Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label FBI. Show all posts
Multi-Factor Authentication (MFA)
CISA Cyber Security Cybersecurity measures FBI FIDO Hackers MFA mobile phone Multi-Factor Authentication (MFA)

CISA's Enhanced Mobile Security Recommendations Following U.S. Telecom Breach

 



The Cybersecurity and Infrastructure Security Agency (CISA) issued updated recommendations in December 2024 aimed at enhancing mobile phone cybersecurity. Following a significant hack involving major U.S. telecom companies like AT&T, Verizon, and Lumen Technologies, these guidelines focus on adopting more secure multifactor authentication (MFA) methods. 
  
Understanding MFA and Its Vulnerabilities 
 
Multifactor authentication (MFA) is a popular cybersecurity measure requiring users to provide additional verification beyond a password. Common practices include:
  • Text Message Verification: Receiving a one-time code via SMS.
  • Device-Based Approvals: Confirming login attempts on associated devices.
However, CISA has raised concerns about the vulnerability of certain MFA techniques, particularly text-based verification. Text message-based MFA, while convenient, is susceptible to interception by hackers. 

The breach highlighted flaws in text messaging systems, particularly when messages were sent between incompatible platforms like Android and iPhone. Malicious actors exploited these weaknesses to intercept authentication codes and gain unauthorized access to user accounts. While CISA continues to advocate for MFA, it strongly urges users to shift away from text-based methods. 

  
Recommendations for Safer Alternatives 

 
CISA recommends adopting authenticator apps as a more secure MFA option. These apps generate time-sensitive codes that operate independently of messaging systems, making them less prone to interception. However, they remain vulnerable to phishing attacks, where users may be tricked into revealing sensitive information. 

For users seeking the most secure MFA solution, CISA suggests transitioning to phishing-resistant methods like the FIDO (Fast Identity Online) protocol. Developed by the FIDO Alliance, this technology eliminates traditional passwords and uses:
  • Digital Passkeys: Unique codes linked to user accounts.
  • Physical USB Devices: Hardware keys that connect to computers.
The FIDO protocol also supports PINs and biometric identifiers like fingerprints and facial recognition, providing a robust defense against phishing attempts. 

CISA’s latest recommendations highlight the growing need for stronger cybersecurity measures. By moving away from text-based MFA and adopting secure alternatives like authenticator apps and the FIDO protocol, users can better protect their personal information and maintain digital security in an increasingly interconnected world.
Read more »
TraderTraitor
Bitcoin Cyber Attacks CyberCrime Cybersecurity CyberThreat DMM FBI Ginco lazarus TraderTraitor

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


Read more »
phishing
Cyber Security Email Scams FBI Gmail Outlook phishing

How to Protect Yourself from Email Scams: FBI’s Top Tips for Staying Safe

 



While phishing scams are on the rise over the holiday period, the FBI has reminded Gmail, Outlook, Apple Mail, and other services users to be more alert. More phishing schemes are becoming common as criminals use the festive season rush as an opportunity to target more people. Here is how the FBI has warned its citizens against phishing attacks:.

It has generally entailed scamming emails that request the stealing of personal information or even money. Scammers try to deceive a victim with deals they will promise; discounted products, gift cards, or exclusive offers, amongst others. These appear quite legitimate, mimicking familiar brands with realistic logos and designs. With AI tools, it is now more possible for cybercriminals to generate messages that are shiny and polished yet professional-looking, targeting the most vigilant users in their deception.

Three Things to Check in Every Email

To counter these scams, the FBI points out three important checks:  

1. Check the Sender's Email Address: Look closely at the sender's email address. Scammers often use addresses that mimic real ones but with minor changes, like replacing a letter or adding extra characters.

2. Inspect Links Before Clicking: Hover over any link in the email to see where it leads. If the URL looks suspicious or doesn’t match the claimed source, avoid clicking it.  

3. Look for Errors: Scammers sometimes make spelling or grammatical mistakes in emails and URLs. These errors can signal that an email is fake.  

Additional Safety Tips  

The FBI also advises:

  • Avoid disclosing passwords and any form of financial information to any email. No business firm will ask for this type of information through email. 
  • Don't open attachments or click on links coming from unknown senders.  
  • Set up two-factor authentication (2FA) on your accounts for extra protection.
  • Share as little personal information on social media as possible, to make it harder for fraudsters to guess your passwords.

AI In the Wake Of Scams

The more advanced AI technology makes the scammers create the most realistic phishing schemes. This way, they can use artificial intelligence to design fake emails, replicate the look of an official email, or extract confidential information from documents or images. All this puts a bigger burden on users when trying to spot scams.

What Can You Do?

Tech companies, such as Google, have been increasing their efforts to secure users. For example, the majority of phishing attempts in Gmail are blocked, and the service provides direction to help users identify scams. Google instructs users to slow down before acting on an email by verifying its claims independently and reporting anything suspicious.

This has proven true for phishing attacks, and growing sophistication is only outpaced by awareness. Take some time and understand emails before rushing to execute a 

response to urgent messages. As a result, your sensitive information is safe and can therefore have a secure online experience. 




Read more »
Verizon
AT&T Chinese Hackers Cybbercrime Cyber Attacks Cyberhackers Cyberthreatm Salt Typhoon Hacks FBI Verizon

Salt Typhoon Hack: A Grave Threat to U.S. Telecommunications

 


The Chinese state-sponsored hacking group Salt Typhoon has been implicated in one of the most severe breaches in U.S. telecommunications history. Sensitive information, including call logs, timestamps, phone numbers, and location data, was compromised across the networks of at least eight major telecom carriers, including AT&T and Verizon. Despite the scale of the intrusion, many affected consumers remain uninformed about the breach.

Scope and Impact of the Breach

According to reports, Salt Typhoon’s hacking campaign has targeted high-value intelligence figures, including presidential candidates Donald Trump and Kamala Harris, as well as Senator Chuck Schumer's office. The FBI estimates that millions of users’ metadata, particularly in the Washington, D.C., area, were accessed. Yet, most affected individuals have not been notified, raising serious privacy concerns.

AT&T and Verizon, the most severely impacted companies, have faced backlash for their limited response to the breach. Privacy groups have criticized the telecom giants for failing to comply with the Federal Communications Commission (FCC) mandate requiring companies to inform customers of breaches that could cause significant harm, such as identity theft or financial loss.

Telecom Industry’s Response

While high-value targets were promptly alerted, the majority of users whose data was compromised were not informed. In an interview with NBC, Alan Butler, executive director of the Electronic Privacy Information Center, condemned the carriers’ "deficient practices." He emphasized the need for transparency, urging companies to notify all affected customers, regardless of whether their metadata or the actual content of their communications was accessed.

Charter Communications, a midsize internet service provider, has taken a relatively open approach, acknowledging infiltration by Salt Typhoon. According to Chief Security Officer Jeff Simon, access by the hackers has since been cut off, and no customer information was reportedly accessed. In contrast, other companies like Lumen, another internet service provider, have downplayed or refused to disclose the extent of the breach.

Ongoing Threats and Legislative Action

Cybersecurity experts warn that Salt Typhoon continues to target U.S. telecom networks and IT infrastructure. Government agencies are closely monitoring the situation to mitigate further risks. Lawmakers are now considering stricter cybersecurity regulations to compel telecom companies to adopt robust practices and provide detailed breach notifications to consumers.

However, some companies targeted by Salt Typhoon claim the hackers did not gain substantial information. For example, Lumen stated that federal partners found no evidence of ongoing activity in its networks.

Consumer Awareness and Future Outlook

While telecom companies have yet to adequately address these breaches, consumers must stay informed about security risks by following news updates on data breaches. Public pressure is likely to drive industry-wide changes, prompting carriers like AT&T and Verizon to adopt comprehensive notification systems for all affected users.

The Salt Typhoon breach serves as a wake-up call for the telecommunications industry to prioritize data security. Enhanced transparency, stricter cybersecurity regulations, and informed decision-making will be crucial to safeguarding sensitive information in an increasingly digital world.

Read more »
Salt Typhoon
Android Apple FBI iMessage Privacy RCS Salt Typhoon

FBI Warns of Security Risks in RCS Messaging

 

The FBI has issued a warning to Apple and Android device users regarding potential vulnerabilities in Rich Communication Services (RCS). While RCS was designed to replace traditional SMS with enhanced features, a critical security flaw has made it a risky option for messaging. Currently, RCS messages exchanged between Apple and Android devices lack end-to-end encryption, exposing users to potential cyber threats.

Why RCS Messaging is Problematic

Apple introduced RCS support to its iMessage app with iOS 18 to facilitate seamless communication between iPhone and Android users. However, unlike secure messaging apps like Signal or WhatsApp, RCS lacks end-to-end encryption for messages exchanged across these platforms. This absence of encryption leaves sensitive information vulnerable to interception by unauthorized individuals, including hackers and rogue actors.

The FBI’s warning follows a significant breach known as the Salt Typhoon attack, which targeted major U.S. telecommunications carriers. This breach highlighted the vulnerabilities in unencrypted messaging systems. In response, both the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have recommended using secure messaging platforms to mitigate such risks.

The GSMA, which oversees RCS technology, is actively working to implement end-to-end encryption for RCS messages. While progress has been made through industry collaboration, no specific timeline has been provided for the rollout of these crucial security updates.

Secure Alternatives for Messaging

Until RCS achieves full encryption, users are advised to switch to secure messaging apps that offer robust end-to-end encryption. Popular options include:

  • WhatsApp: Provides end-to-end encryption for text, voice, and video communications.
  • Signal: Known for its focus on privacy and strong encryption standards.
  • Telegram: Offers encrypted messaging with additional privacy features like Secret Chats.

In related news, Apple users are urged to update their devices to iOS 18.2 to address a critical vulnerability in the Apple Password app. This flaw could potentially expose sensitive user information, making the update essential for enhanced security.

While the integration of RCS messaging aims to enhance cross-platform communication, the current lack of encryption poses significant risks. As the industry works toward resolving these vulnerabilities, users are encouraged to rely on secure messaging apps and keep their devices updated with the latest security patches. Taking proactive steps and making informed decisions remain vital for ensuring safety in the digital landscape.

Read more »
User Tracking
Data DEA FBI FTC Location Privacy surveillance User Tracking

FTC Stops Data Brokers from Unlawful User Location Tracking

FTC Stops Data Brokers from Unlawful User Location Tracking


Data Brokers Accused of Illegal User Tracking

The US Federal Trade Commission (FTC) has filed actions against two US-based data brokers for allegedly engaging in illegal tracking of users' location data. The data was reportedly used to trace individuals in sensitive locations such as hospitals, churches, military bases, and other protected areas. It was then sold for purposes including advertising, political campaigns, immigration enforcement, and government use.

Mobilewalla's Allegations

The Georgia-based data broker, Mobilewalla, has been accused of tracking residents of domestic abuse shelters and protestors during the George Floyd demonstrations in 2020. According to the FTC, Mobilewalla allegedly attempted to identify protestors’ racial identities by tracing their smartphones. The company’s actions raise serious privacy and ethical concerns.

Gravy Analytics and Venntel's Accusations

The FTC also suspects Gravy Analytics and its subsidiary Venntel of misusing customer location data without consent. Reports indicate they used this data to “unfairly infer health decisions and religious beliefs,” as highlighted by TechCrunch. These actions have drawn criticism for their potential to exploit sensitive personal information.

Unlawful Data Collection Practices

The FTC revealed that Gravy Analytics collected over 17 billion location signals from more than 1 billion smartphones daily. The data was allegedly sold to federal law enforcement agencies such as the Drug Enforcement Agency (DEA), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI).

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk. This is the FTC’s fourth action this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”

FTC's Settlements

As part of two settlements announced by the FTC, Mobilewalla and Gravy Analytics will cease collecting sensitive location data from customers. They are also required to delete the historical data they have amassed about millions of Americans over time.

The settlements mandate that the companies establish a sensitive location data program to identify and restrict tracking and disclosing customer information from specific locations. These protected areas include religious organizations, medical facilities, schools, and other sensitive sites.

Additionally, the FTC’s order requires the companies to maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of data that reveals their precise location or mobile device information.

Read more »
Information Breach
Cyberattacks CyberCrime Cyberhackers Cyberthreats Data Breach Electric Ireland FBI GNCCB Information Breach

Woman Charged in Electric Ireland Customer Information Breach

An Irish national utility service provider, Electric Ireland, is investigating a significant data breach involving customer information. This breach, first reported last year, has led to arrests and an ongoing investigation by the Garda National Cyber Crime Bureau (GNCCB) and the Garda National Economic Crime Bureau (GNECB). The incident has raised concerns about the misuse of personal and financial data and potential risks for affected customers.

Details of the Data Breach

Electric Ireland disclosed that an employee of a company working on its behalf may have inappropriately accessed data from approximately 8,000 residential customer accounts. The compromised information includes personal and financial details, potentially exposing customers to fraud. While the company has not released the names of affected customers, it is actively identifying and contacting individuals who may be at risk. The breach has left many customers concerned about identity theft and financial security.

Electric Ireland has apologized for the breach and is providing guidance to impacted customers. Those not contacted by the company are advised to remain cautious and avoid taking immediate action until they receive official communication. In addition, Electric Ireland has encouraged customers to report any fraudulent activity related to their accounts and to consult their banks for potential security measures.

Investigative Efforts by Authorities

The Garda National Cyber Crime Bureau and GNECB are at the forefront of the investigation. The GNCCB specializes in analyzing digital evidence and has collaborated with international agencies like Europol, Interpol, and the FBI in similar cases. During the probe, investigators discovered evidence on the phone of a Nigerian national allegedly linked to the breach. Further scrutiny led to a focus on his girlfriend and her associates, indicating a wider network of individuals potentially involved in the unauthorized access of data.

The GNECB, which handles financial crime cases, is assessing the fraud's extent and coordinating with Electric Ireland to mitigate the impact on customers. Despite limited details from the authorities, the case highlights the growing challenges of safeguarding sensitive data in an increasingly digital landscape.

Company Response and Customer Guidance

In addition to addressing the data breach, Electric Ireland is dealing with separate issues of overcharging due to incorrect tariff rates and smart meter data errors. The company has issued apologies for these errors and is offering credit notes to affected customers. Regulatory authorities are reviewing the matter to ensure compliance and prevent similar occurrences in the future.

Electric Ireland remains committed to transparency and is collaborating with Garda Síochána to resolve the breach. Customers are urged to stay vigilant, monitor their financial accounts, and report any suspicious activities to the company and their banks.

Read more »
United States
Cyber Security Cyberespionage FBI Salt Typhoon Telecommunication United States

US Telecoms Warned of Chinese Cyber Espionage Threat

 


The White House recently brought together U.S. telecommunications executives to discuss a cyberespionage campaign attributed to Chinese-backed hackers. The attacks have been described by experts as the "worst telecom hack in U.S. history," compromising major telecom providers and targeting national security intelligence.

According to reports, the FBI said several breaches had occurred at telecommunications companies where attackers made off with sensitive data including call records and communications that the hackers could access due to government-mandated backdoors. The intrusion, according to reports, was done by a group code-named Salt Typhoon that has connections to China's Ministry of State Security. It is said to have engaged in espionage activities against officials from U.S. presidential campaigns.

The key telecom providers like AT&T, Verizon, and Lumen have been listed as victims of this cyberattack. Recently, T-Mobile has also revealed that its networks have been breached, though it claimed no customer data was compromised. The hackers did not only target U.S. companies but also stretched their reach to allied nations whose identities remain undisclosed.

Senator Mark Warner, chair of the Senate Intelligence Committee, called these attacks some of the most serious he's seen. He reported that the FBI had informed fewer than 150 people - mostly in Washington - whose communications were compromised. Some telecom companies are still working to get the attackers out of their networks, showing just how persistent these intrusions are. 


Techniques and Long-Term Goals

Salt Typhoon uses advanced tactics to infiltrate systems and maintain long-term access. They include vulnerability exploitation in common devices like Cisco routers and Microsoft Exchange servers. Researchers also found that this group uses legitimate tools to carry out their malicious activities, hence making it challenging to be detected.

Since at least 2020, this group has targeted not only the U.S. but also nations such as Brazil, India, and Taiwan. Their primary focus remains on gathering intelligence from telecommunications networks, government systems, and military organizations.

To mitigate such attacks, the FBI and CISA have been offering technical support to victims. U.S. Cyber Command has amplified operations aimed at disrupting the ability of Chinese cyber actors globally and, consequently, reducing the incidence and impact of such attacks.

This has also raised fears about broader objectives, including possible disruption of Western infrastructure in case tensions over Taiwan or any other issue are to rise further. According to FBI Director Christopher Wray, "China's hacking capabilities are larger than those of any other nation and present a significant challenge to our nation's cybersecurity defenses.".

In response to the growing threats, the Senate has scheduled a classified briefing in December to discuss further measures. The meeting underlines the urgent need to strengthen cybersecurity across critical sectors.


Read more »
Threat Intelligence
Cyber Security FBI Security flaw Tech Firms Threat Intelligence

Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.
Read more »
User Security
cookie theft Cyber Security FBI Gmail Users User Security

FBI Cautioned Gmail Users Regarding Cookie Theft

 

The FBI has warned users of popular email providers such as Gmail, Outlook, Yahoo, and AOL regarding a surge in online criminal activity that compromises email accounts, including those secured by multifactor authentication (MFA). 

Online criminals lure people into visiting suspicious websites or clicking on phishing links, which then download malicious applications onto their computers. One of the most common tactics they employ to gain access to email accounts is cookie theft. 

These session or security cookies, often known as "remember me" cookies, store login information to make it easier to access frequently visited websites and accounts. Cookie theft enables attackers to access users' accounts without requiring their username, password, or MFA. The FBI claims that this strategy works especially well when a user selects the "Remember this device" checkbox during login.

“This problem affects all email platforms with web logins, although Gmail, Outlook, Yahoo, and AOL are the largest targets,” notes cybersecurity expert Zak Doffman. “It also impacts other types of accounts such as shopping sites and financial platforms.” Google has been warning users about cookie theft and developing new ways to prevent it. However, the threat remains significant, as fraudsters develop new techniques. 

FBI warn users

The FBI advises users to take the following precautions to secure their accounts: 

  • Clear your internet browser's cookies on a regular basis. 
  • When logging into websites, avoid choosing the "Remember Me" checkbox.
  • Do not access unsecured websites or click on dubious links.
  • Check your account settings for recent device login history on a regular basis.

Despite the flaws identified in their warning, the FBI emphasises that MFA remains one of the best actions users can take to secure their accounts. Google agrees, describing security cookies as "fundamental to the modern web" because of their utility, but conceding that they are a tempting target for hackers. 

Organisations should also implement MFA on all platforms. Amazon just executed MFA to its workplace email service, WorkMail. Though it took a long time to implement, it is a positive step towards better safety. Finally, any type of multi-factor authentication is preferable to simply typing a password. 

Users should take all necessary precautions to safeguard their accounts by combining the newest security tools with sound security practices. Report cybercrime to the FBI's Internet Crime Complaint Centre (IC3) if you believe you have been a victim. The official FBI website has more thorough advice on how to safeguard your online safety.
Read more »
Threat Intelligence
Cyber Security Dutch Police FBI Infostealer Threat Intelligence

Redline And Meta Infostealers Targeted in Operation Magnus

 

The Dutch National Police claimed on Monday that they had secured "full access" to all servers employed by the Redline and Meta infostealers, two of the most common cybercrime tools on the internet.

Infostealer malware is a major cybersecurity issue that is frequently sold as a malware-as-a-service tool. It infects users' devices and harvests information such as credit card numbers and autofill password data. 

Cybercriminals who use the infostealer then bundle the information into logs, which are sold on credential marketplaces to fraudsters and other criminals looking to breach any organisations whose login information has been compromised.

Earlier this week on Monday, the Dutch National Police, in collaboration with the FBI and other partner agencies in the United States, Australia, and the United Kingdom, announced the disruption of these two infostealers on a website for "Operation Magnus," which includes a timer promising "more news" counting down to noon on Tuesday, Dutch local time. 

A video on the site that mimics the criminals' own marketing claims that the police have supplied a "final update" for both the Redline and Meta infostealer strains, adding that the multinational operation "gained full access to all Redline and Meta servers." The video shows the depth of this access, including many administrator panels, the malware source code, and what appears to be a large number of usernames for people who use the malware-as-a-service tool. 

“Involved parties will be notified, and legal actions are underway,” reads the site, while the video adds, alongside a graphic of cuffed hands: “Thank you for installing this update. We’re looking forward to seeing you soon.” 

Cybercriminals find ways

In conjunction with the disruption operations, the US Justice Department unsealed charges against Maxim Rudometov, one of RedLine's developers and administrators.

According to the Attorney's Office for the Western District of Texas, Rudometov may face a maximum sentence of 35 years if convicted of access device fraud, conspiracy to commit computer intrusion, and money laundering. This follows a series of operations by law enforcement agencies aimed at disrupting the activities of high-profile cybercrime groups around the world.

In December 2023, US officials seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives in recent years, in what was regarded as a severe blow to the outfit.
Read more »
Online Security
cookie theft Cookies Cyber Security cybercriminals FBI Hacking https MFA Bypass Online Security

FBI Warns of Cybercriminals Stealing Cookies to Bypass Security

 

Cybercriminals are now targeting cookies, specifically the “remember-me” type, to gain unauthorized access to email accounts. These small files store login information for ease of access, helping users bypass multi-factor authentication (MFA). However, when a hacker obtains these cookies, they can use them to circumvent security layers and take control of accounts. The FBI has alerted the public, noting that hackers often obtain these cookies through phishing links or malicious websites that embed harmful software on devices. Cookies allow websites to retain login details, avoiding repeated authentication. 

By exploiting them, hackers effectively skip the need for usernames, passwords, or MFA, thus streamlining the process for unauthorized entry. This is particularly concerning as MFA typically acts as a crucial security measure against unwanted access. But when hackers use the “remember-me” cookies, this layer becomes ineffective, making it an appealing route for cybercriminals. A primary concern is that many users unknowingly share these cookies by clicking phishing links or accessing unsecured sites. Cybercriminals then capitalize on these actions, capturing cookies from compromised devices to access email accounts and other sensitive areas. 

This type of attack is less detectable because it bypasses traditional security notifications or alerts for suspicious login attempts, providing hackers with direct, uninterrupted access to accounts. To combat this, the FBI recommends practical steps, including regularly clearing browser cookies, which removes saved login data and can interrupt unauthorized access. Another strong precaution is to avoid questionable links and sites, as they often disguise harmful software. Additionally, users should confirm that the websites they visit are secure, checking for HTTPS in the URL, which signals a more protected connection. 

Monitoring login histories on email and other sensitive accounts is another defensive action. Keeping an eye on recent activity can help users identify unusual login patterns or locations, alerting them to possible breaches. If unexpected entries appear, changing passwords and re-enabling MFA is advisable. Taking these actions collectively strengthens an account’s defenses, reducing the chance of cookie-based intrusions. While “remember-me” cookies bring convenience, their risks in today’s cyber landscape are notable. 

The FBI’s warning underlines the importance of digital hygiene—frequently clearing cookies, avoiding dubious sites, and practicing careful online behavior are essential habits to safeguard personal information.
Read more »
Privacy
Cell Phone Digital Privacy Encryption FBI Privacy

Encryption Battle: FBI's Year-Long Struggle with Mayor's Cellphone

Encryption Battle: FBI's Year-Long Struggle with Mayor's Cellphone

Recently, there's been some buzz around New York City Mayor Eric Adams and his cellphone. Federal investigators seized his phone almost a year ago during a corruption investigation, but they can't unlock it. Adams says he forgot his phone password, making it a big problem for the investigators.

About the Encryption Battle

Prosecutors in the case against Mayor Adams, which involves alleged illegal payments from the Turkish government, disclosed that the FBI has been unable to unlock Adams' personal phone, even after nearly a year since it was confiscated. 

This phone is one of three devices taken from Adams, but his personal phone was seized a day later than the other two official devices. By then, Adams had changed the phone's passcode from a four-digit PIN to a six-digit code—a step he says was to prevent staffers from accidentally or intentionally deleting information. He also claims to have immediately forgotten the new code.

Our phones hold a lot of personal information—text messages, call logs, emails, and more. This makes them valuable for investigations but also raises privacy concerns. The case of Adams' phone highlights a bigger issue: the tension between privacy and security.

On one side, law enforcement needs access to information for their investigations. On the other side, everyone has a right to privacy and the security of their personal data. This balance is tricky and often leads to debates.

For the feds, not being able to access Adams' phone is a setback. Digital evidence can be crucial in cases, and a locked smartphone is a big challenge. This isn't the first time authorities have faced this problem. There have been many cases where they struggled to unlock phones, sparking debates about their power to compel individuals to reveal passwords.

Privacy Concerns

From a privacy viewpoint, Adams' case is a win. It shows how strong modern encryption is in protecting personal data. Even if someone is a public figure under investigation, the technology protects their data from unauthorized access. This is reassuring for anyone concerned about the privacy and security of their own devices.

But there's also an ethical side. If Adams genuinely forgot his password, it shows human vulnerability. Forgetting passwords is common, and it reminds us how much we rely on technology. But if the forgotten password is an excuse, it raises questions about the moral obligations of those in power.

The seriousness of the case

This case also highlights the importance of understanding and managing our digital lives. As our phones become extensions of ourselves, knowing how to secure them, remember passwords, and understand the legal implications is crucial. 

Mayor Eric Adams' locked phone case is a picture of the larger digital privacy debate. It shows the power of encryption and the ongoing struggle between privacy and security. 

Read more »
Salt Typhoon
China Cyber Attacks Cyberattack Cybersecurity Data Breach FBI Hacking internet providers Routers Salt Typhoon

Chinese Government-Linked Hackers Infiltrate U.S. Internet Providers in 'Salt Typhoon' Attack

 

Hackers linked to the Chinese government have reportedly breached several U.S. internet service providers, according to The Wall Street Journal. Investigators are calling the cyberattack "Salt Typhoon," which occurred just a week after the FBI dismantled another China-backed operation called "Flax Typhoon." That attack targeted 200,000 internet-connected devices such as cameras and routers.

In the Salt Typhoon incident, hackers infiltrated broadband networks to access sensitive information held by internet service providers. Sources close to the matter told WSJ that unlike past attacks focused on disrupting infrastructure, this one seems to be aimed at gathering intelligence. FBI Director Christopher Wray had warned at the Aspen Cyber Summit that China would persist in targeting U.S. organizations and critical infrastructure, either directly or through proxies.

Chinese cyberattacks have been ongoing, but their complexity and precision have escalated, intelligence officials told the WSJ. Earlier this year, Wray described China's hacking program as the largest in the world, surpassing all other major nations combined.

China has denied involvement in these attacks. Liu Pengyu, spokesperson for the Chinese embassy in Washington, accused U.S. intelligence agencies of fabricating evidence linking China to the Salt Typhoon breach.

The WSJ report revealed that investigators are focusing on Cisco Systems routers, though a Cisco spokesperson said there is no evidence of their involvement. Microsoft is also looking into the attack. Lumen Technologies, the parent company of CenturyLink and Quantum Fiber, recently detected malware in routers that could expose customers' passwords but did not specify which ISPs were affected.

Although there's no indication that individual customers’ data was the target, you can take basic precautions:

  • Change your passwords regularly—especially your Wi-Fi router's password.
  • Consider identity theft protection services, which monitor your credit and banking activity.
  • Review your credit reports regularly to catch any suspicious activity.
Read more »
Payment Fraud
Cyber Security FBI Financial crime Fraud Detection FTC GDPR Online Payment Fraud Payment Fraud

The Rising Threat of Payment Fraud: How It Impacts Businesses and Ways to Counter It

 

Payment fraud continues to be a significant and evolving threat to businesses, undermining their profitability and long-term sustainability. The FBI reports that between 2013 and 2022, companies lost around $50 billion to business email compromise, showing how prevalent this issue is. In 2022 alone, 80% of enterprises faced at least one payment fraud attempt, with 30% of affected businesses unable to recover their losses. These attacks can take various forms, from email interception to more advanced methods like deep fakes and impersonation scams. 

Cybercriminals exploit vulnerabilities, manipulating legitimate transactions to steal funds, often without immediate detection. Financial losses from payment fraud can be devastating, impacting a company’s ability to pay suppliers, employees, or even invest in growth opportunities. Investigating such incidents can be time-consuming and costly, further straining resources and leading to operational disruptions. Departments like finance, IT, and legal must shift focus to tackle the issue, slowing down core business activities. For example, time spent addressing fraud issues can cause delays in projects, damage employee morale, and disrupt customer services, affecting overall business performance. 

Beyond financial impact, payment fraud can severely damage a company’s reputation. Customers and partners may lose trust if they feel their financial information isn’t secure, leading to lost sales, canceled contracts, or difficulty attracting new clients. Even a single fraud incident can have long-lasting effects, making it difficult to regain public confidence. Businesses also face legal and regulatory consequences when payment fraud occurs, especially if they have not implemented adequate protective measures. Non-compliance with data protection regulations like the General Data Protection Regulation (GDPR) or penalties from the Federal Trade Commission (FTC) can lead to fines and legal actions, causing additional financial strain. Payment fraud not only disrupts daily operations but also poses a threat to a company’s future. 

End-to-end visibility across payment processes, AI-driven fraud detection systems, and regular security audits are essential to prevent attacks and build resilience. Companies that invest in these technologies and foster a culture of vigilance are more likely to avoid significant losses. Staff training on recognizing potential threats and improving security measures can help businesses stay one step ahead of cybercriminals. Mitigating payment fraud requires a proactive approach, ensuring businesses are prepared to respond effectively if an attack occurs. 

By investing in advanced fraud detection systems, conducting frequent audits, and adopting comprehensive security measures, organizations can minimize risks and safeguard their financial health. This preparation helps prevent financial loss, operational disruption, reputational damage, and legal consequences, thereby ensuring long-term resilience and sustainability in today’s increasingly digital economy.
Read more »
Microsoft
Botnet Cyber Crime FBI Flax Typhoon IoT Microsoft

FBI Shuts Down Chinese Linked Botnet Campaign in a Joint Operation

FBI Joint Operation 

The FBI has cracked down on a vast botnet operation linked to a Chinese hacking group, the attackers targeted government agencies, universities, and other entities in the US. 

The Five Eyes intelligence alliance issued a joint report alerting organizations to take safety measures after finding the botnet was used to deploy DDoS attacks and compromise organizations in the US.

Flax Typhoon Involved

Talking about the threat at the Aspen Cyber Summit, Chris Wray, FBI director, said the operation was launched by the Flax Typhoon group, the attackers deployed malware on more than 200,000 customer devices. In a joint operation, the FBI and US Department of Justice were able to take hold of botnet’s infrastructure, 50% of the compromised devices were found in the US.

The hijacked devices- cameras, internet routers, and video recorders, made a large botnet to steal crucial data. The attacks were similar to another botnet campaign operated by the Volt Typhoon group, it also used web-connected devices to make a botnet that hijacked systems and stole sensitive data. 

But Flax Typhoon’s botnet also compromised a larger range of devices, compared to the router-based network by Volt Typhoon.

Flax Typhoon group disguises itself as an information security company but has a long history of working with close links to the Chinese government, says Wray.

“They represent themselves as an information security company—the Integrity Technology Group. But their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.”

Rise in State-sponsored Attacks

Although the operation was a success, says Wray, he warns that threats of state-sponsored attacks from China still exist.  Wray warned that although this operation was a success, the wider ecosystem of state-affiliated cyber attacks out of China was still alive and well.

“This was another successful disruption, but make no mistake — it’s just one round in a much longer fight. The Chinese government is going to continue to target your organizations and our critical infrastructure, either by their own hand or concealed through their proxies, and we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” Wray said.

According to a Microsoft report from 2023, Flax Typhoon has been in the game since 2021. Other reports suggest the group has been active since 2020. In the initial years, the Flax Typhoon attacked government agencies, critical manufacturing, the education sector, and IT firms in Taiwan.
Read more »
Seattle Port
Black hat CISA Cyber Crime Cyberattacks CyberCrime Cybersecurity FBI Medical Breach Ransomware Rhysida Ransomware Seattle Port

Rhysida Ransomware Hits Seattle Port in August Attack

 


As part of its investigation, the Port of Seattle, which operates Seattle-Tacoma International Airport in the city, has determined that the Rhysida ransomware gang is responsible for the cyberattack that allowed it to reach its systems last month, causing travel delays for travellers. There has been a ransomware attack targeting the Port of Seattle as early as Friday, the Port announced in a statement. 

As a result of the attack, which happened on August 24, the Port (which is also responsible for operating Seattle-Tacoma International Airport) announced that "certain system outages have indicated a possibility of a cyberattack." It is important to note that the SEA Airport and its associated facilities remained open after the storm, but passenger displays, Wi-Fi, check-in kiosks, ticketing, baggage, and reserved parking were impacted, as well as the flySEA application and the Port website.

According to a press release that was released on September 13, the Port reported that most of the affected systems had been restored within a week of the attack taking place. As of yet, the Port of Dusseldorf has not been able to relaunch the external website or the internal portals that were offline after securing the impacted systems and finding no signs of additional malicious activity. 

As far as Port systems were concerned, this incident was a "ransomware" attack by Rhysida, a criminal organization that specializes in cybercrime. Since that day, no new unauthorized activity has been conducted on those systems. In a press release, they stressed that it was safe to fly to Seattle-Tacoma International Airport and use the port's maritime facilities. 

During this time, the Port's decision to take systems offline was accompanied by the ransomware gang's encryption of the ones that were not isolated in time, resulting in a series of outages impacting a variety of services and systems, including baggage, check-in kiosks, ticketing, wireless Internet, passenger display boards, the Port of Seattle website, flySEA app, and reservations. 

A ransomware attack believed to have been launched by the Rhysida hacker group can be blamed for encrypting some of the data on the Port's computer systems using the ransomware. It was the result of this encryption and the Port's response to isolate the impacted systems as soon as possible that there were delays at the Sea-Tac Airport with baggage services, check-in kiosks, ticketing, Wi-Fi, displays, the Port's website and the flySEA app having issues. 

The majority of these issues have since been resolved; however, the airport's website and internal portals remain down as of this writing, as stated in an update posted by the Port of Los Angeles. In the wake of the cyber attack at the airport, the Port of Los Angeles is still unsure exactly how much or what kind of data was taken by the attackers, but the Port cannot afford to pay the ransom demand. There are no details about what kind of data have been compromised in the attack; however, the data may likely be of great value due to the sector of the business in which the agency operates. 

There is also another reason that the Port of Seattle is such a hotbed of automation and machine learning technologies, which means it's a goldmine for attackers in terms of data. In the world of ransomware, Rhysida is one of the more well-known gangs, especially for the way they target organizations that run critical systems for which downtime is not an option. 

A hacker group known as the Black Hat Network has in the past targeted healthcare organizations such as the Lurie Children's Hospital and Prospect Medical Holdings as targets. As of May 2024, the number of patients affected by this massive data breach had increased from a few hundred to nearly a million. The company claimed that the Singing River ransomware attack occurred in September 2023.

In addition to educational institutions and the manufacturing industry, the HHS Health Sector Cybersecurity Coordination Center has also reported that the group has targeted the Chilean army, as well as universities and hospitals, according to the report. Health and Human Services (HHS) in the United States has implicated Rhysida in an attack against healthcare organizations in the country. 

As CISA and the FBI made their warnings at the same time, different industries and sectors of society were being targeted by opportunistic attacks by this cybercrime gang at the same time. In November, Rhysida ransomware operators successfully breached Insomniac Games, a subsidiary of Sony, and subsequently leaked 1.67 TB of confidential documents on the dark web. This occurred after the game development studio declined to meet the group’s demand for a $2 million ransom. 

Rhysida's affiliates have also been involved in attacks on several other high-profile organizations. The City of Columbus, Ohio, MarineMax (the world's largest retailer of recreational boats and yachts), and the Singing River Health System have all fallen victim to this ransomware group. In particular, Singing River Health System reported that almost 900,000 individuals were notified of a data breach resulting from an August 2023 ransomware attack, in which sensitive personal information was compromised.
Read more »
FBI
Crypto Fraud Crypto scams cryptocurrency cryptocurrency scams Cyber Attacks CyberCriminal FBI

Cryptocurrency Scams Surge in 2023, FBI Reports Record $5.6 Billion in Losses

 

Despite cryptocurrency no longer dominating the headlines like it did during the 2021 to 2022 boom, cybercriminals are still leveraging it to generate billions of dollars in fraudulent income every year. According to the FBI, 2023 was the most lucrative year on record for cryptocurrency scammers, highlighting the growing scale of these crimes. 

In a report released by the FBI in 2023, it was revealed that cryptocurrency scams accounted for over $5.6 billion in losses, based on more than 69,000 complaints filed with the FBI’s Internet Crime Complaint Center (IC3). This represents a 45% increase from the previous year, demonstrating that despite market fluctuations, scams related to digital currencies are not slowing down. While the broader cryptocurrency market experienced turbulence in 2022, with the collapse of firms like Celsius, Terraform Labs, and the bankruptcy of FTX, scammers have continued to exploit the industry. 

The FBI’s report underscores that the losses from cryptocurrency scams now constitute more than half of the total losses from all online scams reported in 2022. This is a staggering statistic that demonstrates just how prevalent these schemes have become. Investment fraud remains the most common form of cryptocurrency scam, accounting for $3.96 billion of the total losses in 2023. This marks a sharp rise from the $2.57 billion lost to similar scams in 2022. The increasing sophistication of these scams has made it difficult for many people to discern legitimate investment opportunities from fraudulent ones. 

Interestingly, different types of scams tend to affect various age groups in different ways. For instance, those in their 30s and 40s were most frequently targeted by cryptocurrency investment frauds. However, individuals aged 60 and above suffered the most significant losses, with more than $1.6 billion reported by this age group alone. This data highlights the need for increased awareness and protective measures, especially for older individuals who may be more vulnerable to these scams. It’s crucial to note that the actual total of losses is likely much higher than the FBI’s report, as many victims do not report the crimes. 

FBI Director Christopher Wray urged people to report scams even if they did not suffer financial loss. According to Wray, doing so helps law enforcement stay ahead of criminals and their increasingly complex methods of defrauding people using emerging technologies. As cryptocurrency scams continue to grow in size and sophistication, it serves as a reminder that the need for strong cybersecurity measures and public awareness around digital currencies is more critical than ever. Reporting scams can not only help victims but also protect others from falling prey to similar fraudulent schemes.
Read more »
Security
cyber attack Cyber Attacks FBI IT Industry Passwords Ransomware Security

IT Manager Faces Charges for Locking Computers to Demand Money


 

A recent case has highlighted that ransomware threats can sometimes come from within an organisation. Daniel Rhyne, a 57-year-old IT administrator from Kansas City, Missouri, has been accused of holding his own company hostage by locking down their systems and demanding a ransom to restore access.

The incident occurred in November last year when Rhyne was employed at an industrial company based in Somerset County, New Jersey. According to the Federal Bureau of Investigation (FBI), Rhyne allegedly took control of the company’s network by resetting the passwords of network administrator accounts as well as those of hundreds of employees. He then proceeded to delete critical backups and locked out both servers and workstations, crippling the organisation’s operations.

An hour after initiating the attack, Rhyne allegedly sent an email to the company's employees informing them of the situation and demanding a ransom in exchange for unlocking the systems. The FBI claims this was an attempt at extortion, with Rhyne threatening further damage if his demands were not met.

Rhyne’s actions were investigated by the FBI, and he has been charged with multiple counts, including extortion, intentional damage to a protected computer, and wire fraud. Should he be convicted of all charges, he faces up to 35 years in prison and a $500,000 fine, as reported by The Register.

Several pieces of evidence were gathered by the FBI to support their case against Rhyne. For instance, he allegedly used a tool known as PsPasswd, a Windows Sysinternals utility, to reset user passwords. The new password set for the accounts was "TheFr0zenCrew!", a telling detail that investigators believe connects him directly to the attack. Rhyne also reportedly kept a hidden virtual machine (VM) on his company-issued laptop, allowing him to maintain remote access to the network's administrative controls.

Adding to the case, the FBI noted that Rhyne's digital activities prior to the attack were suspicious. He allegedly used his work laptop to search for ways to alter administrator passwords via command-line tools, which are often used by IT professionals to manage networks remotely. Investigators claim that on the day of the attack, Rhyne was seen logging into his work laptop, conducting these searches, and reviewing company password spreadsheets while also accessing the hidden VM.

The fact that he used his company-issued laptop to perform these actions leaves a strong digital trail linking him to the crime. The FBI’s detailed investigation paints a clear picture of how the attack was executed, utilising common IT tools to gain unauthorised control over the company’s systems.

If Rhyne is found guilty, his actions could serve as a warning to organisations about the potential for internal threats. It highlights the need for companies to have strong security protocols in place, not just to defend against external hackers but also to safeguard against malicious insiders who have privileged access to sensitive systems.

This case illustrates how cyberattacks are evolving and how attackers, even those within the organisation, can exploit their knowledge and access to launch devastating attacks. Organisations must remain vigilant and continually monitor for suspicious behaviour, no matter the source, to protect their critical digital infrastructure.


Read more »
Law Enforcement
Chinese espionage Christopher Wray Cyber Security domestic terrorism FBI international terrorism Law Enforcement

FBI Director Christopher Wray Highlights Unprecedented Threat Landscape and Importance of Law Enforcement Partnerships

 

FBI Director Christopher Wray emphasized the unprecedented level of diverse threats facing the nation, describing it as a time when multiple threats are simultaneously elevated, a situation he finds unparalleled in his career. In an exclusive interview during his visit to the FBI’s Minneapolis field office, Wray highlighted the importance of partnerships among law enforcement agencies and other entities as they navigate challenges ranging from domestic and international terrorism to Chinese espionage, intellectual property theft, and foreign election interference.

Wray expressed concern about the cumulative impact of these threats and the burden they place on law enforcement, noting that collaboration across agencies is crucial for overcoming these challenges. His concerns have been consistent, particularly following the October 7th Hamas attack in Israel, which he warned could inspire extremist activities similar to those seen during ISIS's rise.

The FBI is also grappling with security issues related to the southern U.S. border, where individuals with alleged ties to the Islamic State were detained in June for immigration violations. Additionally, the agency is addressing foreign interference in U.S. elections, with recent incidents involving Iranian cyberattacks on political campaigns.

While Wray refrained from discussing specific investigations, he underscored the necessity of public-private partnerships in combating cyber threats, particularly those targeting election systems. He stressed the importance of information sharing to effectively connect the dots and address these complex challenges.

Wray also noted the rising violence against law enforcement officers, pointing out the troubling statistic of an officer being killed every five days, with four such deaths occurring in Minnesota alone in 2024. The FBI itself has not been immune to such violence, as demonstrated by a fatal encounter at its Cincinnati office following the Mar-a-Lago search.

In response to these growing threats, the FBI has strengthened its traditional partnerships with state and local law enforcement while also forging new collaborations with businesses and academic institutions. These efforts aim to bolster cybersecurity and protect intellectual property, with a particular focus on leveraging artificial intelligence to counter AI-enabled threats. Wray emphasized that AI, when used effectively, could be a powerful tool in defending against the misuse of technology by adversaries.
Read more »
Subscribe to: Posts (Atom)