DHS CISA Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/dhs-cisa/

FBI and NSA release a statement about attacks by Russian hackers
https://gridinsoft.com/blogs/fbi-and-nsa-about-russian-hackers/
Fri, 02 Jul 2021 16:48:18 +0000
The FBI and NSA claim that a group of Russian government hackers is brute-forcing accounts at companies and organizations around the world.

The NSA, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the FBI and the UK National Cyber Security Centre (NCSC) issued a joint statement warning that the Russian government hacking group APT28 (aka Fancy Bear, Pawn Storm, Sednit, Strontium) is actively brute-forcing the resources of public and private companies and organizations around the world.

“From at least mid-2019 to early 2021, the 85th Main Center for Special Services of the GRU, also known as Unit 26165, used a Kubernetes cluster to conduct large-scale, distributed and anonymous brute force attacks against hundreds of targets in the public and private sector. The 85th GVC targeted much of this activity at organizations using Microsoft Office 365 cloud services, but attacks also targeted other service providers and on-premises mail servers using a variety of different protocols. This activity almost certainly continues to this day,” the statement says.

If the brute-force was successful, the APT28 hackers used the compromised accounts to move laterally within the affected organizations’ networks. Specifically, the agencies say APT28 used compromised credentials along with various exploits for vulnerabilities in Microsoft Exchange, including RCE issues CVE-2020-0688 and CVE-2020-17144, combining them to gain access to internal mail servers.

Figure: attack scheme

These attacks reportedly went largely unnoticed because APT28 masked the brute-force attempts behind Tor or commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, and ran them from Kubernetes clusters. The brute-forcing was typically performed over a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM, so the attacks did not always arrive through the same channel.

The NSA states that between November 2020 and March 2021 the hackers carried out some attacks without using anonymization services, and as a result a set of source IP addresses was identified.


APT28 attacks allegedly targeted cloud resources for a wide range of targets, including government organizations, think tanks, defense contractors, energy, logistics, legal companies, and so on.

Law enforcement officers do not disclose details about the victims.

Let me remind you that I also wrote about how NATO experimented with deceptive techniques to combat Russian hackers.

The post FBI and NSA release a statement about attacks by Russian hackers appeared first on Gridinsoft Blog.

SolarWinds was hacked because its credentials were publicly available on GitHub
https://gridinsoft.com/blogs/solarwinds-was-hacked-because-its-credentials-were-publicly-available-on-github/
Wed, 16 Dec 2020 22:07:35 +0000
Earlier this week, a massive supply-chain attack affecting SolarWinds and its customers was reported. SolarWinds may have been hacked because its credentials were publicly available on GitHub for a while.

The list of victims continues to grow, and it is now known that hackers have compromised:

  • American information security company FireEye;
  • US Department of the Treasury;
  • the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce;
  • the National Institutes of Health (NIH) of the US Department of Health;
  • the Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security (DHS CISA);
  • Department of Homeland Security (DHS);
  • US Department of State.

Unknown hackers infected the Orion platform, designed for centralized monitoring and control, with SUNBURST (aka Solorigate) malware. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.

Microsoft, FireEye and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) released their own indicators of compromise and instructions for dealing with infected systems.

Among the company’s 300,000 customers, only 33,000 are known to have used Orion, and all of them have already been notified of the incident. At the same time, according to SolarWinds, the infected version of the Orion platform was installed at 18,000 customers.

SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network. Many media outlets drew attention to the statements of cybersecurity researcher Vinoth Kumar, who claims that the credentials for the SolarWinds update server were freely available in the company’s official GitHub repository back in 2018. According to Kumar, he noticed this leak in November, and the password for the server was simple: “solarwinds123”.

“Using these credentials, I was able to upload a file to the company’s server, thus proving the system was insecure, which I notified SolarWinds about in November 2020. As a result, the leak was fixed on November 22,” wrote Kumar.

The researcher does not state that this particular credential played any role in the hacking of the Orion platform, but admits that it is possible. Notably, the malicious Orion binaries were nevertheless signed, which points to a wider compromise of the company’s network.

“If they had access to the build servers, they would not need FTP credentials. But if they just got hold of the signing certificate and credentials from FTP, they could modify the .dll, sign it and upload it to the FTP server,” Kumar told The Register.

The theory of leaked credentials is also supported by the Reuters news agency, whose sources say that access to SolarWinds systems had been for sale on the darknet for a long time.

Meanwhile, ZDNet, citing its own industry sources, writes that Microsoft and its partners have seized control of the domain that played a major role in the compromise of SolarWinds and sinkholed it.

“The domain avsvmcloud[.]com served as the command-and-control server for the SUNBURST malware, which spread across the networks of 18,000 SolarWinds clients via the malicious version of Orion,” according to ZDNet journalists.

The publication’s sources describe this operation as “protective”, aimed at preventing the malware operators from sending new commands to infected computers.

Let me also remind you that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

CISA experts warned about the growth of LokiBot infostealer activity
https://gridinsoft.com/blogs/cisa-experts-warned-about-the-growth-of-lokibot-infostealer-activity/
Wed, 23 Sep 2020 16:37:26 +0000
Specialists from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) warned about the growing activity of the LokiBot infostealer (aka Loki and Loki PWS; not to be confused with the Android trojan of the same name), which has been increasing since July this year.

ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.

Figure: LokiBot infostealer activity growth

LokiBot is one of the most dangerous infostealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s.

For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password stealing tools (mainly among low and medium-skilled cybercriminals).

Currently, several hacking groups use the malware at the same time, spreading it by a variety of methods, from email spam to trojanized installers and malicious torrent files.

“By infecting victims’ computers, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets,” DHS CISA researchers report.

Today LokiBot is no longer just an infostealer but a more complex threat. The malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the browser’s internal database) and a screenshot utility (usually used to capture documents after they have been opened on the victim’s computer). In addition, LokiBot also acts as a backdoor, allowing hackers to launch other malware on infected hosts.

The data stolen by LokiBot usually ends up on underground marketplaces. According to KELA analysts, LokiBot is one of the main providers of credentials for the Genesis marketplace.

In 2019, SpamHaus experts named LokiBot the malware with the most active command servers, Any.Run experts placed LokiBot in 4th place in the ranking of the most common threats in 2019, and in the SpamHaus ranking for the first half of 2020, LokiBot confidently occupies second place.
