
Food Product Shipments Could Be Stolen in BEC Attacks, US Food Companies Warned


The US Department of Agriculture (USDA), the Federal Bureau of Investigation (FBI), and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) are all sounding the alarm about business email compromise (BEC) attacks that result in the theft of shipments of food items and ingredients. 

BEC is most often used to steal money. Threat actors compromise email accounts at a target firm, then send phony emails to the employees who handle payments, instructing them to wire large sums to bank accounts under the attackers' control.

In the attacks aimed at the food and agriculture industry, however, the threat actors use spoofed emails and websites to impersonate real businesses and order food products they never pay for. In the incidents observed, the thieves made off with cargo worth hundreds of thousands of dollars.

“Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation,” the agencies caution in a public statement. 

The attackers may use spear phishing and other techniques to compromise email accounts at a legitimate organization and send fake messages from them, or they may register email accounts and websites that closely resemble those of real businesses.

When contacting the target businesses, the attackers may use the identities of real executives or workers, and they may utilize authentic corporate logos in their bogus emails and papers to lend credibility to their claims. 

The agencies also say the attackers may submit fraudulent credit applications to trick the target into extending credit. Because the application carries the real company's details, the target ships the ordered goods on credit and is never paid for them.

In one of the most recent attacks, a US sugar supplier was asked to deliver a full truckload of sugar. The supplier recognized the email as fake and contacted the real company, which confirmed it had placed no such order.

In another attack, a food distributor shipped two full truckloads of powdered milk after receiving an email from a spoofed account that used the real name of the chief financial officer of a large multinational snack food and beverage company. The distributor was never paid, a loss of $160,000.

In another incident, the attackers posed as a US corporation and placed fraudulent orders for large quantities of powdered milk and other materials, causing losses of over $430,000.

In April, a US food manufacturer and supplier received emails spoofing a legitimate business and shipped two orders worth more than $100,000 for which it was never paid. In February, a food company received orders from four different scammers totaling roughly $600,000 and was never paid for any of them.

Food and agriculture businesses are advised to independently verify the contact information of new suppliers and customers, look for signs of spoofing in links and email addresses, check the wording and grammar of all correspondence, confirm any change to invoices or payment details through a known channel, be wary of orders and payments presented as urgent, ask for clarification on anything that seems suspicious, and train staff to recognize BEC scams.
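The "look for signs of spoofing" advice above can be partly automated. The following is an added example, not code from the advisory or the original post: it checks the sender headers of an inbound order against an allow-list of known counterparty domains, flagging lookalike domains (digit-for-letter swaps, near-identical spellings, a known name embedded in an unrelated domain), a Reply-To that differs from the From domain, a known executive's display name paired with an outside address, and urgency wording in the subject. The domains, executive names and sample messages are constructed for illustration.

```python
# Added example: header checks for BEC-style spoofing of a known supplier or
# customer. Allow-list, executive names and sample messages are constructed.
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed allow-list: domains of counterparties this company actually trades with.
KNOWN_DOMAINS = {"example-sugar.com", "snackco.example"}
# Assumed: executives whose names have been used in spoofed orders.
KNOWN_EXECUTIVES = {"jane doe"}
# Character swaps commonly used in lookalike domains (applied before comparing).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URGENCY = re.compile(r"\b(urgent|asap|immediately|today)\b", re.I)


def normalize(domain):
    """Lower-case the domain and undo the usual homoglyph/digit swaps."""
    d = domain.lower().strip()
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def registrable(domain):
    """Crude registrable-domain extraction: the last two labels (fine for sample TLDs)."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def lookalike_of(domain):
    """Return the known domain this one imitates, or None if it is exact or unrelated."""
    reg = registrable(domain)
    if reg in KNOWN_DOMAINS:
        return None
    norm = normalize(reg)
    for known in KNOWN_DOMAINS:
        known_norm = normalize(known)
        if norm == known_norm:
            return known                      # differs only by homoglyphs
        if SequenceMatcher(None, norm, known_norm).ratio() >= 0.85:
            return known                      # one or two characters off
        if known.split(".")[0] in norm:
            return known                      # known name buried in another domain
    return None


def analyze(headers):
    """Return a list of human-readable findings for one message's headers."""
    findings = []
    name, from_addr = parseaddr(headers.get("From", ""))
    from_dom = from_addr.rpartition("@")[2]
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_dom = reply_addr.rpartition("@")[2]

    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom} looks like known domain {target}")
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if name.lower() in KNOWN_EXECUTIVES and registrable(from_dom) not in KNOWN_DOMAINS:
        findings.append(f"Display name '{name}' is a known executive but address is {from_addr}")
    if URGENCY.search(headers.get("Subject", "")):
        findings.append("Subject uses urgency wording")
    return findings


# Constructed sample headers: one legitimate order and two spoofs.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@snackco.example>", "Reply-To": "",
     "Subject": "PO 4471 powdered milk"},
    {"From": "Jane Doe <jane.doe@snackc0.example>", "Reply-To": "orders@mail-relay.example",
     "Subject": "URGENT: two truckloads powdered milk, ship today"},
    {"From": "Purchasing <buyer@examp1e-sugar.com>", "Reply-To": "",
     "Subject": "Sugar order"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", analyze(msg) or "no findings")
```

The homoglyph table and the 0.85 similarity threshold are deliberately simple; in production you would feed the same checks the full set of domains seen in the last few months of genuine orders rather than a hand-typed allow-list, and treat any hit as a reason to phone the counterparty on a number you already hold.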

Hive Ransomware Operators Extort $100m from Over 1,300 Firms Worldwide


The operators behind the Hive ransomware-as-a-service (RaaS) model have launched assaults against over 1,300 firms across the globe and received approximately $100 million in ransom payments as of November 2022, US government agencies stated in an alert. 

Active since June 2021, the RaaS operation has been used in attacks on enterprises and critical infrastructure entities, including healthcare, government, communications, IT, and manufacturing organizations.

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," read the joint advisory by the FBI, the US Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.

Modus Operandi 

Hive's RaaS model splits the work between operators, who develop and maintain the malware, and affiliates, who carry out the intrusions on victim networks, often after purchasing initial access from initial access brokers (IABs).

In most cases, the foothold comes from exploiting ProxyShell vulnerabilities in Microsoft Exchange Server. The affiliates then locate and terminate processes linked to anti-malware, backups and file copying, and delete the Windows event logs.

The ransomware then creates a file with the .key extension in the root directory. This file is unique to the system it was created on and is required for decryption. A ransom note is dropped into each affected directory; it warns victims not to tamper with the .key file, since that would make recovery impossible, and instructs them to contact the attackers via live chat on a website reachable through the Tor browser.
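The behaviours described in the two paragraphs above (killing backup and anti-malware processes, clearing event logs, dropping a .key file in the drive root) are noisy enough to hunt for in process-creation and file telemetry. The following is an added example, not code from the advisory: it runs simple rules over constructed Sysmon-style process records and file paths and reports hosts that show several of these behaviours together. The exact commands it matches (wevtutil cl, vssadmin delete shadows, net stop / taskkill against backup- or anti-malware-named targets) and the keyword list are this example's own assumptions about how those steps usually appear on Windows, not a list taken from the advisory.

```python
# Added example: hunt for Hive-like pre-encryption behaviour in process and
# file telemetry. Rules and sample records are constructed for illustration.
import re

# Assumed rule set. The command names are standard Windows tools; which of them
# Hive affiliates actually use is not stated on this page.
EVENT_LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I)
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)
SERVICE_STOP = re.compile(
    r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+(?:/f\s+)?/im)\s+(?P<target>\S+)",
    re.I)
# Assumed substrings naming backup, anti-malware and file-copy tooling.
PROTECTED_KEYWORDS = ("backup", "veeam", "msmpeng", "defend", "vss", "sql", "sync")
# A *.key file directly under a drive root, e.g. C:\<name>.key
ROOT_KEY_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+\.key$", re.I)


def classify_process(event):
    """Label one process-creation record, or return None if it is uninteresting."""
    cmd = event["cmdline"]
    if EVENT_LOG_CLEAR.search(cmd):
        return "event_log_clear"
    if SHADOW_DELETE.search(cmd):
        return "shadow_copy_delete"
    m = SERVICE_STOP.search(cmd)
    if m and any(k in m.group("target").lower() for k in PROTECTED_KEYWORDS):
        return "protective_process_stop"
    return None


def hunt(process_events, file_paths):
    """Return (host, label, evidence) tuples for every matching record."""
    alerts = []
    for ev in process_events:
        label = classify_process(ev)
        if label:
            alerts.append((ev["host"], label, ev["cmdline"]))
    for host, path in file_paths:
        if ROOT_KEY_FILE.match(path):
            alerts.append((host, "key_file_in_root", path))
    return alerts


def hosts_with_chain(alerts, minimum=3):
    """Hosts showing at least `minimum` distinct behaviours: the ones to isolate first."""
    seen = {}
    for host, label, _ in alerts:
        seen.setdefault(host, set()).add(label)
    return sorted(h for h, labels in seen.items() if len(labels) >= minimum)


# Constructed telemetry: FS01 shows the full chain, WS07 only benign lookalikes.
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "cmdline": "wevtutil.exe cl Security"},
    {"host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": "net stop VeeamBackupSvc"},
    {"host": "FS01", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"host": "WS07", "cmdline": "net stop Spooler"},              # ordinary admin work
    {"host": "WS07", "cmdline": "wevtutil.exe qe Security /c:5"},  # a query, not a clear
]
SAMPLE_FILES = [
    ("FS01", r"C:\cf2a91b0.key"),          # key file in the drive root
    ("WS07", r"C:\Users\bob\notes.key"),   # .key but not in the root
]

if __name__ == "__main__":
    found = hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_FILES)
    for alert in found:
        print(alert)
    print("hosts to isolate:", hosts_with_chain(found))
```

Requiring several distinct behaviours per host before escalating keeps a lone `net stop` from paging anyone, while a host that clears logs, deletes shadow copies and stops a backup agent within the same window is almost certainly about to be encrypted.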

The actors also threaten that, if the ransom is not paid, the stolen data will be published on their Tor leak site, 'HiveLeaks'. Analysts have also seen them use anonymous file-sharing sites to publish exfiltrated data. 

"Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment," the advisory further reads. 

According to a recent report from cybersecurity firm Malwarebytes, Hive hit seven victims in August 2022, 14 in September and two in October, down from 26 in July.

US Agencies Disable Russia-linked "Cyclops Blink" Botnet


The US Department of Justice (DoJ), working alongside the FBI and various other authorities, has successfully neutralized Cyclops Blink, a modular botnet operated by a malicious group known as Sandworm, which has been linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). 

In the court-authorized operation, the US agencies copied and removed malware from susceptible internet-linked firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying compromised devices worldwide, the DoJ said the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control. 

Cyclops Blink is believed to be the successor to VPNFilter, a botnet that was largely abandoned after security researchers exposed it in 2018. It primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group exploiting a previously disclosed vulnerability in WatchGuard's Firebox firmware as its initial access vector. 

"These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DoJ added. 

WatchGuard Technologies issued a statement confirming it had worked with the U.S. Justice Department to disrupt the botnet, but did not disclose the number of devices affected, saying only that they represented "less than 1 percent of WatchGuard appliances." 

The device manufacturer has published detection and remediation tools alongside recommendations for device owners to remove any malware infection and patch their devices to the latest versions of available firmware. 

The company has also updated its Cyclops Blink FAQs with details of CVE-2022-23176 (CVSS score: 8.8), which could "allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access. ASUS likewise released firmware patches on April 1, 2022 to mitigate the threat, recommending that users update to the latest version.