Updated on 2022-12-16: FBI’s vetted information sharing network InfraGard hacked
InfraGard, a program run by the FBI to build partnerships that allow cyber and physical threat information to be shared with the private sector, was compromised. A database of some 80,000 members is for sale on an English-speaking cybercrime forum. The hackers responsible broke in by impersonating a financial industry CEO who had been vetted by the FBI itself. (Ouch.) See, maybe if the FBI embraced encryption a little more, it wouldn’t have its name attached to so many embarrassing headlines. Read more:
- FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked
- Hacker claims breach of FBI’s critical-infrastructure portal
- InfraGard, FBI Program for Critical Infrastructure Cybersecurity, Breached by Hackers
Installation of the application needs physical access and no one is using n-day exploits to remotely install the applications. The monitoring should be the same but their "stealthiness" is worse. The only exact functionality that I could think of is parsing of iCloud backups.
— Vangelis tix Stykas (@evstykas) December 12, 2022
Updated on 2022-12-15: FBI InfraGard hacked
A hacker used stolen PII data for a fin-tech CEO and has gained access to the FBI’s InfraGard portal. Using that access, the threat actor has compiled and is now selling a database that contains the contact information for more than 80,000 InfraGard members.
Updated on 2022-12-13
Threat actors were found selling a database with the contact information of over 80,000 InfraGard members, an FBI program. Read more: FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked
Overview: InfraGard Database Spotted for Sale on Cybercrime Forum
The user database of the FBI’s InfraGard has been offered for sale on a cybercrime forum. The database contains contact information for 80,000 public- and private-sector InfraGard members who hold positions in physical and cybersecurity at organizations that comprise the country’s critical infrastructure.
- Two shortfalls enabled the access to be granted. First, the impersonated executive’s identity wasn’t sufficiently verified; second, the MFA options were leveraged to allow a second factor that the hacker controlled. (Email in this case.) Both of these processes were implemented with what was deemed an acceptable level of risk. The identity information was correct, and likely validated via on-line services, much like loan applications, and having multiple MFA options reduces account lockout scenarios. The attack risks/threats were likely very different when these decisions were made. When engineering services similar to this, keep an eye on threats and trends, revisiting your decisions and updating controls as the threat environment changes.
- The fact that individuals’ data is for sale on a cybercrime forum is not the worrying aspect of this story; after all, our data is being bought and sold constantly. The concern is that criminals now have details of those people who are involved in a trusted network and can exploit that to scam or exploit the inherent trust relationships people may have in that network. It is always useful therefore to remind staff, particularly senior staff, to be always mindful of communications they receive from others.
- OK, NewsBites readers: warn yourselves you are likely to see really well-crafted phishing attacks from members of your InfraGard chapter…
- The release onto the cybercrime forum was to be expected. On the surface, the material is of limited value as it is publicly findable. However, given the amount of material, its value to a buyer is the reduction in time to create cyber target packages.
- Many of those in the population were trusted by most other members; the essential purpose of the association is to create a level of trust. That trust is diminished by this publication. Furthermore, the association of name, e-mail and enterprise is sensitive and may be used to dupe other members of the enterprise in social engineering attacks. While I am in that database, I am not associated with any enterprise. The site is not responsive, so I cannot check my profile, but I do not think there is any information in it that is not available on LinkedIn.
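The first comment above names two vetting shortfalls: identity proofing that only matches applicant-supplied PII against records, and an MFA second factor delivered to a contact channel the applicant chose. The following is an added example, not code from the article or from InfraGard, of how an enrollment pipeline can encode those two checks as policy. The `Enrollment` fields, the evidence categories and the sample cases are assumptions constructed for this illustration; they do not describe InfraGard's actual process.

```python
"""Enrollment-vetting policy check (added example; not from the source article).

Encodes two rules: (1) identity proofing must include evidence the applicant could
not produce from stolen PII alone, and (2) no enabled second factor may be delivered
to a contact channel the applicant supplied unless that channel was independently
verified, because with multiple MFA options the weakest enabled factor sets the bar.
Field names and evidence categories are assumptions for this example.
"""
from dataclasses import dataclass

# Assumed proofing taxonomy. "record_match" = PII checked against commercial records,
# which anyone holding stolen PII passes. The categories below require a channel the
# applicant did not choose (e.g. a call to the employer's published switchboard).
INDEPENDENT_PROOFING = {"out_of_band", "in_person", "sponsor_attestation"}

# Factors delivered to a contact address rather than bound to a device or key.
CHANNEL_DELIVERED = {"email": "email", "sms": "phone", "voice": "phone"}


@dataclass
class Enrollment:
    applicant_supplied_contacts: dict   # e.g. {"email": "...", "phone": "..."}
    verified_contacts: set              # contact types confirmed via an independent source
    proofing_evidence: set              # subset of the evidence categories above
    mfa_factors: list                   # factor types the applicant enrolled


def vet(enrollment):
    """Return a list of policy findings; an empty list means enrollment may proceed."""
    findings = []
    if not enrollment.proofing_evidence & INDEPENDENT_PROOFING:
        findings.append("identity proofing relies only on matching applicant-supplied PII")
    for factor in enrollment.mfa_factors:
        channel = CHANNEL_DELIVERED.get(factor)
        if channel is None:
            continue  # device- or key-bound factor; not reachable through a contact address
        supplied = channel in enrollment.applicant_supplied_contacts
        if supplied and channel not in enrollment.verified_contacts:
            findings.append(
                f"second factor '{factor}' is delivered to applicant-supplied, "
                f"unverified {channel}; an impostor who supplied it controls it"
            )
    return findings


def example_cases():
    """Constructed sample enrollments (placeholder contacts, not real data)."""
    return {
        # Stolen-PII scenario: records match, but only an applicant-chosen mailbox
        # backs both the contact details and the single second factor.
        "record_match_email_only": Enrollment(
            applicant_supplied_contacts={"email": "exec@applicant-chosen.example"},
            verified_contacts=set(),
            proofing_evidence={"record_match"},
            mfa_factors=["email"],
        ),
        # A hardware key is enrolled, but email remains enabled and unverified,
        # so the weakest enabled factor still fails the check.
        "fido2_plus_unverified_email": Enrollment(
            applicant_supplied_contacts={"email": "exec@applicant-chosen.example"},
            verified_contacts=set(),
            proofing_evidence={"record_match", "out_of_band"},
            mfa_factors=["fido2", "email"],
        ),
        # Employer confirmed the identity and mailbox through its published number.
        "hardened": Enrollment(
            applicant_supplied_contacts={"email": "exec@employer.example"},
            verified_contacts={"email"},
            proofing_evidence={"record_match", "out_of_band"},
            mfa_factors=["fido2", "email"],
        ),
    }


if __name__ == "__main__":
    for name, case in example_cases().items():
        print(name, "->", vet(case) or "OK")
```

The point of iterating over every enabled factor rather than checking only the strongest is the one the comment makes about lockout-friendly MFA menus: if email remains selectable, an impostor who supplied that address simply picks it.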
Read more in