Saturday, June 29, 2019

in service of the Chinese government, or Iran

6-25-19     On Monday night researchers at Boston-based cybersecurity firm Cybereason revealed the results of tracking a years-long cyber-espionage campaign they've called Operation Soft Cell, which they say targeted the networks of at least 10 cellular providers around the world.  And while researchers' visibility into that hacking campaign is incomplete, they say it appears to be a prolific but highly targeted espionage campaign likely based in China.  In one of the 10 breaches that affected a Cybereason customer the researchers say they found that the hackers had gained deep access to the victim's network and stolen gigabytes of metadata related to 20 specific individuals' phone usage and location.
  Cybereason says that the company found no evidence that the hackers stole the actual content of communications from victims, but the firm's principal security researcher, Amit Serper, argues that the metadata alone—device and SIM identifiers, call records, and which cell tower a phone connected to at any given time—can provide a frighteningly high-resolution picture of a target's life. …
  When the researchers reconstructed the timeline of that attack they found that the spies had exploited a vulnerable web service to gain an initial foothold on the victim company's network and then used a customized version of the common tool Mimikatz to pull usernames and passwords out of target machines' memory, using those credentials and repeating the process to spread from one machine to another until they obtained domain administrator access, giving them full control of the company's network.  "At that point, they became the shadow IT department," Serper says.
  Eventually the hackers even installed their own VPN system on the network so that they could enter at will over an encrypted connection.  Cybereason says that the spies ultimately accessed a "call detail record" or CDR database, encrypting and stealing data related to 20 specific individuals they had chosen to track….
  Cybereason believes the hackers behind the cellular provider incident are likely working in service of the Chinese government.  In the process of their espionage campaign the intruders used a set of tools that Cybereason and others associate with Chinese state spies, including a web-shell called China Chopper, the Poison Ivy remote-access trojan, and the scanning tool nbtscan.  Despite the hackers' broad targeting, they didn't seem to target any victims in mainland China.  And the apparent focus on infrastructure-targeted spying also fits with the tactics of Chinese hackers, who have compromised everything from cloud service providers to software supply chains for the purpose of stealthy espionage.
Stealing metadata, Serper says, is hardly an unprecedented trick for intelligence agencies.  But he says that 10 cellular providers targeted in the same operation is more rare.  "We know how intelligence services operate, and it’s not something we haven’t seen before," Serper says.  "But we haven’t seen this scale."
  Analysts at security firms Crowdstrike and FireEye say they couldn't confirm Cybereason's findings, but the two firms noted that they have in fact seen broad targeting of cellular providers including by Russian and Iranian state-sponsored hackers, both for tracking individuals and for bypassing two-factor authentication, intercepting the SMS messages sent to phones as a one-time passcode.  "I wouldn’t be surprised to learn that a Chinese actor has targeted 10 telecom providers," says John Hultquist, who leads threat intelligence at FireEye.  "They're moving toward the backbone, hitting providers with access to a lot of data instead of going after targets in onesies and twosies.  They gain a higher level of access and limit their exposure."    https://www.wired.com/story/chinese-hackers-carrier-metadata/
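The Soft Cell account above ends with the intruders pulling call-detail records for a small set of chosen subscribers. A practitioner reading it will want a check for that pattern on the CDR database itself: an account that reads an unusually deep history for very few subscribers. The following is an added example, not code from Cybereason or from the article; the audit-log format (`timestamp account=… imsi=… rows=…`), the account names, the IMSIs and the thresholds are all constructed for illustration.

```python
"""Flag narrowly targeted bulk reads of a CDR database from query audit logs.

Added illustration of the detection idea; the log format, accounts, IMSIs and
thresholds are constructed, not taken from any real provider or from the
Cybereason report.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log: one line per CDR query.
# billing_ops: normal shallow lookups across many subscribers.
# fraud_team:  deep but daytime pulls on two subscribers (legitimate case work).
# svc_backup:  repeated very deep pulls on the same two IMSIs at night.
SAMPLE_LOG = """\
2019-06-24T09:12:01 account=billing_ops imsi=310260000000001 rows=120
2019-06-24T09:15:44 account=billing_ops imsi=310260000000002 rows=98
2019-06-24T10:02:13 account=billing_ops imsi=310260000000003 rows=75
2019-06-24T13:40:09 account=fraud_team imsi=310260000000010 rows=6000
2019-06-24T14:05:30 account=fraud_team imsi=310260000000011 rows=4000
2019-06-25T02:11:52 account=svc_backup imsi=310260000000020 rows=40000
2019-06-25T02:19:07 account=svc_backup imsi=310260000000021 rows=38000
2019-06-25T03:02:41 account=svc_backup imsi=310260000000020 rows=41000
2019-06-25T03:15:18 account=svc_backup imsi=310260000000021 rows=39500
"""


def parse_line(line):
    """Parse one audit line into a dict with a datetime and typed fields."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key == "rows" else value
    return rec


def summarize_access(log_text, business_hours=(time(8), time(18))):
    """Aggregate per account: query count, rows read, distinct subscribers,
    and how many queries ran outside the (assumed) business-hours window."""
    acc = defaultdict(lambda: {"queries": 0, "rows": 0,
                               "subscribers": set(), "off_hours": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = acc[rec["account"]]
        s["queries"] += 1
        s["rows"] += rec["rows"]
        s["subscribers"].add(rec["imsi"])
        t = rec["ts"].time()
        if not (business_hours[0] <= t < business_hours[1]):
            s["off_hours"] += 1
    return dict(acc)


def flag_targeted_access(summary, max_subscribers=25,
                         min_rows_per_subscriber=20000):
    """Flag accounts whose reads are both narrow (few subscribers) and deep
    (many rows per subscriber). Off-hours activity is reported as context
    rather than used as a criterion, so daytime case work is not hidden
    from an analyst but also not flagged on its own."""
    flagged = {}
    for account, s in summary.items():
        n_subs = len(s["subscribers"])
        depth = s["rows"] / n_subs
        if n_subs <= max_subscribers and depth >= min_rows_per_subscriber:
            flagged[account] = {
                "subscribers": n_subs,
                "rows_per_subscriber": depth,
                "off_hours_queries": s["off_hours"],
            }
    return flagged


if __name__ == "__main__":
    for account, info in flag_targeted_access(summarize_access(SAMPLE_LOG)).items():
        print(account, info)
```

On the constructed log this flags only `svc_backup`, while `fraud_team`, which also reads just two subscribers but far fewer rows each, is left alone; the rows-per-subscriber threshold is what separates investigative lookups from a retrospective dump, and it should be tuned against each provider's own baseline.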
.........................................................
11-28-18  charged with extorting millions of dollars through them--the two addresses belonged to Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri (shown) who allegedly created the SamSam ransomware software.  The Justice Department unsealed an indictment against both men today, alleging that they collected $6 million by targeting more than 200 victims--including the cities of Atlanta, Georgia, and Newark, New Jersey.
  SamSam began infecting computers in 2015, and it’s been linked to expensive and temporarily devastating attacks on hospitals and infrastructure.  Like other ransomware, SamSam encrypted users’ machines and ordered them to funnel money — sometimes tens of thousands of dollars--to a bitcoin account.  The Treasury Department says the two accounts above processed over 7,000 transactions although not all were necessarily related to SamSam.
  In a press conference US Attorney Craig Carpenito told reporters that Savandi and Mansouri “worked hard to identify the most vulnerable targets that they could….Money is not their sole objective,” he claimed.  “They’re seeking to harm our institutions and critical infrastructure.  They’re trying to impact our way of life.”
  One of Savandi and Mansouri’s most high-profile alleged crimes was an attack on Atlanta in March 2018.  Major basic municipal functions were affected, including the ability to pay water bills or parking tickets, although Atlanta’s emergency services remained functional.  Altogether the Justice Department lists attacks in 43 US states.
.........................................................................................
Mansouri is an Iranian male with a date of birth of September 24, 1991.  He has brown hair and brown eyes and was born in Qom, Iran.  https://www.fbi.gov/wanted/cyber/samsam-subjects
............................................................................................
3-6-19   Cyberattacks linked to Iranian hackers have targeted thousands of people at more than 200 companies over the past two years, Microsoft Corp. said, part of a wave of computer intrusions from the country that researchers say has hit businesses and government entities around the globe.
  The campaign, the scope of which hadn’t previously been reported, stole corporate secrets and wiped data from computers.  It caused damages estimated at hundreds of millions of dollars in lost productivity and affected oil-and-gas companies, heavy-machinery manufacturers and international conglomerates in more than a half-dozen countries including Saudi Arabia, Germany, the U.K., India and the U.S., according to researchers at Microsoft, which deployed incident-response teams to some of the affected companies.  “These destructive attacks…are massively destabilizing events,” said John Lambert, the head of Microsoft’s Threat Intelligence Center.
  Microsoft traced the attacks to a group it calls Holmium. It is one of several linked by other researchers over the past year to hackers in Iran, a country that many security researchers say aspires to join Russia and China as one of the world’s premier cyber powers.  Some of Holmium’s hacking was done by a group that other security companies call APT33, Microsoft said.  Iran “denies any involvement in cyber crimes against any nation,” said a spokesman for Iran’s mission to the United Nations in an email.   https://www.wsj.com/articles/iranian-hackers-have-hit-hundreds-of-companies-in-past-two-years-11551906036
.........................................................
