Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Group-IB. Show all posts
Ransomware
Cyberattacks CyberCrime Cybersecurity Dark Web Group-IB malware Nokayawa Group RaaS Ransomware

From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind





A group of researchers responded to an ad offering the opportunity to join up with a RaaS operation and found themselves attending a cybercriminal job interview held by an organization that is one of the most active threat actors in the affiliate market today. At least five strains of ransomware have been created by the same individual known as "farnetwork". 

A Group-IB threat researcher posing as a member of the Nokoyawa ransomware group eventually became able to unmask the criminal after giving too many specifics to a Person-IB threat researcher pretending to be one of its affiliates.

Aside from being known by the alias of jingo, it has also been identified as jsworm and farnetwork, along with razvrat, piparuka, and piparuka. Upon learning that the undercover researcher had demonstrated they could not only escalate their privileges but also use ransomware to encrypt files and finally demand hard cash to get an encryption key, farnetwork was ready to reveal more details. 

The researcher at Group-IB, during his correspondence with the researcher from Farnetwork, discovered that Farnetwork already had a foothold in various enterprise networks, and was just looking for someone to help them take the next step - namely, deploying the ransomware and collect the money collected. 

There is a deal that would allow Group IB's team to make money by extorting money from victims and then giving 65% of the money to the Nokoyawa affiliate as well as 20% to the botnet owner and 15% to the ransomware owner. 

According to Group-IB's latest report, Nokayawa was only the latest ransomware operation farnetwork had been executing, and it was only the most recent of several, it explained. After a lengthy discussion with the threat actor, the team was able to assemble enough information about farnetwork's ransomware activities for the entire year of 2019. 

During their meeting with Farnetwork, the researchers were told that the company had been the recipient of ransomware payments totalling as much as $1 million in the past, as it has previously operated with Nefilim and Karma ransomware. 

There is also evidence that the crook has experience working with NEMTY and Hive. Group-IB has reported that it was behind JSWORM, Karma, Nemty, and Nefilim ransomware strains between 2019 and 2021 according to its Report on Ransomware Group. 

In addition, the report states that the RaaS program offered by Nefilim is responsible for over 40 victims alone. Farnetwork, which had been a part of the Nokoyawa operation since 2022, had found a new home with the company by last February and was actively recruiting affiliates for the program. 

In terms of the timeline of operations and the factors that have had an impact on this market, there is no doubt that farnetwork has made a significant contribution to the RDaaS market across the globe over the past couple of years. 

The RaaS operation at Nokoyawa has since been shuttered, and Farnetwork has announced it will retire soon. However, Group-IB researchers believe that he is going to appear again with another strain of ransomware shortly.
Read more »
Vulcan Cyber
AI ChatGPT Cybersecurity Firms Dark Web Data Breach Group-IB Inforstealers OpenAI Vulcan Cyber

100K+ ChatGPT Login Credentials Leaked to the Dark Web


A Singaporean cybersecurity company discovered that over the last few year, login credentials of more than 100,000 online users using chatbot like ChatGPT has been leaked and traded in the Dark Web.

According to the security researchers, infostealers illicitly acquire collect just anything, be it information of a target machine, cookies and browser history, documents and so on. Hackers frequently make money off of this kind of bounty by reselling it on the Dark Web as well as using it themselves. For instance, logs containing the user names and passwords of victims for some popular applications are frequently transmitted to online markets.

According to a blog post by cybersecurity firm Group-IB published on June 20, over 101,000 devices with compromised logins for OpenAI's flagship bot and were later traded on the Dark Web.

The aforementioned figure is apparently is “the number of logs from stealer-infected devices that Group-IB analyzed,” according to Dmitry Shestakov, Group-IB threat intelligence head.

“Every log contained at least one combination of login credential and password for ChatGPT,” he added.

A peak was apparently seen in May last year, where nearly 27,000 ChatGPT-related information was made available on the illegal marketplaces.

Less than 5,000 infected devices out of the whole sample size could be tracked back to North America. The two countries with the highest percentage of Asian origins were India (12,632) and Pakistan (9,217). Brazil (6,531), Vietnam (4,771), and Egypt (4,558) were other nations where a large number of ChatGPT credentials were disclosed.

However, compromised ChatGPT logins may well be the tip of the iceberg, since the cases of Web stealers are on a constant surge.

The researchers monitored 2,766 Dark Web stealer logs including compromised accounts in December of last year, the first month ChatGPT was made available to the general public. The following month, it went over 11,000, and two months later, doubled. The figure increased to 26,802 by May.

To conclude, this trendline is obviously jutting in one direction.

However, according to senior technical engineer at Vulcan Cyber, Mike Parkin, "Infostealers can be an issue, at least in part, because they're not as outwardly destructive as, say, ransomware, which is hard to miss. A well obfuscated infostealer can be much harder to detect, precisely because it doesn't make itself known." Reason being, its more likely for firm to ignore than some other types of malware, where they are likely to discover their sensitive data has been stolen only after it is too late.

Read more »
Phishing Attacks
APT attacks APT Group Cyber Attacks Dark Pink Dark Pink attacks Group-IB Phishing Attacks

Dark Pink: New APT Group Targets Asia-Pacific, Europe With Spear Phishing Attacks


A new wave of advanced persistent threat (APT) attacks has been discovered, that is apparently launched by a threat group named Dark Pink. 

The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. Along with these, one European country, Bosnia and Herzegovina was also targeted. 

Details Of The Attack 

The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘The Dark Pink.’  This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher. 

Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly. 

In regards to the attack, the Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB wrote of a custom toolkit "featuring four different infostealer: TelePowerBot, KamiKakaBot, Cucky, and Ctealer." 

These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks. 

Group-IB discovered one of Dark Pink's spear-phishing emails that were used to obtain the initial access. In this case, the threat actor purported to be a candidate for a PR and communications intern position. The threat actor may have scanned job boards and used this information to construct highly relevant phishing emails when they mention in the email that they found the position on a jobseeker website. 

This simply serves to highlight how precisely these phishing emails are crafted in to appear so dangerous. 

Reportedly, Dark Pink possesses the ability to exploit the USB devices linked to compromised systems. Moreover, Dark Pink can also access the messengers installed on the infected computers. 

Dark Pink APT Group Remains Active 

The Dark Pink APT group still remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the issue and estimating its size. 

The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack." 

Read more »
Visa
C2C Conti Ransomware Data Breach Dropbox Group-IB remote access Russia Source Code disclosure vulnerability Visa

Russian Groups are Plagued by OldGremlin Ransomware Threat

 

The new cyber-crime squad, known as OldGremlin, is actively targeting banks, medical institutions, software developers, and industrial firms, among other targets. The gang differentiates from all other ransomware groups by launching a limited number of campaigns – just under five since early 2021 – which solely target Russian firms and employ proprietary backdoors developed in-house.

OldGremlin has claimed ransoms as large as $3 million from one of its victims, despite being less active, which may indicate the ransomware business is approaching moonlighting. Two phishing attacks that were conducted near the end of March 2022 constitute the most current OldGremlin activities. It might be too early to say how many organizations were attacked, but security experts say roughly one Russian mining corporation is on the list of victims. The adversary did not deviate from its previously observed strategy of exploiting trending news topics to gain initial access. 

As per cybersecurity experts at Singapore-based cybersecurity firm Group-IB, this time OldGremlin scammed a senior auditor at a Russian financial organization, advising that the Visa and Mastercard payment service systems will be suspended due to recent sanctions placed on Russia.

The email directed recipients to a malicious Dropbox document that downloads TinyFluff, a backdoor that opens the Node.js interpreter and grants the attacker remote access to the target system. The email then allowed OldGremlin remote access to the machine via a malicious file that used a backdoor known as "TinyFluff," which the gang upgraded from a prior backdoor known as "TinyNode." The target receives a ransom note once the attacker has gained access to the system and has access to system data. A mining business, according to Group-IB, is one of the possible victims. 

Another well-known ransomware group, NB65, has been trying to frustrate Russian operations, including the alleged theft of 900,000 emails and 4,000 files from the state-owned television and radio broadcasting network VGTRK. In March, the organization exploited released source code from the Conti Ransomware gang – a Russia-linked threat actor — to create distinct ransomware for the first time. 

The researchers can study the directives for these steps of the assault using a traffic sniffer because they are provided in cleartext.
  • Gathering data on the infected system or device. 
  • Collecting information about the drives that are connected.
  • Executing a command in the cmd.exe shell and passing the output to the command and control server (C2) 
  • Receiving information about the system's installed plugins.
  • Obtaining information about files on the system drive's specified folders puts an end to the Node.js interpreter.
  • Before executing the last step of the assault, TinyCrypt/TinyCryptor, the group's proprietary ransomware payload, OldGremlin can spend months within the infiltrated network. 
The gang only ran one phishing effort in 2021, but it was enough to keep them occupied for the entire year as it gave them initial access to a network of various firms. Apart from the target Russian mining company, Group-IB believes that a higher number of OldGremlin victims will be discovered this year as a result of the group's March phishing operation. 
 
The researchers believe OldGremlin has Russian-speaking members based on the evidence they collected and after examining the quality of the phishing emails and decoy papers. They called the group's understanding of the Russian terrain "astonishing." OldGremlin defies the mold by focusing solely on Russian businesses including banks, industrial corporations, medical institutions, and software producers.
Read more »
Ukraine
Anonymous Cyber Security CyberWar DDOS Attack Government Sites Group-IB Hacker group Russia Ukraine

Expert Opinion: The Consequences of the War of the Hacker Group Anonymous against Russia

 

Anonymous hacktivists announced on Twitter about the beginning of the war with Russia because of the special operation in Ukraine. The group is known for its massive DDoS attacks, declassification of government documents, and hacking of politicians' accounts. Information security experts told how Anonymous can harm Russia. 


Information security experts are confident that a real threat may be hiding behind the Anonymous statement. "Government websites, government online services such as Gosuslugi, email, social media accounts of politicians, websites and IT infrastructure of state banks and defense companies can be attacked", said Sergey Nenakhov, head of the information security audit department of Infosecurity a Softline Company. 

According to him, this community has repeatedly manifested itself earlier in hacktivism, hacking government websites, e-mails of politicians from different countries. They also manifested themselves in the online fight against the Islamic State organization (it is banned in Russia), obtaining and publishing information about members of the terrorist organization. 

Group-IB noted that the danger lies in the fact that other groups, including pro-state hacker groups targeting critical infrastructure facilities, may operate under the guise of Anonymous. 
"As for Anonymous, they act as follows: first, in public communities, for example, on Twitter, they call for attacks on certain organizations as part of a particular campaign. In order for users to easily identify these attacks, they usually use special hashtags for each event and the hashtag Anonymous. These campaigns can be joined by young hackers without professional skills and abilities. However, the strength of such actions lies precisely in the mass character of hacktivists," the company explained.

Fedor Dbar, commercial director of Security Code, believes that much will depend on whom the group will carry out the attacks. "The most serious consequences could be caused by attacks on critical information infrastructure (CII) facilities, but it cannot be said that tomorrow we will be left without electricity or electricity."
Read more »
Winter Olympics
Cyber Fraud Fraudulent Scheme Group-IB Phishing and Spam Tokyo Olympics Winter Olympics

Group-IB Found 140 Resources with Fraudulent Schemes under the Guise of Olympic Games Broadcasts

 

Group-IB experts have identified 140 resources in the network that, under the guise of live broadcasts of the Winter Olympic Games in Beijing, redirect users to fraudulent and phishing sites. Most of the dangerous resources are already blocked. 

"After the opening of the XXIV Winter Olympic Games in Beijing, the specialists of the Information Security Incident Response Center (CERT-GIB) found 140 active resources that were used to host illegal broadcasts, and therefore for scamming and phishing. In total, 289 sites could potentially be involved in the scheme," said experts. 

The largest fraudulent network is Kinohoot, which includes over a hundred resources. During the Summer Olympic Games in Tokyo, CERT-GIB specialists found 120 resources of the same type created for conducting fraudulent live broadcasts. 

Group-IB explained that the user sees on one of the pages of the hacked resource a video player window with an embedded link to the live broadcast and symbols of the Winter Olympic Games. Users must register, enter the phone numbers and indicate a special access code to watch the broadcast. This leads the victim to phishing resources. 

Attackers can offer users to participate in the drawing of free access to broadcasts, and to receive a cash prize, the user must pay a conversion fee, which is usually 300-500 rubles ($4-7), and enter bank card data on a phishing resource, or send an SMS to the specified number. Instead of broadcasting, the victim is connected to various paid services and subscriptions. 

"Such Internet scams have been known for quite a long time, but scammers constantly adjust their schemes to popular or significant events in the world and, of course, use newly registered domains for this. In this scheme, in order to gain the trust of the victim, the redirect is often placed on legitimate hacked sites, for example, universities (Ecuadorian Universidad Esp ritu Santo or Indonesian Universitas Muhammadiyah Yogyakarta), charitable foundations and non-profit organizations (African Studies Association)," said the head of CERT-GIB Alexandra Kalinina. 

Group-IB experts recommend to follow sporting contests of the Olympic Games only on official resources, as well as to be wary of draws and not to enter the data of bank cards and personal data on suspicious sites.

Read more »
Russian Hackers
Cyber Attacks Darknet Group-IB Ransomware REvil REvil Hacker group Russian Hackers

The Reaction of Russian Hackers to the Arrests of REvil Became Known


Russian hackers have made their own security issues a priority after the arrests of other cybercriminals, including from the REvil group. Dmitry Volkov, CEO, and founder of Group-IB spoke about this reaction of the darknet to the events taking place. "Security and anonymity have become priorities after the precedents with the shutdown of REvil servers, the arrests of members of the group, as well as the detention in Russia of criminals who helped to cash out the incomes of cybercriminals. Another catalyst for this was the release of the fight against ransomware to the state level,” Mr. Volkov said. 

At the same time, partner programs that distribute ransomware on the dark web have become more closed. Now only those who are personally acquainted with its organizer can take part in such a project. According to Group-IB analysts, all this is happening against the background of the consolidation of the darknet around ransomware and the groups involved in it. 

"The entire criminal underground unites around ransomware. Everyone found a job: both those who sell access to hacked companies, those who attack them, and those who negotiate for ransom or post stolen data on the darknet. New groups will constantly appear in this market, reassembled from previous associations," Mr. Volkov is sure. 

According to Group-IB, the main list of victims at the country level, as well as the industry preferences of hackers remained unchanged. Globally, almost half of ransomware attacks are in the US (49.2 percent in 2021). Canada (5.6 percent) and France (5.2 percent) followed closely behind. Manufacturing enterprises are most often attacked (9.6 percent of attacks), the real estate sector (9.5 percent), and the transport industry (8.2 percent). 

"This became apparent after the ransomware attack on a hospital in Germany, which killed a person, and also after the attack on the Colonial Pipeline, which attracted the attention of US authorities. At the same time, individual groups, of course, can violate these unspoken prohibitions,” Mr. Volkov concluded.
Read more »
United States
Carding Cyber Crime Group-IB Hacker group Russia Russian Hacker The Infraud Organization United States

Suspected Founder of Hacker Group The Infraud Organization Arrested in Moscow

 

It became known that Russia will not extradite the possible leader of the hacker group The Infraud Organization to the United States. Russian FSB officers and Russian law enforcement agencies, with the assistance of US law enforcement agencies, detained four members of the hacker group The Infraud Organization on January 22. Prior to that, the alleged founder Andrei Novak was put on the wanted list in the United States on charges of cyber fraud. 

According to the FSB, Novak has been arrested, and three other alleged hackers have been placed under house arrest. The investigation continues to identify other members of The Infraud Organization. The detained members of the group are accused of illegal access to computer information and illegal turnover of payment funds. 

Russia has no plans to extradite Andrei Novak, the possible leader of the international hacker group The Infraud Organization, to the United States. Thus, Russian law prohibits the extradition of citizens of one's own country to a foreign state. 

It is noted that if among the detained members of the organization there is a person without Russian citizenship, then after the investigation of a criminal case in Russia and the trial he will be extradited to the country where the case was opened against him. 

It is worth noting that in February 2018, it was reported that law enforcement officers detained 13 persons in the United States accused of involvement in a criminal scheme, the damage from which amounted to at least $530 million. In total, 36 people have been charged, and one Russian, Andrei Novak, was included in this list. 

The detained 13 people are citizens of the United States, Australia, Great Britain, France, Italy, and Serbia. The criminal group was organized by a citizen of Ukraine in 2010. 

The company Group-IB, which in Russia is engaged in the investigation and prevention of cybercrime (its founder Ilya Sachkov was arrested in Russia on charges of treason), said at the time that the defendants were not an organized group, but united on hacker sites solely to carry out attacks. Group-IB suggested that their main field of activity could be carding. In addition, cybercriminals could manage cardershops (sites for the sale of bank cards), sell accounts and accounts.
Read more »
Subscribe to: Posts (Atom)