The NSA, the Department of Homeland Security (DHS CISA), Cybersecurity and Infrastructure Protection Agency, the FBI and the UK National Cybersecurity Center (NCSC) issued a joint statement warning that the Russian “government hack group from APT28 (aka Fancy Bear, Pawn Storm, Sednit, Strontium) actively brute-force the resources of public and private companies and organizations around the world.

If the brute-force was successful, the APT28 hackers used the compromised accounts to move laterally within the affected organizations’ networks. Specifically, the agencies say APT28 used compromised credentials along with various exploits for vulnerabilities in Microsoft Exchange, including RCE issues CVE-2020-0688 and CVE-2020-17144, combining them to gain access to internal mail servers.

These attacks reportedly went largely unnoticed as APT28 masked brute-force attacks via Tor or commercial VPN services including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, and used Kubernetes clusters. Typically, brute-force was performed using a variety of protocols, including HTTP (S), IMAP (S), POP3, and NTLM, so attacks did not always go through the same channels.

The NSA states that between November 2020 and March 2021, hackers carried out attacks without using anonymization services, and as a result, the following IP addresses were identified:

• 158.58.173[.]40
• 185.141.63[.]47
• 185.233.185[.]21
• 188.214.30[.]76
• 195.154.250[.]89
• 93.115.28[.]161
• 95.141.36[.]180
• 77.83.247[.]81
• 192.145.125[.]42
• 193.29.187[.]60

APT28 attacks allegedly targeted cloud resources for a wide range of targets, including government organizations, think tanks, defense contractors, energy, logistics, legal companies, and so on.

Law enforcement officers do not disclose details about the victims.

Let me remind you that I also talked that NATO experimented with deceptive techniques to combat Russian hackers.

The post FBI and NSA release a statement about attacks by Russian hackers appeared first on Gridinsoft Blog.

The list of victims continues to grow, and it is now known that hackers have compromised:

• American information security company FireEye;
• US Department of the Treasury;
• US Department of Commerce National Informatics and Telecommunications Administration (NTIA);
• National Institutes of Health, US Department of Health (NIH);
• Agency for Cybersecurity and Infrastructure Protection, organized by the US Department of Homeland Security (DHS CISA);
• Department of Homeland Security (DHS);
• US Department of State.

Unknown hackers infected the Orion platform, designed for centralized monitoring and control, with SUNBURST (aka Solorigate) malware. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.

Microsoft, FireEye and the US Department of Homeland Security Agency for Cybersecurity and Infrastructure Protection (DHS CISA) released their own indicators of compromise and instructions for working with infected systems.

Among the company’s 300,000 customers, only 33,000 are known to have used Orion, and all of them have already been notified of the incident. At the same time, according to SolarWinds, an infected version of the Orion platform was installed on 18,000 clients.

SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network. Many medias drew attention to the statements of cybersecurity researcher Vinoth Kumar, who claims that the credentials from the SolarWinds update server were freely available in the company’s official GitHub repository back in 2018. According to Kumar, he noticed this leak in November, and the password for the server was simple: “solarwinds123”.

The researcher does not state that this particular credential played any role in the hacking of the Orion platform, but admits that it is possible. The fact is that the malicious Orion binaries were nevertheless signed, which points at a wider compromise of the company’s network.

The theory of leaked credentials is also confirmed by the Reuters news agency, according to whose sources, access to SolarWinds systems for a long time has been for sale on the darknet.

Meanwhile, ZDNet, citing its own industry sources, writes that Microsoft and its partners have seized control of the domain that played a major role in compromising SolarWinds and gave it a sinkhole.

Sources of the publication describe this operation as “protective”, aimed at preventing malware operators from sending new commands to infected computers.

Let me also remind you that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

The post SolarWinds was hacked because its credentials were publicly available on GitHub appeared first on Gridinsoft Blog.

ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.

LokiBot is one of the most dangerous infostealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s.

For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password stealing tools (mainly among low and medium-skilled cybercriminals).

Currently, several hack groups actively use malware at once, spreading it using a variety of methods, from email spam to hacked installers and malicious torrent files.

“By infecting victims’ computers, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets”, – inform DHS CISA researchers.

Today LokiBot is no longer just an info-stealer, but a more complex threat. Thus, the malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the internal database of the browser), and a utility for creating screenshots (usually used to capture documents after they have been opened on a computer victims). In addition, LokiBot also acts as backdoor, allowing hackers to launch other malware on infected hosts.

The data stolen by LokiBot usually ends up on underground marketplaces. According to KELA analysts, LokiBot is one of the main providers of credentials for the Genesis marketplace.

In 2019, SpamHaus experts named LokiBot the malware with the most active command servers, Any.Run experts placed LokiBot in 4th place in the ranking of the most common threats in 2019, and in the SpamHaus ranking for the first half of 2020, LokiBot confidently occupies second place.

The post CISA experts warned about the growth of LokiBot infostealer activity appeared first on Gridinsoft Blog.