CyberSecurity news

FlagThis - #fbi

@therecord.media - 45d
The U.S. Department of Justice, working with the FBI, has removed the PlugX malware from over 4,250 infected computers within the United States. This multi-month operation targeted the command and control infrastructure used by hackers linked to the People's Republic of China (PRC). PlugX, a remote access trojan (RAT), has been used since 2014 by the group known as Mustang Panda, or Twill Typhoon, to infiltrate systems and steal information from victims across the U.S., Europe, and Asia, as well as from Chinese dissident groups. The Justice Department obtained court orders authorizing the operation to eliminate the malware, which is known for its ability to remotely control compromised devices and extract information from them. The action aimed to disrupt the ability of state-sponsored cyber threat actors to carry out further malicious activity on affected networks.

The removal of PlugX involved a self-delete command that was developed by French cybersecurity firm Sekoia. The FBI tested the method before deploying it. This command deleted the malware from infected computers without impacting their legitimate functions or collecting any further content. The operation was conducted in partnership with French law enforcement, which also identified a botnet of infected devices in its own investigation. This international cooperation highlights the ongoing efforts to counteract nation-state cyber threats and protect U.S. cybersecurity. The owners of the affected devices have been notified of the actions through their internet service providers.

References:
  • ciso2ciso.com: FBI Wraps Up Eradication Effort of Chinese ‘PlugX’ Malware – Source: www.darkreading.com
  • Threats | CyberScoop: Law enforcement action deletes PlugX malware from thousands of machines
  • The Hacker News: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
  • therecord.media: The Record reports DOJ deletes China-linked PlugX malware.
  • discuss.privacyguides.net: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
  • securityonline.info: “PlugX” Malware Deleted from Thousands of Computers in Global Operation
  • www.justice.gov: Justice.gov press release on international operation to delete PlugX malware.
  • www.scworld.com: Widespread PlugX malware compromise eradicated in law enforcement operation
  • securityaffairs.com: FBI deleted China-linked PlugX malware from over 4,200 US computers
  • CyberInsider: FBI Neutralizes PlugX Malware on 4,200 Computers in the U.S.
  • securityboulevard.com: Security Boulevard article on FBI Deletes PlugX Malware From Computers Infected by China Group
  • www.helpnetsecurity.com: FBI removed PlugX malware from U.S. computers
  • The Verge: FBI hacked thousands of computers to make malware uninstall itself
  • malware.news: PlugX malware deleted from thousands of systems by FBI
  • Malwarebytes: Malwarebytes blog post on PlugX removal operation.
  • www.bleepingcomputer.com: BleepingComputer reports on FBI wipes Chinese PlugX malware from over 4,000 US computers
  • www.techmeme.com: The US says the FBI hacked ~4.2K devices in the US to delete PlugX, malware used by China-backed hackers since 2014, after obtaining warrants in August 2024 (Carly Page/TechCrunch)
  • cyberpress.org: Cyberpress.org article about 4,000+ PCs Infected by Chinese Hackers with PlugX Malware

do son@securityonline.info - 74d
The FBI has issued a warning regarding a new HiatusRAT malware campaign that targets web cameras and DVRs, particularly those made by Chinese manufacturers. The attackers exploit weaknesses such as weak default passwords and use tools like Ingram and Medusa to gain unauthorized access. Once compromised, the devices are used as proxies and converted into covert communication channels. The campaign targets IoT devices in the US, Australia, Canada, New Zealand, and the UK. System administrators are urged to limit the use of the affected devices or to isolate them from the rest of the network to prevent further exploitation.

References:
  • CyberInsider: FBI Warns of HiatusRAT Campaigns Targeting Web Cameras and DVRs
  • BleepingComputer: The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online.
  • FBI advisory: The FBI released this Private Industry Notification (PIN) to highlight HiatusRAT scanning campaigns against Chinese-branded web cameras and DVRs.
  • securityaffairs.com: The FBI warns of HiatusRAT scanning campaigns against Chinese-branded web cameras and DVRs
  • www.bleepingcomputer.com: Bleeping Computer
  • malware.news: Vulnerable webcams, DVRs subjected to HiatusRAT intrusions
  • malware.news: Vogons, Task Scams, HiatusRat, Cellebrite, Deloitte, Quantum, Aaran Leyland, and More - SWN #438
  • www.csoonline.com: That cheap webcam? HiatusRAT may be targeting it, FBI warns
  • Industrial Cyber: The Federal Bureau of Investigation (FBI) published Tuesday a Private Industry Notification (PIN) to spotlight HiatusRAT scanning campaigns.
  • Cybernews: Malicious campaigns are attacking Chinese-branded IoT devices – web cameras and DVRs – to crack authentication.
  • securityonline.info: The FBI, in collaboration with CISA, has issued a new alert regarding the HiatusRAT malware campaign. The latest iteration of the campaign has shifted its focus to Internet of Things (IoT) devices.

@www.justice.gov - 28d
U.S. and Dutch law enforcement agencies have jointly dismantled a network of 39 domains and associated servers used in Business Email Compromise (BEC) fraud operations. The operation, codenamed "Operation Heart Blocker," took place on January 29th and targeted the infrastructure of a group known as "The Manipulaters," which also went by the name Saim Raza. The group operated online marketplaces originating from Pakistan, selling phishing toolkits, scam pages, email extractors, and other fraud-enabling tools. These tools were used by transnational organized crime groups in the US to target victims with BEC schemes. The attacks tricked victim companies into making fraudulent payments, which are estimated to have caused over $3 million in losses.

The seized domains and servers contained millions of records, including at least 100,000 pertaining to Dutch citizens. "The Manipulaters" marketed their services under various brands, including Heartsender, Fudpage, and Fudtools, which specialized in spam and malware dissemination. The U.S. Department of Justice stated that the Saim Raza-run websites not only sold the tools but also trained end users through instructional videos on how to execute schemes with the malicious programs, making them accessible to people without technical expertise. The service was estimated to have thousands of customers. The tools were used to acquire victims' credentials, which were then used to further the fraudulent schemes. Users can check whether they were affected by credential theft via a Dutch Police website.

References:
  • ciso2ciso.com: U.S. and Dutch Authorities Dismantle 39 Domains Linked to BEC Fraud Network
  • krebsonsecurity.com: FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang
  • The Hacker News: U.S. and Dutch law enforcement agencies have announced that they have dismantled 39 domains and their associated servers as part of efforts to disrupt a network of online marketplaces originating from Pakistan.
  • ciso2ciso.com: The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan.
  • krebsonsecurity.com: FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang – Source: krebsonsecurity.com
  • www.trendingtech.news: International cooperation dismantles phishing network 'the manipulaters'
  • hackread.com: Joint US-Dutch operation dismantled the HeartSender cybercrime network.
  • www.justice.gov: Cybercrime websites selling hacking tools to transnational organized crime groups were seized.
  • thecyberexpress.com: The Cyber Express article about the Justice Department disrupting a cybercrime network selling hacking tools.
  • www.justice.gov: This website contains the latest news about cybersecurity incidents and attacks.
  • Information Security Buzz: DoJ, Dutch Authorities Seize 39 Domains Selling Malicious Tools
  • ciso2ciso.com: Law enforcement seized the domains of HeartSender cybercrime marketplaces – Source: securityaffairs.com
  • ciso2ciso.com: Law enforcement seized the domains of HeartSender cybercrime marketplaces
  • SecureWorld News: Secure World article about Operation Heart Blocker and the disruption of a phishing network.

@thecyberexpress.com - 37d
References: ciso2ciso.com, thecyberexpress.com ...
US cybersecurity agencies, CISA and the FBI, have issued warnings regarding the active exploitation of four critical vulnerabilities within Ivanti Cloud Service Appliances (CSA). These flaws, designated as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, are being leveraged by Chinese state-sponsored actors to breach vulnerable networks. The agencies released detailed technical information, including indicators of compromise (IOCs), highlighting that attackers are using two primary exploit chains to gain unauthorized access, execute arbitrary code, and implant webshells on victim systems.

Specifically, one exploit chain combines CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other uses CVE-2024-8963 along with CVE-2024-9379. The vulnerabilities affect Ivanti CSA versions 4.6x before 519; CVE-2024-9379 and CVE-2024-9380 also affect versions 5.0.1 and below. Notably, CSA version 4.6 is end-of-life and no longer receives security patches, making it particularly susceptible. The agencies urge organizations to apply patches promptly and implement robust security measures to defend against these active threats; the advisory also highlights the speed at which disclosed vulnerabilities are weaponized.

References:
  • ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
  • www.bleepingcomputer.com: CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
  • thecyberexpress.com: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
  • www.helpnetsecurity.com: Report on Cisco's fixes for ClamAV vulnerability and a critical Meeting Management flaw.
  • www.scworld.com: Ivanti CSA exploit chains examined in joint CISA, FBI advisory
  • CySec Feeds: CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
  • ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know – Source: www.securityweek.com
  • cyble.com: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks
  • securityonline.info: CISA and FBI Warn of Exploited Ivanti CSA Vulnerabilities in Joint Security Advisory
  • ciso2ciso.com: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks

Pierluigi Paganini@Security Affairs - 21h
References: securityaffairs.com, The420.in
The LockBit ransomware group has targeted newly appointed FBI Director Kash Patel with an alleged "birthday gift" consisting of leaked classified documents. LockBitSupp, the group's alleged leader, posted a message on February 25, 2025, mocking Patel and claiming the group possesses sensitive data that could "destroy" the FBI. This incident raises serious cybersecurity concerns about potential data breaches targeting high-profile individuals and agencies.

The post, found on LockBit's dark leak blog, describes an "archive of classified information" containing over 250 folders of materials dating back to May 29, 2024. This stolen data is presented as a "guide, roadmap, and some friendly advice" to the new FBI Director. The ransomware cartel's actions represent a bold threat, highlighting the increasing sophistication and audacity of cybercriminals targeting government entities and their leadership.

References:
  • securityaffairs.com: LockBit taunts FBI Director Kash Patel with alleged “Classified” leak threat
  • The420.in: LockBit Targets FBI Director with Alleged Classified Leak
  • iHLS: In a chilling message posted on February 25, 2025, the alleged leader of the notorious LockBit ransomware group, LockBitSupp, issued a disturbing “birthday gift” to Kash Patel, the newly appointed Director of the FBI.