Search This Blog

Showing posts with label Dark Web. Show all posts

CloudSEK Blames Another Cybersecurity Company for the Hack

 

An Indian cybersecurity company claimed that another cybersecurity company had accessed its internal training website using a credential from a compromised collaboration platform. 

The CEO of Bengaluru-based CloudSEK, Rahul Sasi, declined to name the alleged offender other than to describe it as a "notorious Cyber Security organization that is into Dark web monitoring." 

An update to an ongoing cybersecurity incident was posted late Tuesday night by CloudSEK, which claims to use artificial intelligence to predict cyber threats. It stated that someone had obtained an employee's login information for the company's Atlassian Jira issue-tracking platform and used it to access the Atlassian Confluence server. 

Although "no database or server access was stolen," Sasi noted, the attacker grabbed "certain internal details including screenshots, issue reports, names of clients, and schema Diagrams." About two hours later, Sasi filed an update stating that attack indicators had pointed to the unnamed dark web monitoring firm. 

Sasi also reported that a hacker going by the handle "sedut" joined several forums for cybercriminals and refuted claims that they had gained access to the company's VPN, primary database, and Twitter account. CloudSEK acknowledges that a hacker did gain access to its Jira instance and retrieve some customer purchase orders. 

The company claims the hacker compromised a takedown account but was unable to reach the company's primary Twitter account. It continues that the allegedly authentic screenshots and video of the database that "sedut" released online was really stolen from training webpages that were published on Atlassian servers. The business claims that while the hacker did not obtain VPN login credentials, they did access its VPN IP addresses. 

Concerning how the employee's Jira credentials were hacked in the first place, the business claims that it shipped a broken staff laptop to a third-party vendor, who then returned it with the Vidar Stealer pre-installed. According to CloudSEK, the information thief operator published the employee's session cookies to a black market on the same day that the attacker bought them. 

An advertisement for supposed CloudSEK data has been posted in a criminal forum by a "sedut": $10,000 for the database, $8,000 for the code base, and $8,000 for employee and engineering product documentation. No "suspicious behavior" has been discovered, according to CloudSEK, in its code repositories.

Cybercrimes are More Interconnected and are Likely to be More Prevalent


According to two senior representatives from the cyber-security company, Palo Alto Networks, cybercrime and online scams are anticipated to be more prevalent than in previous years. 

Among various cyber threats, business e-mail compromise (BEC) and ransomware attacks continue to be on the top of the global watch list. 

As per Ms. Wendi Whitmore, Palo Alto Network’s Unit 42 senior vice-president, BEC scams, targets both corporations and individuals making genuine transfer-of-funds requests. It makes BEC the most common and costly threat to organizations worldwide. 

“We see (criminal) organizations where you’ve got a member in Nigeria that’s closely communicating (on the Dark Web) with someone in Eastern Europe, and maybe communicating closely with someone in Asia […] I think that as the economy continues to have more challenges, we’re going to see even more of that level of interconnectivity,” says Ms. Whitmore. 

On the FBI Internet Crime Complaint Centre report 2021, BEC continues to hold the apex position, for the sixth year. 

Does Dark Web Harbor Cybercrime? 

Mr. Vicky Ray, a principal researcher at Unit 42 who studies data and telemetry used in such global cyberattacks, believes that the Dark Web has become a breeding ground for cybercrime. 

On the Internet or the ‘Surface web,’ which is readily accessed by the general public, one can look for a variety of information or participate in forums. On the other hand, in order to access Dark Web, one needs a certain browser and a known URL. Some Dark Web forums demand that new members have a known party vouch for them. 

According to Palo Alto, the growth of Darknet markets in Asia has given cybercriminals more flexibility, since the platform's anonymity makes it less likely that they will ever be tracked. 

“It’s hard, but at the end of the day, it is our job to connect these dots together to really answer... the hard question of who may be behind it (a cyberattack) or what the motivation is.” Mr. Ray told The Straits Times. 

No matter if the attack is a ransomware attack or a data breach, cyber criminals are in an ecosystem where “everyone supports each other and collaboration is everywhere”, he continues, showing a screengrab of a malware developer apparently receiving feedback on a Dark Web forum. 

“What has changed in the past three years has been the tactics of ransomware as a service […] These gangs who were actually creating and using the ransomware to target victims, or potential victims back in the day, what they have realized is, if they provide that to other criminals, who are called affiliates, they can be more profitable,” he adds. 

Cybercrime on Dark Web

Criminals on the Dark Web co-operate in an operation in a variety of ways, from "consultants" who offer professional guidance to affiliates who buy malware from developers. 

However, there also lies a similar collaboration between law enforcement and business parties, like Palo Alto, which shares its criminal research with Interpol. 

In one such case, for instance, in 2021, the Nigerian Police Force detained 11 members of certain cybercrime gangs, who are assumed to be part of a threat group ‘SilverTerrier’ recognized for their BEC scams, said Interpol on its website. 

During Operation Falcon II, which ran from December 13 to December 22, 2021, investigators analyzed data from the network's BEC scams, which were allegedly linked to 50,000 individuals. One suspect had more than 800,000 potential victim domain credentials on his laptop, while no monetary amount was disclosed. 

In regards to this, Interpol said, “Through Interpol’s Gateway initiative, Palo Alto Networks’ Unit 42 and Group-IB (a cyber-security firm) have contributed to investigations by sharing information on ‘SilverTerrier’ threat actors, and analyzing data to situate the group’s structure within the broader organized crime syndicate. They also provided key technical expertise consultancy to support the Interpol teams.” 

The Gateway Initiatives aid law enforcement agencies and corresponding private companies to communicate information in a secure and quicker manner, in order to mitigate and disrupt cybercrime.

“We really see the significance of these (partnerships)... So you will see a lot of the law enforcement now openly talking to us and collaborating,” adds Mr. Ray  

Deutsche Bank Denied Despite Data Sold on Telegram

The hacking gang that breached Medibank's systems may also be the hackers who are providing access info to Deutsche Bank's systems on the darknet. As a result, there has been a significant attack on Deutsche Bank. 

Malicious actors (0x dump) are allegedly selling internet access to the network of the large international investment bank Deutsche Bank after claiming to have hacked it. The bank's internal networks appeared to be available for sale on Telegram by an initial access broker, but Deutsche Bank has denied that its systems have been compromised (IAB). 


Data Breach Incident

Hackers said, "We are offering further network access of a specific bank, We have DA (direct access), the domain contains about 21 k workstations set primarily with Windows."

The notice was placed next to an image of the Frankfurt headquarters of Deutsche Bank with the Deutsche Bank emblem overlaid on it. 

One of several experts to disclose the revelation made by the initial access broker on Telegram was the security researcher Dominic Alvieri. 

The IAB asserts access to some 21000 Windows-based machines on the bank's network. It further states that a Symantec EDR solution with 16 terabytes of data was used to defend the hacked devices.

Access to 7.5 Bitcoin from the Deutsche Bank, valued at about $156,274, is being made available by the IAB. 

According to ransomware researcher Dominic Alvieri, Ox dump is the same broker who provided access to Medibank's systems, the Australian health insurance company that had 9.7 million client and employee details stolen last month.

Personal information exposed in the data breach includes names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for clients, and occasionally passport numbers for our overseas students. It also includes some information about health benefits.

According to Lawrence Abrams of Bleeping Computer, it is not the same hackers who took the data from Medibank, rather, it is a suspected initial access broker. However, it might be the same individual who provided the ransomware gang with access to the network.

German Police Arrests Student Operator of Dark Web, Likely to Face 10 Years


Student operating biggest dark web forum arrested

A 22-year-old student, that German federal police suspect to be the leader of one of the biggest German-speaking, dark-web forums has been captured.

The accused, whose identity has not yet been disclosed, is charged with operating a criminal trading platform and will face up to 10 years in prison if found guilty. 

He was caught in October when officers and federal cops from the Central Office for Cybercrime Bavaria (ZCB) inspected two homes and seized systems, smartphones, and other evidence. 

Dark web responsible for shooting rampage at Munich Mall

As per German law enforcement, the student is from Lower Bavaria, and who worked as an operator of the third variant of Deutschland "im Deep Web" since November 2018. 

The initial version's tor website surfaced on the criminal underground landscape in 2013. After three years, an 18-year-old bought a gun and 300 rounds of ammo via the illegal marketplace before killing at least 9 people in a shooting frenzy at a Munich mall. 

Police closed the operation, however, new versions appeared

German police closed down Deutschland im Deep Web in 2017 after the murderous rampage, and also captured the operator during the time, who was convicted to seven years in prison in 2018. 

After that, however, two new variants of the marketplace surfaced, selling weapons, illegal goods, and weapons, under the motto "No control, everything allowed." 

The police closed down the latest version of the dark-web souk in March 2022. During the time, it had nearly 16,000 registered users and 72 active traders, as per law enforcement. 

The site currently shows a banner that says: "The platform and the criminal content have been seized by the Federal Criminal Police Office and the Bavarian Central Office for the Prosecution of Cybercrime."


Deutschland Arrest, joint effort by federal agencies

The Deutschland im Deep Web arrest comes after another dark web shut down earlier this year through a joint effort by German federal police and US law enforcement agencies. 

In April, the two countries slayed Hydra, the longest-operating known dark-web marketplace trafficking in illicit drugs and money-laundering services. 

First, German police captured Hydra servers and cryptocurrency wallets having $25 million in Bitcoins, therefore closing down the online souk. 


Charges pressed, dark web sanctioned


Also, the US Justice Department declared criminal charges against one of the suspected Hydra leaders and system admins, 30-year-old Dmitry Olegovich Pavlov from Russia, and the US treasury Department sanctioned the dark-web atrocities. 

The U.S. Department of the Treasury in its press release said:

"Russia is a haven for cybercriminals. Today’s action against Hydra and Garantex builds upon recent sanctions against virtual currency exchanges SUEX and CHATEX, both of which, like Garantex, operated out of Federation Tower in Moscow, Russia. Treasury is committed to taking action against actors that, like Hydra and Garantex, willfully disregard anti-money laundering and countering the financing of terrorism"

Dark Web Threats: How Can They Be Combated?





The Dark Web is often considered one of the most dangerous sources of brand reputational threats. Another very significant source of threats is the so-called shadowy websites. To keep themselves safe from cybercrime, organizations need to be able to monitor this ecosystem.

In the past, reputational missteps resulted from one of the primary causes of reputational damage: poor judgment and malfeasance. It has done great damage, both from an economic and ethical point of view. It is estimated that Volkswagen's quarterly operating profit dropped by almost 450 million euros six months after the diesel emissions scandal broke.  

Several dozen fake accounts were exposed at Wells Fargo and the bank was fined $185 million. There have also been instances when digital problems have been as powerful as traditional ones. In 2013 the infamous Target data breach turned out to be a $162 million loss for the company, as a result of the breach that occurred.  

Big enterprises create several systems to guard themselves against attacks that can cause disasters, in 2016 the estimated number of systems was 75.

The CEO of the security platform mentioned that scanning the web supports business and help them to safeguard from cyberattacks or find exfiltrated data previously.

A cyber-attacker who is planning to attack your company may seek advice from a third party or try to obtain resources, such as a botnet, on the Internet to deliver malicious payloads to your computer. Essentially, if you know where to look for them, you can find information that might alert you to an upcoming attack, so you need not worry about not being able to find it.

If a set of credentials is in the wrong hands, it only takes one set of credentials for your company to suffer a major blow in terms of its reputation. Detecting stolen credentials is not difficult - they are in the market for sale, so you can scan them for free! 

VIPs and corporate executives are of particular interest to hackers because they contain personal information about them. The information can be used to build convincing spearfishing attacks to gain access to sensitive information or intellectual property by using convincing spearfishing attacks. It is possible for some information, such as travel plans, to even put these individuals in a dangerous situation.

On a positive note, it is also good news that vulnerabilities about malware are one of the main topics of discussion on the dark web. With the proper threat intelligence, you can learn whether you are susceptible to potential cyber threats and if so, what you need to do to protect yourself. Thus, if you prepare in advance, you will be in a better position to deal with surprises in the future.

Hackers Deploy Agent Tesla Malware via Quantum Builder

A campaign promoting the long-standing.NET keylogger and remote access trojan (RAT) known as Agent Tesla uses a program that is available on the dark web that enables attackers to create harmful shortcuts for distributing malware. 

In the campaign that the experts observed, malicious hackers were using the developer to generate malicious LNK, HTA, and PowerShell payloads used to produce Agent Tesla on the targeted servers. The Quantum Builder also enables the creation of malicious HTA, ISO, and PowerShell payloads which are used to drop the next-stage malware. 

When compared to previous attacks, experts have found that this campaign has improved and shifted toward LNK, and Windows shortcut files. 

A spear-phishing email with a GZIP archive is swapped out for a ZIP file in a second round of the infection sequence, which also uses other obfuscation techniques to mask the harmful behavior. 

The shortcut to run PowerShell code that launches a remote HTML application (HTA) using MSHTA is the first step in the multi-stage attack chain. In turn, the HTA file decrypts and runs a different PowerShell loader script, which serves as a downloader for the Agent Tesla malware and runs it with administrative rights. 

Quantum Builder, which can be bought on the dark web for €189 a month, has recently witnessed an increase in its use, with threat actors utilizing it to disseminate various malware, including RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT. 

Malicious hackers often change their tactics and use spyware creators bought and sold on the black market for crimes. This Agent Tesla effort is the most recent in a series of assaults in which harmful payloads were created using Quantum Builder in cyber campaigns against numerous companies. 

It features advanced evasion strategies, and the developers frequently upgrade these techniques. To keep its clients safe, the Zscaler ThreatLabz team would continue to track these cyberattacks. 

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the.NET platform, that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been in the public since 2014 and is promoted for sale on dark web forums. 

In a recent attack, OriginLogger, a malware that was hailed as the replacement for the well-known data theft and remote access trojan (RAT) noted as Agent Tesla, had its functioning dissected by Palo Alto Networks Unit 42.



30 Million Data Theft Hacktivists Detained in Ukraine

The Security Service of Ukraine's (SSU) cyber division has eliminated a group of hackers responsible for the data theft or roughly 30 million people. 

According to SSU, its cyber branch has dismantled a group of hacktivists who stole 30 million accounts and sold the data on the dark web. According to the department, the hacker organization sold these accounts for about UAH 14 million ($375,000). 

As stated by the SSU, the hackers sold data packs that pro-Kremlin propagandists bought in bulk and then utilized the accounts to distribute false information on social media, generate panic, and destabilize Ukraine and other nations. 

YuMoney, Qiwi, and WebMoney, which are not permitted in Ukraine, were used by the group to receive funds.The police discovered and seized many hard drives containing stolen personal data, alongside desktops, SIM cards, mobile phones, and flash drives, during the raids on the attackers' homes in Lviv, Ukraine. 

By infecting systems with malware, fraudsters were able to gather sensitive data and login passwords. They targeted systems in the European Union and Ukraine. According to Part 1 of Article 361-2 of the Ukrainian Criminal Code, unauthorized selling of material with restricted access, the group's organizer has been put under investigation.

The number of people detained is still unknown, but they are all charged criminally with selling or disseminating restricted-access material stored in computers and networks without authorization. There are lengthy prison terms associated with these offenses.

The gang's primary clients were pro-Kremlin propagandists who utilized the stolen accounts in their destabilizing misinformation efforts in Ukraine and other nations.

The SSU took down five bot farms that spread misinformation around the nation in March and employed 100,000 fictitious social media profiles. A huge bot farm with one million bots was found and destroyed by Ukrainian authorities in August.

The SSU discovered two further botnets in September that were using 7,000 accounts to propagate false information on social media.

Malware producers are frequently easier to recognize, but by using accounts belonging to real people, the likelihood that the operation would be discovered is greatly reduced due to the history of the posts and the natural activity.






Ukraine Neutralizes Pro-Russian Hacking Group for Selling Data of 30 million Accounts

 

The cyber department of Ukraine‘s Security Service (SSU) has dismantled a hacking group acting on behalf of Russian interests operating from Lviv, the largest city in western Ukraine. 

The malicious group sold 30 million accounts belonging to residents from Ukraine and the European Union on the dark web accumulating a profit of $372,000 via banned electronic payment systems YuMoney, Qiwi, and WebMoney, in Ukraine. 

As per the SSU’s press release, the hackers were pro-Kremlin propagandists who primarily targeted Ukrainian citizens and people in Europe to exfiltrate the private details of unsuspecting users. 

The malicious actors exploited these accounts to spread chaos and panic in the region through disinformation campaigns and to encourage wide-scale destabilization in Ukraine through fake news.

“Their wholesale customers were pro-Kremlin propagandists. It was they who used the received identification data of Ukrainian and foreign citizens to spread fake news from the front and create panic. The goal of such manipulations was large-scale destabilization in countries,” the Security Service of Ukraine (SSU) stated. “It was also established that hacked accounts were allegedly used on behalf of ordinary people to spread disinformation about the socio-political situation in Ukraine and the EU.”

During the searches, the law enforcement agencies seized magnetic disks containing private data as well as computer equipment, mobile phones, SIM cards, and flash drives containing evidence of illegal activities from the searches carried out at the hackers’ homes. 

“Currently, the organizer has been notified of the suspicion under Part 1 of Art. 361-2 (unauthorized sale or distribution of information with limited access, which is stored in electronic computing machines (computers), automated systems, computer networks or on media of such information) of the Criminal Code of Ukraine,” SSU concluded. 

Ukrainian organizations facing the heat 

Multiple hackers from across the globe have tried to capitalize on the ongoing conflict between Russia and Ukraine to launch a barrage of cyberattacks. Earlier this year in June, the malicious actors targeted the Ukrainian streaming service Oll.tv and replaced the broadcast of a football match between Ukraine and Wales with Russian propaganda. 

One month later in July, the anonymous hacking group targeted Ukrainian radio operator TAVR Media to spread fake news that Ukrainian President Volodymyr Zelensky was hospitalized and in critical condition. 

The hackers broadcasted reports that the Ukrainian President was in an intensive care ward and that his duties were being temporarily performed by the Chairman of the Ukrainian parliament Ruslan Stefanchuk, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) stated.

Analysis on Agent Tesla's Successor

OriginLogger, a malware that has been hailed as the replacement for the well-known data theft and remote access trojan (RAT) noted as Agent Tesla, had its functioning dissected by Palo Alto Networks Unit 42

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the.NET platform, that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been in the public since 2014 and is promoted for sale on dark web forums. Typically, attackers send it as an attachment in harmful spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new versions of the common virus in February 2021, with the ability to steal login information from online browsers, email clients, and VPN clients as well as use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla version 3 is OriginLogger, which is alleged to have emerged to fill the gap left by the former after its operators shut down the business.

A YouTube video explaining its features served as the foundation for the cybersecurity company's study, which resulted in the detection of a malware sample "OriginLogger.exe" that was added to the VirusTotal malware archive on May 17, 2022.

The binary is a developer code that enables a purchased client to specify the kind of data to be acquired, including screenshots, the clipboard, and the list of services and programs from which the keys are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than any OriginLogger domains directly. Turning to this domain reveals that it has MX and TXT entries for mail. originlogger[.]com in the DNS.

Around March 7, 2022, the disputed domain started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which used 46. 

OrionLogger uses both Google Chrome and Microsoft Outlook, both of which were utilized by Unit 42 to locate a GitHub profile with the username 0xfd3 that had two source code repositories for obtaining credentials from those two applications.

Similar to Agent Tesla, OrionLogger is distributed via a fake Word file that, when viewed, is utilized to portray an image of a German passport, a credit card, and several Excel Worksheets that are embedded in it.

The files essentially include a VBA macro that uses MSHTA to call a remote server's HTML page, which contains obfuscated JavaScript code that allows it to access two encoded binaries stored on Bitbucket.

Advertisements from threat actors claim that the malware employs time-tested techniques and can keylog, steal credentials, and screenshots, download additional payloads, post your data in a variety of ways, and try to escape detection.

A corpus analysis of over 1,900 samples reveals that using 181 different bots and SMTP, FTP, web uploads to the OrionLogger panel, and Telegram are the most popular exfiltration methods for returning data to the attacker. The goal of this investigation was to automate and retrieve keylogger configuration-related information.





Esca RAT Spyware Actively Employed Cybercriminals

Escanor is a new RAT (Remote Administration Tool) that was promoted on the Dark Web and Telegram, as per Resecurity, a cybersecurity firm based in Los Angeles that protects Fortune 500 companies globally. 

The threat actors provide versions of the RAT for Android and PC, as well as an HVNC module and an exploit builder to turn Microsoft Office and Adobe PDF files into weapons for spreading malicious code. 

The tool was first publicly available for purchase on January 26th of this year as a small HVNC implant that allowed for the establishment of a stealthy remote connection to the victim's machine. Later, the kit evolved into a full-scale, commercial RAT with a robust feature set. 

Over 28,000 people have joined Escanor's Telegram channel, which has a solid reputation on the Dark Web. Previous 'cracked' releases by the actor going by the same name included Venom RAT, 888 RAT, and Pandora HVNC, which were probably utilized to enhance Escanor's capability further.

According to reports, cybercriminals actively employ the malware known as Esca RAT, a mobile variant of Escanor, to attack users of online banks by intercepting one-time password (OTP) credentials.

The warning states that the tool "may be used to gather the victim's GPS locations, watch keystrokes, turn on hidden cameras, and browse files on the distant mobile devices to steal data."

Escanor Exploit Builder has been used to deliver the vast majority of samples that have lately been discovered. Decoy documents that look like bills and notices from well-known internet providers are utilized by hackers.

Resecurity also advised that the website address 'escanor[.]live' has earlier been linked to Arid Viper, a group that was active in the Middle East in 2015.

APT C-23 is also known as Arid Viper. Espionage and information theft are this threat actor's primary goals, which have been attributed to malevolent actors with political motivations for the freedom of Palestine. Although Arid Viper is not a particularly technologically advanced actor, it is known to target desktop and mobile platforms, including Apple iOS. 

Their primary malware, Micropsia, is surrounded by Delphi packers and compilers in their toolset. This implant has also been converted to various platforms, including an Android version and versions built on Python.

The majority of Escanor patients have been located in the United States, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with a few infections also occurring in South-East Asia.




Private Details of 1 Billion Chinese Citizens up for Sale on Dark Web

 

In what could be the biggest-ever breach of personal information in history, the massive store of data containing information about more than a billion people has been leaked from a government agency, possibly from China, and put up for sale on Dark Web for 10 Bitcoins. 

More than 23TB of details apparently siphoned from a Shanghai police database stored in Alibaba’s cloud was put up for sale on the underground Breach Forums by someone with the handle ‘ChinaDan’. The leaked data included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records. 

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen," Changpeng Zhao, CEO of cryptocurrency exchange Binance, posted on Twitter. "Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details."

How did the data leak? 

The root cause of the data leak remains unknown, but experts believe that the database may have been misconfigured and exposed by human error since April 2021 before it was identified. This would contradict a claim that the database’s credentials were inadvertently leaked as part of a technical blog post on a Chinese developer site in 2020 and later employed to steal a billion records from the police database since no passwords were required to access it. 

But according to Bob Diachenko, a Ukrainian security researcher, this may not be correct. In late April, the researchers’ monitoring records show the database was exposed via a Kibana dashboard, a web-based software used to visualize and search massive Elasticsearch databases. If the database didn’t require a password as believed, anyone could have accessed the data if they knew its web address. 

Cybersecurity experts frequently search the internet for leaked exposed databases or other sensitive data. But hackers also run the same scans, often with the motive of copying data from an exposed database, deleting it, and offering the data’s return for a ransom payment — the standard methodology employed by attackers in recent years. 

Diachenko believes that’s what exactly happened on this occasion; a hacker discovered, raided, and deleted the exposed database, and left behind a ransom note demanding 10 bitcoins for its return. 

“My hypothesis is that the ransom note did not work and the threat actor decided to get money elsewhere. Or, another malicious actor came across the data and decided to put it up for sale,” said Diachenko.

ACY Accidentally Exposes User Data On Web

Anurag Sen, a famous cybersecurity expert said that ACY Securities, an Australia-based trading company accidentally posted huge amounts of personal and financial data of unsuspected users and businesses on the web for public access. The incident happened because of misconfigured database that ACY Securities owns. Sadly, the data leak had over 60GB worth of data that was left in the open without any protection. 

It means that anyone with basic knowledge about obtaining unsafe databases from platforms like Shodan can gain full access to ACY's data. The data had logs from February 2020 to this date, getting updated regularly. The exposed data includes- full name, postal code, address, date of birth, email address, gender details, contact number, password, and banking, and financial information. The attack hit businesses in various countries including China, India, Spain, Russia, Brazil, Australia, Romania, Malaysia, the United States, the United Kingdom, Indonesia, and United Arab Emirates. 

The expose is very severe because, at the beginning of this year, Anonymous and affiliated hacker groups totaled 90% (estimated) of Russian cloud databases, leaked to the public. The exposed data in these leaks was without a password or authentication. 

In the ACY Securities incident, if we consider the extent and nature of leaked data, the case could've turned out to have the worst implication. For instance, threat actors could have downloaded tha data and performed phishing scams, identity thefts, marketing campaign scams, and microloans identity scams.

"misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. In 2021, the number increased to 399,200 exposed databases," read a post on HackRead.

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

T-Mobile Users Impacted by August Data Breach are at Risk of Identity Theft

 

A new warning was issued on Wednesday for T-Mobile data breach victims of potential identity theft risks. New York State Attorney General Letitia James warned victims affected by an August 2021 breach that their private details might be circulating for sale on the dark web. 
 
Last year in August 2021, T-Mobile reported a data breach that ended up compromising the private details of millions of T-Mobile users, including former clients and prospective buyers.  
 
Of the 53 million persons impacted by the data breach, more than 4 million were New Yorker residents who had their names, dates of birth, Social Security numbers, and driver’s license details were exposed, according to the press release issued by the Attorney General's office.   
 
Additionally, the attackers stole technical data — including international mobile equipment identities (IMEIs) and international mobile subscriber identities. IMEIs, which are often used for advertising purposes, are a unique fingerprint for a device that cannot be reset.  
 
“Recently, a large subset of the information compromised in the breach was discovered for sale on the dark web — a hidden portion of the Internet where cybercriminals buy, sell, and track personal information,” the warning reads.  
 
“Many individuals received alerts through various identity theft protection services informing them that their information was found online in connection with the breach, confirming that impacted individuals are at heightened risk for identity theft.” Officials from California, Florida, and several other states issued similar warnings. 
 
The state attorneys general noted that identity protection services already have alerted concerned individuals that their private details had been found online. Cybercrime forums have been under increased pressure by state, federal, and international law enforcement agencies, but the buying and selling of people’s personal data is still an increasingly active criminal act.  
 
Citizens who believe they were affected by the data breach are suggested to take the appropriate steps to protect their information from identity theft. This includes checking credit reports; considering contacting the Equifax, Experian, and TransUnion credit bureaus to place a free credit freeze on personal credit reports; and requesting credit reporting services to provide fraud warnings.

Europol Dismantles Criminal Network Distributing Forged EU Travel Documents on Dark Web

 

The Spanish National Police and the French Border Police, in a joint operation coordinated by Europol, have busted an organized cybercrime gang involved in the procurement and distribution of forged travel and ID documents for migrant smugglers. 

During the raids, in which three house searches were carried out and a total of 17 people were arrested, police seized computers, smartphones, storage devices, counterfeit and genuine ID documents and photocopies of ID documents, labor certificates, administrative documents, payment cards, and cash. 

According to a press release published by European Union’s law enforcement agency, the organized cybercrime gang network distributed forged ID and travel documents in France, Germany, Italy, and Spain. 

“The documents were used by other criminals involved in the smuggling of migrants to the US, the UK and Ireland and other criminal activities (such as property crimes, trafficking in human beings, drug trafficking),” the statement of Europol reads. The criminal network was directly involved in migrant smuggling activities and logistical arrangements in return for payments starting at €8000 ($9000) per person.” 

The members of the criminal gang, mainly originating from Eastern European countries, apparently also operated in Georgia and Lithuania. According to Europol, cybercriminals mainly used dark web channels to distribute forged documents, including residence permits, vehicle registration documents, driver’s licenses, and travel documents focusing on French, Romanian, Georgian, Lithuanian, and Polish IDs. 

Additionally, the suspects used instant messaging apps and postal services to send the documents to their intended recipients. Messaging apps, presumably encrypted ones, were used by the group to collaborate and exchange images of documents, vehicles, and money transfer slips. Europol analysts said they linked some of this information to other ongoing investigations. 

Last year witnessed a gradual shift in the methodology employed by migrant smugglers in the trafficking of human beings. Digital technology is playing a major role in the operations of migrant smugglers and they have expanded their use of social media platforms and mobile applications in order to offer their illegal services.  

Human traffickers have exploited the anonymity of the internet environment to target vulnerable individuals and then exploit them via both escort websites and even dating platforms. To counter this new threat, Europol signed a working agreement with the UK’s National Crime Agency (NCA) designed to formalize cooperation on this and other serious and organized crimes.

Russian Man and his Wife Arrested in U.S. for Stealing Record $4.5 billion in Bitcoins

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on bail of $8 million for two. However, the spouses were unable to leave federal prison as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Liechtenstein's computer. And a plastic container with disposable phones was found under the bed in the apartment of the defendants. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street", was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

Morley Businesses Provider Uncovered a Ransomware Attack

 

Morley, a business services company revealed this week , it had been the target of a ransomware assault which could have exposed the personal information of over 500,000 people. The incident was found in August 2021 when it observed certain files had become unavailable owing to a ransomware attack.

Morley Companies, Inc., based in Saginaw, Michigan, provides business operations to Fortune 500 and Global 100 companies, such as session management, back-office procedures, contact centers, and trade show showcases and displays. 

According to an investigation, for all individuals affected, Morley will cover the expenses of 2 years of IDX identity protection. Those who are affected will be alerted and given instructions on how to join IDX's program. The intruders may have had access to user and staff data, including confidential and sensitive health information. To be precise, the hack exposed the personal information of 521,046 people in total. The company did not explain why it took about 6 months after discovering the breach to begin alerting victims in its letters to victims. 

Morley's security incident notification noted, "As a result, Morley realized the data may have been stolen from its digital environment." "Morley then started collecting personal information needed to notify possibly affected persons, which he finished in early 2022." 

In order to determine why the files weren't accessible anymore, Morley said it had to engage a cybersecurity specialist. When the root of the incident was uncovered, which was revealed to have been a ransomware epidemic, the company engaged the assistance of local experts to analyze the information and identify all those who had been impacted. 

Although this looks to be optimistic, the cyber-intelligence platform claims to have only recently uncovered Morley's data on the dark web. This is often a caution, the data will be used in future attacks by other threat actors, such as specific phishing.

Exposed Corporate Credentials Endanger the Pharmaceutical Industry

 

Constella Intelligence published a report that includes fresh and additional information relevant to pharma sector exposures, breaches, and leakages, with a specific focus on employees and executives from the top twenty pharma firms on the Fortune Global 500 list. 

The report examined eighteen prominent pharmaceutical corporations and their nine hundred plus subsidiaries around the world to assess the presence of exposures of services, sensitive platforms, unpatched CVEs, and other security vulnerabilities. Among the major insights were some alarming numbers, such as 92% of pharmaceutical organisations having at least one exposed database with possible data leakage and 46% having an exposed SMB service. SMB flaws have already been used in prominent assaults such as WannaCry, NotPetya, Nachi, and Blaster worms. 

In 70% of the pharmaceutical M&A deals examined in 2020, the newly acquired subsidiary had a detrimental impact on the parent company's security posture, introducing tens, if not hundreds, of sensitive unprotected and unpatched services. 

The threat intelligence team identified 9,030 breaches/leakages and 4,549,871 exposed records—including attributes such as email addresses, passwords, phone numbers, addresses, and even credit card and banking information—related to employee corporate credentials from the companies examined by analysing identity records from data breaches and leakages discovered in open sources and on the surface, deep, and dark web. 

The proliferation and distribution of this sensitive employee data provides threat actors with the resources they need to carry out a wide range of cyberattacks, including impersonation, phishing, account takeover, and a variety of others that can lead to more sophisticated attacks like ransomware or coordinated disinformation campaigns. 

“The pharma sector’s role within the healthcare ecosystem, especially with today’s public health needs, only emphasizes how critically important it is that these companies protect themselves from cyber threat actors,” said Constella Intelligence CEO, Kailash Ambwani. “As we have seen before, only one exposed employee credential can lead to a company having their systems or supply chain shut down by a data breach leading to a ransomware attack, resulting in a shortage of life-saving supplies.”

Because of their intellectual property and confidential information, as well as their critical role in creating life-saving treatments, pharmaceutical firms are high-value targets for threat actors. The pandemic-driven shift toward remote workforces, combined with accelerating operational digitization, has increased the overall digital footprint of enterprises in this industry, resulting in more digital vulnerabilities and risk.

DeepDotWeb Operator Sentenced to Eight Years for Role in $8.4 million Kickback Scheme

 

An Israeli national was sentenced to 97 months in prison in connection with operating the DeepDotWeb (DDW), a website that connected internet users with darknet marketplaces.

From 2013, Prihar (37) and co-defendant Michael Phan (34), started operating DeepDotWeb and provided a platform for Dark Web news and links to marketplaces, redirecting visitors to their .onion addresses -- websites that are not available via standard search engines in the clear web.

The conviction of Tal Prihar, 37, was announced last week by the U.S. Department of Justice and U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania for money laundering and was ordered to forfeit $8,414,173, ASUS laptop, iPhone, and accounts at various cryptocurrency exchanges such as Kraken, Binance and OKCoin. 

Prihar had pleaded guilty to conspiracy to commit money laundering in March 2021, almost two years after his arrest and the site's seizure, while Phan remains in Israel and is currently undergoing extradition proceedings.

For linking users with the illegal darknet marketplaces, Prihar received a total of 8,155 bitcoins from his affiliate marketing deals with marketplace operators. To conceal the sources of these payments, Prihar converted them to fiat currency and laundered it through other Bitcoin and bank accounts he controlled in the name of shell companies. 

"To conceal the nature and source of these illegal kickback payments, Prihar transferred the payments from his DDW bitcoin wallet to other bitcoin accounts and to bank accounts he controlled in the names of shell companies." explains the DoJ announcement. 

The investigation into DDW involved the FBI's Pittsburgh Field Office, French authorities, Europol, the IRS, German law enforcement, the Israeli National Police, and the UK's National Crime Agency (NCA), among other organizations. 

Additionally, the DoJ also announced the sentencing of an associate of the Dark Overlord hacking group for his role in possessing and selling more than 1,700 stolen identities, including social security numbers, on the dark web marketplace AlphaBay. 

Slava Dmitriev, a 29-year-old Canadian citizen who was arrested in Greece in September 2020 and extradited to the U.S. in January 2021, was sentenced to a jail term of three years after he pleaded guilty in August 2021 to fraud charges.