28 January 2023

IMAGINE THAT >> Federal agencies hacked using legitimate remote desktop tools



CISA, the NSA, and MS-ISAC warned today in a joint advisory that attackers are increasingly using legitimate remote monitoring and management (RMM) software for malicious purposes.

More worryingly, CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system after the release of a Silent Push report in mid-October 2022.

This activity was linked to the "widespread, financially motivated phishing campaign" reported by Silent Push and was detected on "many other FCEB networks" after first being spotted on a single FCEB network in mid-September 2022.

Source: www.bleepingcomputer.com

US offers $10M bounty for Hive ransomware links to foreign governments

Sergiu Gatlan

The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments.

In November, the FBI revealed that this ransomware operation had extorted around $100 million from over 1,500 companies since June 2021.

"If you have information that links Hive or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward," the State Department's Rewards for Justice Twitter account said.

"For information on the identification or location of any person who, while acting at the direction of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act."

"Send us your information on Signal, Telegram, WhatsApp, or via our Tor-based tip line."

During the last two years, the State Department also offered rewards of up to $15 million for tips that could help locate members of the Conti [12], REvil (Sodinokibi), and Darkside ransomware operations.

The State Department offers these rewards as part of its Transnational Organized Crime Rewards Program (TOCRP), through which over $135 million in rewards have been paid since 1986.

Rewards for Justice Hive reward tweet

Disrupted after FBI infiltrated Hive's servers

This offer comes after Hive ransomware's Tor websites were seized today as part of an international law enforcement operation.

The Justice Department revealed that the FBI infiltrated Hive servers at a hosting provider in California last July and secretly monitored the operation for six months (Dutch police gained access to backup servers hosted in the Netherlands).

As a result, the FBI could warn targets as it learned about attacks before they occurred and distribute over 1,300 decryption keys to Hive victims, thus saving them at least $130 million in ransom payments.

Besides decryption keys, the FBI also discovered Hive communication records, malware file hashes, and information on 250 Hive affiliates.

The gang's Tor payment and data leak sites now display an animated seizure banner warning other ransomware gangs of this coordinated action and listing the law enforcement organizations and countries involved in this international takedown operation.

"This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware," the seizure notice reads.

"This action has been taken in coordination with the United States Attorney's Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol."
