Archive for FBI

« Older Entries

FBI Warns Of Device Code Phishing Attacks

Posted in Commentary with tags on May 22, 2026 by itnerd

The FBI has put out a warning about Kali365 and the spike in device code phishing attacks earlier this week:

Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.

But the deeper story is why this class of attack is so hard to catch. There’s no malicious link, no spoofed login page — just a legitimate OAuth flow handing attackers a valid token, bypassing everything traditional security is trained to flag.

Gidi Cohen, CEO & Co-founder, Bonfy.AI had this comment:

“The FBI’s warning is well-placed, and the recommended mitigations — conditional access policies, blocking device code flows — are the right first response. But they address the front door.

The harder question is what happens once an attacker is already inside a legitimate session. When a token is stolen, the attacker isn’t a stranger to the system anymore. They’re operating with valid credentials through authorized pathways. Traditional controls see a clean session. They don’t see intent.

That gap gets wider as AI enters the picture. Copilots and agents connected to M365 mean a compromised session isn’t just access to stored data — it’s a potential entry point into ongoing AI workflows, retrieval pipelines, and generated outputs that can surface sensitive information in ways that are much harder to detect.

The industry conversation tends to stop at authentication. It needs to extend to the data layer — what’s actually moving through these systems, what it contains, who it’s about, and whether that movement aligns with policy intent. Because by the time data is in motion, the authentication question has already been answered. Correctly or not.”

As mentioned, this technique is particularly dangerous because it exploits legitimate authentication workflows, making detection more difficult. Thus the mitigations that are recommended are vital to keeping your organization safe.

Leave a comment »

If Your Router Was Reset To Factory Defaults, You Need To Replace It NOW

Posted in Commentary with tags , , on May 12, 2026 by itnerd

Fun fact. Or maybe it’s not so fun. The Russians have been exploiting security vulnerabilities for years in home ad small office routers. In the process the Russians can use these routers to execute attacks at will. Thus the The FBI and NSA took the really unusual step of getting a court order in order to find and remotely reset these routers to kick the Russians out of these routers. Though there’s a catch to that which I will get to in a moment. From CNET:

Federal agencies, including the FBI and NSA, disclosed on April 7 that a unit of Russia’s military intelligence directorate, the GRU group known as APT28 or Fancy Bear, has been systematically compromising home and small office routers since at least 2024, using the access to intercept credentials, authentication tokens and sensitive communications. The agency took the unusual step of remotely resetting thousands of affected US devices under a court order, but officials are warning that without action from individual router owners, the problem is far from solved.

Here’s the catch. The routers in question aren’t getting security updates as well. So it is entirely likely that the Russians can simply come back and set up shop again if you leave the router in operation. Thus if your router gets reset remotely, it needs to be replaced. Immediately. As in now. Today.

If you’re wondering which routers are targeted, CNET can help you with that:

The UK’s National Cyber Security Centre includes a number of TP-Link routers specifically targeted by the hackers.

But I would not consider that list to be complete. Which is why you should replace your router if it factory reset remotely. Consider this a today problem.

1 Comment »

The Director Of The FBI Has Had His Email Pwned By Iranian Hackers

Posted in Commentary with tags , , on March 30, 2026 by itnerd

The Iranian hacker group Handala has claimed another victim. After pwning this company, Handala has now apparently pwned the personal email account of FBI director Kash Patel. Cybernews suggests that this is in revenge for the FBI taking down the group’s leak site.

“Today, once again, the world witnessed the collapse of America’s so-called security legends. While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala Hack members, we decided to respond to this ridiculous show in a way that will be remembered forever,” the group wrote on its new leak site.

“All personal and confidential information of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download” Handala claimed, also boasting about the alleged “get” on its now 42nd Telegram channel.

The posted samples include nine personal photos of Patel and an alleged resume belonging to the FBI head.

The FBI has basically admitted that this is real, and if you’re Patel or the FBI, this has to be highly embarrassing. But honestly, I think that’s the least of their problems. Handala is clearly on a rampage and I fully expect to see more pwnage from this group over the coming weeks seeing as they are an Iran aligned group and will likely want to “flex” for those in the Iranian regime who back them.

Leave a comment »

FBI Warns Of Iran-Linked Threat Actors Using Telegram For Attacks

Posted in Commentary with tags , on March 23, 2026 by itnerd

The FBI has warned of Iran-linked Handala hackers using Telegram in malware attacks:

The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate information on malicious cyber activity conducted by actors on behalf of the Government of Iran Ministry of Intelligence and Security (MOIS). Specifically, MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world. This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.

Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity. The FBI assessed MOIS cyber actors are responsible for using Telegram as a C2 infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other oppositional groups around the world. This FLASH warns network defenders and the public of continued malicious cyber activity by Iran MOIS cyber actors and outlines the tactics, techniques, and procedures (TTPs) used in this malware campaign.

Commenting on this news is Ensar Seker, CISO at SOCRadar

“The use of Telegram as command-and-control infrastructure is not surprising, it reflects a broader shift where threat actors deliberately blend malicious traffic into trusted, encrypted platforms. By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default.

What makes this particularly concerning is the targeting profile. These operations are not opportunistic; they are highly intentional, focusing on journalists, dissidents, and opposition voices. This aligns with state-sponsored objectives, where cyber operations are used as an extension of intelligence gathering and influence campaigns rather than purely financial gain.

From a defensive standpoint, this highlights a critical gap: many organizations still rely too heavily on traditional indicators like IP blocking or domain reputation. When attackers operate inside legitimate platforms, defenders must shift toward behavioral detection, monitoring anomalies in application usage, data flows, and endpoint activity rather than trusting the platform itself.

The bigger implication is that encrypted messaging platforms are becoming dual-use infrastructure for both communication and covert operations. Security teams need to reassess their trust assumptions and implement visibility controls around sanctioned apps, including logging, anomaly detection, and strict access policies.

Ultimately, this is not about Telegram specifically, it’s about the normalization of “living off trusted services.” Organizations that fail to adapt to this model will continue to miss early-stage intrusions, especially those tied to advanced persistent threat actors with geopolitical motivations.”

This highlights the fact that warfare is different now because the battlefield has expanded to the cyber world. Thus you need to keep that in mind in order to keep your organization safe from this new generation of threats.

Leave a comment »

FBI seizes Handala data leak site after Stryker cyberattack

Posted in Commentary with tags on March 19, 2026 by itnerd

You might recall that a med tech company named Stryker got pwned in epic fashion by Iran based threat actors. Click here if you need to get the details on that. Now there’s news that the FBI has seized two websites used by the threat actors behind this attack who are known as Handala:

As of Thursday, the contents of a website where Handala publicized its hacks, as well as another website that the group used to dox dozens of people over their alleged ties to the Israeli military and defense contractors, such as Elbit Systems and NSO Group, were replaced by a banner announcing the law enforcement action. 

The seizure announcement did not say why the FBI and the Justice Department took down the websites. But the language in them appears to indicate U.S. authorities believed these sites were run by hackers linked to a foreign government.

“Law enforcement authorities determined this domain was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor,” read the seizure announcement. “The United States Government has taken control of this domain to disrupt ongoing malicious cyber operations and prevent further exploitation.”

Brian Bell, CEO of FusionAuth, has provided the following commentary: 

“The Stryker attack demonstrates that authentication and authorization are not the same thing. Attackers didn’t need to break in. They walked through the front door with compromised credentials. The missing safeguard is contextual: organizations need systems that can recognize when a privileged action is anomalous and require additional verification at that moment, not just at login. Risk-based, step-up authentication is a necessary architectural layer for organizations managing sensitive infrastructure, not just a ‘nice-to-have.’ The FBI’s seizure of Handala’s infrastructure is welcome – but the next group will find a new front door. The architectural fix has to happen on the defender’s side.”

I applaud this. Actions like this won’t stop these groups, but it will make their lives a bit more miserable. But it would be better if organizations defended themselves so things do not escalate to this level.

Leave a comment »

FBI And CISA Issue Warning About Interlock Ransomware Gang

Posted in Commentary with tags , on July 23, 2025 by itnerd

The CISA and the FBI warned of escalating Interlock ransomware attacks targeting various businesses and critical infrastructure organizations through a double extortion model whereby actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked.

You can find the warning here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a

Erich Kron, security awareness advocate at KnowBe4, commented:

“While a fairly new ransomware group, Interlock is working to make a name for themselves. Their use of compromised websites for drive-by malware downloads is not very common in the world of ransomware, but their use of social engineering certainly is. Convincing people to install updates or fixes, really just disguised malware, in ClickFix attacks and is not a new concept as fake updates or antivirus notifications have been around for years.

To counter the threat, organizations need to ensure their employees are aware of the campaigns and are taught to spot them, and that they are aware of the real and legitimate process the organization’s I.T. department uses to install patches or updates so they are not tricked into executing malware. A comprehensive Human Risk Management program is vital when dealing with human-centric attacks such as this, as is a good endpoint protection platform. Patching machines, browsers, and other software can help limit the ability for malware to launch and for bad actors to move around the network or elevate permissions as well.”

Interlock may be new, but they are causing quite the sensation. Likely because they have a track record of success if you want to call it that. You don’t want to be part of their success which means that you need to do everything you can to make sure that you’re not Interlock’s next victim.

Leave a comment »

FBI warns of cybercriminals stealing health data posing as fraud investigators 

Posted in Commentary with tags on June 30, 2025 by itnerd

The FBI has warned Americans of cybercriminals impersonating health fraud investigators to steal their sensitive information.

The Federal Bureau of Investigation (FBI) warns the public about criminals impersonating legitimate health insurers and their investigative team members. These criminals are sending emails and text messages to patients and health care providers, disguising them as legitimate communications from trusted health care authorities. The messages are designed to pressure victims into disclosing protected health information, medical records, personal financial details, or providing reimbursements for alleged service overpayments or non-covered services.

Commenting on this news is Erich Kron, Security Awareness Advocate at KnowBe4

“This tactic uses the authority of large insurers, or the threat of investigative team members to create a strong emotional response to their messages. Whether it’s fear of having made an error, or the happy feeling of hearing that you had overpaid and will be refunded, the manipulation of our emotions is their primary goal. Humans tend to make bad decisions when in a heightened emotional state, something that these attackers are looking to exploit. If you’re being told you’re getting money back for something, you’re likely to get excited and be willing to provide a credit card or bank account information for the “refund” or provide more information under the guise of confirming your identity. This tactic can be used to collect sensitive information such as Social Security numbers, physical addresses, email addresses, phone numbers, or much more, all of which can be sold on the dark web.”

“People should always be aware of their emotional state, and should train themselves to use a strong emotional response as a trigger to take a deep breath and look at things very clearly. This is where you’re liable to find out that email addresses don’t come from reputable sources, websites in links look odd, or any number of other things that could clue you into something being amiss.”

Remember, if someone is trying to pressure you into to something or use fear to get you to do something, you are likely dealing with a scammer. Which means you should run quickly in the other direction. Then you should report it to the authorities so that they can do their best to go after the perpetrators. That way, everyone is a tiny bit safer.

Leave a comment »

The FBI’s Data Handling Practices Ripped By The DoJ

Posted in Commentary with tags , on August 28, 2024 by itnerd

The FBI has faced significant lapses in handling and disposing of electronic storage media seized during investigations, according to a scathing audit by the Department of Justice’s Office of the Inspector General (OIG). The audit reveals that storage devices containing sensitive information, including national security data, Foreign Intelligence Surveillance Act (FISA) material, and documents classified as Secret, were often improperly labeled or not labeled at all, heightening the risk of loss or theft.

The OIG’s report was addressed to FBI Director Christopher Wray and underscores the gravity of these findings. Despite FBI protocols mandating strict procedures for labeling and securing such data, the agency failed to consistently adhere to these guidelines. The report highlights instances where media containing classified information was stored in unapproved containers or locations, significantly compromising security. Additionally, the FBI’s process for the destruction of these devices was found to be inadequate, with critical gaps that could potentially expose sensitive information to unauthorized access.

Cigent CGO Brett Hansen had this comment:

“Meeting mission requirements and the ever-evolving threat landscape can make ensuring the integrity of data throughout its lifecycle a daunting task. Organizations like the FBI first need to universally adopt proven techniques and technology for safeguarding vulnerable data at the edge. These include Hardware Full Drive Encryption with Pre-boot Authentication and Multi Factor Authentication. Proper disposal of data is also imperative and again there are technologies that can verify all data is permanently erased.”

The FBI of all people need to do a much better job of safeguarding data. Hopefully this report not only “encourages” them to do better. But sends a message to everyone else to step up their game.

Leave a comment »

BreachForums Has Been Pwned By The FBI

Posted in Commentary with tags on May 15, 2024 by itnerd

Cybercriminals will have to find a new place to brag about who they’ve pwned and facilitate the sale of data that they’ve swiped. Because BreachForums which is a well known site for doing both has itself been pwned by the FBI:

The seizure occurred on Wednesday morning, soon after the site was used last week to leak data stolen from a Europol law enforcement portal.

The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site’s servers and domains.

“This website has been taken down by the FBI and DOJ with assistance from international partners,” reads the seizure message.

“We are reviewing this site’s backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us,” continues the seizure banner.

The seizure message also shows the two forum profile pictures of the site’s administrators, Baphomet and ShinyHunters, overlaid with prison bars.

If law enforcement has gained access to the hacking forum’s backend data, as they claim, they would have email addresses, IP addresses, and private messages that could expose members and be used in law enforcement investigations.

But it doesn’t end there. The FBI also pwned the following:

The FBI has also seized the site’s Telegram channel, with law enforcement sending messages stating it is under their control.

It also appears that Baphomet who is one of the people who ran the site might have been arrested. I can’t confirm that at present. But I am sure further details will come out about this. But this is as I like to say, a non trivial event. While I am sure that something like BreachForums will pop up to fill this void, the fact that this site was taken down by the FBI is sure to send shockwaves through the hacking community.

Watch this space as I expect more details to appear shortly.

UPDATE: Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec had this comment:

“For the second time, US and international law enforcement groups worked together to seize BreachForums, a popular data leak site. Just like with the collaboration between Microsoft, CISA, the FBI, and the NSA, this joint effort shows the importance of public and private sectors working together to secure the cyber domain.  While the information surrounding this seizure is new at this point, it is exciting to see continued efforts to thwart this activity. Inevitably, these actors will show up again in another place, as they did when RaidForums was seized in 2022, but cyber defenders seem ready and poised to seize assets again if they do.”

Leave a comment »

CISA, FBI, DHS Release Guidance For Limited Resourced Civil Society Organizations

Posted in Commentary with tags , , on May 15, 2024 by itnerd

Yesterday in partnership with the DHS, the FBI and numerous international agencies, CISA released a joint guidance document to help civil society organizations and individuals reduce the risk of cyber intrusions and encourage software manufactures to actively commit to implementing Secure by Design practices to help protect vulnerable and high-risk communities.

   “Civil society, comprised of organizations and individuals such as– nonprofit, advocacy, cultural, faith-based, academic, think tanks, journalist, dissident, and diaspora organizations, communities involved in defending human rights and advancing democracy–are considered high-risk communities. Often these organizations and their employees are targeted by state-sponsored threat actors who seek to undermine democratic values and interests,” CISA’s release read.

Civil society organizations and individuals are encouraged to implement the following best practices as defined by CISA’s Cross-Sector Cybersecurity Performance Goals:

  • Keep software and applications updated on devices and IT infrastructure
  • Use multifactor authentications and use strong passwords
  • Audit accounts and disable unused and unnecessary accounts
  • Disable user accounts and access to organizational resources for departing staff
  • Apply the Principle of Least Privilege
  • Exercise due diligence when selecting vendors, such as cloud services and MSPs
  • Manage architecture risks
  • Implement basic cybersecurity training
  • Develop and exercise incident response and recovery plans
  • Use encryption measures to protect all communications

Software manufacturers are strongly encouraged to embrace Secure by Design principles and mitigations to improve the security posture for their customers include:

  • Vulnerability management. Working to eliminate entire classes of vulnerability in their products
  • Enabling MFA by default in all products
  • Provide logging at no additional charge and alert customers of suspicious or anomalous behavior
  • Implement alerts so customers are aware of unsafe configurations, suspicious behavior, and malware
  • Include details of a Secure by Design program in corporate financial reports.

Dave Ratner, CEO, HYAS had this to say:

   “Security by design is a good practice to implement and goes hand-in-hand with the equivalent for enterprise network design — designing for cyber resiliency.  Too often security is an after-thought; with both security by design for software engineering, and cyber resiliency design for networks and organizations, the overall design becomes foundationally secure, and that’s exactly what is needed going forward to combat the continued onslaught of new and innovative attacks and risks.

What I like about this initiative is that it is targeting a group of people who likely don’t spend a lot of time and effort to make sure that they are secure. Yet they are low hanging fruit for threat actors. Hopefully this generates results and civil society organizations and individuals are better protected as a result.

Leave a comment »

« Older Entries