In the event of a cyber-attack on your company’s IT infrastructure, it’s crucial to report the incident in detail to law enforcement using the Voluntary Cyber Incident Reporting Portal, even if reporting is not mandated for your organization.

This portal, set up by America’s Cyber Defense Agency, not only facilitates reporting but also serves as a valuable resource for businesses. It provides guidance on whom to report to, the importance of reporting, and how to communicate the incident to the public. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) offers support through this platform, helping firms understand proactive security measures that can reduce cyber risks. The portal also tracks information on exploited vulnerabilities and provides updates on available fixes.

By centralizing the reporting of cyber incidents, the U.S. government demonstrates its commitment to helping organizations understand how reporting and responding to incidents can significantly deter criminal activity.

“The portal offers unique resources and tools to aid response and recovery,” stated Jeff Greene, Executive Assistant Director for Cybersecurity at CISA. He emphasized that this platform will support law enforcement in investigating, tracking, and prosecuting cybercriminals, which in turn helps to prevent future attacks.

The CISA Services Portal is a key component of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was proposed in March 2024 and is set to launch in October 2025.

The Department of Homeland Security (DHS) anticipates that its CISA component will receive at least 25,000 reports in its first year and will serve all 300,000 organizations across 16 sectors.

Jen Easterly, Director of CISA in 2022, praised the website, noting that it is designed not to name, shame, or blame but to provide support and ensure the privacy of victims.

The post CISA offers Voluntary Cyber Incident Reporting Portal appeared first on Cybersecurity Insiders.

Cyber threats are constantly evolving, targeting the very foundation of our nation’s security and economy. To combat this ever-present challenge, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a proactive program called Shields Up. The program’s core tenets emphasize the importance of continuous preparedness, collaboration, and adaptation to combat evolving cyber threats.

Shields Up and Shields Ready: Building a Comprehensive Defense

CISA’s Shields Up program furnishes organizations with the tools and resources necessary to implement robust cybersecurity practices. This includes recommendations for shoring up defenses, like maintaining offline data backups and crafting incident response plans. The Shields Ready program is a specific aspect and essential expansion of this initiative, focusing on elements such as heightened readiness or specific sector protection. Shields Ready addresses known cyber threats and utilizes CISA’s intelligence arm to communicate steps and tactics to improve cyber readiness and reduce the risk of a successful attack.

The development of programs like Shields Up and Shields Ready indicates several critical aspects of CISA’s cybersecurity approach:

  • Proactive Stance: CISA focuses on a proactive rather than reactive approach to cybersecurity threats. By providing tools, resources, and guidance in advance, the expectation is to prevent cyber incidents before they occur.
  • Comprehensive Readiness: CISA encourages organizations to be perpetually prepared for cyber threats, not just respond when attacked. This involves continuous monitoring, updating, and strengthening of cybersecurity defenses. This aligns with many of the Executive Orders over the last 24 months on data supply chain and security standards and is in line with the NIST Cybersecurity Framework 2.0.
  • Collaboration and Partnership: CISA’s programs emphasize the importance of collaboration between the government, private sector companies, and various governmental agencies. With cyber threats changing daily, this partnership between the government and industry is imperative. Without cooperation and information sharing, we will not be able to protect our infrastructure.
  • Adaptation to Emerging Threats: By evolving and expanding programs like Shields Up, CISA is demonstrating its commitment to adapting to the evolving nature of cyber threats while utilizing the government’s power to assist industry. This is critical to staying ahead of nation-state cyber activities, ransomware attacks, and other forms of cybercrime.
  • Education & Awareness: These initiatives elevate our sense of urgency and raise awareness to educate stakeholders about the importance of cybersecurity, promote best practices, and assist organizations in understanding their vital role in national security.

Why Proactive Preparation Matters

Given the speed and volume at which cyberattacks are happening today, government agencies should, indeed must, be prepared for cyber incidents ahead of time to ensure resilience. There are several crucial reasons for doing so.

Firstly, ensuring resilience for critical infrastructure is paramount. Government agencies play a vital role in protecting these systems, which underpin national security, economic stability, and public safety. A successful cyberattack could cripple essential services, cause significant financial damage, or even compromise national security.

Secondly, safeguarding sensitive information is critical. Government agencies manage a wealth of sensitive data, including personal information of citizens, classified national security data, and other confidential records. Protecting this data from breaches is essential to maintain public trust in government operations and national security. A stark example of the consequences of a data breach is the OPM hack, where millions of security clearance records were compromised. This incident not only exposed private citizens to identity theft risks but also raised concerns about potential misuse of stolen data for creating deepfakes or other malicious activities.

Thirdly, proactive measures are crucial for ensuring continuity of operations. Cyberattacks can disrupt the functioning of government agencies, hindering the delivery of essential public services. From water supply and food safety systems to transportation and other everyday services, a cyberattack can cause significant disruption. Proactive preparation ensures that these critical functions continue uninterrupted even in the face of an attack.

Furthermore, rapid response capabilities are essential. When a cyberattack occurs, an agency’s ability to respond quickly and effectively is vital. CISA provides guidance on developing clear incident response plans, ensuring trained personnel are available to implement them and establishing clear communication channels for government-wide coordination and information sharing during a crisis.

By setting a high standard for cybersecurity practices, government agencies serve as a model for others to follow. CISA plays a leadership role in establishing cybersecurity standards and promoting robust cyber defenses. This not only protects government assets but also fosters collaboration with the private sector and other stakeholders in adopting strong cybersecurity measures.

Finally, the ever-evolving nature of cyber threats necessitates constant adaptation. Attackers continuously develop new methods to exploit vulnerabilities. Proactive preparation requires ongoing efforts to update cybersecurity measures and stay ahead of these evolving threats, particularly advanced persistent threats.

Securing Our Future

The ever-present threat of cyberattacks demands a proactive defense. CISA’s Shields Up and Shields Ready programs exemplify this approach, empowering those who manage critical infrastructure with the tools they need, while fostering collaboration to build a strong defense. These dynamic programs, aligned with national security priorities, ensure the resilience of government services and the uninterrupted delivery of essential services we rely on daily. Preparation for cyber incidents is not just about defense; it’s about ensuring public trust in government operations and the effective functioning of government itself. By working together, government agencies, industry leaders, and CISA can stay ahead of cyber threats and safeguard the foundation of our nation’s security and economy.

The post CISA’s Shields Up and Shields Ready Programs: A Proactive Approach to Cybersecurity for Critical Infrastructure appeared first on Cybersecurity Insiders.

A recent study by Lineaje has uncovered a startling lack of preparedness among organizations for the upcoming U.S. Cybersecurity and Infrastructure Security Agency (CISA) Secure Software Development Attestation Form deadline. The research, conducted at RSA Conference 2024, reveals that a mere 20% of companies are ready to meet the June 11, 2024, compliance deadline, a critical component of Executive Order (EO) 14028.

EO 14028, which mandates software producers to work with the U.S. government to confirm the deployment of key security practices, has been a focal point following a surge in software supply chain attacks. In 2023, these attacks affected over 2,700 U.S. organizations, marking a 58% increase from the previous year and underscoring the urgency of compliance.

Despite the clear risks and the mandate for Software Bills of Materials (SBOMs) since May 2021, Lineaje’s survey indicates that 84% of companies have yet to implement SBOMs into their development process. This gap in action suggests a disconnect between government cybersecurity efforts and industry implementation.

  • 65% of security professionals are unfamiliar with EO 14028.
  • 56% cite security vulnerabilities as their top concern, yet compliance adherence follows at only 22%.
  • 60% use open-source software, but only 16% are confident in its security.

Budget constraints and staffing shortages are cited as primary barriers to securing software and adopting necessary tools, with 45% pointing to budget limitations and 36% to lack of staffing resources.

This report serves as a wake-up call for the industry to prioritize cybersecurity compliance and awareness, as the consequences of inaction could be dire for both individual organizations and national security at large.

The post Upcoming June 11th CISA Deadline Exposes Widespread Unpreparedness in Software Security Compliance appeared first on Cybersecurity Insiders.

In February of this year, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that its systems had been compromised by hackers, exploiting vulnerabilities within Ivanti products utilized by the federal agency.

According to a CISA spokesperson, flaws within Ivanti Connect Secure and Ivanti Policy Secure Gateways are being actively exploited by hackers. Businesses employing these software platforms are advised to remain vigilant regarding cybersecurity developments, as these vulnerabilities could permit hackers to manipulate configuration settings and tamper with security measures on registered devices, potentially resulting in the theft of Personally Identifiable Information (PII).

This breach raises concerns about the security of CISA, the primary agency responsible for investigating cybercrimes, and may lead to a loss of trust in its operations in the near future.

In a concerning turn of events, hackers have recently exposed approximately 70 million records associated with AT&T users, offering them for sale online. These records, containing sensitive information such as social security numbers, dates of birth, addresses, emails, and phone numbers, were apparently obtained through cyber attacks targeting the telecom giant in 2021.

The exact motive behind this recent data dump remains unclear. However, it’s worth noting that in August 2021, a cybercriminal group known as ‘Shiny Hunters’ claimed responsibility for breaching AT&T’s database and stealing records of over 70 million users. Subsequently, they advertised the sale of this data for $1 million.

Initially, AT&T dismissed media reports of the breach as unsubstantiated. However, in January 2022, the telecom company confirmed the validity of the leak.

Adding to the turmoil, another cybercriminal group recently asserted that they had compromised data pertaining to over 9 million wireless customers. Upon investigation by the internet service provider, it was discovered that the criminals had accessed customer proprietary network information in January 2023.

The post CISA Hacked and over 70m files leaked online from AT&T database appeared first on Cybersecurity Insiders.

Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.

A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.

An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. “Carti,” and “Punslayer,” allegedly assisted in compromising devices.

In a SIM-swapping attack, the crooks transfer the target’s phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.

The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name “Victim 1.”

Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:

“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”

“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”

The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continued into Nov. 12.

Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.

“We put the value of the cryptoassets stolen at $477 million,” Robinson said. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, it’s certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.”

The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.

“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”

Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russia than anything they’ve witnessed from US-based SIM-swappers.

“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.

CISA’s alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA said, referring to the group’s signature “Tactics, Techniques and Procedures.”

Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.

Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

Financial claims involving FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.

KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.

Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasn’t shared that information yet. Powell’s next court date is a detention hearing on Feb. 2, 2024.

Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name.

According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.

The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims. GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.

The government says Snatch used a customized ransomware variant notable for rebooting Microsoft Windows devices into Safe Mode — enabling the ransomware to circumvent detection by antivirus or endpoint protection — and then encrypting files when few services are running.
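The Safe Mode trick described above leaves a trace that defenders can look for: on Windows, a reboot into Safe Mode is normally set up by changing the boot configuration with bcdedit, and that change shows up as a process-creation event before the machine goes down. The following is an added example of that detection logic, not code from the advisory or from KrebsOnSecurity. The JSON log lines are constructed for illustration, and the assumption that a Safe Mode reboot is configured through `bcdedit ... safeboot` followed shortly by a `shutdown /r` is mine; real telemetry (Sysmon event 1, Windows Security event 4688) carries the same fields under different names.

```python
"""Flag Safe Mode boot-configuration changes in process-creation logs.

Added example, not part of the FBI/CISA advisory. The log format below is
constructed: one JSON object per line with timestamp, host, user, image
path and command line, the fields a process-creation event normally has.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). FS01 shows the pattern the
# advisory describes: boot config switched to Safe Mode, then an immediate
# reboot. WS22 shows an admin removing a safeboot flag with a much later,
# scheduled restart, and an unrelated bcdedit /enum that must not fire.
SAMPLE_LOG = r"""
{"ts": "2023-09-01T02:11:05Z", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\bcdedit.exe", "command_line": "bcdedit /set {default} safeboot minimal"}
{"ts": "2023-09-01T02:11:09Z", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\shutdown.exe", "command_line": "shutdown /r /t 0"}
{"ts": "2023-09-01T09:30:00Z", "host": "WS22", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\bcdedit.exe", "command_line": "bcdedit /deletevalue {current} safeboot"}
{"ts": "2023-09-01T09:35:00Z", "host": "WS22", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\bcdedit.exe", "command_line": "bcdedit /enum"}
{"ts": "2023-09-01T10:00:00Z", "host": "WS22", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\shutdown.exe", "command_line": "shutdown /r /t 60"}
"""

# Any bcdedit invocation that touches the safeboot value (set or delete).
SAFEBOOT_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)
# shutdown.exe with the /r (restart) switch.
REBOOT_RE = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.IGNORECASE)


def parse_events(text):
    """Parse one JSON event per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_safeboot_change(ev):
    """True when bcdedit.exe is run with a command line naming safeboot."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return image == "bcdedit.exe" and bool(SAFEBOOT_RE.search(ev["command_line"]))


def is_reboot(ev):
    """True for a shutdown /r command line."""
    return bool(REBOOT_RE.search(ev["command_line"]))


def find_safeboot_sequences(events, window=timedelta(minutes=10)):
    """Return one finding per safeboot change, noting whether the same host
    issued a restart within `window` afterwards (the higher-severity case)."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if not is_safeboot_change(ev):
            continue
        deadline = ev["ts"] + window
        followed_by_reboot = any(
            e["host"] == ev["host"] and is_reboot(e) and ev["ts"] <= e["ts"] <= deadline
            for e in events[i + 1:]
        )
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "ts": ev["ts"].isoformat(),
            "command_line": ev["command_line"],
            "followed_by_reboot": followed_by_reboot,
        })
    return findings


if __name__ == "__main__":
    for f in find_safeboot_sequences(parse_events(SAMPLE_LOG)):
        sev = "HIGH" if f["followed_by_reboot"] else "review"
        print(f"[{sev}] {f['ts']} {f['host']} {f['user']}: {f['command_line']}")
```

Both hosts produce a finding, but only FS01 (safeboot set, then restarted four seconds later) is rated high; WS22's cleanup of a safeboot flag with a restart thirty minutes later is left for review, and the plain `bcdedit /enum` never fires. In practice the same rule should also be paired with a check that security tooling came back after the reboot, since the whole point of the technique is that it does not.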

“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” the FBI/CISA alert reads. It continues:

“Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network moving laterally across the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”

New York City-based cyber intelligence firm Flashpoint said the Snatch ransomware group was created in 2018, based on Truniger’s recruitment both on Russian language cybercrime forums and public Russian programming boards. Flashpoint said Truniger recruited “pen testers” for a new, then-unnamed cybercrime group, by posting their private Jabber instant messenger contact details on multiple Russian language coding forums, as well as on Facebook.

“The command requires Windows system administrators,” Truniger’s ads explained. “Experience in backup, increase privileges, mikicatz, network. Details after contacting on jabber: truniger@xmpp[.]jp.”

In at least some of those recruitment ads – like one in 2018 on the forum sysadmins[.]ru – the username promoting Truniger’s contact information was Semen7907. In April 2020, Truniger was banned from two of the top Russian cybercrime forums, where members from both forums confirmed that Semen7907 was one of Truniger’s known aliases.

[SIDE NOTE: Truniger was banned because he purchased credentials to a company from a network access broker on the dark web, and although he promised to share a certain percentage of whatever ransom amount Truniger’s group extracted from the victim, Truniger paid the access broker just a few hundred dollars off of a six-figure ransom].

According to Constella Intelligence, a data breach and threat actor research platform, a user named Semen7907 registered in 2017 on the Russian-language programming forum pawno[.]ru using the email address tretyakov-files@yandex.ru.

That same email address was assigned to the user “Semen-7907” on the now defunct gaming website tunngle.net, which suffered a data breach in 2020. Semen-7907 registered at Tunngle from the Internet address 31.192.175[.]63, which is in Yekaterinburg, RU.

Constella reports that tretyakov-files@yandex.ru was also used to register an account at the online game stalker[.]so with the nickname Trojan7907.

There is a Skype user with the handle semen7907 and the name Semyon Tretyakov from Yekaterinburg, RU. Constella also found a breached record from the Russian mobile telephony site tele2[.]ru, which shows that a user from Yekaterinburg registered in 2019 with the name Semyon Sergeyvich Tretyakov and email address tretyakov-files@ya.ru.

The above accounts, as well as the email address semen_7907@mail.ru, were all registered or accessed from the same Yekaterinburg Internet address mentioned previously: 31.192.175.63. The Russian mobile phone number associated with that tele2[.]ru account is connected to the Telegram account “Perchatka,” (“glove” in Russian).

BAD BEATS

Reached via Telegram, Perchatka (a.k.a. Mr. Tretyakov) said he was not a cybercriminal, and that he currently has a full-time job working in IT at a major company (he declined to specify which).

Presented with the information gathered for this report (and more that is not published here), Mr. Tretyakov acknowledged that Semen7907 was his account on sysadmins[.]ru, the very same account Truniger used to recruit hackers for the Snatch Ransomware group back in 2018.

However, he claims that he never made those posts, and that someone else must have assumed control over his sysadmins[.]ru account and posted as him. Mr. Tretyakov said that KrebsOnSecurity’s outreach this week was the first time he became aware that his sysadmins[.]ru account was used without his permission.

Mr. Tretyakov suggested someone may have framed him, pointing to an August 2023 story at a Russian news outlet about the reported hack and leak of the user database from sysadmins[.]ru, allegedly at the hands of a pro-Ukrainian hacker group called CyberSec.

“Recently, because of the war in Ukraine, a huge number of databases have been leaked and finding information about a person is not difficult,” Tretyakov said. “I’ve been using this login since about 2013 on all the forums where I register, and I don’t always set a strong password. If I had done something illegal, I would have hidden much better :D.”

[For the record, KrebsOnSecurity does not generally find this to be the case, as the ongoing Breadcrumbs series will attest.]

A Semyon Sergeyvich Tretyakov is listed as the composer of a Russian-language rap song called “Parallels,” which seems to be about the pursuit of a high-risk lifestyle online. A snippet of the song goes:

“Someone is on the screen, someone is on the blacklist
I turn on the timer and calculate the risks
I don’t want to stay broke
And in the pursuit of money I can’t take these zeros
Life is like a zebra – everyone wants to be first
Either the stripes are white, or we’re moving through the wilds
I won’t waste time.”

Mr. Tretyakov said he was not the author of that particular rhyme, but that he has been known to record his own rhythms.

“Sometimes I make bad beats,” he said. “Soundcloud.”

NEVER MIND THE DOMAIN NAME

The FBI/CISA alert on Snatch Ransomware (PDF) includes an interesting caveat: It says Snatch actually deploys ransomware on victim systems, but it also acknowledges that the current occupants of Snatch’s dark and clear web domains call themselves Snatch Team, and maintain that they are not the same people as Snatch Ransomware from 2018.

Here’s the interesting bit from the FBI/CISA report:

“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”

Avid readers will recall a story here earlier this week about Snatch Team’s leaky darknet website based in Yekaterinburg, RU that exposed their internal operations and the Internet addresses of their visitors. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

Snatch Team claims to deal only in stolen data — not in deploying ransomware malware to hold systems hostage.

Representatives of the Snatch Team recently answered questions from Databreaches.net about the claimed discrepancy in the FBI/CISA report.

“First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income,” the Snatch Team wrote to Databreaches.net in response to questions.

But so far the Snatch Team has not been able to explain why it is using the very same domain names that the Snatch ransomware group used.

Their claim is even more unbelievable because the Snatch Team members told Databreaches.net they didn’t even know that a ransomware group with that name already existed when they initially formed just two years ago.

This is difficult to swallow because even if they were a separate group, they’d still need to somehow coordinate the transfer of the Ransomware group’s domains on the clear and dark webs. If they were hoping for a fresh start or separation, why not just pick a new name and new web destination?

“Snatchteam[.]cc is essentially a data market,” they continued. “The only thing to underline is that we are against selling leaked information, sticking to the idea of free access. Absolutely any team can come to us and offer information for publication. Even more, we have heard rumors that a number of ransomware teams scare their clients that they will post leaked information on our resource. We do not have our own ransomware, but we are open to cooperation on placement and monetization of dates (sic).”

Maybe Snatch Team does not wish to be associated with Snatch Ransomware because they currently believe stealing data and then extorting victim companies for money is somehow less evil than infecting all of the victim’s servers and backups with ransomware.

It is also likely that Snatch Team is well aware of how poorly some of their founders covered their tracks online, and is hoping for a do-over on that front.