Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Russian Hacker. Show all posts
Spear Phishing
Business Security Cyber Attacks Malicious Campaign Russian Hacker Spear Phishing

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations

 

Microsoft Threat Intelligence has discovered a new attack campaign by Russian hacker group Midnight Blizzard, targeted at thousands of users from over 100 organisations. The attack uses spear-phishing emails that contain RDP configuration files, allowing perpetrators to connect to and potentially compromise the targeted systems. 

The malicious campaign targeted thousands of users from higher education, defence, non-governmental organisations, and government institutions. Dozens of nations have been impacted, mainly in the United Kingdom, Europe, Australia, and Japan, consistent with previous Midnight Blizzard phishing attacks. 

In the most recent Midnight Blizzard assault campaign, victims received meticulously targeted emails including social engineering lures related to Microsoft, Amazon Web Services, and the concept of Zero Trust. 

According to Microsoft Threat Intelligence, the emails were sent using email addresses from legitimate organisations obtained by the threat actor during earlier breaches. Every email included an RDP configuration file signed with a free LetsEncrypt certificate and included multiple sensitive parameters. When the user accessed the file, an RDP connection was established with an attacker-controlled system. 

The threat actor could then use the established RDP connection to acquire information regarding the targeted device, such as files and folders, connected network drives, and peripherals such as printers, microphones, and smart cards. 

It would also allow for the collection of clipboard data, web authentication via Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a link may also enable the threat actor to install malware on the targeted device or mapped network share(s). 

Outbound RDP connections were established to domains constructed to deceive the victim into thinking they were AWS domains. Amazon, which is collaborating with the Ukrainian CERT-UA to combat the threat, began grabbing affected domains immediately in order to stop operations. Meanwhile, Microsoft alerted all impacted customers who had been targeted or compromised.
Read more »
Russian Hacker
APT29 AWS Cyber Attacks Phishing Campaign Russian Hacker

Amazon Identified Internet domains Exploited by Russian APT29

 

The leading advanced persistent threat group in Russia has been phishing thousands of targets in businesses, government agencies, and military institutions. 

APT29 (also known as Midnight Blizzard, Nobelium, and Cozy Bear) is one of the world's most prominent threat actors. It is well known for the historic breaches of SolarWinds and the Democratic National Committee (DNC), which are carried out by the Russian Federation's Foreign Intelligence Service (SVR). It has recently breached Microsoft's codebase and political targets in Europe, Africa, and beyond. 

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" notes Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

In the same vein, the Computer Emergency Response Team of Ukraine (CERT-UA) recently found APT29 phishing Windows credentials from government, military, and commercial sector targets in Ukraine. After comparing notes with authorities in other nations, CERT-UA discovered that the campaign had expanded across "a wide geography."

It is not surprising that APT29 would target sensitive credentials from geopolitically influential and diversified organisations, according to Narang. However, "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks.” 

AWS and Microsoft

Malicious domain names that were intended to seem to be linked to Amazon Web Services (AWS) were used in the August campaign. The emails received from these domains simulated to give recipients advice on how to set up zero trust architecture and combine AWS with Microsoft services. Despite the charade, AWS stated that neither Amazon nor its customers' AWS credentials were the target of the attackers.

The attachments to those emails revealed what APT29 was really looking for: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol. RDP is a common remote access technique used by regular consumers and hackers. 

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection [upfront],'" Narang added. 

Launching one of these malicious attachments would have resulted in an immediate outbound RDP connection to an APT29 server. But that wasn't all: the files contained a number of other malicious parameters, such that when a connection was established, the perpetrator gained access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, as well as the ability to execute custom malicious scripts.
Read more »
WinRAR
Aerospace APT29 CVE vulnerability Data Breach Foreign policy Russia-Ukraine War Russian Hacker Software Bug supply chain security Ukraine WinRAR

APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

During the latest wave of cyberattacks, foreign embassies have been the target of a malicious group known as APT29. They have employed a highly complex attack method that takes advantage of weaknesses in WinRAR, a widely used file compression software. There have been shockwaves throughout the cybersecurity world due to this worrisome disclosure, leading to immediate action to strengthen digital defenses.

According to reports from cybersecurity experts, APT29 has ingeniously employed the NGROK feature in conjunction with a WinRAR exploit to infiltrate embassy networks. The NGROK service, designed for secure tunneling to localhost, has been repurposed by hackers to conceal their malicious activities, making detection and attribution a formidable challenge.

WinRAR, a widely used application for compressing and decompressing files, has been targeted due to a specific vulnerability, identified as CVE-2023-38831. This flaw allows the attackers to execute arbitrary code on the targeted systems, giving them unfettered access to sensitive information stored within embassy networks.

The attacks, initially discovered by cybersecurity researchers, have been corroborated by the Ukrainian National Security and Defense Council (RNBO). Their November report outlines the APT29 campaigns, shedding light on the extent of the damage inflicted by these cyber intruders.

The fact that foreign embassies are specifically being targeted by this onslaught is very disturbing. Because these organizations handle so much private, political, and diplomatic data, they are often the focus of state-sponsored cyber espionage. The attackers' capacity to take advantage of flaws in popular software, such as WinRAR, emphasizes the necessity of constant watchfulness and timely software updates to reduce any threats.

Cybersecurity professionals advise companies, particularly those in delicate industries like diplomacy, to conduct extensive security assessments, quickly fix holes, and strengthen their defenses against ever-evolving cyber attacks in reaction to these disclosures. The APT29 attacks highlight the significance of a multi-pronged cybersecurity strategy that incorporates advanced threat detection methods, personnel awareness training, and strong software security procedures.

International cybersecurity organizations must work together as governments struggle with the ever-changing world of cyber threats. The APT29 attacks are a sobering reminder that the digital sphere has turned into a combat zone and that, in order to preserve diplomatic relations and maintain national interests, defense against such threats necessitates a united front.

Read more »
USB
Cyber Crime Flash drive Malicious Software Russian Hacker USB

Preventing a USB Killer Threat

A USB Killer is a USB drive that was altered to emit an electrical surge that can break or destroy hardware when a modified flash drive is plugged into a computer's USB port.

The concept for USB Killers was created by a Russian researcher named Dark Purple with the stated objective to eliminate delicate computer parts. When a USB Killer device is inserted into a USB port, it draws power from the devices' USB power sources and stores it in its own capacitors. It holds this procedure until a high voltage is reached. Once finished, it discharges the accumulated negative 220 volts of high voltage onto the USB data pins. An estimated 215–220 volts can be produced by the USB Killers that are now on the market. The host device's circuitry is harmed or destroyed as a result.

Its capacitors rapidly accumulate this enormous voltage. As long as the gadget is connected and hasn't been damaged to the point that it can no longer charge itself, the charge/discharge cycle also continues numerous times per second.

This approach makes nearly any unprotected equipment susceptible to high voltage attack. For years, malicious software has been spread via USB sticks, including viruses that can infect computers. This is probably because they are easy and affordable to design and buy. Unaware users frequently utilize them to store and transport data.


A USB Killer Attack: How to Prevent It

1. Keep Unknown Drives Out of the Plug

Social engineering, or using deceptive techniques to persuade people to connect a malicious device, is at the heart of many USB risks.

2. When possible, turn off USB ports

If it is possible, disabling USB ports is a great way to stop USB attacks, including USB Killer attacks.

3. Register online

A computer's virtual environment that hosts a mockup of your computer inside of your computer. It won't have an impact on your data or network if you connect to the drive and open it in the virtual environment.

It swiftly ruins a PC once you plug it into a USB port. Moreover, refraining from using unknown USB devices on computers is the greatest approach to stop USB Killers from causing PC damage. The majority of USB-related attacks can be effectively prevented by following the best cybersecurity measures. For complete security, you can physically cap and disable the USB ports in your business.

Even measures implemented to guard against USB assaults are not 100% secure. Never trust unknown disks, periodically examine those you do use, and utilize security features like passwords, PIN codes, and data encryption. Ideally, being informed of the strategies that hackers employ as well as having strong hardware and software security can keep you safe from any unpleasant digital illnesses.

Read more »
Vulnerabilities and Exploits
FBI LockBit LockBit 3.0 Phishing Attacks Ransomware Attacks. Russian Hacker User Privacy Vulnerabilities and Exploits

Following a Breach at ION Group, LockBit Hackers Received a Ransom

LockBit hackers who took credit for a severe hack at financial data company ION claim that a ransom was paid, although they would not specify the sum or provide any proof that the payment had been transferred. Meanwhile, the ION Group chose not to comment on the situation. 

The British spying intelligence agency GCHQ's National Cyber Security Agency told Reuters there's nothing further to add. A key to access the files should be provided by the hacking gang if a ransom is paid. As per cybersecurity experts, ransomware often demands the individual file-by-file decryption of computer servers, which can involve days or weeks. Additionally, a machine that has had its data decrypted cannot be trusted after that point and must be wiped clean and rebuilt from scratch. PCs often speed up the process.

After a business pays a ransom, additional ransomware gangs might try to extort them once more by using the company's IT system flaws. Considering to be completely secure, ransomware victims might seek to redesign their technical infrastructure.

In addition, victims' files are kidnapped by LockBit, the group behind the ION assault, which also demands payment by February 4 to prevent their disclosure.

Ransoms should not be paid, according to the National Cyber Security Centre of the UK, 42 of ION's clients were impacted by the early-morning Tuesday attack. Eventually, it caused several banks and brokers in Europe and the US to conduct some trades manually, thus setting them back for decades. About the attack, the FBI has contacted ION management.

LockBit Ransomware Group

In certain cases, the affiliate of LockBit 3.0 is required to start the ransomware binary using a 32-character password. The typical assault procedure consists of infecting the device, encrypting files, removing specific services, and changing the device's background image.

The information can be offered for sale on the dark web if the ransom is not paid. Cobalt Strike, a security testing tool, and a series of malware attacks have been linked to LockBit 3.0's abuse of Windows Defender.

Operating with affiliates who may lack the means to develop and launch attacks, LockBit uses a ransomware-as-a-service (RaaS) business model. The associated hacker in this case receives a percentage of the ransom, based on a December 2022 warning from the U.S. Department of Health & Human Services.

Among the most expensive and disruptive concerns for businesses globally in recent years has been ransomware. Several ransomware groups not only encrypt a victim's files in exchange for a ransom payment, but they also steal data and threaten to expose it online as an added inducement to pay up.

Numerous brokers have experienced difficulties as a result of the exchange-traded financial derivatives trading and clearance being impacted by the ransomware attack on ION. Reuters reports that among the numerous ION customers whose operations have been interrupted are ABN Amro Clearing and Intesa Sanpaolo, the largest bank in Italy.

Read more »
User Privacy
Cyber Crime FSB Russia-Ukraine War Russian Hacker Scam User Privacy

Russian Scam Industry Expands as a Result of Mobilization

 

After experiencing setbacks on the Ukrainian front, Russian President Vladimir Putin ordered a partial mobilization. Russian men who are eligible for enlistment have turned to illegal channels that grant them fabricated exemptions, whereas those fleeing the country to neighboring regions have turned to using identity masking tools.

Due to the aforesaid circumstance, it is now highly profitable for people to sell illegal services. In a similar vein, scammers and hackers see a good opportunity to take advantage of anxious people in haste.

Cybercriminals selling fake documents on the dark web, Telegram, and other encrypted channels are the initial scams to attempt to profit from the situation.

The scammers have even gone to the point of actively publicizing their phony services on social media and making direct contact with individuals through channels that preach about mobilization. The hackers allegedly offer people certificates of ineligibility for military duty, which they claim will enable them to avoid enlistment, according to a report by RIA Novosti.

For the recruitment officers to never hunt for the buyer, the agreement also calls for updating the regional enlistment office's database within 48 hours. The scammers demand 27,000 rubles ($470) in exchange for the same, as well as a copy of the client's passport.

Once the funds are paid, the con artists cut off contact with the victim and probably utilize the identity they have stolen to commit more fraud or sell it on the dark web. These advertisements claim to be able to produce fake HIV and hepatitis certificates for 33,000 and 38,000 rubles ($630), respectively.

According to Russian news site Kommersant, there is a 50% increase in demand for so-called 'gray' SIM cards as a result of the widespread migration of Russians. These SIM cards support 'pay-as-you-use' plans and thus are compatible with the networks of MTS, MegaFon, Beeline, Tele2, and Yota. Since the government can use regular SIMs to trace young men liable for military duty and potentially halt them at the border, Russians are eagerly looking for these cards.

IMEI (International Mobile Equipment Identity), is a special 15-digit number that is connected to the device's hardware instead of the SIM card. Roskomsvoboda, a Russian internet rights group, says there have been numerous cases of people being forced by FSB officers to divulge their IMEI numbers while entering Georgia, Kazakhstan, and Finland. IMEI monitoring is aided by using telecommunication stations for approximate location triangulation. 

Law enforcement has used IMEI for several years, and tracking software that promises to find your lost or stolen device also employs it. Except for a few Huawei, Xiaomi, and ZTE models that store the IMEI in a rewritable memory region in violation of the technology's rules and allow users to flash it with specific tools, assigned IMEIs are not interchangeable or editable.

As an alternative, Roskomvoboda advises evacuating Russians to either submit a burner phone at the border or purchase a new device once they have left the nation.


Read more »
VMware
Cyber Secuirty Cyber Security Darknet Double extortion Linux Ransomware Attacks. Russian Hacker VMware

ESXi , Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family that was written in Rust, making it the third strain to do so after BlackCat and Hive, according to Kaspersky security researchers

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

This interesting encryption method combines x25519 with AES. The researchers discovered that the Linux and ESXi samples, which are compiled using the identical source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Due to spelling errors in the ransom note that are hard-coded into the malware, its main creators are also thought to be of Russian descent.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples are identical. The remaining code is almost unchanged from the Windows version" the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how hackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, considering that Luna is a recently identified criminal organization and its activities are still being constantly monitored, there is very little knowledge available regarding the victimology trends.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding compatibility for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, hope to increase their potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that operators had introduced a new feature that relies on launching the computer in safe mode before encrypting data and imitating Windows Services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.




Read more »
Windows
C2C Cyber Attacks IBM X-Force Linux Palo Alto Networks' Unit 42 Russian Hacker Windows

Backdoor Installed by HelloXD Ransomware , Directed Windows and Linux Devices

 

HelloXD is ransomware that first appeared in November 2021 and does double extortion assaults. Researchers discovered several variations that affect Windows and Linux computers. 

According to a recent analysis from Palo Alto Networks Unit 42, the malware's creator has developed a new encryptor with unique packing for detection avoidance and encryption algorithm tweaks. This is a substantial deviation from the Babuk code, indicating the author's goal to create a new ransomware strain with possibilities and characteristics to allow for more attacks. 

HelloXD ransomware threat 

HelloXD first emerged to the public on November 30, 2021, and is based on Babuk's leaked code, which was published in September 2021 on a Russian-language cybercrime site. 

Palo Alto Networks Unit 42 security researchers Daniel Bunce and Doel Santos said, "Unlike other ransomware, this ransomware does not have an active leak site; instead, it prefers to direct the infected victim to negotiations via Tox chat and onion-based messaging instances." 

The operators of the ransomware family are no exception since they used double extortion to extort cryptocurrencies by exfiltrating a victim's personal data, encrypting key, performing cyber espionage, and threatening to publish it.MicroBackdoor is an open-source malware used for command-and-control (C2) communications to browse the infected system, exfiltrate files, execute orders, and remove traces, according to its developer Dmytro Oleksiuk. 

In March 2022, the Belarusian threat actor nicknamed Ghostwriter (aka UNC1151) used multiple forms of the implant in its cyber operations against Ukrainian governmental agencies. The features of MicroBackdoor allow a hacker to explore the file system, upload and download files, run commands, and delete traces of its activity from compromised PCs. 

Hello XD is a harmful ransomware project in its early stages that is now being deployed in the field. Although infection volumes aren't high now, its active and targeted development paves the way for a more harmful state. By piecing together the actor's digital trail, Unit 42 said it connected the likely Russian vendor behind HelloXD — who passes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — to further cybercriminals like selling proof-of-concept (PoC) exploits and custom Kali Linux distributions using malicious software. 

During 2019 and 2021, the average lifespan of an enterprise ransomware attack — that is, the period between initial access and ransomware distribution — decreased by 94.34 percent, from nearly two months to just 3.85 days, according to a new report by IBM X-Force.

The role of initial access brokers (IABs) in getting access to victim networks and then selling that access to associates, who then misuse the foothold to install ransomware payloads, has been attributed to the enhanced speed and efficiency trends in the ransomware-as-a-service (RaaS) ecosystem. 

Overall, the data theft by threat actor appears skilled and capable of moving Hello XD forward, so analysts should keep a close eye on its progress.
Read more »
Ukraine
C&C Conti Ransomware malware RaaS Russian Hacker Ukraine

Ukrainian Security Researcher  Source Code for New Conti Malware Has Been Exposed

 

The source code of a fresh version of the Conti ransomware has been disclosed by a Ukrainian security researcher. This is the latest in a string of leaks sparked by the criminal group's support for Russia. Conti is a ransomware gang based in Russia which uses a ransomware-as-a-service (RaaS) business model. While some ransomware demands are in the millions of dollars, Coveware thinks the average Conti demand is just over $765,000. 

The renowned Conti ransomware organization published a statement soon after Russia launched its incursion of Ukraine, warning this was prepared to strike the key infrastructure of Russia's adversaries in revenge for any assaults on Russia. 

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After a period of inactivity of more than two weeks, the Twitter account resurfaced over the weekend, releasing what looks to be the source code for a newer version of Conti. Previously, some speculated that the leaker was a Ukrainian security researcher, while others speculated that he was a rogue employee of the Conti group. Messages were leaked and shared. 

The discharge of ransomware source code, particularly for advanced operations such as Conti, can have catastrophic consequences for corporate networks and consumers. This is due to the fact other threat actors frequently exploit the disclosed raw code to create their own ransomware attacks. In the past, a researcher released the source code for ransomware called 'Hidden Tear,' which was soon adopted by several threat actors to begin various operations.
Read more »
Telegram
Botnet C2C Crypto Wallet Fortinet Mallicious URLs malware Russian Hacker Telegram

Telegram Abused By Raccoon Stealer

 

As per a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the capacity to keep and update its own genuine C2 addresses on Telegram's infrastructure. According to researchers, this provides them with a "convenient and trustworthy" command center on the network which they can alter on the fly. 

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

As per the reports, Buer Loader and GCleaner were used to distribute Raccoon. Experts suspect it is also being distributed in the guise of false game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications, based on some samples. 

Given since Raccoon Stealer is for sale, the only limit to its distribution methods is the imagination of the end-users. Some samples are spread unpacked, while others are protected by malware packers like Themida. It is worth mentioning whether certain samples were packed by the same packer five times in a row.

Within Telegram, the newest version of Raccoon Stealer talks with C2: According to the post, there are four "crucial" parameters for its C2 communication which are hardcoded in every Raccoon Stealer sample. Details are as follows:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names; 
  • BotID, a hexadecimal string that is always sent to the C2; 
  • TELEGRAM KEY, a decryption key for the Telegram Gate C2 address. 

The malware decrypts MAIN KEY, which it uses to decrypt Telegram gates URLs and BotID, before hijacking Telegram for its C2. According to Martyanov, the stealer then utilizes the Telegram gate to connect to its real C2 via a series of inquiries to eventually allow it to save and change actual C2 addresses utilizing the Telegram infrastructure. 

The stealer can also transmit malware by downloading and executing arbitrary files in response to an instruction from C2. Raccoon Stealer spread roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware, according to Avast Threat Labs.
Read more »
Ukraine Websites
Anonymous Cyber Security Government Killnet RaHDit Russia Russia-Ukraine War Russian Hacker Ukraine Websites

Ukrainian Government Websites Shut Down due to Cyberattack

 

Ukrainian state authorities' websites have stopped working. At the moment, the website of the Ukrainian president, as well as resources on the gov.ua domain are inaccessible. 
According to the source, a large-scale cyberattack by the Russian hacker group RaHDit was the reason. A total of 755 websites of the Ukrainian authorities at the gov.ua domain were taken offline as a result of the attack. 

Hackers posted on government websites an appeal written on behalf of Russian soldiers to soldiers of the Armed Forces of Ukraine and residents of Ukraine. "The events of the last days will be the subject of long discussions of our contemporaries and descendants, but the truth is always the same! It is absolutely obvious that what happened is a clear example of what happens when irresponsible, greedy, and indifferent to the needs of their people come to power," they wrote. 

Another of the hacked websites published an appeal on behalf of Zelensky. In it, the President of Ukraine allegedly stated that he had agreed to sign a peace treaty with Russia. "This is not treason to Ukraine, to the Ukrainian spirit, it is exclusively for the benefit of the Ukrainian people," the banner said. 

The third message called on civilians to "refuse to support national radical formations formed under the guise of territorial defense." It was warned that any attempts to create armed gangs would be severely suppressed. In another announcement, Ukrainian soldiers were asked not to open fire on the Russian army and lay down their weapons: "Return fire will kill you. You are guaranteed life, polite treatment, and a bus home after the war." 

This information could not be confirmed. Currently, when entering government websites, it is reported that access to them cannot be obtained.

Earlier it became known that Russian hackers from the Killnet group hacked the website of the Anonymous group, which had previously declared a cyberwar against Russia. They urged Russians not to panic and not to trust fakes. 

On February 25, hackers from Anonymous announced their decision to declare a cyberwar against Russia due to the start of a special operation in the Donbas. The attackers attacked Russian Internet service providers and government websites. They also hacked the websites of major media outlets: TASS, Kommersant, Izvestia, Forbes, Mela, Fontanka. 

As a reminder, the special operation in Ukraine began in the morning of February 24. This was announced by Russian President Vladimir Putin.
Read more »
Ukraine
API BazarBackdoor Conti Ransomware Cyber Attacks Emsisoft FBI Russian Hacker Ukraine

Ukrainian Researcher Released  Software for Conti Ransomware

 

Conti, the notorious ransomware gang, is now the subject of cyberattacks following its proclamation early last week, it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine, with the most recent blow being the public release of its source code. 

This comes only days after an archive comprising well over a year's worth of instant conversations between members of Conti, believed to be based in Russia, was leaked: speaking 400 files and tens of thousands of lines of Russian-language internal chat logs. Messages from January 2021 to February 27 of such a year can be found in the internal communication files.

Its analysis cited a cybersecurity bulletin issued jointly by the Cybercrime and Infrastructure Agency (CISA) and the FBI over the weekend, which warned Russia's attack on Ukraine – which also included cyberattacks on the Ukrainian government and key infrastructure organizations – could spill over Ukraine's borders, especially in the wake of US and allied sanctions. 

Throughout the night, ContiLeaks began publishing more information, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. A password-protected folder including the source code for the Conti ransomware encryptor, decryptor, and function Object() { [native code] } was one component of the release to get people interested.While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the Conti ransomware malware files' source code. 

The code may not provide more information if you are a reverse engineer. For those who can program in C but not reverse engineer, the source code contains a wealth of information about how the malware operates. While this is beneficial for security research, having this code available to the public has its pitfalls. Threat actors immediately coopt the code to establish their own operations, as we observed when the HiddenTear (for "educational purposes") and Babuk malware source code was leaked. 

In May, the FBI issued a five-page [PDF] warning to American firms about Conti ransomware assaults on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million. 

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence", Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand, stated.
Read more »
Ukraine
Cyber Security DDOS Attacks ISP Russian Hacker Satellite Ukraine

Viasat Claims Delay on a "Cyber Event"

 

Viasat Inc., an American communications provider, claims its satellite internet services in Ukraine and Europe are being disrupted by a "cyber incident." 

Based in Carlsbad, California, Viasat offers high-speed satellite broadband access and secure networking systems to military and commercial customers throughout the United States and around the world. The problem stems from Viasat's purchase of the Ka-SAT satellite from the satellite's launcher and former owner, Eutelsat, in April 2021. 

"While we attempt to restore service to affected consumers, we're also looking into and evaluating our European network and systems to figure out what's causing the problem. We're also putting further network safeguards in place to avoid any further consequences." authorities stated. 

According to the firm, the interruption began on February 24, the day Russia invaded Ukraine, and it contacted "law enforcement and government partners," adding it had "no indication of consumer data is implicated." In a statement to PaxEx.Aero, another ISP, Germany-based EUSANET, the company said it was suffering problems as well. 

An insider told British news channel Sky News that the interruptions were triggered by a distributed denial of service (DDoS) attack. The number of Viasat users in Ukraine is unknown, and the firm has declined to specify how many are affected. Subsequently, Viasat's stock was up 3.5 percent in lunchtime trade Monday, trading at around $45. 

To optimize service area, Viasat operates huge satellites in geosynchronous orbit, which means people are stationary at a location roughly 35,000 kilometers from Earth.

This is the conventional method of providing broadband access from space, but a number of businesses, including SpaceX's Starlink, are investing in constructing networks in low-Earth orbit which use hundreds or thousands of satellites.
Read more »
Ukraine Websites
Bank Hacking Cyber Attacks DDOS Attacks GRU Mirai botnet Russian Hacker UK Ukraine Websites

DDoS Assaults on Ukrainian Banking Elite has Resumed Yet Again


Cyberattacks took down Ukrainian official and bank websites, prompting the government to declare a statewide state of emergency amid growing fears that Russian President Vladimir Putin could launch a full-scale military invasion of Ukraine. The websites of Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank) were also blasted in the onslaught and brought down Ukrainian government sites as well, according to Internet monitor NetBlocks. 

"At around 4 p.m., another massive DDoS attack on the state commenced. We have relevant data from several banks," stated Mykhailo Fedorov, Minister of Digital Transformation, who also mentioned the parliament website had been hacked. Hackers were prepared to conduct big attacks on government organizations, banks, and the defense sector, as Ukrainian authorities said earlier this week. 

SSSCIP and other national cybersecurity authorities in Ukraine are currently "working on countering the assaults, gathering and evaluating information." According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers used DDoS-as-a-Service platforms and numerous bot networks, including Mirai and Meris, to carry out the DDoS attacks on February 15th. The DDoS attacks were traced to Russia's Main Directorate of the General Staff of the Armed Forces on the same day, according to the White House. 

"We have technical information indicating ties the Russian main intelligence directorate, or GRU," Deputy National Security Advisor for Cyber Anne Neuberger stated. "Known GRU infrastructure was spotted delivering huge volumes of communication to Ukraine-based IP addresses and domains." 

Neuberger went on to say as, despite the "limited impact," the strikes can be considered as "setting the framework" for more disruptive attacks, which could coincide with a possible invasion of Ukraine's territory. 

The UK government also blamed Russian GRU hackers for the DDoS strikes last week which targeted Ukrainian military and state-owned bank websites. Following a press release from Ukraine's Security Service (SSU), which also had its website hacked, the country was attacked by a "huge wave of hybrid warfare." The SSU announced earlier this month so, during January 2022, it stopped over 120 cyberattacks aimed at Ukrainian governmental entities.
Read more »
Ukraine
Cyber Actors Data Breach DDOS Attacks Denial of Service vulnerability GRU Russian Hacker Ukraine

Russia Suspected of Espionage Against Ukraine Via Two Big Nations

 

On Friday, the White House suspected Russia of being behind recent cyberattacks on Ukraine's defense department and banking institutions. 

The statement by Anne Neuberger, the White House's top cyber official, was the most precise attribution of culpability for the cyber breaches which have occurred as tensions between Russia and Ukraine have risen. Although the attacks this week had a "limited impact" since Ukrainian officials were able to swiftly restore its networks, Neuberger believes hackers were laying the framework for future devastating invasions. 

As tensions between Russia and Ukraine rise, Britain has joined the United States in criticizing the GRU military intelligence agency for the widespread denial-of-service attacks. The strike, according to the British Foreign Office, "showed a persistent disdain for Ukrainian integrity." This is just another example of Russia's aggressive behavior toward Ukraine."

Russians may also be laying the foundations for more disruptive measures in the event of a Ukrainian invasion. Neuberger remarked, "We expect more destabilizing or damaging cyber action if Russia decides to continue its invasion of Ukraine, and we're working closely with friends and partners to guarantee to be prepared to call out the behavior and respond." 

The United States was publicly criticizing Russia because it needed to "call out the action swiftly." "The international community must be ready to expose harmful cyber operations and hold actors accountable for any disruptive or damaging cybersecurity threats," Neuberger added. 

The widespread breach of service attacks on Tuesday was described by Ukrainian officials as the deadliest in the country's history. However, while these certainly affected internet banking, hampered some government-to-public interactions, and were definitely intended to induce fear. "Typical DDoS attacks survive because the defenders are untrained," said Roland Dobbins, DDoS engineer at cybersecurity organization Netscout, adding that the most market mitigation technologies designed to resist such attacks are ineffective.
Read more »
Ukraine
Cyber Attacks Cyber War Cyberattack Kiev Russia Russian Hacker Ukraine

EU Ready to Send a Mission to Kiev to Fight Cyberattacks

 

The EU countries, while discussing the situation around Ukraine, expressed their readiness, if necessary, to adopt a set of sanctions against Russia. French Foreign Minister Jean-Yves Le Drian said this on Monday after the EU Council meeting in Brussels. 

"This meeting showed a great degree of agreement between the Europeans and the United States. This cohesion is very important," he said, adding that diplomatic efforts are underway in connection with the escalation along the Ukrainian border. 

"I was greatly impressed by the firmness of the Europeans and their willingness to jointly present a set of sanctions, measures to contain Russia in order to prevent an offensive - military or otherwise - in Ukraine," Le Drian said. 

On the night of January 14, the websites of the Ministry of Foreign Affairs of Ukraine, the Ministry of Education, the Ministry of Agrarian Policy and Food were subjected to massive cyberattacks. Hackers posted messages warning residents to "fear and expect the worst." In addition, Ukrainians were warned that the allegedly personal information of residents of the country, which was uploaded to the "common network," would be destroyed without the possibility of recovery. 

According to Deputy Secretary of the National Security and Defense Council of Ukraine Sergei Demedyuk, hackers associated with the intelligence services of Belarus are behind the cyber attack on Ukrainian departments. Later, a criminal case was opened on the fact of the cyber attack. 

White House Press Secretary Jen Psaki noted that the United States is in contact with Ukraine regarding the incident, and also offered its assistance in the investigation. According to her, the United States, its allies, and partners are "concerned about this cyberattack." 

NATO Secretary-General Jens Stoltenberg announced that the organization will sign an agreement with Ukraine on strengthening cyber cooperation. He condemned cyberattacks on the government of Ukraine. 
 
On December 21, the American newspaper New York Times reported that the United States and Great Britain secretly sent a group of cybersecurity specialists to Ukraine. As specified, the West wants to help Kiev to be ready for allegedly preparing cyber attacks.
Read more »
United States
Carding Cyber Crime Group-IB Hacker group Russia Russian Hacker The Infraud Organization United States

Suspected Founder of Hacker Group The Infraud Organization Arrested in Moscow

 

It became known that Russia will not extradite the possible leader of the hacker group The Infraud Organization to the United States. Russian FSB officers and Russian law enforcement agencies, with the assistance of US law enforcement agencies, detained four members of the hacker group The Infraud Organization on January 22. Prior to that, the alleged founder Andrei Novak was put on the wanted list in the United States on charges of cyber fraud. 

According to the FSB, Novak has been arrested, and three other alleged hackers have been placed under house arrest. The investigation continues to identify other members of The Infraud Organization. The detained members of the group are accused of illegal access to computer information and illegal turnover of payment funds. 

Russia has no plans to extradite Andrei Novak, the possible leader of the international hacker group The Infraud Organization, to the United States. Thus, Russian law prohibits the extradition of citizens of one's own country to a foreign state. 

It is noted that if among the detained members of the organization there is a person without Russian citizenship, then after the investigation of a criminal case in Russia and the trial he will be extradited to the country where the case was opened against him. 

It is worth noting that in February 2018, it was reported that law enforcement officers detained 13 persons in the United States accused of involvement in a criminal scheme, the damage from which amounted to at least $530 million. In total, 36 people have been charged, and one Russian, Andrei Novak, was included in this list. 

The detained 13 people are citizens of the United States, Australia, Great Britain, France, Italy, and Serbia. The criminal group was organized by a citizen of Ukraine in 2010. 

The company Group-IB, which in Russia is engaged in the investigation and prevention of cybercrime (its founder Ilya Sachkov was arrested in Russia on charges of treason), said at the time that the defendants were not an organized group, but united on hacker sites solely to carry out attacks. Group-IB suggested that their main field of activity could be carding. In addition, cybercriminals could manage cardershops (sites for the sale of bank cards), sell accounts and accounts.
Read more »
Russian Hacker
Cyber Attacks Group-IB REvil REvil Hacker group Russian Hacker

Group-IB: REvil hackers detention may affect Russian companies



Experts believe that the arrest of the REvil hacker group can create temporary problems for cybercriminals in Russia, but this may affect the well-being of Russian companies. 

 "At the moment, we do not see a significant decrease in the number of ransomware attacks. As for REvil, they have not been active for several months anyway. At the same time, this situation may negatively affect Russian companies. Russian-speaking cybercriminals may attack them more actively", said Oleg Skulkin, head of Group-IB Computer Forensics Laboratory. 

The company clarified that for a long time many Russian-speaking hackers "did not work in Russia and the CIS", as it was unsafe. However, over the past two years, attacks using ransomware in Russia and the CIS have become more frequent. And the detention of REvil can spur them on because after successful international operations they can forget about the unspoken prohibitions. 

At the same time, the expert did not rule out that cybercriminals may temporarily have problems. "Of course, they may have difficulties with cashing out funds obtained illegally. Perhaps some of the partners will stop their activities for some time," Skulkin said. 

After the detention of REvil, hacker gangs in Russia may hide or slightly reduce the intensity of attacks, but they will definitely not give up on them, says Pavel Korostelev, head of the product promotion department of the Security Code company. 

"Now hackers will probably wait until the dust settles, but gangs don't have a single control center that says: 'Stop, no more attacks'. It's a way of making money, so there will always be people willing to take risks. If a business will get better, it won't be for long," the expert said. 



Read more »
TrickBot
Cyber Crime Hackers Arrested Russian Hacker TrickBot

Russian accused of developing programs for the Trickbot hacker network extradited from South Korea to US

 The US Department of Justice said that the Russian is a member of a hacker group that used the Trickbot malicious network. The network has been used to attack "millions of computers" around the world, including schools, banks, healthcare, energy and agricultural companies, the prosecution said.

According to the ministry's press release, 38-year-old Vladimir Dunaev and his accomplices stole money and confidential information from November 2015 until August 2020, and also damaged computer systems. Individuals, financial and state institutions, utilities and private enterprises are among the victims of the hackers' actions.

The US Department of Justice clarifies that Mr. Dunaev was allegedly one of the developers of malware for the Trickbot network. He was engaged in creating modifications for the browser and helped malicious software bypass security programs.

The Russian was extradited from South Korea to the United States last week, on October 20. He is charged with conspiracy to commit computer fraud and identity theft, conspiracy to commit information technology and banking fraud, and conspiracy to launder money. In total, more than 10 people are involved in the case, including four Russians and one Ukrainian.

In June, similar charges were brought against a citizen of Latvia, Anna Witte, whom the US Justice Department also considers a member of the hacker group that used Trickbot. This network, according to the American side, was located in Russia, Ukraine, Belarus and the Republic of Suriname (South America). The Washington Post wrote that Trickbot is allegedly controlled by Russian-speaking attackers. In November 2020, the network was disconnected, the American company Microsoft took part in the special operation.

Read more »
Russian Hacker
Cyber Attacks DDOS Attacks Russian Hacker

Russian hacker: a DDoS attack could be the reason for the decline of social networks

Earlier, Facebook said that a large-scale failure did not lead to a leak of user data. Facebook's representatives assured that there is no such evidence. The company also confirmed that unsuccessful software configuration changes led to the failure.

According to Varskoy, the reason why the version about an external attack on the service is excluded is quite obvious. The hacker believes that the company does not want to lose the trust of customers and money.

“All the journalists were waiting for what Facebook itself would say, and the company gave them an answer that would satisfy them. All other versions after that will look like just versions. I am almost sure that we are dealing with a common technical phenomenon, but I would not rule out the attack version one hundred percent,” Varskoy added.

The hacker is convinced that Facebook quickly came to the conclusion that the leak did not occur, since it takes more time to detect the leak or its absence.

The expert noted that if this is really an attack, then its authors have the strongest resources, consisting of many machines. According to Varsky, in this way, hackers could simply demonstrate their strength.

Recall that on the evening of October 4, thousands of users around the world complained about disruptions in the messenger WhatsApp, as well as the social networks Facebook and Instagram. Following this large-scale failure, users reported problems in the work of Twitter, Google and Amazon.

In addition, it became known that the data of more than one and a half billion Facebook users got into the network and are sold on a popular hacker site. The names, email addresses, phone numbers, gender, or even the identity card of the users are available for purchase. According to the Telegram channel Mash, this is the largest and most significant leak of Facebook data in history.

Read more »
Subscribe to: Posts (Atom)