Cybercrime Archives | CyberScoop https://cyberscoop.com/news/threats/cybercrime/ Tue, 27 Jun 2023 19:07:25 +0000

Two major energy corporations added to growing MOVEit victim list https://cyberscoop.com/schnieder-electric-siemens-energy-moveit-cl0p/ Tue, 27 Jun 2023 19:07:24 +0000 https://cyberscoop.com/?p=75101 Leading global energy companies Schneider Electric and Siemens Energy are the latest victims in the MOVEit vulnerability.

The post Two major energy corporations added to growing MOVEit victim list appeared first on CyberScoop.

Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities.

CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims.

Since early June, the hacking campaign has added more than 100 victims after CL0P began to take advantage of a vulnerability in MOVEit, a widely used file transfer tool from Progress Software. Multiple federal agencies, including two Department of Energy entities, have been affected by the vulnerability, federal authorities have said. Additional reporting has indicated that the Department of Agriculture may have had a “possible breach” and the Office of Personnel Management is also affected.

Both Siemens Energy and Schneider Electric are among the largest vendors in industrial control systems, though there is little indication of what information the hackers may have pilfered. Cybersecurity and Infrastructure Security Agency Director Jen Easterly has previously said that the MOVEit campaign appears to be largely opportunistic and the stolen files may be limited to what was in the software at the time the bug was exploited.

“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” Easterly said on June 15.

“Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis, no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident,” a Siemens spokesperson said in an email.

A Schneider spokesperson said that the company became aware of the vulnerability on May 30 and “promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely.”

“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well,” the spokesperson said in an email.

Since the Russian-speaking CL0P began publicizing its victims, state and local governments appear to have been heavily affected by the campaign, as at least seven have been hit, including the nation’s largest public-employee pension fund, the California Public Employees’ Retirement System. Over the weekend, around 45,000 New York City public school students had their personal data stolen, including information like Social Security numbers, StateScoop reported.

The State Department has offered a $10 million reward for information leading to the actors linked to the CL0P ransomware gang.

DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking https://cyberscoop.com/doj-establishes-cybercrime-enforcement-unit-natseccyber/ Tue, 20 Jun 2023 20:50:57 +0000 https://cyberscoop.com/?p=74921 Assistant Attorney General for National Security Matt Olsen said the center will speed up disruption campaigns and prosecutions.

The post DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking appeared first on CyberScoop.

The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.

The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.

The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said.

The NatSec Cyber center arrives at a time of growing concern about nation-state cyberattacks, especially those originating from Russia and China. Last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, warned Americans to be prepared for a major Chinese cyberattack. “This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” she said at an event in Washington.

However, the section has been many months in the making. It comes out of Deputy Attorney General Lisa Monaco’s July 2022 Comprehensive Cyber Review meant to review the agency’s approach to cyber-related matters and develop “actionable recommendations to enhance and expand the Department’s efforts.” It also tracks with a main theme of President Biden’s cybersecurity strategy, which calls for cross-agency collaboration to fight cybercrime.

The DOJ has taken a more proactive and aggressive approach to cyber-related prosecutions over the past two years, even when the agency’s actions preclude traditional prosecutions and convictions. Monaco described the shift in strategy in April on stage at the RSA Conference in San Francisco, saying that there is now “a bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing,” with the goal “to take that action to prevent that next victim.”

The first major example of the policy shift was the April 2021 FBI action to proactively disable web shells related to Chinese-aligned efforts to exploit vulnerable Microsoft Exchange Servers, Monaco said. Another example of the proactive nature of DOJ actions was the April 2022 FBI operation that hobbled a Russian military intelligence-directed botnet that the FBI and DOJ determined could have enabled follow-on malicious activity.

The new unit within the DOJ will “give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena,” Olsen said. “NatSec Cyber prosecutors will be positioned to act quickly, as soon as the FBI or an IC partner identifies a cyber-enabled threat and to support investigations and disruptions from the earliest stages.”

Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks https://cyberscoop.com/lockbit-russian-national-arrested/ Thu, 15 Jun 2023 18:41:41 +0000 https://cyberscoop.com/?p=74855 The group is one of the most prolific ransomware gangs, responsible for an estimated $91 million paid by U.S. victims.

The post Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks appeared first on CyberScoop.

Federal law enforcement officials arrested a Russian national in Arizona on charges related to his participation in multiple LockBit ransomware attacks against victims in the U.S., Asia, Europe and Africa, the Department of Justice said Thursday.

Ruslan Magomedovich Astamirov, 20, was taken into custody on Wednesday, a spokesperson for U.S. Attorney Philip Sellinger, from the District of New Jersey, told CyberScoop after the DOJ unsealed a criminal complaint in the case.

LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site, U.S. cybersecurity officials said in a June 14 advisory. Known LockBit attacks accounted for 16% of state, local, tribal and tribunal government ransomware attacks reported in the U.S. in 2022, as well as roughly 20% of known government ransomware attacks in Australia, Canada and New Zealand, the advisory said. Since January 2020, the group has been associated with approximately $91 million in ransoms paid in the U.S., the advisory said.

Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities. Matveev, a Russian national, remains at large.

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” U.S. Attorney Sellinger said in a statement. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

The announcement comes a day after the joint advisory from top cybersecurity officials in the U.S. and their counterparts in multiple countries detailing the threat from LockBit, which the advisory said was the most deployed ransomware variant in 2022. The variant is associated with more than 1,400 attacks in the U.S. and around the world, according to the Department of Justice.

According to the complaint filed by prosecutors, Astamirov owned and controlled email addresses, an IP address and a cloud services account associated with the deployment of LockBit attacks. Astamirov “executed” attacks on victims in Florida, Tokyo, Virginia, France and Kenya dating back to August 2020, according to the complaint. Astamirov received at least 80 percent of the ransom payment made in Bitcoin in one of the attacks, the complaint alleges.

FBI agents interviewed Astamirov in May and searched several devices, including his phone and a laptop computer, according to the complaint.

Researchers unpack massive email scam targeting dozens of companies https://cyberscoop.com/bec-scam-business-email-compromis/ Tue, 13 Jun 2023 11:00:00 +0000 https://cyberscoop.com/?p=74740 The campaign is the latest case of business email compromise, which costs victims billions of dollars annually.

The post Researchers unpack massive email scam targeting dozens of companies appeared first on CyberScoop.

When researchers at the cybersecurity firm Sygnia responded earlier this year to a compromised email account at an unnamed company, they stumbled upon a sprawling campaign of business email compromise involving dozens of organizations whose infrastructure the attackers utilized in going after additional victims.

The hackers would compromise an email account of an employee for a given company, bypass Microsoft Office 365 authentication, and gain persistent access to the account. Then, they would use that account to go after other targets.

“The phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees,” researchers with the Israeli cybersecurity firm said in a report published Tuesday. “All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link.”

Sygnia’s investigation revealed that the attack was part of a broad campaign that potentially impacted dozens of organizations — the company would not say exactly how many — around the world in a sprawling campaign of business email compromise, or BEC.

The report comes on the heels of a recent FBI public service announcement estimating that BEC compromises were linked to more than $50 billion in actual and attempted losses across more than 275,000 attacks between 2013 and 2022. The FBI reported that between December 2021 and December 2022 there was a 17% increase in identified actual and attempted losses worldwide, with a particular focus on the real estate sector.

“In the past few years, Sygnia’s IR teams have engaged in numerous incidents in which world-wide organizations were targeted by BEC attacks,” Sygnia’s researchers wrote in their report. “While some of these attacks were focal and concentrated, some were widely spread and affected massive number of cross-sectors victims.”

In the campaign detailed on Thursday, targets were sent an email with a link to a “shared document,” leading to a file sharing website with a previously compromised legitimate company name in the URL. Trying to view the document brought up a page showing that the contents were protected by Cloudflare, a tactic likely designed to prevent proactive analysis of the site showing where it would lead, the researchers said.

Getting through the Cloudflare wall led to a fraudulent Microsoft authentication site generated by a phishing kit, which was being hosted on a domain with varying IP addresses over time, with the most recent dating to January 2023. Records associated with the domain itself had been updated on June 2, suggesting an ongoing campaign.

In all, the investigation revealed more than 170 domains and subdomains connected to the attacker’s infrastructure, with further analysis revealing nearly 100 malicious files communicating back to the infrastructure, some of which were related to the FormBook infostealer malware family, the researchers said.

DOJ charges two Russian nationals with historic Mt. Gox hack https://cyberscoop.com/doj-russian-nationals-mt-gox/ Fri, 09 Jun 2023 16:37:26 +0000 https://cyberscoop.com/?p=74711 Alexey Bilyuchenko is also alleged to have conspired with a Russian man seeking to be included in a swap for an imprisoned U.S. journalist.

The post DOJ charges two Russian nationals with historic Mt. Gox hack appeared first on CyberScoop.

The Justice Department unsealed charges Friday naming two Russian nationals as conspirators in laundering approximately 647,000 in bitcoin stolen more than a decade ago in a hack of the now-defunct cryptocurrency exchange Mt. Gox.

Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, allegedly gained unauthorized access in 2011 to a server holding wallets belonging to the exchange and continued to launder funds through 2017. At the time, Mt. Gox was the largest cryptocurrency exchange in existence, handling a majority of bitcoin transactions globally.

The theft — valued at some $450 million — was the biggest ever suffered by the cryptocurrency industry at that point and led to Mt. Gox’s bankruptcy in 2014.

“Alexey Bilyuchenko and Aleksandr Verner thought they could outsmart the law by using sophisticated hacks to steal and launder massive amounts of cryptocurrency, a novel technology at the time, but the charges unsealed demonstrate our ability to tenaciously pursue these alleged criminals, no matter how complex their schemes, until they are brought to justice,” Damian Williams, the U.S. attorney for the Southern District of New York, said in a statement.

As part of the money laundering scheme, prosecutors allege that Bilyuchenko and Verner entered into a fraudulent contract with a bitcoin brokerage service in the Southern District of New York to liquidate and transfer more than $6.6 million to overseas bank accounts.

Prosecutors allege that Bilyuchenko used proceeds from Mt. Gox to conspire with Russian national Alexander Vinnik to operate BTC-e, one of the world’s largest cryptocurrency exchanges and a key money laundering hub for cybercriminals. Vinnik was arrested in Greece in 2017 on a 21-count indictment related to BTC-e, which allegedly helped launder more than $4 billion in criminal proceeds.

Between 2011 and 2017, BTC-e served more than one million users worldwide and received criminal proceeds of “numerous computer intrusions and hacking incidents, ransomware events, identity theft schemes, corrupt public officials, and narcotics distribution rings,” according to the U.S. Justice Department.

Vinnik was extradited to the United States in August and has recently lobbied to be a part of a prisoner swap between Russia and the United States that might include the imprisoned U.S. journalist Evan Gershkovich.

On Friday, the Northern District of California also charged Bilyuchenko with money laundering conspiracy and operating an unlicensed money services business that prosecutors allege was used to enable criminal activity, including ransomware attacks and malicious hacking.

“Bilyuchenko and his co-conspirators will learn that the Department of Justice has long arms and an even longer memory for crimes that harm our communities,” Ismail J. Ramsey, the U.S. attorney for the Northern District of California said in a statement.

Brazilian hackers target Portuguese financial institutions https://cyberscoop.com/brazilian-hackers-portuguese-banks/ Thu, 25 May 2023 11:00:00 +0000 https://cyberscoop.com/?p=74287 The sophisticated hacking effort is the latest in a long line of financially motivated malware campaigns emanating from Brazil.

The post Brazilian hackers target Portuguese financial institutions appeared first on CyberScoop.

A Brazilian hacking crew targeted users of more than 30 Portuguese financial institutions earlier this year in a campaign that provides the latest example of potent, financially motivated hackers in Brazil hitting targets outside the country’s borders, according to a report released Thursday by SentinelLabs.

The ongoing campaign — dubbed Operation Magalenha — initially relied on cloud service providers like DigitalOcean and Dropbox, but as these firms have tightened rules on how their services are used, the operation has pivoted to the Russia-based web hosting provider TimeWeb, researchers Aleksandar Milenkoski and Tom Hegel said in a report released Thursday. The operation began at the start of this year, but the bulk of the attacks took place last month.

The Brazilian malware ecosystem has a rich history, first catching the attention of the information security industry nearly a decade ago as increasingly sophisticated hacking groups based in Brazil carried out operations together with malware developers based abroad, including in Eastern Europe and Russia. Brazil continues to be the epicenter of potent financially-focused malware, such as a grouping of four banking trojans dubbed the “Tetrade” by Kaspersky researchers in 2020.

Operation Magalenha illustrates the persistent nature of the Brazilian cybercriminal underground and the evolving threat posed by its threat actors. These groups demonstrate “a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns,” Milenkoski and Hegel write in their report.

Operation Magalenha represents the latest iteration of a broader group of financially motivated hacking efforts that began in 2021, the researchers said.

Its latest iteration relies on a pair of backdoors deployed simultaneously to give the attacker control over infected machines. Dubbed “PeepingTitle,” the backdoors allow the attacker to monitor window interaction, take unauthorized screenshots, terminate processes and deploy additional malware, such as data exfiltration tools.

“Their capacity to orchestrate attacks in Portuguese and Spanish-speaking countries in Europe, Central, and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns,” the researchers conclude.

FIN7 returns with new ransomware attacks https://cyberscoop.com/fin7-ransomware-attacks/ Fri, 19 May 2023 20:26:35 +0000 https://cyberscoop.com/?p=74206 The notorious ransomware gang ends a two-year hiatus by carrying out opportunistic ransomware attacks.

The post FIN7 returns with new ransomware attacks appeared first on CyberScoop.

A notorious financially motivated cybercrime group known for targeting the U.S. retail, restaurant and hospitality sectors emerged from a two-year hiatus to carry out opportunistic ransomware attacks last month, researchers with Microsoft said late Thursday.

The group — tracked widely as FIN7 but by Microsoft as Sangria Tempest (formerly ELBRUS) — had not been linked to a ransomware campaign since late 2021, Microsoft’s Threat Intelligence Center said in a series of Thursday-night tweets. But in recent attacks the group deployed the Cl0p ransomware variant against multiple unnamed targets, following on the group’s track record of using multiple ransomware strains in its attacks.

FIN7 has in the past deployed the REvil, Maze, DarkSide and BlackMatter ransomware variants against targets, Mandiant reported in April 2022, as part of its transition away from breaking into corporate systems and payment networks and toward a greater focus on ransomware operations.

FIN7 has a long history in the cybercrime world. According to the FBI, the group’s operations date to at least 2015, and FIN7 has targeted some 100 U.S. companies with attacks designed to steal payment credentials and other data that can be used or sold for profit. The group is believed to have developed the ransomware strain that was used to attack Colonial Pipeline in 2021, an incident that resulted in fuel deliveries being disrupted along the Eastern Seaboard and drew attention to the widespread problem of ransomware attacks.

In April 2022, a federal judge in Seattle sentenced the Ukrainian national Denys Iarmak to five years in prison for his connections to FIN7 activity between November 2016 and November 2018.

The group has been linked to a pair of fake companies used to recruit potential employees. One, called Bastion Secure — which used the logo BS — recruited programmers, system administrators and bug finders, the Wall Street Journal reported in October 2021. FIN7 previously established a different fake company, Combi Security, for similar purposes, the U.S. Department of Justice said in August 2018.

A different kind of ransomware demand: Donate to charity to get your data back https://cyberscoop.com/ransomware-charity-malaslocker/ Thu, 18 May 2023 17:11:57 +0000 https://cyberscoop.com/?p=74183 The group claims nearly 180 targets despite being relatively new and casts its attacks as a form of activism.

The post A different kind of ransomware demand: Donate to charity to get your data back appeared first on CyberScoop.

A new and increasingly active ransomware group that’s attacked nearly 200 organizations in less than two months has a different spin on its extortion efforts: Don’t pay us, pay a charity.

So far, this unnamed group that is at least publicly claiming to be driven by anti-capitalist sentiment and its own brand of cyber benevolence is largely targeting users of Zimbra, an online workplace collaboration tool.

“Unlike traditional ransomware groups, we’re not asking you to send us money,” read the text of one ransom note posted April 2 on an online forum for Zimbra users. “We just dislike corporations and economic inequality. We simply ask that you make a donation to a non-profit that we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.”

The group is using ransomware dubbed MalasLocker by Bleeping Computer, the tech news site that also hosts forums where users began reporting in April that Zimbra had suffered a series of compromises. Separately, users of a dedicated Zimbra forum began complaining about ransomware issues beginning in late March, Bleeping Computer reported.

The ransomware outfit’s dark web website lists three companies as victims, alongside a list of 170 other entities listed as “Defaulters.” The group’s tactics came to light Wednesday after Distributed Denial of Secrets, a transparency advocacy and journalism website that hosts hacked data, wrote about the group’s hack of the Harita Group, an Indonesian mining and natural resource extraction conglomerate.

A representative for Synacor, the company that owns Zimbra, could not be reached for comment. Emails for the group posted by forum users were nonfunctional Thursday.

The ransomware group wrote that it won’t target companies based in Africa, Latin America “and other colonized countries, with the exception of a few big ones of foreign investors or shitty industries.” The group will target small companies in the U.S., Russia and Europe “excluding Ukraine as they’re dealing with enough shit at the moment.”

“We don’t think they are all bad, just that their relative prosperity is built on theft and we will steal back what we can,” the group wrote. “Anyways we don’t care, we have as much sympathy for them as they have for us. They can pay and get their files decrypted, or not and get them leaked.”

Entities targeted by the group can either provide proof they donated to a charity or give the money to the group, who will then donate it to charity, the group said.

“Ransomware is an excellent tool for hacktivists for the same reasons it’s an excellent tool for for-profit extortionists: entry barriers are low and it has the potential to cause massive disruption,” Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told CyberScoop in an online message Thursday.

The group has a long, emoji-filled message on the front page of its website under the heading “Somos malas… podemos ser peores” (We are bad … we can be worse), a message used as part of feminist protests in various places around the world. The message on the group’s site references rich-on-poor class warfare and describes hacking as a means of fighting back.

“They break and rewrite the law as they please. Laws that only serve to legitimize and perpetuate a system of death. Literally – mass extinctions in exchange for short-term profits for a few. In their senseless quest for money and power, they concede nothing – except when we have the power to force them to. That’s the power of a riot, the power of a union, the power of general strikes, of collective action, of sabotage, of fire, and of hacks.”

The message includes a series of questions the group poses to itself and answers, including whether their efforts are effective, whether they’re going to give money to charity and why they’re going through all the effort of messaging in this way when ransomware victims routinely pay profit-motivated ransomware groups.

“It will make some companies unwilling to pay us, but we aren’t writing it for them,” the group wrote. “We are writing it for other kids in Africa, Latin America, Palestine, and the world over: ransomware should not be the business of a few russian (sic) groups as now, it is a tool for all of us, to uplift our communities through robbing the countries that have pillaged ours.”

The group’s hack of the Harita Group, for instance, which DDoSecrets reported as totaling 510 gigabytes, included a message saying the Harita Group will do anything “that’ll make them a profit through destroying their countries’ environment,” and references its connections to Swiss-based conglomerate Glencore, which has been tied to widespread bribery and corruption in Africa, according to the U.K.’s Serious Fraud Office, and fuel price manipulation in the U.S., according to the Department of Justice.

While the group appears to be focusing on smaller organizations now, it clearly has bigger targets in mind.

“We’re just getting started and unfortunately the companies easily vulnerable to public exploits tend to be smaller companies and not the major multinationals,” the group wrote on its website. “We’re learning and developing our abilities as fast as we can to be able to go after more deserving targets.”

Russian national charged over ransomware attacks, including against D.C. police https://statescoop.com/russian-charged-ransomware-attacks-dc-police/ Tue, 16 May 2023 18:48:57 +0000 https://cyberscoop.com/?p=74109 The post Russian national charged over ransomware attacks, including against D.C. police appeared first on CyberScoop.

Justice and Commerce Department ‘strike force’ target theft of quantum, autonomous technologies https://cyberscoop.com/justice-commerce-strike-force-quantum-russia-china/ Tue, 16 May 2023 16:15:56 +0000 https://cyberscoop.com/?p=74065 A series of criminal cases took aim at individuals seeking to help China, Russia and Iran gain access to sensitive U.S. tech.

The post Justice and Commerce Department ‘strike force’ target theft of quantum, autonomous technologies appeared first on CyberScoop.

The newly formed Justice and Commerce Department’s joint Disruptive Technology Strike Force on Tuesday announced five coordinated enforcement actions taking aim at individuals seeking to help China, Russia and Iran gain access to sensitive U.S. technologies.

Two of the cases brought charges against procurement networks that U.S. law enforcement officials say were designed to help Russia violate American export control laws to obtain technology vitally important to national security such as quantum cryptography.

The charges come three months after the Commerce Department and DOJ launched the Disruptive Technology Strike Force in February with the goal of targeting illicit actors and protecting critical technologies from being used by nation-state adversaries. The Strike Force also involves 14 U.S. Attorneys’ Offices, the FBI, and Homeland Security Investigations and provides data and intelligence sharing to help members build cases.

“We are not going to stop every transfer of every sensitive technology…we’re not going to get to zero,” said Matthew G. Olsen, assistant attorney general of the Justice Department’s National Security Division. “But I think you’re seeing where the efforts of not only the United States but our allies and partners around the world to prevent the transfer of technology to Russia supportive of its war effort is having a significant and detrimental effect on the Russian economy and in particular on its military readiness.”

Among those charged in the series of cases announced Tuesday is Nikolaos Bogonikolos, a Greek national allegedly recruited by Russia in 2017 to acquire sensitive materials. He was charged by the Eastern District of New York with smuggling technologies to Russia. According to the Justice Department, Bogonikolos told sellers that he was purchasing the technology for the Aratos Group, his group of several companies located in the Netherlands and Greece. Instead, U.S. officials charge, he shipped the technology to Russia where it was shared with nuclear and quantum research facilities as well as Russian intelligence agencies.

According to an indictment, Bogonikolos helped acquire items specifically “to develop prototype quantum cryptographic complex information security equipment” and “protected communications networks [to solve] civil and military tasks in the conditions of warfare.” He was arrested in France last week and the U.S. is seeking to extradite him.

In a separate case, two Russian nationals were charged in Arizona with conspiring to violate the Export Control Reform Act to send parts to Russian airlines and to commit money laundering.

The Justice Department also announced charges against Weibao Wang, a former Apple software engineer who is facing six counts of theft or attempted theft of Apple’s autonomy source code, including plans for autonomous driving technology. Wang was just part of an estimated 2% of the company that had access to the databases involved. Wang was able to flee the country before being taken in by law enforcement, according to the DOJ.

Officials said that they expect the strike force to bring more cases in the coming months, noting that the theft of sensitive U.S. technology by adversaries was described as a top threat in the Director of National Intelligence’s annual threat assessment.

“I think we’re really doing what we can to make sure that these cases get the priority they need and deserve because,” said Matthew Axelrod, assistant secretary for export enforcement at the U.S. Commerce Department. “We want these right at the top of their pile and I think by the actions today we’re showing that they are.”
