The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.
The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.
In March 2018, computer systems in the City of Atlanta were infected by ransomware; city officials confirmed the cyber attack.
The ransomware infection interrupted several of the city's online services, including "various internal and customer-facing applications" used to pay bills or access court-related information.
One of the latest attacks hit the port of San Diego in September; the incident impacted the processing of park permits and record requests, along with other operations.
In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), which shut down the infected workstations.
In August, the security firm Sophos published a report on the SamSam ransomware. Its experts tracked Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when SamSam first appeared in the threat landscape.
"SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East." reads the report published by Sophos.
"The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families."
Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.
A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.
According to the joint report, most of the victims were located in the United States.
“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.
“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”
SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and then move laterally to infect other hosts on the network.
According to the report, attackers used the JexBoss Exploit Kit to compromise JBoss applications. Threat actors also use Remote Desktop Protocol (RDP) to gain persistent access to victims' networks, relying on brute force attacks and stolen login credentials.
After obtaining access to the victim's network, attackers escalate privileges, then drop and execute the malware.
“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.
According to the experts, attackers used stolen RDP credentials bought from darknet marketplaces, and used them in attacks within hours of purchasing the credentials.
The alert also includes technical details and the following recommendations to mitigate the threat:
- Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
- Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
- Enable strong passwords and account lockout policies to defend against brute force attacks.
- Where possible, apply two-factor authentication.
- Regularly apply system and software updates.
- Maintain a good back-up strategy.
- Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure that third parties that require RDP access follow internal policies on remote access.
- Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
- Restrict users’ ability (permissions) to install and run unwanted software applications.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
The post DHS and FBI published a joint alert on SamSam Ransomware appeared first on Security Affairs.
Last week on Malwarebytes Labs, we took a look at our cybersecurity predictions for 2019, explained why Malwarebytes participated in AV testing and how we took part in a joint takedown of massive ad fraud botnets, warned that ESTA registration websites still lurk in paid ads on Google, discussed what 25 years of webcams have brought us, and reported on the Marriott breach that impacted 500 million customers.
Other cybersecurity news:
- LinkedIn violated data protection by using 18 million email addresses of non-members to buy targeted ads on Facebook. (Source: TechCrunch)
- Researchers created fake “master” fingerprints to unlock smartphones. (Source: Motherboard)
- Uber slapped with £385K ICO fine for major breach. (Source: InfoSecurity Magazine)
- Rogue developer infects widely-used NodeJS module to steal Bitcoins. (Source: The Hacker News)
- When the FBI (and not the fraudsters) make a fake FedEx website. (Source: Graham Cluley)
- Microsoft warns about two apps that installed root certificates then leaked the private keys. (Source: ZDNet)
- Social media scraping app Predictim banned by Facebook and Twitter. (Source: NakedSecurity)
- Tech support scam: Call centers shut down by Indian police in collaboration with Microsoft. (Source: TechSpot)
- Germany detects new cyberattack targeting politicians, military, and embassies. (Source: DW)
- It’s time to change your password again as Dell reveals attempted hack. (Source: Digital Trends)
Stay safe, everyone!
The United States Department of Justice has charged two Iranian nationals with allegedly developing and using SamSam ransomware against their targets in the United States and Canada to carry out a computer hacking and extortion scheme from Iran. Both Mohammad Mehdi Shah Mansouri, 27, and Faramarz Shahi Savandi, 34, have been charged with six counts together with one count of conspiracy […]
This is a post from HackRead.com Read the original post: Feds charge 2 Iranian hackers behind SamSam ransomware attacks
On Wednesday, a group of ten individuals, including the head of the group, received a total sentence of 30 years. The group was involved in the installation of card skimmers on gas pumps across five states in the US, including major cities of Northeast Ohio. Through the card skimmers, the credit card details of thousands of people were […]
This is a post from HackRead.com Read the original post: Gang sentenced for installing card skimmers on gas pumps & stealing data
The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people:
A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with criminal violations for their involvement in perpetrating widespread digital advertising fraud. The charges include wire fraud, computer intrusion, aggravated identity theft and money laundering. Ovsyannikov was arrested last month in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested earlier this month in Estonia, all pursuant to provisional arrest warrants issued at the request of the United States. They await extradition. The remaining defendants are at large.
It looks like an impressive piece of police work.
Details of the forensics that led to the arrests.
How are scammers stealing your money through Google Maps? Why did the FBI create a fake FedEx website? And how are US senators hoping to stop Grinch bots ruining Christmas?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
And don’t miss our special bonus interview about passwords with Rachael Stockton of LastPass.
Eight suspects behind 3VE have also been identified. Last year in August, the Federal Bureau of Investigation organized a secret meet-up between cybersecurity and digital advertising experts in its Manhattan federal building. This included Google and nearly 20 tech firms, with nearly 30 attendees at the meeting. The agenda of the meeting was to […]
This is a post from HackRead.com Read the original post: FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’
On November 27, the US Department of Justice announced the indictment of eight individuals involved in a major ad fraud case that cost digital advertisers millions of dollars. The operation, dubbed 3ve, was the combination of the Boaxxe and Kovter botnets, which the FBI—in collaboration with researchers in the private sector, including one of our own at Malwarebytes—was able to dismantle.
The US CERT advisory indicates that 3ve was controlling over 1.7 million unique IP addresses between both Boaxxe and Kovter at any given time. Threat actors rely on different tactics to generate fake traffic and clicks, but one of the most common is to infect legitimate computers and have them silently mimic a typical user’s behavior. By doing so, fraudsters can generate millions of dollars in revenue while eroding trust in the online advertising business.
This criminal enterprise was quite sophisticated in that it had many evasion techniques that not only made it difficult to detect the presence of ad fraud, but also clean up affected systems. Kovter in particular is a unique piece of malware that goes to great lengths to avoid detection and even trick analysts. Its fileless nature to maintain persistence has also made it more challenging to disable.
Malwarebytes, along with several other companies, including Google, Proofpoint, and ad fraud detection company White Ops, was involved in the global investigation into these ad fraud botnets. We worked with our colleagues at White Ops, sharing our intelligence and samples of the Kovter malware. We were happy to be able to leverage our telemetry, which proved to be valuable for others to act upon.
Even though cybercriminal enterprises can get pretty sophisticated, this successful operation proves that concerted efforts between both the public and private sectors can defeat them and bring perpetrators to justice.
The full report on 3ve, co-authored by Google and White Ops, with technical contributions from Proofpoint and others, can be downloaded here.
The post Malwarebytes helps take down massive ad fraud botnets appeared first on Malwarebytes Labs.
Even though the number of users affected by Facebook's most recent hack was lowered to 29 million, from 50 million, it's still safe to say the attack was worse than originally thought. That's because we now know that the breach, which Facebook revealed a couple of weeks ago, exposed very detailed information of 14 million of those users, including their username, birthdate, gender, location, relationship status, religion, hometown, self-reported current city, education, work, the devices they used to access Facebook and the last 10 places they checked into (or were tagged in) on the site. The attackers, whose identities Facebook won't reveal because of an ongoing FBI investigation, were also able to view which people/Pages were followed by these 14 million users, as well as their 15 most recent searches on Facebook.
On August 1st, the US Attorney for the Western District of Washington, Annette Hayes, and the FBI Seattle Special Agent in Charge, Jay Tabb, along with main Justice's head of the Computer Crimes and Intellectual Property Section (CCIPS), Deputy Attorney General Downing, gave a fascinating press conference about the FIN7 or Carbanak Group case. (The link shows the 31 minute press conference on YouTube, where closed captioning is available.)
As AG Downing explained it, the FIN7 group would use a combination of emails and telephone calls to encourage people involved in catering or group reservations to open their malicious emails. Imagine that your job is booking hotel rooms for group travel, or handling large catering deliveries for business meetings from your restaurant. A new potential customer calls and says "I'd like to book forty hotel rooms for our sports team that is coming to play in a tournament in your town next month. What email should I send the details to?" Or "We're having an event at my office and need to order lunch for sixty people. I know that I could use the online order form, but would you mind if I just sent you an email with the details?" (I've done the latter myself when ordering FIFTY pizzas from Dominos!)
What sales person is NOT GOING TO OPEN THAT ATTACHMENT? Right. Every single one will do so! Here's the flow of the attack that was shared at the Press Conference:
[Image: attack flow diagram (image from the FBI Seattle office)]
[Image: spear-phishing email (image from justice.gov)]
Is This Joker's Stash?
[Image: Trend Micro article (click for full article)]
[Image: Sonic Drive-In cards being sold on Joker's Stash (image from krebsonsecurity.com)]
Three Ukrainian mastermind arrested
[Image: the superseding indictment of Fedor Gladyr]
[Image: Dmytro Fedorov indictment]
[Image: FIN7 attacked at least 3,600 locations of 100+ US businesses]
Rezi recruited Eliot Pereira and Melissa Rios, below, who each in turn recruited others.
Defendant #1: Eliot Pereira, b.1993 - opened "Eliot Products & Arts, Inc." and recruited and managed mules.
Defendant #2: Natalie Armona - opened "Armona Furniture Design Concept & Textile" and recruited and managed multiple mules and recruiters, including defendants #5, #8, #9, #10, and #12.
Defendant #3: Melissa Rios, b. 1996 - opened "Taihan Fiberoptics, Inc." and recruited #2
Defendant #4: Bryant Ortega, b. 1996 - opened "Bryant Tech Deals" and recruited and managed multiple mules, including Defendant #7. (4631 West 9th Court, Hialeah, FL 33012)
Defendant #5: Angelo Santa Cruz, b. 1994 - opened "ASC Worldwide, Inc" and recruited and managed multiple mules, including Defendants #6 & #11.
Defendant #6: Alexis Fernandez Cruz, b. 1992 - opened "Alexis Universal, Inc."
Defendant #7: Roberto Carlos Gracia, b. 1994 - opened RCG Deals, Inc.
Defendant #8: Jose E. Rivera, b. 1989 - opened Rivera Worldwide, Inc.
Defendant #9: Angeles De Jesus Angulo, b. 1996 - opened Angeles Premier Trades, Inc.
Defendant #10: Jennifer Ruiz, b. 1994 - opened Josette Quality, Inc.
Defendant #11: Yirielkys Pacheco Fernandez, b. 1984 - opened YF Nationwide, Inc.
Defendant #12: Sebastian Loayza, b. 1994 - opened Sure Trades, Inc.
This case starts off with a criminal complaint from the Miami office of the United States Secret Service.
It begins with his overview of the case, which is worth quoting here:
"Federal law enforcement agents have been investigating numerous business email compromise and spear phishing scams wherein various fraudsters targeted employees with access to company finances and tricked them into making wire transfers to bank accounts thought to belong to trusted partners -- except in fact, the accounts were shell companies controlled by the fraudsters.
Different people played different roles in the scheme. Some of the co-conspirators hacked into and took control over certain victim companies' business email accounts without the knowledge or consent of the true email account holders, or created email accounts similar to, but slightly different from, real business email accounts. Using the sham or compromised email accounts, the fraudsters then sent emails soliciting payments, claiming that funds were owed, and representing that payments for services rendered by the victim companies should be redirected to different accounts.
Other co-conspirators, known as money mules, opened shell companies and bank accounts into which the funds were fraudulently transferred, and then withdrew the fraud proceeds in cash, or wired the fraud proceeds into their foreign and domestic bank accounts. Several money mules progressed to recruiting and managing other mules."
Natalie Armona may have been a good choice for Melissa to recruit based on her work. Here's a Facebook post of hers from last year! But by the dates, she had been in the money mule business quite a while before landing this job as a Junior Processor at a lending firm.
Armona's TD Bank account
The complaint begins by telling the story of Natalie ARMONA, who opened a business, Armona Furniture Design Concept & Textile Inc., incorporating the business in Florida using her home address and opening a business checking account at TD Bank. She was the sole signatory, and used her true social security number on the account. The account was opened on December 9, 2016 and received its first wire on December 14, 2016, from a scammed medical center (Victim Company A). After taking out her commission in cash ($5,500), using her true Florida driver's license number as identity confirmation, Armona wired the rest of the money to "Flame Land International Limited" in Hong Kong.
On December 21, 2016, Armona's TD Bank account received an ACH for $724,395. Armona again paid herself first, withdrawing $10,508 in person. Three wires went out: $288,301 to "Caplan Sp Zoo" in Warszawa, Poland; $194,110 to the same; and $94,218 to "Baolifeng Intl Trading Limited" in Shenzhen, China. Armona paid herself twice more, once for $5,500 and once for $9,400. On December 27, 2016, she dipped three more times, for $800, $3,800, and $9,900.
Armona's SunTrust Bank account
On December 9, 2016, Armona Furniture opened a SunTrust Bank account. On December 30th she got an inbound ACH of $35,170 from a Pennsylvania sign company. Also on December 30th, she got an incoming wire from Kukutula Development Company LLC in Koloa, Hawaii in the amount of $59,850. On January 3, 2017, Armona withdrew $35,170. On January 13, 2017, SunTrust closed the account for fraud with a balance of $59,850.
ASC WorldWide
A collaborating witness told the Miami Electronic Crimes Task Force that he had been recruited by Armona and had opened a shell company in the name ASC WorldWide, with accounts at TD Bank and SunTrust Bank. Among other activities, he used email-based scams to cause $80,000 to be wired.
After a few successful jobs, the suspect said that Armona told him he could earn extra money by recruiting others into the scam. He agreed to allow the USSS to record his emails, phone calls, and any text or WhatsApp communications involving others in the scheme.
The Ortega Case
(Ortega was arrested Jan 25, 2018)
The Pereira Case
The third case, Feb 23, 2018, has an affidavit from Miami's FBI office from an agent who previously served as a Computer Scientist in the Philadelphia office! Pereira ran several schemes against companies by impersonating their officers, including Fakhoury Law Group (Troy, Michigan), High Tech Lending (San Diego, California), Gaumer Company (Houston, Texas), Park Corporation (Cleveland, Ohio), and Zija International (Lehi, Utah). Each of those companies received fraudulent emails, claiming to be from an executive of their own company, ordering that wires be sent to accounts controlled by "OS Fly Tech Incorporated." Pereira hired an unnamed middleman to set up additional corporate accounts at Bank of America, Wells Fargo, SunTrust Bank, and Regions Bank. The middleman says that Pereira was working with an unknown male whom he called "Rezi." This would be the same person that Cynthia Rodriguez was working for, Roda Taher (see Operation Wire Wire: The South Florida Cases, Part 1). Pereira and Rezi gave one of their mules an email address, firstname.lastname@example.org, to use.
As shown above, nearly $1M in wires was sent to company accounts at Bank of America, SunTrust Bank, TD Bank, and Wells Fargo Bank in September and October of 2016. Pereira and his middleman communicated through WhatsApp and email. (954.554.5501 / email@example.com / firstname.lastname@example.org)
The Big Picture
Roda Taher, AKA Ressi, AKA Rezi, was the manager and supervisor of a criminal organization in the Southern District of Florida and elsewhere. He recruited all of the defendants in this case, encouraged them to open shell accounts and receive illegally transferred funds, some of which they directly wired to China, Poland, and elsewhere.
The case involves 30 distinct financial transactions:
| Count | Date | Mule | Transaction |
|---|---|---|---|
| 2 | 02SEP2016 | Eliot Pereira | $89,630 from OS Fly Tech's Wells Fargo account to China |
| 3 | 30NOV2016 | Melissa Rios | $13,844 from Tiahan Fiberoptics Inc's TD Bank account to Huzhou Nanmei Textile |
| 4 | 23DEC2016 | Natalie Armona | $288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland |
| 4 | 23DEC2016 | Natalie Armona | $194,110 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland |
| 5 | 23DEC2016 | Natalie Armona | $288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland |
| 6 | 23DEC2016 | Natalie Armona | $94,218 from Armona Furniture's TD Bank account to Baolifeng Intl. Trading Limited in Shenzhen China |
| 7 | 12JAN2017 | Natalie Armona | $44,618 from Armona Furniture's TD Bank account to Hangzhou Jieenda Textile Co Ltd in China |
| 8 | 07MAR2017 | Bryant Ortega | $94,110 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China |
| 9 | 08MAR2017 | Bryant Ortega | $128,705 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China |
| 10 | 08MAR2017 | Bryant Ortega | $6,200 from Bryant Tech Deal's SunTrust account |
| 11 | 28MAR2017 | Bryant Ortega | $179,302 from Bryant Tech Deal's SunTrust account to Lofty Ease Limited in Shanghai, China |
| 12 | 14APR2017 | Roberto Carlos Garcia | $3,500 from RCG Deals Inc's Bank of America account |
| 13 | 17APR2017 | Roberto Carlos Garcia | $112,000 from RCG Deals Inc's Bank of America account to KT and G Corp |
| 14 | 17APR2017 | Roberto Carlos Garcia | $7,000 from RCG Deals Inc's Bank of America account |
| 15 | 17APR2017 | Roberto Carlos Garcia | $3,000 from RCG Deals Inc's Bank of America account |
| 16 | 28APR2017 | Jennifer Ruiz | $39,841 from Josette Quality Inc's TD Bank account to Huzhou Nanmei Textile Co. Ltd. |
| 17 | 28APR2017 | Jennifer Ruiz | $3,400 from Josette Quality Inc's TD Bank account |
| 18 | 04MAY2017 | Roberto Carlos Garcia | $100 from RCG Deals Inc's Bank of America account |
| 19 | 26OCT2017 | Angelo Santa Cruz | $88,950 from ASC Worldwide's Chase Bank account to Niche Holding Ltd. |
| 20 | 26OCT2017 | Angelo Santa Cruz | $7,000 from ASC Worldwide's Chase Bank account |
| 21 | 01NOV2017 | Alexis Fernandez Cruz | $8,600 from Alexis Universal Inc's TD Bank account |
| 22 | 07NOV2017 | Angelo Santa Cruz | $96,500 from ASC Worldwide's TD Bank account to Zhejiang Oudi Machine Co. Ltd. |
| 23 | 07NOV2017 | Angelo Santa Cruz | $8,500 from ASC Worldwide's TD Bank account |
| 24 | 09NOV2017 | Alexis Fernandez Cruz | $8,500 from Alexis Universal Inc's SunTrust Bank account |
| 25 | 21NOV2017 | Yirielkys Pacheco Fernandez | $34,810 from YF Nationwide Inc's Chase Bank account to Nantong Gomaa International Co. Ltd. |
| 26 | 06DEC2017 | Yirielkys Pacheco Fernandez | $88,528 from YF Nationwide Inc's Chase Bank account |
| 27 | 30NOV2017 | Jose E. Rivera | $54,210 from Rivera Worldwide Inc's Bank of America account to Zhejiang Senhuang Trading in Zhejiang, China |
| 28 | 30NOV2017 | Jose E. Rivera | $6,100 from Rivera Worldwide Inc's Bank of America account |
| 29 | 03JAN2018 | Angeles De Jesus Angulo | $79,400 from Angeles Premier Trades Inc's Wells Fargo Bank account to Farstar International Ltd |
| 30 | 03JAN2018 | Angeles De Jesus Angulo | $8,600 from Angeles Premier Trades Inc's Wells Fargo Bank account |
Altogether, this group is charged with laundering more than $5,000,000.
The case is scheduled to be heard in Jury Trial beginning on June 25, 2018 before Judge Marcia G. Cooke in Miami, Florida.
Tomorrow (June 13, 2018) two of the defendants are due in court to change their plea. Jennifer Ruiz and Yirielkys Pacheco Fernandez have decided they may not want the 20-year sentence that all of them are facing as part of a conspiracy to commit money laundering at this level!