Search This Blog

Showing posts with label Hacker group. Show all posts

Expert Opinion: The Consequences of the War of the Hacker Group Anonymous against Russia

 

Anonymous hacktivists announced on Twitter about the beginning of the war with Russia because of the special operation in Ukraine. The group is known for its massive DDoS attacks, declassification of government documents, and hacking of politicians' accounts. Information security experts told how Anonymous can harm Russia. 


Information security experts are confident that a real threat may be hiding behind the Anonymous statement. "Government websites, government online services such as Gosuslugi, email, social media accounts of politicians, websites and IT infrastructure of state banks and defense companies can be attacked", said Sergey Nenakhov, head of the information security audit department of Infosecurity a Softline Company. 

According to him, this community has repeatedly manifested itself earlier in hacktivism, hacking government websites, e-mails of politicians from different countries. They also manifested themselves in the online fight against the Islamic State organization (it is banned in Russia), obtaining and publishing information about members of the terrorist organization. 

Group-IB noted that the danger lies in the fact that other groups, including pro-state hacker groups targeting critical infrastructure facilities, may operate under the guise of Anonymous. 
"As for Anonymous, they act as follows: first, in public communities, for example, on Twitter, they call for attacks on certain organizations as part of a particular campaign. In order for users to easily identify these attacks, they usually use special hashtags for each event and the hashtag Anonymous. These campaigns can be joined by young hackers without professional skills and abilities. However, the strength of such actions lies precisely in the mass character of hacktivists," the company explained.

Fedor Dbar, commercial director of Security Code, believes that much will depend on whom the group will carry out the attacks. "The most serious consequences could be caused by attacks on critical information infrastructure (CII) facilities, but it cannot be said that tomorrow we will be left without electricity or electricity."

Suspected Founder of Hacker Group The Infraud Organization Arrested in Moscow

 

It became known that Russia will not extradite the possible leader of the hacker group The Infraud Organization to the United States. Russian FSB officers and Russian law enforcement agencies, with the assistance of US law enforcement agencies, detained four members of the hacker group The Infraud Organization on January 22. Prior to that, the alleged founder Andrei Novak was put on the wanted list in the United States on charges of cyber fraud. 

According to the FSB, Novak has been arrested, and three other alleged hackers have been placed under house arrest. The investigation continues to identify other members of The Infraud Organization. The detained members of the group are accused of illegal access to computer information and illegal turnover of payment funds. 

Russia has no plans to extradite Andrei Novak, the possible leader of the international hacker group The Infraud Organization, to the United States. Thus, Russian law prohibits the extradition of citizens of one's own country to a foreign state. 

It is noted that if among the detained members of the organization there is a person without Russian citizenship, then after the investigation of a criminal case in Russia and the trial he will be extradited to the country where the case was opened against him. 

It is worth noting that in February 2018, it was reported that law enforcement officers detained 13 persons in the United States accused of involvement in a criminal scheme, the damage from which amounted to at least $530 million. In total, 36 people have been charged, and one Russian, Andrei Novak, was included in this list. 

The detained 13 people are citizens of the United States, Australia, Great Britain, France, Italy, and Serbia. The criminal group was organized by a citizen of Ukraine in 2010. 

The company Group-IB, which in Russia is engaged in the investigation and prevention of cybercrime (its founder Ilya Sachkov was arrested in Russia on charges of treason), said at the time that the defendants were not an organized group, but united on hacker sites solely to carry out attacks. Group-IB suggested that their main field of activity could be carding. In addition, cybercriminals could manage cardershops (sites for the sale of bank cards), sell accounts and accounts.

REvil hacker group activity stopped in Russia

The Federal Security Service of Russia stopped the activities of the hacker group REvil, which was engaged in the theft of money using malware.

The operation was carried out in cooperation with the Investigative Department of the Ministry of Internal Affairs throughout Russia. According to the FSB, hackers developed malicious software, organized the theft of money from foreign bank accounts, and cashed them, including by purchasing expensive goods on the Internet.

"The appeal of the competent US authorities served as the basis for the search activities that reported the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies," the FSB said.

The FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal turnover of payment funds, documentation of illegal activities has been carried out.

REvil has ceased to exist. According to the FSB, at 25 addresses of the places of residence of 14 members of the organized criminal community, over 426 million rubles ($5.5 million) were seized, including in cryptocurrency, $600 thousand, €500 thousand, as well as computer equipment, crypto wallets used to commit crimes, 20 premium cars purchased with funds obtained by criminal means.

"As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community has ceased to exist, the information infrastructure used for criminal purposes has been neutralized. Representatives of the competent US authorities have been informed about the results of the operation," the FSB reported.

The REvil group is considered one of the most active hacker groups in the world. It has committed several major attacks, including against Apple and the Texas government.

It is worth noting that in the summer of 2021, according to The New York Times, after a conversation about REvil, which took place between US President Joe Biden and Russian leader Vladimir Putin at a summit in Switzerland, hackers disappeared from the darknet. Then the American president called on the Russian Federation to take measures to suppress the activities of cyber criminals operating on its territory.


North Korean hacker group Kimsuky started attacking Russian political scientists

The American cybersecurity company Proofpoint has discovered that the Kimsuky hacker group, presumably from North Korea, is attacking Russian scientists, foreign policy experts, and non-governmental organizations that deal with various issues of interaction with the DPRK.

It follows from the company's research that hackers send phishing emails to Korean experts on behalf of well-known experts in the Russian Federation.

Alexey Pavlov, Business Development Director of the center for countering cyberattacks Solar JSOC Rostelecom-Solar, explained that the letters contain a link, upon clicking on which the user sees a window for entering a login and password. This is similar to a Windows pop-up window for password-protected network resources. According to the attackers' plan, the victim must enter his credentials. Since the unsecured HTTP protocol is used, hackers get the credentials in cleartext.

The Proofpoint study provides an example of such a letter in Russian, allegedly on behalf of the Executive director of the National Committee for BRICS Research, Georgy Toloraya. “Mass mailings are being sent from fake addresses opened in my name,” he confirmed, adding that the signature was copied from old letters.

"Positive Technologies specialists recorded Kimsuky attacks using Korean themes in August," says Denis Kuvshinov, head of the company's threat research department.

According to Group-IB experts, over the past year, Kimsuky has been quite active in conducting cyber espionage operations not only against South Korea but also countries that support it.

The group has been carrying out thematic attacks since 2018. In 2020, it attacked Russian military and industrial organizations.

Experts believe that Kimsuky will try to purposefully extract valuable documents from specific officials and employees of research organizations. Kimsuky can connect infected computers to a botnet or steal access to crypto wallets.

Hacker group RedCurl attacked a large Russian online store

Commercial espionage remains a rare phenomenon, but the success of this group can set a new trend.

The cybersecurity company Group-IB has discovered traces of new attacks by RedCurl hackers engaged in commercial espionage and theft of corporate documentation from companies from various industries. This time, the victim of the group was a Russian retailer, one of the top 20 largest online stores in Russia.

The company notes that it discovered a new Russian-speaking group last year, in the period from 2018 to 2020, it carried out 26 attacks, 14 victim organizations from different countries were identified. Among the hackers' targets are construction, financial, consulting companies, retailers, banks and insurance, legal organizations located in Russia, Ukraine, the UK, Germany, Canada, and Norway. In 2021, the attacks resumed.

According to experts, commercial espionage remains a rare phenomenon, but the success of this group can set a new trend. The company's specialists noted that since the beginning of 2021, 4 attacks have been recorded.

A feature of the group is the sending of phishing emails to different departments of the organization on behalf of the HR team. After a computer is infected, information about the victim's infrastructure begins to be collected on the organization's network; criminals are interested in the version and name of the infected system, the list of network and logical drives, and the list of passwords.

Experts note that the actions and methods of RedCurl are unique for Russian-speaking hackers, for example, from the moment of infection to data theft, it takes from 2 to 6 months. The group does not use standard means of remote control of compromised devices. Infection, attachment to an infected device, promotion on the network, and theft of documents are carried using self-written and several public tools.

The group does not encrypt the infrastructure of the victim company, does not withdraw money from accounts, and does not demand a ransom for stolen data. This may indicate that hackers are rewarded from other sources, and their goal is to secretly extract valuable information. According to the company, RedCurl is interested in business correspondence, personal files of employees, documentation on various legal entities, and court cases.


Microsoft reported thousands of cyberattacks by the Russian hacker group

Microsoft has announced the activation of the Nobelium cyber group, which attacked the American software developer SolarWinds more than a year ago and gained access to US government data.

Microsoft has reported that a hacker group allegedly linked to Russian intelligence has significantly intensified its activities in recent months. From the beginning of July to mid-October, the hacker group carried out 22.9 thousand cyber attacks on 609 companies.

However, Russian experts do not agree at all with Microsoft representatives. So, Alexey Lukatsky, Cisco information security consultant, said that no one has shown evidence that hackers from Russia are behind the Nobelium hacker group.
According to him, if an attack is carried out from Russian IP addresses and code fragments have previously been attributed to Russian hackers (often also without evidence), experts conclude that Russians are behind the attack.
“It is now fashionable to accuse Russia of cyber attacks, as some countries allocate large budgets to increase the level of protection against cyber attacks and some companies believe that it is easy to get them to fight a known enemy,” said Lukatsky.

Anastasia Tikhonova, head of the Threat Intelligence Group-IB complex threat research group, also believes that there is no clear evidence that Russian hackers are behind the activities of the Dark Halo (Nobelium) group.
“No tactics, techniques and procedures that could prove intersections between the actions of Dark Halo (Nobelium) and another well-known group of attackers were presented, except perhaps a comparison of the Sunburst backdoor used by Dark Halo (Nobelium) with the Kazuar RAT, which is used by hackers of the Turla group,” added she. 

Sergey Nenakhov, Head of the Information Security Audit Department at Infosecurity, agrees with Tikhonova and Lukatsky. According to him, in order to draw conclusions about the involvement of a particular group of hackers in the attack, companies must have access to a large amount of telemetry data that can be collected by a very limited number of them. Microsoft, as a major player, can afford such an investigation, but it is unclear how independent this company is from political interference, Nenakhov said.

Russian-speaking hackers attacked Russian companies and demanded ransom

Group-IB recorded a successful attack by the criminal group OldGremlin on a Russian medical company. The attackers completely encrypted its corporate network and demanded a ransom of $50,000.

Russian-speaking hackers from the OldGremlin group attacked several Russian companies, despite the ban: among cybercriminals, there is an unspoken rule "do not work on RU".

According to experts, since the spring of 2020, hackers from OldGremlin have conducted at least nine attacks on Russian companies. It is noted that they send malicious emails allegedly on behalf of the Russian media holding RBC, the Russian metallurgical holding, the Minsk Tractor Plant, the Union of microfinance organizations and other individuals and enterprises. Under various pretexts, attackers are asked to click on the link and download the file. After trying to open it on the victim's computer, the backdoor malware TinyPosh runs.

This time a large Russian medical company became the victim of the criminals. After gaining access to the computer of one of the employees, they deleted the organization's backups, and also spread the TinyCrypton ransomware virus on the computers of the employees. As a result of their actions, the work of regional branches of the medical company was stopped. Then the hackers demanded a ransom: they wanted to get 50 thousand dollars in cryptocurrency for restoring access.

"The lack of a strong communication channel between organizations that resist cybercrime, as well as the difficult political situation, lead to the emergence of new criminal groups that feel safe," said Rustam Mirkasymov, head of the dynamic analysis of malicious code at Group-IB. The expert also stressed that businesses often underestimate the threats posed by cybercriminals, and do not use the necessary means of protection. 

Kaspersky Lab reports North Korean Hacker group Lazarus stealing cryptocurrencies using the Telegram messenger


A group of hackers calling themselves Lazarus modified their previous scheme to steal cryptocurrency which was used in 2018. Hackers use more effective tactics and act more carefully. According to Kaspersky Lab, now, not only users of the macOS operating system are at risk but also users of Windows.

Presumably, Lazarus hackers use malware that runs in memory and not on hard drives allowing it to remain undetected. The researchers believe that the group uses Telegram to spread the virus.

The new Lazarus attack was named Operation APpleJeus Sequel, which follows APpleJeus attack conducted in 2018. Principle of cryptocurrency theft remains the same as before: fake cryptocurrency companies are used to attract investors. The websites of these companies contain links to fraudulent

Telegram trading groups, through which malware that infects Windows computers is distributed.
Once the system is infected, attackers can gain remote access to it and steal the cryptocurrencies stored on the device. So far, researchers have been able to identify many victims of the new fraud across Europe and in China. A representative of Kaspersky Lab reports that it is known about the victims from Russia, China, Poland and the UK. At the same time, they include both individual traders and companies whose activities are related to cryptocurrency.

Kaspersky noted that currently, hackers from Lazarus have suspended their campaign using the messenger, but researchers suggested that in the future, attackers will use even more advanced methods.

Earlier, a closed UN report reported that North Korea finances the development of weapons through digital and Fiat currencies stolen from banks and cryptocurrency exchanges. Last fall, Group-IB said that a North Korean group of hackers stole $571 million in cryptocurrencies.

Group-IB reported on the five hacker groups threatening to Russian banks


The main hacker groups threatening Russian banks are Cobalt, Silence, MoneyTaker, Lazarus and SilentCards. They can hack a Bank, reach isolated financial systems and withdraw funds, said Ilya Sachkov, CEO and founder of Group-IB, a company specializing in preventing cyber attacks.

At the same time, hacker groups are shifting their focus from Russia to other countries.

According to the founder of Group-IB, "it is curious that three of the five groups (Cobalt, Silence, MoneyTaker) are Russian-speaking, but over the last year Cobalt and Silence began to attack banks mainly outside Russia".

"For example, Silence began its activities in Russia, but gradually shifted its focus to the CIS, and then entered the international market. Group-IB analysts have detected Silence attacks in more than 30 countries in Europe, Asia and the CIS for the current year," said Sachkov.

According to him, the pro-government hackers of developed countries are the most dangerous, since their activity is less noticeable, while they have a better arsenal for carrying out attacks.

"Our last year's forecast came true. The number of targeted attacks aimed at espionage, sabotage or obtaining direct financial benefits has grown significantly. So-called "digital weapons" or cyberweapons, which can stop production processes and disable networks of critical infrastructure and large commercial enterprises, are actively used. This is a serious problem. The number of cyber attacks will increase and it will be more difficult to resist them, " added Sachkov.

The head of the company Group-IB also said that cybercriminals began to use a new method of stealing money from Bank customers by installing remote access programs on smartphones. The monthly losses of large banks from this type of fraud can reach 6-10 million rubles.

He noted that the Secure Bank system monthly records of more than 1 thousand attempts to steal money from the accounts of individuals using this scheme.

Earlier it was reported about a new way of stealing from Bank cards. Hackers pose as Bank employees using the technology to substitute phone numbers.

These legit looking iPhone cables allow hackers to take charge of your computer

When they said you should be wary of third-party accessories and unbranded cables for charging your smartphone, they were serious. And the latest example of what a cable that isn’t original can do, should be enough to scare you. There is apparently a Lightning Cable that looks just as harmless as an iPhone cable should. But it has a nasty trick up its sleeve, which allows a hacker to take control of your computer, the moment you plug this in to the USB port. This cable has been dubbed the OMGCable.

A security researcher with the Twitter handle @_MG_ took a typical USB to Lightning cable and added a Wi-Fi implant to it. The moment this gets plugged into the USB port on a PC, a hacker sitting nearby with access to the Wi-Fi module hidden inside the cable can run a malicious code and take charge of a PC or remotely access data without the user even noticing.

“This specific Lightning cable allows for cross-platform attack payloads, and the implant I have created is easily adapted to other USB cable types. Apple just happens to be the most difficult to implant, so it was a good proof of capabilities,” said MG, as reported by the TechCrunch website.

The thing with phone charging cables is that no one really gives them a second look. You see one, you plug it in and you let it be. At the same time, a lot of users are wary about using USB drives, also known as pen drives or thumb drives, because they are popular as carriers of malware and viruses that can pretty much ruin your PC.

A Hacker Group, 'Barium' on a Supply Chain Hijacking Spree



One of the most fatal forms of hacking is a software supply chain attack as it involves illicitly accessing a developer's network and placing the malicious code into the software updates and applications that users consider and trust the most.

In a single attempt, supply chain hackers can potentially place their ransomware onto thousands or millions of computer systems, they can do so without even a single trace of malicious activity. With time, this trick has gained a lot of traction and has become more advanced and difficult to be identified. Supply chain attacks follow a similar pattern and have been used by the associated companies as their core tool.

Basically, supply chain attacks exploit various software dissemination channels and over the last three years, these attacks have been majorly linked to a group of Chinese hackers. Reportedly, they are popularly known as ShadowHammer, Barium, Wicked Panda and ShadowPad, the name varies along with the security firms.

The trick demonstrates the massive potential of ShadowHammer to destroy computer systems on a large scale along with exploiting vulnerabilities present in a fundamental model which governs the code employed by users on their systems, such destructive ability possessed by Barium is a matter of great concern for security researchers.

Referencing from the statements given by Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky, "They're poisoning trusted mechanisms," "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."

"When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system,"

"This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

On being asked, Marc-Etienne Léveillé, a security researcher, said, "In terms of scale, this is now the group that is most proficient in supply chain attacks,"

"We’ve never seen anything like this before. It’s scay because they have control over a very large number of machines

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," said another expert on the matter.






Russia-linked hackers Fancy Bears leak data from International Luge Federation

A Russia-linked hacker group called “Fancy Bears” released a statement on Wednesday claiming to have leaked emails and documents that demonstrate violations of anti-doping rules, just two weeks before Winter Olympics 2018.

“The obtained documents of the International Luge Federation (FIL) show the violations of the principles of fair play: widespread TUE approvals, missed anti-doping tests and the double standards approach towards guilty athletes,” read the report.

This is the same group that was implicated in the 2016 Democratic National Committee (DNC) hack, and is also known by the names “Pawn Storm” or “APT 28”.

This is believed to be in response to Russia’s ban from the 2018 Winter Olympics following the controversy in the 2016 games where the same group is believed to have been responsible for the hack that leaked sensitive athlete data stolen from the World Anti-Doping Agency (WADA), which too was in response to the organization’s recommendation to ban Russian athletes from the 2016 games in Rio over allegations of state-sponsored doping.

The hacking group’s “About Us” on their website reads, “We are going to tell you how Olympic medals are won. We hacked World Anti-Doping Agency databases and we were shocked with what we saw.”

China Bank Network Website Defaced By Indian Cyb3r D3V!LS


Indian Hacker group named "Indian Cyb3r D3V!LS" has hacked into the China Bank website and defaced the main page of the website(www.bbyinhang.com).

The Bibi bank network independent website, co-founded by a number of financial professionals committed to universal access to financial expertise to help the general public understand the products and services provided by banks, to cultivate rational, smart and confident consumers of financial.

The hacker claimed to have breached the site by exploiting the Remote File Inclusion (RFI) vulnerability.

Hackers claimed to have compromised around 1000 credit card numbers but they are not going to release/misuse the details.

""Chinese Hacker defacing Many Indian government and colleges along with Pakistan hackers.  Don't mess with us we are greater than you.. no respect for your f** security.. " Hacker said.

Indonesian President website hacked by MJL007 from Jember Hacker Team


The official website of Indonesian president,Susilo Bambang Yudhoyono , presidensby.info, has been hacked and defaced by an Indonesian Hacker group known as Jember Hacker Team(JHT) .

The site was defaced by a hacker called "MJL007" from the group with a small message reading "This is a payback From Jember Hacker Team".

Few hours after the site got breached, the Indonesian Government restored the website. At the time of writing, the website works fine.

Detik cited the Indonesian minister of communications and information, Tifatul Sembiring, as claiming that the hacker didn't really hack into the website diverting the IP address that is in the existing DNS soft layer in Texas.

The mirror of the defacement can be found here:
http://www.zone-h.org/mirror/id/18912807

VandaTheGod hacks several Government websites


A Hacker named VandaTheGod from UGNazi hacker group, has breached several Government websites and other websites.

Recently, he hacked Ecuador government website "Technical Secretariat for Vocational Training (setec.gob.ec), Argentina govt site "Ministry of Education of the Province of Corrientes (mecc.gov.ar)", official site of Escalante City ,Philippines(escalantecity.gov.ph).

The hacked sites simply displays a text "Deface By @VandatheGod or @CosmoTheGod" with a email address of the hacker.

The hacker keep defacing more websites every minutes. He also hacked subdomain of "The International Bank for Trade and Finance(mail.ibtf.com.sy).  

Government of Mizoram (Dpar.mizoram.gov.in) site hacked and defaced by Anonymous

Mizoram government site hacked

Anonymous hacktivist has hacked into the Department of Personnel and Administrative Reform(DP&AR) sub domain(Dpar.mizoram.gov.in) belong to Government of Mizoram.

Mizoram  is one of the Seven Sister States listed as in North Eastern India, sharing borders with the states of Tripura, Assam, Manipur and with the neighboring countries of Bangladesh and Burma.

"This is Govt saying, they can still censor you if you speak against them. " Hacker posted the protest message in the defacement webpage.

"Free press is a myth in #India thanks to #ITAct #66A with latest modification the Govt will better control "

" The time to sit silently is gone. Call your friends and get them to protests sites"

The defaced page:
dpar.mizoram.gov.in/components/index.html

At the end of the defacement page, hackers mentioned  that the website is full of malware even before they hacked into the site.