(TLP:CLEAR) FBI Releases Multiple Alerts on Credential Theft and Evolving Ransomware Intrusion Techniques

Summary: The FBI recently released two cyber FLASH reports and a Public Service Announcement (PSA) highlighting evolving tactics used by cyber threat actors to gain access to victim environments, bypass authentication protections, conduct social engineering campaigns, and support ransomware-related intrusions. The reports address the use of phishing-as-a-service (PhaaS) platforms targeting Microsoft 365 accounts, as well as social engineering schemes involving threat actors impersonating IT personnel. Ransomware actors are also using anonymization infrastructure to conduct reconnaissance and compromise victim systems.

Analyst Note: Collectively, the reports reinforce ongoing concerns regarding credential theft, remote access abuse, identity-focused attacks, and the increasing use of legitimate services and tools to evade detection. The FBI FLASH reports in particular contain relevant information mapping threat actor tactics to the MITRE ATT&CK® framework and include indicators of compromise (IOCs) useful for members’ defense efforts. WaterISAC encourages members to review the reports which can help utilities understand and defend against current tactics used by threat actors.

Original Sources:

• FBI FLASH: Silent Ransom Group Impersonating IT Personnel through Social Engineering
• FBI FLASH: “First VPN Service” Used by Ransomware Actors to Compromise Systems
• FBI PSA: Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens

Additional Reading:

• Ransomware Resilience – Understanding Ransomware Behaviors and the Typical Ransomware Attack Chain

Related WaterISAC PIRs: 6, 7, 7.1, 10, 10.1, 10.2, 12