
Angry Developer Leaks LockBit Ransomware Builder

The builder for version 3.0 of the LockBit encryptor, known as LockBit Black, has been leaked online. According to LockBitSupp, the ransomware operation's public representative, the leak was not the work of an outside hacker but of a disgruntled developer.

About LockBit Black Builder 

LockBit Black was in testing until June and added numerous features, including auto-analysis, a ransomware bug bounty program, and new methods of extortion.

The leaked builder is distributed as a password-protected 7z archive, LockBit3Builder, containing four files: a batch file, the builder itself, a modifiable configuration file, and an encryption key generator. Together they let a user build the executables needed to run their own operation: an encryptor, a decryptor, and tools for running the decryptor in specific modes.

LockBit Ransomware’s Builder Leaks

A recently registered Twitter account, @ali_qushji, drew the attention of security researchers at 3xport after its owner, Ali Qushji, claimed that his team had breached LockBit's servers and found a builder for the LockBit 3.0 ransomware encryptor.

“Unknown person @ali_qusji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) ransomware,” the tweet read.

On September 10, researchers at VX-Underground were allegedly contacted by a user named protonleak (@protonleaks1), who shared a copy of the builder. The research group further stated that the ransomware gang itself was not hacked; rather, the private builder code was leaked by one of the group's developers.

The developer had allegedly been hired by the LockBit ransomware group, became discontented with its leadership, and leaked the builder in response.

"We reached out to LockBit ransomware group regarding this and discovered this leaker was a programmer employed by LockBit ransomware group [...] They were upset with LockBit leadership and leaked the builder," VX-Underground tweeted.

Threat to the Ransomware Operators

According to John Hammond, a security researcher at Huntress Labs, "This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files[...] Anyone with this utility can start a full-fledged ransomware operation."   

The leak consequently poses a threat in its own right, as the builder code is now accessible to other ransomware operators, and many new variants built from it are likely to circulate soon. At the same time, the leaked builder gives security researchers a chance to analyze the ransomware more thoroughly and to develop better tooling against future attacks.

Foreign hackers are increasingly disguising themselves as “Russians”

Specialists at the information security company Positive Technologies found that foreign hacker groups organized and motivated for targeted attacks, the so-called Advanced Persistent Threats (APT), have begun to use infrastructure located inside the Russian Federation more often in attacks on Russian organizations.

An APT is a complex targeted threat, regularly organized by entire states. Positive Technologies recorded three such incidents in the spring of 2021, a number it had never seen before.

“Over the past year, we have mostly observed this behavior among hacker groups with Asian roots,” said Denis Kuvshinov, head of information security threat research at the Positive Technologies security expert center.

As the expert explained, attackers want access to equipment inside the Russian Federation primarily to mask their activity during attacks: malicious traffic is then passed off as local, and therefore trusted, and local traffic is often scrutinized less closely by security teams than foreign traffic.

The targets also vary depending on which group is active; Asian groups, for example, are most likely to target state-owned enterprises.

“We expect the attacks to target government facilities and critical infrastructure,” said Anastasia Tikhonova, Head of the Threat Intelligence Complex Threat Research Group at Group-IB.

According to Positive Technologies, Russian equipment can also be used by foreign hackers for attacks abroad. In that case the infrastructure serves as a disguise, making the attack look like the work of “Russian hackers”.

“The cases of ‘government Russian hackers’ are taken up by the CIA or the FBI, who have difficulties in relations with their Russian colleagues. The government allocates even more money for cybersecurity. Everyone is happy,” the expert explained.

Cybersecurity experts have discovered a new hacker group

Cybersecurity experts have discovered a new hacker group, ChamelGang, which attacks institutions in ten countries around the world, including Russia. Since March, Russian companies in the fuel and energy sector and the aviation industry have been targeted, and at least two attacks have been successful. Experts believe that pro-government groups may be behind the attacks.

According to Positive Technologies, the first attacks were recorded in March. The group's goal is to steal data from compromised networks.

India, the United States, Taiwan and Germany were also victims of the attacks. Compromised government servers were discovered in those countries.

The new group was named ChamelGang, from the word chameleon, because the hackers disguise their malware and network infrastructure as legitimate services. The group's toolset includes the new, previously undescribed ProxyT malware, BeaconLoader, and the DoorMe backdoor, which gives the attackers access to the system.

In one attack, the hackers first compromised a subsidiary and, two weeks later, its parent company. They obtained the local administrator password on one of the servers and entered the company's network over Remote Desktop Protocol (RDP). They remained undetected on the corporate network for three months and in that time gained control of most of the network, including critical servers and hosts.

In the second attack, in August, the attackers exploited a chain of related vulnerabilities in Microsoft Exchange to penetrate the infrastructure. They were inside the organization's infrastructure for eight days and did not have time to cause significant damage.

Kaspersky Lab cybersecurity expert Alexey Shulmin confirmed the targeted nature of the attacks and the wide geography of the victims. He added that some of the group's utilities have a Chinese-language interface.

Experts believe that attacks on strategically important industrial facilities, including the fuel and energy sector and the aviation industry, are often carried out by cyber mercenaries and pro-government groups.

Russian hacker confirms the return of REvil, the most famous Russian hacker group

A Russian hacker who collaborated with the well-known REvil group confirmed that the cybercriminals have returned to active work after a two-month break. He named political factors as the main reason for the temporary suspension of their activities. This contradicts the explanation given by REvil members themselves, who attributed the pause to precautions taken after one of the community's members disappeared.

The anonymous cybercriminal said that the group had only ever planned to suspend its activities, not to end them completely, and that the step was due to the difficult geopolitical situation.

"They told key business partners and malware developers that there was no cause for concern and that cooperation would not be suspended for long," the hacker said. Asked whether the Russian leadership had influenced the decision of the country's most famous group to go quiet for a while, the hacker said that was hardly possible. According to him, there is no evidence of any connection between REvil and the government or intelligence services of Russia or any other country, and nobody discusses such a topic seriously on the darknet.

"It is not surprising that the hacker group responsible for high-profile attacks on American infrastructure took precautions after the conversation between the US and Russian presidents," the anonymous hacker stressed. "Geopolitical factors are always taken into account in a business of this level, although this is the first time I have encountered a situation where a group has been forced to curtail its activities relatively unexpectedly."

REvil's return was announced last week when the group's darknet site became active again after two months of downtime. Shortly afterwards, community members stated on one of the Russian forums that the temporary suspension had been a precautionary measure prompted by the disappearance of one of the REvil members: "We backed up and disabled all the servers. We thought he had been arrested. We waited — he didn't show up, and we restored everything from backups."

Hackers switch to combined cyber attacks on the Russian financial sector

Experts began noting cybercriminals' particular interest in the Russian banking sector as early as mid-summer 2021. In July, the Bank of Russia warned of the risk of financial institutions being "infected" through members of their ecosystems.

In August, FinCERT noted a series of large-scale DDoS attacks on at least 12 major Russian banks, processing companies and Internet service providers. The requests came from the USA, Latin America and Asia.

In early September, the Russian financial sector was attacked again, this time targeting large banks and the telecom operators that provide their communication services.

Since August 9, the Russian Cyber Threat Monitoring Center (SOC) of the international service provider Orange Business Services has recorded a sharp increase in request volume. The attackers combine well-known techniques such as TCP SYN flood, DNS amplification, UDP flood and HTTPS flood with only recently discovered ones, for example DTLS amplification.

In total, more than 150 attacks were recorded during the month from August 9 to September 9, 2021, and their intensity is constantly increasing. The criminals keep trying to raise the power of the attacks in the hope that telecom providers will be unable to scrub traffic in such large volumes.

The attackers also used large international botnets. The Orange Business Services SOC identified one such network, based in Vietnam and South America, with more than 60 thousand unique IP addresses, which was used to mount HTTPS flood attacks on the 3D Secure payment verification service.

The attackers also used HTTPS flood to render the banks' applications unusable; in this case the attack was carried out from IP addresses in Russia, Ukraine and France.

“Based on how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market,” said Olga Baranova, COO of Orange Business Services in Russia and the CIS.


Hackers put passports of more than 1.3 million Russians up for sale

Hackers have posted on the cybercriminal forum RaidForums an 809 GB archive containing more than 1.3 million scans of Russian citizens' passports, stolen by breaching the servers of the cosmetics company Oriflame.

The company's website reports that on July 31 and August 1 it was subjected to a series of cyberattacks that led to unauthorized access to its information systems. At the same time, Oriflame assured that bank account numbers, phone numbers, passwords and users' commercial transactions were not affected by the attack.

The company admits that customers not only in Russia but also in other CIS countries and Asia were affected. Oriflame has strengthened its cybersecurity measures and is investigating the incident together with law enforcement agencies.

"Probably, the company refused to buy the data from the attackers, so now they are being put into public access," adds Ashot Oganesyan, the founder of the DLBI data leak intelligence service.

The same seller had earlier posted document scans of Oriflame clients in Georgia and Kazakhstan on the forum and claimed to hold data on participants of the scheme from 14 countries.

Experts speculate that the hackers obtained the data by exploiting vulnerabilities in a corporate website, and that the leak may have come from a backup copy of the file storage.

A database of 1.3 million passport scans would cost hundreds of thousands of dollars on the black market. Forged documents based on them can be used to take out a microloan, register domains in the .ru zone, or obtain SIM cards or payment-system wallets.

The Oriflame leak is not the first among network marketing companies. In 2020, the data of 19 million Avon customers and employees, including names, phone numbers, dates of birth, e-mail addresses and postal addresses, became publicly available.

Hacker gained access to a major CIS drug marketplace

Part of the database of the forum and its owners is available free of charge; the hackers offered the rest for 1 bitcoin. Experts hope the action will enable a series of arrests and deal a major blow to the drug trade.

According to the leaked data, the forum's owner and developer is Latvian citizen Artem Shvedov; one of its former developers is Roman Kukharenko, registered in the Moscow region; and the current administrator is Ukrainian citizen Alexander Prokhozhenko.

Cybersecurity experts pointed out that in 99% of cases the person in whose name the domain and hosting of such resources are registered may not even know about it.

According to Blockchair, a total of 20.57 bitcoins (about $1 million) went through the Legalizer forum's cryptocurrency wallet. At the same time, it is associated with larger wallets. More than 5.3 thousand bitcoin (about $248 million) passed through one of them.

In addition, the email address given by the hacker who breached Legalizer matches a contact on the shadow site o3shop whose user describes himself as a Russian-speaking hacker and information security specialist.

An analyst from the Angara Professional Assistance operational monitoring group said that shadow forums are usually hacked "because of competition or partner revenge." In his opinion, the attack on Legalizer may be related to a redistribution of the drug market or to extortion.

The expert acknowledged that the Legalizer breach could lead to arrests.

State borders may also be an obstacle for law enforcement agencies: although the forum is aimed at a Russian-speaking audience from the CIS, it may be physically located on servers hosted in a country where drugs are legal.

Bot that helps hackers write code

The Copilot service developed by Microsoft and GitHub, designed to simplify programmers' work, could be used by hackers to create malicious software.

Copilot, an AI-based service created by GitHub, works like the predictive keyboard on a mobile device.

GitHub introduced the service at the end of June; its development required the help of OpenAI. Copilot is expected to make developers' lives easier.

During development, specialists trained the service on billions of lines of code. Now, as a developer writes code, GitHub Copilot offers suggestions that can be used for more productive coding.

Russian cybersecurity experts believe GitHub's innovation may be useful not only to software developers but also to cybercriminals.

According to experts, the new program may make it easier and faster for hackers to write code, and the number of authors of such code may consequently increase.

Denis Legezo, a senior cybersecurity expert at Kaspersky Lab, noted that no technology, Copilot included, is good or bad in itself; what matters is the purpose for which a person uses it. The expert did not rule out that the new program, as a convenient and accessible development tool, could also be used by cybercriminals.

GIS expert Nikolay Nashivochnikov spoke about the danger of hackers using the new programming bot.

"As we can see, new services simplify the life not only of white hat hackers, but also of black hats. If the hackers manage to introduce a dangerous design into the Copilot system, and it starts offering developers to insert this vulnerability into their code, as a result we can get a more widespread vulnerability," said Mr. Nashivochnikov.

Experts also mention the possibility of outright theft of someone else's code. In about 0.1% of cases, the code is taken literally from the training sample; in the remaining 99.9% of cases, the service uses the training sample as a basis for synthesizing something new.