
Here's Why Cybercriminals are Shifting Their Base from Tor to Telegram


Cybercrime is a rapidly evolving field. Threat actors, ransomware gangs, malware authors, and others are quickly leaving the "traditional" dark web (Tor sites) and relocating to shady Telegram channels that are dedicated to crimes.

This article looks at the reasons threat actors are abandoning Tor and describes the kinds of Telegram channels that security teams should be monitoring.

Why are threat actors switching to Telegram from Tor? 

The majority of cybercrime activity today takes place on mainstream social media platforms rather than on the conventional dark web. Several factors drove the change, including the monetization of cybercrime, increased law enforcement scrutiny of Tor sites, and the general slowness of Tor. We will discuss each in turn.

Exit scams are rare on Telegram

The marketplace acts as an escrow agent, which is both one of the main benefits and one of the main drawbacks of conventional dark web marketplaces. Usually, there is a 14-day hold on transactions during which the marketplace holds the cryptocurrency and the buyer can ask for a refund if they are defrauded. The problem is that market owners frequently hold millions of dollars in cryptocurrency at any given moment, which makes it very tempting to run an exit scam and disappear with the escrowed funds. Telegram has no central escrow: buyers and sellers deal directly, so there is no pooled balance for a channel operator to abscond with, although buyers carry the fraud risk themselves instead.

Modern social media features

Telegram has an edge over Tor websites in the following areas:

Emojis, direct private chats, a phone app, and other nice-to-have features make Telegram one of the fastest and most popular modern social networking platforms.

Even less technical knowledge is needed to locate cybercrime channels and complete transactions than with Tor, democratising access to cybercrime data.

Numerous channels give away free "samples" of credentials, stealer logs, breach data, and similar material so that prospective customers can quickly "validate" the quality of a vendor's offering before paying.

Perceived privacy 

It is well known that law enforcement agencies closely monitor the sites, forums, and marketplaces on the Tor network. Users are aware that when they create a forum post or marketplace listing, it may be viewed by business security teams, several law enforcement agencies, and other parties.

In contrast, Telegram offers perceived anonymity because of the vast number of channels dedicated to crime, the lack of IP-level visibility available to security and law enforcement specialists, and the apparent transience of messages.

Telegram channels for various forms of cybercrime 

Telegram channels typically focus on a single form of illicit activity, in contrast to older dark web marketplaces. On a dark web market a criminal may be able to purchase combolists, drugs, firearms, credit card details, and a variety of other illegal commodities in one place; a Telegram channel usually deals in just one of them.

Bitcoin transactions 

Using third-party services, it is possible to send bitcoin payments from within the Telegram client, so attackers can collect bitcoin payments without leaving the app. Despite these risks, it is important to remember that Telegram is not inherently bad and is used for legitimate purposes as well. It is a popular platform for collaboration and communication among individuals and businesses, and a useful tool for maintaining relationships.

Nation-state-aligned hacktivism

Nation-state-aligned hacktivist channels make up the final group of channels that matter to cybersecurity teams. Particularly since the start of the war in Ukraine, channels run by groups such as Bloodnet, Killnet, Noname47, and Anonymous Sudan have grown explosively in popularity. These channels announce predetermined targets, often critical infrastructure in NATO countries, and then attempt to deface websites, DDoS essential services, and leak company data.

Because of Telegram's perceived privacy and anonymity, its resilience to censorship, and its usefulness for spreading propaganda and disinformation, threat actors are increasingly choosing it as their preferred platform, which is concerning. Authorities and individuals must be aware of these threats and take action to protect themselves and others.

Ferrari Refutes Ransomware Attack Following RansomEXX’s Online Claims


Italian carmaker Ferrari S.p.A. may have become the latest victim of a ransomware attack. According to a Reuters report, internal documents belonging to the brand were published on a dark web leak site run by the ransomware group RansomEXX.

However, the car manufacturer denied the claim, stating that there was no evidence of a ransomware attack or of a breach of the company's systems. The company said it is investigating the leak of the internal documents and that appropriate action will be taken as needed, adding that there has been no disruption to its business and operations.

On Monday this week, the newspaper Corriere Della Sera, citing the Italian website Red Hot Cyber, reported that the luxury car maker had been the victim of a ransomware attack.

According to Red Hot Cyber, the RansomEXX group claimed on its Tor leak site that it had breached Ferrari and stolen 6.99 GB of data, including not only internal documents but also datasheets, repair manuals, and similar material. The source of the documents remains unclear.

In December 2021, the ransomware gang Everest indirectly hit Ferrari when it attacked the Italian manufacturing firm Speroni. On that occasion the attackers siphoned 900 GB of data containing sensitive details about the firm's partners, including Ferrari, Lamborghini, the Fiat Group, and other Italian car manufacturers.

According to Cybernews, attackers also targeted Ferrari's entry into the NFT market earlier this year, taking control of a Ferrari subdomain and using it to host an NFT scam almost immediately after Ferrari announced it would mint tokens based on its cars.

RansomEXX has been operating since 2018 and rebranded under its current name in June 2020. The gang's operations have grown more capable and it now targets high-profile firms.

High-profile organizations hit by RansomEXX in the past include the Texas Department of Transportation (TxDOT), Konica Minolta, Brazilian government networks, IPG Photonics, and Tyler Technologies. RansomEXX also maintains a Linux variant of its encryptor so that it can reach Linux servers as well as Windows hosts and encrypt all of a firm's critical servers and data.

Night Sky: New Ransomware Targeting Corporate Networks


The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The operators have since published the data of two victims.

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware runs, it encrypts all files except those with the .dll or .exe extension. It also skips the following folders and files:
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the .nightsky extension to each file it encrypts. A ransom note named NightSkyReadMe.hta is dropped in every folder; it describes what was stolen, lists contact email addresses, and contains the hardcoded credentials for the victim's negotiation page.

Instead of communicating with victims through a Tor site, Night Sky uses email addresses and a clearnet website running Rocket.Chat. The credentials in the note are used to log in to the Rocket.Chat URL it specifies.
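For incident responders, the encryption rules above translate directly into two triage questions: which files on a host were candidates for encryption, and which files are Night Sky artefacts (.nightsky files and ransom notes). The following Python is an added example that reproduces the exclusion rules as the post describes them; it is not the ransomware's code, and the path-matching details (case-insensitive comparison per path component, a matching folder name excluding its whole subtree) and the sample file listing are assumptions made for the illustration.

```python
"""Night Sky triage helpers (added example, not the ransomware's own code).

Encodes the encryption exclusions the post describes (skip .dll/.exe, skip the
listed folders and files) so a responder can (a) predict which paths on a host
were candidates for encryption and (b) sweep a file listing for .nightsky
files and NightSkyReadMe.hta notes. Matching is an assumption: names are
compared case-insensitively per path component, and a listed folder name
anywhere in the path excludes the whole subtree.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Extensions Night Sky leaves alone, per the post.
SKIPPED_EXTENSIONS = {".dll", ".exe"}

# Folder names the post lists as excluded; compared against every directory
# component of the path (subtree exclusion is an assumption).
SKIPPED_DIRS = {
    "appdata", "boot", "windows", "windows.old", "tor browser",
    "internet explorer", "google", "opera", "opera software", "mozilla",
    "mozilla firefox", "$recycle.bin", "programdata", "all users",
    "program files", "program files (x86)", "#recycle",
}

# File names the post lists as excluded; compared against the final component.
SKIPPED_FILES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
    "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db",
}

ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "NightSkyReadMe.hta"


def would_encrypt(path: str) -> bool:
    """Return True if the described rules would let Night Sky encrypt this file."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    if p.name.lower() in SKIPPED_FILES:
        return False
    # Check every directory component (the drive root never matches the set).
    for part in p.parts[:-1]:
        if part.lower() in SKIPPED_DIRS:
            return False
    return True


def find_indicators(paths: list[str]) -> dict[str, list[str]]:
    """Sweep a file listing for Night Sky artefacts: encrypted files and ransom notes."""
    hits: dict[str, list[str]] = {"encrypted": [], "notes": []}
    for path in paths:
        p = PureWindowsPath(path)
        if p.suffix.lower() == ENCRYPTED_EXT:
            hits["encrypted"].append(path)
        elif p.name.lower() == RANSOM_NOTE.lower():
            hits["notes"].append(path)
    return hits


def original_name(path: str) -> str:
    """Strip the .nightsky extension to recover the pre-encryption file name."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ENCRYPTED_EXT:
        raise ValueError(f"not a Night Sky encrypted file: {path}")
    return str(p.with_suffix(""))


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Summarise a listing: paths that were at risk, plus any Night Sky artefacts found."""
    indicators = find_indicators(paths)
    artefacts = set(indicators["encrypted"]) | set(indicators["notes"])
    at_risk = [p for p in paths if p not in artefacts and would_encrypt(p)]
    return {"at_risk": at_risk, **indicators}


# Constructed sample listing for the demonstration; not from a real incident.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\q4-forecast.xlsx",
    r"C:\Users\alice\AppData\Roaming\Mozilla\profile.ini",
    r"C:\Program Files (x86)\Vendor\tool.exe",
    r"C:\Users\alice\desktop.ini",
    r"D:\shares\finance\ledger.accdb",
    r"D:\shares\finance\ledger.accdb.nightsky",
    r"D:\shares\finance\NightSkyReadMe.hta",
]


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LISTING), indent=2))
```

Feed `triage()` a file listing exported from the affected host (for example from a forensic image or an EDR file inventory) to separate the paths that were never at risk from those that should be checked for encryption, and use `original_name()` when building the restore list from backups.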

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky has set up a Tor data leak site to publish victims' data; it currently lists two victims, one in Bangladesh and the other in Japan. While the new Night Sky operation has not been very active so far, it is one to keep an eye on as we enter the new year.