
US Telecoms Warned of Chinese Cyber Espionage Threat

 


The White House recently brought together U.S. telecommunications executives to discuss a cyberespionage campaign attributed to Chinese-backed hackers. The attacks have been described by experts as the "worst telecom hack in U.S. history," compromising major telecom providers and targeting national security intelligence.

According to reports, the FBI said several breaches had occurred at telecommunications companies where attackers made off with sensitive data including call records and communications that the hackers could access due to government-mandated backdoors. The intrusion, according to reports, was done by a group code-named Salt Typhoon that has connections to China's Ministry of State Security. It is said to have engaged in espionage activities against officials from U.S. presidential campaigns.

The key telecom providers like AT&T, Verizon, and Lumen have been listed as victims of this cyberattack. Recently, T-Mobile has also revealed that its networks have been breached, though it claimed no customer data was compromised. The hackers did not only target U.S. companies but also stretched their reach to allied nations whose identities remain undisclosed.

Senator Mark Warner, chair of the Senate Intelligence Committee, called these attacks some of the most serious he's seen. He reported that the FBI had informed fewer than 150 people - mostly in Washington - whose communications were compromised. Some telecom companies are still working to get the attackers out of their networks, showing just how persistent these intrusions are. 


Techniques and Long-Term Goals

Salt Typhoon uses advanced tactics to infiltrate systems and maintain long-term access. These include exploiting vulnerabilities in widely deployed products such as Cisco routers and Microsoft Exchange servers. Researchers also found that the group uses legitimate tools to carry out its malicious activity, which makes it harder to detect.

Since at least 2020, this group has targeted not only the U.S. but also nations such as Brazil, India, and Taiwan. Their primary focus remains on gathering intelligence from telecommunications networks, government systems, and military organizations.

To mitigate such attacks, the FBI and CISA have been offering technical support to victims. U.S. Cyber Command has stepped up operations aimed at disrupting the ability of Chinese cyber actors to operate globally and, consequently, reducing the incidence and impact of such attacks.

This has also raised fears about broader objectives, including possible disruption of Western infrastructure should tensions over Taiwan or any other issue rise further. According to FBI Director Christopher Wray, "China's hacking capabilities are larger than those of any other nation and present a significant challenge to our nation's cybersecurity defenses."

In response to the growing threats, the Senate has scheduled a classified briefing in December to discuss further measures. The meeting underlines the urgent need to strengthen cybersecurity across critical sectors.


Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow law enforcement to gather a person's information from a firm when there is an immediate threat and insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data from hacked police accounts. Some of the requests contained false threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" unless the company in question returned the requested information.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.

FBI Cautioned Gmail Users Regarding Cookie Theft

 

The FBI has warned users of popular email providers such as Gmail, Outlook, Yahoo, and AOL regarding a surge in online criminal activity that compromises email accounts, including those secured by multifactor authentication (MFA). 

Online criminals lure people into visiting suspicious websites or clicking on phishing links, which then download malicious applications onto their computers. One of the most common tactics they employ to gain access to email accounts is cookie theft. 

These session or security cookies, often known as "remember me" cookies, store login information to make it easier to access frequently visited websites and accounts. Cookie theft enables attackers to access users' accounts without requiring their username, password, or MFA. The FBI claims that this strategy works especially well when a user selects the "Remember this device" checkbox during login.

“This problem affects all email platforms with web logins, although Gmail, Outlook, Yahoo, and AOL are the largest targets,” notes cybersecurity expert Zak Doffman. “It also impacts other types of accounts such as shopping sites and financial platforms.” Google has been warning users about cookie theft and developing new ways to prevent it. However, the threat remains significant, as fraudsters develop new techniques. 

FBI warns users

The FBI advises users to take the following precautions to secure their accounts: 

  • Clear your internet browser's cookies on a regular basis. 
  • When logging into websites, avoid choosing the "Remember Me" checkbox.
  • Do not access unsecured websites or click on dubious links.
  • Check your account settings for recent device login history on a regular basis.

Despite the flaws identified in their warning, the FBI emphasises that MFA remains one of the best actions users can take to secure their accounts. Google agrees, describing security cookies as "fundamental to the modern web" because of their utility, but conceding that they are a tempting target for hackers. 

Organisations should also implement MFA on all platforms. Amazon recently added MFA to its workplace email service, WorkMail. Though it took a long time to implement, it is a positive step towards better safety. Finally, any type of multi-factor authentication is preferable to simply typing a password.

Users should take all necessary precautions to safeguard their accounts by combining the newest security tools with sound security practices. Report cybercrime to the FBI's Internet Crime Complaint Centre (IC3) if you believe you have been a victim. The official FBI website has more thorough advice on how to safeguard your online safety.

Redline And Meta Infostealers Targeted in Operation Magnus

 

The Dutch National Police claimed on Monday that they had secured "full access" to all servers employed by the Redline and Meta infostealers, two of the most common cybercrime tools on the internet.

Infostealer malware is a major cybersecurity issue that is frequently sold as a malware-as-a-service tool. It infects users' devices and harvests information such as credit card numbers and autofill password data. 

Cybercriminals who use the infostealer then bundle the information into logs, which are sold on credential marketplaces to fraudsters and other criminals looking to breach any organisations whose login information has been compromised.

On Monday, the Dutch National Police, in collaboration with the FBI and other partner agencies in the United States, Australia, and the United Kingdom, announced the disruption of these two infostealers on a website for "Operation Magnus," which includes a timer promising "more news" counting down to noon on Tuesday, Dutch local time.

A video on the site that mimics the criminals' own marketing claims that the police have supplied a "final update" for both the Redline and Meta infostealer strains, adding that the multinational operation "gained full access to all Redline and Meta servers." The video shows the depth of this access, including many administrator panels, the malware source code, and what appears to be a large number of usernames for people who use the malware-as-a-service tool. 

“Involved parties will be notified, and legal actions are underway,” reads the site, while the video adds, alongside a graphic of cuffed hands: “Thank you for installing this update. We’re looking forward to seeing you soon.” 

Cybercriminals find ways

In conjunction with the disruption operations, the US Justice Department unsealed charges against Maxim Rudometov, one of RedLine's developers and administrators.

According to the Attorney's Office for the Western District of Texas, Rudometov may face a maximum sentence of 35 years if convicted of access device fraud, conspiracy to commit computer intrusion, and money laundering. This follows a series of operations by law enforcement agencies aimed at disrupting the activities of high-profile cybercrime groups around the world.

In December 2023, US officials seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives in recent years, in what was regarded as a severe blow to the outfit.

FBI Warns of Cybercriminals Stealing Cookies to Bypass Security

 

Cybercriminals are now targeting cookies, specifically the “remember-me” type, to gain unauthorized access to email accounts. These small files store login information for ease of access, helping users bypass multi-factor authentication (MFA). However, when a hacker obtains these cookies, they can use them to circumvent security layers and take control of accounts. The FBI has alerted the public, noting that hackers often obtain these cookies through phishing links or malicious websites that embed harmful software on devices. Cookies allow websites to retain login details, avoiding repeated authentication. 

By exploiting them, hackers effectively skip the need for usernames, passwords, or MFA, thus streamlining the process for unauthorized entry. This is particularly concerning as MFA typically acts as a crucial security measure against unwanted access. But when hackers use the “remember-me” cookies, this layer becomes ineffective, making it an appealing route for cybercriminals. A primary concern is that many users unknowingly share these cookies by clicking phishing links or accessing unsecured sites. Cybercriminals then capitalize on these actions, capturing cookies from compromised devices to access email accounts and other sensitive areas. 

This type of attack is less detectable because it bypasses traditional security notifications or alerts for suspicious login attempts, providing hackers with direct, uninterrupted access to accounts. To combat this, the FBI recommends practical steps, including regularly clearing browser cookies, which removes saved login data and can interrupt unauthorized access. Another strong precaution is to avoid questionable links and sites, as they often disguise harmful software. Additionally, users should confirm that the websites they visit are secure, checking for HTTPS in the URL, which signals a more protected connection. 

Monitoring login histories on email and other sensitive accounts is another defensive action. Keeping an eye on recent activity can help users identify unusual login patterns or locations, alerting them to possible breaches. If unexpected entries appear, changing passwords and re-enabling MFA is advisable. Taking these actions collectively strengthens an account’s defenses, reducing the chance of cookie-based intrusions. While “remember-me” cookies bring convenience, their risks in today’s cyber landscape are notable. 

The FBI’s warning underlines the importance of digital hygiene—frequently clearing cookies, avoiding dubious sites, and practicing careful online behavior are essential habits to safeguard personal information.
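The two cookie-theft posts above describe the problem from the user's side. As an added illustration of what a site operator can do about it (this is example code written for this page, not code from the FBI advisory, Google, or any email provider), the following Python session store binds each "remember me" cookie to the device that created it and treats a replay from elsewhere as suspected theft. The binding to a hash of the user agent plus the client's /24 (IPv4) or /48 (IPv6) network prefix, the constructed `SERVER_KEY`, and the decision to revoke on mismatch are all assumptions of this example.

```python
"""
Server-side handling of "remember me" session cookies that limits what a
stolen cookie is worth. Example code added for illustration; it is not from
the FBI advisory or any vendor. Assumptions: a session is bound to a hash of
the user agent plus the client's /24 (IPv4) or /48 (IPv6) network, and a
mismatch is treated as suspected cookie theft.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed demo key. A real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def device_fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash the user agent with the client's network prefix, so a cookie
    replayed from another machine or network no longer matches."""
    addr = ipaddress.ip_address(client_ip)
    bits = 24 if addr.version == 4 else 48
    prefix = ipaddress.ip_network(f"{client_ip}/{bits}", strict=False)
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()


class SessionStore:
    """In-memory store of long-lived ("remember me") sessions."""

    def __init__(self, remember_ttl_days: int = 30):
        self.ttl = remember_ttl_days * 86400
        self._sessions = {}      # HMAC(token) -> session record
        self.login_history = []  # what a "recent device activity" page shows

    def _key(self, token: str) -> str:
        # Store only a keyed hash of the cookie value, so a leaked session
        # table does not hand out usable cookies.
        return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, user_agent, client_ip, now=None) -> str:
        """Create a remember-me cookie after a full login (password + MFA)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "fp": device_fingerprint(user_agent, client_ip),
            "created": now,
            "last_seen": now,
            "revoked": False,
        }
        self.login_history.append((now, user, "session_issued", client_ip, user_agent))
        return token

    def validate(self, token, user_agent, client_ip, now=None):
        """Return ("ok", user) or ("rejected", reason) for a presented cookie."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._key(token))
        if rec is None or rec["revoked"]:
            return ("rejected", "unknown_or_revoked")
        if now - rec["created"] > self.ttl:
            rec["revoked"] = True
            return ("rejected", "expired")
        if device_fingerprint(user_agent, client_ip) != rec["fp"]:
            # Same cookie, different device/network: treat as suspected theft,
            # kill the session (thief and owner both have to log in again with
            # MFA) and leave a visible trace in the login history.
            rec["revoked"] = True
            self.login_history.append(
                (now, rec["user"], "cookie_replay_blocked", client_ip, user_agent))
            return ("rejected", "device_mismatch")
        rec["last_seen"] = now
        return ("ok", rec["user"])

    def revoke_all(self, user) -> int:
        """'Sign out of all devices' after a suspected compromise."""
        count = 0
        for rec in self._sessions.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def demo():
    """Owner uses the cookie, a copy is replayed elsewhere, owner is locked out."""
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"
    cookie = store.issue("alice", ua, "203.0.113.10", now=1_000.0)
    return [
        store.validate(cookie, ua, "203.0.113.77", now=2_000.0),  # owner, same /24
        store.validate(cookie, ua, "198.51.100.5", now=3_000.0),  # replay elsewhere
        store.validate(cookie, ua, "203.0.113.10", now=4_000.0),  # owner must re-login
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The replay from a different network is refused and the session is killed, which is what turns a silent cookie theft into a visible "you were signed out" event plus an entry in the login history. Binding to a network prefix does sign out legitimate users who roam between networks; a production system would usually step up to an MFA prompt on mismatch rather than revoke outright, and a short TTL with rotation on each use keeps the window for a stolen cookie small either way.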

Encryption Battle: FBI's Year-Long Struggle with Mayor's Cellphone


Recently, there's been some buzz around New York City Mayor Eric Adams and his cellphone. Federal investigators seized his phone almost a year ago during a corruption investigation, but they can't unlock it. Adams says he forgot his phone password, making it a big problem for the investigators.

About the Encryption Battle

Prosecutors in the case against Mayor Adams, which involves alleged illegal payments from the Turkish government, disclosed that the FBI has been unable to unlock Adams' personal phone, even after nearly a year since it was confiscated. 

This phone is one of three devices taken from Adams, but his personal phone was seized a day later than the other two official devices. By then, Adams had changed the phone's passcode from a four-digit PIN to a six-digit code—a step he says was to prevent staffers from accidentally or intentionally deleting information. He also claims to have immediately forgotten the new code.

Our phones hold a lot of personal information—text messages, call logs, emails, and more. This makes them valuable for investigations but also raises privacy concerns. The case of Adams' phone highlights a bigger issue: the tension between privacy and security.

On one side, law enforcement needs access to information for their investigations. On the other side, everyone has a right to privacy and the security of their personal data. This balance is tricky and often leads to debates.

For the feds, not being able to access Adams' phone is a setback. Digital evidence can be crucial in cases, and a locked smartphone is a big challenge. This isn't the first time authorities have faced this problem. There have been many cases where they struggled to unlock phones, sparking debates about their power to compel individuals to reveal passwords.

Privacy Concerns

From a privacy viewpoint, Adams' case is a win. It shows how strong modern encryption is in protecting personal data. Even if someone is a public figure under investigation, the technology protects their data from unauthorized access. This is reassuring for anyone concerned about the privacy and security of their own devices.

But there's also an ethical side. If Adams genuinely forgot his password, it shows human vulnerability. Forgetting passwords is common, and it reminds us how much we rely on technology. But if the forgotten password is an excuse, it raises questions about the moral obligations of those in power.

The seriousness of the case

This case also highlights the importance of understanding and managing our digital lives. As our phones become extensions of ourselves, knowing how to secure them, remember passwords, and understand the legal implications is crucial. 

Mayor Eric Adams' locked phone case is a picture of the larger digital privacy debate. It shows the power of encryption and the ongoing struggle between privacy and security. 

Chinese Government-Linked Hackers Infiltrate U.S. Internet Providers in 'Salt Typhoon' Attack

 

Hackers linked to the Chinese government have reportedly breached several U.S. internet service providers, according to The Wall Street Journal. Investigators are calling the cyberattack "Salt Typhoon," which occurred just a week after the FBI dismantled another China-backed operation called "Flax Typhoon." That attack targeted 200,000 internet-connected devices such as cameras and routers.

In the Salt Typhoon incident, hackers infiltrated broadband networks to access sensitive information held by internet service providers. Sources close to the matter told WSJ that unlike past attacks focused on disrupting infrastructure, this one seems to be aimed at gathering intelligence. FBI Director Christopher Wray had warned at the Aspen Cyber Summit that China would persist in targeting U.S. organizations and critical infrastructure, either directly or through proxies.

Chinese cyberattacks have been ongoing, but their complexity and precision have escalated, intelligence officials told the WSJ. Earlier this year, Wray described China's hacking program as the largest in the world, surpassing all other major nations combined.

China has denied involvement in these attacks. Liu Pengyu, spokesperson for the Chinese embassy in Washington, accused U.S. intelligence agencies of fabricating evidence linking China to the Salt Typhoon breach.

The WSJ report revealed that investigators are focusing on Cisco Systems routers, though a Cisco spokesperson said there is no evidence of their involvement. Microsoft is also looking into the attack. Lumen Technologies, the parent company of CenturyLink and Quantum Fiber, recently detected malware in routers that could expose customers' passwords but did not specify which ISPs were affected.

Although there's no indication that individual customers’ data was the target, you can take basic precautions:

  • Change your passwords regularly—especially your Wi-Fi router's password.
  • Consider identity theft protection services, which monitor your credit and banking activity.
  • Review your credit reports regularly to catch any suspicious activity.

The Rising Threat of Payment Fraud: How It Impacts Businesses and Ways to Counter It

 

Payment fraud continues to be a significant and evolving threat to businesses, undermining their profitability and long-term sustainability. The FBI reports that between 2013 and 2022, companies lost around $50 billion to business email compromise, showing how prevalent this issue is. In 2022 alone, 80% of enterprises faced at least one payment fraud attempt, with 30% of affected businesses unable to recover their losses. These attacks can take various forms, from email interception to more advanced methods like deep fakes and impersonation scams. 

Cybercriminals exploit vulnerabilities, manipulating legitimate transactions to steal funds, often without immediate detection. Financial losses from payment fraud can be devastating, impacting a company’s ability to pay suppliers, employees, or even invest in growth opportunities. Investigating such incidents can be time-consuming and costly, further straining resources and leading to operational disruptions. Departments like finance, IT, and legal must shift focus to tackle the issue, slowing down core business activities. For example, time spent addressing fraud issues can cause delays in projects, damage employee morale, and disrupt customer services, affecting overall business performance. 

Beyond financial impact, payment fraud can severely damage a company’s reputation. Customers and partners may lose trust if they feel their financial information isn’t secure, leading to lost sales, canceled contracts, or difficulty attracting new clients. Even a single fraud incident can have long-lasting effects, making it difficult to regain public confidence. Businesses also face legal and regulatory consequences when payment fraud occurs, especially if they have not implemented adequate protective measures. Non-compliance with data protection regulations like the General Data Protection Regulation (GDPR) or penalties from the Federal Trade Commission (FTC) can lead to fines and legal actions, causing additional financial strain. Payment fraud not only disrupts daily operations but also poses a threat to a company’s future. 

End-to-end visibility across payment processes, AI-driven fraud detection systems, and regular security audits are essential to prevent attacks and build resilience. Companies that invest in these technologies and foster a culture of vigilance are more likely to avoid significant losses. Staff training on recognizing potential threats and improving security measures can help businesses stay one step ahead of cybercriminals. Mitigating payment fraud requires a proactive approach, ensuring businesses are prepared to respond effectively if an attack occurs. 

By investing in advanced fraud detection systems, conducting frequent audits, and adopting comprehensive security measures, organizations can minimize risks and safeguard their financial health. This preparation helps prevent financial loss, operational disruption, reputational damage, and legal consequences, thereby ensuring long-term resilience and sustainability in today’s increasingly digital economy.

FBI Shuts Down Chinese Linked Botnet Campaign in a Joint Operation

FBI Joint Operation 

The FBI has cracked down on a vast botnet operation linked to a Chinese hacking group. The attackers targeted government agencies, universities, and other entities in the US.

The Five Eyes intelligence alliance issued a joint report alerting organizations to take safety measures after finding the botnet was used to deploy DDoS attacks and compromise organizations in the US.

Flax Typhoon Involved

Speaking about the threat at the Aspen Cyber Summit, FBI director Chris Wray said the operation was launched by the Flax Typhoon group, which had deployed malware on more than 200,000 customer devices. In a joint operation, the FBI and the US Department of Justice were able to take hold of the botnet's infrastructure; 50% of the compromised devices were found in the US.

The hijacked devices (cameras, internet routers, and video recorders) made up a large botnet used to steal crucial data. The attacks were similar to another botnet campaign operated by the Volt Typhoon group, which also used web-connected devices to build a botnet that hijacked systems and stole sensitive data.

But Flax Typhoon’s botnet also compromised a larger range of devices, compared to the router-based network by Volt Typhoon.

Flax Typhoon group disguises itself as an information security company but has a long history of working with close links to the Chinese government, says Wray.

“They represent themselves as an information security company—the Integrity Technology Group. But their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.”

Rise in State-sponsored Attacks

Although the operation was a success, Wray warned that the wider ecosystem of state-affiliated cyber attacks out of China is still alive and well.

“This was another successful disruption, but make no mistake — it’s just one round in a much longer fight. The Chinese government is going to continue to target your organizations and our critical infrastructure, either by their own hand or concealed through their proxies, and we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” Wray said.

According to a Microsoft report from 2023, Flax Typhoon has been in the game since 2021. Other reports suggest the group has been active since 2020. In the initial years, the Flax Typhoon attacked government agencies, critical manufacturing, the education sector, and IT firms in Taiwan.

Rhysida Ransomware Hits Seattle Port in August Attack

 


As part of its investigation, the Port of Seattle, which operates Seattle-Tacoma International Airport, has determined that the Rhysida ransomware gang is responsible for the cyberattack that reached its systems last month and caused delays for travellers. The Port announced in a statement on Friday that it had been the target of a ransomware attack.

As a result of the attack, which happened on August 24, the Port (which is also responsible for operating Seattle-Tacoma International Airport) announced that "certain system outages have indicated a possibility of a cyberattack." It is important to note that the SEA Airport and its associated facilities remained open after the attack, but passenger displays, Wi-Fi, check-in kiosks, ticketing, baggage, and reserved parking were impacted, as well as the flySEA application and the Port website.

In a press release issued on September 13, the Port reported that most of the affected systems had been restored within a week of the attack. As of yet, the Port of Dusseldorf has not been able to relaunch the external website or the internal portals that went offline after it secured the impacted systems and found no signs of additional malicious activity.

As far as Port systems were concerned, this incident was a "ransomware" attack by Rhysida, a criminal organization that specializes in cybercrime. Since that day, no new unauthorized activity has been conducted on those systems. In a press release, they stressed that it was safe to fly to Seattle-Tacoma International Airport and use the port's maritime facilities. 

During this time, the Port's decision to take systems offline was accompanied by the ransomware gang's encryption of the ones that were not isolated in time, resulting in a series of outages impacting a variety of services and systems, including baggage, check-in kiosks, ticketing, wireless Internet, passenger display boards, the Port of Seattle website, flySEA app, and reservations. 

A ransomware attack believed to have been launched by the Rhysida hacker group can be blamed for encrypting some of the data on the Port's computer systems using the ransomware. It was the result of this encryption and the Port's response to isolate the impacted systems as soon as possible that there were delays at the Sea-Tac Airport with baggage services, check-in kiosks, ticketing, Wi-Fi, displays, the Port's website and the flySEA app having issues. 

The majority of these issues have since been resolved; however, the airport's website and internal portals remain down as of this writing, as stated in an update posted by the Port of Los Angeles. In the wake of the cyber attack at the airport, the Port of Los Angeles is still unsure exactly how much or what kind of data was taken by the attackers, but the Port cannot afford to pay the ransom demand. There are no details about what kind of data have been compromised in the attack; however, the data may likely be of great value due to the sector of the business in which the agency operates. 

The Port of Seattle is also a heavy user of automation and machine learning technologies, which makes it a goldmine for attackers in terms of data. In the world of ransomware, Rhysida is one of the more well-known gangs, especially for the way it targets organizations that run critical systems for which downtime is not an option.

A hacker group known as the Black Hat Network has in the past targeted healthcare organizations such as the Lurie Children's Hospital and Prospect Medical Holdings. As of May 2024, the number of patients affected by this massive data breach had increased from a few hundred to nearly a million. The company claimed that the Singing River ransomware attack occurred in September 2023.

In addition to educational institutions and the manufacturing industry, the HHS Health Sector Cybersecurity Coordination Center has reported that the group has targeted the Chilean army, as well as universities and hospitals. Health and Human Services (HHS) in the United States has implicated Rhysida in an attack against healthcare organizations in the country.

When CISA and the FBI issued their warnings, different industries and sectors of society were being targeted by opportunistic attacks from this cybercrime gang. In November, Rhysida ransomware operators successfully breached Insomniac Games, a subsidiary of Sony, and subsequently leaked 1.67 TB of confidential documents on the dark web. This occurred after the game development studio declined to meet the group's demand for a $2 million ransom.

Rhysida's affiliates have also been involved in attacks on several other high-profile organizations. The City of Columbus, Ohio, MarineMax (the world's largest retailer of recreational boats and yachts), and the Singing River Health System have all fallen victim to this ransomware group. In particular, Singing River Health System reported that almost 900,000 individuals were notified of a data breach resulting from an August 2023 ransomware attack, in which sensitive personal information was compromised.

Cryptocurrency Scams Surge in 2023, FBI Reports Record $5.6 Billion in Losses

 

Despite cryptocurrency no longer dominating the headlines like it did during the 2021 to 2022 boom, cybercriminals are still leveraging it to generate billions of dollars in fraudulent income every year. According to the FBI, 2023 was the most lucrative year on record for cryptocurrency scammers, highlighting the growing scale of these crimes. 

In a report released by the FBI in 2023, it was revealed that cryptocurrency scams accounted for over $5.6 billion in losses, based on more than 69,000 complaints filed with the FBI’s Internet Crime Complaint Center (IC3). This represents a 45% increase from the previous year, demonstrating that despite market fluctuations, scams related to digital currencies are not slowing down. While the broader cryptocurrency market experienced turbulence in 2022, with the collapse of firms like Celsius, Terraform Labs, and the bankruptcy of FTX, scammers have continued to exploit the industry. 

The FBI’s report underscores that the losses from cryptocurrency scams now constitute more than half of the total losses from all online scams reported in 2022. This is a staggering statistic that demonstrates just how prevalent these schemes have become. Investment fraud remains the most common form of cryptocurrency scam, accounting for $3.96 billion of the total losses in 2023. This marks a sharp rise from the $2.57 billion lost to similar scams in 2022. The increasing sophistication of these scams has made it difficult for many people to discern legitimate investment opportunities from fraudulent ones. 

Interestingly, different types of scams tend to affect various age groups in different ways. For instance, those in their 30s and 40s were most frequently targeted by cryptocurrency investment frauds. However, individuals aged 60 and above suffered the most significant losses, with more than $1.6 billion reported by this age group alone. This data highlights the need for increased awareness and protective measures, especially for older individuals who may be more vulnerable to these scams. It’s crucial to note that the actual total of losses is likely much higher than the FBI’s report, as many victims do not report the crimes. 

FBI Director Christopher Wray urged people to report scams even if they did not suffer financial loss. According to Wray, doing so helps law enforcement stay ahead of criminals and their increasingly complex methods of defrauding people using emerging technologies. The continued growth of cryptocurrency scams in both size and sophistication is a reminder that strong cybersecurity measures and public awareness around digital currencies are more critical than ever. Reporting scams not only helps victims but also protects others from falling prey to similar fraudulent schemes.

IT Manager Faces Charges for Locking Computers to Demand Money


 

A recent case has highlighted that ransomware threats can sometimes come from within an organisation. Daniel Rhyne, a 57-year-old IT administrator from Kansas City, Missouri, has been accused of holding his own company hostage by locking down their systems and demanding a ransom to restore access.

The incident occurred in November last year when Rhyne was employed at an industrial company based in Somerset County, New Jersey. According to the Federal Bureau of Investigation (FBI), Rhyne allegedly took control of the company’s network by resetting the passwords of network administrator accounts as well as those of hundreds of employees. He then proceeded to delete critical backups and locked both servers and workstations, crippling the organisation’s operations.

An hour after initiating the attack, Rhyne allegedly sent an email to the company's employees informing them of the situation and demanding a ransom in exchange for unlocking the systems. The FBI claims this was an attempt at extortion, with Rhyne threatening further damage if his demands were not met.

Rhyne’s actions were investigated by the FBI, and he has been charged with multiple counts, including extortion, intentional damage to a protected computer, and wire fraud. Should he be convicted of all charges, he faces up to 35 years in prison and a $500,000 fine, as reported by The Register.

Several pieces of evidence were gathered by the FBI to support their case against Rhyne. For instance, he allegedly used a tool known as PsPasswd, a Windows Sysinternals utility, to reset user passwords. The new password set for the accounts was "TheFr0zenCrew!", a telling detail that investigators believe connects him directly to the attack. Rhyne also reportedly kept a hidden virtual machine (VM) on his company-issued laptop, allowing him to maintain remote access to the network's administrative controls.

Adding to the case, the FBI noted that Rhyne's digital activities prior to the attack were suspicious. He allegedly used his work laptop to search for ways to alter administrator passwords via command-line tools, which are often used by IT professionals to manage networks remotely. Investigators claim that on the day of the attack, Rhyne was seen logging into his work laptop, conducting these searches, and reviewing company password spreadsheets while also accessing the hidden VM.

The fact that he used his company-issued laptop to perform these actions leaves a strong digital trail linking him to the crime. The FBI’s detailed investigation paints a clear picture of how the attack was executed, utilising common IT tools to gain unauthorised control over the company’s systems.
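One way the pattern described above (a single account resetting hundreds of passwords within a short window) surfaces to a defender, as an added example that is not from the original post or the FBI's case materials: the script below scans Windows Security log records for Event ID 4724 ("An attempt was made to reset an account's password") and raises an alert when one subject account resets an unusual number of distinct accounts inside a sliding time window. The event records are constructed for this example, and the field names, thresholds and privileged-account list are assumptions rather than anything taken from the company's own logging.

```python
"""Burst detection for Windows account password resets (Event ID 4724).

Added example. Event ID 4724 is the real Security-log event for a password
reset performed by another principal; the records below are constructed and
the field names mirror the event's SubjectUserName (who performed the reset)
and TargetUserName (whose password was reset).
"""
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET_EVENT = 4724

# Constructed sample records (not real log data). Normal helpdesk activity:
# a few resets spread across the morning, plus one unrelated event type.
SAMPLE_EVENTS = [
    {"time": "2023-11-25T09:02:11", "event_id": 4724, "subject": "helpdesk01", "target": "jsmith"},
    {"time": "2023-11-25T09:40:03", "event_id": 4724, "subject": "helpdesk01", "target": "mlee"},
    {"time": "2023-11-25T11:15:47", "event_id": 4724, "subject": "helpdesk01", "target": "agarcia"},
    {"time": "2023-11-25T11:16:00", "event_id": 4723, "subject": "mlee", "target": "mlee"},  # self change, ignored
]
# Constructed burst: one account resets 40 passwords in under three minutes,
# starting with a privileged account (hypothetical account names).
for i in range(40):
    SAMPLE_EVENTS.append({
        "time": (datetime(2023, 11, 25, 16, 30) + timedelta(seconds=4 * i)).isoformat(),
        "event_id": 4724,
        "subject": "svc_itadmin",
        "target": "domainadmin" if i < 3 else f"user{i:03d}",
    })


def detect_mass_password_resets(events, threshold=10, window=timedelta(minutes=10),
                                privileged=frozenset({"domainadmin", "administrator"})):
    """Return one alert per subject account that reset at least `threshold`
    distinct target accounts within any sliding window of length `window`.

    Thresholds are assumptions; tune them to the organisation's normal
    helpdesk volume. Each alert reports the busiest window found.
    """
    by_subject = defaultdict(list)
    for ev in events:
        if ev["event_id"] != PASSWORD_RESET_EVENT:
            continue
        by_subject[ev["subject"]].append((datetime.fromisoformat(ev["time"]), ev["target"]))

    alerts = []
    for subject, resets in by_subject.items():
        resets.sort()  # chronological order so the window can slide
        start = 0
        best = None
        for end in range(len(resets)):
            # advance the window start until it spans no more than `window`
            while resets[end][0] - resets[start][0] > window:
                start += 1
            span = resets[start:end + 1]
            distinct = {target for _, target in span}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["count"]):
                best = {
                    "subject": subject,
                    "count": len(distinct),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                    "privileged_targets": sorted(t for t in distinct if t.lower() in privileged),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_password_resets(SAMPLE_EVENTS):
        print(f"{alert['subject']} reset {alert['count']} accounts between "
              f"{alert['first']} and {alert['last']}; privileged: {alert['privileged_targets']}")
```

Resets of privileged accounts (the privileged_targets field) are the highest-priority signal, and for domain accounts the 4724 event is written on the domain controller that performed the reset, so the collection scope has to include domain controllers, not only the workstation the tool was run from.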

If Rhyne is found guilty, his actions could serve as a warning to organisations about the potential for internal threats. It highlights the need for companies to have strong security protocols in place, not just to defend against external hackers but also to safeguard against malicious insiders who have privileged access to sensitive systems.

This case illustrates how cyberattacks are evolving and how attackers, even those within the organisation, can exploit their knowledge and access to launch devastating attacks. Organisations must remain vigilant and continually monitor for suspicious behaviour, no matter the source, to protect their critical digital infrastructure.


FBI Director Christopher Wray Highlights Unprecedented Threat Landscape and Importance of Law Enforcement Partnerships

 

FBI Director Christopher Wray emphasized the unprecedented level of diverse threats facing the nation, describing it as a time when multiple threats are simultaneously elevated, a situation he finds unparalleled in his career. In an exclusive interview during his visit to the FBI’s Minneapolis field office, Wray highlighted the importance of partnerships among law enforcement agencies and other entities as they navigate challenges ranging from domestic and international terrorism to Chinese espionage, intellectual property theft, and foreign election interference.

Wray expressed concern about the cumulative impact of these threats and the burden they place on law enforcement, noting that collaboration across agencies is crucial for overcoming these challenges. His concerns have been consistent, particularly following the October 7th Hamas attack in Israel, which he warned could inspire extremist activities similar to those seen during ISIS's rise.

The FBI is also grappling with security issues related to the southern U.S. border, where individuals with alleged ties to the Islamic State were detained in June for immigration violations. Additionally, the agency is addressing foreign interference in U.S. elections, with recent incidents involving Iranian cyberattacks on political campaigns.

While Wray refrained from discussing specific investigations, he underscored the necessity of public-private partnerships in combating cyber threats, particularly those targeting election systems. He stressed the importance of information sharing to effectively connect the dots and address these complex challenges.

Wray also noted the rising violence against law enforcement officers, pointing out the troubling statistic of an officer being killed every five days, with four such deaths occurring in Minnesota alone in 2024. The FBI itself has not been immune to such violence, as demonstrated by a fatal encounter at its Cincinnati office following the Mar-a-Lago search.

In response to these growing threats, the FBI has strengthened its traditional partnerships with state and local law enforcement while also forging new collaborations with businesses and academic institutions. These efforts aim to bolster cybersecurity and protect intellectual property, with a particular focus on leveraging artificial intelligence to counter AI-enabled threats. Wray emphasized that AI, when used effectively, could be a powerful tool in defending against the misuse of technology by adversaries.

This Security Researcher Infiltrated the LockBit Ransomware Outfit and Exposed its Leader

 

As part of a larger plan to gather intelligence and stop cybercrime from within, security researchers are actively pursuing and even infiltrating the groups that commit cybercrimes. To win the trust of cybercriminals, they frequently adopt a James Bond image, fabricating identities and conducting covert operations. Here is the account of one such investigator. 

Cybersecurity expert Jon DiMaggio has uncovered the mysterious boss of the infamous LockBit ransomware group in a story that reads like a contemporary cyber thriller. Under the guise of a cybercriminal, DiMaggio managed to penetrate the inner ring of the gang and identify its leader, Dmitry Khoroshev, before the authorities could make his identity public. This remarkable operation, which DiMaggio detailed at Def Con, is a tale involving tactical deception as well as the psychological toll that such a game can take. 

DiMaggio, a researcher at Analyst1, began his infiltration by creating sockpuppet identities to make contact with people associated with LockBitSupp, Khoroshev's online identity. DiMaggio was able to create a realistic cybercriminal personality by monitoring chats and learning about the gang's culture and preferences. Despite his initial refusal to join the group, DiMaggio continued contact with LockBitSupp and developed a close connection. He engaged in informal chats, enquiring about the gang's operations and strategies. 

DiMaggio submitted a report on his discoveries in January 2023, detailing his infiltration and the burning of his fictitious personas. Surprisingly, LockBitSupp took it lightly, even joking about it in forums, which piqued DiMaggio's interest. The relationship turned into a friendly rivalry, with LockBitSupp utilising DiMaggio's LinkedIn photo as an avatar in forums. DiMaggio also mocked the gang by trying to extort them, which raised concerns among several cybercriminals. 

During this time, DiMaggio noticed that LockBitSupp went missing for roughly 12 days. Upon returning, LockBitSupp appeared agitated but continued to communicate with DiMaggio. At the same time, LockBit claimed responsibility for a cyberattack on a Chicago children's hospital, their second after targeting Toronto's SickKids. These activities frustrated DiMaggio so much that he nearly sent an angry email to LockBitSupp, expressing his intention to pursue him. However, the researcher eventually decided against it.

After law enforcement took down LockBit's website, DiMaggio focused on identifying LockBitSupp. An anonymous tip led him to a Yandex email address, which let him track down Dmitry Khoroshev. Unexpectedly, the police updated the seized LockBit website, declaring their intention to divulge the name of LockBitSupp, the administrator. 

At this point, DiMaggio, who had established a working connection with the FBI as a private business partner, contacted them to say that he had identified Khoroshev as LockBit's administrator. DiMaggio intended to prepare a report on his findings and asked the FBI for advice on whether he should postpone publishing it. He reasoned that if the FBI told him to wait, it would probably corroborate that he had identified the right person. The FBI did, in fact, advise him to wait. 

As the Department of Justice prepared to divulge LockBitSupp's name, DiMaggio completed his report. Eventually, the DOJ named Dmitry Khoroshev as LockBit's head, allowing DiMaggio to reveal his own detailed findings. 

"This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous," DiMaggio stated. "And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn't." 

DiMaggio sent Khoroshev a note telling him to call it quits from malicious activities. “LockBitSupp, you are a smart guy. You said it's not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend," DiMaggio wrote. 

Since then, DiMaggio has not heard from Khoroshev. Despite the fact that nothing has happened, he has heard rumours that Khoroshev seeks payback.

From Code to Chaos: BlackSuit Ransomware and The CDK Global Cyber Crisis


In recent days, the automotive industry has been hit by a significant IT outage that has disrupted operations for car dealerships across North America. The culprit? The notorious BlackSuit ransomware gang. In this blog post, we’ll delve into the details of the attack, its impact, and what it means for CDK Global and its customers.

The Incident

According to people familiar with the situation, the BlackSuit ransomware gang is responsible for CDK Global's significant IT failure and interruption to car dealerships throughout North America.

Those reports follow the BlackSuit ransomware attack, which led CDK to lock down its IT infrastructure and data centers, including its car dealership platform, to prevent the attack from spreading. The company attempted to restore services on Wednesday, but a second cybersecurity attack forced it to shut down all IT systems again.

The Attack

CDK Global, a leading provider of technology solutions for auto dealerships, found itself in the crosshairs of cybercriminals.

While the company has yet to officially confirm the ransomware attack, multiple sources indicate that BlackSuit is behind the incident. The attack likely exploited vulnerabilities in CDK’s systems, leading to widespread disruption.

Impact on Dealerships

Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed that they, too, were impacted by the outages.

The fallout from the CDK Global outage has been substantial. Car dealerships rely heavily on CDK’s software for inventory management, sales, and customer service. 

With the systems down, dealers have had to resort to manual processes, including pen-and-paper record-keeping. Imagine the chaos in a busy dealership trying to manage sales, service appointments, and parts inventory without their usual digital tools.

Data Theft Concerns

Beyond the immediate operational challenges, there are serious concerns about data theft. Ransomware attacks often involve stealing sensitive information before encrypting files and demanding a ransom.

CDK Global must now investigate whether customer data, financial records, or other critical information has been compromised. The potential fallout from such a breach could be long-lasting and damaging.

Response and Recovery

In November 2023, the FBI and CISA stated in a joint advisory that Royal and BlackSuit's encryptors use similar strategies and have coding overlaps.

CDK Global’s response to the attack is crucial. They need to assess the extent of the breach, restore systems, and enhance security measures. Communication with affected dealerships is equally important. Dealers need transparency about the situation, timelines for resolution, and guidance on how to navigate the outage.

Young Hacker Linked to Scattered Spider Group Detained


 

Spanish police, aided by the FBI, have made a major breakthrough in combating cybercrime by arresting a 22-year-old man in Palma de Mallorca. The suspect, Tyler Buchanan from Dundee, Scotland, is believed to be a leading figure in the notorious hacking group Scattered Spider. Authorities apprehended Buchanan on June 15 while he was trying to board a flight to Italy. At the time of his arrest, he reportedly controlled $27 million in bitcoin.

Scattered Spider has been responsible for several major cyberattacks over the past two years. These include a significant attack on MGM Resorts in 2023 and breaches affecting companies like Twilio, LastPass, GitLab, Apple, and Walmart. Buchanan is suspected to have played a crucial role in these incidents. He is listed among the top SIM swappers, which is a technique used to take over phone numbers and access sensitive information.

This arrest follows the detention of another key Scattered Spider member, Michael Noah Urban, earlier this year. Urban was charged with stealing over $800,000 in cryptocurrency from multiple victims between 2022 and 2023. Both Buchanan and Urban are part of a broader group of young hackers, usually between 19 and 22 years old, known as 'the Community' or 'the Com'. This global network of hackers often shares its techniques and boasts about its exploits.

In May 2024, the FBI announced a crackdown on Scattered Spider, which had been targeting insurance companies since April. The arrests of Buchanan and Urban show that these efforts are making an impact. However, experts believe that the group's activities are unlikely to stop completely. Cybersecurity specialist Javvad Malik from KnowBe4 explained that cybercriminal groups are often decentralised, meaning they can quickly replace arrested members and continue their operations.

Malik pointed out that groups like Scattered Spider are resilient due to their decentralised nature. The knowledge and tools they use, such as SIM swapping, are widely shared within the cybercrime community. Online tutorials, forums, and dark web marketplaces ensure that these methods continue to spread, even when key individuals are arrested. This means that the group can persist and even grow despite law enforcement efforts.

Although the recent arrests may temporarily disrupt Scattered Spider's activities, experts predict the group will soon resume its operations with new leaders. The capture of Tyler Buchanan is a victory for law enforcement but also a reminder of the ongoing and evolving threat posed by cybercriminal organisations.


Hill Briefing on Encryption Canceled Suddenly by FBI

 


Based on emails reviewed by POLITICO, the FBI abruptly cancelled two large Hill briefings on encryption scheduled for this week, without telling the staffers who had been invited. The two-day virtual briefing on “warrant-proof encryption” had been announced to congressional staff last week. It was to cover a variety of topics, such as how encryption could pose challenges to the FBI in its investigations of "violent crimes against children and transnational organized crime." 

According to Politico, the briefings were the second in the FBI's series of "priority topics" sessions for Capitol Hill staffers and were to focus on how encryption has made it difficult for the FBI to investigate "violent crimes against children and transnational organized crime." No reason has been given for the cancellation of the two briefings, which had been planned for Tuesday and Thursday; the first meeting in the series, held last month, focused on the fentanyl crisis. The FBI said it hopes to reschedule the briefings for a future date. 

They are the second in a series of FBI "priority topics" briefings held on the Hill for all Hill staff, according to a copy of the invitation reviewed by POLITICO. The FBI's Office of Congressional Affairs, which had held the first briefing in the series in February on fentanyl, announced that the encryption event would be indefinitely delayed. The FBI has argued that technology companies such as Apple should provide a backdoor so that law enforcement officers can legally access encrypted data when they have a search warrant. 

Tech companies, however, are concerned that adding a backdoor could make it easier for hackers and other cybercriminals to access private data. The FBI asserts that the encryption employed by applications such as Signal makes it much harder to monitor the conversations of criminals, including terrorists and child sex traffickers, on those apps. The FBI had confirmed that it would hold briefings on warrant-proof encryption on June 18th and June 20th, but has since decided to postpone them, saying that some circumstances are outside its control. 

According to the email, the bureau will nonetheless reschedule the event. The email goes on to stress the importance of the FBI's role in informing Congress on a wide range of issues and sincerely apologizes for any inconvenience to those who had planned to attend. One Republican Hill staffer, speaking candidly on condition of anonymity, attributed the postponement to political pressure: the issue is politically awkward for the Biden administration, which made a postponement more likely. According to the aide, the briefing was cancelled out of the blue. “It is important for this administration not to let people talk about these issues in an election season which might revolve around precisely those issues.” 

Encryption is a contentious issue, particularly among progressives. The FBI has warned for several years that the enhanced privacy protections adopted by popular app platforms such as Signal risk blinding it to the communications of terrorists, criminal organizations, and child abuse traffickers. The bureau has long urged companies to develop so-called back doors so that it can lawfully access encrypted communications once a search warrant is obtained, and has pressed the point harder in recent years as online child sexual abuse material has proliferated. 

Some tech companies, security researchers, and privacy advocates have resisted, arguing that such access cannot be added without introducing new vulnerabilities that state hackers or cybercriminals could exploit. They also point out that, with the rise of commercial data brokers, smart cameras, and other connected devices that hoover up private information, law enforcement agencies already have access to more personal information than ever before. 

A wide range of technology companies, including Apple, offer encrypted communication platforms. An FBI spokesperson referred requests for comment on this article to the DOJ. A DOJ representative told the Associated Press that political issues were not the cause of the cancellation. A spokesperson for the Department of Interior, responding to the request about the congressional staff briefing, said that reading anything into the scheduling of the briefing was a ridiculous leap, given the Department's and Bureau's strong and consistent position on this issue.

FBI Reveals 7,000 Decryption Keys to Combat LockBit Ransomware

 

In a major development against cybercrime, the US Federal Bureau of Investigation (FBI) has disclosed the recovery of over 7,000 decryption keys to assist victims of the notorious LockBit ransomware gang. This revelation follows a disruptive international law enforcement operation against LockBit earlier this year. In February 2024, an international law enforcement effort, codenamed Operation Cronos, targeted LockBit’s infrastructure. 

This operation led to the takedown of LockBit’s data leak website and the seizure of 34 servers containing extensive data on the gang’s activities. Investigators uncovered more than 2,500 decryption keys from these servers, which the FBI is now offering to victims. The data gathered also facilitated the development of a free decryption tool for the LockBit 3.0 Black Ransomware. 

LockBit's Global Impact 

LockBit operates a ransomware-as-a-service model, providing tools to a network of affiliates who carry out cyberattacks globally. By 2022, LockBit had become the most deployed ransomware variant worldwide, causing billions of dollars in damages to victims, according to Bryan Vorndran, the FBI’s cyber assistant director. 

He added: “These LockBit scams run the way local thugs used to demand ‘protection money’ from storefront businesses.” LockBit affiliates steal and encrypt data, demanding payment for its return. Even if the ransom is paid, victims are often subjected to further extortion as the criminals retain copies of the data and may demand additional payments to prevent its release online. 

FBI's Assistance to Victims 

The FBI is proactively reaching out to known LockBit victims, encouraging those affected to visit the Internet Crime Complaint Center. While the recovered decryption keys enable victims to regain access to their data, Vorndran cautioned that this does not prevent LockBit from potentially selling or releasing the data in the future.
“When companies are extorted and choose to pay to prevent the leak of data, you are paying to prevent the release of data right now—not in the future,” he said. 

Continued Threat 

The fight against ransomware is marked by ongoing challenges. Despite the significant strides made with Operation Cronos, the threat from LockBit remains. In 2022, authorities arrested LockBit associate Mikhail Vasiliev, who received a four-year prison sentence in March 2024. 

Additionally, last month, authorities identified the elusive LockBit leader as 31-year-old Russian national Yuryevich Khoroshev. Vorndran's warning underscores the persistent threat: “Even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data.”

Behind the Breach: How ARRL Fought Back Against Cyber Intruders


The American Radio Relay League (ARRL), the primary body for amateur radio in the United States, has released new details about the May 2024 cyberattack. The ARRL cyberattack took down its Logbook of the World (LoTW), leaving many members dissatisfied with the organization's perceived lack of information.

ARRL Targeted in Sophisticated Cyber Attack

According to a recent ARRL update, on or around May 12, 2024, the company was attacked by a rogue international cyber gang via its network. When the ARRL cyberattack was discovered, the organization quickly contacted the FBI and enlisted the assistance of third-party specialists in the investigation and cleanup efforts.

The FBI classified the ARRL cyberattack as "unique," owing to its nature of infiltrating network devices, servers, cloud-based services, and PCs.

ARRL's management swiftly formed an incident response team to contain the damage, repair servers, and test apps for appropriate operation.

In a statement, ARRL reiterated its commitment to resolve the issue: "Thank you for being patient and understanding as our staff works with an exceptional team of specialists to restore full operation to our systems and services. We will continue to provide members with updates as needed and to the degree possible."

The Attack

The cyber attack on ARRL was well-coordinated and multifaceted:

  • Infiltration: The attackers gained unauthorized access to ARRL’s network devices and servers. They exploited vulnerabilities, likely through phishing emails or compromised credentials.
  • Scope: The attack affected various systems, including communication channels, member databases, and administrative tools. The attackers aimed to disrupt services and compromise sensitive information.
  • Attribution: While ARRL has not publicly disclosed the identity of the cyber group, experts believe it to be an international entity with advanced capabilities.

ARRL’s Response

  • Emergency Measures: ARRL immediately isolated affected systems, shut down compromised servers, and engaged cybersecurity experts to assess the damage.
  • Collaboration with Law Enforcement: The organization promptly reported the incident to the FBI, which launched an investigation. Cooperation with law enforcement agencies is crucial in such cases.
  • Transparency: ARRL communicated transparently with its members, providing regular updates via email, website announcements, and social media. Transparency builds trust and helps members stay informed.
  • Recovery Efforts: ARRL worked tirelessly to restore services. Backups were crucial for data recovery, and the organization implemented additional security measures.

Lessons Learned

  • Vigilance: Organizations, regardless of size, must remain vigilant against cyber threats. Regular security audits, employee training, and robust incident response plans are essential.
  • Collaboration: Cybersecurity is a collective effort. Collaboration with law enforcement, industry peers, and security experts enhances resilience.
  • Communication: Transparent communication during a crisis fosters trust and ensures that affected parties receive timely information.

Despite ARRL's efforts, many members believed that the organization was not open with information. A Facebook user wrote a lengthy post criticizing ARRL's communication approach.

FBI Takes Down Massive Global Army of Zombie Computer Devices

 

In a significant victory against cybercrime, an international law enforcement team has successfully dismantled the massive "911 S5" botnet, which has been operational for almost a decade. This extensive network, believed to be the largest of its kind globally, involved approximately 19 million compromised computers. As part of the operation, authorities also apprehended a Chinese national linked to the botnet. 

The huge botnet, active in over 190 countries, was rented out to hackers for various illegal activities. FBI Director Christopher Wray pointed out its global impact, mentioning it facilitated financial fraud, identity theft, and even gave access to child exploitation materials. The Department of Justice added that the botnet was involved in bomb threats and cyberattacks, causing potential losses in billions of dollars. 

It was also connected to more than 613,000 IP addresses in the US. Authorities seized internet equipment and assets and took action against YunHe Wang, believed to be the botnet's leader, and his partners, according to Wray. 

What Is a Botnet Attack? 

Botnets are networks of compromised computers or connected devices, infected with malware by cybercriminals, who then exploit them for malicious purposes. These devices form a "zombie army," operating without the knowledge of their owners. 

Common Botnet Attacks 

Brute Force Attack: A brute force attack is employed by cybercriminals when they lack the target's password(s). This technique involves rapidly and repeatedly guessing passwords using specialized software. The malware interacts directly with the targeted service, providing real-time feedback on password attempts. Additionally, attackers may leverage leaked credentials or personal information to enhance their guessing efforts. 
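To make the distinction above concrete, here is an added example (not from the original post) of how a defender can spot both kinds of password guessing in authentication logs: a single source hammering a service, and the botnet variant in which the guesses are spread across many compromised hosts so that no individual IP trips a per-source threshold. The log lines are constructed in OpenSSH's "Failed password" format using RFC 5737 documentation addresses; the thresholds, window length and hostname are assumptions to be tuned to the environment.

```python
"""Brute-force detection over constructed sshd authentication log lines.

Added example. Two complementary checks are applied to failed logins:
  * single-source: one IP with many failures in a short window
  * distributed:   one account attacked from many IPs in a short window,
                   which is how a botnet evades per-IP rate limits
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH's failed-password syslog line (hostname and pid are assumed).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def _line(minute, second, user, ip, invalid=True):
    """Build one constructed log line (not real traffic)."""
    who = f"invalid user {user}" if invalid else user
    return f"Nov 25 16:{minute:02d}:{second:02d} bastion sshd[2211]: Failed password for {who} from {ip} port 40000 ssh2"


SAMPLE_LOG = [
    # a successful login line, which the parser must skip
    "Nov 25 16:10:30 bastion sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2",
    # benign: one employee mistyping a password twice
    _line(10, 5, "alice", "192.0.2.10", invalid=False),
    _line(10, 9, "alice", "192.0.2.10", invalid=False),
]
# single-source brute force: one IP, 12 guesses against common names in 44 seconds
for i, user in enumerate(["admin", "test", "oracle", "postgres"] * 3):
    SAMPLE_LOG.append(_line(12, i * 4, user, "203.0.113.5"))
# distributed (botnet-style): 20 sources, one failure each, all against root
for i in range(20):
    SAMPLE_LOG.append(_line(20 + (i * 8) // 60, (i * 8) % 60, "root", f"198.51.100.{i + 1}", invalid=False))


def parse_failed_logins(lines, year=2024):
    """Return a list of (timestamp, user, ip) for each failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def _busiest_window(items, window):
    """items: chronologically sorted (ts, ip). Return the largest number of
    items falling inside any window of the given length, and the IPs in it."""
    best_count, best_ips, start = 0, set(), 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if end - start + 1 > best_count:
            best_count = end - start + 1
            best_ips = {ip for _, ip in items[start:end + 1]}
    return best_count, best_ips


def detect_brute_force(events, per_ip_threshold=10, per_user_threshold=15,
                       min_sources=5, window=timedelta(minutes=5)):
    """Return findings for single-source and distributed guessing (thresholds are assumptions)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, ip))
        by_user[user].append((ts, ip))

    findings = []
    for ip, items in by_ip.items():
        count, _ = _busiest_window(items, window)
        if count >= per_ip_threshold:
            findings.append({"type": "single_source", "key": ip, "failures": count})
    # aggregating per target account is what exposes the botnet pattern
    for user, items in by_user.items():
        count, ips = _busiest_window(items, window)
        if count >= per_user_threshold and len(ips) >= min_sources:
            findings.append({"type": "distributed", "key": user, "failures": count, "sources": len(ips)})
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(parse_failed_logins(SAMPLE_LOG)):
        print(f)
```

Per-IP blocking alone would never fire on the second pattern, since each bot contributes a single failure; the per-account aggregation is the check that catches it, at the cost of needing a response (such as temporarily locking or stepping up authentication for that account) that does not depend on the source address. The same two checks apply to any service's authentication log once the parsing regex is swapped.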

Distributed Denial of Service (DDoS) Attacks: One of the most prevalent botnet attacks is the Distributed Denial of Service (DDoS) attack. This type of attack overwhelms a service with excessive web traffic, causing it to crash and disrupting normal operations. A notable example is the 2016 Mirai botnet attack, which targeted the domain name service provider Dyn, leading to significant outages and performance issues for major websites like Twitter and SoundCloud in various regions. 

Spam and Phishing Botnets: These attacks are often used to send out massive amounts of spam emails as part of phishing campaigns. These emails aim to deceive recipients into divulging sensitive information or login credentials. Phishing not only compromises individual accounts but can also help expand the botnet by infecting more devices. 

Device Bricking: These attacks involve infecting devices with malware that deletes their contents, often to cover up evidence of a primary attack. This process renders the devices completely inoperative, essentially turning them into "bricks." These attacks are typically carried out in multiple phases, ultimately leaving the affected devices useless. 

What Can You Do? 

Keep Software Updated: Regularly update system and device software, especially on lesser-used devices. Apply updates immediately upon release. 

Secure IoT Configurations: Change default login credentials and remove outdated, unused devices from the network to eliminate potential attack vectors. 

Limit Device Access: Restrict and monitor access to IoT devices. Segregate or air-gap IoT devices from critical systems to minimize attack impact. 

Enhance Authentication: Enable multi-factor authentication and limit the number of users with access to IoT devices.