LockBit Ransomware Gang Targets Italian Tax Agency


Over the weekend, the Lockbit ransomware gang disclosed they have infiltrated Italy’s Revenue Agency (L’Agenzia delle Entrate) and stolen 78 GB of files, including documents, scans, financial reports, and contracts. 

The Italian Revenue Agency manages the financial code of Italy and collects taxes and revenue. The agency also offers multiple online services for Italian and non-Italian taxpayers. 

The ransomware gang gave the agency about six days to pay the ransom to avoid having the stolen data leaked. The group then extended the deadline to August 1 and announced it now had 100 GB of data. They also posted several screenshots of the stolen data on their dark web data leak website. 

“The Revenue Agency, operational since 1 January 2001, was born from the reorganization of the Financial Administration following the Legislative Decree No. 300 of 1999. It has its own statute and specific regulations governing administration and accounting. The bodies of the Agency are made up of the Director, the Management Committee, the Board of Auditors.” reads the text posted on the leak site. “From 1 December 2012 the Revenue Agency incorporated the Territory Agency (article 23-quater of Legislative Decree 95/2012).” 

However, Sogei, an IT firm owned by the Ministry of Economy and Finance, tasked with the investigation of the alleged hack, said that there is no evidence that the tax agency has suffered a data breach. 

“Sogei spa informs that from the first analyses carried out, no cyber attacks have occurred or data has been stolen from the financial administration's technological platforms and infrastructures. From the technical checks carried out, Sogei, therefore, excludes that a computer attack on the Revenue Agency website may have occurred,” the company stated in a lengthy statement. 

At the end of June, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program. The group said it will offer rewards ranging between $1,000 and $1 million to security researchers and ethical or unethical hackers for information regarding vulnerabilities in their website, the ransomware encryption process, the Tox messaging app, and bugs exploiting their Tor infrastructure. 

Additionally, the Lockbit 3.0 version employs a new extortion methodology that allows threat actors to buy data stolen from the victims during the attacks. This means that someone could buy the data of Italian taxpayers and use it for a wide range of financial frauds.

'Hermit' Spyware Deployed in Syria, Kazakhstan, and Italy

Lookout Inc. discovered an enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria. 

Researchers got a sample of "Hermit" in April 2022, four months after a series of violently suppressed nationwide rallies against government policies. 

The Hermit spyware was most likely produced by Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company accused of acting as a front company, according to Lookout. 

RCS Lab, a well-known developer with previous dealings with governments such as Syria, operates in the same market as Pegasus creator NSO Group Technologies and Gamma Group, which invented FinFisher. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed. 

The spyware is said to be spread by SMS messages that trick users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo. When launched, these apps load a website from the impersonated company while silently initiating the kill chain. 

Spyware has been seen to infect Android smartphones in the past. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks targeting Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance efforts. 

As per Lookout, the samples studied used a Kazakh-language website as a decoy, and the main command-and-control (C2) server used by this app was a proxy, with the true C2 being located on an IP from Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials," as per the researchers. 

The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.

Italy Alerts Organizations of Incoming DDoS Attacks


On Monday, Italy's Computer Security Incident Response Team (CSIRT) issued an urgent warning about the significant threat of cyberattacks against national entities. The Italian organisation is referring to a DDoS (distributed denial-of-service) cyberattack, which may not be catastrophic but can nonetheless cause financial and other harm due to service failures and interruptions. 

“There continue to be signs and threats of possible imminent attacks against, in particular, national public entities, private entities providing a public utility service or private entities whose image is identified with the country of Italy,” describes the public alert. 

The indicators are Telegram postings from the Killnet organisation inciting massive and unprecedented assaults on Italy. Killnet is a pro-Russian hacktivist group that launched an attack on Italy two weeks ago, employing an ancient but still powerful DDoS technique known as 'Slow HTTP.' As a result, CSIRT's advised defensive actions this time are related to this sort of assault but also contain numerous generic pieces of advice. 

Last Tuesday, Killnet announced "Operation Panopticon," appealing for 3,000 "cyber fighters" to join in 72 hours. Last week, the group restated the call to action multiple times. The necessary sign-up form requests information on the volunteers' system, origin, age, and Telegram account, as well as the tools needed to launch resource-depletion attacks. 

While DDoS appears to be the primary purpose, it is possible that Killnet intends to utilise DDoS to force defenders to cope with service outages rather than active cyberattacks. Killnet presented an etymological definition of the word Panopticon, implying data leaks and warning that 90% of the country's officials will 'go crazy.' 

Killnet has recently targeted entities in numerous countries, Italy among them, for backing Ukraine's resistance against Russia. This prompted Anonymous Italy to take action, launching attacks on Killnet and doxing some of its members via social media. As a result, Killnet retaliated. 

The CSIRT Italy website was intermittently inaccessible at the time of writing, but no long-term connection difficulties were observed. There have also been reports of Poste Italiane, Italy's national postal service provider, going down for many hours this morning. 

However, the agency told la Repubblica that the disruption was caused by a software upgrade that did not proceed as planned, rather than by Killnet assaults. Other local media sources that regularly monitor the availability of Italian sites claim that the web portals of the State Police and the Italian Ministries of Foreign Affairs and Defense are also unavailable. At the time of writing, the sites of the two ministries appear to have been damaged by a DDoS assault, according to BleepingComputer.

Ursnif Banking Trojan is Back in Italy


The banking trojan 'Ursnif' (aka 'Gozi') is back in business in Italy, targeting a wide range of banking users with mobile malware. According to an analysis by IBM's Trusteer team, the actors behind Ursnif now include "Cerberus" in their operations, a Trojan whose code was leaked in September 2020 after a failed auction attempt. 

Ursnif is a banking trojan seen in several automated exploit kits and spread through malicious attachments and links. Ursnif is primarily associated with data theft, although its variants also contain components such as backdoors, spyware, and file injectors.

Cerberus is a mobile overlay malware that was first developed in mid-2019. Cerberus is allegedly used to obtain two-factor authentication codes in real time during the attack; it can also obtain the device's lock-screen code and remotely operate the device. 

In September 2020, the development team of Cerberus agreed to dissolve, prompting an attempt to sell the source code to the highest bidder, starting at $100,000. 

As IBM notes, Ursnif is arguably now the oldest existing banking malware, with its main focus being Italy. It is usually delivered by e-mail, as an attached document with malicious macros sent to various business addresses. After that, web injection takes over and prompts the targets to download a supposedly safe piece of software, which is in fact a mobile Trojan app. This is done using a QR code containing a base64-encoded string. 

“If users scan the QR code, they will open a web page on their smartphone and be sent to a fake Google Play page featuring a corresponding banking app logo of the banking brand the victim originally attempted to access. The campaign, in this case, included several domains that were most likely registered for that purpose and reported in other malicious activity in the past, such as hxxps://[BANK BRAND],” wrote Itzik Chimino, a researcher at Security Intelligence. 

Each domain that hosts bogus Google Play pages uses identical terms or typosquatting to make it appear legitimate. Examples include: 

For a few months, these malicious domains have also been on VirusTotal, and additional reports have accumulated over time.

Customers who fail to scan the QR code successfully are offered a download link instead: they are asked to provide their telephone number and then receive an SMS message with a link to the malicious app, along with a warning of a service disruption if they fail to get the app. 

If the user enters a phone number into the web injection, the remote server sends a download URL through which the user unknowingly downloads the Cerberus malware. The injection also retains victims' device IDs, associated with their bot ID and account passwords. 

These URLs deliver Cerberus to the mobile phone, while Ursnif runs on the PC. The combination of both tools completes the infection, and Ursnif still has a job to do: on this front, the malware hooks the desktop internet browser and dynamically manipulates web pages for the purpose. 

One of Ursnif's primary functions is to automatically replace the transaction-receiving IBAN with one that it controls. In particular, the actors set a parameter that enables this swap only if the amount in the account exceeds €3,000. 

Finally, it is noteworthy that the injections are highly adaptive and the actors differentiate their method depending on the victim and the bank service that is faked. The actors have considered everything, including security problems, log-in times, and even a fake maintenance notice, to prevent the victim from viewing the real service portal. 

Further, users are advised not to download apps from outside the Play Store and not to click on any URLs received via SMS. If a message claims to come from a bank, do not act on it; instead, visit or contact the bank directly.

Banca di Credito Cooperativo Bank Suffers a Major Cyber Attack


A suspected cyber-attack by hackers has paralyzed the operations of the 188 branches of the Banca di Credito Cooperativo (Bcc) in Rome, one of the largest Italian cooperative credit banks. Yesterday morning, during the daily security checks, the institute’s experts discovered a security loophole, which reduced the possibility of carrying out normal operations at the institute’s counters.

Threat actors targeted the internal network 

According to an unofficial source, a component of the IT infrastructure of the Bcc showed traces of activity not attributable to normal operation in some servers and internal workstations. To allow controls and secure the network, security experts isolated this piece of infrastructure. But this caution reduced the operations at the branches for 24 hours: the portals continued to work, but customers who showed up for withdrawals, deposits, and more struggled to be identified and supported at the branches.

Execution of the backup plan 

The institute would be examining the incident with its IT security experts, to be able to say in the next few hours whether it was a telematic attack or a simple technical malfunction. However, the bank announces that as of today, operations at the branches have been fully restored, by virtue of the activation of the emergency plan, which provides for analogue integration to digital deficiencies that could last for the whole week. Meanwhile, the DarkSide ransomware gang has taken responsibility for the attack.

In the afternoon the Bcc of Rome released a note, according to which “the technical malfunctions did not affect the information system in the strict sense, and the home banking systems, payment cards, and ATM services are all fully operational today”. 

The institute also points out that “today the agencies are regularly open to the public and the technical problems that affected their operations are in the final resolution phase, which will be gradually restored from Monday 3 May” for those who go to the branch. While, for what seems a paradox since it is a cyber-attack, “home banking services can be regularly used from PCs or smartphones and through them it is possible to carry out all information and dispositive operations”.