Malicious cyber actors use brute force techniques to discover valid credentials, often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing variations of the most common passwords. While the brute force technique is not new, the GTsSS (the Russian GRU's 85th Main Special Service Center) uniquely leveraged software containers to scale its brute force attempts easily. Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various other techniques, allowed the actors to evade defenses and to collect and exfiltrate information from those networks, including mailboxes.
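The credential-discovery pattern described above is what a defender wants to see in authentication logs before the valid credential is found. The following is an added example, not part of the advisory or any tool it names: a small detector run over constructed log lines. The log format, the thresholds, and every username and address are assumptions made for this illustration; a real deployment would map its own IdP or VPN log fields onto the same three signals.

```python
"""Added example, not from the advisory: detector for brute force, password
spraying and the subsequent successful login, run over constructed log lines.
Log format, thresholds, usernames and addresses are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a generic "<ts> <OK|FAIL> user=<u> src=<ip>" shape.
# 198.51.100.7 sprays one guess across many accounts and then logs in as carol;
# 203.0.113.9 hammers a single account; 192.0.2.5 is an ordinary user typo.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL user=alice src=198.51.100.7
2021-07-01T10:00:05Z FAIL user=bob src=198.51.100.7
2021-07-01T10:00:09Z FAIL user=carol src=198.51.100.7
2021-07-01T10:00:14Z FAIL user=dave src=198.51.100.7
2021-07-01T10:00:20Z FAIL user=erin src=198.51.100.7
2021-07-01T10:02:00Z OK user=carol src=198.51.100.7
2021-07-01T10:05:00Z FAIL user=admin src=203.0.113.9
2021-07-01T10:05:01Z FAIL user=admin src=203.0.113.9
2021-07-01T10:05:02Z FAIL user=admin src=203.0.113.9
2021-07-01T10:05:03Z FAIL user=admin src=203.0.113.9
2021-07-01T10:05:04Z FAIL user=admin src=203.0.113.9
2021-07-01T10:30:00Z FAIL user=frank src=192.0.2.5
2021-07-01T10:30:10Z OK user=frank src=192.0.2.5
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, window=timedelta(minutes=10), brute_threshold=5, spray_users=4):
    """Flag three patterns within a sliding window per source address:
    - brute_force: >= brute_threshold failures against one (src, user) pair
    - password_spray: failures against >= spray_users distinct users from one src
    - success_after_attack: a successful login from a src already flagged,
      i.e. the point at which the actor holds a valid credential to pivot with.
    Each pattern alerts once per source (or source/user pair)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    pair_fails = defaultdict(deque)      # (src, user) -> failure timestamps
    src_users = defaultdict(dict)        # src -> {user: last failure timestamp}
    flagged_src, flagged_pairs, spray_flagged, alerts = set(), set(), set(), []

    for e in events:
        src, user, ts = e["src"], e["user"], e["ts"]
        if e["result"] == "OK":
            if src in flagged_src:
                alerts.append({"type": "success_after_attack", "src": src, "user": user})
            continue

        q = pair_fails[(src, user)]
        q.append(ts)
        while ts - q[0] > window:            # drop failures outside the window
            q.popleft()
        if len(q) >= brute_threshold and (src, user) not in flagged_pairs:
            flagged_pairs.add((src, user))
            flagged_src.add(src)
            alerts.append({"type": "brute_force", "src": src, "user": user})

        users = src_users[src]
        users[user] = ts
        for stale in [u for u, t in users.items() if ts - t > window]:
            del users[stale]
        if len(users) >= spray_users and src not in spray_flagged:
            spray_flagged.add(src)
            flagged_src.add(src)
            alerts.append({"type": "password_spray", "src": src, "user": None})
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Spraying is the harder of the two to catch with per-account lockout alone, because each account sees only one failure; the per-source count of distinct users is what exposes it. The success_after_attack alert is the one worth paging on, since it marks the transition the advisory describes from credential discovery to exploitation of the network.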
Recently, Kaseya, a well-known enterprise IT firm, was at the centre of the latest data encryption attack by REvil, targeting its VSA product, software for remotely monitoring PCs, servers, printers, networks and point-of-sale systems. Kaseya's VSA software was used to spread ransomware that encrypted "well over 1,000 businesses". The attack exploited a zero-day, that is, a previously unknown vulnerability, in Kaseya VSA. REvil has since demanded $70 million for a universal decryption tool to end the Kaseya attack. Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often also threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation's state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.
The syndicate operates several fraudulent portals. The following are some of the phishing links identified:
Members of the public are being asked to check their eligibility for the Covid-19 Survival Fund scheme and for the N-Power Batch-C shortlist of candidates for 2021, and to click a link to apply for the CBN COVID-19 Loan by entering their account details on the portals in order to receive certain grants.
The list of Fortinet credentials was leaked for free by a threat actor known as 'Orange', the administrator of the newly launched RAMP hacking forum and a former operator of the Babuk ransomware operation. Further analysis conducted by Advanced Intel shows that the IP addresses belong to devices worldwide, with 2,959 of those devices located in the USA.
The attack begins by luring the victim to a malicious website through social engineering such as phishing emails or cybersquatting. Once the malicious page is running in the victim's browser, the attacker probes for private IP addresses and open ports that host vulnerable services before launching the DNS rebinding attack. The open ports reveal which web applications are exposed behind those addresses, and using WebRTC the malicious page can also scan for open web services inside the local network. After locating a target service, the attacker's page launches the DNS rebinding attack inside an iframe. The first request obtains the rebinding payload from a malicious hostname; that script then repeatedly triggers resolution of the hostname until it rebinds to the targeted internal IP address. Because the iframe's origin is still the attacker's hostname, the browser's same-origin policy no longer stands in the way, and the iframe can communicate continuously with the internal service without the victim's knowledge.
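The exchange described above, written out as an added Python simulation that is not code from the article: a mock resolver stands in for the attacker's DNS server and for the browser's repeated lookups (the WebRTC scan and the real iframe cannot run offline, so they are not modelled), and an internal service applies the standard defence of comparing the HTTP Host header against the names it actually serves. All hostnames, addresses, ports and the allowlist are assumptions made for this example.

```python
"""Added example, not from the article: simulated DNS-rebinding exchange plus
the Host-header allowlist check an internal service can use to defeat it.
Hostnames, addresses, ports and the resolver's behaviour are all constructed."""

ATTACKER_HOST = "evil.example"   # hypothetical attacker-controlled name
ATTACKER_IP = "203.0.113.10"     # attacker's web server (TEST-NET-3 address)
INTERNAL_IP = "192.168.1.50"     # hypothetical internal target found by the scan
TARGET_PORT = 8080


class RebindingResolver:
    """Stands in for the attacker's authoritative DNS server as seen by the
    victim's browser: the first answer (served with TTL 0) points at the
    attacker's own server, every later answer points at the internal IP."""

    def __init__(self):
        self.queries = 0

    def resolve(self, name):
        if name != ATTACKER_HOST:
            raise LookupError(f"NXDOMAIN: {name}")
        self.queries += 1
        return ATTACKER_IP if self.queries == 1 else INTERNAL_IP


def run_rebinding_attack(resolver, max_attempts=5):
    """The script inside the iframe keeps forcing fresh lookups of the attacker's
    hostname until it rebinds to the internal address, then issues a request.
    Returns the request the browser would send, or None if rebinding failed."""
    for attempt in range(1, max_attempts + 1):
        ip = resolver.resolve(ATTACKER_HOST)
        if ip == INTERNAL_IP:
            # The origin is still http://evil.example:8080, so the same-origin
            # policy permits the request, but the Host header still carries
            # the attacker's hostname rather than anything the service expects.
            return {"attempt": attempt, "dst_ip": ip, "path": "/admin",
                    "host": f"{ATTACKER_HOST}:{TARGET_PORT}"}
    return None


def normalize_host(host_header):
    """Lower-case, drop any port and trailing dot; accept bracketed IPv6."""
    if not isinstance(host_header, str):
        return None
    h = host_header.strip().lower()
    if h.startswith("["):                 # "[::1]:8080"
        end = h.find("]")
        if end == -1:
            return None
        h = h[1:end]
    elif ":" in h:                        # "host:8080"
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".") or None


def host_allowed(host_header, allowlist):
    h = normalize_host(host_header)
    return h is not None and h in allowlist


INTERNAL_ALLOWLIST = {"localhost", "127.0.0.1", INTERNAL_IP, "admin.internal"}


def handle_request(request):
    """The internal service's first check: reject any request whose Host is
    not a name it serves. Returns (status, body)."""
    if not host_allowed(request.get("host"), INTERNAL_ALLOWLIST):
        return 421, "Misdirected Request"
    return 200, "admin panel"


def simulate():
    """Run the full exchange: returns (request_sent, service_response)."""
    request = run_rebinding_attack(RebindingResolver())
    response = handle_request(request) if request else None
    return request, response


if __name__ == "__main__":
    req, resp = simulate()
    print("rebound on attempt", req["attempt"], "-> request Host:", req["host"])
    print("internal service answered:", resp)
```

The point of the simulation is that even after the hostname rebinds, the browser still sends `Host: evil.example:8080`, because from its perspective the origin never changed; an internal service that rejects unknown Host values with 421 breaks the attack without needing to know anything about DNS. Binding such services to localhost, requiring authentication, and using a rebinding-aware resolver that refuses public names resolving to private addresses are complementary controls.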
Cybercrime reporters attribute this global outage to a major DNS problem: DNS is what allows a web address to take users to their desired site, and that site is currently inaccessible. One cybercrime reporter also explained that the DNS records that tell devices how to find Facebook and Instagram were withdrawn this morning from the global routing tables, and that it is unclear how this occurred. Security experts tracking the situation observed that the outage was likely triggered by a configuration error redirecting Facebook's servers. The problem is also likely the result of an internal mistake, though sabotage by an insider is theoretically possible.
An outside hack was viewed as less likely. A massive denial-of-service attack that could overwhelm one of the world's most popular sites, on the other hand, would require either coordination among powerful criminal groups or a very innovative technique.