Feds hack LockBit, LockBit springs back. Now what?

Days after it was knocked offline by a sweeping, years-in-the-making law enforcement operation, the notorious Russia-based LockBit ransomware group has returned to the dark web with a new leak site complete with a number of new victims. In a verbose, borderline-rambling statement published Saturday, the remaining LockBit administrator blamed its own negligence for last week’s […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Tech giants sign voluntary pledge to fight election-related deepfakes

Tech companies are pledging to fight election-related deepfakes as policymakers amp up pressure. Today at the Munich Security Conference, vendors including Microsoft, Meta, Google, Amazon, Adobe and IBM signed an accord signaling their intention to adopt a common framework for responding to AI-generated deepfakes intended to mislead voters. Thirteen other companies, including AI startups OpenAI, […]


FTC seeks to modify rule to combat deepfakes

Spurred by the growing threat of deepfakes, the FTC is seeking to modify an existing rule that bans the impersonation of businesses or government agencies to cover all consumers. The revised rule — depending on the final language, and the public comments that the FTC receives — might also make it unlawful for a GenAI […]


Lawmakers revise Kids Online Safety Act to address LGBTQ advocates’ concerns

The Kids Online Safety Act (KOSA) is getting closer to becoming a law, which would make social platforms significantly more responsible for protecting children who use their products. With 62 Senators backing the bill, KOSA seems poised to clear the Senate and progress to the House. KOSA creates a duty of care for social media […]


X to allow paid political ads, lifting Twitter’s earlier ban

X this week confirmed it’s lifting its ban on paid political ads — a move it committed to earlier this year, shortly after Elon Musk took over the social network previously known as Twitter. The company had originally banned such ads back in 2019 under then-CEO Jack Dorsey’s management, claiming at the time that “political […]

Mandiant says China-backed hackers exploited Barracuda zero-day to spy on governments

Security researchers at Mandiant say China-backed hackers are likely behind the mass-exploitation of a recently discovered security flaw in Barracuda Networks’ email security gear, which prompted a warning to customers to remove and replace affected devices.

Mandiant, which was called in to run Barracuda’s incident response, said the hackers exploited the flaw to compromise hundreds of organizations likely as part of an espionage campaign in support of the Chinese government.

Almost a third of the targeted organizations are government agencies, Mandiant said in a report published Thursday.

Last month, Barracuda discovered the security flaw affecting its Email Security Gateway (ESG) appliances, which sit on a company’s network and filter email traffic for malicious content. Barracuda issued patches and warned that hackers had been exploiting the flaw since October 2022. But the company later recommended customers remove and replace affected ESG appliances, regardless of patch level, suggesting the patches failed or were unable to block the hackers’ access.

In its latest guidance, Mandiant also warned customers to replace affected gear after finding evidence that the China-backed hackers gained deeper access to networks of affected organizations.

Barracuda has about 200,000 corporate customers around the world.

Mandiant is attributing the hacks to an as-yet-uncategorized threat group it calls UNC4841, which shares infrastructure and malware code with other China-backed hacking groups. Mandiant’s researchers say the threat group exploited the Barracuda ESG flaws to deploy custom malware, which maintains the hackers’ access to the devices while it exfiltrates data.

According to its report, Mandiant said it found evidence that UNC4841 “searched for email accounts belonging to individuals working for a government with political or strategic interest to [China] at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.”

Given that a large portion of the targets were government entities, the researchers said this supports their assessment that the threat group has an intelligence-gathering motivation, rather than conducting destructive data attacks.

Mandiant’s chief technology officer Charles Carmakal said the hacks targeting Barracuda customers are the “broadest cyber espionage campaign” known to be conducted by a China-backed hacking group since the mass-exploitation of Microsoft Exchange servers in 2021, which Mandiant also attributed to China.

Liu Pengyu, a spokesperson for the Chinese Embassy in Washington D.C., said the allegations that the Chinese government supports hacking are “completely distorting the truth.”

“The Chinese government’s position on cyber security is consistent and clear. We have always firmly opposed and cracked down on all forms of cyber hacking in accordance with the law,” the spokesperson said, while also accusing the U.S. government of violating international law by carrying out similar espionage activities, but without providing evidence for the claims.

Mandiant says China-backed hackers exploited Barracuda zero-day to spy on governments by Zack Whittaker originally published on TechCrunch

How the US dismantled a malware network used by Russian spies to steal government secrets

The U.S. government said it has disrupted a long-running Russian cyber espionage campaign that stole sensitive information from the U.S. and NATO governments, an operation that took the feds almost 20 years.

The Justice Department announced on Tuesday that an FBI operation successfully dismantled the “Snake” malware network used by Turla, a notorious hacking group long affiliated with Russia’s Federal Security Service (FSB). Turla was previously linked to cyberattacks targeting U.S. Central Command, NASA, and the Pentagon.

U.S. officials describe Snake as the “most sophisticated cyber espionage tool in the FSB’s arsenal”.

The DOJ and its global partners identified the Snake malware in hundreds of computer systems in at least 50 countries. Prosecutors said the Russian spies behind the Turla group used the malware to target NATO member states — and other targets of the Russian government — as far back as 2004.

In the United States, the FSB used its sprawling network of Snake-infected computers to target industries including education, small businesses and media organizations, along with critical infrastructure sectors including government facilities, financial services, manufacturing and communications. The FBI said it obtained information indicating that Turla had also used Snake malware to target the personal computer of a journalist at an unnamed U.S. news media company who had reported on the Russian government.

Prosecutors added that Snake persists on a compromised computer’s system “indefinitely,” despite efforts by the victim to neutralize the infection.

After stealing sensitive documents, Turla exfiltrated this information through a covert peer-to-peer network of Snake-compromised computers in the U.S. and other countries, the DOJ said, making the network’s presence harder to detect.

From Brooklyn to Moscow

According to the FBI’s affidavit, U.S. authorities monitored the malware’s spread for several years, along with the Turla hackers who operated Snake from FSB facilities in Moscow and the nearby city of Ryazan.

The FBI said it developed a tool called “Perseus” — the Greek hero who slew monsters — that allowed its agents to identify network traffic that the Snake malware had tried to obfuscate.

Between 2016 and 2022, FBI officials identified the IP addresses of eight compromised computers in the U.S., located in California, Georgia, Connecticut, New York, Oregon, South Carolina and Maryland. (The FBI said it also alerted local authorities to take down Snake infections on compromised machines located outside of the United States.)

With the victims’ consent, the FBI obtained remote access to some of the compromised machines and monitored each for “years at a time.” This allowed the FBI to identify other victims in the Snake network, and to develop capabilities to impersonate the Turla operators and issue commands to the Snake malware as if the FBI agents were the Russian hackers.

Then this week, after obtaining a search warrant from a federal judge in Brooklyn, New York, the FBI was given the green light to mass-command the network to shut down.

The FBI used its Perseus tool to mimic Snake’s built-in commands, which when transmitted by Perseus from an FBI computer, “will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the subject computers.”

The affidavit said the FBI used Perseus to trick the Snake malware into deleting itself on the very computers it had infected. The FBI says it believes this action has permanently disabled the Russian-controlled malware on infected machines and will neutralize the Russian government’s ability to further access the Snake malware currently installed on the compromised computers.

The feds warned that if they hadn’t taken action to dismantle the malware network when they did, the Russian hackers could have learned “how the FBI and other governments were able to disable the Snake malware and harden Snake’s defenses.”

While the FBI has disabled the Snake malware on compromised computers, the DOJ warned that the Russian hackers could still have access to compromised machines, since the operation did not search for or remove any additional malware or hacking tools that the hackers may have placed on victim networks. The feds also warned that Turla frequently deploys a “keylogger” on victims’ machines to steal account authentication credentials, such as usernames and passwords, from legitimate users.

U.S. cybersecurity agency CISA published a 48-page joint advisory to help defenders detect and remove Snake malware on their networks.

How the US dismantled a malware network used by Russian spies to steal government secrets by Carly Page originally published on TechCrunch