The Daily Decrypt
Student Loan Forgiveness Scam, Thwarting Russian Sandworm, and Defending Against Cisco-Reported Brute-Force Attacks

Today, we discuss the deceptive world of the “Financial Hardship Department Scam,” where unsuspecting Americans are tricked into revealing personal data with the false promise of government aid. Explore the intricacies of this scam and how to protect yourself from becoming a victim. This episode also sheds light on the alarming strategies of Russian Sandworm hackers and global brute-force attacks targeting VPN and SSH services, revealing a complex cybersecurity landscape.

Original URLs:

Follow us on Instagram:

Thanks to Jered Jones for providing the music for this episode.

Logo Design by

Tags for the Episode: Financial Hardship Department Scam, cybersecurity, Russian Sandworm hackers, brute-force attacks, VPN, SSH, email scams, government subsidies scam, cyber threats, cyber protection, Mandiant, Cisco

Search Phrases:

  1. How to protect against Financial Hardship Department Scam
  2. What is the Financial Hardship Department Scam
  3. Russian Sandworm hackers in US utilities
  4. Cisco alert on brute-force attacks
  5. Cybersecurity threats in 2024
  6. Email scams involving government aid
  7. Preventing cyber attacks on VPN and SSH
  8. How Russian hackers disguise as hacktivists
  9. Identifying and preventing email scams
  10. Latest cybersecurity reports from Cisco and Mandiant



Americans are being targeted by a sophisticated scam from the Financial Hardship Department, which promises government subsidies and stimulus checks as a facade to steal personal information and money. Stick around cause we’re gonna give them a call.

Russian sandworm hackers, disguised as hacktivist groups, have infiltrated water utilities in the United States and Europe, executing sophisticated cyberattacks that manipulate public narratives in favor of Russia according to recent findings by Mandiant.

And finally, Cisco has issued an alert on a sharp rise in global brute force attacks targeting VPN and SSH services, revealing a sophisticated threat landscape that exploits Tor exit nodes and various anonymizing proxies since March 18th of 2024.

What steps can organizations take to protect their networks from these global brute force attacks?

So in recent news, a concerning scam from the Financial Hardship Department is targeting Americans across the country. This was actually brought to my attention from my mother. She reported something suspicious to her IT department, which is me. She received an email with the subject that was her full name,

and inside the email was a very compelling argument.

That she was entitled to some sort of student loan forgiveness plan, and the money is available right away.

And this specific scam isn’t necessarily breaking news, but this type of scam, this category of scam, is very effective

and very prevalent.

And this is because of a thing called OSINT, or Open Source Intelligence, where people can use information they find online about you in order to get you to do things. So, if someone wrote you an email And they knew exactly how much student debt you had, and they knew your full name, and they knew you ran to school.

You might be more enticed to give them a call, respond to the email, or even click a link.

If you’re interested in seeing this email and walking through all of the key indicators that this is not a legit email, and it is in fact a scam, I’m going to be posting a reel a little bit later today on our Instagram that we’ll have the email and we’re going to go through each one of the indicators that this is a scam so that you can help protect yourself against this scam.

But just a high level, the email came from someone at hotmail. com. Nobody with any clout is going to email you from a personal email address. Step one.

All right. Number two, there’s a sense of urgency. It says that you have a case open, but for only one more day. So give us a call back at this number.

And just for fun, I went ahead and gave this number a call using my google voice number and was ready to record it and talk to them and see what they were gonna try to get out of me and maybe give them some fake information. The email was received yesterday and since then the number has been decommissioned.

Calling the scammer. Bummer.

There are also some weird formatting issues with this email. And then at the bottom, it says you opted into advertising services, provides an address,

and then it provides a URL to unsubscribe.

This specific email is formatted so poorly that the URL doesn’t even become clickable.

But they’re trying to get you on two directions here. They’re trying to get you to call and give up your information. And they’re trying to get you to click this unsubscribe link. Now that kind of gets your wheels turning, doesn’t it? Most emails have unsubscribe links, and most of them are from emails you might not even recognize.

You just want to get them out of your inbox.

Now trust me, I am all for inbox sanitization and organization, but clicking unsubscribe links as a habit is a bad one. Clicking any links in an email is a bad habit. And yes, unsubscribe is URL that could take you wherever you want. And usually, when you’re about to click it, you’re kind of in a hurry, you’re not really checking, you’re not thinking about it.

So attackers know this,

and they’re going to send you something you really don’t want, and they’re going to provide a link to unsubscribe. Probably don’t click it. Instead, send it to spam. Send it to junk.

Train your inbox to send that somewhere else where you don’t have to worry about it.

Even if the unsubscribe link isn’t malicious, it can serve a different purpose. It can let attackers or scammers know that that email address is active. And might actually ramp up the amount of spam, scam emails, or newsletters you may get because people are interested in buying your email address if they know it’s an active email address.

So now you’ve just confirmed it, they might go sell it to some other people. It might actually increase the amount of spam you get. There is a service called unroll. me

that can help consolidate and manage email subscriptions efficiently. It allows you to view all your subscriptions in one place and makes it easy to unsubscribe from them.

Another thing you can do is use alias emails. So if you’re an iPhone user, The iPhone will often prompt you to mask your email address. It’s a good idea because you can delete that email address at any time. If you start getting spam from it, you can also use tools like fast mail or start mail, and just generate a new email address that forwards to your normal email address.

This will also help protect you and your privacy online because they’re not just mapping one email address to your identity. Now they have to map tons and tons to keep track of you. So it’ll help reduce trackers on Google. It’ll help reduce. The efficacy of certain attacks when your password is breached on the dark web.

So for more tips and tricks, and for a further analysis on these scam emails, be Instagram later today.

Cybersecurity firm Mandiant has exposed how the notorious Sandworm hacking group linked to Russian military intelligence, has camouflaged its cyberattacks by masquerading as hacktivist groups.

The Russian ensemble, known by aliases such as Black Energy, Seashell Blizzard, and Voodoo Bear, has been active since 2009, and their operations are accredited to Unit 74455 of Russian’s GRU.

Mandian’s latest findings suggest that Sandworm operates under several online personas to launch data leaks and disrupt operations. Notably, three hacktivist branded telegram channels named Zaxnet Team, Cyber Army of Russia Reborn, and SolSopec, that’s Russian, have been instrumental in disseminating pro Russian narratives and misleading the audience about the origin of the cyberattacks.

These personas act independently, yet share a common goal of aligning their activities with Russian interests.

So, before we move on, just a quick note on hacktivism. There are a few main motivators for attackers when placing an attack. Money, power, fame. And activism is a pretty popular one.

So to help give an idea of what a hacktivist organization would be like, it’s maybe a pro Ukraine organization that’s working to

spread the truth about what’s going on in a foreign war,

and so they might be trying to actually hack the Russian government to help Ukraine, or something like that. Their motivation is not money, so they’re not out there trying to get credentials to their bank accounts and stuff like that. They’re trying to work towards their organization’s mission, which is to spread the truth about foreign wars in favor of a certain country.


these Russian attackers that are responsible for many attacks on U. S. critical infrastructure, especially water utilities, are gaining footholds by pretending to be a hacktivist group. Maybe they’re pro Russia, maybe they’re pro Ukraine. They’re doing what they can to try to sway public opinion in Russia’s favor,

which involves all sorts of propaganda that I’m not even aware of.

But Mandiant’s report extends beyond the facade of hacktivism. They have traced back multiple cyber incidents to Sandworm,

including attacks on water utilities in the U. S. and Poland, and hydroelectric facilities in France. The authenticity of these intrusion remains under investigation, but confirmation of related malfunctions by U. S. utility officials lends proof. Furthermore, Sandworm’s influence operations are designed to bolster Russian wartime objectives by seeding misinformation and creating an illusion of widespread support for the war.

The sophistication of these tactics illustrates a strategic shift from direct sabotage in Ukraine, where they targeted critical infrastructure like state networks and the power grid, to a more nuanced cyber espionage and intrusion. influence operations. Mandiant also highlights APT44’s activities over the past year including targeting NATO countries electoral systems and engaging in intelligence collection to aid Russian military efforts. The threat posed by APT44 is severe, with ongoing operations focused on Ukraine and an elevated risk of interference in upcoming national elections and significant political events worldwide.

So this election season, especially in the United States, is going to be absolutely crazy.

The simplicity of access that these foreign, quote, hacktivists or propaganda pushers have over the United States is huge. It’s palpable. They can just create TikToks about something you’re interested in, which is Ukraine and

the things that are happening in this foreign war, and you share it, and the more it gets shared, the more validity it accumulates in people’s eyes.

And this rapid consumption of social media has almost completely forgotten about citing sources or doing any sort of further research into what you just saw on a 60 second video clip. So I encourage you personally to, I mean, first of all,

don’t spend too much time on social media. If you get, if you catch yourself doom scrolling, try to get off and go on a walk. And second of all, think about everything you watch as if it were a lie. How could this video be lying to you right now? How could this video be stretching the truth? You know, are these videos actually shot where they are?

Are they in front of a green screen?

What sources do these people have? to claim what they’re saying. Is what they’re saying promoting a specific narrative? Maybe for Russia, maybe for Ukraine. And if so, that increases the likelihood that what they’re saying is stretched or slightly untrue.

So just as we have to look at every email with a lot of scrutiny, make sure we don’t click any bad links, we also have to look at everything we consume because our brains are very vulnerable to what we see. And the internet right now is just pushing what we already believe, further enforcing our misbeliefs.

There’s been a notable spike in brute force attacks globally, as reported by Cisco.

Specifically targeting devices such as VPNs, or virtual private networks, web application authentication interfaces, and SSH services.

Cisco Talos experts pinpointed that these attacks have been originating from Tor exit nodes and various anonymizing tunnels and proxies since at least March 18th of 2024. The implication of these attacks are serious, potentially leading to unauthorized network access, account lockouts, or even denial of service conditions.

A range of devices have come under siege, including popular VPN solutions like Cisco Secure Firewall VPN, Checkpoint, Fortinet, SonicWall, along with RD web services and brands such as Mikrotik, Draytek, and Ubiquiti. Stomp’s foot on Ubiquiti. Cisco Talos has identified that the brute forcing attempts not only utilize generic credentials, but Also valid usernames tied to specific organizations, indicating a methodical approach to this cybersecurity threat.

The attack traffic, as analyzed, predominantly flows through known proxy services such as TOR, VPNgate, IPDEA proxy, BigMama proxy, SpaceProxies, NexusProxy, ProxyRack, etc. And details on the IP addresses and the credentials used in these attacks have been compiled and made accessible for the concerned parties to bolster their defenses.

So check out the show notes if you want more IOCs of this, so that you can maybe set up some signature detections or behavior detections, etc.

In parallel to these brute force incidents, Cisco has raised alarms about password spray attacks, etc. targeting remote access VPN services as well. This trend was highlighted alongside a recent disclosure from Fortinet FortiGuard labs reporting the exploitation of a patched vulnerability in TP Link Archer AX21 routers by DDoS botnet malware facilities.

Which brings us back to our SoHo days, right? If you’re running one of these routers, make sure it’s patched. Make sure your home router is up to date. You don’t want to be getting DDoS’d by a botnet. Or you don’t want to be part of the botnet that does the de tossing, excuse me. Security researchers, Cara Lin and Vincent Lee from FortiGuard Labs underscore the continuous threat posed by botnets, which exploit IOT vulnerabilities relentlessly.

They strongly advise users to remain vigilant against DDoS botnets and to apply patches promptly.

Cisco has provided several recommendations to mitigate the risks associated with these type of cyberattacks. These include enabling logging, okay, securing default remote access VPN profiles, and blocking connection attempts from identified malicious sources. Specific guidance involves implementing interface level ACLs using the shun command and configuring control plane ACLs to further fortify network defenses against unauthorized access attempts.

Moreover, Cisco suggests considering additional hardening implementations for RAVPN, such as adopting certificate based authentication to enhance the security posture against these ongoing cyber threats. So I will definitely be taking a. Much deeper look at these IOCs for my own personal network,

because yeah, this can apply to enterprises and this can apply to tech enthusiasts who set up VPNs to access their own home network. So let’s, uh, not to point any fingers at myself, but that’s definitely something I want to avoid being compromised. So if you’re hearing this, IOCs in the show notes and let’s stay ahead of this.

And that’s all we got for you today.

Tomorrow, we’re going to be releasing just a discussion episode about the key takeaways from HackspaceCon, which occurred last weekend. The two co hosts from this podcast were lucky enough to be able to attend and boy, were we inspired. So if you’re interested in hacking satellites or what kind of vulnerabilities satellites have.

Or other things that I never considered from a non space background. Be sure to check that episode out tomorrow.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.