Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cyberspace. Show all posts

MCA to Strike Off 400 Chinese Companies for Fraud in India

 

The Ministry of Corporate Affairs (MCA) is preparing to strike off as many as 400 Chinese companies operating in India due to severe financial irregularities and incorporation-related fraud. These companies, which primarily deal in online loans and job services, are spread across 17 states, including key areas such as Delhi, Mumbai, Chennai, Bengaluru, Uttar Pradesh, and Andhra Pradesh. According to a report by Moneycontrol, which cited an anonymous government official, the action is expected to be completed within the next three months. 

The MCA has been investigating nearly 600 Chinese companies, focusing on those involved in digital lending and online job platforms. The official stated that the investigation phase has concluded, revealing that 300 to 400 of these companies are likely to be struck off the register. 

The primary reasons for this drastic action include predatory lending practices, financial fraud, and violations of India’s financial regulations. These Chinese companies have come under scrutiny for a variety of reasons. Many of them have been accused of engaging in aggressive tactics to recover loans, imposing exorbitant interest rates on borrowers, and resorting to harassment. 

Additionally, several companies have been found to have Indian directors but operate with Chinese bank accounts, with no recorded financial transactions in India. This has raised suspicions of money laundering and other financial crimes. Furthermore, some companies were not found at their registered office addresses, while others were discovered to be investing in businesses unrelated to their stated purpose, further indicating potential financial fraud. 

Under Section 248 of the Companies Act, the process of striking off a company from the register takes approximately three months. The MCA first issues a notice to the company, allowing time for a response. If the company fails to respond, a second notice is sent after one month. Should there be no reply even then, the company is removed from the register.  

This sweeping action by the MCA underscores the Indian government’s ongoing efforts to regulate the digital lending space and ensure financial transparency, particularly in light of the growing concerns around the proliferation of predatory lending apps in the country.

Cyber Militarization: Navigating the Digital Battlefield

Technology and the internet are now ubiquitous, creating vulnerabilities and enabling the militarization of cyberspace. This trend poses a number of threats to global security, including accidental or deliberate conflict between states, empowerment of non-state actors, and new arms races. The international community must cooperate to address this issue, developing norms and rules, building trust, and investing in cybersecurity.

Cyberspace once considered a relatively neutral domain for communication and information sharing, is now increasingly becoming a battlefield where nation-states vie for power and influence. The articles linked in this discussion shed light on the complex issue of militarization in cyberspace.

Kaspersky, a leading cybersecurity company, delves into the subject in their blog post, "How to Deal with Militarizing Cyberspace." They emphasize the growing concerns about the use of cyberspace for military purposes, such as cyberattacks and espionage. This article emphasizes the need for international cooperation and cybersecurity measures to address the challenges posed by this evolving landscape.

In the blog post from EasyTech4All, titled "The Inevitability of Militarization of CyberAI," the focus is on the convergence of artificial intelligence and cyber warfare. It highlights the significant role AI plays in enhancing military capabilities in cyberspace. This shift underlines the need for discussions and regulations to govern the use of AI in military operations.

Additionally, the document from the Cooperative Cyber Defence Centre of Excellence (CCDCOE) titled "The Militarization Of Cyberspace" offers an in-depth examination of the historical context and evolution of militarization in cyberspace. It explores the various facets of this phenomenon, from the development of offensive cyber capabilities to the establishment of cyber commands in military structures.

The militarization of cyberspace raises critical questions about the use of cyber tools for aggressive purposes, the potential for escalation, and the importance of international agreements to prevent cyber warfare. The interconnectedness of the global economy and critical infrastructure further amplifies the risks associated with cyber warfare.

To address these challenges, a multi-faceted approach is essential. This includes the development of international norms and regulations governing cyber warfare, cooperation between nations, investment in cybersecurity, and continuous monitoring of cyber threats.

Cyberspace militarization is a complex and evolving issue that requires our attention. By exploring the articles and materials provided, we gain a glimpse into the many facets of this challenge, from its historical roots to the use of AI in warfare. As technology advances, it becomes increasingly important to use cyberspace in an ethical and responsible manner. It is up to us all to ensure that the digital realm remains a force for good and progress, rather than a catalyst for instability and conflict.

China's Assessment of Micron's Security Was Rejected

 


As a result of Micron's failure to pass a security review, the Chinese government has banned the company from supplying memory chips to local industries that are critical to the country. 

The Chinese cyberspace regulator has announced that it will bar operators of key infrastructure from buying products made by American memory chipmaker Micron Technology Inc. (MU.O). Micron Technology Inc. is an American memory chip maker with international reach. 

Washington is looking to cut off Beijing's access to the most advanced semiconductors to limit its access to the United States' advanced chip manufacturing facilities. Despite the ongoing chip war between the two nations, the probe represents the latest effort by investigators to escalate the crisis. 

As a result of the incident, China tightened its enforcement of anti-espionage and national security laws, tightening its control over international espionage. 

In a report by the news agency Reuters, the US government has instituted a series of export controls on certain American components and chipmaking tools to prevent them from being used to advance China's military capabilities, following a series of export controls by the USA on certain American components and chipmaking tools. 

There was an additional phase in the bitter chip war between the United States and China. Washington was attempting to prevent Beijing from having access to top-of-the-line semiconductors and the latest technology.    

Chinese authorities launched a review of Micron, one of the world's largest chip manufacturers, in March last year. This was following several complaints related to its products available in the country.   

From transportation to healthcare, critical information infrastructure is broadly defined as the network infrastructure that supports the system of the country.   

On Monday, shares in several local chipmaker-related companies rose as a result of the move. Shares in corporations including Gigadevice Semiconductors, Ingenic Semiconductors, and Shenzhen Kaifa Technology opened up by 3% to 8% on Monday, according to Reuters. 

Based on Micron's financials for the year ended March 31, 2013, it was estimated that China contributed approximately 10 percent of Micron's USD 30.8 billion revenue. 

It was unclear whether the cybersecurity watchdog's decision would affect sales to foreign customers since a large portion of Micron products sold in the country were purchased by foreign manufacturers, analysts said earlier. Even if the decision does affect sales, the effect may not be felt for some time. 

Earlier this year, the Chinese government announced that it would pay more attention to protecting the critical infrastructure of its information systems by enforcing stricter data security regulations. There has been a recent intensification of its enforcement of its anti-espionage and data security laws, which have been implemented as well. 

During the last year, China and the United States stepped up their chip war by imposing restrictions on Chinese access to high-end chips, chipmaking equipment, and software used in the design of semiconductors. Yangtze Memory Technologies Co Ltd, a rival of Micron, was also placed on a blacklist by the United States government. 

Despite the high level of risk that the Chinese armed forces and intelligence services may possess technology that could be used in developing advanced military equipment, Washington cited national security concerns and insisted that it wanted to prevent the acquisition of such technology. 

One of the largest chip manufacturers in the world, Micron, has been surveyed by Chinese authorities regarding products sold within the country by the company. 

Based on the review, the Cyberspace Administration of China (CAC) concluded that Micron's products pose significant security risks to China's critical information infrastructure supply chain, affecting the safety and security of the country's key infrastructure, an influence that could adversely affect China's national security. 

Several manufacturers of semiconductor technology equipment, such as the Netherlands and Japan, have recently announced new restrictions on the export of certain products, although neither of them named China as a major source of these restrictions. 

There has been a lot of opposition from Beijing to Washington's controversial move, which Beijing has called "bully tactics" and declared as "technological terrorism", saying it is not only strengthening its resolve to self-sufficiency in the sector but also strengthening US business interests.

There have been billions of dollars invested in domestic chip companies over the past few decades by the Chinese government to build up a robust semiconductor industry domestically. 

It is expected that by the year 2030, the chip industry in the world will generate a $1 trillion market, a figure that can be attributed to the fact that chips are the lifeblood of modern global economies, powering everything from cars to smartphones. 

In response to the ban, the United States opposes it; Micron is committed to engaging in negotiations with China. There was strong opposition to the Micron ban from the US Commerce Department. 

A spokesperson for the Commerce Department said in a statement that "we strongly oppose restrictions that have no basis in fact." China claims that they are open to a transparent regulatory framework and that they are committed to a transparent regulatory framework, which contradicts this action, along with raids and targetings of other American firms that have been reported in the past. 

It is now the department's responsibility to clarify the actions of the Chinese authorities in Beijing directly through direct communication with them.  

Beijing, which is China's largest manufacturer of semiconductors, has been forbidden from buying cutting-edge semiconductors as part of the US-China trade dispute. It's the latest escalation between the two countries. 

Despite Micron's review by the CAC, the company said it was looking forward to engaging with Chinese authorities in further discussions following its receipt of the review. The company said in a statement that it is evaluating the conclusion of the investigation and determining what we should do next.

APT Groups Tomiris and Turla Target Governments

 


As a result of an investigation under the Advanced Persistence Threat (APT) name Tomiris, the group has been discovered using tools such as KopiLuwak and TunnusSched that were previously linked to another APT group known as Turla. 

Positive results are the result of an investigation conducted into the Tomiris APT group. This investigation focused on an intelligence-gathering campaign in Central Asia. As a possible method to obstruct attribution, the Russian-speaking actor used a wide array of malware implants that were created rapidly and in all programming languages known to man to develop the malware implants. A recently published study aims to understand how the group uses malware previously associated with Turla, one of the most notorious APT groups. 

Cyberspace is a challenging environment for attribution. There are several ways highly skilled actors throw researchers off track with their techniques. These include masking their origins, rendering themselves anonymous, or even misrepresenting themselves as part of other threat groups using false flags. Adam Flatley, formerly Director of Operations at the National Security Agency and Vice President for Intelligence at [Redacted], explains this in excellent depth. Adam and his team can determine their real identities only by taking advantage of threat actor operational security mistakes. 

Based on Kaspersky's observations, the observed attacks were backed by several low-sophisticated "burner" implant attacks using different programming languages, regularly deployed against the same targets by using basic but efficient packaging and distribution techniques as well as deployed against the same targets consistently. Tomiris also uses open-source or commercial risk assessment tools. 

In addition to spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), Tomiris uses a wide range of other attack vectors. Tomiris' creative methods include DNS hijacking, exploiting vulnerabilities (specifically ProxyLogon), suspected drive-by downloads, etc. 

To steal documents inside the CIS, the threat actor targets governments and diplomatic entities within that region. There have been instances where victims have turned up in other regions (overseas as the Middle East and Southeast Asia) only to be foreigners representing the countries of the Commonwealth of Independent States, a clear indication of Tomiris's narrow focus on the region. 

An important clue to figuring out what's happening is the targeting. As Delcher explained, Tomiris focuses on government organizations in CIS, including the Russian Federation. However, in the cybersecurity industry, some vendors refer to Turla as a Russian-backed entity. A Russian-sponsored actor would not target the Russian Federation, which does not make sense. 

According to Delcher, it is not simply an educational exercise to differentiate between threat actors and legitimate actors. A stronger defense can be achieved through the use of such software. There may be some campaigns and tools that need to be re-evaluated in light of the date Tomiris started utilizing KopiLuwak. In addition, there are several tools associated with Turla.

Threat from Cyberspace Pushing Data Budgets Up and Delaying Digital Transformation

 

A new report has revealed that the cost of data backup is rising due to the growing threat from cybercrime. This includes the requirement to guarantee the consistency and dependability of hybrid cloud data protection in order to counteract potential losses from a ransomware attack. 

More than 4,300 IT leaders were polled for the Data Protection Trends Report, and many of them claimed that there was a "availability gap" between how quickly their businesses needed a system to be recovered and how quickly IT could get it back online. This issue is serious because, according to the survey, 85% of respondents experienced a cyberattack in the previous year. 

Making sure the data protection provided by Infrastructure as a Service and Software as a Service solutions corresponds with that provided by workloads focused on data centres was one of the top priorities for IT leaders polled for the survey this year.

More than half of those surveyed in the study, which was commissioned by data protection software vendor Veeam, also mentioned a "protection gap" between the amount of data they can lose and the frequency with which IT protects it. These gaps, according to more than half of those surveyed, have led them to consider switching primary data protection providers this year.

Many of those surveyed claimed that ransomware is "winning," with cyberattacks causing the most significant outages for businesses in 2020, 2021, and 2022, despite all of these efforts to increase backup reliability and spend on cybersecurity tools. 

Hackers' increasing threat to data budgets

In the past 12 months, at least 85% of all study participants reported experiencing an attack, up from 76% the year before. Data recovery was noted as a major concern, with many claiming that only 55% of encrypted data was recoverable following a ransomware attack.

This was partially due to the increase in attacks. Due to the strain that ransomware protection and recovery put on budgets and staff, it is also harder to implement digital transformation. Resources intended for digital transformation initiatives have been diverted as IT teams must concentrate on the unstable cyber security landscape. 

According to Veeam's researchers, cyberattacks "not only drain operational budgets from ransoms to recovery efforts, but they also reduce organisations' ability to modernise for their future success, forcing them to pay for prevention and mitigation of the status quo."

With 52% of respondents already using containers and 40% of organisations planning to do so soon, Kubernetes is proving to be one of the major forces behind bettering data security strategies. Despite this, the report's authors discovered that most organisations only protect the underlying storage rather than the workloads themselves. 

The CTO and senior vice president of product strategy at Veeam, Danny Allan, stated that "IT leaders are facing a dual challenge. They are building and supporting increasingly complex hybrid environments, while the volume and sophistication of cyberattacks is increasing. This is a major concern as leaders think through how they mitigate and recover business operations from any type of disruption.”

Web3: Cybercrime May Come to an End, Here’s How

 

Cybercrime has increasingly surged at a high rate in the U.S. Annually, cybercrime amounts to damage worth trillion dollars. One of the top cyber threats has been digital identity theft, in which threat actors leverage the stolen personal information of the victims, with the intent of causing financial havoc. 
The issue of cybercrime has persisted over the years and is certainly not going away anytime soon. In regard to the issue, the CEO of Sony, said, “the solution to cybercrime isn’t two-factor identification or your mother’s maiden name. The solution to cybercrime lies in the transition to Web3.” 

What is Web3?  


Web3, also known as Web 3.0 serves as the succeeded iteration of the internet after Web 2.0. While Web 2.0 is marked as a centralized internet model in which most of the data, content, and other services are controlled by some of the internet giants, also referred to as ‘Big Tech.’ 

WWe3 on the other hand can be described as a decentralised version of the internet, allowing users to communicate with one another in a secure, peer-to-peer environment.  

How are users vulnerable to Web2? 

Since a “digital identity” in Web2 includes more than just a username and a profile picture, a user is supposed to enter a verifiable email address in order to create an identity.  

Certainly, there is no limit to how many email addresses can one user make. Most of the users have multiple email addresses, serving different purposes, such as personal usage, work communication, spam filtering, etc. 

As there is no method to confirm that the person logging in is who they claim to be, beyond the two-factor identification, employing this means anyone with the credentials can get into any of these emails.  

Adding to the misery, once a company gets hold of a user’s personal data, he practically has no control over it. Thus, personal information is sold for the sake of targeted adverts. The data access and secondary sale increase the opportunities for a threat actor to exploit it. 


How is Web3 solving the problem?  


Login security: Centralized authorities would not control the user in the future. It will be as simple as utilising a biometric unlock with the use of DIDs and Blockchain-backed verification.  

Bots are always searching the internet for stray credentials that they may use to access bank accounts, emails, and other accounts. This will be stopped in its tracks by consolidated digital identities that are accessed by biometric logins.  

Control and Monetization of User Data


With the consolidated digital identity, a user can now utilize the data as they see fit, since he has overall control over who sees the data and who has to pay for the same. For an instance, one could build a decentralised ad network on Web3 and allow users to either opt in or out of the system.  

Although, Web3’s growing popularity is being considered the ‘next big revolution’, in digital tech, for its take on making lives easier for the unbanked and others involved in it. It still needs much improvement in regard to risks pertaining to the loopholes and potential vulnerabilities that could cause a great many problems in the future.

Russian Group Attack on Bulgarian Refugee Agency

 

A ransomware group that shares strong ties with Russia warned on Wednesday that it will publicly post the files it has stolen from the Bulgarian government agency that is responsible for the refugee management.

LockBit 2.0 published a notice on the dark website saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read under the group’s trademark bright red countdown clock, which has a May 9 publication date. It's worth noting that there was no specific post for a ransom demand. 

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February and approximately 230,000 fled to Bulgaria, while 100,700 are remaining in the country. 

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Press contacted an official for a comment on the same matter but the agency didn’t immediately respond to the email. Later, a spokesperson at the Bulgarian embassy in Washington, D.C., said that he did not have information on the incident and would look into the matter. 

LockBit 2.0 is an updated version of LockBit, a ransomware variant that first was spotted in September 2019, as per the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, LockBit is famous for the file extension appended to encrypted files, with the extension later updating to “LockBit”.  Moreover, in September, the group made headlines for launching its own leak website. 

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Britain’s National Health Service Hit by Massive Phishing Campaign

 

The National Health Service (NHS) of the United Kingdom witnessed a large phishing campaign for months. The threat actors have been using official NHS accounts to send phishing emails to unsuspecting third parties, it became a massive campaign in March. 

However, the campaign could have been much larger, as INKY reported in their findings. It’s safe to say that the total iceberg was much bigger than the tip we saw, INKY added. 

“We have processes in place to continuously monitor and identify these risks. We address them in collaboration with our partners who support and deliver the national NHSmail service. NHS organizations running their own email systems will have similar processes and protections in place to identify and coordinate their responses, and call upon NHS Digital assistance if required." 

NHS released the statement after INKY shared its findings with the institution. Further, NHS and its investigation bench have released statements, in which it said that their team was able to discover that the group did not compromise the mail server but rather individually hijacked accounts. 

It is between October 2021 and March 2022, that INKY successfully detected 1,157 phishing emails originating from NHSMail, the NHS email system for employees based in England and Scotland. Last year, this service was changed from an on-premise installation to Microsoft Exchange Online. This security change could have been a factor in the attack. 

After the finding, INKY had reported it to the NHS on April 13, and by April 14, the institution witnessed a sharp decline in the number of attacks, as the NHS took measures to curb them. However, INKY users were still receiving a few phishing emails from the NHS mail domain. 

Following the attack, INKY has shared information regarding phishing campaign tricks which makes things easier for the group to lure the target. The threat actors use brand logos and trademarks to impersonate well-known brands. 

Credential harvesting and hijacked accounts play a key role in malicious activities. The group has further suggested Email users always check a sender’s email address carefully before sending and opening attachments.

IsaacWiper, The Third Wiper Spotted Since the Beginning of The Russian Invasion

 

Recently, ESET cyber researchers have discovered a new data wiper, named as IsaacWiper, that is being used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine. 

After the HermeticWiper attack, the new wiper came to light on 24th February within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which contaminated hundreds of machines in the country on February 23. 

The cybersecurity firms ESET and Broadcom’s Symantec have discovered that the infections followed the DDoS attacks against various Ukrainian websites, including the Cabinet of Ministers, Ministry of Foreign Affairs, and Rada. 

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.” 

The organization has revealed the technical details of the second attack on 1st March. It said that based on the observations it looks like the attacks were planned for months, though the organization did not name any particular entity or group for the attack. IsaacWiper and HermeticWiper have no code similarities and the former is less sophisticated than the latter. 

Once the network is infected, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. 

Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator. The ESET has published concluded analysis report,  saying that “at this point, we have no indication that other countries were targeted. However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entity.” 

Android Malware in Google Play Stealing Victim's Data

 

Cyber threat intelligence warned the users that an Android banking malware ‘TeaBot’ stealing users' private data and SMS messages has been downloaded thousands of times via Google Play Store. According to the experts, 'TeaBot,' is an Android banking trojan that first came to be known at the beginning of 2021 as a trojan designed to steal victims' text messages. 

According to the online fraud management and prevention solution Cleafy, in the initial phase, TeaBot was distributed through smashing campaigns using a predefined list of lures, such as VLC Media Player, TeaTV, DHL and UPS, and others. 

Following the incident, the researchers said that "In the last months, we detected a major increase of targets which now count more than 400 applications, including banks, crypto exchanges/wallets, and digital insurance, and new countries such as Russia, Hong Kong, and the US." 

From February, TeaBot Trojan has started supporting new foreign languages including Russian, Mandarin Chinese, and Slovak. It helps cybercriminals in displaying custom messages during the installation phases. 

On February 21, the Threat Intelligence and Incident Response (TIR) team from Cleafy has detected an application and published it on the official Google Play Store, which was acting as a dropper application delivering TeaBot with a fake update procedure. Once downloaded by the user, the dropper will ask them to update immediately through a popup message. 

"The dropper lies behind a common QR Code & Barcode Scanner and it has been downloaded more than 10,000 times. All the reviews display the app as legitimate and well-functioning," the team added.

Nvidia Confirms Company Data Was Stolen in a Breach

 

Last week Chipmaker company Nvidia witnessed a cyberattack that breached its network. The company has confirmed that the intruders got access to proprietary information data and employee login data. 
As the breach came to light last week, the organization attributed the security breach to a threat group called "Lapsus$".

“We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online,” the company said in a statement. 

However, as of now, Nvidia didn’t produce any specific details of the stolen data. Meanwhile, LAPSUS$, the alleged culprit, has claimed that it has looted 1TB of data, including files related to the hardware and software belonging to the organization. Following the incident, Lapsus$ started demanding ransom in cryptocurrency in order to prevent the data from being published online. However, Nvidia has not confirmed its stance or response to the demands made by the hackers. 

The primary purpose of a ransomware attack is to encrypt the victim's credentials and threaten to permanently delete it unless a ransom is paid, often in Bitcoin due to the relative anonymity that cryptocurrency provides. Additionally, the threat groups use Ransomware attacks to steal the victim’s data and then threaten to release sensitive details in public unless certain demands are met. Either way, it amounts to extortion. 

According to the sources, the organization did not confirm technical details yet, therefore, it is difficult to confirm anything as of present. However, as a matter of concern, the information related to the attack continues to trickle out. For instance, some of the leaked data contain references to future GPU architectures, including Blackwell. Also, an anonymous source has apparently sent what they claim is proof of stolen DLSS source code to the folks at TechPowerUp. 

"We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time," NVIDIA initially said.

Microsoft: Russian FSB Hackers Compromising Ukraine Since October

 

Microsoft recently reported that a group of cybercriminals that are controlled by Russian intelligence known as Gamredon has been targeting various organizations in Ukraine, including a western government entity. 

The group is behind a streak of spear-phishing emails attacking Ukrainian entities since October 2021. Linked by Ukraine's security (SSU) and secret (SBU) services to Russia's Federal Security Service (FSB), the country's domestic intelligence service, this cybercriminal group is also known as Armageddon, ACTINIUM, and Primitive Bear. 

According to the report, in recent months, the military advisers and cyber threat experts from the United States and other allies have been sent to Ukraine to help defend against Russian forces, now massed on the neighboring country's borders. 

In a report issued on Friday, Microsoft Corp (MSFT.O) said the group has been designed to obtain private data from various departments of the government entities, military, and non-governmental organizations in Ukraine since the last October. The report has shown a screenshot of one such attempt, in which an email can be seen, embedded with malicious links, impersonated as an official notification from the World Health Organization (WHO) on the COVID-19 pandemic. 

"MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations," Microsoft added. 

"Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis." 

In November, Ukrainian security services had publicly imputed Gamaredon to a team of Russian Federal Security Service intelligence from Crimea. In this regard, the Russian Embassy in Washington did not respond immediately. 

“They were officers of the ‘Crimean’ FSB, as well as traitors who sided with the enemy during the occupation of the peninsula in 2014,” Ukraine's security service said in a November news release, publicizing leaked audio of the hackers.

Walmart Dissects New 'Sugar' Ransomware

 

The cyber threat researchers’ team at retail giant Walmart has found a new variant of ransomware named Sugar, which is available to threat actors as a ransomware-as-a-service (RaaS). 

Ransomware as a Service (RaaS) is a way for threat actors to make a lot of money from ransomware while reducing their own efforts. According to the data, this new variant of ransomware was initially dictated in November 2021, but the organization had no technical details before. 

The Sugar ransomware format is written in Delphi and also borrows objects from the other families of ransomware. Furthermore, unlike the other ransomware families, the new variant Sugar primarily targets individual computers instead of entire enterprises networks, but it is equally dangerous, especially since it is offered as a RaaS. Walmart said in its findings that the threat actors are using crypter which is one of the most interesting features of Sugar. 

The crypter is being used because it has code reuse from the ransomware itself which makes it significantly more interesting than your typical crypter. It also employs a modified version of the RC4 encryption. Because of that, the team of researchers thinks there are possibilities that the Sugar ransomware and its crypter are controlled by the same threat group, or the crypter is being offered to affiliates as part of the service. 

“The malware is written in Delphi but the interesting part […] was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates,” Walmart’s researchers noted. 

Why is Ransomware as a Service so dangerous? 

In just a few years Ransomware as a Service (RaaS) has become very prevalent among cybercriminals since its first attack, Cryptolocker, was identified in 2013. Researchers said that 3-4 new ransomware families are now being distributed through RaaS channels. 

It has been observed that the number of cases has been increased in recent years and at large numbers, networks are being compromised, which is a highly alarming behavior that indicates the involvement of professional malicious actors.