authentication
  • Use Strong Passwords
  • Secure and Monitor RDP and other Potentially Risky Services
  • Use Antivirus Programs
  • Secure Remote Access
  • Reduce Risk of Phishing

Will It Stop?

Federal authorities across regions have joined hands to create awareness and address the state-sponsored APTs targeting critical infrastructure. In October 2021, Microsoft exposed Iran-linked threat actors using password spraying techniques to break into defense technology companies in the U.S., Israel, and parts of the Middle East.

Per the Quarterly Ransomware Index Spotlight Report (Q2 2021), there has been an increase in several key ransomware markers. Steady growth has been observed in the number of new APT groups using ransomware, the emergence of new ransomware families and Ransomware-as-a-Service (RaaS) offerings, and an increase in Common Weakness Enumerations (CWEs) associated with researched vulnerabilities.

The post CISA, NCSA, ACSC Warn of Iranian APT Actors Exploiting Microsoft and Fortinet Flaws appeared first on CISO MAG | Cyber Security Magazine.

Scammers Force Victims to Use Crypto ATMs and QR Codes: FBI https://staging-cisomagcom.kinsta.cloud/scammers-force-victims-to-use-crypto-atms-and-qr-codes-fbi/ Mon, 08 Nov 2021 14:06:56 +0000

Besides leveraging various intrusion techniques, cybercriminals use different tactics to receive payments from victims and evade detection. Cryptocurrency criminals are forcing victims to use crypto ATMs and QR codes to complete their payments, the FBI warned in its latest Public Service Announcement (PSA).

The FBI has seen a rise in fraudsters maliciously using cryptocurrency ATMs and QR codes to receive payments from victims in various online scams, including impersonation schemes, romance schemes, and lottery schemes. In these scams, the attacker impersonates a legitimate entity from the government, law enforcement, a legal office, or a company and asks users to transfer the money via physical crypto ATMs and QR codes. The scammer then directs the victim to a physical cryptocurrency ATM to insert their money, purchase cryptocurrency, and use the provided QR code to auto-populate the recipient address.

In some cases, the fraudsters provide a malicious QR code linked to the attacker’s crypto wallet to the victim to use during the transaction. The scammers often maintain the communication online with the victim to provide step-by-step instructions until the payment is completed.

What is a QR Code?

A QR code is a two-dimensional barcode that lets a user access information instantly with a digital device. QR codes store data as a series of pixels in a square-shaped grid and are widely used to track details of a particular product in a supply chain.

What is a Crypto ATM?

A cryptocurrency ATM is a connected kiosk that allows users to purchase cryptocurrencies with deposited cash. The crypto ATMs rely on blockchain-based transactions that send cryptocurrencies to the user’s crypto wallets via QR codes.

Why Criminals Use Crypto ATMs and QR Codes

Receiving money illicitly via crypto wallets, transfers, and QR codes helps cybercriminals evade the checks applied to conventional payments. Unlike bank transfers, money sent via QR codes and crypto wallets is credited to the recipient’s account immediately.

“Cryptocurrency’s decentralized nature creates challenges that make it difficult to recover. Once a victim makes the payment, the recipient instantly owns the cryptocurrency and often immediately transfers the funds into an account overseas. This differs from traditional bank transfers or wires, where a payment transaction can remain pending for one to two days before settlement. It can also make law enforcement’s recovery of the funds difficult and can leave many victims with a financial loss,” the PSA said.

What the FBI Suggests

While many users and businesses legitimately use QR code payments, threat actors have distributed malicious QR codes for cryptocurrency payments. Malware embedded in a QR code could automatically initiate fraudulent payments from the victim’s device by connecting to a malicious network. The FBI suggested specific security tips to prevent such payment threats, including:

  • Do not send payment to someone you have only spoken to online, even if you believe you have established a relationship with the individual.
  • Do not follow instructions from someone you have never met to scan a QR code and send payment via a physical cryptocurrency ATM.
  • Do not respond to a caller who claims to be a representative of a company, where you are an account holder, and who requests personal information or demands cryptocurrency. Contact the number listed on your card or the entity directly for verification.
  • Do not respond to a caller from an unknown telephone number who identifies as someone you know and requests cryptocurrency.
  • Practice caution when an entity states they can only accept cryptocurrency and identifies as the government, law enforcement, a legal office, or a utility company. These entities will likely not instruct you to wire funds, send checks, send money overseas, or make deposits into unknown individuals’ accounts.
  • Avoid cryptocurrency ATMs that advertise anonymity and only require a phone number or e-mail. These cryptocurrency ATMs may be non-compliant with US federal regulations and may facilitate money laundering. Instructions to use cryptocurrency ATMs with these specific characteristics are a significant indicator of fraud.
  • If you are using a cryptocurrency ATM and the ATM operator calls you to explain that your transactions are consistent with fraud and advises you to stop sending money, stop or cancel the transaction.

The post Scammers Force Victims to Use Crypto ATMs and QR Codes: FBI appeared first on CISO MAG | Cyber Security Magazine.

Ransomware Operators Leverage Financial Events Like M&A to Pressurize Victims: FBI https://staging-cisomagcom.kinsta.cloud/ransomware-operators-leverage-financial-events-like-ma-to-pressurize-victims-fbi/ Wed, 03 Nov 2021 13:46:55 +0000

The FBI released a notification identifying the use of critical financial events and stock valuation to facilitate targeting and extortion of victims by ransomware groups.

Threat actors are now going beyond network and data vulnerability and leveraging an organization’s financial and market vulnerabilities. The FBI has assessed that the adversaries use significant financial events, such as mergers and acquisitions, to launch ransomware attacks.

“Threat ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims. Ransomware is often a two-stage process beginning with an initial intrusion through a Trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access,” the FBI said.

Threat actors scout for the target’s confidential, non-public information and use it to coerce the victim into meeting the ransom demands. The victims, in most cases, concede because they are in the middle of a significant financial event, such as a stock valuation or a merger and acquisition, where any leaked information could heavily impact the company’s stock value.

The FBI listed multiple ransomware cases from 2020 and 2021:

  • In early 2020, a ransomware actor using the moniker “Unknown” made a post on the Russian hacking forum “Exploit” that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna happen with your stocks.”
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near future stock share price.
  • In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim’s share price. The message stated, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

Evolving Ransomware Techniques

From new malware variants to different hacking methods, threat actors constantly change their approaches to encrypt victims’ data and pressure them into paying the ransom. To prove their power, the operators behind the Darkside ransomware group announced that they are leveraging new extortion tactics by targeting companies listed on stock exchanges like NASDAQ. As reported in April 2021, the Darkside operators stated they are coaxing certain crooked stockbrokers to use insider information about their corporate targets to short-sell a victim company’s stock before the breach is disclosed or any data is leaked. The operators believed that posting a traded company’s name on their website would cause the victim company’s stock price to fall and help insider traders make profits.

See also: Darkside Ransomware Gang Adopts New Extortion Technique by Targeting Stock Traders

Not conceding to ransom demands has been echoed by experts and authorities across industries, yet the victims’ willingness to pay for their compromised data has been the primary reason why we continue to see a surge in the attacks.

“Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law,” the FBI added.

FBI Recommends

  • Back up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Use two-factor authentication for user login credentials, use authenticator apps rather than email as actors may be in control of victim email accounts, and do not click on unsolicited attachments or links in emails.
  • Implement least privilege for file, directory, and network share permissions.

In an exclusive quote to CISO MAG, Bill Alderson, CTO, HOPZERO, said, “Sadly, the NSA, CIA, and FBI all losing their lawful intercept tools to hackers increased technical ability greatly. As with any monetization method – they are increasing their market by simple research to find high stakes, high-visibility situations they can exploit. All is not lost. Hackers are not omniscient, omnipotent, or omnipresent, as those technically deficient might think, that only AI can fix data compromise. And by AI Security success, those are easy pickings. My solution rests with hop starvation reducing the attack surface of vital servers by over 99% reducing risk while catching ransomware and phish – hooking-em, cooking-em, and frying-em up in a pan.”

The post Ransomware Operators Leverage Financial Events Like M&A to Pressurize Victims: FBI appeared first on CISO MAG | Cyber Security Magazine.
