*Note: This information is provided by the FBI to assist cyber security specialists protect against the persistent malicious actions of cyber criminals. The CCI is happy to share this information to further information sharing initiatives. The information is provided without any guaranty or warranty and is for use at the sole discretion of the recipients.

TLP: WHITE

This FLASH Report is is an update to the report the FBI released on 14 October 2020, Alert Number MU-000136-MW. The FLASH has been updated to include additional technical details and a blog post by SonarQube addressing this issue.

Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly. The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.

On 31 July 2020, SonarQube released a blog post addressing this issue, which can be accessed at https://blog.sonarsource.com/public-response-code-leaks

Download FBI Flash

The FBI encourages the reporting of information related to suspicious or criminal activity to your local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. CyWatch can be contacted by phone at (855) 292-3937 or by email at CyWatch@fbi.gov.

By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

*Note: This information is provided by the FBI to assist cyber security specialists protect against the persistent malicious actions of cyber criminals. The CCI is happy to share this information to further information sharing initiatives. The information is provided without any guaranty or warranty and is for use at the sole discretion of the recipients.

TLP: WHITE

On 20 November, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published an FBI Flash (Alert MU-000140-MW) disclosing a number of IOCs associated with Ragnar Locker Ransomware.

The FBI first observed Ragnar Locker ransomware in April 2020, when unknown actors used it to encrypt a large corporation’s files for an approximately $11 million ransom and threatened to release 10 TB of sensitive company data. Since then, Ragnar Locker has been deployed against an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The FBI is providing details of Ragnar Locker ransomware to assist with understanding the code and identifying the activity. Ragnar Locker actors first obtain access to a victim’s network and perform reconnaissance to locate network resources, backups, or other sensitive files for data exfiltration. In the final stage of the attack, actors manually deploy the ransomware, encrypting the victim’s data.

Download FBI Flash

If you find any of these indicators on your networks or have related information, please contact FBI CYWATCH immediately.

• Email: cywatch@fbi.gov

• Phone: 1-855-292-3937

By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

*Note: This information is provided by the FBI to assist cyber security specialists protect against the persistent malicious actions of cyber criminals. The CCI is happy to share this information to further information sharing initiatives. The information is provided without any guaranty or warranty and is for use at the sole discretion of the recipients.

TLP: WHITE

On 22 October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (Alert AA20-296B) warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. APT actors are creating fictitious media sites and spoofing legitimate media sites to spread anti-American propaganda and misinformation about voter suppression.

The Cybersecurity Advisory followed a joint press conference from the Director of National Intelligence (DNI) and FBI Director on election security, alerting the American public that Iran had taken specific actions to influence public opinion relating to the 2020 U.S. Presidential Election.

The FBI is now providing a list of indicators of compromise (IOCs) pertaining to a threat group, assessed to be located in Iran, conducting operations aimed at influencing and interfering in the 2020 U.S. Presidential Election.

Download FBI Flash