Mandiant says China-backed hackers exploited Barracuda zero-day to spy on governments
Security researchers at Mandiant say China-backed hackers are likely behind the mass-exploitation of a recently discovered security flaw in Barracuda Networks’ email security gear, which prompted a warning to customers to remove and replace affected devices.
Mandiant, which was called in to run Barracuda’s incident response, said the hackers exploited the flaw to compromise hundreds of organizations likely as part of an espionage campaign in support of the Chinese government.
Almost a third of the targeted organizations are government agencies, Mandiant said in a report published Thursday.
Last month, Barracuda discovered the security flaw affecting its Email Security Gateway (ESG) appliances, which sit on a company’s network and filter email traffic for malicious content. Barracuda issued patches and warned that hackers had been exploiting the flaw since October 2022. But the company later recommended customers remove and replace affected ESG appliances, regardless of patch level, suggesting the patches failed or were unable to block the hackers’ access.
In its latest guidance, Mandiant also warned customers to replace affected gear after finding evidence that the China-backed hackers gained deeper access to networks of affected organizations.
Barracuda has about 200,000 corporate customers around the world.
Mandiant is attributing the hacks to an as-yet-uncategorized threat group it calls UNC4841, whose infrastructure and malware code overlap with those of other China-backed hacking groups. Mandiant’s researchers say the threat group exploited the Barracuda ESG flaws to deploy custom malware, which maintains the hackers’ access to the devices while it exfiltrates data.
According to its report, Mandiant said it found evidence that UNC4841 “searched for email accounts belonging to individuals working for a government with political or strategic interest to [China] at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.”
Given that a large portion of the targets were government entities, the researchers said this supports their assessment that the threat group has an intelligence-gathering motivation, rather than conducting destructive data attacks.
Mandiant’s chief technology officer Charles Carmakal said the hacks targeting Barracuda customers are the “broadest cyber espionage campaign” known to be conducted by a China-backed hacking group since the mass-exploitation of Microsoft Exchange servers in 2021, which Mandiant also attributed to China.
Liu Pengyu, a spokesperson for the Chinese Embassy in Washington D.C., said the allegations that the Chinese government supports hacking are “completely distorting the truth.”
“The Chinese government’s position on cyber security is consistent and clear. We have always firmly opposed and cracked down on all forms of cyber hacking in accordance with the law,” the spokesperson said, while also accusing the U.S. government of violating international law by carrying out similar espionage activities, but without providing evidence for the claims.
By Zack Whittaker, originally published on TechCrunch.
How the US dismantled a malware network used by Russian spies to steal government secrets
The U.S. government said it has disrupted a long-running Russian cyber espionage campaign that stole sensitive information from the U.S. and NATO governments, an operation that took the feds almost 20 years.
The Justice Department announced on Tuesday that an FBI operation successfully dismantled the “Snake” malware network used by Turla, a notorious hacking group long affiliated with Russia’s Federal Security Service (FSB). Turla was previously linked to cyberattacks targeting U.S. Central Command, NASA, and the Pentagon.
U.S. officials describe Snake as the “most sophisticated cyber espionage tool in the FSB’s arsenal.”
The DOJ and its global partners identified the Snake malware in hundreds of computer systems in at least 50 countries. Prosecutors said the Russian spies behind the Turla group used the malware to target NATO member states — and other targets of the Russian government — as far back as 2004.
In the United States, the FSB used its sprawling network of Snake-infected computers to target industries including education, small businesses and media organizations, along with critical infrastructure sectors including government facilities, financial services, manufacturing and communications. The FBI said it obtained information indicating that Turla had also used Snake malware to target the personal computer of a journalist at an unnamed U.S. news media company who had reported on the Russian government.
Prosecutors added that Snake persists on a compromised computer’s system “indefinitely,” despite efforts by the victim to neutralize the infection.
After stealing sensitive documents, Turla exfiltrated this information through a covert peer-to-peer network of Snake-compromised computers in the U.S. and other countries, the DOJ said, making the network’s presence harder to detect.
From Brooklyn to Moscow
According to the FBI’s affidavit, U.S. authorities monitored the malware’s spread for several years, along with the Turla hackers who operated Snake from FSB facilities in Moscow and the nearby city of Ryazan.
The FBI said it developed a tool called “Perseus” — the Greek hero who slayed monsters — that allowed its agents to identify network traffic that the Snake malware had tried to obfuscate.
Between 2016 and 2022, FBI officials identified the IP addresses of eight compromised computers in the U.S., located in California, Georgia, Connecticut, New York, Oregon, South Carolina and Maryland. (The FBI said it also alerted local authorities to take down Snake infections on compromised machines located outside of the United States.)
With the victim’s consent, the FBI obtained remote access to some of the compromised machines and monitored each for “years at a time.” This allowed the FBI to identify other victims in the Snake network, and to develop capabilities to impersonate the Turla operators and issue commands to the Snake malware as if the FBI agents were the Russian hackers.
Then this week, after obtaining a search warrant from a federal judge in Brooklyn, New York, the FBI was given the green light to mass-command the network to shut down.
The FBI used its Perseus tool to mimic Snake’s built-in commands, which when transmitted by Perseus from an FBI computer, “will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the subject computers.”
The affidavit said the FBI used Perseus to trick the Snake malware into deleting itself from the very computers it had infected. The FBI says it believes this action has permanently disabled the Russian-controlled malware on infected machines and will neutralize the Russian government’s ability to further access the Snake malware currently installed on the compromised computers.
The feds warned that if they hadn’t taken action to dismantle the malware network when they did, the Russian hackers could have learned “how the FBI and other governments were able to disable the Snake malware and harden Snake’s defenses.”
While the FBI has disabled the Snake malware on compromised computers, the DOJ warned that the Russian hackers could still have access to compromised machines, since the operation did not search for or remove any additional malware or hacking tools that the hackers may have placed on victim networks. The feds also warned that Turla frequently deploys a “keylogger” on victims’ machines to steal account authentication credentials, such as usernames and passwords, from legitimate users.
U.S. cybersecurity agency CISA published a 48-page joint advisory to help defenders detect and remove Snake malware on their networks.
By Carly Page, originally published on TechCrunch.
After New Zealand, Australia bans TikTok on official devices
Australia joined a long list of western countries banning TikTok on official devices today. Attorney-General Mark Dreyfus announced the move and said the prohibition will be implemented “as soon as practicable.”
In the announcement, Dreyfus said that the decision was taken “after receiving advice from intelligence and security agencies.”
Additionally, Australia also made changes to its Protective Security Policy Framework (PSPF) noting that TikTok poses a security threat because of its data collection practices.
“The TikTok application poses significant security and privacy risks to non-corporate Commonwealth entities arising from an extensive collection of user data and exposure to extrajudicial directions from a foreign government that conflicts with Australian law,” the directive said.
The authorities said that they will allow the use of the short video app for “a legitimate business reason” and on a separate “standalone device.”
Australia’s move is in line with neighbor New Zealand and other Five Eyes collective members the US, the UK, and Canada — all of which have banned TikTok’s usage on official devices. Separately, the EU and Belgium have also prohibited the ByteDance-owned app on the devices of authorities.
TikTok didn’t comment on the story immediately.
Last month, TikTok CEO Shou Zi Chew testified before the U.S. Congress in a grueling five-hour session. In the hearing, Chew tried to assure lawmakers that Chinese authorities don’t have access to U.S. users’ data.
“Let me state this unequivocally: ByteDance is not an agent of China or any other country,” he said.
ByteDance is under pressure from the Biden administration to sell off TikTok US or face an embargo. Meanwhile, TikTok is on a $1.5 billion charm offensive under “Project Texas” to appease the U.S. authorities and squash their doubts about data transparency.
By Ivan Mehta, originally published on TechCrunch.
Today’s startups should terrify you
A steady stream of new startups pitch their ideas, concepts, products and services on a daily basis to TechCrunch reporters: Startups that claim to predict when employees might want to leave for a new job; that think they can detect depression using someone’s voice; that experiment by using chatbots on patients with depression; that scrape the internet for faces to allow police to carry out facial recognition surveillance.
And more than a few of these startups terrify me.
Much of the focus today is on TikTok, the viral video-sharing app owned by Chinese firm ByteDance, which faces bans over fears that the data it collects will end up in the hands of the Chinese government.
It’s not an unreasonable fear, especially with over a billion users worldwide using the app. But TikTok isn’t the only company capable of sharing data with China. Thousands of American apps and companies share our information with advertisers and data brokers, which also expose that data to China, in large part because nothing exists to curb the sharing or selling of data to anyone who wants it, from startups to authoritarian regimes.
But while lawmakers and the government endlessly fixate on TikTok and China, they continue to neglect the larger problem, and that’s at home. The scary calls are coming from inside America’s house.
All startups vie to be the next generation of Amazons, Ubers, Facebooks, and Googles, and look up to these American tech giants with dollar signs in their eyes. But if money is the metric to go by, it’s worth looking at how the Amazons, Ubers, Facebooks and Googles got here. It’s through our data that so many tech giants (though not all) made their billions. Some call it innovation and disruption; others see it as exploitation.
Just look at the mess that the first generation of tech titans have made. We’ve seen how our data is used by companies to consolidate power, like market or user share, to make money. When Amazon isn’t oppressing its workers by meticulously tracking their toilet habits, it’s using data to push out competitors and small businesses to favor its own sales. Uber played fast and loose with its security and privacy practices for years, then tried to cover up a massive data breach. Facebook was used to incite a literal genocide that in part led to a whole corporate rebrand. And Google’s data practices pretty much keep the U.S. Justice Department’s antitrust division in business.
These data-hungry tech companies have compromised our security, eroded our privacy, tracked us, sold our data, lost our data, monopolized the competition, driven out small businesses, and put entire populations at risk.
A paucity of legislation and regulation has allowed American tech companies to thrive and grow, enriched by our personal information and the data we created, including anything from where we go to what we buy, to the people we communicate with to the content we consume. If the adage that data is the new currency is true, it’s no wonder why tech companies keep getting richer. There are few rules for what companies can do with our information, but plenty of profit-making playbooks to work from. Every day a new tranche of startups has our data in its sights, but as consumers facing today’s technology, what hope do we have when the conditions for our security and privacy are worse?
As unlikely as it is, a national TikTok ban would not stop Americans’ data from ending up in China. The data has to be stemmed at the source — by not allowing American tech companies to collect gobs of data from people’s devices to begin with.
America stands alone as one of the few superpowers without a data protection or privacy law. It is this uncontrolled and unregulated environment that allows Americans’ data to end up in the hands of China or anyone who will pay for it. Creating a federal privacy law that spans the entire country and getting it to actually work isn’t easy. It’s why each state legislates differently.
California was the first state to offer strong consumer and data protections to its residents, granting Californians the rights to access, modify and delete the data that companies collect on them. California’s consumer privacy law is regarded as one of the strongest in the country — because it worked. Companies in the state, home to Silicon Valley and its tech titans, had to comply and carve out deep exceptions from their data collection practices for millions of Californians. But that still leaves the millions of remaining Americans with no privacy protections.
Only a handful of states have followed in California’s steps, but few new laws have reached the same bar, thanks to the corrupt (or lazy) lawmakers that watered down the draft bills in their states to serve the interests of the lobbying companies. Meanwhile, the tech lobby is fervently backing a federal law with the aim of creating a weaker set of rules across the U.S. to replace the patchwork of state laws, including California’s.
Startups today should scare you because of their near-unfettered and unbridled ability to do almost anything with our information and face little to no repercussions. Even where tech giants have historically flouted their own security and privacy promises, regulators are under-resourced and massively outnumbered, and don’t have the enforcement powers to meaningfully hold repeat offenders accountable.
Without guardrails in place to protect our data, the startups of today and tomorrow are doomed to make the same mistakes of yesteryear.
By Zack Whittaker, originally published on TechCrunch.
FBI confirms it’s investigating a cyber incident on its own network
The U.S. Federal Bureau of Investigation has confirmed that it’s investigating malicious cyber activity on its own network.
CNN reported on Friday that hackers compromised an FBI computer system at the agency’s New York field office, citing people briefed on the matter. The brief report added that the incident involved a computer system used in investigations of images of child sexual exploitation.
In a statement given to TechCrunch, FBI spokesperson Manali Basu confirmed that the agency had contained the “isolated incident,” which it continues to investigate.
“The FBI is aware of the incident and is working to gain additional information,” the spokesperson said. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”
There remain a number of unknowns about the incident. It’s not immediately clear when the intrusion occurred, or how the FBI was compromised. The nature of the incident, which doesn’t appear to have yet been claimed by any major cybercriminal organization, also remains unclear at the time of publication.
The FBI declined to answer our specific questions.
This isn’t the first time the FBI has been compromised. In November 2021, a threat actor compromised the FBI’s external email system to send thousands of spam emails warning of a fake cyberattack to hundreds of thousands of organizations.
By Carly Page, originally published on TechCrunch.
Taiwan fines car renting giant iRent for customer data spill
Taiwanese authorities have fined car rental and ride sharing giant iRent after TechCrunch revealed the company was spilling customers’ data and identity documents onto the open web for months.
According to local media reports, iRent, which is owned by Taiwanese auto conglomerate Hotai Motor, received two separate fines for failing to adequately protect the data of more than 400,000 customers.
In a press release on Thursday, Taiwan’s highways division under the transport ministry said iRent violated the country’s data protection rules and fined the company NT$200,000 (about $6,600). The company was also ordered to improve its security by the end of February or face further fines.
Meanwhile, the government of Taiwan’s capital city, Taipei, also imposed a maximum fine of NT$90,000 (about $3,000) for failing to “fulfill its management responsibilities,” circumstances the agency described as “serious.”
The fines landed days after TechCrunch revealed that iRent left a database containing reams of customer information exposed to the internet without a password. Security researcher Anurag Sen found the exposed database, but iRent took a week — and the swift intervention of the Taiwanese government — to respond. A short time after TechCrunch alerted Taiwan’s digital ministry about the company’s security lapse, the exposed database was secured.
The database contained customers’ full names, cell phone numbers, email and home addresses, partial credit card numbers, and at least 100,000 customer identification documents, as well as selfies, signatures, and rental vehicle details. The database was updating with new customer data in real-time.
Days after the database was secured, Taiwanese government inspectors were sent to investigate the company, and found that iRent did not have an adequate security plan in place.
“The bureau will continue to urge motor transport operators to implement user personal information protection and corporate social responsibility to protect consumer rights,” said Taiwan’s highways division in a statement.
Following the incident, Taiwan’s vice premier Cheng Wen-tsan said that the fine against iRent was “too light,” and that the government planned to propose a law amendment aimed at increasing fines tenfold for private companies found to have spilled people’s personal information.
By Zack Whittaker, originally published on TechCrunch.
US, UK sanction 7 alleged members of infamous Russian Trickbot hacking gang
In a first-of-its-kind coordinated action, authorities in the United States and the United Kingdom have sanctioned seven individuals allegedly behind the infamous Russia-based cybercrime gang Trickbot.
The action, which marks the first time that British officials have issued sanctions against suspected ransomware operators, saw the U.S. Treasury and the U.K. Foreign Office levy sanctions against the Russian hackers allegedly connected to a single network behind the Conti and Ryuk ransomware variants, as well as the infamous Trickbot banking trojan. This also marks the first time authorities have linked Conti, Ryuk and Trickbot to a single criminal organization.
U.K. authorities also assess that the individuals have links to the Russia-based cybercriminal group known as Evil Corp, which was also sanctioned by U.S. Treasury in December 2019.
The latest sanctions mean the seven individuals — named as Vitaly Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevskiy, Mikhail Iskritskiy and Ivan Vakhromeyev — have had their assets frozen and travel bans imposed, and are barred from transacting with U.S. organizations. That also bars Americans from paying any ransom to the sanctioned entities. U.S. authorities have also charged Kovalev, described as a senior figure within Trickbot who is known online as “Bentley” and “Ben,” with conspiracy to commit bank fraud and eight counts of bank fraud.
As the seven individuals are all based in Russia, which does not extradite its citizens, arrests by U.S. or U.K. law enforcement are unlikely.
The U.K. National Crime Agency says the group was responsible for extorting at least £27 million ($33m) from 149 UK victims, including hospitals, schools, businesses and local authorities. In its announcement, the Treasury noted that Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the U.S. during the height of the COVID-19 pandemic. Trickbot was also linked to the September ransomware attack on the Los Angeles Unified School District, or LAUSD, the second-largest district in the United States.
In a recent announcement, the U.S. government said that Conti — which rebranded from Ryuk in 2020 — had carried out more than 1,000 ransomware operations targeting U.S. and international critical infrastructure, including law enforcement agencies, emergency medical services, and 911 dispatch centers. Most recently, the gang infiltrated 27 government institutions in Costa Rica and demanded a $20 million ransom.
The Treasury on Thursday also said that current members of Trickbot are associated with Russian intelligence. “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services,” it said. “This included targeting the U.S. government and U.S. companies.”
The U.K. National Cyber Security Centre, part of GCHQ, also assessed that it is “highly likely” that key members maintain links to Russian intelligence services. “The targeting of certain organizations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives,” it said.
This latest takedown comes just weeks after law enforcement agencies in the U.S. and Europe announced that they had seized the infrastructure behind Hive, one of the most prolific ransomware operations. Hive is responsible for attacks on Costa Rica’s public health service and New York-based emergency response and ambulance service provider Empress EMS.
By Carly Page, originally published on TechCrunch.
Meet the prolific Russian espionage crew hacking spymasters and lawmakers
A notorious hacking group with alleged ties to Russian intelligence services has claimed its latest victim: British lawmaker Stewart McDonald.
McDonald, a Member of Parliament for his constituency in Glasgow South, told BBC News that he fears he had been the victim of a “disinformation” campaign after his personal email account was “hacked by Russia.” McDonald said the hackers sent a document purporting to include a military update on Ukraine, but when opened contained a phishing page that tricked him into entering his email address and password.
The intrusion is believed to be linked to the prolific “Seaborgium” hacking group, also referred to as “Cold River” and “Calisto.”
Seaborgium may not be as well-known as Russia’s Fancy Bear or Sandworm hackers, but it is rapidly making a name for itself. The U.K. government has warned of the group’s “ruthless” attempts to pursue its victims, and security researchers say the gang’s growing list of targets — including politicians, defense, and government organizations — suggests Seaborgium is closely tied to the Russian state.
Who is Seaborgium?
The Seaborgium hacking group has been active since at least 2017 and is known for conducting long-running cyber espionage campaigns against NATO countries, particularly the U.S. and the United Kingdom, but also further afield, such as the Baltics, the Nordics, and Eastern Europe.
Microsoft’s Threat Intelligence Center, or MSTIC, which has tracked the group since its inception, assesses that Seaborgium is a Russia-based group with “objectives and victimology” that align closely with Russian state interests.
“While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other non-state ecosystems, MSTIC assesses that information collected during Seaborgium intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations,” Microsoft researchers said.
French threat intelligence startup Sekoia.io, which tracks the group as “Calisto,” said in December that while there is an absence of technical evidence linking Seaborgium to known Russian hacking groups, it found that the hacking group “contributes to Russian intelligence collection about identified war crime-related evidence and/or international justice procedures.”
Who does Seaborgium target?
Seaborgium has historically targeted sectors including academia, defense, governmental organizations, NGOs and think tanks, as well as politicians, journalists and activists.
In May 2022, Google’s Threat Analysis Group, which tracks Seaborgium as “Cold River,” attributed to the group a hack-and-leak operation that saw a trove of emails and documents stolen and leaked from high-level Brexit proponents, including Sir Richard Dearlove, the former head of the U.K. foreign intelligence service MI6. The stolen documents were spread on social media to amplify a false narrative that Brexit proponents were behind a conspiracy to oust a then-sitting prime minister.
In January, it was revealed that Seaborgium also targeted scientists at three U.S. nuclear research labs — Brookhaven, Argonne, and Lawrence Livermore Laboratories — last year.
Microsoft’s threat intelligence unit MSTIC says it has also seen Seaborgium targeting Ukraine’s government sector in the months leading up to Russia’s invasion in February 2022, along with organizations involved in supporting roles for the war in Ukraine. Seaborgium has targeted former intelligence officials, experts in Russian affairs, and Russian citizens abroad, suggesting the hacking group is also involved in domestic surveillance.
Microsoft said some 30% of Seaborgium activity targets personal email accounts.
What are Seaborgium’s motives?
The main goal of Seaborgium’s intrusions — which typically impersonate real people and use phishing lures with the aim of stealing a victim’s email account password — is espionage and information operations. The latter is when stolen information is strategically leaked to shape narratives in specific countries for certain reasons. Microsoft researchers say the group is unlikely to be financially motivated.
The U.K.’s National Cyber Security Centre, which acts as the U.K.’s technical authority on cyber threats, said in a recent advisory that Seaborgium tends to select its targets based on the perceived level of their access to information of interest to the hackers, such as politicians, journalists and activists.
In a statement to TechCrunch, an NCSC spokesperson said it was investigating the incident involving the compromise of McDonald’s email account. “An incident has been reported to us and we are providing the individual with support,” said the spokesperson, who did not provide a name. “The NCSC regularly provides security briefings and guidance to parliamentarians to help them defend against the latest cyber threats. This includes expert advice for MPs and their staff available on the NCSC website.”
McDonald and the SNP did not respond to TechCrunch’s questions.
By Carly Page, originally published on TechCrunch.
Beam raises $6.4M to help citizens access safety net funds
Beam, a startup that helps citizens access government financial aid, has raised $6.4 million in Series A funding.
The company, previously known as Edquity, helps deliver funds across a wide array of programs, like emergency cash assistance, rental relief and public utility benefits.
“We fundamentally work to transmit critical services and resources to those in need,” said David Helene, CEO of Beam.
The company’s Series A funding comes as the company said it saw a greater need to provide disadvantaged communities with financial support following the COVID-19 pandemic. Beam said the funds will be used to expand its headcount and further develop its platforms. The round was led by Potencia Ventures, with participation from Spring Point Partners, American Family Insurance Institute for Corporate and Social Impact, Imaginable Futures, Lumina Impact Ventures, Michelson Runway, and Schmidt Futures.
Beam, when partnered with governments, operates as the end-to-end cash assistance administration system, which handles applications, ID verification, case decisions, and payments.
“Our system has a single system of records,” said Helene. “Our intent is to create the least amount of friction and the most dignity for those that are interacting with applications in the system.” Beam said it allows applicants to receive funds by bank account, a prepaid card, or online services like Zelle to serve communities equitably.
Beam says it has helped process over $180 million to about 300,000 households. The company currently has operations in 16 states with 57 governments.
By Andrew Mendez, originally published on TechCrunch.