Tag Archive for: foiled

Hacker Infected & Foiled by Own Infostealer


Malicious actor “La_Citrix” built a reputation on gaining access to organizations’ Citrix remote desktop protocol (RDP) VPN servers and selling them off to the highest bidder on Russian-language Dark Web forums.

The threat actor was using an infostealer to rip off credentials in campaigns dating back to 2020 — until La_Citrix accidentally infected his own computer with the malware and sold off his own data, along with a cache of other stolen data, to threat researchers with Hudson Rock who were lurking on the Dark Web to gather threat intelligence.

The first clue that there was something unusual afoot was when Hudson Rock’s API detected a single user in the stolen data who appeared as an employee at nearly 300 different companies, the report explained.

“Surprisingly, it was discovered that this threat actor orchestrated all of the hacking incidents using his personal computer, and browsers installed on that computer stored the corporate credentials used for the various hacks,” Hudson Rock’s report noted.

Upon digging further, Hudson Rock’s team was quickly able to ascertain the threat actor’s identity, along with his address and phone number, as well as evidence of his malicious activities.

“Hudson Rock will forward the data to relevant law enforcement agencies,” the report added.


Source…

Foiled hospital hack shows scope of cyber threats


The recent disclosure by the FBI director of that agency’s successful thwarting of an Iranian-backed cyberattack of Boston’s Children’s Hospital should serve as a stark warning of what another hostile government might do in retaliation for this country’s support of Ukraine.

Now more than three months into the invasion of that sovereign country, Russia, squeezed by tightening Western sanctions, has probably unleashed its own cyberattack campaign against the U.S. and other NATO countries.

Luckily for Children’s Hospital, the FBI, according to Director Christopher Wray, had been tipped off by an arm of U.S. intelligence about the imminent threat back in August of last year.

Over the next 10 days, according to the Bureau, the FBI’s Boston Division met with representatives from the hospital seven times, “to provide support to Boston Children’s Hospital and address any concern with the (advanced persistent threat) actors’ activity.”

An advanced persistent threat is one that hides in a computer network, sometimes for years, before finally activating and providing access to systems. The term is generally used to describe activity by hackers with connection to a government.

That cyber victory occurred just months after a string of embarrassing hacks into a major gasoline distribution network and a key U.S. information technology firm.

The Colonial Pipeline hacking, perpetrated by the Russian-speaking hacking group DarkSide, left thousands of Americans without gasoline for days. Not long after, an attack perpetrated by Russian cybercriminal group REvil on JBS, the world’s largest meat supplier, shut down multiple processing plants.

But the most serious breach of our national security – that we know of — occurred at SolarWinds, a vital U.S. information technology firm that provides network monitoring software used by Fortune 500 firms and government agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration and the Treasury.

As Reuters first reported in December 2020, SolarWinds sustained a cyberattack that spread to its clients and went undetected…

Source…

U.S. FBI says it foiled a cyberattack by Russian hackers


By Sarah N. Lynch



FILE PHOTO: FBI headquarters building is seen in Washington
© Reuters/YURI GRIPAS

WASHINGTON (Reuters) – The U.S. Federal Bureau of Investigation has wrested control of thousands of routers and firewall appliances away from Russian military hackers by hijacking the same infrastructure Moscow’s spies were using to communicate with the devices, U.S. officials said on Wednesday.

An unsealed redacted affidavit described the unusual operation as a pre-emptive move to stop Russian hackers from mobilizing the compromised devices into a “botnet” – a network of hacked computers that can bombard other servers with rogue traffic.

“Fortunately, we were able to disrupt this botnet before it could be used,” U.S. Attorney General Merrick Garland said.

The targeted botnet was controlled through malware called Cyclops Blink, which U.S. and UK cyberdefense agencies had publicly attributed in late February to “Sandworm,” allegedly one of the Russian military intelligence service’s hacking teams that has repeatedly been accused of carrying out cyberattacks.

Cyclops Blink was designed to hijack devices made by WatchGuard Technologies Inc and ASUSTeK Computer Inc, according to research by private cybersecurity firms. It provides Russian services with access to those compromised systems, offering the ability to remotely exfiltrate or delete data or turn the devices against a third party.

FBI Director Chris Wray told reporters the FBI, with court approval, secretly reached into thousands of routers and firewall appliances to delete the malware and reconfigure the devices.

“We removed malware from devices used by thousands of mostly small businesses for network security all over the world,” Wray said. “We shut the door the Russians had used to get into them.”

The affidavit noted that U.S. officials launched an awareness campaign “to inform owners of WatchGuard devices of the steps they should take to remediate infections or vulnerabilities” and yet less than half the devices had been fixed to expel the hackers.

The affidavit noted that the FBI had carried out its work in cooperation with WatchGuard.

The announcement came amid a…

Source…

Fraudsters Go for Olympics Gold Attacking Streaming Sites, but are Foiled by Arkose Labs


Since the establishment of the Olympic Games in ancient Greece in 776 B.C., the event has been an occasion for athletes and competitors from around the world to test their skills against the very best. This year, while many of us marveled at the amazing feats in gymnastics, track & field, swimming, and more, some fraudsters were attacking streaming sites to show off their skills in the realm of credential stuffing. While they aimed for gold in this particular dark art, they were foiled by Arkose Labs. 

The Arkose Labs platform protects one of the most prominent and popular streaming media platforms, which also was one of the platforms that broadcast the Olympic games. During the games, Arkose Labs detected a much higher spike in traffic coming to the streaming platform than normal. Much of this, however, was not simply an increase in viewers coming to watch feats of athletic strength and speed, but fraudsters performing credential stuffing attacks. In fact, credential stuffing attacks spiked by 52% during the week of the opening ceremony, peaking during the closing ceremony. 

Credential stuffing is one of the major attacks that powers account takeover fraud. It is when fraudsters use automation to run millions of username and password combinations on accounts until they get a match. Years of data breaches have exposed these usernames and passwords, and large lists can be purchased on the Dark Web for relatively little. Some even post them for free on sites like Pastebin. 
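The pattern described above (one automated source cycling through many different username/password pairs, nearly all of which fail) is what a defender's login-log detection keys on. The following is an added example, not code from Arkose Labs or from the original article: it parses a handful of constructed login events, applies a sliding-window rule per source IP (many distinct usernames, low success rate), and reports which accounts from a flagged source actually logged in and therefore need a password reset and session revocation. The log format, thresholds and IP addresses are assumptions chosen for the illustration.

```python
"""Credential-stuffing detection over login events (added example, constructed data).

A legitimate user retries one or two accounts; a stuffing bot from one source
tries many *distinct* usernames in a short window with a high failure rate.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; documentation-range IPs, not real data).
SAMPLE_LOG = """\
2021-07-23T20:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-07-23T20:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-07-23T20:00:02Z ip=203.0.113.7 user=carol result=FAIL
2021-07-23T20:00:03Z ip=203.0.113.7 user=dave result=FAIL
2021-07-23T20:00:03Z ip=203.0.113.7 user=erin result=OK
2021-07-23T20:00:04Z ip=203.0.113.7 user=frank result=FAIL
2021-07-23T20:00:04Z ip=203.0.113.7 user=grace result=FAIL
2021-07-23T20:00:05Z ip=203.0.113.7 user=heidi result=FAIL
2021-07-23T20:01:10Z ip=198.51.100.4 user=alice result=FAIL
2021-07-23T20:01:25Z ip=198.51.100.4 user=alice result=FAIL
2021-07-23T20:01:40Z ip=198.51.100.4 user=alice result=OK
2021-07-23T20:30:00Z ip=192.0.2.9 user=ivan result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.25):
    """Flag source IPs that, within any sliding window, try at least
    min_distinct_users different accounts with a success rate at or below
    max_success_rate. Returns {ip: stats} describing the worst window seen."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()  # events inside the current window for this ip
        for ts, _, user, ok in evs:
            recent.append((ts, user, ok))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {u for _, u, _ in recent}
            successes = sum(1 for _, _, s in recent if s)
            rate = successes / len(recent)
            if len(distinct) >= min_distinct_users and rate <= max_success_rate:
                prev = alerts.get(ip)
                if prev is None or len(distinct) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(distinct),
                        "attempts": len(recent),
                        "successes": successes,
                        "success_rate": round(rate, 3),
                        "window_start": recent[0][0],
                        "window_end": ts,
                    }
    return alerts


def accounts_to_review(events, alerts):
    """Accounts that had a *successful* login from a flagged source: these are
    the likely account takeovers that need a forced reset and session revocation."""
    return {user for _, ip, user, ok in events if ok and ip in alerts}


def analyze(text):
    """Run the full pipeline on raw log text: (alerts, accounts_to_review)."""
    events = parse_log(text)
    alerts = detect_credential_stuffing(events)
    return alerts, accounts_to_review(events, alerts)


if __name__ == "__main__":
    found, hits = analyze(SAMPLE_LOG)
    for ip, stats in found.items():
        print(f"stuffing suspected from {ip}: {stats}")
    print("accounts to review:", sorted(hits))
```

Run as a script, the constructed data flags 203.0.113.7 (8 distinct usernames, 1 success in 8 attempts) and leaves the two benign sources alone: 198.51.100.4 retries a single account, and 192.0.2.9 logs in once. In production the same rule would be fed from an authentication log pipeline and tuned per site, and the flagged successes would feed a reset and revocation workflow rather than a print statement.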

Account takeover attacks are highly popular among fraudsters because of the numerous ways they can be monetized. They can drain money from an account or steal personal information and resell it to other criminals. They can use the compromised accounts to launder or move stolen money obtained from another crime. And there are many industry-specific paths to monetization as well.

In attacking streaming sites, fraudsters often seek to launch mass attacks at scale, since these accounts are not as lucrative as, say, financial accounts. This means fraudsters need volume to make money and gain access to as many accounts as possible to resell…

Source…