Unveiling LockBit: Cybercrime Gang Targeting Global Titans in Hacking Spree


Ransomware, a form of malicious software, has a history spanning over three decades. However, it only gained regular attention in popular media over the last ten years.

This type of malware locks access to computer systems or encrypts files until a ransom is paid. Cybercriminal groups now view ransomware as a lucrative scheme, especially with the emergence of "ransomware as a service," which enables various groups to profit from successful ransom demands through affiliate schemes.

One prominent group, LockBit, has garnered attention by showcasing high-profile victims on its website. LockBit refers to both the malware and the group behind it, complicating its identification.

LockBit emerged in 2019 as a stealthy malware aimed at infiltrating organizations, locating valuable data, and encrypting it. Unlike mere data theft, LockBit encrypts data and holds it hostage until a ransom is paid, often resorting to threats of data publication (known as double extortion) if the payment deadline isn't met.

The LockBit group remains largely enigmatic, claiming no specific political allegiance and welcoming an unlimited number of affiliates worldwide solely interested in financial gain. However, they enforce rules prohibiting attacks on certain targets, including critical infrastructure like hospitals and specific post-Soviet countries.

Despite these rules, instances like a Canadian hospital falling victim to LockBit indicate the potential breach of these restrictions by rogue users. Interestingly, LockBit justifies avoiding specific countries due to the high number of members originating from the former Soviet Union, despite the group's current location in the Netherlands.

LockBit's victims range from the United Kingdom's Royal Mail and Ministry of Defence to the Japanese company Shimano and the aerospace giant Boeing, whose data was leaked after it refused to pay the ransom. LockBit has also allegedly claimed responsibility for the recent ransomware incident involving the Industrial and Commercial Bank of China, and the group has been linked to nearly 2,000 victims in the United States alone.

Ransomware as a service (RaaS) has surged in popularity, mirroring legitimate software services like Microsoft 365, providing cybercriminals with tools to conduct ransomware campaigns efficiently and profitably. These services handle every aspect of the criminal process, enticing new affiliates with a 20% commission and requiring a hefty deposit in Bitcoin.

Preventing ransomware attacks involves robust cybersecurity measures such as system updates, password management, network monitoring, and prompt responses to suspicious activities. The decision to pay a ransom remains subjective for organizations, but bolstering cybersecurity measures can deter criminal groups from targeting easier victims.

Interpol Operation: 14 Arrested, Allegedly Involved in Scamming Victims of $40 Million


Another Interpol operation detained 14 suspects and identified 20,674 suspected networks across 25 African nations, which international law enforcement has connected to more than $40 million in losses from cybercrime.

Operation Africa Cyber Surge II

The police operation, a combined effort of Interpol, African law enforcement and private-sector security firms, commenced in April and lasted four months. It was conducted to crack down on cybercrime such as phishing, business email compromise (BEC) and other online scams.

The international agency said that the operation was conducted with the help and on-the-ground operational support of several partners, including Group-IB, Interpol and Uppsala Security. Their efforts led to three arrests in Cameroon related to an online scam involving the fake sale of artwork valued at $850,000.

Group-IB, which has previously collaborated with Interpol on operations, gathered and shared more than 1,000 indicators from its threat intelligence.

"Collaboration and intelligence sharing should be at the heart of cybersecurity operations, and Group-IB stands ready to make a further contribution to this end, in line with our core strategic mission of fighting against cybercrime in all its forms," Group-IB CEO Dmitry Volkov stated on Friday.

Information gathered by Group-IB and other private partners such as Trend Micro, Kaspersky, and Coinbase helped produce some 150 Interpol analytical reports containing 'intel on cyber threats' from different countries.

Details in the report included:

  • 3,786 malicious command and control servers
  • 14,134 victim IPs linked to data stealer cases
  • 1,415 phishing links and domains 
  • 939 scam IPs 
  • More than 400 other malicious URLs, IPs and botnets. 

The first phase of the operation was carried out between July 2022 and November 2022 and resulted in a number of investigations followed by operations against threat actors in the region. 

The most recent arrests come after months of similar cybercrime activities across Africa as international law enforcement works to dismantle cybercrime networks that operate out of various African nations.

Over 100 people were detained last week, according to Interpol, throughout the EU and Africa. Police also recovered assets worth more than €2.15 million ($2.4 million) that belonged to the Black Axe organized crime and cybercrime group.

In July 2023, police in Côte d'Ivoire confirmed the arrest of a suspect described as a 'key figure' of the OPER1ER cybercrime group, which is accused of defrauding banks and financial firms across 15 countries.

Interpol said in a statement that the cybercrime group has defrauded firms of between $11 million and $30 million, with targets spread across Africa, Asia and Latin America.

Operation Jackal: INTERPOL Shuts Down African Cybercrime Gang


A recent INTERPOL operation against a West African cybercrime organization led to several bank accounts being frozen, suspects being detained and a series of financial investigations being opened worldwide.

Operation Jackal, conducted between May 15 and 29, apparently mobilized police forces, financial crime units and cybercrime agencies across 21 countries in order to launch a targeted strike on Black Axe and related West African organized criminal gangs.

As of now, more than 200 illicit bank accounts linked to online financial crime have been blocked, and several associated suspects have been arrested; their cybercrime networks pose a severe threat to international security.

“Organized crime is mostly driven by financial gain and INTERPOL is committed to working with our member countries to deprive these groups of their ill-gotten assets. This successful operation involving so many countries clearly shows what can be achieved through international cooperation, and will serve as a blueprint for concerted police action against financial crime in the future,” says Isaac Kehinde Oginni, Director of INTERPOL’s Financial Crime and Anti-Corruption Centre (IFCACC). “It also sends a strong message to West African crime networks that no matter where they hide in cyberspace, INTERPOL will pursue them relentlessly. The illegal activities of Black Axe and similar crime syndicates will remain a priority for INTERPOL.”

In Portugal alone, four such investigations led to the combined seizure and recovery of around EUR 1.4 million.

A total of 34 suspects have been arrested in the Irish phase of the operation. Amongst these arrests, 12 were detained for investigative purposes and 22 on suspicion of money laundering and gangland-style offences. 

According to Deputy Head of the National Central Bureau of Dublin, Tony Kelly, “It became apparent early in the investigation that international cooperation and the use of INTERPOL’s analytical and coordination capabilities was essential to the investigation, and remains a pivotal element to the success to date and the ongoing investigation into this group.”

More such investigations are under way across the world as law enforcement and intelligence agencies step up their efforts against these groups.

Black Axe and other West African organized cybercrime syndicates are well-known gangs associated with cyber-enabled offences such as financial fraud, mostly carried out by compromising company email systems, as well as romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams and money laundering.

Shell Confirms MOVEit-based Hack After the Threat Group Leaks Data


The Cl0p ransomware gang has exploited a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, acquiring data from at least 130 companies that had been using the solution. At least 15 million people are thought to have been affected so far.

Cl0p, the Russia-based cybercrime gang, has now started to expose the victim organizations that refused to negotiate over its demands. The victims’ names are being published on its leak website, with Shell being the first company to be revealed.

Following the leak, Shell confirmed being affected by the MOVEit attack. In a statement published on Wednesday, the company clarified that the MFT software was “used by a small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” it added.

Shell confirmed the incident only after the Cl0p hacking gang disclosed files allegedly taken from the company. The fact that the group made 23 archive files with the label "part1" public may indicate that they have access to more information.

Following this disclosure, the ransomware gang added that it published the files because the company refused to negotiate.

However, it is not yet clear exactly what information was compromised, although the firm confirmed that it has notified the affected individuals.

Moreover, toll-free phone numbers have been made available to employees in Malaysia, South Africa, Singapore, the Philippines, the UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, which suggests that the affected individuals are most likely located in these countries.

Since no file-encrypting software was used in the attack, Shell noted that "this was not a ransomware event" and that there is no proof that any other IT systems were impacted.

It is worth mentioning that this was not the first time Shell has been targeted by the Cl0p group: in 2020 the threat actors attacked the company’s Accellion file transfer service. The company noted that during that incident the hackers stole personal and corporate data.

Other notable companies targeted through the latest MOVEit exploit include Siemens Energy, Schneider Electric, UCLA, and EY.

Some government organizations have also confirmed that they were impacted by the hack, while the ransomware group claims to have deleted all the data acquired from such entities.

Delhi Police, FBI & Interpol in a Joint Operation Expose a Cybercrime Syndicate, Arrested Four


In a joint operation, Delhi Police, the Federal Bureau of Investigation (FBI), and Interpol have exposed an international syndicate involved in cybercrime, arresting four individuals involved in the cybercrime gang.

The four members, including the kingpin, were detained for allegedly defrauding US nationals of $20 million.

According to a statement provided by a Delhi Police official, the information regarding the cybercrimes was received by their Intelligence Fusion & Strategic Operations (IFSO) unit – which deals with complex cybercrime cases – from the FBI and Interpol. The agencies indicated that “some international cybercriminals, in conspiracy with each other and with the aid and assistance of co-conspirators based in India, the US and Uganda, were running call centers by posing as employees of the US Internal Revenue Service, Social Security Administration, Drug Enforcement Administration, and other US agencies,” said H.G.S. Dhaliwal, Special Commissioner Police (Delhi Police Special Cell).

“We received information that one accused, Parth Armarkar, impersonated a specific living person by the name of Uttam Dhillon. During his career, the real Uttam Dhillon served as the Acting Administrator of the US Drug Enforcement Administration and as the Director of INTERPOL Washington. Armarkar defrauded victims of millions of USD through call centers operating in Uganda, Africa. He is an Indian national and occasionally visits India,” Dhaliwal said.

The accused, Armarkar, allegedly defrauded victims of around $6 million via phony call centers in Uganda. Technical inputs provided by the FBI later helped Delhi Police arrest him in Ahmedabad, India, apparently the place from which he was operating a segment of the syndicate.

Given the severity of the situation, the Delhi Police established several teams from IFSO and the Counter Intelligence/Special Cell to investigate the case.

Armarkar’s arrest was followed by the Delhi police tracking down the alleged leader of the syndicate, Vatsal Mehta. Further investigation led to the arrest of two more accused, Deepak Arora and Prashant Kumar. According to the police, the accused were on the FBI radar for a very long time.

As part of the coordinated action, the FBI has interviewed over 50 victims so far and collected evidence of fraud amounting to more than 20 million USD, which will be produced in court as per procedure. “Two victims from the US have also been examined through video calling by IFSO (Intelligence Fusion & Strategic Operations),” the officials noted.

The First Information Report (FIR) was lodged against the four accused under sections 419 (cheating by impersonation), 420 (cheating), 384 (extortion), 120B (criminal conspiracy) and 34 (acts done by several persons in furtherance of common intention) of the Indian Penal Code, and sections 66C (identity theft) and 66D (impersonation) of the IT Act.

Cybercriminals Target Facebook Users with Malicious 'Look Who Died' Messages

'Look Who Died' Facebook Scam

In recent times, Facebook scams and fraud have been on the rise, with scammers finding new ways to exploit the platform for their malicious activities. The latest attention-grabbing scam to hit Facebook is the "Look who died" scam, which targets users seeking information about the death of a friend or celebrity. This article will delve into the details of the scam and provide expert advice on how to protect yourself from falling victim.

The 'Look Who Died' Scam: A Threat to Personal Data Security

The 'Look who died' scam operates by sending Facebook users messages with enticing subject lines like "Look who died." Curiosity prompts users to click on the link, expecting to find news about the mentioned death. However, instead of being redirected to a legitimate news article, users unknowingly download malware onto their computers or devices.

The Exploitative Tactics of Scammers on Facebook

As more people join Facebook and engage with its features, scammers are finding new ways to deceive and defraud users. Carey van Vlaanderen, a digital security expert and CEO of ESET Southern Africa, highlights the use of impersonation, fake promotions, and malware spread as some of the tactics scammers employ. Unfortunately, falling victim to these scams can result in financial loss and identity theft.

Identifying and Protecting Yourself from Facebook Scams

Van Vlaanderen emphasizes the need for caution and vigilance when using Facebook. She advises users to be wary of unusual requests or sensitive information being asked for, as these could be warning signs of a potential scam. To verify the authenticity of a message from a Facebook friend, Van Vlaanderen suggests checking for any sudden profile changes or strange posts that may indicate a compromised account.

The Wider Impact of Cybercrime and the Need for Protection

The rise in cybercrime is not limited to Facebook scams but extends to various forms of online attacks. According to experts from the Council for Scientific and Industrial Research (CSIR), cyber-attacks cost the country billions of rands annually. The digitalization era has seen an increase in cybercrime, posing risks to government institutions, large corporations, and small and medium-sized businesses. Financial and data loss, identity theft, and cyber extortion are significant concerns for individuals and organizations alike.

Urgent Action Required: Protecting Against Cybersecurity Breaches

Recent cybersecurity breaches, such as the one that affected the provincial legislature, highlight the urgency of addressing cyber threats. The lack of transparency surrounding such attacks and their implications raises concerns about preparedness and response strategies. ANC chief whip Pat Lekker has called for a debate on the cyberattack, emphasizing the need for open dialogue and effective measures to combat cybercrime.

Shifting Privacy Paradigm and Building Trust

Erhard Brand, a research and development lead at IT authentication company Entersekt, points out that digital privacy concerns are changing how companies handle personal and biometric data. Empowering individuals with control over their privacy fosters an environment of trust. As technology advances, it becomes crucial for companies to prioritize data security and privacy protection.

The 'Look who died' scam on Facebook serves as a reminder of the ever-present threat of online scams and fraud. To protect yourself from falling victim to such scams, exercise caution, be vigilant for warning signs, and adopt best practices for online security. As the cybercrime landscape evolves, individuals, businesses, and governments must work together to combat cyber threats, ensuring a safer digital environment for all.

Dragos Hacked: Cybersecurity Firm Reveals “Cybersecurity Event”, Extortion Attempt


Industrial cybersecurity company Dragos recently revealed a “cybersecurity event” in which a notorious cybercrime gang attempted to breach Dragos' defenses and access the internal network in order to encrypt devices.

The firm disclosed the incident on its blog on May 10, stating that it took place on May 8, when hackers gained access to SharePoint and the Dragos contract management system by compromising a new sales employee's personal email address before the employee's start date. The hackers then impersonated the employee, using the stolen personal information, to complete the first steps of Dragos' employee-onboarding procedure.

After infiltrating Dragos’ SharePoint cloud platform, the hackers downloaded “general use data” and accessed 25 intel reports that are normally made available only to customers.

“Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure[…]No Dragos systems were breached, including anything related to the Dragos Platform,” the company noted. 

Thanks to role-based access control (RBAC) rules, the threat actors were unable to reach several Dragos systems during the 16 hours they had access to the employee's account, including its messaging, IT helpdesk, finance, request for proposal (RFP), employee recognition, and marketing systems.

Eleven hours into the attack, after failing to break into the company's internal network, they sent an email of extortion to Dragos executives. Because the message was sent after business hours, it was read five hours later.

Within five minutes of reading the extortion message, Dragos disabled the compromised user account, terminated all open sessions, and blocked the hackers' infrastructure from accessing company resources.

The cybercriminal group also attempted to pressure the firm by threatening to make the issue public, sending emails to CEOs, senior employees, and family members of Dragos staff whose contact details are publicly available.

One of the IP addresses specified in the IOCs is 144.202.42[.]216, earlier discovered hosting SystemBC malware and Cobalt Strike, both frequently used by ransomware gangs for remote access to compromised systems.

"While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," Dragos said.