Top five Cyber Threat Intel stories of the week: 02/13 to 02/17/2023

James Beal
Hunter Strategy
Feb 17, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: FBI is investigating a cybersecurity incident on its network

Overview: The U.S. Federal Bureau of Investigation (FBI) is reportedly investigating malicious cyber activity on the agency’s network. The federal law enforcement agency says it already contained the “isolated incident” and is working to uncover its scope and overall impact. “The FBI is aware of the incident and is working to gain additional information,” the U.S. domestic intelligence and security service told BleepingComputer. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.” CNN first reported on Friday that this was a hacking incident involving an FBI New York Field Office computer system used to investigate child sexual exploitation.

Breakdown: Normally, for an intrusion at this level in a government organization, we get few real details until potentially years later. It is good to see disclosure at this speed, both for the general awareness that attacks at this level are constant and that some will succeed no matter the resources you have on your "bench", and because sharing what you can when it happens benefits everyone in the long run, so we are all aware of the process. That applies especially to the November 2021 incident in which the FBI's own email infrastructure, a source most businesspeople in the U.S. would normally trust, was abused to send spam.

2nd: Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack

Overview: Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths. The “Kia Challenge” started circulating in mid-2022 and explained that it’s possible to remove the steering column covering on some Hyundai and Kia models by force, exposing a slot that fits a USB-A plug. Turning the plug activates its ignition, allowing thieves to drive away. Videos depicting the hack went viral, leading to huge spikes in thefts of the vulnerable models around the world. The United States National Highway Traffic Safety Administration (NHTSA) on Tuesday stated it is aware of “at least 14 reported crashes and eight fatalities” resulting from the hack.

Breakdown: Car hacking has grown into a very interesting area of research, as new automobiles have essentially turned into computers you can drive. Many still dismiss this kind of activity as "stunt hacking" when it is done in a controlled environment, but here we have a valid, easy-to-abuse weakness in two popular manufacturers' vehicles, with millions of cars affected. The underlying problem is that the affected models shipped without an engine immobilizer, so once the lock cylinder is exposed nothing stops the ignition from being turned; the software update does not retrofit one, it lengthens the alarm and changes the ignition logic to require the key, so it is a mitigation rather than a full fix. The technique was popularized on social media because of its ease of exploitation and has led to multiple very dangerous situations. Fortunately it has been taken seriously, and the manufacturers were able to respond quickly with an update.

3rd: Expect more sanctions and hacking operations on ransomware groups, top Justice official says

Overview: U.S. law enforcement and its international allies will continue to target ransomware actors with more sanctions and with more hacking operations, Deputy Attorney General Lisa Monaco said Friday. Delivering the closing keynote at the Munich Cyber Security Conference in Germany, Monaco described the Justice Department’s collaboration with international partners as “very important” and stressed that everything from “export controls, sanctions, sanctions enforcement, evasion enforcement — all of this takes critical work with our partners.” “Every single notable cyber disruption, whether it’s ransomware networks that we’ve taken down, whether it’s the disruption of the GRU botnet, as we did with the operation CyclopsBlink last year, all of these things … the Hydra darknet marketplace that we took down with the help of our German colleagues — thank you very much — everything we are doing in this space has an international aspect,” Monaco said. Last month the FBI and Justice Department said they had “hacked the hackers” behind the Hive ransomware group and been secretly monitoring the criminals since July 2022.

Breakdown: APT and other state-sponsored attacker groups are in very little danger of actual arrest on the global stage as long as they stay reasonably anonymous and within their home countries. One of the few ways to take a real legal stand against them is to "name and shame": sanction specific individuals when attribution is possible, and call out the behavior publicly on the world stage for everyone to hear. Shared attack details, historical context and technical information alike, are also a huge help, as we discussed in the first story. The detail published in sanctions documents and indictments gives all of us more knowledge of attacker groups, their methods, and the code, malware and toolsets they use, which is what we need to build better defenses.

4th: Cloudflare says it blocked a new record strength DDoS attack

Overview: Hackers are once again breaking records with huge distributed denial of service (DDoS) attacks: DDoS mitigation firm Cloudflare says it recently blocked an attack that, at its peak, exceeded 71 million requests per second (rps). That makes it the largest reported HTTP DDoS attack to date, surpassing the previous record (a 46 million rps attack from June 2022) by more than half (roughly 54%). This specific incident was HTTP/2-based and originated from more than 30,000 IP addresses, Cloudflare said. It was part of a larger campaign consisting of "dozens" of hyper-volumetric attacks, most of which peaked at around 50 to 70 million rps.

Breakdown: DDoS attacks have largely fallen out of the news hype cycle in the past few years because providers such as Cloudflare can mitigate even massive attacks, removing most of their long-term impact. The most visible group using DDoS lately to cause trouble has been KillNet, and they have been almost entirely unsuccessful in causing real harm beyond some company web pages being unavailable for a couple of hours at a time. Massive DDoS attacks are still happening, though, which is why I think it is important to maintain awareness of this activity, if nothing else to see the scale they have reached just to register as an event worth discussing.
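As an added example (my own code, not from the article or from Cloudflare), here is the kind of per-second accounting a defender can run over HTTP access logs to tell a single noisy client from a distributed flood of the shape described above, where the volume comes from tens of thousands of sources each sending a modest rate. The log format assumed is the common Apache/nginx combined layout; the sample lines and the thresholds are constructed for illustration only.

```python
"""Per-second request-rate accounting over HTTP access logs.

Added example, not code from the article. Log lines below are constructed
(RFC 5737 documentation addresses), and the thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line; we only need source, timestamp and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def bucket_by_second(lines):
    """Count requests per epoch second, both in total and per source IP."""
    total = Counter()
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than trusted
        sec = int(rec["ts"].timestamp())
        total[sec] += 1
        per_ip[sec][rec["ip"]] += 1
    return total, per_ip


def classify_bursts(lines, rps_threshold, per_ip_limit):
    """Return (second, rps, distinct_sources, verdict) for every second whose
    request rate exceeds rps_threshold.

    verdict is "single-source" when one IP alone exceeds per_ip_limit (a plain
    per-client rate limit would absorb it) and "distributed" when the excess
    comes from many sources that each stay under the per-IP limit, which is the
    shape of a botnet-driven hyper-volumetric flood.
    """
    total, per_ip = bucket_by_second(lines)
    events = []
    for sec in sorted(total):
        rps = total[sec]
        if rps <= rps_threshold:
            continue
        sources = per_ip[sec]
        _top_ip, top_n = sources.most_common(1)[0]
        verdict = "single-source" if top_n > per_ip_limit else "distributed"
        events.append((sec, rps, len(sources), verdict))
    return events


# --- constructed sample traffic (not real log data) --------------------------
def _make_line(ip, ts, proto="HTTP/2.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /index.html {proto}" 200 512'


def sample_lines():
    t0 = datetime(2023, 2, 13, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # second 0: a handful of ordinary clients
    for i in range(5):
        lines.append(_make_line(f"198.51.100.{i + 1}", t0))
    # second 1: one noisy client sending 200 requests
    for _ in range(200):
        lines.append(_make_line("203.0.113.7", t0 + timedelta(seconds=1)))
    # second 2: 300 requests spread over 150 sources, two requests each
    for i in range(150):
        for _ in range(2):
            lines.append(_make_line(f"192.0.2.{i}", t0 + timedelta(seconds=2)))
    lines.append("this line is garbage and is ignored by the parser")
    return lines


if __name__ == "__main__":
    for sec, rps, n, verdict in classify_bursts(sample_lines(), 100, 50):
        print(f"t={sec} rps={rps} sources={n} -> {verdict}")
```

The second burst is the interesting one: no single source trips the per-IP limit, so only the aggregate view reveals it, which is why volumetric floods are handled upstream by an edge provider rather than by per-client limits at the origin.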

5th: Hackers start using Havoc post-exploitation framework in attacks

Overview: Security researchers are seeing threat actors switch to a new open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel. Among its most notable capabilities, Havoc is cross-platform and bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls. Like other post-exploitation frameworks, Havoc includes a wide variety of modules allowing pen testers (and attackers) to perform various tasks on compromised devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode. All of this is done through a web-based management console, letting the "attacker" see all of their compromised devices, events, and task output.

Breakdown: New C2 frameworks have been appearing steadily over the last couple of months, and here we have another one being abused in real attacks. I am adding it here to put it on the list of abused resources and to keep everyone aware of how these tools are developing. It is an open-source tool, with a link to the source code right in the article, if you are interested in its exact functionality along with a basic technical breakdown of why it is now being abused. Worth noting for defenders: the evasion features listed above (sleep obfuscation, return-address spoofing, indirect syscalls) are aimed at user-mode EDR hooks and memory scanners, so detection is better anchored in kernel-level telemetry, ETW, and the implant's network behavior than in hooked API calls alone.

Contact Us

contact@hunterstrategy.net

Our Website

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.