The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.
The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.
[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel.
[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.
[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.
[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.
Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231
"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors
Related Stories
Microsoft takes court action against fourth nation-state cybercrime group.:
On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.
Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group's activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.
Like many cybercriminals and threat actors, Thallium typically attempts to trick victims through a technique known as spear phishing. By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target. As seen in the sample spear-phishing email below, the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters "r" and "n" to appear as the first letter "m" in "microsoft.com."
Arthur T Knackerbracket has found the following story:
Flaws in the blockchain app some states plan to use in the 2020 election allow bad actors to alter or cancel someone’s vote or expose their private info.
Security researchers have found key flaws in a mobile voting app that some states plan to use in the 2020 election that can allow hackers to launch both client- and server-side attacks that can easily manipulate or even delete someone’s vote, as well as prevent a reliable audit from taking place after the fact, they said.
A team of researchers at MIT released a security audit of Voatz—a blockchain app that already was used in a limited way for absentee-ballot voting in the 2018 mid-term elections—that they said bolsters the case for why internet voting is a bad idea and voting transparency is the only way to ensure legitimacy.
West Virginia was the first state to use Voatz, developed by a Boston-based company of the same name, in the mid-term election, marking the inaugural use of internet voting in a high-stakes federal election. The app primarily collected votes from absentee ballots of military service personnel stationed overseas. Other counties in Utah and Colorado also used the app last year in a limited way for municipal elections.
However, despite the company’s claim that the app has a number of security features that make it safe for such an auspicious use—including immutability via its use of a permissioned blockchain, end-to-end voting encryption, voter anonymity, device compromise detection, and a voter-verified audit trail–the MIT team found that any attacker that controls the user’s device through some very rudimentary flaws can brush aside these protections.
“We find that an attacker with root privileges on the device can disable all of Voatz’s host-based protections, and therefore stealthily control the user’s vote, expose her private ballot, and exfiltrate the user’s PIN and other data used to authenticate the server,” MIT researchers Michael A. Specter, James Koppe and Daniel Weitzner wrote in their paper (PDF), “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S.Federal Elections.”
[...] One voting district in Washington state—Mason County–already has pulled its plans to use Voatz in November, according to the New York Times, while West Virginia is moving ahead with its plans to expand Voatz used to disabled voters, the paper reported.
MFA
Iranian Spies Accidentally Leaked Videos of Themselves Hacking:
When security researchers piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they're doing and then upload the video to an unprotected server on the open internet. Which is precisely what researchers at IBM say a group of Iranian hackers did.
[...] The IBM researchers say they found the videos exposed due to a misconfiguration of security settings on a virtual private cloud server they'd observed in previous APT35 activity. The files were all uploaded to the exposed server over a few days in May, just as IBM was monitoring the machine. The videos appear to be training demonstrations the Iran-backed hackers made to show junior team members how to handle hacked accounts. They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.
[...] But the videos nonetheless represent a rare artifact, showing a first-hand view of state-sponsored cyberspying that's almost never seen outside of an intelligence agency.
"We don't get this kind of insight into how threat actors operate really ever," says Allison Wikoff, a senior analyst at IBM X-Force whose team discovered the videos. "When we talk about observing hands-on activity, it's usually from incident response engagements or endpoint monitoring tools. Very rarely do we actually see the adversary on their own desktop. It's a whole other level of 'hands-on-keyboard' observation."
Breached water plant employees used the same TeamViewer password and no firewall:
The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.
After gaining remote access [...] the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.
According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.
Massachusetts officials wrote:
The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.
[....] The revelations illustrate the lack of security rigor found inside many critical infrastructure environments.
It was a 32-bit computer; so they wisely had Windows 7 instead of XP.
See also:
recent SoylentNews article about this, attempt to poison the water supply of residents in Oldsmar, Forida.
Microsoft exchange servers have been under attack in the past few days by a number of groups, including several known "state-sponsored and cyber-criminal hacking groups". They are targeting several zero-day vulnerabilities that have come to light. What I find interesting is the number of groups that all began exploiting these vulnerabilities at the same time. Additional groups have joined in on the hacking attempts, especially after Microsoft issued patches for the vulnerabilities, including ransomware organizations.
Below "the fold" is a roundup of the stories that have been submitted so far.
Arthur T Knackerbracket has processed the following story:
Cybersecurity firm Palo Alto Networks warned over the weekend of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.
To breach the orgs networks, the threat actors behind this cyberespionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho's enterprise password management solution known as ManageEngine ADSelfService Plus which allows remotely executing code on unpatched systems without authentication.
The attacks observed by Palo Alto Networks researchers started on September 17 with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).
Exploitation attempts began on September 22 after five days of harvesting info on potential targets who hadn't yet patched their systems.
"While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised," the researchers said.
"Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities."
Even though the researchers are working on attributing these attacks to a specific hacking group, they suspect that this is the work of a Chinese-sponsored threat group known as APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse).
US warns of govt hackers targeting industrial control systems:
A joint cybersecurity advisory issued by CISA, NSA, FBI, and the Department of Energy (DOE) warns of government-backed hacking groups being able to hijack multiple industrial devices using a new ICS-focused malware toolkit.
The federal agencies said the threat actors could use custom-built modular malware to scan for, compromise, and take control of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.
"The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities," the joint advisory reads.
"The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters."
ICS/SCADA devices at risk of being compromised and hijacked include:
- Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs)
- Omron Sysmac NJ and NX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers
DOE, CISA, NSA, and the FBI also found that state-sponsored hackers also have malware that leverages CVE-2020-15368 exploits to target Windows systems with ASRock motherboards to execute malicious code and move laterally to and disrupt IT or OT environments.
Malware turns home routers into proxies for Chinese state-sponsored hackers
Researchers have uncovered malicious firmware that can turn residential and small office routers into proxies for Chinese state-sponsored hackers. The firmware implant, discovered by Check Point Research, includes a full-featured backdoor that allows attackers to establish communication, issue commands, and perform file transfers with infected devices. The implant was found in TP-Link routers but could be modified to work on other router models.
The malware's main purpose is to relay traffic between infected targets and command-and-control servers, obscuring the origins and destinations of the communication. The control infrastructure was traced back to hackers associated with the Chinese government. By using a chain of infected devices, the attackers can hide the final command and control and make it difficult for defenders to detect and respond to the attack.
This technique of using routers and other IoT devices as proxies is a common tactic among threat actors. The researchers are unsure how the implant is installed on devices but suspect it could be through exploiting vulnerabilities or weak administrative credentials.
While the firmware image discovered so far only affects TP-Link devices, the modular design allows the threat actors to create images for a wider range of hardware. The article concludes with recommendations for users to check for potential infections and apply proactive mitigations such as patching routers and using strong passwords.
Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation."
The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.
Backdoored firmware lets China state hackers control routers with "magic packets"
Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday.
The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with "magic packets" to perform specific tasks.
The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries.
"Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," officials wrote in Wednesday's advisory. "To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network."
[...] To install their modified bootloader, the US and Japanese advisory said, the threat actors install an older version of the legitimate firmware and then modify it as it runs in memory. The technique overrides signature checks in the Cisco ROM monitor signature validation functions, specifically functions of Cisco's IOS Image Load test and the Field Upgradeable ROMMON Integrity test. The modified firmware, which consists of a Cisco IOS loader that installs an embedded IOS image, allows the compromised routers to make connections over SSH without being recorded in event logs.
(Score: 0) by Anonymous Coward on Friday February 02, @02:48AM
Tomorrow? Hippy Smokeware...
Do we really want the authorities to do this?
(Score: 2, Interesting) by Anonymous Coward on Friday February 02, @03:57AM
I get tons of network+port scans from Digital Ocean IP ranges (enough that I've put their ASN in a different category), so how do you figure who that is sponsored by?
There are plenty of motives for other criminals to create bot nets. After all wouldn't some ransomware groups be interested in deploying their stuff in juicy organizations (while avoiding others - if you're in Russia you probably will want to avoid pissing off Putin). Same for finding and selling secrets.
[1] Remember, security cameras are installed by the West. Surveillance cameras are installed by China and spy cameras by Russia... ;)
(Score: 5, Interesting) by Runaway1956 on Friday February 02, @04:02AM (5 children)
I'm reading "blah blah blah Netgear blah". Think, "Hey, I got one of those!" Click the link - read about two sentences - DUHHHH! I'm pretty sure this backdoor was eliminated when I installed DDWRT. I read the article anyway, only to find that the FBI has redacted any useful information. Whatever, unless the backdoor is hard coded into one of the chips, I think I'm probably good. If it IS hard coded, well, thanks for nothing FBI.
Found this:
https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html [trendmicro.com]
Simple answer, a trusted firmware update eliminates the problem. Which kinda leads to the question, "How can we trust this trusted firmware, presumably written by the same people who built and sold the router to us originally?"
Better answer, in my case, I'm not using a firmware sourced from the manufacturer or the vendor.
(Score: 4, Insightful) by aafcac on Friday February 02, @05:11AM (3 children)
It's unclear to me who still thinks that the FBI is the good guys in just about any scenario. They're the ones that spend most of their time looking at child pornography and framing leftwing activists in order to help rig political races in the favor of rightwing candidates. There literally has not been a period of their existence where they haven't been rotten to the core.
(Score: 4, Interesting) by Anonymous Coward on Friday February 02, @05:21AM
Yeah. https://theintercept.com/2015/03/16/howthefbicreatedaterrorist/ [theintercept.com]
https://www.theguardian.com/world/2011/nov/16/fbi-entrapment-fake-terror-plots [theguardian.com]
Enough to spawn at least one movie: https://www.youtube.com/watch?v=nR08yvgwPjE [youtube.com]
With a track record like that, maybe some of those "Chinese state sponsored" hackers might even be sponsored by the FBI... Might even be ethnically Chinese... lulz.
(Score: 5, Informative) by crafoo on Friday February 02, @05:31AM
That's really so strange to me. You see the world in terms of "good guys" and left/right wing, blue/red team. That's just not how things work. That is all a WWE show. Smoke and mirrors to distract, confuse, and waste your life.
If you really want to get a look into how bad the FBI are, look into their involvement with The Finders, a child sex trafficking ring back in the 80s. Almost certainly still in operation today.
(Score: 1, Touché) by Anonymous Coward on Friday February 02, @06:13AM
https://au.news.yahoo.com/judge-slams-fbi-sting-tactics-233514736.html [yahoo.com]
Definitely State sponsored...
(Score: 5, Funny) by stratified cake on Friday February 02, @06:46AM
"How can we trust this trusted firmware, presumably written by the same people who built and sold the router to us originally?"
Easy, the trusted firmware only contains positive, good back doors approved by the white hats working for the "good ǵuys" (TM) that are totally safe and will never be used nefariously; never ever.
(Score: 5, Insightful) by pkrasimirov on Friday February 02, @07:12AM (1 child)
Interesting. There's an article about busting some Chinese APT and all of the comments so far are noise about "USA bad", "authorities bad", and "everything and everyone is bad anyway". This means that the psyop is worthwhile because the site is important and popular. Well, good job everyone who keeps this site operating! That's more than just applause from them; it is confirmation of relevancy and an indication of free speech in this forum.
(Score: 3, Insightful) by Anonymous Coward on Friday February 02, @01:38PM
Everyone knows that CCP are a nasty bunch of corrupt mafia types; but here we see evidence of the same thing in The Land of the Free which is way more interesting.
(Score: 5, Insightful) by VLM on Friday February 02, @01:12PM
Probably a false flag, and it was originally done by the FBI, and now they feel responsible because the security hole they created was too big, so they're closing it a little and blaming the Chinese of course.
Or interdepartmental warfare where the NSA or DSA did it and the FBI is doing the usual office politics nonsense and we'll just hand wave it all away as Chinese Derangement Syndrome.
I don't see the point of the Chinese breaking into something they made. Just bake a back door into it when it's manufactured.
(Score: 5, Touché) by Immerman on Friday February 02, @03:17PM (2 children)
I'm 100% confident that the FBI "counterhacked" routers across the country in order to stop a vague potential threat from China, and for no other reason, and didn't leave anything useful to their own routine illegal surveillance behind...
Aren't you?
(Score: 2) by Freeman on Friday February 02, @04:41PM
They (arstechnica, I presume) did mention that replacing the routers would be best. The type of infection is wiped with a reboot making replacement of the hardware somewhat optional. Doesn't protect against re-infection, though.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by DannyB on Friday February 02, @05:21PM
It is for your own protection comrade.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 3, Interesting) by Mojibake Tengu on Friday February 02, @06:30PM
This article is obviously a part of public distraction spin related to "Big Tech and the Online Child Sexual Exploitation Crisis" Senate Judiciary Committee hearing.
State owned (not sponsored :) Global News editorial reflects this current hacker campaign thusly:
How to interpret Washington's new version of 'hacker script': Global Times editorial
https://www.globaltimes.cn/page/202402/1306552.shtml [globaltimes.cn]
The best quote nails it:
Anxiety, that is.
Well, did you know some Chinese monsters feed selectively on spirits of high priests (Zhu Fu) or brains of enlightened buddhas (Golden Cicada)?
I bet you have no magical protection against these on your networks.
Respect Authorities. Know your social status. Woke responsibly.