Security News

The Federal Bureau of Investigation says ransomware gangs have breached the networks of at least 649 organizations from multiple US critical infrastructure sectors last year, according to the Internet Crime Complaint Center 2021 Internet Crime Report. The actual number is likely higher given that the FBI only started tracking reported ransomware incidents in which the victim a critical infrastructure sector organization in June 2021.

The FBI's Internet Crime Complaint Center released its annual report compiled from 847,376 complaints it received in 2021. There were 19,954 BEC complaints to the IC3 in 2021 that accounted for approximately $2.4bn in losses.

FBI warns of cyberattacks using AvosLocker ransomware. The FBI and US Treasury are advising organizations to beware of a specific strain of ransomware aimed at critical infrastructure sectors in the United States.

The AvosLocker ransomware has targeted multiple victims across the country, according to the joint advisory [PDF] issued late last week by the FBI, Treasury Department and Financial Crimes Enforcement Network. Palo Alto Networks' Unit 42 researchers in July 2021 wrote about an advertisement they saw on Dread, which they described as a "Reddit-like dark web discussion forum," for a new RaaS called AvosLocker, outlining features of the ransomware and letting affiliates who leverage the malware know that AvosLocker operators would handle the negotiation and extortion practices.

The Federal Bureau of Investigation warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors. "AvosLocker is a Ransomware as a Service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors," the FBI said [PDF].

CISA and the FBI said today they're aware of "Possible threats" to satellite communication networks in the US and worldwide. Today's security advisory also warned US critical infrastructure organizations of risks to SATCOM providers' customers following network breaches.

"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default protocols at a non-governmental organization, allowing them to enroll a new device for MFA and access the victim network," the agencies said. The attack was pulled off by gaining initial access to the victim organization via compromised credentials - obtained by means of a brute-force password guessing attack - and enrolling a new device in the organization's Duo MFA. It's also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO's Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.

The FBI says Russian state-backed hackers gained access to a non-governmental organization cloud after enrolling their own device in the organization's Duo MFA following the exploitation of misconfigured default multifactor authentication protocols. To breach the network, they used credentials compromised in a brute-force password guessing attack to access an un-enrolled and inactive account, not yet disabled in the organization's Active Directory.

The Ragnar Locker ransomware gang has so far infected at least 52 critical infrastructure organizations in America across sectors including manufacturing, energy, financial services, government, and information technology, according to an FBI alert this week. The crew steals sensitive data, encrypts the victim's systems, and threatens to leak the stolen documents if the ransom to restore the files isn't paid.

The US Federal Bureau of Investigation says the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors. "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors," the federal law enforcement agency said [PDF].