Just to prove that no one is safe from hackers, last Saturday the United States Federal Bureau of Investigation (FBI) confirmed that unidentified malicious actors had used one of its mail servers to blast out hoax messages about a fake “sophisticated chain attack”.
This incident, first disclosed publicly by SpamHaus, a nonprofit threat intelligence organisation, involved sending bogus warning emails with the subject line “Urgent: Threat actor in systems” from a legitimate FBI email address, [email protected][.]gov. The messages blamed the supposed cyberattack on Vinny Troia, a security researcher and founder of the dark web intelligence firms Night Lion Security and Shadowbyte, while claiming he was also affiliated with a hacking group named TheDarkOverlord.
In short, the hackers abused the FBI’s own mail system to send messages framing a well-known cybersecurity researcher, apparently only because he had allegedly “decried” them in his book. They did not need his account, or anyone’s credentials, to do it.
Brian Krebs (of Krebs on Security), a cybersecurity journalist and former Washington Post reporter, was also contacted privately by the hackers and reported independently that the spam messages “were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities”.
The hacker, using the alias Pompompurin, told Krebs that the abuse was possible because of a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP). The portal not only allowed any individual to apply for an account, but also disclosed the one-time passcode (the code emailed to the requester to confirm registration) to the requester’s own browser. With the secret in hand, and with the confirmation email’s content taken from the web request rather than from a fixed server-side template, the hackers could modify and replay the HTTP request, substituting their own bogus message and sending it to thousands of email addresses.
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to exploit the Law Enforcement Enterprise Portal (LEEP) to send bogus emails,” the agency said in a statement.
“While the illegitimate e-mail originated from a server operated by the FBI, that server was dedicated to serving notifications for LEEP and was not part of the FBI’s corporate e-mail service. No actor has been able to access or compromise any data or personal information on the FBI network.”
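To make the two weaknesses concrete, here is an added, deliberately simplified Python model of a registration endpoint that leaks its confirmation code and trusts client-supplied message fields, next to a hardened version of the same flow. This is illustrative code written for this column, not LEEP’s code: the form field names, the response shape, the sender address, the code lifetime and the rate-limit numbers are all assumptions.

```python
"""Added illustration of a confirmation-email flow with LEEP-style weaknesses.

Not LEEP code. Field names, response shapes, the sender address and the
limits below are assumptions chosen for illustration.
"""
import hmac
import secrets
import time


class Outbox:
    """Stand-in for the portal's notification mail server (constructed)."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body, sender="noreply@portal.example"):  # sender assumed
        self.sent.append({"to": to, "from": sender, "subject": subject, "body": body})


class VulnerablePortal:
    """Two flaws: the one-time code is echoed to the client, and the mail's
    subject and body are taken from the HTTP request instead of a template."""

    def __init__(self, outbox):
        self.outbox = outbox
        self.pending = {}  # email -> one-time code

    def request_account(self, form, client_ip=None):  # client_ip ignored: no limit
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[form["email"]] = code
        # Flaw 1: client-controlled subject/body go straight to the mail server,
        # so a forged request turns a confirmation mail into any message.
        self.outbox.send(form["email"], form["subject"], form["body"])
        # Flaw 2: the secret meant for the recipient's mailbox is leaked in the
        # response, so the sender never needs access to that mailbox.
        return {"status": "sent", "code": code}

    def confirm(self, email, code):
        return self.pending.get(email) == code


class HardenedPortal:
    """Server-owned template, secret never returned, single recipient,
    short code lifetime and a per-client request limit."""

    TEMPLATE = ("Your registration code is {code}. It expires in 10 minutes.\n"
                "If you did not request an account, ignore this message.")

    def __init__(self, outbox, max_per_hour=3, clock=time.time):
        self.outbox = outbox
        self.max_per_hour = max_per_hour
        self.clock = clock
        self.pending = {}  # email -> (code, expiry)
        self.history = {}  # client_ip -> request timestamps

    def request_account(self, form, client_ip):
        now = self.clock()
        recent = [t for t in self.history.get(client_ip, []) if now - t < 3600]
        if len(recent) >= self.max_per_hour:
            return {"status": "rate_limited"}
        self.history[client_ip] = recent + [now]
        email = form["email"]
        if any(ch in email for ch in ",;\r\n") or "@" not in email:
            return {"status": "rejected"}  # no recipient lists, no header injection
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (code, now + 600)
        # Only the server's own template is mailed; extra form fields are ignored.
        self.outbox.send(email, "Registration code", self.TEMPLATE.format(code=code))
        return {"status": "sent"}  # nothing secret in the response

    def confirm(self, email, code):
        record = self.pending.get(email)
        if record is None or self.clock() > record[1]:
            return False
        return hmac.compare_digest(record[0], code)


def hoax_campaign(portal, targets, hoax_subject, hoax_body):
    """Replay the abuse described above: one forged request per target from a
    single source. Returns (hoax mails delivered, accounts confirmed without
    any access to the victims' mailboxes)."""
    confirmed = 0
    for target in targets:
        form = {"email": target, "subject": hoax_subject, "body": hoax_body}
        resp = portal.request_account(form, client_ip="203.0.113.7")  # constructed IP
        if "code" in resp and portal.confirm(target, resp["code"]):
            confirmed += 1
    delivered = sum(1 for m in portal.outbox.sent if m["body"] == hoax_body)
    return delivered, confirmed


if __name__ == "__main__":
    targets = [f"victim{i}@example.org" for i in range(5)]  # constructed targets
    hoax = ("Urgent: Threat actor in systems", "Constructed hoax text for the demo.")
    print("vulnerable (delivered, confirmed):", hoax_campaign(VulnerablePortal(Outbox()), targets, *hoax))
    print("hardened   (delivered, confirmed):", hoax_campaign(HardenedPortal(Outbox()), targets, *hoax))
```

The point of the comparison is that neither fix is exotic: the hardened version simply never returns the secret, never lets the client choose what the server mails, and caps how often one source can trigger a notification. Any one of those alone would have blunted the campaign described above.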
Investigations are continuing, and although no harm appears to have been caused, in my opinion it is in the authorities’ best interests to discourage such activity.
Imagine if someone broke into your house just to prove that your security was not up to par. You would still insist that the police arrest them and put them in jail, give them a heavy fine, or both! “No harm done” is still no excuse for breaking the law; maybe a few mitigating grounds, but I’m stepping into the lawyers’ area of expertise here.
In other recent developments, Microsoft has detailed the activities of six Iranian hacking groups, including waves of ransomware attacks that have recurred roughly every six to eight weeks since September 2020.
Russia is often seen as the hotbed of the biggest cybercriminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown growing interest in ransomware, especially its potential financial benefits. This is particularly so for North Korea, whose state-sponsored groups are estimated to have collected at least US$50 million (about F$105 million) in ransomware payments over the past two years.
Microsoft says the Iranian groups use ransomware either to raise funds or to disrupt their targets, and that they are “patient and persistent” while engaging with those targets, although they occasionally employ aggressive brute-force attacks.
The most consistent of the six Iranian threat groups is the one Microsoft tracks as Phosphorus (others call it APT35), with which Microsoft has been playing cat and mouse for two years. Although the group was initially known for cyber espionage, Microsoft details how it now deploys ransomware on targeted networks, often using Microsoft’s own Windows full-disk encryption feature, BitLocker, to encrypt victims’ files rather than bringing its own encryptor.
Last year, other cybersecurity firms detected an increase in ransomware activity from Iranian state-backed hackers who exploited known Microsoft Exchange vulnerabilities to install persistent web shells on mail servers and then deploy Thanos ransomware.
According to Microsoft, Phosphorus has also been targeting unpatched on-premises Exchange servers and Fortinet FortiOS SSL VPN appliances in order to deploy ransomware.
In the second half of 2021, the group began scanning for the Exchange flaws known as ProxyShell, the successors to the ProxyLogon flaws that Beijing-backed hackers had exploited as zero-days earlier this year.
A report by the security specialists at The DFIR Report notes that Phosphorus used BitLocker on servers and DiskCryptor on PCs. Their operation stood out because it relied neither on the ransomware-as-a-service offerings popular among cybercriminals nor on a custom encryptor, using Microsoft’s own BitLocker program instead.
Their standard modus operandi, as tracked by the Microsoft Threat Intelligence Center (MSTIC), is that after compromising an initial server (through a vulnerable VPN or Exchange server), the attackers move laterally to other systems on the victim’s network to reach more valuable resources.
From there, the attackers deploy a script that turns on BitLocker drive encryption across multiple systems, after which victims are directed to a specific Telegram page to pay for the decryption key. As always, and as emphasised by every vendor, please keep your servers and applications up to date with patches so that such attacks cannot get a foothold in the first place.
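Because the final step uses a built-in Windows feature rather than malware, it is worth showing what a defender can actually look for. The Python below is an added example written for this column (not material from Microsoft or The DFIR Report): it runs a few detection rules over constructed process-creation records and then correlates them to find one account switching on disk encryption across several hosts in a short window, which is the lateral-movement-then-mass-encryption shape described above. The hosts, accounts, timestamps and records are made up; the manage-bde and Enable-BitLocker command syntax is real, while the DiskCryptor console invocation is an assumption.

```python
"""Added example: flag BitLocker/DiskCryptor abuse in process-creation telemetry.

All records are constructed for illustration (hosts, users, timestamps).
manage-bde and Enable-BitLocker syntax is real; the dccon.exe line is assumed.
"""
import re
from collections import defaultdict

MANAGE_BDE = r"C:\Windows\System32\manage-bde.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed Sysmon EID 1 / Security 4688-style events; ts in seconds
    {"ts": 100, "host": "FS01", "user": r"CORP\jsmith", "image": MANAGE_BDE,
     "cmdline": "manage-bde -status C:"},  # benign status query
    {"ts": 200, "host": "FS01", "user": r"CORP\svc_task", "image": MANAGE_BDE,
     "cmdline": "manage-bde -on D: -RecoveryPassword -UsedSpaceOnly"},
    {"ts": 230, "host": "SQL02", "user": r"CORP\svc_task", "image": POWERSHELL,
     "cmdline": 'powershell -ep bypass -c "Enable-BitLocker -MountPoint D: -RecoveryPasswordProtector"'},
    {"ts": 260, "host": "DC01", "user": r"CORP\svc_task", "image": MANAGE_BDE,
     "cmdline": "manage-bde -protectors -delete C: -Type TPM"},  # strip the TPM protector
    {"ts": 300, "host": "WS017", "user": r"CORP\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\dccon.exe",
     "cmdline": "dccon.exe -encrypt pt0"},  # DiskCryptor console, syntax assumed
    {"ts": 9000, "host": "WS020", "user": r"CORP\alice", "image": MANAGE_BDE,
     "cmdline": "manage-bde -on C: -RecoveryPassword"},  # lone event, far later
]

# Each rule is matched against "<image> <cmdline>".
RULES = [
    ("bitlocker_enable", re.compile(r"manage-bde(\.exe)?\b.*\s-on\b", re.I)),
    ("bitlocker_enable", re.compile(r"\bEnable-BitLocker\b", re.I)),
    ("bitlocker_protector_change",
     re.compile(r"manage-bde(\.exe)?\b.*-protectors\s+-(add|delete|disable)\b", re.I)),
    ("bitlocker_force_recovery", re.compile(r"manage-bde(\.exe)?\b.*-forcerecovery\b", re.I)),
    ("diskcryptor", re.compile(r"\b(dcrypt|dccon)\.exe\b", re.I)),
]


def classify(event):
    """Return the distinct rule names that fire for one event (empty if benign)."""
    text = f'{event["image"]} {event["cmdline"]}'
    tags = []
    for name, pattern in RULES:
        if pattern.search(text) and name not in tags:
            tags.append(name)
    return tags


def correlate(events, window=300, min_hosts=2):
    """Group flagged events by account and report accounts that touched at
    least `min_hosts` distinct hosts within `window` seconds.
    Returns {user: sorted list of hosts}. A single flagged host is left to the
    per-event alert; the multi-host pattern is what makes it a campaign."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if classify(ev):
            by_user[ev["user"]].append((ev["ts"], ev["host"]))
    hits = {}
    for user, seq in by_user.items():
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.setdefault(user, set()).update(hosts)
    return {u: sorted(h) for u, h in hits.items()}


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ts"], ev["host"], ev["user"], classify(ev) or "-")
    print("multi-host encryption by one account:", correlate(EVENTS))
```

In a real environment the same logic would sit on top of Sysmon or Security log 4688 events with command-line logging enabled, and the benign baseline matters: `manage-bde -status` and an administrator turning on BitLocker on a single laptop should not page anyone, but one service account enabling encryption on three servers in a minute should.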
As noted in a previous article this year, the same Iranian state-sponsored group also attempts to steal credentials by sending “interview requests” to targeted individuals in emails that contain tracking links to confirm whether the recipient opened the message. Once the target responds, the attackers send a link to a list of interview questions and then a link to a fake Google Meet page that harvests the victim’s login credentials.
Other groups mentioned in Microsoft’s report include an emerging Iranian hacking group that recently targeted Israeli and US organisations, as well as Persian Gulf ports, with password-spray attacks.
Microsoft points out that the adoption of ransomware has supported the Iranian groups’ efforts to spy, disrupt and destroy, and to support physical operations. Their arsenal includes ransomware, disk wipers, mobile malware, phishing, password-spray attacks, mass exploitation of known vulnerabilities, and supply chain attacks.
Possibly in retaliation, a massive cyber attack in Iran late last month crippled gas stations across the country, disrupting fuel sales and defacing electronic billboards with messages mocking the regime’s ability to distribute gasoline.
Social media posts and videos showed messages saying “Khamenei! Where is our gas?”, a reference to the country’s supreme leader, Ayatollah Ali Khamenei. Other signs read “Free gasoline at Jamaran gas station”, and gas pumps displayed the words “cyberattack 64411” when customers attempted to buy fuel, the semi-official Iranian Students’ News Agency (ISNA) reported.
Although the cyber attack is suspected to have been state-sponsored, Iranian investigators said it was too early to determine which country carried out the intrusion.
Although no country or group has so far claimed responsibility for the incident, the attacks mark the second time that digital billboards have been changed to display similar messages.
In July 2021, Iranian railways and the systems of the Ministry of Roads and Urban Development came under targeted cyber attacks that posted alerts about train delays and cancellations and urged passengers to call the phone number 64411 for more information. It should be noted that this number is reported to belong to the office of Ali Khamenei, which handles questions about Islamic law.
Cybersecurity firm Check Point later attributed the train attack to a regime-opposed threat actor that calls itself “Indra”, after the Hindu god of lightning, thunder and war, and that is said to have links to hacktivists and other cybercriminal groups. Check Point also linked the malware to earlier attacks on Syrian oil companies in early 2020.
While most cyber attacks on critical infrastructure are believed to be the work of other nation states, the truth is that there is no magic shield that prevents a non-state sponsored entity from creating the same kind of havoc and damage to critical infrastructure in order to make a statement. In fact, in my opinion, nation states would tend to keep their cybersecurity breaches secret and use them in the event of actual war or as a bargaining chip in state level negotiations. And so, in cyberspace, these subtle and sometimes not-so-subtle conflicts perhaps continue to mirror the real world in many ways, but with global reach, sophisticated tools, and advanced technologies.
As the ancient Chinese general, strategist and philosopher Sun Tzu succinctly put it: “In combat, there are no more than two methods of attack, the direct and the indirect; yet these two in combination give rise to an endless series of maneuvers.” As always, God bless you and stay safe in the digital and physical worlds.
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The opinions expressed in this article are his own and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted at [email protected]