This major criminal hacking group just switched to ransomware attacks

A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become as a money-making tool for cyber criminals.

Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a ‘well-established financial crime group’ which has conducted some of the longest running hacking campaigns.

The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.

For example, in just one week, Mandiant observed concurrent campaigns targeting pharmaceuticals, shipping and logistics industries in both North America and Europe.

But despite attacks targeting a wide variety of organisations around the world, many of the initial phishing campaigns are still customised on a target-by-target basis to maximise the chance that a victim downloads a malicious Microsoft Office attachment which says macros must be enabled.

This starts an infection chain which creates multiple backdoors into compromised systems, as well as the ability to grab admin credentials and move laterally across networks.


FIN11 campaigns initially revolved around embedding themselves into networks in order to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.

With finances being the focus of the group, it’s likely FIN11 sold this information to other cyber criminals on the dark web, or simply exploited the details for their own gain.

Microsoft takes down hacking network with potential to disrupt election

Microsoft obtained a court order to disrupt the largest botnet in the world. (Photo: Angela Lang/CNET)

This story is part of Elections 2020, CNET’s coverage of the run-up to voting in November.

A group of tech companies dismantled a powerful hacking tool used by Russian attackers just three weeks before the US presidential election. On Monday, Microsoft announced actions against Trickbot, a Russian botnet that’s infected more than a million computers since 2016 and that’s behind scores of ransomware attacks. 

Cybersecurity experts have raised concerns about ransomware attacks casting doubt on election results. While a ransomware attack wouldn’t change votes and could only lock up machines, the chaos stirred by a cyberattack could create uncertainty about the outcome.

Election officials in most states have offline backup measures in the event of a ransomware attack, but have a harder time tackling the disinformation that comes with getting hacked. Ransomware attacks are also a concern for counties because they don’t have many cybersecurity resources.

Ransomware attacks have steadily increased over the four years since Trickbot came online, and they’ve targeted municipal institutions like schools, courts and hospitals. Trickbot, the world’s largest botnet, is believed to be behind last month’s ransomware attack on Universal Health Services, which locked up computers in hundreds of hospitals in the US.

Trickbot hasn’t affected any election infrastructure yet, and US officials have noted that there haven’t been significant cyberattacks against the US election, but the takedown announced Monday closes off a powerful tool that Russian hackers could’ve used to interfere with the election. 


“We have now cut off key infrastructure so those operating Trickbot will no