Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person


A ransomware gang has escalated its attacks on law firms by sometimes sending fake IT workers in person to the victims’ offices, where the imposters steal data directly from the victims’ computers using USB drives or help other gang members connect to the computers remotely, according to Google and the FBI.

On Friday, Google’s cybersecurity teams Mandiant and Google Threat Intelligence Group published a new report accusing the cybercriminal gang known as Silent Ransom Group of attempting to steal victims’ information “using physical, in-person access” in attacks from January through May of this year that targeted “dozens” of victims.

“Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks,” Mandiant chief technology officer Charles Carmakal told TechCrunch in a statement, adding that the company has seen this tactic used in other cases over the years as well.

Last month, the FBI published an alert warning that Silent Ransom Group had been targeting law firms with social engineering and phishing attacks pretending to be IT support employees. But in some cases, the group sent fake IT support personnel to the victims’ offices, where they connected to employees’ computers and used USB drives or remote access tools to steal data such as contracts, personal information like Social Security numbers, and financial and tax records.

An FBI spokesperson told TechCrunch: “We can confirm we have seen multiple instances of individuals impersonating IT support who have gained or attempted to gain physical in-person access to victim companies’ offices and/or devices as part of Silent Ransom Group’s scheme to exfiltrate data.”

In what is now a common extortion tactic — one that does not involve actually encrypting the victims’ data as in traditional ransomware attacks — the gang has its own leak site, where it threatens victims with publishing their stolen data, and then publishes it if the victim doesn’t pay.

That often happens after the hackers email victims directly to threaten them. “In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data,” the hackers wrote to one victim, according to Google.

According to Google’s report, the hackers also use more traditional methods, such as phishing emails, follow-up phone calls, and social engineering. The cybercriminals pretend to be the company’s IT support to trick victims into granting access to their computers.

“The callers use a variety of verbal instructions to guide target behavior. Under the guise of addressing a security issue or aiding with a corporate data migration project, they build trust and direct the target to join a screen-sharing session,” Google’s researchers wrote.

The hackers then bypass security controls by convincing victims to download and open screen-sharing applications, or by using screen-sharing features in apps like Zoom or Microsoft Teams.

While hackers most of the time steal data remotely via malware or phishing attacks, these cases show that some hackers are now willing to take their crimes one step further, mixing traditional hacking techniques with physical intrusions in what is a novel and significant escalation.