Fancy Bear

Microsoft president asks Trump to “push harder” against Russian hacks

china, Cybersecurity, Fancy Bear, hacking, microsoft, russia, Security, syndication / Tim Belzer / November 22, 2024

Smith testified before the US Senate in September that Russia, China, and Iran had stepped up their digital efforts to interfere in global elections this year, including in the US.

However, Microsoft’s own security standards have come under fire in recent months. A damning report by the US Cyber Safety Review Board in March said its security culture was “inadequate,” pointing to a “cascade… of avoidable errors” that last year allowed Chinese hackers to access hundreds of email accounts, including those belonging to senior US government security officials, that were hosted on Microsoft’s cloud systems.

Microsoft chief executive Satya Nadella has said in response that the company would prioritize security “above all else,” including by tying staff remuneration to security.

The company is also making changes to its Windows operating system to help its customers recover more quickly from incidents such as July’s global IT outage caused by CrowdStrike’s botched security update.

Beyond cyber security, Smith said it was “a little early” to determine the precise impact of a second Trump administration on the technology industry. Any anticipated liberalization of M&A regulation in the US would have to be weighed up against continued scrutiny of dealmaking in other parts of the world, he said.

Smith also reiterated his plea for the US government to “help accelerate exports of key American digital technologies,” especially to the Middle East and Africa, after the Biden administration imposed export controls on AI chips, fearing the technology could leak to China.

“We really need now to standardize processes so that American technology can reach these other parts of the world as fast as Chinese technology,” he said.

Microsoft president asks Trump to “push harder” against Russian hacks Read More »

DOJ quietly removed Russian malware from routers in US homes and businesses

Biz & IT, china, DDoS, department of justice, DoJ, Fancy Bear, fbi, routers, russia, Security, ubiquiti / Kris Guyer / February 18, 2024

Fancy Bear —

Feds once again fix up compromised retail routers under court order.

Kevin Purdy – Feb 16, 2024 4: 37 pm UTC

Ethernet cable plugged into a router LAN port — Getty Images

More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department.

That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of “Operation Dying Ember,” according to the FBI’s director. It affected routers running Ubiquiti’s EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to “conceal and otherwise enable a variety of crimes,” the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

Unlike previous attacks by Fancy Bear—that the DOJ ties to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers—the Ubiquiti intrusion relied on a known malware, Moobot. Once infected by “Non-GRU cybercriminals,” GRU agents installed “bespoke scripts and files” to connect and repurpose the devices, according to the DOJ.

The DOJ also used the Moobot malware to copy and delete the botnet files and data, according to the DOJ, and then changed the routers’ firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ “enabled temporary collection of non-content routing information” that would “expose GRU attempts to thwart the operation.” This did not “impact the routers’ normal functionality or collect legitimate user content information,” the DOJ claims.

“For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers,” said Deputy Attorney General Lisa Monaco in a press release.

The DOJ states it will notify affected customers to ask them to perform a factory reset, install the latest firmware, and change their default administrative password.

Christopher A. Wray, director of the FBI, expanded on the Fancy Bear operation and international hacking threats generally at the ongoing Munich Security Conference. Russia has recently targeted underwater cables and industrial control systems worldwide, Wray said, according to a New York Times report. And since its invasion of Ukraine, Russia has focused on the US energy sector, Wray said.

The past year has been an active time for attacks on routers and other network infrastructure. TP-Link routers were found infected in May 2023 with malware from a reportedly Chinese-backed group. In September, modified firmware in Cisco routers was discovered as part of a Chinese-backed intrusion into multinational companies, according to US and Japanese authorities. Malware said by the DOJ to be tied to the Chinese government was removed from SOHO routers by the FBI last month in similar fashion to the most recently revealed operation, targeting Cisco and Netgear devices that had mostly reached their end of life and were no longer receiving security patches.

In each case, the routers provided a highly valuable service to the groups; that service was secondary to whatever primary aims later attacks might have. By nesting inside the routers, hackers could send commands from their overseas locations but have the traffic appear to be coming from a far more safe-looking location inside the target country or even inside a company.

Similar inside-the-house access has been sought by international attackers through VPN products, as in the three different Ivanti vulnerabilities discovered recently.

DOJ quietly removed Russian malware from routers in US homes and businesses Read More »