Category Archives: FBI

Targeted online messaging dissuading young gamers from getting involved in cybercrime

Highly-targeted messaging campaigns from law enforcement can be surprisingly effective at dissuading young gamers from getting involved in cybercrime, a new study has suggested. Law enforcement interventions The study, by researchers from the University of Cambridge and University of Strathclyde, looked at four different types of law enforcement interventions, the first evaluation of the their effectiveness for this particular type of cybercrime. They found that while high-profile arrests and sentencing of cybercriminals only lead to … More

The post Targeted online messaging dissuading young gamers from getting involved in cybercrime appeared first on Help Net Security.

Feds Shut Down Largest Dark Web Child Abuse Site; South Korean Admin Arrested

The United States Department of Justice said today that they had arrested hundreds of criminals in a global crackdown after taking down the largest known child porn site on the dark web and tracing payments made in bitcoins. With an international coalition of law enforcement agencies, federal officials have arrested the administrator of the child sexual abuse site, 23-year-old Jong Woo Son of

FBI Warns of Cyber Attacks on Multi-Factor Authentication

The FBI is warning businesses about a new series of cyberattacks that can circumvent multi-factor authentication (MFA).

In a Private Industry Notification (PIN), the FBI warned businesses that “cyber actors” had been observed, “circumventing multi-factor authentication through common social engineering and technical attacks.” The report went on to describe several scenarios where hackers bypassed MFA protections, accessing target networks and stored data. The methods used were SIM swapping, phishing, and newer hacking tools such as Muraena and Necrobrowser.

Multi-factor authentication, where a user’s login and password is supplemented with a token, one-time access code, or other means of verification is widely regarded as an effective baseline for enterprise cybersecurity; a recent study by Microsoft stated that, when deployed properly, it can block 99.9% of attacks on businesses. 

While the FBI still recommends multi-factor authentication, calling it a “strong and effective security measure to protect online accounts,” the PIN suggests boosting their effectiveness via workplace training to identify social engineering scams such as email-based phishing links and phony websites, as well as implementing more sophisticated forms of authentication.

Read the PIN here.

The post FBI Warns of Cyber Attacks on Multi-Factor Authentication appeared first on Adam Levin.

FBI warns about high-impact Ransomware attacks on U.S. Organizations

The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) warns organizations about high-impact ransomware attacks.

In a wake of the recent string of attacks against cities, school districts and hospitals, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued organizations about high-impact ransomware attacks.

“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent.” reads the public service announcement published by the IC3.

“Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information. Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The FBI has observed cyber organizations using multiple techniques to deliver ransomware, including phishing campaigns and the exploitation of Remote Desktop Protocol (RDP) and software vulnerabilities.

The authorities discourage victims from paying a ransom because there is no guarantee that files will be decrypted. Sometimes crooks don’t decrypt them after the payment, in other cases security issues in the encryption process, or in the malware development, make it impossible to decrypt the data.

FBI urges victims to report the incident to the local FBI field office and to ic3.gov to receive the necessary support.

“Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.” continues the announcement. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

Reporting the ransomware attacks to the FBI will help law enforcement to track the crooks behind the campaign and to collect the indicators of compromise associated with the threat.

Below the cyber defense best practices shared by the FBI:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets

Pierluigi Paganini

(SecurityAffairs – FBI, ransomware)

The post FBI warns about high-impact Ransomware attacks on U.S. Organizations appeared first on Security Affairs.

Russians Hack FBI Comms System

Yahoo News reported that the Russians have successfully targeted an FBI communications system:

American officials discovered that the Russians had dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams. Officials also feared that the Russians may have devised other ways to monitor U.S. intelligence communications, including hacking into computers not connected to the internet. Senior FBI and CIA officials briefed congressional leaders on these issues as part of a wide-ranging examination on Capitol Hill of U.S. counterintelligence vulnerabilities.

These compromises, the full gravity of which became clear to U.S. officials in 2012, gave Russian spies in American cities including Washington, New York and San Francisco key insights into the location of undercover FBI surveillance teams, and likely the actual substance of FBI communications, according to former officials. They provided the Russians opportunities to potentially shake off FBI surveillance and communicate with sensitive human sources, check on remote recording devices and even gather intelligence on their FBI pursuers, the former officials said.

It's unclear whether the Russians were able to recover encrypted data or just perform traffic analysis. The Yahoo story implies the former; the NBC News story says otherwise. It's hard to tell if the reporters truly understand the difference. We do know, from research Matt Blaze and others did almost ten years ago, that at least one FBI radio system was horribly insecure in practice -- but not in a way that breaks the encryption. Its poor design just encourages users to turn off the encryption.

BEC Scams Cost Victims $26B over a Three-Year Period, Finds FBI

The Federal Bureau of Investigation (FBI) found that business email compromise (BEC) scams cost victims a combined total of $26 billion in losses over a three-year period. On 10 September, the FBI’s Internet Crime Complaint Center (IC3) published a public service announcement in which it revealed that BEC scams had caused $26,201,775,589 in global losses. […]… Read More

The post BEC Scams Cost Victims $26B over a Three-Year Period, Finds FBI appeared first on The State of Security.

‘Satori’ IoT Botnet Operator Pleads Guilty

A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.

Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address nexuczeta1337@gmail.com. That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.

“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.

While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.

However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”

DHS and FBI Joint Analysis Report Confirms FireEye’s Assessment that Russian Government Likely Sponsors APT28 and APT29

On Dec. 29, 2016, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report confirming FireEye’s long held public assessment that the Russian government likely sponsors the groups that we track as Advanced Persistent Threat (APT) 28 and APT29. We have tracked and profiled these groups through multiple investigations, endpoint and network detections, and continuous monitoring, allowing us to understand the groups’ malware, operational changes and motivations. This intelligence has been critical to protecting and informing our clients and exposing this threat.

FireEye first publicly announced that the Russian government likely sponsors APT28 in a report released in October 2014. APT28 has pursued military and political targets in the U.S. and globally, including U.S. political organizations, anti-doping agencies, NGOs, foreign and defense ministries, defense attaches, media outlets, and high profile government and private sector entities. Since at least 2007, APT28 has conducted operations using a sophisticated set of malware that employs a flexible, modular framework allowing APT28 to consistently evolve its toolset for future operations. APT28’s operations closely align with Russian military interests and the 2016 breaches, and pursuant public data leaks demonstrate the Russian government's wide-ranging approach to advancing its strategic political interests.

In July 2015, we released a report focusing on a tool used by APT29, malware that we call HAMMERTOSS. In detailing the sophistication and attention to obfuscation evident in HAMMERTOSS, we sought to explain how APT29’s tool development effort defined a clandestine, well-resourced and state-sponsored effort. Additionally, we have observed APT29 target and breach entities including government agencies, universities, law firms and private sector targets. APT29 remains one of the most capable groups that we track, and the group’s past and recent activity is consistent with state espionage.

The Joint Analysis Report also includes indicators for another group we (then iSIGHT Partners) profiled publicly in 2014: Sandworm Team. Since 2009, this group has targeted entities in the energy, transportation and financial services industries. They have deployed destructive malware that impacted the power grid in Ukraine in late 2015 and used related malware to affect a Ukrainian ministry and other financial entities in December 2016. Chiefly characterized by their use of the well-known Black Energy trojan, Sandworm Team has often retrofitted publicly available malware to further their offensive operations. Sandworm Team has exhibited considerable skill and used extensive resources to conduct offensive operations.