U.S. Seizes Domain Names Used in Spear-Phishing Campaign With Mimicked @USAID Emails


Via USDOJ:
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities.

Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network. The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order.
[…]
On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.
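As an added defender-side example (not code from the DOJ announcement or this blog): the two seized domains, refanged from the defanged form used above, matched against constructed DNS query log lines. The match is label-wise so that subdomains hit (the announcement says C2 went via subdomains of theyardservice[.]com) while look-alike names such as nottheyardservice.com do not; the log format and the sample lines are assumptions for illustration.

```python
import re
from typing import Iterable, List

# The two domains named in the DOJ announcement, written defanged as on the page.
SEIZED_DOMAINS_DEFANGED = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a hostname."""
    return (domain.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
            .lower().rstrip("."))


def matches_seized(hostname: str, seized: Iterable[str]) -> bool:
    """True if hostname equals a seized domain or is a subdomain of one.

    Suffix match on a label boundary, so 'nottheyardservice.com' is not a hit.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in seized)


# Constructed sample DNS query log (not real data), BIND-style query log format.
SAMPLE_DNS_LOG = """\
2021-05-26T10:01:02Z client 10.0.0.12#53412: query: cdn.theyardservice.com IN A
2021-05-26T10:01:05Z client 10.0.0.12#53418: query: www.example.org IN A
2021-05-26T10:02:11Z client 10.0.0.31#41122: query: worldhomeoutlet.com IN A
2021-05-26T10:02:40Z client 10.0.0.31#41130: query: nottheyardservice.com IN A
2021-05-26T10:03:01Z client 10.0.0.44#50001: query: a.b.theyardservice.com IN TXT
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_hits(log_text: str,
              seized_defanged: Iterable[str] = SEIZED_DOMAINS_DEFANGED) -> List[dict]:
    """Return one record per log line whose query name hits a seized domain."""
    seized = [refang(d) for d in seized_defanged]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_seized(m.group("qname"), seized):
            hits.append({"client": m.group("client"),
                         "qname": m.group("qname"),
                         "qtype": m.group("qtype")})
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_DNS_LOG):
        print(f"{h['client']} queried {h['qname']} ({h['qtype']})")
```

Hits on either domain after the May 28 seizure date are still worth triage: the announcement notes the actors may have planted additional backdoors before the takedown, so a beacon to a sinkholed name points at a host that still needs cleaning.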


Pro-ISIS Hackers Post Alleged “Kill” List With 43 Names Including @StateDept Names

Updated: 2:58 am ET

In August last year, we blogged about the Purported ISIS ‘Hit List’ With 1,482 Targets including State Department names. Now, according to Vocativ, hackers with a pro-ISIS group calling themselves the United Cyber Caliphate distributed a “kill” list on Monday that appears to include dozens of U.S. government personnel.

The list features 43 names of people linked to the State Department, the Department of Homeland Security and the departments of defense, energy, commerce and health and services. It also identifies the U.S. embassies in Santiago and Kathmandu—as well as the Department of the Navy in Gulfport, Mississippi—as targets.

The purported “hit list” last year reportedly included personnel data of more than 1,482 members of the U.S. military, NASA, the FBI, the Port Authority of New York and New Jersey, and the State Department. Technology security expert Troy Hunt wrote at that time that “nothing makes headlines like a combination of ISIS / hackers / terrorism!” and took a closer look in his analysis here. How many of these names come from old “pastes” that have been reproduced or recycled, and how many are new? Whatever the answer, this is a trend that will probably continue for the foreseeable future. Reports like this should be a periodic reminder to review your own and your family members’ privacy settings and digital footprint regularly.
