
Notorious Lazarus Hacking Outfit Linked to a $60 Million Alphapo Crypto Theft

Blockchain researchers attribute the attack on crypto payment processor Alphapo, in which more than $60 million in cryptocurrency was stolen, to North Korea's Lazarus Group.

The hack, on Sunday, July 23rd, targeted Alphapo, a centralised cryptocurrency payment provider for gaming websites, e-commerce subscription services and other online platforms. The initial loss was put at $23 million: over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH and 1,700 DAI were taken from hot wallets, most likely after the wallets' private keys were leaked. According to Dune Analytics data also highlighted by on-chain investigator ZachXBT earlier this week, the total taken from Alphapo has since reached $60 million.

ZachXBT added that the heist bears the hallmarks of a Lazarus attack, noting that the group leaves "a very distinct fingerprint on-chain", but gave no further detail.

The Lazarus Group, a threat actor linked to the North Korean government, has previously been blamed for the $35 million Atomic Wallet theft, the $100 million Harmony Horizon bridge hack and the $617 million Axie Infinity theft.

Lazarus typically lures employees of crypto companies with fake job offers that lead them to open malicious files, compromising their devices and stealing their login credentials.

Those credentials open a route into the employer's network, where the group can establish unauthorised access and then carefully plan and carry out high-value thefts.

Analysts tracking the stolen funds to cryptocurrency exchanges say laundering attempts were made through Bitget, Bybit and other services. Lazarus is also known to use specialised mixing services, splitting the funds into small amounts to obscure their origin.

The attackers probably stole the private keys that controlled the wallets, said Dave Schwed, COO of blockchain security firm Halborn.

"While we lack specifics, it seems that the alleged 'hack' likely pertains to the theft of private keys. This inference comes from observing the movement of funds from independent hot wallets and the sudden halting of trading," he explained. "Moreover, the subsequent transactions have led ZachXBT, a renowned 'on-chain sleuth', to surmise that North Korea's notorious Lazarus group is the perpetrator of this attack. Given their history of similar exploits, I find myself agreeing with this theory."

Here's Why Cybercriminals are Shifting Their Base from Tor to Telegram

Cybercrime is a rapidly evolving field. Threat actors, ransomware gangs, malware authors and others are moving away from the "traditional" dark web (Tor hidden services) to crime-focused Telegram channels.

This article looks at why threat actors are abandoning Tor and at the kinds of Telegram channel security teams now need to monitor.

Why are threat actors switching to Telegram from Tor? 

Most cybercrime activity today takes place on mainstream social and messaging platforms rather than on the conventional dark web. Several factors drove the shift: the monetisation of cybercrime, increased law-enforcement scrutiny of Tor sites and the general slowness of Tor. We discuss each in turn.

Exit scams are rare

On a conventional dark web marketplace the market operator acts as a clearing house, which is both its main benefit and its main weakness. Transactions are typically held in escrow for around 14 days, during which the market keeps the cryptocurrency and the buyer can claim a refund if defrauded. The problem is that market operators therefore hold millions of dollars in cryptocurrency at any given moment, which makes an exit scam, shutting down and keeping the escrowed funds, extremely tempting. Telegram deals are generally made directly between buyer and seller, so there is no central escrow pot to run off with, although the buyer loses the escrow protection too.

Modern social media features

Telegram has an edge over Tor websites in the following areas: 

Emojis, direct private chats, a mobile app and other nice-to-have features make Telegram one of the fastest and most popular modern messaging platforms.

Finding cybercrime channels and completing a transaction takes far less technical knowledge than using Tor, which lowers the barrier to entry and spreads access to cybercrime data.

Many channels give away free "samples" of credentials, stealer logs, breach data and the like, so prospective buyers can quickly check the quality of a vendor's goods.

Perceived privacy 

It is well known that law enforcement closely monitors the sites, forums and marketplaces on the Tor network. Users know that a forum post or marketplace listing may be read by corporate security teams, several law enforcement agencies and other parties.

Telegram, by contrast, offers a perception of anonymity: the sheer number of crime-oriented channels, the lack of IP-level visibility for security teams and law enforcement, and the apparent transience of messages. That perception is not the same as real anonymity, but it is enough to draw users.

Telegram channels for various forms of cybercrime 

Unlike older dark web marketplaces, where a single market might sell combolists, drugs, firearms, card data and other contraband side by side, Telegram channels usually focus on one type of illicit activity.

Bitcoin transactions 

Third-party bot services allow bitcoin payments to be sent from within the Telegram client, so attackers can collect payment without leaving the app. Despite the risks, Telegram itself is not malicious: it is a widely used collaboration and messaging platform for individuals and businesses alike.

Nation state cyberterrorism

The final group of channels that matters to security teams is nation-state-aligned hacktivist channels. Since the start of the war in Ukraine, channels such as Bloodnet, Killnet, Noname47, Anonymous Sudan and others have grown explosively. They pick targets in advance, often critical infrastructure in NATO countries, and attempt to deface websites, DDoS key services and leak company data.

Telegram's perceived privacy and anonymity, its resilience to censorship and its usefulness for spreading propaganda and disinformation make it an increasingly popular platform for threat actors, which is a worrying trend. Authorities and individuals need to be aware of these threats and take steps to protect themselves and others.

Crimeware-as-a-Service on the Rise; Here's How to Protect Yourself

Cybercrime is rising worldwide. Criminals show no sign of slowing down, as the recent surge in malicious browser extensions (particularly in the US) and the persistence of phishing and malware attacks show, in part because of the rapidly expanding Crimeware-as-a-Service (CaaS) sector.

CaaS, also called malware-as-a-service or cybercrime-as-a-service, is the growing and highly lucrative practice of selling cyber tools and services to other criminals on the dark web. It lets almost anyone buy or rent software capable of distributing malware within minutes, without the technical expertise a large-scale attack would otherwise require.

For example, phishing kits that trick victims into clicking links or visiting malicious sites that infect their devices can be bought for as little as $40. Malware for larger-scale attacks is just as easy to find: the Eternity Stealer, an infostealer sold for about $260 a year that harvests usernames, email addresses and card details, is one widely sold and actively used example.

The growth of this criminal ecosystem, with new CaaS products appearing regularly, is a serious threat to consumer safety and privacy. Users share more online than ever, from social networking and shopping to working and studying from home, and the CaaS market puts that information within reach of more attackers.

Competition between vendors will drive demand for newer and more sophisticated malware, producing next-generation threats that even well-informed consumers will struggle to recognise.

The average household has not made the same investment in security practices as enterprises, making home users attractive targets for the influx of actors that CaaS enables. Consumers browsing on a phone or laptop at home may not seem like high-value targets, but they are far easier ones, and with remote work here to stay many cybercriminals now treat home networks as the ideal route into far better protected corporate networks.

Although CaaS is expanding in the traditional corners of the criminal world, we expect it to grow over the coming years around newer platforms such as cryptocurrency and the metaverse. We can limit the harm proactively by pushing for more cyber education and awareness, training adult users to spot common threats such as phishing, and instilling a culture of safety in the next generation from an early age.

The next step is to bring the same calibre of security controls to household networks that businesses use. Consumers have never been more exposed to cybercrime, so it is time to invest in defences before falling victim, built on three components:

Endpoint protection system

Endpoint protection is the best starting point for home users against next-generation online attacks. It protects the end-user devices that attackers most often use as their entry point and that communicate with other devices and users over the network. Once regarded as primarily an enterprise control, endpoint security matters more and more to consumers, especially as attackers increasingly try to reach corporate networks via home networks.

DNS filtering 

The domain name system (DNS) translates a website's domain name into the IP address the computer connects to. A DNS filter, many of which are available online, answers lookups for known-malicious or unwanted domains with a block instead of the real address: it stops the browser reaching phishing and malware sites, blocks tracking domains and can filter out explicit content, making everyday browsing safer. It only ever sees the name, not the page, so it cannot judge content, and a device that sends its lookups to another resolver (for example over encrypted DNS) bypasses it.
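The decision a DNS filter makes for each lookup is simple enough to show in code. The following is an added example, not code from the original post or from any filtering product; the block and allow lists are constructed sample data rather than a real threat feed. It walks every parent suffix of the queried name, so a rule on a domain also covers its subdomains, and lets a narrower allowlist entry override a broader block.

```javascript
// Added example, not from the original post or any DNS filtering product.
// It shows the per-query decision a DNS filter makes: normalise the name,
// walk every parent suffix so a rule on a domain covers its subdomains,
// and let an allowlist entry override a broader block.
// The lists below are constructed sample data, not a real threat feed.

const BLOCKLIST = new Set([
  'malware-c2.example',  // constructed: C2 / malware delivery domain
  'tracker.example',     // constructed: behavioural tracking domain
  'adult.example',       // constructed: content category
  'zip',                 // constructed: a whole TLD can be blocked too
]);
const ALLOWLIST = new Set([
  'cdn.tracker.example', // constructed: needed by a legitimate site, so exempt
]);

// Lowercase, strip whitespace and the trailing root dot, reject junk.
function normalize(qname) {
  const name = String(qname).trim().toLowerCase().replace(/\.$/, '');
  if (!/^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/.test(name)) {
    throw new Error('malformed name: ' + qname);
  }
  return name;
}

// "a.b.c.example" -> ["a.b.c.example", "b.c.example", "c.example", "example"]
function suffixes(name) {
  const labels = name.split('.');
  return labels.map((_, i) => labels.slice(i).join('.'));
}

// Returns what the resolver should do with the query and which rule fired.
function decide(qname) {
  const chain = suffixes(normalize(qname));
  const allow = chain.find((s) => ALLOWLIST.has(s));
  if (allow) return { action: 'resolve', rule: allow, rcode: 'NOERROR' };
  const block = chain.find((s) => BLOCKLIST.has(s));
  if (block) return { action: 'block', rule: block, rcode: 'NXDOMAIN' };
  return { action: 'resolve', rule: null, rcode: 'NOERROR' };
}
```

Returning NXDOMAIN is the simplest block; some filters instead answer with a sinkhole address so the block can be logged and explained to the user. The filter only ever sees the name: a device configured to send its lookups to a different resolver bypasses it entirely, which is why routers and endpoint agents often force all DNS traffic through the filter.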

Use of VPN 

Whether at home or on public Wi-Fi, a consumer's online activity is visible to their internet service provider (ISP), search engines, government agencies and the websites they visit. A browser's private mode does not change this; the device's IP address is still exposed to every site it connects to.

A VPN encrypts traffic between the device and the VPN provider, hiding it from the local network and the ISP and masking the user's IP address from the sites visited. VPNs are simple to set up and use, letting consumers browse more privately, bypass geo-blocks and access content from around the world. The VPN provider itself can still see the traffic, so choose one you are prepared to trust.

As long as consumers do not invest in better cyber awareness and tools, the CaaS business will keep growing. But we do not all have to become victims. Let us use this moment to improve home users' cyber education and protections, and make the internet a safer and more enjoyable place for everyone.

School Kids are Stealing NFTs Worth Millions of Dollars to Purchase Roblox Skins

Being wary of journalists can sometimes be a good thing. Take the case of Orbiter Finance. A supposed journalist from a crypto news site contacted one of its Discord moderators last month and asked them to fill out a form. The moderator had no idea that this simple action would hand control of the Discord server to someone else.

Once inside, the attacker locked the other admins out and stopped community members posting messages. Everyone who clicked the fake airdrop announcement was sent to a phishing site built to steal their NFTs. The plan worked: NFTs and tokens worth $1,000,000 were taken within minutes while the team could only watch.

"We were so concerned," Gwen, a business development manager at Orbiter Finance, said in an interview. "If we cause any damage to [our community members], we will just lose their trust."

The Orbiter attack is just one of many recent incidents involving NFT drainers and compromised Discord servers or Twitter accounts. Data gathered by NFT researcher and security specialist OKHotshot shows that at least 900 Discord servers have been compromised for phishing since December 2021, with a marked increase over the previous three months.

According to figures from PeckShield and several Dune Analytics dashboards maintained by Scam Sniffer and others, such attacks have hit at least 32,000 victim wallets over the last nine months, with stolen NFTs and tokens totalling $73 million.

Culprits behind the attacks 

These operations usually involve a growing black market in drainer code. The people behind the phishing attacks first go to Telegram and Discord, where the developers of the various drainers run channels.

They contact the developer and buy the drainer, a piece of code that is dropped into a website, usually agreeing to give the developer 20-30% of the proceeds. Then, using their own techniques, such as the fake news site described above, they hijack a Discord server or Twitter account and promote a fake website carrying the drainer code to steal NFTs and whatever else they can get their hands on.

That is, when they are not preoccupied with homework. 

"95% of them are kids below the age of 18 who are still in high school," said Plum, a pseudonymous security researcher who works on the trust and safety team at NFT marketplace OpenSea, adding that the frequency of attacks tends to spike around the Summer holidays. 

“I personally have talked to quite a few of them and know they’re still in school,” stated Plum. “I’ve seen pictures and videos of various of them from their schools. They talk about their teachers, how they’re failing their classes or how they need to do homework.” 

These kids appear to make little effort to conceal their newfound wealth. “They'll buy a laptop, some phones, shoes and spend vast amounts of money on Roblox. They all play Roblox for the most part. So they'll buy the coolest gear for their Roblox avatar, video games, skins and things like that,” Plum added. 

Plum went on to say that they frequently buy gift cards with cryptocurrency on the gift card marketplace Bitrefill, spend thousands of dollars on Uber Eats, buy luxury clothes, pay individuals to do their homework for them, and even buy automobiles they can't drive yet. They also enjoy gambling. 

The attackers try to cover their tracks by paying people in lower-income countries to register on exchanges with their own identity documents, muddying the trail when the proceeds are cashed out, Plum says. Plum also says that if law enforcement were interested in arresting them, at least some should have been caught by now, because they leave ample evidence of what they do.

Plum mused on why offenders believe they can get away with such crimes, saying that "they feel invincible, they have God mode — that no-one can touch them." 

While countries such as North Korea also run phishing operations against NFT holders, Plum says they typically use their own drainers and have little to do with the drainers sold commercially. The drainer developers, who sometimes carry out attacks with their own tooling, are somewhat more elusive, but their pseudonymous profiles leave a distinctive trail.

The growing problem of NFT drainers

Monkey, one of the first NFT drainers, launched their Telegram channel in August. But it wasn't until October that it really got going. According to PeckShield, their technology was utilised to steal 2,200 NFTs worth $9.3 million and an additional $7 million in tokens over the next few months. 

Monkey chose to retire on February 28th. Its creator stated in a parting message that "all young cyber criminals should not lose themselves in the pursuit of easy money." They advised its customers to use Venom, a competitor drainer. 

Venom was a worthy opponent. It was another of the first drainers, and it was used to steal over 2,000 NFTs from over 15,000 victims throughout time. Customers of the drainer employed 530 phishing sites to perform attacks on crypto projects such as Arbitrum, Circle, and Blur, netting a total of $29 million in NFTs, ether, and different currencies.

While Venom was one of the first NFT drainers to go multichain, security experts say they failed miserably. However, their drainer was the first to be used to steal NFTs from the NFT marketplace Blur. 

Inferno, which was used to steal $9.5 million from 11,000 victims, and Pussy, which was used to steal $14 million from 3,000 victims, were two other rivals. Customers of Angel, which began on a Russian hacking forum, used it to steal $1 million from over 500 victims in the form of NFTs and various tokens, most notably compromising the Twitter account of crypto wallet Zerion. 

The way drainers work has stayed essentially the same, with a few tweaks here and there. Plum believes the answer lies in safety-oriented wallet extensions, which have proved effective at protecting wallets. It is also prudent to spread holdings across several wallets and keep long-term holdings in cold wallets.
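What such a wallet extension checks, and why the drainer code described above works at all, can be shown in code. The following is an added example and is not code from the original post, from OpenSea or from any wallet vendor; the contract addresses and calldata are constructed, and the trusted-operator set stands in for whatever the user has chosen to trust. It decodes the calldata of an eth_sendTransaction request and flags the calls a drainer site relies on: setApprovalForAll to an unknown operator, an unlimited approve, or a transfer out of the wallet.

```javascript
// Added example, not code from the original post or from any wallet vendor.
// It inspects an eth_sendTransaction request the way a safety-oriented
// wallet extension would, flagging the calls an NFT drainer relies on.
// The addresses and calldata below are constructed sample data.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  a22cb465: 'setApprovalForAll(address,bool)',       // ERC-721 / ERC-1155
  '095ea7b3': 'approve(address,uint256)',            // ERC-20 amount / ERC-721 tokenId
  '23b872dd': 'transferFrom(address,address,uint256)',
  '42842e0e': 'safeTransferFrom(address,address,uint256)',
};
const UINT256_MAX = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the selector, as 64 hex characters.
function word(hex, i) {
  const w = hex.slice(8 + i * 64, 8 + (i + 1) * 64);
  if (w.length !== 64) throw new Error('calldata too short for argument ' + i);
  return w;
}
const asAddress = (w) => '0x' + w.slice(24); // address = low 20 bytes of the word
const asBigInt = (w) => BigInt('0x' + w);

// tx: { to, data, value } as passed to eth_sendTransaction.
// trusted: lowercase addresses the user has chosen to trust as operator or
//          spender (e.g. a marketplace contract); anything else is a stranger.
function inspectTransaction(tx, trusted = new Set()) {
  const hex = (tx.data || '0x').replace(/^0x/, '').toLowerCase();
  if (hex.length < 8) {
    return { risk: 'info', call: null, counterparty: tx.to,
             reason: 'no calldata: plain value transfer, check recipient and amount' };
  }
  const selector = hex.slice(0, 8);
  const call = SELECTORS[selector];
  if (!call) {
    return { risk: 'unknown', call: null, counterparty: tx.to,
             reason: 'unrecognised selector 0x' + selector + '; decode the contract ABI before signing' };
  }
  try {
    switch (selector) {
      case 'a22cb465': { // setApprovalForAll(operator, approved)
        const operator = asAddress(word(hex, 0));
        const approved = asBigInt(word(hex, 1)) !== 0n;
        if (!approved) return { risk: 'low', call, counterparty: operator, reason: 'revokes operator approval' };
        if (trusted.has(operator)) return { risk: 'low', call, counterparty: operator, reason: 'trusted operator' };
        return { risk: 'high', call, counterparty: operator,
                 reason: 'grants ' + operator + ' the right to move every token of this collection' };
      }
      case '095ea7b3': { // approve(spender, amountOrTokenId)
        const spender = asAddress(word(hex, 0));
        const amount = asBigInt(word(hex, 1));
        if (trusted.has(spender)) return { risk: 'low', call, counterparty: spender, reason: 'trusted spender' };
        const unlimited = amount === UINT256_MAX;
        return { risk: unlimited ? 'high' : 'medium', call, counterparty: spender,
                 reason: unlimited ? 'unlimited token allowance to ' + spender
                                   : 'allowance of ' + amount.toString() + ' to ' + spender };
      }
      default: { // transferFrom / safeTransferFrom: recipient is the second argument
        const to = asAddress(word(hex, 1));
        return { risk: trusted.has(to) ? 'low' : 'medium', call, counterparty: to,
                 reason: 'moves a token out of this wallet to ' + to };
      }
    }
  } catch (e) {
    return { risk: 'unknown', call, counterparty: tx.to, reason: e.message };
  }
}

// Constructed sample: a drainer site asking for blanket approval of a collection.
const COLLECTION = '0x' + '11'.repeat(20); // constructed NFT contract address
const DRAINER = '0x' + 'dd'.repeat(20);    // constructed attacker-controlled operator
const approveAllToDrainer = {
  to: COLLECTION,
  data: '0xa22cb465' + DRAINER.slice(2).padStart(64, '0') + '1'.padStart(64, '0'),
  value: '0x0',
};
// Constructed sample: the same operator asking for an unlimited ERC-20 allowance.
const unlimitedAllowance = {
  to: '0x' + '22'.repeat(20),              // constructed ERC-20 token address
  data: '0x095ea7b3' + DRAINER.slice(2).padStart(64, '0') + 'f'.repeat(64),
  value: '0x0',
};
```

The point the decoder makes is that a single setApprovalForAll signature hands an operator every token in the collection, which is why one click on a fake airdrop empties a wallet. A real extension would also resolve the operator against known marketplace contracts and simulate the transaction, but the selector check alone catches the common drainer pattern.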

Threat Actors Launch a New Wave of Mass-Hacks Against Business File Transfer Tool

Security experts are raising the alarm after hackers were seen exploiting a newly discovered vulnerability in a widely used file transfer tool, deployed by thousands of organisations, to launch a new wave of mass data-theft attacks.

The flaw is in MOVEit Transfer, managed file transfer (MFT) software from Progress Software (via its subsidiary Ipswitch) that lets businesses move large files and datasets over the internet.

On Wednesday last week Progress confirmed it had found a vulnerability in MOVEit Transfer that "could lead to escalated privileges and potential unauthorised access to the environment", and advised customers to block internet traffic to their MOVEit Transfer environments.

Progress is urging all customers to apply the patches that are now available without delay.

The U.S. cybersecurity agency CISA is also advising U.S. organisations to implement the required patches, follow Progress' mitigating recommendations, and look for any malicious behaviour. 

Because enterprise file-transfer tools are so widely deployed, they have become an increasingly attractive target for hackers who want to steal data from many victims at once.

Progress's website says the affected product is used by "thousands of organisations around the world", but Jocelyn VerVelde, a spokesperson for Progress via an outside public relations firm, declined to say how many. Shodan, a search engine for internet-exposed devices and databases, shows more than 2,500 MOVEit Transfer servers reachable from the internet, most in the United States, with many others in the United Kingdom, Germany, the Netherlands and Canada.

Security researcher Kevin Beaumont says the vulnerability also affects users of the MOVEit Transfer cloud platform. According to Beaumont, some "big banks" are believed to be MOVEit customers, and at least one exposed instance is linked to the U.S. Department of Homeland Security. Several security firms say they have already seen signs of exploitation.

According to Mandiant, "several intrusions" involving the exploitation of the MOVEit vulnerability are under investigation. Charles Carmakal, the chief technical officer of Mandiant, acknowledged that Mandiant had "seen evidence of data exfiltration at multiple victims." 

According to a blog post by cybersecurity firm Huntress, one of its clients has observed "a full attack chain and all the matching indicators of compromise." 

Meanwhile, Rapid7 said it had seen evidence of data theft and misuse in "at least four separate incidents". Caitlin Condon, Rapid7's senior manager of security research, said the evidence suggests attackers may have begun automated exploitation.

While the exact start date of exploitation is unknown, threat intelligence firm GreyNoise claims to have seen scanning activity as early as March 3. The company advises customers to check their systems for any signs of possible unauthorised access that may have happened during the last 90 days. 

The perpetrator of the widespread MOVEit server exploitation is still unknown. 

The attacker's actions were "opportunistic rather than targeted," according to Rapid7's Condon, who also speculated that this "could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets."

Has Your Password Been Compromised? Here's How to Find Out

If you suspect your online accounts have been compromised, you may be wondering what to do next. There are several ways to find out whether an account was breached, and how bad the breach is.

HaveIBeenPwned 

Have I Been Pwned, a searchable data-breach database, was created by Troy Hunt, a Microsoft Regional Director and MVP, in December 2013. With around 150,000 visitors a day and three million email subscribers, it is by far the largest and most widely used way to find out whether your credentials have appeared in a breach.

Enter your email address (or username) and within seconds you see the breaches in which it appeared. The site does not display the leaked passwords themselves, since that could let someone pair a username with a password that has not been changed yet. Its separate Pwned Passwords service lets you check whether a specific password appears in the corpus by sending only a partial hash, so the password itself never leaves your machine.

DNS Hijack 

A domain name system (DNS) hijack is another way attackers can put themselves between you and a site you use. By changing the DNS settings on your device or router, or compromising the resolver you use, they redirect your browser to a different site, usually one that imitates the real site you were trying to reach, and capture what you type there. Unexpected certificate warnings, or a familiar site that looks subtly wrong, are signs to check your device's and router's DNS settings.

History Scan 

You can also check your browser's history to see whether someone has used your browser on your computer. Look for entries showing visits to sites you do not normally go to.

Mitigation Tips 

You cannot protect against everything. The most important thing you can do is keep your personal information secure, and even if you do everything right there is still a chance you will be hacked. A breach is a disaster for any business, not just those handling large amounts of sensitive data.

The more you know about how accounts are compromised and how to limit the damage, the better placed you are to respond. Ways to protect your accounts include using a password manager and turning on two-factor (or multi-factor) authentication.

If you think your account was accessed by someone else, the first thing to do is log out of all sessions and change your password. Then enable two-factor authentication, which makes it much harder for someone to get in even if they have your password. Once you are satisfied that nobody else has access to the account, you can go back to business as usual.

There are other ways to protect yourself from online threats too, including enabling your operating system's built-in protection or using a virtual private network (VPN). And if you do think your account was accessed by someone else, report it to the service as a suspected account takeover.