Search This Blog

Showing posts with label Hacking Group. Show all posts

Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Reported to attack a variety of known target groups worldwide, Void Balaur is a very active hacker-for-hire cyber mercenary gang. Since at least 2016, people have seen their services available for purchase online. Private data collection and access to particular online email and social media sites, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and corporate emails, are among the services offered. 

Google claims Since 2012, TAG has been keeping tabs on a diverse group of Indian hackers-for-hire, many of whom have worked briefly for Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both general and opportunistic with the goal of getting illegal access to popular email services, social networks, communications, and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the assault infrastructure run by Void Balaur includes more than 5,000 distinct domains that present themselves as portals for public services, authentication services, and email websites.

A wide range of industries, frequently with specific political or business ties to Russia, are among the new targets. Additionally, Void Balaur hunts out targets useful for positioning or assisting upcoming assaults. They have the United States, Russia, Ukraine, and a number of other nations as their targets.

However, in early 2022, one of the group's managed domains resolved to an IP address that belongs to and is run by the Russian Federal Guard Service (FSO), indicating what appears to be an operating oversight and raising the possibility of a connection.

Despite the fact that Void Balaur targets persons and organizations all over the world, ads launched in 2022 have targeted individuals who are active in political and business circumstances that are important to Russia.

The use of highly repeatable phishing emails that look like they are from banks or local governments is common in order to deceive recipients into clicking a malicious link and divulging their account information.

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In accordance with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Nonetheless,  employing and adopting the proper security measures will help in repelling cyber mercenary attacks.

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach


Uber revealed more details about the security incident that occurred last week on Monday, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group. 

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged for their actions weeks later. The hacker responsible for the Uber breach, an 18-year-old teenager known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

In terms of how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, correlating with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two of Uber's employees in Brazil and Indonesia had been infected with Raccoon and Vidar information robbers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attack against Uber and Cisco shows that security controls that were once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."

A New Ransomware Gang BianLian on a Sudden Rise

BianLian has 20 victims 

A new ransomware gang working under the name BianLian surfaced last year and is actively on the rise since then. The group already has a record of twenty victims across various industries (engineering, medicine, insurance, and law). Most of the victim organizations are based in Australia, the UK, and North America.

Cybersecurity firm Redacted published a report regarding the incident, it hasn't attributed the attack to anyone but believes the threat actor "represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business." 

Redacted firm finds the group 

Unfortunately, the Redacted team of experts has found proof that BianLian is now trying to advance its tactics. In August, the experts noticed that a troubling expansion in the rate by which BianLian was bringing new [CBC] servers online. 

"The BianLian group has developed a custom tool set consisting of a backdoor and an encryptor, developing both using the Go programming language," says the report.

The experts currently lack the insight to know the reason for the sudden increase in growth, it may hint that the hacking group is ready to increase its operational tempo, though whatever may be the reason, there isn't much good that comes from a ransomware operator that has resources readily available to him. 

How does BianLian work?

To get initial access into the victim's network, BianLian generally attacks the SonicWall VPN devices, servers that offer remote network access through solutions like Remote Desktop, ProxyShell vulnerability chain 

Once exploited, they deploy either a webshell or a lightweight remote access solution like ngrok as the follow-on payload. Once inside the victim network, BianLian takes upto six weeks to initiate the encryption process. 

As BianLian in the beginning spreads throughout the network, looking for the most important information to steal and find out the most important machines to encrypt, it appears to take steps to reduce observable incidents, via living of the land (LOL) methods to move horizontally. 

In the past, BianLian has occasionally posted teaser information on victim organizations, leaving the victims identities masked, which may have served as an additional pressure mechanism on the victims in an attempt to have them pay the actors ransom demand, says Redacted report. 

Google Blocks Malicious Domains Used by Hack-for-hire Groups

About hack-for-hire

Threat Analyst Group (TAG) of Google last week revealed that it blocked around 36 malicious domains used by Hacking groups in Russia, UAE, and India. 

In a technique similar to surveillance ecosystems, hack-for-hire groups give their clients the leverage to launch targeted cyberattacks on corporate organizations, politicians, activists, journalists, and other users that are at high-risk. 

What is Google saying?

Google in its Blog says "as part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm."  

The only difference in the manners of the two is that while users buy the spyware from commercial vendors and later use it themselves, the actors behind hack-for-hire cyberattacks deploy the hacking attempts on the clients' behalf so that the buyers remain anonymous. 

How does hack-for-hire operate?

The hack-for-hire ecosystem is flexible in two ways, first in how the actors deploy the attacks themselves, and second, in the large range of targets, they seek in a single campaign on their clients' behalf. 

Some hacking groups publicly market their products and services to any user that is willing to pay, however, few operate in a hidden manner and sell their services to a limited public. 

"We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement," says Google. 

Other Details

A recent campaign launched by an Indian hacking group attacked an IT company in Cyprus, a fintech organization in the Balkans, an educational institute in Nigeria, and a shopping company in Israel, hinting the wide range of victims. 

According to Google Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox. 

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns, Google adds. 

Lapsus$ Attackers Gained Access to a Support Engineer's Laptop, as per Okta


According to Okta, a quick inquiry into the posting of screenshots that appeared to depict a data breach discovered they are linked to a "contained" security incident that occurred in January 2022. 

After the LAPSUS$ hacking group shared screenshots on Telegram which it claimed were taken after gaining access to " Superuser/Admin and several other systems," Okta, an enterprise identity, and access management business, initiated an investigation. 

Lapsus$ is a hacking gang that has risen through the ranks by supposedly breaking into the networks of high-profile companies one by one to collect information and threaten to disclose it online until blackmail payments are made.

Sitel, Okta's third-party provider of customer support services, was hacked by the Lapsus$ data extortion gang. "The Okta Security team was notified on January 20, 2022, a new factor had been added to a Sitel customer service engineer's Okta account. It was a password which served as this factor" Okta explains. "Though this individual approach was unsuccessful, it reset the account and contacted Sitel," says the company, which then hired a top forensic agency to conduct an investigation. 

Okta is a publicly-traded corporation based in San Francisco with thousands of users, including several technology companies. FedEx, Moody's, T-Mobile, JetBlue, and ITV are among the company's top clients. 

"Lapsus$ is infamous for extortion, threatening victims with the publication of sensitive information if demands are not met," said Ekram Ahmed, a Check Point spokesperson. "The gang boasts of infiltrating Nvidia, Samsung, and Ubisoft, among others." The public has never fully understood how the gang was able to penetrate these targets. 

Okta claims it was unaware of the scope of the event in January, believing it to be restricted to a failed account takeover attempt aimed at a Sitel support engineer. Sitel's hiring of a forensics firm to investigate the incident and prepare a report also assured Okta at the moment the situation didn't need to be escalated any further.

The stock price of Okta dropped about 20% in less than a week after the company's clumsy announcement of the January hacking event. At first, Okta CEO Todd McKinnon described the event as an "attempt" by malicious attackers to hack a support engineer's account. However, it was eventually discovered the problem had affected 2.5 percent of Okta's clients (366 in total). Sitel's support engineers have restricted access to Jira requests and support systems, but they are not allowed to download, create, or delete client records. 

According to Okta, the screenshots posted by the Lapsus$ group were taken from a compromised Sitel engineer's account with limited access. Regardless, the corporation voiced dissatisfaction with the amount of time it took for the investigation's findings to be released.

US Defense Contractors Struck by SockDetour Windows backdoor


SockDetour, a new custom malware discovered on US defence contractor computers, has been utilised as a backup backdoor to sustain access to hijacked networks. 

The malicious payload was discovered by Unit 42 security researchers, who believe its administrators kept it hidden for a long time because it has been utilised in the open since at least July 2019. The fact that SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking network connections explains its stealthiness, making it much difficult to identify at the host and network levels. 

The connection hijacking is carried out with the help of the official Microsoft Detours library package, which is used for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

The threat actors utilised a very precise delivery server in one of the attacks, QNAP network-attached storage (NAS) device commonly used by small businesses that had earlier been infected with QLocker ransomware — they most likely utilised the same security vulnerability (the CVE-2021-28799 remote code execution bug) to acquire access to the server. 

On July 27, 2021, the researchers discovered the malware on the Windows server of at least one US defence contractor, which led to the identification of three additional defence organisations being attacked by the same group with the same backdoor. 

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was earlier linked to attacks exploiting various vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster tracked by Unit 42 as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of a Chinese-sponsored threat group known as APT27, the firm did not link the SockDetour malware to a specific hacking group. 

The partial attribution is based on techniques and harmful tools that match APT27's earlier activities, as well as similar cyber espionage targeting of the same industries (e.g., defence, technology, energy, aerospace, government, and manufacturing). TiltedTemple attacks targeting Zoho vulnerabilities resulted in the compromise of critical infrastructure organisations' networks. 

In three separate campaigns in 2021, TiltedTemple assaults targeting Zoho vulnerabilities resulted in the penetration of networks belonging to critical infrastructure organisations around the world, using: 
• an ADSelfService zero-day exploit between early-August and mid-September, 
• an n-day AdSelfService exploit until late October, 
• and a ServiceDesk one starting with October 25.

Hackers Exploit Log4j Flaw to Attack Belgium Defense Ministry


The Belgian Ministry of Defense has stated that the Log4j vulnerability was used in a cyberattack on its networks. 

The Defense Ministry said in a statement that an attack on its computer network with internet access was identified on Thursday. They didn't disclose whether the attack was ransomware, but they did state that "quarantine measures" were swiftly implemented to "contain the affected elements." 

The Defense Ministry stated, "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners." 

"This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage." 

Government hacking groups all across the world are using the Log4j vulnerability, according to multiple reports from firms like Google and Microsoft. State-sponsored hackers from China, Turkey, Iran, and North Korea, according to Microsoft, have begun testing, exploiting, and abusing the Log4j issue to spread a range of malware, including ransomware. 

According to multiple sources, since the vulnerability was found over two weeks ago, cybercriminal organisations have attempted to exploit it not only to acquire a foothold in networks but also to sell that access to others. 

To avoid attacks and breaches, governments around the world have advised agencies and companies to fix their systems or devise mitigation strategies. Singapore conducted emergency meetings with vital information infrastructure sectors to prepare them for potential Log4j-related threats, and the US' Cybersecurity and Infrastructure Security Agency instructed all federal civilian agencies to fix systems before Christmas. 

Katrien Eggers, a spokesperson for the Centre for Cybersecurity Belgium, told ZDNet that the organisation had also issued a warning to Belgian companies about the Apache Log4j software issue, stating that any organisation that had not already taken action should "expect major problems in the coming days and weeks." 

The Centre for Cybersecurity Belgium stated, adding that any affected organizations should contact them. "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale. It goes without saying that this is a dangerous situation."

BlackBerry Discovers Initial Access Broker Linked to 3 Different Hacker Groups


The latest report from BlackBerry revealed an initial access broker termed "Zebra2104" that has links with three harmful cybercriminals groups, and few are involved in phishing campaigns and ransomware attacks Research and Intelligent team at Blackberry discovered that Zebra2104 gave entry points to ransomware groups such as MountLocker, Phobos, and StrongPity APT. 

The access was given to various organizations in Australia and Turkey which fell victim to the attacks. The StrongPity APT attacked Turkish firms in the healthcare sector, and also targeted smaller enterprises. As per Blackberry, its research suggests an access broker having a lot of manpower, or actors might've built large hidden traps on the web. 

The report also suggests that an inquiry confirmed that MountLocker ransomware was working along with StrongPity, an APT group that dates back to 2012, a Turkish state-sponsored group (allegedly). As of now, it might be hard to believe that criminal groups are sharing resources, but the experts have found a common link, enabled by a fourth criminal group termed Zebra2104, which the experts believe to be an Initial Access Broker (IAB). According to experts, there is an abundance of hacking groups working together, more than mentioned in this article. 

The single-domain directed the experts to a path where they discovered various ransomware attacks, and an APT C2 (command and control). The path turned out to be an IAB--Zebra2104 infrastructure. IAB's general gets access to the top bidders in dark web platforms on underground forums. Following that, the winning bidder deploys ransomware or any other malware in the target organization's systems, the campaign depends on the goals of the attack. 

"A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion," reports ZD Net.

FIN7 Hackers Using 'Windows 11 Alpha' Themed Malicious Documents to Drop JavaScript Backdoor

In a recent wave of the spear-phishing campaign, the FIN7 cybercrime group employed Windows 11 Alpha-themed weaponized word documents to deliver a JavaScript payload with a JavaScript backdoor. 

'Phishing Email Campaign' is the initial attack vector, posing as 'Windows 11 Alpha', it contains an infected Microsoft Word document (.doc). The virus is accompanied by this image which convinces a user to click on 'Enable Editing' and further advance towards the installation process. Once the user enables the content, the VBA macro that is contained in the image begins to come into effect. 

VBA macro is populated with junk data such as comments, it is a common strategy employed by criminals to impede analysis. Once the junk data is being pulled out, all we would be left with is a 'VBA macro'. Upon further analyzing the JavaScript, researchers learned that it contained obfuscated strings along with a deobfuscation function. 

Researchers have found that the threat actors behind the malicious campaign – upon detecting languages of certain countries including Russia, Slovenia, Serbia, Estonia, and Ukraine – call into action the 'me2XKr' function to delete all the tables and then stops running. They do so in order to prevent execution in the aforementioned countries. 

Primarily targeting the U.S.-based telecommunications, education, retail, finance, and hospitality sectors via meticulously crafted attacks, FIN7 has managed to stay ahead of law enforcement by employing novel and advanced techniques to thwart detection from time and again. The threat group, also identified by some as "Carbanak Group", has increasingly diversified its monetization tactics which allowed the gang to widen the impact of their compromise. As a result, the group acquired a competitive advantage and has targeted a wide range of industries. Although FIN7 is characterized by its mass payment card data theft, the ambitions of the threat group are not limited to the theft of payment card data. In scenarios where end-to-end encryption (E2EE) prevented the attackers to obtain card data, they turned to attack the finance departments of the targeted organizations. 

In an analysis dated 02 September 2021, Anomali Threat Research said, "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi." "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018."

Hacking Group That Targeted D.C. Police Briefly Posts Internal Police Files


Hackers who allegedly gained access to the D.C. police department's computer network briefly posted the personnel files of at least five current and former officers, a gambit one security expert believes was intended to show that the group's threats are legitimate. 

On Monday, Babuk issued the first warning to D.C. police by uploading screenshots of files the group claimed to have stolen. The group claims to have 250 GB of data, which is enough to store 70,000 images or thousands of pages. 

According to Brett Callow, an analyst for the New Zealand-based cybersecurity firm Emsisoft, which has been monitoring the hack, the documents posted on Wednesday ran into the hundreds of pages and included names, Social Security numbers, phone numbers, financial and housing records, job histories and polygraph assessments. 

In a statement, the hacking group Babuk warned police to "get in touch as soon as possible and pay us, otherwise, we will publish the data." Officials in Washington, D.C., have not commented about whether they are in contact with the group. One of the former officers identified in the leak was contacted by NBC News, who confirmed the information was accurate. The officer's identity was not revealed. 

One of the records reviewed by The Washington Post is marked “background investigation document” and “confidential”. The 576-page file includes details of when an officer was going through a background check to be hired in 2017. It contains the officer's financial and banking details, as well as a photocopy of the officer's driver's license, social media posts, a private cell phone number, and answers to questions about past marijuana usage. 

The records were taken down later on Wednesday, according to Callow. However, the group issued a new alert on its dark Web site sometime Thursday, stating only that the police “now determine if the leak will be or not.” The threat was also removed later. 

This week, D.C. police said they were "aware of unauthorized access on our server" and were trying to "determine the full impact." The FBI was called in to assist with the investigation. Babuk has threatened to reveal confidential sources and reports with titles like "known shooters," "most violent person," "RAP feuds," "gang conflict report," and "strategic crime briefings," among others. 

Acting D.C. police chief Robert J. Contee III sent an email to more than 3,600 officers on Wednesday night, reporting that the hacking group had stolen human resource files containing officers' personal information. Officers are told how to get free copies of their credit reports in the email. Officers may also put "fraud notices" on their credit reports, requiring someone who wants to access the data to seek additional permissions. 

According to Adam Scott Wandt, an assistant professor of public policy in the cybersecurity programme at John Jay College of Criminal Justice, “The data leak could reveal informants, putting their lives in danger. This criminal organization poses a very serious and dangerous threat.” Wandt stated, "The amount of harm that can be done is simply enormous. It has the potential to obstruct ongoing investigations. Imagine looking up your name on Google and seeing a data dump that reveals you're being investigated for fraud or drug dealing.” 

The D.C. police department, according to Callow, "has no good choices." The data will be released if they do not pay. If they pay, all they have to do now is trust the criminals to delete the stolen information. “However, why would they?” 

According to a study released by Emsisoft, 2,354 agencies and businesses were targeted last year in ransomware attacks. There were 113 local, state, and federal governments, 560 healthcare facilities, and 1,681 educational institutions included in the list. The groups also gain access to private networks, shut down systems, and then demand payment to restore services. In 2019, a cyberattack crippled Baltimore's ability to process payments and conduct online real estate transactions. According to the Baltimore Sun, the attack cost the city $18 million in lost revenue as well as money spent to repair systems and boost security.

D.C. cops are being targeted by a new type of extortion scheme in which data is stolen and bribes are demanded to keep it from being published, stated cybersecurity experts. According to Callow, the group appears to have raw knowledge based on Wednesday's postings of real data files.