The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia’s military hackers.
The two agencies say Russian hackers used the malware, named Drovorub, to plant backdoors inside hacked networks.
Based on the evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.
The owner of controversial video-sharing app TikTok has a September 15 deadline to either sell to a US company or see the service banned from the US market, following President Donald Trump’s executive order that labelled the platform as a national emergency.
Microsoft threw its hat in the ring prior to the official announcement from the president, saying it wanted to scoop up TikTok and add world-class security, privacy, and digital safety protections to the app if it did.
It soon reportedly joined forces with Walmart to co-bid for the Chinese company’s US, Canadian, Australian, and New Zealand operations.
Microsoft officials had characterised the discussions as preliminary, noting it was not intending to provide any further updates on the discussions until there was a definitive outcome.
But as the deadline approaches, ByteDance said it would not include TikTok’s algorithm as part of the sale, according to a South China Morning Post report. The Chinese company has also told Microsoft it would not be TikTok’s new owner.
Most online attacks could be easily avoided by following basic cyber security advice, Australia’s national cyber security bureau has said – even as it warned that the impact and severity of incidents such as ransomware attacks are continuing to get worse.
Cybercriminals follow the money, said the Australian Cyber Security Centre (ACSC) in its annual report for 2019-20, published earlier this week.
Over the past 12 months the ACSC has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign, said the agency, adding that after the initial breach attackers typically try to exploit remote desktop-type apps to hunt for anything worth stealing – or deleting.
Fairfax County Public Schools (FCPS), the 10th largest school division in the US, was recently hit by ransomware according to an official statement published on Friday evening.
The school district is also the largest in the Baltimore-Washington Metropolitan Area and it has a budget of $3.1 billion approved for 2021.
FCPS has over 188,000 current students and approximately 25,000 full-time employees working in 198 schools and centers within the U.S. commonwealth of Virginia.
FBI involved in the ongoing investigation
At the moment the exact date when the ransomware impacted FCPS’s network is not yet known, but the school district says that it is collaborating with the FBI to determine which ransomware gang is behind the attack.
The Development Bank of Seychelles (DBS) was hit by ransomware according to a press statement published earlier today by the Central Bank of Seychelles (CBS).
DBS was founded in 1977 as a joint venture by the Seychelles government and several other shareholders including the European Investment Bank, Standard Chartered Bank, Barclays Bank, Deutsche Investitions und Entwicklungsgesellschaft (DEG), and Caisse Francaise de Cooperation.
Since then, the government and DBS bought the shares of Barclays Bank and DEG, giving the Seychelles government control of 60.50% of the bank’s shares.
Ransomware attack disclosed on Wednesday
According to the press release published today by CBS, the Development Bank of Seychelles reported the ransomware attack on September 9, 2020.
“Since then, CBS has been engaging with DBS to establish the exact nature and circumstances of the incident and closely monitor the developments, including the possible impact on DBS’ operations,” the press release reads.
“The CBS has stressed on the need for DBS to maintain communication with its clients and other stakeholders, particularly within the banking sector, throughout this process.”
CBS added that “engagement with DBS will also endeavor to identify areas of vulnerability that could have led to the ransomware attack.”
CBS also said that it will provide more details to the public once the ongoing investigation learns more about the attack that impacted the Development Bank of Seychelles’ systems.
BleepingComputer has reached out to the Development Bank of Seychelles for more information on the attack but has not heard back.
The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc on the 2016 election, breaking into the Democratic National Committee and Hillary Clinton’s campaign to publicly leak their secrets. Ever since, the cybersecurity community has been waiting for the day they would return to sow more chaos. Just in time for the 2020 election, that day has come. According to Microsoft, Fancy Bear has been ramping up its election-targeted attacks for the past full year.
On Thursday, Microsoft published a blog post revealing that it has seen Russia’s Fancy Bear hackers, which Microsoft calls Strontium, targeting more than 200 organizations since September 2019. The targets include many election-adjacent organizations, according to researchers at Microsoft’s Threat Intelligence Center, including political campaigns, advocacy groups, think tanks, political parties, and political consultants serving both Republicans and Democrats. Microsoft named the German Marshall Fund of the United States and the European People’s Party as two of the hackers’ targets. The company otherwise declined to publicly name victims or say how many of the attempted intrusions had been successful, though it said that its security measures had prevented the majority of attacks.
Microsoft said today that Chinese, Iranian, and Russian state-sponsored hackers had tried to breach email accounts belonging to people associated with the Biden and Trump election campaigns.
The “majority of these attacks” were detected and blocked, according to Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft.
Burt disclosed the incidents in a blog post today after Reuters reported yesterday some of the Russian attacks against the Biden camp.
In a comprehensive blog post, Burt revealed additional attacks and also confirmed a DNI report from August that claimed that Chinese and Iranian hackers were also targeting the US election process.
According to Microsoft, the attacks carried out by Russian hackers were linked back to a group that the company has been tracking under the name of Strontium and the cyber-security industry as APT28 or Fancy Bear.
“I have nothing to hide” was once the standard response to surveillance programs utilizing cameras, border checks, and casual questioning by law enforcement.
Privacy used to be considered a concept generally respected in many countries — at least, in the West — with a few changes to rules and regulations here and there often made only in the name of the common good.
SeaChange International, a leading US-based supplier of video delivery software solutions, has confirmed a ransomware attack that disrupted its operations during the first quarter of 2020.
The company is traded on NASDAQ as SEAC and it has locations in Poland and Brazil. Its customer list includes telecommunications companies and satellite operators such as the BBC, Cox, Verizon, AT&T, Vodafone, Direct TV, Liberty Global, and Dish Network Corporation.
SeaChange also says that its Framework Video Delivery Platform currently powers hundreds of on-premise and cloud live TV and video on demand (VOD) platforms with more than 50 million subscribers in over 50 countries.
April ransomware attack now confirmed
BleepingComputer learned of the attack on SeaChange’s servers during April 2020 when a ransomware gang posted screenshots of files they claimed to have stolen from the company’s servers.
Among those screenshots, we found a cover letter with a Pentagon video-on-demand service proposal.
When BleepingComputer reached out to the US Department of Defense (DoD) to ask if they were aware of a SeaChange breach, the DoD declined to comment saying that it doesn’t share info on potential network intrusions or related investigations.