
Ukraine Hacks ATMs Across Russia in Massive Cyberattack



On July 23, 2024, a massive cyberattack launched by Ukrainian hackers targeted Russian financial institutions, disrupting ATM services across the country. According to a source within Ukrainian intelligence, the attack is “gaining momentum” as it continues to cripple banking services. By July 27, the fifth day of the cyberattack, customers of several prominent Russian banks found themselves unable to withdraw cash. When attempting to use ATMs, their debit and credit cards were immediately blocked, leaving them stranded without access to their funds. 

The intelligence source, who provided written comments to the Kyiv Post, indicated that the attack had affected numerous banks, including Dom.RF, VTB Bank, Alfa-Bank, Sberbank, Raiffeisen Bank, RSHB Bank, Rosbank, Gazprombank, Tinkoff Bank, and iBank. The widespread disruption has caused significant inconvenience for customers and highlighted vulnerabilities within Russia’s financial infrastructure. The source in Ukrainian intelligence mocked the situation, suggesting that the Kremlin’s long-desired “import substitution” might now include reverting to wooden abacuses, paper savings books, and cave paintings for accounting. 

This remark underscores the scale of the disruption and the potential for outdated methods to replace modern financial technologies temporarily. The cyberattack represents a significant escalation in the ongoing cyber conflict between Ukraine and Russia. While cyberattacks have been frequent on both sides, the targeting of ATM services and the subsequent blocking of debit and credit cards mark a notable shift towards directly impacting ordinary citizens’ daily lives. This attack not only disrupts financial transactions but also instills a sense of insecurity and distrust in the reliability of banking systems. 

The list of affected banks reads like a who’s who of Russia’s financial sector, including both state-owned and private institutions. The inability to withdraw cash from ATMs during the attack has put pressure on these banks to quickly resolve the issues and restore normal services to their customers. However, the continued nature of the cyberattack suggests that solutions may not be forthcoming in the immediate future. The Ukrainian hackers’ ability to sustain such a large-scale cyberattack over several days indicates a high level of coordination and technical expertise. It also raises questions about the preparedness and resilience of Russian banks’ cybersecurity measures. 

As the attack progresses, it is likely that both sides will escalate their cyber capabilities, leading to further disruptions and countermeasures. The broader implications of this cyberattack are significant. It highlights the increasingly blurred lines between cyber warfare and traditional warfare, where digital attacks can cause real-world consequences. The disruption of banking services serves as a stark reminder of how dependent modern societies are on digital infrastructure and the potential vulnerabilities that come with it. 

In response to the ongoing cyberattack, Russian banks will need to bolster their cybersecurity defenses and develop contingency plans to mitigate the impact of such attacks in the future. Additionally, international cooperation and dialogue on cybersecurity norms and regulations will be crucial in preventing and responding to similar incidents on a global scale. As the situation develops, the cyber conflict between Ukraine and Russia will likely continue to evolve, with both sides seeking to leverage their technological capabilities to gain an advantage. The ongoing cyberattack on Russian ATMs is a clear demonstration of the disruptive potential of cyber warfare and the need for robust cybersecurity measures to protect critical infrastructure.

DDoS Attacks Disrupt Major Russian Banks: Ukraine Claims Responsibility

 

Several major Russian banks experienced distributed denial-of-service (DDoS) attacks, disrupting their online services and mobile apps. On Wednesday, local media reported that state-owned VTB Bank was among those affected. The bank informed the state news agency TASS that an attack “planned from abroad” caused disruptions for its clients trying to access online services. 

The Russian Agricultural Bank also reported being targeted by a DDoS attack on Tuesday. However, the bank noted that the impact was minimal due to their implementation of an enhanced system to combat such attacks. Gazprombank, the third-largest private bank in Russia, faced difficulties with its app’s transaction services due to the attack, though the issue was quickly resolved. Other banks, including Alfa Bank, Rosbank, and Post Bank, were also reportedly affected. 

On Wednesday, Ukraine’s military intelligence (HUR) claimed responsibility for the DDoS campaign targeting the Russian banking sector. An anonymous source within HUR, speaking to Ukrainian media, mentioned that the attacks also affected several Russian payment systems and large telecom operators such as Beeline, Megafon, Tele2, and Rostelecom. While this claim has not been independently verified, the HUR official stated that the attack “is still ongoing and far from over.” 

This incident is part of a series of cyberattacks by Ukrainian entities against Russian targets. In October, pro-Ukrainian hackers and Ukraine’s security service (SBU) claimed to have breached Russia’s largest private bank, Alfa-Bank. In January, data allegedly belonging to 30 million Alfa-Bank customers was released by attackers involved in the breach. Earlier this year, the hacker group Blackjack, in cooperation with the SBU, breached a Moscow internet provider in retaliation for a Russian cyberattack on Ukraine’s largest telecom company, Kyivstar. 

While not all reports from Ukrainian hackers or intelligence officials can be independently verified, the recent DDoS attacks on Russian banks had noticeable consequences, despite Russian claims of minimal impact. DDoS attacks are generally easier to mitigate, but this campaign stands out for its broad impact on multiple financial institutions and service providers. The ongoing cyber warfare between Ukraine and Russia underscores the escalating digital conflict between the two nations. Both sides have been leveraging cyber capabilities to disrupt each other’s critical infrastructure. 

The recent attacks highlight the necessity for robust cybersecurity measures and swift response strategies to minimize the impact on essential services and ensure the security of digital transactions. As cyber threats evolve, both nations will likely continue to enhance their defenses to protect against such incursions.

KillNet: Pro-Russian Threat Actor Claims Responsibility for 14 DDoS Attacks on U.S. Airports

 

On Monday, the pro-Russian hacker group KillNet reportedly claimed to be behind the DDoS attacks that temporarily took down the websites of several U.S. airports.
 
Hartsfield-Jackson Atlanta International Airport saw a similar case: users were unable to reach its website for a few hours during the campaign. The attacks did not, however, have any impact on flight operations.
 
The Los Angeles International Airport (LAX) authority reported the threat to its website to the Transportation Security Administration and the FBI.
 
"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson said in an emailed statement, adding that the airport's IT team had restored all services and was investigating the cause.
 
The group later posted a list of the targeted airport websites, 14 domains in all, on Telegram, urging other hackers to join the DDoS attack.
 
The airport websites affected include Los Angeles International Airport (LAX), Chicago O’Hare International Airport (ORD), Hartsfield-Jackson Atlanta International Airport, Orlando International Airport (MCO), Denver International Airport (DIA), Phoenix Sky Harbor International Airport (PHX), and the sites of airports in Kentucky, Mississippi, and Hawaii.
 
In a Telegram post on Monday, KillNet listed other U.S. sectors as potential next targets of similar DDoS attacks: sea terminals and logistics facilities, weather monitoring centers, health care systems, subway systems, and exchanges and online trading systems.
 
This DDoS campaign is not KillNet's first: the group has previously targeted other countries that opposed the Russian invasion of Ukraine, including the NATO members Italy, Romania, Estonia, Lithuania, and Norway.
 
KillNet's DDoS attacks, and its calls for other threat actors to join them, are an example of what security experts describe as a trend of recent years: geopolitical tensions spilling over into the cyber world. This campaign against the U.S. and other NATO countries, for instance, began days after an explosion destroyed a section of the major bridge connecting Russia to the Crimean Peninsula.

Russia-Linked Sandworm Impersonated Ukrainian Telecoms to Deliver Malicious Code


The Russia-based threat group known as Sandworm has been found impersonating Ukrainian telecommunications providers in order to target Ukrainian entities and deliver malware to them, leading to infections across the country.
 
Sandworm is a hacking group closely connected with the GRU, the foreign military intelligence service of the Russian government, where it is identified as military unit 7445. It is an Advanced Persistent Threat (APT) group responsible for several cyberattacks, including attacks on Ukrainian energy infrastructure.
 
Recorded Future, which monitors threats to government and private-sector organizations, reports that Sandworm activity has been rising since August 2022, as tracked by Ukraine's Computer Emergency Response Team (CERT-UA). The frequency with which Sandworm has been observed using DNS domains for command-and-control infrastructure makes it clear that the telecom impersonation is a ruse for attacking Ukrainian computers.
 
Recorded Future further reported that the APT group, tracked as UAC-0113, has set up new infrastructure imitating operators such as Datagroup and EuroTrans Telecom; the group's earlier infrastructure of this kind had been used to deliver DarkCrystal RAT.
 
Recorded Future's report states: “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.”
 
The new UAC-0113 infrastructure distributed the commodity malware Colibri Loader and Warzone RAT, packaged in malicious ISO files, by means of HTML smuggling. This technique uses legitimate HTML and JavaScript features to assemble the malicious payload inside the victim's browser, so that security controls inspecting the network traffic never see it arrive as a file.
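Because the payload has to be rebuilt by script inside the page, HTML smuggling leaves recognisable primitives in the document itself, which is where a defender can catch it. The following Python scanner is an added example, not detection logic from Recorded Future, CERT-UA or this blog: it scores an HTML attachment or proxy-captured page on those primitives and on any long base64 run it can decode. The indicator list, the weights, the 400-character blob threshold and both sample pages are this example's own assumptions and constructed fixtures (the embedded "payload" is harmless text).

```python
"""Heuristic triage of HTML documents for HTML-smuggling indicators.

Added example: the indicator list, weights and thresholds are this example's
own assumptions, not Recorded Future's or CERT-UA's detection logic.
"""
import base64
import re
from dataclasses import dataclass, field

# (name, pattern, weight): browser primitives needed to turn an embedded
# string back into a downloadable file. Weights are an assumption of this example.
INDICATORS = [
    ("atob_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_constructor", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("ms_save_blob", re.compile(r"msSaveOrOpenBlob\s*\("), 3),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("binary_mime", re.compile(r"application/(octet-stream|zip|x-iso9660-image)", re.I), 1),
]

# A long base64 run embedded in markup or script; 400 chars is this example's threshold.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    blob_sizes: list = field(default_factory=list)  # decoded length of each blob
    blob_magic: list = field(default_factory=list)  # first 4 decoded bytes of each blob

    @property
    def suspicious(self) -> bool:
        # Threshold chosen for this example: an embedded blob (2 points) plus
        # at least 4 points' worth of the delivery primitives above.
        return bool(self.blob_sizes) and self.score >= 6


def scan_html(doc: str) -> ScanResult:
    """Score one HTML document. Pure text matching; nothing in the page is executed."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(doc):
            result.hits.append(name)
            result.score += weight
    for blob in BASE64_BLOB.findall(doc):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # long alphanumeric run that does not decode (bad length/padding)
        result.blob_sizes.append(len(raw))
        result.blob_magic.append(raw[:4])  # lets an analyst spot e.g. a CD001/PE header
        result.score += 2
    return result


# Constructed fixtures (not real samples). The "payload" is harmless text.
_FAKE_PAYLOAD_B64 = base64.b64encode(b"CONSTRUCTED-HARMLESS-TEXT-" * 20).decode()

SMUGGLING_SAMPLE = f"""<html><body><script>
var data = "{_FAKE_PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.iso";
a.click();
</script></body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Quarterly report</h1>
<a href="report.pdf" download="report.pdf">Download PDF</a>
<script>document.getElementById("consent").click();</script>
</body></html>"""


if __name__ == "__main__":
    for name, doc in {"smuggling_fixture": SMUGGLING_SAMPLE, "benign_fixture": BENIGN_SAMPLE}.items():
        r = scan_html(doc)
        print(f"{name}: suspicious={r.suspicious} score={r.score} hits={r.hits} blobs={r.blob_sizes}")
```

The benign page shows why a single primitive is not enough: an ordinary `download` attribute or a `.click()` call scores low and carries no blob, while the smuggling fixture trips the decode, Blob and object-URL primitives together with a decodable blob. In practice the decoded `blob_magic` bytes are the most useful field for an analyst, since a real ISO or PE header is hard to explain away in a web page.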
 
Sandworm, Russia's elite hacking team, is best known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. Further research also found it responsible for deploying a botnet known as “Cyclops Blink”, which took over internet-connected firewall and other network devices from WatchGuard and ASUS.
 
The APT group has also targeted U.S. software in its cyberattacks, which led the U.S. government to announce a reward of $10 million for information on the hackers behind this Russian threat actor group.
 
There are several examples of domains used as a masquerade, such as “datagroup[.]ddns[.]net”, tracked by CERT-UA in June, which impersonated Datagroup's online portal. Another example is Kyivstar: the domain “kyiv-star[.]ddns[.]net” was used by Sandworm against Ukrainian telecom services.
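Both domains above follow the same shape: a brand-looking label under a dynamic-DNS zone that anyone can register in. The following Python check is an added example, not tooling from CERT-UA or Recorded Future, that refangs indicators written in the article's `[.]` notation and flags that shape against a list of brands you want to protect. The brand list, the dynamic-DNS zone list and the two control indicators are this example's own assumptions and constructions; the two domain names quoted in the article are used as sample input.

```python
"""Flag lookalike hostnames masquerading as protected brands on dynamic-DNS zones.

Added example. PROTECTED_BRANDS and DYNAMIC_DNS_ZONES are assumptions for the demo;
the two ddns.net names come from the article, the other indicators are constructed.
"""
import re

# Brands this example protects (assumption; extend with your own).
PROTECTED_BRANDS = {"datagroup", "kyivstar", "eurotranstelecom"}

# Dynamic-DNS zones under which anyone can register a label (assumption: short list).
DYNAMIC_DNS_ZONES = {"ddns.net", "hopto.org", "no-ip.org", "duckdns.org"}


def refang(indicator: str) -> str:
    """Turn defanged notation such as datagroup[.]ddns[.]net back into a bare hostname."""
    host = indicator.strip().lower()
    host = host.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    host = re.sub(r"^https?://", "", host)
    return host.split("/")[0]


def normalize_label(label: str) -> str:
    """Strip hyphens, digits and other padding attackers use to vary a brand name."""
    return re.sub(r"[^a-z]", "", label)


def lookalike_brand(host: str):
    """Return (brand, zone) when host is a brand-like label under a dynamic-DNS zone, else None."""
    for zone in DYNAMIC_DNS_ZONES:
        if not host.endswith("." + zone):
            continue
        labels = host[: -len(zone) - 1].split(".")
        for label in labels:
            norm = normalize_label(label)
            for brand in PROTECTED_BRANDS:
                # exact match, or the brand embedded in a longer label (e.g. "kyivstarlogin")
                if norm == brand or (len(norm) >= 6 and brand in norm):
                    return brand, zone
    return None


def triage(indicators):
    """Map refanged hostname -> matched brand for every indicator that looks like a masquerade."""
    findings = {}
    for ioc in indicators:
        host = refang(ioc)
        match = lookalike_brand(host)
        if match:
            findings[host] = match[0]
    return findings


SAMPLE_IOCS = [
    "datagroup[.]ddns[.]net",               # quoted in the article (defanged)
    "hxxp://kyiv-star[.]ddns[.]net/login",  # article's domain, with a constructed URL path
    "cdn[.]example[.]com",                  # constructed benign control
    "ddns[.]net",                           # constructed: the provider zone itself, not a lookalike
]


if __name__ == "__main__":
    for host, brand in triage(SAMPLE_IOCS).items():
        print(f"{host}: masquerades as {brand}")
```

Run against resolver or proxy logs, this yields a short list of hostnames to block or investigate; the normalisation step is what makes `kyiv-star` match `kyivstar`, and the substring rule catches padded labels at the cost of needing a minimum length to avoid false positives on short brand names.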

Group-IB revealed 50 fraud schemes with fake investments

Analysts at Group-IB, a company specializing in cybersecurity, have identified more than 50 fake investment project schemes and more than 8 thousand domains connected with the fraudulent infrastructure.

Fraudsters invite those who want to get rich quick to invest in cryptocurrencies, shares of oil and gas companies, gold, pharmaceuticals, and other assets. Experts have recorded such schemes since at least 2016, but they became widespread in 2018-2020. Moreover, in the last nine months 163% more domains have been registered for fake investment projects than in all previous years.

CERT-GIB's 24/7 Cyber Incident Response Center has identified over 50 templates of landing pages with a variety of ready-made investment scenarios about how to invest money to "get rich quick without much effort."

Scammers illegally copied the style of popular news resources, such as Russia 24, RT, and RBC, to design their websites.

According to the Group-IB report, "as soon as a novice investor takes the "bait," he is directed to a survey site from a "well-known bank." As a rule, all of them are associated with trading in "crypto", fiat currencies, precious metals, minerals, natural resources, pharmaceuticals. Almost every project promises fantastic earnings - from 300 thousand to 10 million rubles per month".

Scammers make sure the victim leaves contact details. A "personal consultant" then calls the victim back and offers to register them in the system so they can make a profit, but for this the victim needs to make a deposit of $250 or more.

The "investor" is then shown a personal account in the system with profit figures and trading results. These figures are fabricated, however, and the virtual money cannot be withdrawn.

The "personal consultant" also asks the victim for bank card details and allegedly sends a request to the bank for approval of the deposit. In fact, the money is simply debited from the account.

In December, Group-IB experts estimated that monthly user losses from targeted fraud through surveys and sweepstakes worldwide amounted to $80 million.

Russians will face even more serious cyber threats in 2022

In particular, users should be wary of targeted ransomware attacks. Moreover, the damage will grow and will no longer be limited to the ransom demanded for encrypted data. Phishing and other attacks based on social engineering will also remain popular with cybercriminals, and attempts to hack smart devices are expected to rise.

Experts warned that business will be the most obvious target for attackers. The main blow will fall on supply chains, which are a weak link in protection because of the large number of participants in the process: contractors and business partners.

In December, it was reported that the barrier gates in Russian courtyards had turned out to be a source of cyber threats. A vulnerability was found in the device management system of the private company AM Video that led to the leakage of personal data. According to analysts, the flaw allowed anyone to gain access to any of the company's installations: it was enough to log into a test account and select the identifier (ID) of a camera or barrier. The system then exposed all user data - names, addresses, phone numbers and car makes. Through the website it was possible to open or block the entrance to a building's grounds, send notifications to residents' mobile phones and use their personal data.

Earlier it became known that 12 apps that steal banking data from infected devices had been found in the Google Play store for Android. The applications pose as document and QR code scanners. After installation on the user's device, the app itself decides whether to download the malicious payload to the phone; if it does, the malicious code reaches the victim through a fake request to update the app.

Russian experts have discovered the largest botnet in the history of the Internet

Hackers have combined several botnets to carry out the most powerful DDoS attacks yet seen on the Internet. Experts at StormWall, a Russian company specializing in protecting businesses from cyber threats, have recorded attacks with a capacity of more than 1 Tbit/s lasting for several days. Most often they hit companies in the entertainment, retail, publishing and fintech sectors.

StormWall reported that the attacks were carried out using a new botnet consisting of several tens of thousands of servers running different operating system versions, as well as webcams, routers and smart TVs.

Since the botnet includes different devices running different operating systems, they must have been infected in different ways. Each attack had approximately the same power but a different geographical distribution, which indicates that not one botnet was used but several, combined under a single control system.

According to experts, the botnet's resources were divided between several users who could launch DDoS attacks simultaneously. Each attacker used not the entire botnet but only a part of it; even a part was enough to mount an attack of several hundred gigabits per second.

According to Artem Tereshchenko, Development Director at VAS Experts, Internet security resources today are at a fairly high level, so whoever wants to bring them down has to generate as much traffic as possible.

Experts believe that the botnet poses risks for both technology companies that provide their services over the Internet and for their customers. The purpose of the botnet is not just to harm, but to seize the personal data of users and commercial data of the company itself.

According to StormWall experts, hackers are combining botnets in order to get the maximum attack power that can even penetrate DDoS protection. 

Software for hacking online cinemas is openly available

A code repository for illegally downloading movies from Netflix, Amazon Video, Apple TV+ and other popular platforms has been published on GitHub. The published scripts bypass the protection technology used by, among others, Russian online cinemas and allow video content to be downloaded.

The TorrentFreak portal reported that on December 28 software for freely downloading content from major video services such as Netflix, Apple TV+, Amazon Video and Disney+ appeared on the international developer platform GitHub. A user named Widevinedump published code to bypass Widevine's DRM protection technology and posted 12 scripts that allow paid content to be downloaded in resolutions up to 720p from popular video services.

According to Karen Ghazaryan, Director General of the Internet Research Institute, almost every Internet browser supports solutions that prevent illegal copying of files, such as Microsoft PlayReady or Adobe DRM. The DRM bypass technique, the expert says, can also be applied to Russian online cinemas.

“It will not be widely used, the mechanism requires special competencies, but professional pirates may well. So the number of movies and TV series uploaded to torrents will increase, which is very useful before the holidays,” Mr. Ghazaryan believes.

Sergey Nenakhov, head of the cybersecurity audit department at Infosecurity a Softline Company, explains that Russian online cinemas mainly use the same technologies — Widevine from Google and FairPlay from Apple, some additionally embed watermarks in the video to identify leaks.

"But pirates can also make changes to the video stream, adding their own noise and "spoiling" watermarks to confuse the tracks," he adds.

According to experts, given the current level of availability of pirated content in the Russian Federation, this is unlikely to significantly change the situation.

The source code of the Public Services Portal of the Russian Federation was made publicly available

On December 25, a post appeared on the Cybersec hacker website in which the author made the source code of the Public Services Portal openly available. According to him, the data was downloaded from resources on mos.ru subdomains.

The Cybersec author discovered an open repository containing the source code of the Public Services Portal as an unencrypted .git repository. In addition to the source code, the leak contains ESIA certificates that could be used to hack accounts.

Studying the code showed that the Public Services Portal was built on the Bitrix engine and that the ESIA authorization system is based on OpenID. The author noted that his study would help others find further vulnerabilities in the system and either close them or turn them to their own ends and steal user data.

The author also said that before publication he contacted the administration of the Public Services Portal to report the data leak. However, they only asked him for a detailed description of the leak and its confirmation, and after that stopped responding altogether.

Vladimir Ulyanov, head of the analytical center of the information security company Zecurion, said that the most likely cause is the usual human factor. In such cases either someone simply made a mistake through lack of competence or carelessness and allowed the code to be disclosed, or it is a deliberate leak by someone with access to the source code.

Ashot Oganesyan, founder of the DLBI data leak intelligence and monitoring service, said that user data had not reached the Network. However, it cannot be ruled out that the compromised code will allow attackers to gain access to it in the future.

 

Hacker group attacked a bank's correspondent account in the Central Bank of Russia

For the first time in three years, specialists at the cybersecurity company Group-IB have identified a successful attack on the interbank transfer system AWP KBR (the automated workstation of a Bank of Russia client).

In February 2021, the attackers compromised one of the banks and stole funds after gaining access to the bank's AWP KBR interbank transfer system. Group-IB analysts attribute the hack to the MoneyTaker group, which was involved in previous similar attacks.

According to the Group-IB report, the attack began in June 2020 "through the compromise of a company affiliated with the bank," after which the attackers spent six months exploring the bank's internal network.

In 2021, the attackers registered fake domain names using the bank's name in the .org and .com zones rather than .ru. After that, the attackers "stole digital keys and later used them to sign payments passing through the transport gateway of the Bank of Russia."

Hackers were able to steal more than 500 million rubles ($6.7 million). 

Experts emphasized that an increase in the number of such crimes is expected in the future. “Taking into account the fact that we are more and more involved in electronic payments, then there will be more and more attempts to violate the law in this area”, said Nikolay Kulbaka, Financial Analyst and Associate Professor of Economics at RANEPA.

It is worth noting that this is the first time since 2018 that the MoneyTaker group has managed to steal money from a Russian bank's account at the Central Bank. In 2018, more than 58 million rubles ($781 thousand) were withdrawn from PIR Bank's correspondent account at the Central Bank. In the same year, the Central Bank revoked PIR Bank's license for violations of anti-money-laundering legislation.

Theft of personal data of Russians will be taken under control

The Ministry of Finance of Russia will take control of the theft and leakage of citizens' personal data. The agency has signed a contract with TS Integration, which will monitor the darknet, hacker forums and Telegram channels.

The amount of the contract of the Ministry of Finance is 24.3 million rubles ($326,000). Monitoring of personal data leaks should start working already at the end of January 2022.

TS Integration will collect, both manually and automatically, information about personal data appearing on the darknet, tracking "cybercriminal forums with both open and restricted access", Telegram channels and hacker resources, and the data-exchange applications used by software developers. In addition, the contractor will monitor media reports of data theft. At least 300 resources are subject to monitoring, including those located in the Tor network.

The company is expected to send the Ministry of Finance weekly reports on all leaks, daily reports on critical ones, and a statistical analysis of the darknet. The Ministry will be able to pass information about identified leaks to the authorities, telecom operators and state-owned companies that may be a potential source of information about citizens.

Experts believe the monitoring system will make it possible to detect the leakage of personal data, its sale or its public posting at an early stage and stop it, as well as to respond in a timely manner and initiate an investigation.

Earlier, the head of the State Duma Committee on Information Policy, Information Technologies and Communications, Alexander Khinshtein, said that virtual space is becoming more and more real, and problems arising in the digital environment can carry not imaginary, but tangible threats. He called personal data leaks one of the most pressing topics.

Footage from thousands of hacked CCTV cameras sold online in Russia

Thousands of private CCTV cameras have been hacked in Russia, said Igor Bederov, head of the Information and Analytical Research department at T.Hunter. According to him, many of these devices are located in hotels, massage rooms, salons where intimate haircuts and depilation are done.

This is evidenced by the many Telegram channels, VK public pages and forums on the Web where access to hacked cameras, or videos from them, is sold.

One of these channels published an advertisement for the sale of access to video from more than 300 cameras from other people's bedrooms, washrooms, medical offices, salons, changing rooms. Price — 600 rubles ($8). Thousands of screenshots from such cameras have been published as advertisements on the channel: one shows a naked woman on a massage table, the other shows a man doing intimate depilation.

“Owners of hotels, beauty salons and other types of businesses put cameras in their premises for security purposes. Often such cameras are located directly in the rooms or offices where intimate services are carried out. At the same time, they are not always properly protected,” Igor Bederov explained the reason for such leaks.

According to open sources, vulnerable cameras are located all over the world. Access is often sold by subscription, but this is not the only way to monetize hacked devices: for example, the media recently wrote about the sale of a 15 TB archive of video from surveillance cameras in Russian hotels and saunas.

Experts said that in some cases such footage is used to blackmail the people in the video or the owners of the cameras. Various services are often used to identify people from photos, and if the people cannot be identified, hackers can always find the organization where the cameras are installed from the metadata.

Oleg Bakhtadze-Karnaukhov, an independent darknet researcher, says that attackers most often break into cameras through network port 37777.

Protecting the device is very easy: just change the factory settings. According to the expert, however, this basic rule is often ignored.


Platforms for hiring “white hackers” may be created in Russia

The service would act as an intermediary between companies that want their information systems checked for security flaws and hackers who are paid for breaking into them. Rostelecom and Positive Technologies have shown interest in such vulnerability-search projects. But experts doubt the projects will succeed: Russian companies, unlike foreign ones, often have no budget for such services, and they often simply do not respond to vulnerability reports.

A representative of Positive Technologies said the company plans to launch a platform in Russia in May 2022 that will aggregate vulnerability-search programs for “ethical hackers”, the so-called bug bounty programs. In such programs, hackers receive rewards from companies for vulnerabilities found in their IT networks, systems, and applications.

“White hackers” currently look for tasks mostly on the international HackerOne platform. The experts interviewed doubted the advisability of creating a similar Russian service. In particular, Mikhail Sergeev, a leading engineer at CorpSoft24, pointed out that Russian business lacks the necessary budgets, and that the large companies that could afford such a service often “do not respond to reports of bugs found.”

“Launching a bug bounty program requires additional financial costs and a certain level of maturity of information security processes, which reduces the list of potential customers of such a platform in Russia”, added Ilya Shalenkov, head of the KPMG cybersecurity services group. The demand for such a service by Russian developers implies that they accept the “right to make a mistake.”

In August, it was reported that the Poly Network cryptocurrency platform, which lost several hundred million dollars to a hack, had decided to reward the hacker. Poly Network thanked the hacker for breaking into the system and stealing $610 million and offered a reward of 500 thousand dollars. The statement did not specify in what form the money would be paid, nor whether the hacker accepted the award.


Hacker group RedCurl attacked a large Russian online store

Commercial espionage remains a rare phenomenon, but the success of this group can set a new trend.

The cybersecurity company Group-IB has discovered traces of new attacks by RedCurl hackers engaged in commercial espionage and theft of corporate documentation from companies from various industries. This time, the victim of the group was a Russian retailer, one of the top 20 largest online stores in Russia.

Group-IB notes that it discovered the new Russian-speaking group last year; between 2018 and 2020 the group carried out 26 attacks, and 14 victim organizations from different countries were identified. The hackers' targets include construction, financial and consulting companies, retailers, banks, insurers and legal organizations located in Russia, Ukraine, the UK, Germany, Canada and Norway. In 2021, the attacks resumed.

The company's specialists noted that since the beginning of 2021, 4 attacks have been recorded.

A hallmark of the group is sending phishing emails to different departments of the organization on behalf of the HR team. After a computer is infected, the malware begins collecting information about the victim's infrastructure on the organization's network: the criminals are interested in the version and name of the infected system, the list of network and logical drives, and the list of passwords.

Experts note that RedCurl's actions and methods are unusual for Russian-speaking hackers; for example, from the moment of infection to data theft takes from 2 to 6 months. The group does not use standard remote-control tools on compromised devices. Infection, persistence on the infected device, lateral movement across the network and theft of documents are carried out using self-written tools and several public ones.

The group does not encrypt the infrastructure of the victim company, does not withdraw money from accounts, and does not demand a ransom for stolen data. This may indicate that hackers are rewarded from other sources, and their goal is to secretly extract valuable information. According to the company, RedCurl is interested in business correspondence, personal files of employees, documentation on various legal entities, and court cases.


"Ransomware" screen on trams and TV billboards in Russia turn out to be ad from cyber security firm

According to Positive Technologies, provocative street art mimicking ransomware first appeared. Fake Windows dialog windows were depicted on trams with the inscription “All passengers with sad faces. This tram has been hacked,” on walls it was written “We will return the wall for 3 BTC (bitcoin),” and on TV screens, “Right now we will steal Antey.”

A few days later, the images were replaced by others, which had the QR code of the Positive Technologies company's manifesto video about the need to pay attention to information protection.

According to Positive Technologies, with the help of an unusual campaign, the company tried to attract the attention of people and organizations to cybersecurity problems, which have become especially acute recently.

“In 2020, compared to 2019, the number of unique cyber incidents increased by 51%. Seven out of ten attacks were targeted. Most often, cybercriminals attacked government and medical institutions, as well as industrial enterprises,” Positive Technologies reports.

Information security experts note that the number of cyberattacks in the world has increased by 40% this year compared to the previous one. As for Russia, the number of cyberattacks has increased even more significantly — by 54%.

“The concept of art is that we visually convey the process of a hacker attack. The information environment already affects the real one. The main desire is to show through clear and simple images that everything can be hacked in the modern world. And do not underestimate such threats, because while you are reading this text, someone can hack you,” said one of the artists.

The number of DDoS attacks on Russian companies has increased 2.5 times since the beginning of the year

The press service of Rostelecom reported that the number of DDoS attacks on Russian companies in the three quarters of 2021 increased 2.5 times compared to the same period last year.

According to the report, “the main targets of the attackers were financial organizations, the public sector, as well as the sphere of online commerce. The number of DDoS attacks on data centers and gaming, which were the focus of hackers a year ago, has decreased”.

The largest number of attacks occurred in Moscow, accounting for 60% of all incidents; the share of any other region did not exceed 7%.

The company added that the number of DDoS attacks on banks increased by 3.5 times, almost 90% of them occurred in September.

The number of DDoS attacks in the online trading segment increased by 20%. The number of DDoS attacks on the public sector also doubled in August and September compared to the same period in 2020.

“Every year, the power and complexity of DDoS attacks increases. This is due to the active use of larger-scale botnets by hackers. They consist of a variety of devices, and more and more vulnerabilities are used to hack them,” said Timur Ibragimov, head of the Anti-DDoS and WAF platform of Solar MSS cybersecurity services at Rostelecom-Solar.

According to him, in particular, in September, the attackers organized the largest DDoS attack using the Meris botnet, the estimated scale of which is 200 thousand devices. “Such attacks are already directed at well-protected organizations and companies whose resources can only be disabled by a very powerful DDoS. For example, it can be banks, large industrial or energy enterprises, etc.,” he added.

It is worth noting that, according to Atlas VPN, the number of DDoS attacks worldwide in the first half of the year increased by 11%, reaching 5.4 million. Thus, the number of attacks in the first half of the year turned out to be a record.

The Consulate General of the Russian Federation in Ukraine called the hacking of its accounts an information provocation

The Consulate General of Russia in Kharkiv (Ukraine) considers the hacking of its pages on social networks an information provocation. “The issue regarding this incident will be resolved between Ukraine and Russia at the diplomatic level,” Igor Demyanenko, the head of the Consulate General, said on Thursday.

“We took it as an informational provocation that does not show Ukraine's compliance with the Vienna Convention on Consular Relations,” he said, adding that “the issue will be resolved through diplomatic channels between the Russian Foreign Ministry and the Ukrainian Foreign Ministry.”

Mr. Demyanenko said that such a situation had developed for the first time, and confirmed that access to the accounts of the Consulate General in social networks had already been restored. And the official website of the diplomatic mission posted a message stating that the information previously published by the attackers on the pages of the Consulate General is invalid.

At the same time, he noted that after the incident, the number of subscribers on the pages of the Consulate General increased fivefold.

Earlier on Thursday, it became known that the Instagram and Facebook accounts of the Consulate General of the Russian Federation in Kharkov had been hacked: congratulations on the Day of Defenders of Ukraine (October 14) appeared on the consulate's page, and the post also contained provocative statements addressed to the Russian leadership, allegedly on behalf of the consulate staff. After the attack, the Consulate General lost access to account management. The Embassy of the Russian Federation in Kiev sent a note verbale to the Ministry of Foreign Affairs of Ukraine requesting that the Ukrainian competent authorities launch an investigation.

The US did not invite Russia and China to an online conference on combating cybercrime

The US National Security Council organized virtual meetings this week to discuss countering ransomware operators. In total, 30 countries were invited to the conference, including Ukraine, Mexico, Israel, Germany, and the UK; Russia and China, however, were not invited to the discussion.

The cyber threat posed by ransomware is increasingly worrying people at the highest level. The ransoms have already reached over $400 million in 2020 and $81 million in the first quarter of 2021.

US President Joe Biden announced in early October that representatives from more than 30 countries will work together to fight back against cybercriminals distributing ransomware. This initiative was the result of very dangerous and large-scale attacks by ransomware operators that recently hit Colonial Pipeline and Kaseya.

It is interesting to note that recently Russian Deputy Foreign Minister Sergei Ryabkov made it clear that Moscow is interested in discussing the problem of ransomware viruses with Washington, but does not want contacts to be limited only to this topic. “American colleagues are still trying to focus all their work on what interests them,” he complained at the time.

Despite the previously announced cooperation in the field of cybersecurity between Moscow and Washington, no one expected Russian official representatives at the meetings. The organizers of the meetings did not invite China and Russia.

Perhaps the reason lies in a misunderstanding that arose at a certain stage. The United States has repeatedly asked Russia to take measures against ransomware operators located in the country. White House Press Secretary Jen Psaki even promised that Washington itself would deal with these cyber groups if the Kremlin could not.

Half of the Russian websites of small and medium-sized enterprises have vulnerabilities

According to Tinkoff, almost half (46%) of the online resources of SMEs in Russia have cybersecurity issues.

The most critical of the most common errors is the weak protection of cloud storage, threatening data leakage (identified in more than a quarter of organizations).

These disappointing statistics are based on the analysis of more than 40 thousand sites and databases of small companies / individual entrepreneurs. The most vulnerable areas in terms of information security were areas such as consulting, retail, and IT (44% of the problems found).

Most often (in 33% of cases), SMEs make domain verification errors. Such mistakes enable takeover of the resource through substituted (spoofed) data.

The second place in the rating is taken by the threat of confidential information leakage arising from open access to the database or from the use of a weak password (27%). The ability to obtain a key by a simple brute-force attack allows an attacker to obtain personal data of customers and company employees, trade secrets, source codes of programs, etc.

The third most frequent cybersecurity error, according to Tinkoff, is “SSL Unknown subject” (15%), a certificate whose subject does not match the site it is served for. Such an error during SSL certificate verification opens the way to interception and disclosure of data (a MITM attack).

The researchers also found that the resources of SMEs are poorly protected from ransomware (file-encrypting malware) attacks (9%).

The top five problems also included another common error: an expired SSL certificate (7%). When the browser reports that the certificate is invalid, the site may become inaccessible to visitors; as a result, the company loses potential customers.
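The two certificate problems above (subject mismatch and expiry) are cheap to check from the peer-certificate dict that Python's `ssl.SSLSocket.getpeercert()` returns. The following is an added example, not code from the Tinkoff report; the certificate data is constructed for illustration, and the hostname-matching rules follow RFC 6125 (one wildcard, leftmost label only).

```python
import ssl

# Constructed sample (not a real certificate), in the dict shape returned by
# ssl.SSLSocket.getpeercert(): one exact name plus a single-level wildcard.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 10 00:00:00 2021 GMT",
    "notAfter": "Oct 14 12:00:00 2021 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard covers exactly one label and
    is only accepted as the leftmost label of a name with 3+ labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # rejects '*.com', 'a*.example.com', multi-level matches
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN (CN only as legacy fallback)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # no SAN at all: fall back to CN, as old clients did
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def validity_state(cert: dict, now_epoch: float) -> str:
    """Compare the validity window against a Unix timestamp (UTC)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        return "not yet valid"
    if now_epoch > not_after:
        return "expired"
    return "valid"


def classify(cert: dict, hostname: str, now_epoch: float) -> str:
    """Map a certificate to the report's error classes: 'expired',
    'unknown subject' (name mismatch), or 'ok'."""
    state = validity_state(cert, now_epoch)
    if state != "valid":
        return state
    return "ok" if hostname_matches(cert, hostname) else "unknown subject"
```

For a live site, the same dict is obtained by wrapping a socket with `ssl.create_default_context()` and calling `getpeercert()` after the handshake.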

“Unfortunately, cybersecurity is poorly developed in Russia and business does not realize how important it is to protect data. Firstly, the services of good and competent specialists are very expensive; secondly, after the crisis, companies direct working capital primarily for the purchase of goods and current needs,” comments Pavel Segal, First Vice President of “OPORA Russia”.

Putin demanded that children be protected from harmful information on the Internet

Russian President Vladimir Putin demanded that children be protected from harmful information on the Internet. He believes this is a very urgent problem that the whole world is now trying to solve. According to the president, there are people who, for their own profit, drive minors to suicide.

“As for information resources, I believe that our schools should use state information resources. This does not mean at all that we should reduce the space of freedom to a minimum. Not at all,” the Russian leader clarified.

Putin reminded that personal data of users are collected by all information resources, “so we should take care to ensure the safety of children and citizens in the online space”.

“And here, of course, only the state can be asked for their rational use and for ensuring the safety of people. Therefore, information resources in schools should be state-owned,” the president explained.

“We know, unfortunately, that all sorts of shameless people who do not think about anything but profit use the Internet to make a profit to the maximum. And, sorry for the bad manners, they didn't care about the fate of people and children. Therefore, this is where children are driven to suicide, here is child pornography,” Putin explained.

He also positively assessed the initiative of domestic Internet companies to create their own public organization to ensure the information hygiene of minors. “We will continue to support and help this,” the president concluded.  

On September 1, Putin said that the state and society should join efforts to create a safe online space for children. He expressed hope that global digital platforms will be involved in ensuring the safety of children online.