Chinese Threat Actors Target NY MTA, Surge in Brokerage Account Hacks, Fake Encrypted Chat Platform Anom Lures Criminals, Ransomware Attacks Prioritized as Terrorism

1.  Chinese Threat Actors Target New York’s MTA

• Chinese-sponsored threat actors leveraged Pulse Secure vulnerabilities to compromise systems belonging to the New York Metropolitan Transportation Authority (MTA). It is unclear why state-sponsored actors targeted the MTA. Still, security experts investigating the case speculate that China may be trying to obtain sensitive information on U.S. transit networks to gain an advantage in the international rail car industry.
• Although MTA officials claim that threat actors stole no sensitive data, its organization is the largest transportation network in the U.S., with over 15.3 million users around New York City, including bus and railway networks and tunnel and bridge management services. Therefore, a corrective countermeasure is critical to prevent future incidents.
• Therefore, security researchers believe that this security incident was an information-gathering operation whereby said threat actor might have created backdoors in MTA’s systems for future use. As a precaution, the MTA has made the 3,700 users on its systems change their passwords.

Expert Commentary: State-sponsored threat actors continue to leverage the Pulse Secure vulnerability to compromise critical infrastructures worldwide. According to the FBI and MTA, the threat actors held access to the compromised systems until April 20th, 2021; therefore, it is unclear how long they were inside the MTA networks. Historically, most organizations don’t implement security patches up to 90-120 days after being released. Therefore, although Pulse Secure released patches for this vulnerability, it appears that the MTA might have failed to implement said patches to secure their operational networks.

Learn More

2.  A Surge in Brokerage Account Hacks Directly Impact Americans

• Financial services appear to be one of the most targeted industries globally, as cybercriminals leverage social engineering and other tactics to steal sensitive credentials. Recently, however, threat actors decided to bypass the increasingly strict security controls within the financial services industry to mount direct attacks against individual investors.
• Security experts in the financial services industry reported that between 2019 and 2020, individual account-takeover frauds increased by 250%. This massive spike was attributed to the proliferation of mobile devices and applications and reduced physical interaction between financial institutions and customers due to the COVID-19 pandemic.
• Although account owners have been advised to incorporate defensive cybersecurity measures to protect their financial assets, the Security and Exchange Commission (SEC) holds brokerage firms accountable for not closely monitoring and reporting fraudulent cyber activities.

Expert Commentary: The SEC is concerned that financial institutions are not fully disclosing security incidents within their organizations, even though said incidents get thwarted by a security expert. In an era where information sharing is taking center stage as a deterrent measure against cybercrime, heavily targeted industries such as healthcare and financial services must become the face of information sharing to garner government support needed to secure critical assets.

Learn More

3. The FBI Created a Fake Encrypted Chat Platform to Lure Criminals

• In a cyber-offensive campaign that lasted for three years, the FBI and the Australian Federal Police collaborated to create a fictitious end-to-end encrypted chat platform called Anom. This chat platform was exclusively sold to criminals, allowing international law enforcement agencies to eavesdrop on online criminal activities.
• According to the FBI, the Anom platform grew to service more than 12,000 encrypted devices belonging to over 300 criminal groups operating in more than 100 countries, including organized crime, motorcycle gangs, and international drug trafficking cartels.
• Following the collection and analysis of 27 million incriminating messages on the Anom platform, law enforcement agents arrested 800 people. In addition, they seized 8 tons of cocaine, 22 tons of cannabis, 2 tons of synthetic drugs, 6 tons of synthetic drug precursors, 250 illegal firearms, 55 luxury vehicles, and over $48 million in various worldwide currencies and cryptocurrencies.

Expert Commentary: The collaboration between law enforcement agencies worldwide has improved in recent years, especially as cybercriminals continue to mount multi-jurisdictional cyberattacks against critical infrastructures. However, this particular collaboration was successful because the FBI leveraged the knowledge and expertise of individual criminals to dismantle large-scale criminal networks around the world. The Anom chat platform was made possible because of the FBI’s assistance from the CEO of an encrypted messaging platform (Phantom Secure), who was arrested for marketing customized communication devices to criminal organizations. This cyber-offensive campaign was one of the most significant international law enforcement collaborations involving key U.S. allies, including Austria, Canada, Denmark, Estonia, Finland, Germany, Hungary, Lithuania, New Zealand, the Netherlands, Norway, Sweden, and the United Kingdom.

Learn More

4.  Ransomware Attacks in the U.S. will be Prioritized as Terrorism

• As a result of the recent ransomware attacks by state-sponsored threat actors targeting U.S.-based critical infrastructures, the U.S. government has officially decided to give ransomware investigations the same priority as terrorism. This specialized focus entails the erection of central command in Washington, D.C., a federally funded task force group assigned to tracking and collecting information related to ransomware incidents across the country and a response measured per national security standards.
• Although security experts welcome the new prioritization efforts, the lack of adequate incident reporting and information sharing by affected companies remains a significant roadblock for effectively dismantling the stronghold of ransomware attackers.
• According to the U.S. Department of Justice (DOJ), raising ransomware investigations to the same level as terrorism will enable Congress to allocate resources to critical analyses to develop efficient detective, preventive, and corrective countermeasures for assuring U.S. national security expressly.

Expert Commentary: Sometimes, government-related initiatives are often affected by political and bureaucratic influence, thus establishing the possibility of slower ransomware investigations. As a result, many organizations might hesitate to involve themselves with a government-managed incident prioritization. Instead, we will likely continue to see private companies choosing to handle incident response procedures in-house and paying ransom demands to return to work. Thus, although most security experts appreciate the federally elevated prioritization of ransomware investigation, the success of a government-managed ransomware mitigation program rests in the hands of private companies.

Learn More

5.  U.S. Government Recovers $4.4MM Ransom Payment From the Colonial Pipeline Ransomware Attack

• Following the ransomware attack on Colonial Pipeline’s critical infrastructure, the FBI launched a campaign to shut down the DarkSide ransomware group by seizing payment servers, web domains, and other incriminating digital assets. However, the shutdown occurred after Colonial Pipeline was forced to pay a $4.4 million ransom to the cybercriminals in exchange for a decryption key.
• According to the U.S. justice department, the FBI successfully obtained access and control of a private key attributed to DarkSide’s Bitcoin wallet, which housed the ransom payment made by Colonial Pipeline. As a result, the FBI managed to recover 63.7 bitcoins of the 75 bitcoins payment sent to the cybercriminal group.
• Although it is unclear how the FBI obtained access to the private key, this recovery is the first time the federal government has publicly reported that it has recovered ransom payment paid to a cybercriminal operation.

Expert Commentary: While the source of the private key used to retrieve Colonial Pipeline’s ransom payment is still unknown, the growing trend of ransomware attacks encourages a more offensive approach from law enforcement. Many security experts conclude that the FBI might have retrieved said private key from one of the seized payment servers, which prompted the DarkSide threat group to abandon their cybercriminal operation.

Learn More