Showing posts with label cyber crime. Show all posts

Monday, September 1, 2025

China's Salt Typhoon Cyberspies Continue Their Years-long Hacking Campaign

 

Be highly alert to China-based APT threat actors such as Salt Typhoon (and to the others too).

If you use the following products then DO patch them immediately:

Ivanti Connect Secure and Ivanti Policy Secure: CVE-2024-21887 & CVE-2023-46805.

Palo Alto Networks PAN-OS GlobalProtect: CVE-2024-3400

Cisco Internetworking Operating System (IOS) XE: CVE-2023-20273 & CVE-2023-20198

Cisco IOS and IOS XE: CVE-2023-20198 & CVE-2018-0171


https://bit.ly/4n3jIZA


"...Brett Leatherman (FBI Assistant Director) told media outlets that Salt Typhoon targeted more than 600 organizations across 80 countries."


"The international coalition also called out three China-based entities affiliated with Salt Typhoon – Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology – that it accused of providing cyber products and services to China's Ministry of State Security and People's Liberation Army."


"In addition to the four US agencies (FBI, CISA, National Security Agency, and Department of Defense Cyber Crime Center), the UK's National Cyber Security Centre plus government agencies in Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain also co-issued the security alert."


"'In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,' he said. 'Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.'"




Wednesday, July 10, 2024

Europol's Cobalt Strike Crackdown


International joint operations are strongly needed against the bad guys.

Europol announced that a week-long operation at the end of June dropped nearly 600 IP addresses that supported illegal copies of Cobalt Strike.


Cobalt Strike is a commercial penetration testing tool for red team operations. It features a command-and-control framework and the Beacon post-exploitation payload, and it supports attack vectors such as spear-phishing. It emulates advanced threats to test and enhance cybersecurity defenses.


https://bit.ly/3XWM66f


"Europol said the disruptive action, dubbed Operation Morpheus, is the culmination of work that began three years ago. It was carried out with partners in the private sector between June 24 and 28."


"A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."


"This investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol coordinated the international activity and liaised with the private partners."


"Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors, such as Russian and Chinese [groups], to facilitate intrusions in cyber espionage campaigns."


"According to its telemetry, China hosts 43.85 percent of Cobalt Strike resources. To put that in context, the next biggest distributor is the US with a 19.08 percent share."


"Since Fortra bought Cobalt Strike in 2020, it has made strides in ensuring criminals don't get access to legitimate versions of its tools. For example, it soon started vetting all applicants vigorously before giving licenses out, but cracked versions in hard-to-reach places like China may prove difficult to eradicate for good."

Thursday, February 1, 2024

The Developer of Trickbot Malware Is Sentenced to 5 Years


Another cyber criminal is arrested for having infected some hospitals in the USA.

The individual, extradited from South Korea in 2021, was sentenced to five years in prison for developing the Trickbot malware.


The Trickbot malware caused tens of millions of dollars in losses in the USA.


https://bit.ly/3ukR1Sj


"A former Trickbot developer has been sent down for five years and four months for his role in infecting American hospitals and businesses with ransomware and other malware, costing victims tens of millions of dollars in losses."


"Dunaev also confessed to writing code used to steal secrets from infected computers. Between October 2018 and February 2021 alone, the crew defrauded victims out of more than $3.4 million, the court documents claim.


According to the UK National Crime Agency, the gang has extorted at least $180 million (£145 million) from people and organizations worldwide."

Monday, January 8, 2024

Justice over IP (JoIP)?


If you use Justice over IP (JoIP), then you have to be much more careful. Judicial systems have not been a primary target for most hackers most of the time, but this does not mean that they are not vulnerable or that they will never be hacked. If you are in the IP world, then you need to take measures against the bad guys. Otherwise you or your company might end up on the front pages of the internet media the next day.

As the well-known saying goes, "Justice delayed, justice denied," a new version of this saying may emerge if judicial systems are not adequately protected: "Justice hacked, case files exposed."


Well, this concern became a reality in Australia towards the end of 2023 when the court system of Victoria (CSV), Australia, fell victim to a suspected ransomware attack in which audiovisual recordings of court hearings may have been accessed. "From legal proceedings to potential YouTube fodder."


https://bit.ly/3tQy5KL


"The court system of Victoria, Australia, was subject to a suspected ransomware attack in which audiovisual recordings of court hearings may have been accessed."


"The incident began on December 8 and attackers may have accessed hearings between November 1 and December 21, with a small number of recordings generated before this range also potentially compromised."


"Concerns exist over the potential leaking of information from particularly sensitive cases heard during the last two months of 2023."


"Speaking to ABC News, security expert Robert Potter said the attack is likely the work of the Russia-based Qilin ransomware group."


"If the incident is playing out as Potter says, it means the court recordings may be leaked online if CSV refuses to meet the attacker's demands."


"Like many countries, Australia officially advises against organizations paying ransoms. The country is also part of the International Counter Ransomware Initiative (CRI), which is working toward a joint pledge to refuse ransom payments at the government level."

Tuesday, January 2, 2024

FBI vs. BlackCat

Ransomware attacks keep increasing. What local or international authorities can do against these attacks is quite limited. The authorities mostly intervene after a ransomware attack has occurred, and by then it is usually too late for the organization that got hit by the ransomware gang.

So be aware that it is YOU who can prevent ransomware attacks, and it must be YOU who takes action against the ransomware gangs. DO take action before you get hit. Allocate enough budget for cyber security before it's too late.


Well, it seems that the cat-and-mouse game between local or international authorities and ransomware gangs won't come to an end in the near future. (Guess who is the cat and who is the mouse in this game.)


Close to the end of last year (2023), the FBI seized the website of a ransomware gang known as BlackCat or AlphV and obtained some decryptor keys. The cat seems to have nine lives, though: the gang partly denied this and claimed that they are still -almost- fully operational.


https://bit.ly/48Fq0av


"The FBI created a decryption tool for the ransomware used by the gang known as BlackCat and/or AlphV, as part of a wider disruption campaign against the extortionists.


The existence of the decryptor was revealed in a Tuesday announcement by the United States Department of Justice that reports the FBI has offered the tool to over 500 orgs and believes $68 million of ransom payments were avoided as a result."


"...The Feds said they were able to access 946 public-private key pairs for Tor-hidden sites the BlackCat gang used to communicate with victims and host its blog,..."


"In other words, it sounds as though the Feds were not only able to seize and shut down the ransomware-as-a-service crew's dark-web presence, agents also obtained enough internal info to provide decryption assistance to victims..."


"The FBI operation was carried out in partnership with the plod in the UK and Australia, and Europol. Their probe into AlphV is ongoing and authorities have advised a reward may be offered to those who offer further information about the crew."


"The gang, believed to be Russian, today boasted it had "unseized" its main dark-web site by pointing it at a web server the miscreants control, rather than an FBI one. The crew used its restored blog to name new alleged victims of its ransomware."


"The FBI's claim of offering a decryptor to more than 500 victims has also been watered down by the group. According to the criminals, the number sits more at the 400 mark while still leaving 3,000 without a decryptor key."


Sunday, November 13, 2022

Australia's Medibank Ransomware Attack

 

Australian health insurer Medibank suffered a ransomware attack in which the names, dates of birth, addresses, phone numbers and email addresses of 9.7 million customers were -allegedly- leaked. (A huge amount of data.)


In this ransomware attack, the victim's files were not encrypted; instead, the gang threatened to expose them. The ransomware gang began to publish some of the information on the internet to make it more convincing that they really have the data.


Medibank refused to pay the ransom in order not to encourage such attacks. (A brave but risky decision, which I think is the correct one.)


It is believed that the attack was carried out by the ransomware gangs REvil or BlogXXX.


And yeah... Once more it is clear that cyber security is not a game, nor an abstract concept. On the contrary, cyber threats are real and can have serious effects on our real lives.


https://www.theregister.com/2022/11/07/medibank_breach_n0_ransom_payment/


"Australian health insurer Medibank – which spent October discovering a security incident was worse than it first thought – has announced it will not pay a ransom to attackers that made off with personal info describing nearly ten million customers."


"Medibank also confirmed that primary identity documents, such as drivers licenses, were not accessed for most of its clients – but around 1.8 million international customers weren't so lucky and also had details of the visas that permit them to reside in Australia exposed. The Australian national health scheme (Medicare) ID numbers of 2.8 million customers were also leaked."