Tag Archive for TLP Amber

FBI Cyber Division Bulletin: Cyber Criminal Group Threatens Schools and Students

Since April 2016, a loosely affiliated group of highly trained hackers calling themselves TheDarkOverlord (TDO) have conducted various extortion schemes with a recent focus on the public school system. TDO used remote access tools to breach school district networks and then proceeded to steal sensitive data. To extort money from its victims, including students, TDO threatened violence or the release of stolen sensitive data.

FBI Cyber Bulletin: IP Addresses and Domains Used by Iran-Based Cyber Actors to Attack Victims Worldwide

The FBI assesses a group of malicious cyber actors—likely located in Iran—use Virtual Private Server infrastructure hosted in the United States to compromise government, corporate, and academic computer networks based in the Middle East, Europe and the United States. This infrastructure is used in conjunction with identified malicious domains to support a broad cyber campaign which likely includes the use of e-mail spear phishing, social engineering, and malicious Web sites (“watering hole attack”). These cyber actors almost certainly have been involved in this activity since at least early-2015.

FBI Cyber Bulletin: Android Malware Phishing for Financial Institution Customer Credentials

The FBI has identified two Android malware families, SlemBunk and Marcher, actively phishing for specified US financial institutions’ customer credentials. The malware monitors the infected phone for the launch of a targeted mobile banking application to inject a phishing overlay over the legitimate application’s user interface. The malware then displays an indistinguishable fake login interface to steal the victim’s banking credentials. According to cyber threat industry reports, both malware families have targeted foreign financial institutions since 2014, gradually broadening the list to include Western banks, and offered the malware for lease or purchase, respectively, in underground forums. At least as of December 2015, the malware expanded its configuration to include the Android package names of US financial institutions.

FBI Bulletin: Criminals Hacking Law Firms to Steal Information for Insider Trading

A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.

(U//FOUO) MS-ISAC Intel Paper: Common Cyber Threats to Universities

The Multi-­State Information Sharing and Analysis Center (MS-­ISAC) assesses with high confidence that cyber threat actors routinely target universities, for the purposes of financial gain, notoriety, or entertainment, and often to gain access to personally identifiable information (PII) and/or sensitive research. MS-­ISAC believes universities are inherently more vulnerable to cyber targeting than other state, local, tribal, and territorial (SLTT) government entities, due to the non-­restrictive research environment with less compartmentalization and less access restriction, which results in more opportunity for infection, and when infection occurs, easier transmission through a network.

FBI Cyber Bulletin: Chinese Hackers Targeting U.S. Navy Contractors

The FBI has obtained information regarding a group of cyber actors who have compromised and stolen sensitive military information from US cleared defense contractors (CDCs) through cyber intrusions. This group utilizes infrastructure emanating from China to conduct their nefarious computer network exploitation (CNE) activities. Information obtained from victims and subsequent analysis indicates that they were targeted based on their US Navy Seaport Enhanced contracts. The actors did not target information pertaining to a specific contract but instead stole all information that they accessed via their malicious cyber activities. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.