
Security Researchers Establish Connections Between 3AM Ransomware and Conti, Royal Cybercriminal Groups


Security researchers examining the operations of the recently surfaced 3AM ransomware group have uncovered strong links to two established actors: the Conti syndicate and the Royal ransomware gang.

The 3AM ransomware, also known as ThreeAM, has adopted a novel extortion tactic: announcing data leaks directly to victims' social media followers and using bots to reply to high-profile accounts on X (formerly Twitter) with links to the stolen data.

3AM was first documented by Symantec's Threat Hunter Team in mid-September 2023, in an intrusion where the attackers fell back to 3AM after their attempted LockBit deployment was blocked. According to French cybersecurity firm Intrinsec, ThreeAM is likely an affiliate of the Royal ransomware group, since rebranded as BlackSuit, whose core consists of former members of Team 2 within the Conti syndicate.

Intrinsec's investigation found substantial overlap between 3AM and the Conti syndicate in communication channels, infrastructure, and tactics. Notably, an IP address that Symantec had listed as a network indicator of compromise led the researchers to a PowerShell script on VirusTotal that drops a Cobalt Strike payload.

Further investigation of that infrastructure turned up a SOCKS4 proxy listening on TCP port 8000, a TLS certificate tied to an RDP service, and HTML from 3AM's data leak site that Shodan had indexed. The servers were traced to Cherry Servers, a Lithuanian hosting company that carries a low fraud-risk score yet is known to host malware.

Intrinsec's findings matched a Bridewell report that linked the same IP subnet to the ALPHV/BlackCat ransomware operation. ALPHV was not part of the Conti syndicate but was allied with it, and has been tied to the IcedID malware used in Conti attacks.
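The pivoting described above (an IOC IP leads to a reused RDP certificate, an open SOCKS4 port, indexed leak-site HTML, and finally a subnet that another vendor had already attributed) is a mechanical process once you have scan data. The script below is an added example written for this post, not Intrinsec's, Symantec's or Bridewell's tooling. Every IP, certificate fingerprint, banner and HTML snippet in it is constructed; only the SOCKS4 reply layout (an 8-byte reply whose second byte is 0x5a for "request granted") is the real protocol. It starts from a seed IP, links hosts that share a TLS certificate fingerprint or the same leak-site page, optionally the same /24, and records the chain of evidence for each hop.

```python
"""Pivoting across scan records to link hosts by shared TLS certificate,
shared leak-site HTML, or shared /24 subnet, and flagging open SOCKS4 proxies.

Added example for this post; all IPs, fingerprints, banners and HTML below
are constructed and do not describe any real host."""
import hashlib
import ipaddress
import re
from collections import defaultdict, deque

# Constructed records in a simplified Shodan-like shape (one row per ip:port).
# "banner" is what a scanner received after sending a SOCKS4 CONNECT probe;
# "tls_sha256" is the SHA-256 fingerprint of the served leaf certificate.
RECORDS = [
    {"ip": "192.0.2.10", "port": 8000,
     "banner": b"\x00\x5a\x00\x00\x00\x00\x00\x00", "tls_sha256": None, "html": None},
    {"ip": "192.0.2.10", "port": 3389, "banner": b"",
     "tls_sha256": "ab12" * 16, "html": None},          # RDP cert, reused below
    {"ip": "192.0.2.20", "port": 3389, "banner": b"",
     "tls_sha256": "ab12" * 16, "html": None},          # same RDP cert as .10
    {"ip": "192.0.2.20", "port": 443, "banner": b"",
     "tls_sha256": "cd34" * 16,
     "html": "<html><head><title>Leaked Data</title></head>\n<body>list v1</body></html>"},
    {"ip": "198.51.100.7", "port": 80, "banner": b"", "tls_sha256": None,
     "html": "<html><head><title>Leaked Data</title></head> <body>list v1</body></html>"},
    {"ip": "203.0.113.5", "port": 443, "banner": b"",
     "tls_sha256": "ef56" * 16,
     "html": "<html><head><title>Welcome</title></head><body>hello</body></html>"},
]

def socks4_granted(banner: bytes) -> bool:
    """A SOCKS4 reply is 8 bytes: VN=0x00, CD=0x5a means 'request granted'.
    A host that answers a CONNECT probe this way is an open SOCKS4 proxy."""
    return len(banner) == 8 and banner[0] == 0x00 and banner[1] == 0x5A

def open_socks4_hosts(records):
    return sorted((r["ip"], r["port"]) for r in records if socks4_granted(r["banner"]))

def html_hash(html: str) -> str:
    """Hash the page after collapsing whitespace, so re-indenting or
    line-ending differences between mirrors do not break the pivot."""
    canon = re.sub(r"\s+", " ", html).strip().lower()
    return hashlib.sha256(canon.encode()).hexdigest()

def pivot_keys(rec, include_subnet=False):
    """Attributes worth pivoting on. Certificate and content hashes are strong
    links; the /24 is weak (shared hosting) and therefore off by default."""
    keys = set()
    if rec["tls_sha256"]:
        keys.add(("tls", rec["tls_sha256"]))
    if rec["html"]:
        keys.add(("html", html_hash(rec["html"])))
    if include_subnet:
        net = ipaddress.ip_network(f"{rec['ip']}/24", strict=False)
        keys.add(("net24", str(net)))
    return keys

def pivot(records, seed_ip, max_hops=2, include_subnet=False):
    """Breadth-first expansion from a seed IOC. Returns {ip: (via_ip, key)}
    so an analyst can see the chain of evidence behind every linked host."""
    by_ip = defaultdict(list)
    key_to_ips = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].append(r)
        for k in pivot_keys(r, include_subnet):
            key_to_ips[k].add(r["ip"])
    found = {seed_ip: (None, None)}
    queue = deque([(seed_ip, 0)])
    while queue:
        ip, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for r in by_ip[ip]:
            for k in pivot_keys(r, include_subnet):
                for other in key_to_ips[k]:
                    if other not in found:
                        found[other] = (ip, k)
                        queue.append((other, hops + 1))
    return found

if __name__ == "__main__":
    print("open SOCKS4 proxies:", open_socks4_hosts(RECORDS))
    for ip, (via, key) in pivot(RECORDS, "192.0.2.10").items():
        print(ip, "<-", via, key)
```

With the constructed data, the seed 192.0.2.10 reaches 192.0.2.20 through the shared RDP certificate and, one hop further, 198.51.100.7 through identical leak-site HTML, while the unrelated 203.0.113.5 is never pulled in. Keeping the subnet pivot opt-in and the hop count bounded is what stops this kind of expansion from swallowing every tenant of a bulk hosting provider.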

Beyond the technical overlap, Intrinsec documented 3AM's experiment with a new extortion technique. In August the gang created a Twitter account and used it to reply to tweets from victims and high-profile accounts with links to its leak site on the Tor network. The unusually high volume of near-identical replies led Intrinsec to suspect that a bot was driving the name-and-shame campaign.

Although 3AM appears less sophisticated than Royal, the researchers warned against underestimating its capacity to mount a large number of attacks. The original report closes with broader context on the Conti syndicate, its dissolution, and the affiliated groups, such as Royal, that emerged from it.

Hackers Leak 50 Million Records in 'Free Leaksmas' Spree

Just before Christmas, hackers leaked roughly 50 million records containing personal information, posting them on the dark web under the banner "Free Leaksmas". The releases appear intended both as gifts to fellow criminals and as a way to attract new customers during the busy holiday season.

Cybersecurity company Resecurity observed that, in the run-up to Christmas Eve, several threat actors released large volumes of data at once. Some of it came from earlier breaches, but new incidents were among them as well, and the records belonged to people around the world.

“Numerous leaks disseminated in the underground cyber world were tagged with 'Free Leaksmas,' indicating that these significant leaks were shared freely among various cybercriminals as a form of mutual gratitude”, Resecurity wrote on its website. 

One of the largest dumps came from a breach at Movistar, a Peruvian telecom provider: about 22 million records containing customer phone numbers and DNI numbers (the Documento Nacional de Identidad, Peru's national identity number).

Other large Leaksmas dumps included 2.5 million customer records from a Vietnamese fashion retailer and 1.5 million customer records from a French company.

“A significant event during the 'Leaksmas' in the Dark Web involved the release of a large dataset from Movistar, a leading telecommunications provider in Peru. This dataset contained over 22 million records, including customers' phone numbers and DNI (Documento Nacional de Identidad) numbers”, Resecurity added. 

Not all of the data Resecurity saw shared over the holidays came from recent hacks; some appeared to stem from older incidents. One dump contained customer data from the Swedish fintech company Klarna, which the hackers may have obtained in a rumoured (but never officially confirmed) 2022 breach.

Another example was a 2 million-record dump of customers of a Mexican bank, which Resecurity's analysis dated to a breach in 2021 or 2022. Over the same period, researchers saw groups such as SiegedSec and "Five Families" sharing stolen data online.
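Telling a recycled dump from a fresh one, as Resecurity did for the Klarna and Mexican bank data, comes down to comparing the new records against what you already hold from earlier incidents after normalising the fields. The script below is an added example written for this post, not Resecurity's tooling; every phone number, DNI and record in it is constructed, and the HMAC key is a placeholder you would replace with a secret of your own. It canonicalises Peruvian-style records (nine-digit mobile number plus eight-digit DNI), stores only keyed hashes of them rather than the raw PII, and reports how much of a new dump was already seen, how much is new, and how much is malformed.

```python
"""Triaging a freshly posted dump against records already known from an
earlier incident, to estimate how much of it is recycled.

Added example for this post, not Resecurity's tooling. Every phone number,
DNI and record below is constructed; the HMAC key is a placeholder."""
import hashlib
import hmac
import re

DNI_RE = re.compile(r"^\d{8}$")   # Peruvian DNI: eight digits

# Constructed: records as they might appear in an earlier, already-ingested dump.
OLD_DUMP = [
    {"phone": "+51 987 654 321", "dni": "12345678"},
    {"phone": "987654322", "dni": "23456789"},
    {"phone": "987654323", "dni": "34567890"},
    {"phone": "987654324", "dni": "45678901"},
]

# Constructed: the newly posted dataset. Two rows repeat people from OLD_DUMP
# with different phone formatting, one is new, one has a malformed DNI.
NEW_DUMP = [
    {"phone": "987-654-321", "dni": "12345678"},
    {"phone": "(987) 654 322", "dni": "23456789"},
    {"phone": "987654325", "dni": "56789012"},
    {"phone": "987654326", "dni": "ABC"},
]

def normalize_phone(phone: str) -> str:
    """Digits only; drop a leading Peru country code (51) when what remains
    is a nine-digit national number, so '+51 987...' and '987-...' match."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("51") and len(digits) == 11:
        digits = digits[2:]
    return digits

def valid_dni(dni: str) -> bool:
    return bool(DNI_RE.match(dni.strip()))

def record_token(rec, key: bytes) -> str:
    """Keyed hash of the canonical record. Storing tokens instead of the raw
    PII lets you keep a comparison set from past dumps without re-hoarding
    the victims' data, and the key stops trivial rainbow-table reversal."""
    canon = normalize_phone(rec["phone"]) + "|" + rec["dni"].strip()
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()

def known_tokens(dump, key: bytes) -> set:
    return {record_token(r, key) for r in dump if valid_dni(r["dni"])}

def triage(new_dump, known: set, key: bytes) -> dict:
    recycled = fresh = malformed = 0
    for rec in new_dump:
        if not valid_dni(rec["dni"]):
            malformed += 1          # junk, padding, or a different field layout
            continue
        if record_token(rec, key) in known:
            recycled += 1
        else:
            fresh += 1
    valid = recycled + fresh
    return {
        "valid": valid, "recycled": recycled, "fresh": fresh,
        "malformed": malformed,
        "recycled_ratio": recycled / valid if valid else 0.0,
    }

if __name__ == "__main__":
    KEY = b"placeholder-key-rotate-me"   # assumption: any secret key you control
    print(triage(NEW_DUMP, known_tokens(OLD_DUMP, KEY), KEY))
```

On the constructed data two of the three well-formed new records are already known, so the dump is two-thirds recycled, and one record is rejected for a malformed DNI. A high recycled ratio is a strong hint that a "new" breach is an old one repackaged; a high malformed count usually means the dump has been padded or the field layout guessed wrong, and either way it deserves scepticism before anyone notifies customers.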

SiegedSec has targeted critical infrastructure in Israel and claimed responsibility for a breach of the Idaho National Laboratory; "Five Families" leaked records from a Chinese retailer over a labour dispute. Some sellers of stolen payment-card data even offered holiday discounts. The common thread is that cybercriminals continue to harvest personal information and to exploit weaknesses in websites and software.