Showing posts with label Russian.

New macOS Malware Threat: What Apple Users Need to Know


Recently, the Moonlock Lab cybersecurity team discovered a macOS malware strain that can easily evade detection, posing a significant threat to users' data privacy and security. The infection chain for this malware begins when a Mac user visits a website in search of pirated software. 

On such sites, users might encounter a file titled CleanMyMacCrack.dmg, believing it to be a cracked version of the popular Mac cleaning software, CleanMyMac. When this DMG file is launched on the computer, it executes a Mach-O file, which subsequently downloads an AppleScript designed to steal sensitive information from the infected Mac. Once the malware infects a macOS computer, it can perform a variety of malicious actions. It collects and stores the Mac owner's username and sets up temporary directories to hold stolen data before exfiltration. The malware extracts browsing history, cookies, saved passwords, and other sensitive data from web browsers. It also identifies and accesses directories that commonly contain cryptocurrency wallets. 

Additionally, it copies macOS keychain data, Apple Notes data, and cookies from Safari, gathers general user information, system details, and metadata, and then exfiltrates all this stolen data to threat actors. Moonlock Lab has linked this macOS malware to a well-known Russian-speaking threat actor, Rodrigo4. This hacker has been active on the XSS underground forum, where he has been seen recruiting other hackers to help distribute his malware using SEO manipulation and online ads. This discovery underscores the growing threat of sophisticated malware targeting macOS users, a group often perceived as being less vulnerable to such attacks. 

Despite Apple's strong security measures, this incident highlights that no system is entirely immune to threats, especially when users are lured into downloading malicious software from untrustworthy sources. To protect yourself from such threats, it is essential to take several precautions. First and foremost, avoid downloading pirated software and ensure that you only use trusted and official sources for your applications. Pirated software often hides malware that can compromise your system's security. Installing reputable antivirus software and keeping it updated can help detect and block malware on macOS. Regularly updating your macOS and all installed applications is crucial to patch any security vulnerabilities that may be exploited by attackers. 

Additionally, exercise caution with downloads from unfamiliar websites or sources. Always verify the legitimacy of the website and the software before downloading and installing it. Enabling macOS’s built-in security features, such as Gatekeeper and XProtect, can also provide an additional layer of protection against malicious software. Gatekeeper helps ensure that only trusted software runs on your Mac, while XProtect provides continuous background monitoring for known malware. The Moonlock Lab's findings highlight the need for greater awareness and proactive measures to safeguard personal data and privacy. Users should remain vigilant and informed about the latest security threats and best practices for protecting their devices. 

By staying informed and cautious, Apple users can better protect their devices from malware and other cybersecurity threats. Awareness of the potential risks and implementing the recommended security practices can significantly reduce the likelihood of falling victim to such malicious activities. As cyber threats continue to evolve, maintaining robust security measures and staying updated on the latest threats will be crucial in ensuring the safety and integrity of personal data on macOS devices.

Russian Hackers Target Ukraine's Fighter Jet Supplier


A cyberattack on a Ukrainian fighter aircraft supplier has been reported, raising concerns about whether cybersecurity risks in the region are increasing. The incident—attributed to Russian hackers—highlights the need to have robust cyber defense strategies in a world where everything is connected.

According to a recent article in The Telegraph, the cyber attack targeted Ukraine's key supplier for fighter jets. The attackers, suspected to have ties to Russian cyber espionage, aimed to compromise sensitive information related to defense capabilities. Such incidents have far-reaching consequences, as they not only threaten national security but also highlight the vulnerability of critical infrastructure to sophisticated cyber threats.

Yahoo News further reports that Ukrainian cyber defense officials are actively responding to the attack, emphasizing the need for a proactive and resilient cybersecurity framework. The involvement of top Ukrainian cyber defense officials indicates the gravity of the situation and the concerted efforts being made to mitigate potential damage. Cybersecurity has become a top priority for nations globally, with the constant evolution of cyber threats necessitating swift and effective countermeasures.

The attack on the fighter jet supplier raises questions about the motivations behind such cyber intrusions. In the context of geopolitical tensions, cyber warfare has become a tool for state-sponsored actors to exert influence and gather intelligence. The incident reinforces the need for nations to bolster their cyber defenses and collaborate on international efforts to combat cyber threats.

As technology continues to advance, the interconnectedness of critical systems poses a challenge for governments and organizations worldwide. The Telegraph's report highlights the urgency for nations to invest in cybersecurity infrastructure, adopt best practices, and foster international cooperation to tackle the escalating threat landscape.

The cyberattack on the supplier of fighter jets to Ukraine is an alarming indicator of how constantly the dangers to global security are changing. For countries to survive in an increasingly digital world, bolstering cybersecurity protocols is critical. The event emphasizes the necessity of a proactive approach to cybersecurity, in which cooperation and information exchange are essential components for preventing cyberattacks by state-sponsored actors.

SolarWinds Hackers Dangle BMWs to Eavesdrop on Diplomats


The Russia-backed group responsible for the SolarWinds attack, known as Cloaked Ursa or Nobelium/APT29, has shifted its tactics and is now targeting foreign diplomats working at embassies in Ukraine. Instead of using traditional political lures, the group is employing more personalized approaches to entice victims into clicking on malicious links.

Researchers from Palo Alto Networks' Unit 42 have been monitoring the activities of Cloaked Ursa and discovered that the initial lure in the campaign involved a legitimate flyer advertising the sale of a used BMW sedan in Kyiv. The flyer, which was originally shared by a diplomat within the Polish Ministry of Foreign Affairs, caught the attention of potential victims, particularly new arrivals to the region. 

Exploiting this opportunity, Cloaked Ursa created a counterfeit version of the flyer and sent it to multiple diplomatic missions as a bait for their malware campaign. The malicious message contained a link that promised additional photos of the car, but instead, it executed malware in the background when clicked.

The malware payload used by Cloaked Ursa is JavaScript-based and provides the attackers with a backdoor into the victim's system, enabling them to load further malicious code through a command-and-control connection. 

The group meticulously compiled its target list, using publicly available embassy email addresses for 80% of the victims and unpublished email addresses for the remaining 20%. This deliberate selection aimed to maximize their access to desired networks.

While the researchers observed the campaign being conducted against 22 out of the 80 foreign missions in Ukraine, they suspect that the actual number of targets is higher. The extensive scope of the attacks is remarkable for operations that are typically secretive and narrowly focused.

In a strategic shift, Cloaked Ursa has moved away from using job-related topics as bait and instead crafted lures that appeal to recipients' personal interests and desires. This change aims to increase the campaign's success rate by compromising not only the initial targets but also others within the same organization, extending its reach. 

The researchers noted that these unconventional lures have broad applicability across the diplomatic community and are more likely to be forwarded to other individuals within and outside the organization.

Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia's Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds attack, which involved a backdoor discovered in December 2020 and affected approximately 18,000 organizations through infected software updates.

Since then, the group has remained active, targeting foreign ministries, diplomats, and the US government, exhibiting sophistication in both tactics and custom malware development.

To mitigate APT cyberattacks like those conducted by Cloaked Ursa, the researchers provided some recommendations for diplomatic personnel. They advised administrators to educate newly assigned diplomats about cybersecurity threats specific to the region before their arrival. 

Additionally, individuals should exercise caution when downloading files, even from seemingly legitimate sources, and be vigilant about URL redirection when using URL-shortening services, as this could be indicative of a phishing attack. Verifying file extension types and avoiding files with mismatched or obfuscated extensions is crucial to prevent falling victim to phishing attempts. 

Finally, the researchers suggested that diplomatic employees disable JavaScript as a preventive measure, rendering JavaScript-based malware unable to execute.
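A way to apply the extension advice above in practice, as an added example that is not Unit 42's tooling: it flags attachment names with double, executable, padded or bidi-obfuscated extensions and compares a file's leading bytes with what its extension claims. The signature table and the sample file names are constructed for the example.

```python
"""Attachment triage helper: flag file names with mismatched or obfuscated
extensions and check that a file's leading bytes match what its extension
claims. Constructed example; the signature table is a small subset."""
from __future__ import annotations
import re

# Extensions that run code when opened; the campaign's payload was JavaScript.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr",
                   "lnk", "iso", "img", "bat", "cmd", "ps1", "msi"}

# Leading bytes ("magic") of document types that lures commonly imitate.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "docx": [b"PK\x03\x04"], "zip": [b"PK\x03\x04"],
}

# Unicode bidirectional controls used to reverse or hide part of a file name.
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"


def name_findings(filename: str) -> list[str]:
    """Reasons the name itself looks obfuscated (empty list = nothing found)."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        findings.append("bidi control character in name")
    # Drop the controls so the extension logic sees what the OS will open.
    clean = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    raw_parts = clean.lower().split(".")
    parts = [p.strip() for p in raw_parts]
    if parts != raw_parts:
        findings.append("whitespace padding inside name")
    if len(parts) < 2 or not parts[-1]:
        return findings + ["no usable extension"]
    real_ext = parts[-1]
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{real_ext}")
    if len(parts) > 2 and parts[-2] in MAGIC:
        findings.append(f"double extension .{parts[-2]}.{real_ext}")
    # Long runs of spaces push the true extension out of view in mail clients.
    if re.search(r" {6,}", clean):
        findings.append("long whitespace run in name")
    return findings


def content_findings(filename: str, head: bytes) -> list[str]:
    """Compare the claimed extension against the file's first bytes."""
    ext = filename.lower().rsplit(".", 1)[-1].strip()
    if ext not in MAGIC:
        return []  # no signature on record to compare against
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return [f"content does not match .{ext} signature"]
    return []


def triage(filename: str, head: bytes) -> dict:
    """Combine both checks; `head` is the first few bytes of the attachment."""
    findings = name_findings(filename) + content_findings(filename, head)
    return {"name": filename, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: a clean flyer and three disguised attachments.
    samples = [
        ("BMW_5_series_photos.pdf", b"%PDF-1.7\n"),
        ("BMW_photos.pdf.js", b"var a = 1;"),
        ("car_photos\u202egpj.scr", b"MZ\x90\x00"),  # displays as car_photosrcs.jpg
        ("listing.pdf", b"MZ\x90\x00"),
    ]
    for name, head in samples:
        print(triage(name, head))
```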

Accused Cybercriminals: Russians Charged with Hacking Mt. Gox Crypto Exchange and Managing BTC-e

The United States has charged two Russian nationals in connection with one of the earliest, biggest, and most widely publicized bitcoin robberies in the world: the hack of the collapsed cryptocurrency exchange Mt. Gox.

The Department of Justice filed a criminal complaint charging Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, with the hacking of the Bitcoin exchange. Through their conspiracy, they laundered 647,000 bitcoins, worth $17.2 billion today.

A second charge accuses Bilyuchenko of conspiring with Alexander Vinnik to operate BTC-e, described as an "illicit exchange," from 2011 to 2017. Vinnik was extradited from Greece to the United States in 2022 to face a criminal investigation into BTC-e and money laundering charges stemming from his role in operating the exchange.

The Mt. Gox hack was one of the earliest indications that cryptocurrency exchanges, which let users convert their digital assets into traditional cash, were vulnerable to cybercriminals. There have been many thefts in the industry since then.

Reuters was unable to reach Bilyuchenko or Verner or to find their contact details. Neither could be located, and it was unclear where they were.

It is also alleged that Bilyuchenko conspired with Russian national Alexander Vinnik between 2011 and 2017 to operate BTC-e, the unlicensed Bitcoin trading platform he set up with Vinnik.

Vinnik, one of Bilyuchenko's closest associates, was arrested in Greece in 2017 and convicted of money laundering in France three years later, and is regarded as an internationally recognized cybercrime kingpin. Bilyuchenko is now facing charges in California for operating BTC-e, an exchange that has since gone out of business but which the Department of Justice has accused of catering to cybercriminals.

It is further alleged that the pair used an advertising contract with the Bitcoin brokerage service New York Bitcoin Broker to launder more of the funds, with wire transfers requested into offshore accounts held in the names of shell companies.

Vinnik has attracted much attention since his arrest in Greece several years ago. He is now in California awaiting trial on charges that he ran the crypto exchange BTC-e, and he also faced money laundering charges in France. He has additionally been credited with playing a key role in the development of the Locky ransomware.

If Bilyuchenko and Verner are based in Russia, they are unlikely to face trial at this time; it is unclear where they are currently living.

As CoinDesk reported in March, BTC-e funds are being moved on the blockchain. In November 2022, a transaction of 3,299 bitcoin took place between a crypto wallet and BTC-e's wallet, the first transaction sent from the exchange wallet since 2017. Six years ago, two unidentified recipients received over 10,000 bitcoins from a Chinese company. The DOJ filing does not clarify whether Bilyuchenko and Verner were among those beneficiaries.

Before it was taken down, BTC-e was believed to have helped cash out 95% of ransomware payments. It was used by cybercriminals in over 100 countries to transfer, launder, and store criminal proceeds.

BTC-e had over a million users and handled billions of dollars' worth of Bitcoin deposits and withdrawals, corresponding to millions of bitcoins.

Mt. Gox's longtime chief operating officer Mark Karpeles was convicted in Japan in 2019 of falsifying Mt. Gox's financial data but was acquitted of embezzlement charges. His sentence of two years and six months was suspended.

The charges against the two Russian citizens for their involvement in the Mt. Gox hack mark a significant landmark in the ongoing quest for redress for the victims of this well-known attack, one of the most severe cyberattacks of recent years. The indictment is a testament to the dedication of the law enforcement agencies working to investigate and prosecute those responsible for large-scale cryptocurrency breaches.

As the legal process unfolds, it will be important to track the results and assess the costs and benefits for the global fight against cybercrime. The case highlights the need for robust cybersecurity measures and international cooperation to protect the integrity of digital assets and maintain public trust in crypto assets in general.

A Swiss Hacker Uncovered Confidential FBI Terrorism Screening Center File

Personal information of civilians who were on an outdated version of the US Government's No Fly List and Terrorist Screening Database was found on an open server by a 23-year-old Swiss hacker.

On January 12, Maia Arson Crimew, an influential hacker noted by the Department of Justice in a separate indictment, discovered the highly sensitive documents while browsing through a search engine full of unsecured servers. 

The text file "NoFly.csv," which refers to the subset of people in the Terrorist Screening Database who have been prohibited from flying because of suspected or known ties to terrorist organizations, was found after server analysis.

According to crimew, there were reportedly more than 1.5 million entries on the list overall. The data includes names and birthdates. The number of distinct people was significantly fewer than 1.5 million because it also contained many aliases.

According to the hacker, CommuteAir, an Ohio-based minor airline, maintained the insecure Amazon Web Services cloud server that contained the No Fly List as well as confidential data on roughly 1,000 of the airline's employees. Their passport numbers, addresses, and phone numbers were apparently included in this data.

Many of the names on the list appeared to be of Arabic or Middle Eastern origin; however, there were also Hispanic- and Anglo-sounding names. The uncovered No Fly List included several well-known names, such as Viktor Bout, a Russian arms dealer who was recently released from a US prison in exchange for US basketball player Brittney Griner, and alleged members of the IRA, an Irish paramilitary group. Based on the birth year given, crimew noted that one person on the list was 8 years old.

While those on the smaller No-fly list are known or suspected terrorists who are prohibited from traveling to or inside the US, those on the Terrorist Screening Database may be subject to enhanced security checks and inspections when traveling.

According to the FBI, the Terrorist Screening Database is a list of people shared among government agencies, intended to prevent the kind of intelligence failures that took place before 9/11. The smaller, more constrained No Fly List is contained within it. People in the Terrorist Screening Database may be subject to further security checks and limitations, while no one on the No Fly List is allowed to board an airplane in the United States.

Ukrainians DDoS Russian Vodka Supply Chains


According to the Russian news portal Vedomosti, Ukrainian cyber threat actors compromised Russia’s central alcohol distribution portal, the Unified State Automated Alcohol Accounting Information System (EGAIS), which is considered crucial for the distribution of alcoholic beverages across Russian regions.

EGAIS plays an important role in alcohol distribution in the nation. By law, all alcohol producers and distributors must register their shipments with EGAIS, so the attack caused extensive service disruption across Russia.

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. In a DDoS (distributed denial-of-service) attack, the perpetrators overwhelm servers with superfluous requests in an attempt to overload the systems and prevent some or all legitimate requests from being fulfilled.

According to experts, sophisticated strategies are required against such attacks, as simply blocking a single source is insufficient. Three sites belonging to the platform were hit by the DDoS attacks.

On May 4th, two EGAIS sites showed the error “the server stopped responding,” and the third did not work at all. The attacks began on May 2nd, and by the next day the system failures had become more obvious.

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and representatives of Ladoga reported the same.

Fort further added that it had failed to upload about 70% of its invoices to EGAIS because of the attack, and its wine deliveries to retail chains and restaurants in the region apparently could not be made on May 4 as a result. The outage affected not only vodka distribution; wine companies and purveyors of other types of alcohol faced disruption as well.
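Detection logic for the point above that blocking a single source is not enough, as an added example not taken from the article or from any EGAIS telemetry: it groups constructed access-log lines into 10-second windows and shows a per-source threshold catching one abusive client but missing a 60-source flood that only the aggregate rate reveals. The log format, thresholds and addresses are assumptions.

```python
"""Per-window request accounting over constructed web-server log lines.
Added example: shows why a per-source limit alone misses a distributed flood."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Apache/nginx "combined" style line; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def window_key(ts, seconds):
    """Fixed-size time bucket (epoch seconds rounded down)."""
    return int(ts.timestamp()) // seconds * seconds


def analyze(lines, window=10, per_ip_limit=20, total_limit=100):
    """Group requests into windows; return a verdict dict per window."""
    per_window_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts, _ = parsed
        per_window_ip[window_key(ts, window)][ip] += 1
    verdicts = {}
    for key in sorted(per_window_ip):
        counts = per_window_ip[key]
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        verdicts[key] = {
            "total": total,
            "sources": len(counts),
            "noisy_sources": noisy,        # what per-IP blocking would catch
            "flood": total > total_limit,  # what only the aggregate rate reveals
        }
    return verdicts


def make_lines(ts, ips, per_ip, path="/api/shipments"):
    """Constructed sample lines: each ip issues per_ip requests at ts."""
    return [f'{ip} - - [{ts}] "POST {path} HTTP/1.1" 503 0'
            for ip in ips for _ in range(per_ip)]


# Constructed scenarios: one abusive client vs. a low-and-slow distributed flood
# (documentation address ranges, not real sources).
SINGLE = make_lines("04/May/2022:09:00:01 +0300", ["203.0.113.9"], 150)
DISTRIBUTED = make_lines("04/May/2022:09:00:15 +0300",
                         [f"198.51.100.{i}" for i in range(1, 61)], 5)
VERDICTS = analyze(SINGLE + DISTRIBUTED)

if __name__ == "__main__":
    for key, verdict in VERDICTS.items():
        print(key, verdict)
```

In the second window every source stays under the per-IP limit, so `noisy_sources` is empty while `flood` is still true; that gap is what the aggregate threshold exists to close.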

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

The Ukrainian threat actor group Disbalancer took responsibility for the attack and announced plans to launch more attacks on the platform.

Moscow Exchange Downed by Cyber-Attack


On Monday morning, the website of the Moscow Stock Exchange went down and became inaccessible. Ukraine’s crowdsourced community of hackers, operated by Kyiv officials, claimed responsibility for the outage in a message posted to Telegram.

Early on Monday, Kyiv officials called on members of the IT Army to launch attacks on the website. Following the attack, the IT Army claimed on Telegram that it took only five minutes to knock the site down; as of now, that claim could not be verified.

NetBlocks, a global internet connectivity tracking company, reported that the site went offline early on Monday, though the root cause of the incident is still unknown. Mykhailo Fedorov, Ukraine’s deputy prime minister, made a formal public statement on the incident and celebrated the formation of the IT Army on Facebook. “The mission has been accomplished! Thank you!” the statement read.

Last week, Mykhailo Fedorov also announced the formation of the IT Army and listed prominent Russian websites that the state-sponsored hackers could look to attack.

By mid-afternoon on Monday, the website of Sberbank, Russia’s largest lender, had also gone offline. The outage was reported by NetBlocks and celebrated by Fedorov, who declared “Sberbank fell!” on social media.

Further, Bloomberg reports that depositary receipts for Sberbank of Russia PJSC sank as much as 77%, while Gazprom PJSC dropped by 62%. 

Against the backdrop of the ongoing Russian war in Ukraine, cyber threat intelligence reports have warned that the consequences will affect every nation in the coming days, not just Ukraine. For now, the situation has changed the cybersecurity picture, and nations are worried by the latest developments in cyberspace.

Critical infrastructure such as power, banking, military systems, and telecoms is being targeted by state actors, and the assets of several countries are increasingly coming under threat. The US and UK have already issued warnings of potential cyber-attacks in the wake of the Russian military invasion of Ukraine.

BlackCat Ransomware Gang Employing Novel Techniques to Target Organizations


Last year in December, malware researchers from Recorded Future and MalwareHunterTeam unearthed ALPHV (aka BlackCat), the first professional ransomware strain that was designed in the Rust programming language. In this post, we will explore some of the methodologies employed by ransomware developers to target organizations.

According to an analysis published last month by Varonis, BlackCat was observed recruiting operators from multiple ransomware organizations, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill explained. 

The attackers leveraging BlackCat, often referred to as the “BlackCat gang,” employ multiple tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use several extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

According to cybersecurity researchers at Recorded Future, the ALPHV/BlackCat developer was previously involved with the REvil ransomware gang. Last month, the Russian government disclosed that at the United States’ request it arrested 14 individuals in Russia linked to the REvil ransomware gang.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.” 

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil. 

As of December 2021, BlackCat has the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 researchers. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families.