APT44: Unearthing Sandworm - A Cyber Threat Beyond Borders


APT44: Operations Against Ukraine

A hacking group responsible for cyberattacks on water systems in the United States, Poland, and France is linked to the Russian military, according to a cybersecurity firm, indicating that Moscow may escalate its efforts to target opponents' infrastructure.

Sandworm has long been known as Unit 74455 of Russia's GRU military intelligence organization, and it has been linked to attacks on Ukrainian telecom providers as well as the NotPetya malware campaign, which damaged companies worldwide.

Global Scope

Researchers at Mandiant, a security business owned by Google Cloud, discovered that Sandworm appears to have a direct link to multiple pro-Russia hacktivist organizations. Mandiant believes Sandworm can "direct and influence" the activities of Russia's Cyber Army.

One of them is the Cyber Army of Russia Reborn (CARR), also known as the Cyber Army of Russia, which has claimed responsibility for cyberattacks against water infrastructure this year.

One attack occurred in Muleshoe, Texas, causing a water tower to overflow and spilling tens of thousands of gallons of water down the street.

Ramon Sanchez, the city's manager, told The Washington Post that the password for the system's control system interface had been compromised, adding, "You don't think that's going to happen to you." Around the same time, two additional north Texas communities, Abernathy and Hale Center, discovered hostile activity on their networks.

Mapping APT44

1. The Rise of APT44

APT44 is not your run-of-the-mill hacking group. It operates with surgical precision, blending espionage, sabotage, and influence operations into a seamless playbook. Unlike specialized units, APT44 is a jack-of-all-trades, capable of infiltrating networks, manipulating information, and disrupting critical infrastructure.

2. Sabotage in Ukraine

Ukraine has borne the brunt of APT44’s wrath. The group’s aggressive cyber sabotage tactics have targeted critical sectors, including energy and transportation. Their weapon of choice? Wiper malware that erases data and cripples systems. These attacks often coincide with conventional military offensives, amplifying their impact.

3. A Global Threat

But APT44’s reach extends far beyond Ukraine’s borders. It operates in geopolitical hotspots, aligning its actions with Russia’s strategic interests. As the world gears up for national elections, APT44’s interference attempts pose a grave threat. Imagine a digital hand tampering with the scales of democracy.

4. Graduation to APT44

Mandiant has officially christened Sandworm as APT44. This isn’t just a name change; it’s a recognition of the group’s maturity and menace. The report provides insights into APT44’s new operations, retrospective analysis, and context. Organizations must heed the warning signs and fortify their defenses.

Navalny's Revenge? Hackers Siphon Huge Russian Prisoner Database: Report

 

Following the murder of Russian opposition leader Alexey Navalny, anti-Kremlin militants seized a database comprising hundreds of thousands of Russian prisoners and hacked into a government-run online marketplace, according to a report. 

Navalny was the most prominent Russian opposition figure and a strong critic of Russian President Vladimir Putin. He died on February 16 at a penal colony in Russia's Arctic region while serving his jail sentence. 

CNN reported that an international group of 'hacktivists', comprising Russian expats and Ukrainians, stole prison documents and hacked into the marketplace by acquiring access to a computer linked to the Russian prison system. 

Following Navalny's death in February, overseas 'hacktivists' allegedly acquired a Russian database containing hundreds of thousands of convicts, relatives, and contacts. 

As per the report, the hackers also targeted the jail system's online marketplace, where relatives of inmates purchase meals for their family members. Once they gained access to the marketplace, the hackers changed the price of products like noodles and canned meat from nearly $1 to $.01.

It took many hours for the administrators of the prison system to realise that something was wrong, and it took an additional three days to undo the hackers' work completely. 

The hackers also posted a photo of Navalny and his wife, Yulia Navalnaya, on the jail contractor's website, along with the statement "Long live Alexey Navalny". While the hackers claimed the database included information on approximately 800,000 prisoners, the report said there were some duplicate entries, but the data spilt by the hackers "still contains details on hundreds of thousands of inmates". 

What is 'hacktivism' and why did hackers siphon Russian databases? 

The terms "hacking" and "activism" are combined to form the phrase "hacktivism." It alludes to hacking operations in which hackers participate in activism for a specific cause. 

According to Clare Stouffer of the cybersecurity company Norton, hacktivism is a lot like activism in the real world, where activists create disruption to push for the change they want.

"With hacktivism, the disruption is fully online and typically carried out anonymously. While not all hacktivists have malicious intent, their attacks can have real-world consequences," Stouffer wrote in a Norton blog.

Royal Family’s Official Website Suffers Cyberattack, Following Remarks on Russia


The British Royal Family’s official website has suffered a cyberattack, following the UK’s publicly stated support for Ukraine. A DoS attack, which is brought on by an influx of unnecessary traffic, caused the Royal Family website to be unavailable for an hour and a half on Sunday morning. An 'error' notice would have been displayed to anyone attempting to visit the site at this time, but by early afternoon it was fully working once more.

While Buckingham Palace insiders claim that it is impossible to determine who was behind the attack at this time, the pro-Kremlin group Killnet has taken responsibility for it in a message posted on the social media site Telegram. The 'Five Eyes' alliance (an intelligence alliance made up of the UK, the US, Canada, Australia, and New Zealand) has previously identified the group as a significant cyber-security threat, and the US Department of Health has previously noted that Killnet has made a number of threats to organizations, including the NHS.

Thankfully, the DoS attack on the royal family website only caused service disruption. No privileged information was accessed, and no control over the website was obtained. These kinds of attacks tend to be more disruptive than damaging, but they can still bring down websites, which can be disastrous in some circumstances.

However, this was not the first time the royal family had suffered a cyberattack. The website was also taken down in November 2022 by Killnet, and the Met Police foiled a cyber plot to interrupt the royal wedding of the current Prince and Princess of Wales in 2011.

For many years, but particularly since the Ukraine war, there has been a looming threat of a cyberattack by Russia or by organizations that support Russia. Oliver Dowden, the deputy prime minister, stated at the April Cyber UK conference in Belfast that these attacks may now be motivated by "ideology." The royal family has consistently shown its support for the Ukrainian people. The Princess of Wales met privately with the First Lady of Ukraine in September of last year, and this year, the Prince of Wales paid a visit to Ukrainian troops stationed near the border. In February, King Charles convened meetings with President Zelensky at Buckingham Palace.

The attack came to light only two weeks after King Charles made a public remark over the war, in his speech on the royal visit to Paris. In his comment, he mentioned Russia’s ‘unprovoked aggression’ and said that ‘Ukraine must prevail.’  

Typo Delivers Millions of US Military Emails to Russia's Ally Mali

 

Due to a small typing error, millions of emails from the US military were unintentionally forwarded to Mali, a Russian ally. For years, emails meant for the US military's ".mil" domain have been transmitted to the west African nation with the ".ml" extension. 

According to reports, some of the emails contained private information including passwords, medical information, and high officers' travel schedules. The Pentagon claimed to have taken action to resolve the situation.

The Financial Times, which broke the story, claims that Dutch internet entrepreneur Johannes Zuurbier discovered the issue more than ten years ago. He has held a contract to handle Mali's national domain since 2013 and has apparently collected tens of thousands of misdirected emails in recent months. 

None were tagged as classified, but they included medical data, maps of US military bases, financial records, and planning documents for official trips, as well as some diplomatic letters, according to the newspaper. 

This month, Mr Zuurbier issued a letter to US officials to raise the alarm. He stated that his contract with the Mali government was about to expire, implying that "the risk is real and could be exploited by US adversaries." On Monday, Mali's military administration was set to take control of the domain.

According to current and former US officials, "classified" and "top secret" US military communications are routed through separate IT networks, making it unlikely that they will be accidentally compromised. 

However, Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security's Intelligence Law Division, believes that even seemingly innocuous material could be beneficial to US adversaries, especially if it includes specifics on individual employees. 

"Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit," Mr Stransky explained. "It's certainly information that a foreign government can use." 

Lee McKnight, a Syracuse University professor of information studies, believes the US military was lucky that the issue was brought to its attention and that the emails were directed to a domain used by Mali's government rather than cyber criminals.


He went on to say that "typo-squatting" - a sort of cybercrime that targets individuals who misspell an internet domain - is rampant. "They're hoping that a person will make a mistake, and that they can lure you in and make you do stupid things," he noted. 

Both Mr McKnight and Mr Stransky believe that human errors are a major concern for IT professionals working in government and the private sector alike.

Wagner Hackers Disrupt Russian Satellite Internet Provider

 

In an unexpected turn of events, a hacker group claiming to be connected to Wagner, a Russian paramilitary outfit, has taken credit for taking down a significant Russian satellite internet provider. The security and stability of critical satellite communication systems have come under scrutiny following the event.

According to reports from reputable sources like PCMag, Datacenter Dynamics, and OODA Loop, the incident occurred on June 30, 2023. The group, identified as "Vx_Herm1t" on Twitter, announced their successful cyber attack against the Russian telecom satellite operated by the company Dozer. The tweet has since been taken down, but the repercussions of the attack are still being felt.

The disruption of a satellite internet provider has significant implications for both communication and national security. Satellite-based communication is vital for remote and hard-to-reach regions, providing essential connectivity for businesses, government agencies, and individuals. Any interference with these systems can lead to disruptions in critical services, affecting everything from emergency response operations to financial transactions.

Although the motivation behind the attack is not explicitly stated, the alleged affiliation with Wagner, known for its involvement in military and political activities, raises concerns about potential political or strategic motives behind the cyber attack. The incident comes amid growing tensions in cyberspace, where state and non-state actors are increasingly using sophisticated cyber methods to further their agendas.

The attack also serves as a stark reminder of the vulnerability of satellite communication infrastructure. As the world becomes more reliant on space-based technologies, the risk of cyber attacks targeting satellites and space systems is becoming a pressing concern. Safeguarding these assets is crucial for maintaining uninterrupted communication and preserving national security interests.

Russian authorities and international cybersecurity organizations are probably investigating the attack to determine where it came from and to stop similar attacks in the future. The international community will be watching the issue closely as it develops to understand the broader consequences of this cyberattack on international cyber norms and state-sponsored cyber operations.

Right now, the priority is on restoring the interrupted satellite services and enhancing the systems' resistance to future intrusions. The incident highlights the urgent requirement for strong cybersecurity measures and global collaboration to preserve crucial space infrastructure and maintain the dependability of international communication networks.

'Wagner' Ransomware Targets Computers in Russia

A recent ransomware attack has been uncovered by security researchers, revealing a peculiar motive. The attackers behind this ransomware campaign are seemingly attempting to promote recruitment for the Russian mercenary group known as Wagner. 

Notably, Wagner had a brief period of rebellion against the Kremlin over the past weekend. The ransomware specifically targets Windows PCs and includes a note that subtly suggests victims should contemplate joining the paramilitary organization. 

This discovery was made by the cybersecurity company Cyble. Additionally, security experts have found that the ransomware note, which encourages recruitment for the Russian mercenary group Wagner, is written in the Russian language. This indicates that the ransomware campaign was primarily intended to target computers within the country. 

 Cyble became aware of the attack after detecting a sample of the ransomware uploaded to VirusTotal by a user based in Russia. The ransomware note also includes a legitimate phone number for Wagner's recruitment offices in Moscow, accompanied by the provocative phrase, "If you want to go against the officials!" Over the past weekend, a significant development unfolded alongside the activities of the Russian paramilitary group Wagner. 

During this time, Yevgeny Prigozhin, the leader of Wagner, issued orders for his troops to march towards Moscow, aiming to remove Shoigu from Russia's Ministry of Defense. However, Prigozhin abruptly called off the armed revolt and instead accepted a deal that would effectively exile him to Belarus. 

Interestingly, amidst these events, a ransomware incident emerged, raising questions about its creators. Notably, Wagner has not claimed responsibility for the malicious code. The investigation indicates that the ransomware attack was crafted using the Chaos ransomware building tool, which originally surfaced in underground forums. 

The exact origins and motives behind the attack remain uncertain. While there are speculations about the motives behind the ransomware strain, with some suggesting a potential political agenda in support of Wagner Group, security researcher Allan Liska from Recorded Future offers an alternative perspective. 

Liska suspects that the true intent behind the attack may differ from initial assumptions. “Installing a ransomware/wiper on someone's machine is a poor way to recruit them. On the other hand, if you are a hacktivist group, say one that has used ransomware based on the Chaos builder in the past, that wants to get people mad at a certain group, this is a good way to do it,” Liska said in a tweet.

Hackers Hit Microsoft for Sudan; Experts Say It's Russia

 

In recent events, Microsoft experienced a series of outages earlier this month, which have been attributed to a hacking group. This group had been engaged in a string of attacks on various targets, including Israel, Sweden, and several other nations. Cybersecurity researchers have identified a growing campaign associated with these attacks, which they believe may be linked to Russia. 

A newly emerged group known as Anonymous Sudan, which became active in January 2023, has recently taken responsibility for a series of distributed denial-of-service (DDoS) attacks targeting Australian companies. These attacks have affected various sectors, including healthcare, aviation, and education organizations. 

In a recent statement, Microsoft officially acknowledged that the disruptions experienced by its Outlook service in early June were caused by a DDoS attack. Anonymous Sudan has claimed responsibility for this particular attack and publicly attributed it to their group. 

Identifying themselves as a loosely organized collective of hacktivists, the group adopted a name that implied their association with Sudan. They explicitly stated their intention to focus on Australian organizations in March, citing their objection to attire exhibited at a fashion festival in Melbourne. The clothing in question featured Arabic text reading "God walks with me." 

According to cybersecurity experts, the group operating under the name "Anonymous Sudan" is believed to originate from Russia. Their motives and objectives differ significantly from what they claim, as their true purpose appears to be aligned with advancing Moscow's agenda. 

By leveraging their supposed Islamic affiliations, the group aims to advocate for enhanced collaboration between Russia and the Islamic world, often asserting Russia's support for Muslims. This strategic positioning allows them to serve as a convenient proxy for advancing Russian interests, as stated by Mattias Wåhlén, a threat intelligence specialist at Truesec, based in Stockholm. 

In response to inquiries, a spokesperson representing Anonymous Sudan refuted any claims of acting on behalf of Russia while affirming shared interests. The spokesperson clarified that the group targets entities deemed antagonistic towards Islam, emphasizing that any country considered hostile to Islam is also regarded as hostile to Russia.

Hackers Threatened to Leak 80GB of Data Allegedly Stolen From Reddit in February

 


An independent cybersecurity expert and CNN reviewed a dark web post from the BlackCat ransomware gang, also known as ALPHV. In the post, the group claimed to have stolen 80 gigabytes of confidential data from Reddit during a February breach. 

A hacker group in Russia is threatening to release Reddit data if the company doesn't pay a ransom demand and reverse its controversial API pricing increases. 

The hackers demand a ransom of $4.5 million and a reversal of the API price hike if the company hopes to prevent the release of the stolen data. 

It appears that phishing attacks allow threat actors to gain access to the company's systems to steal internal documents, source code, employee data, and a limited amount of information about Reddit's advertising partners. 

A Reddit spokesperson confirmed that "BlackCat's claims refer to a cyber incident that Reddit confirmed on February 9 as related to BlackCat's claims". During a highly targeted phishing attack, hackers accessed information about employees and internal documents. It is believed that the company was unaware that the passwords or accounts of customers had been stolen. 

Reddit provided no further information regarding the attack or the culprits. Nevertheless, over the weekend, BlackCat raised the stakes in the February cyber intrusion, claiming responsibility for it and threatening to leak the "confidential" information obtained during the attack. BlackCat has not shared any evidence of data theft to back up its claim, and it's unclear exactly what type of information the hackers have stolen.  

Reddit CTO Chris Slowe recently posted about the security incident that happened in February. In the post, Slowe said that, as a result of a highly targeted and sophisticated phishing attack, the company's "systems were hacked," with hackers gaining access to "some internal documents, code, and some internal business systems." The hackers only obtained employee information, according to Slowe.

In a statement to CNN on Monday, a Reddit spokesperson confirmed that BlackCat's post refers to the incident in February. No user data was accessed, according to the spokesperson, but he refused to elaborate further on the matter. 

Several Reddit forums remained dark last Monday during the planned two-day protest. This was intended to highlight the company's plan to charge steep fees for third-party apps to access the company's platform in the future. 

There are still more than 3,500 Reddit forums unresponsive a week after the attack happened. Some experts argue that BlackCat's actual motives are questionable while some are sympathetic to the protestors' cause based on the ransom note. 

This is the second Reddit data breach in six years. This time, the attackers could access Reddit data dating back to 2007. A user's username, hashed password, email address, and the content of public posts and private messages were included in that report. 

In February, hackers reportedly stole 80GB of data from Reddit and threatened to leak it in three days as part of their threat. In response to the breach, Reddit acknowledged the incident and is actively investigating the matter. A ransom demand has been made by the hackers, who have warned that if they are not paid, the thieves will release sensitive information about their victims.

As of right now, it is impossible to verify the authenticity of stolen data. There are persistent cyber threats that online platforms face daily. This incident reminds us of the importance of robust security measures against such threats. Reddit is striving to improve its privacy and security protocols, and users are advised to remain vigilant at all times.

Bank of England Demands Cyber Crackdown After Russia-linked Attacks

The Bank of England has taken steps to prepare financial institutions for the possibility of a major cyber attack by instructing them to enhance their defenses. The Bank is concerned that Russian-linked hackers may attempt to destabilize the financial system, hence the need for this measure.
 
The directive, which was issued last week, requires banks, insurers, and market infrastructure companies to simulate their response to a severe attack. This move follows a series of high-profile attacks, including ones on Royal Mail and the Guardian, by ransomware gangs earlier this year. 

Sarah Breeden, who heads financial stability at the Bank, has written to executives instructing them to ensure that their systems and emergency response plans are in place by March 2025. Further, she added that financial firms should test their systems against severe but plausible cyberattack scenarios. 

She also said that firms should improve their operational resilience if they are unable to remain within impact tolerance during a cyber attack. The City is deemed to be at risk from ransomware gangs that target important firms that keep Britain's financial system functioning. 

According to a 2022 survey of 130 global financial institutions, almost 75% experienced at least one ransomware attack in the past year. The ION Group, a company that plays a crucial role in the infrastructure of City trading, was attacked by the same Russian-linked ransomware gang that targeted Royal Mail in February. 

The attack caused disruption to trading desks in the City and affected other trade processing systems, leading some companies to resort to manual processing. Sarah Breeden has emphasized the need for companies in the Square Mile to improve their operational resilience by assessing their risks, vulnerabilities, and dependencies. 

Although Sarah Breeden did not specifically mention Russian-linked groups as a potential threat, experts warn that worsening relations with Moscow have significantly increased the risks. According to a report by the US-based Financial Services Information Sharing and Analysis Center, cyber-attacks have surged due to Russia's conflict with Ukraine. 

The Bank of England issued this warning following its first cyber stress test, which was held in 2022 for lenders and market infrastructure companies. The Financial Policy Committee has urged firms to plan, prepare and test their response to cyber attacks to mitigate any impact on financial stability. 

The Lockbit gang, which demands payment in hard-to-trace cryptocurrencies in exchange for unscrambling files on hacked computers, targeted both Royal Mail and ION Group. The group is known for demanding tens of millions of pounds in ransom and has reportedly extorted around $100m from its victims over the past few years.

Cyberwarfare Leaks Reveal Russia's Sweeping Efforts and Potential Targets

NTC Vulkan is a cybersecurity consultancy firm based in Moscow, which appears to offer ordinary cybersecurity services on the surface. However, a recent leak of confidential documents has revealed that the company's engineers are also involved in the development of advanced hacking and disinformation tools for the Russian military.
 
The leaked documents indicate that NTC Vulkan has been working with several Russian military and intelligence agencies including the FSB, GOU, GRU, and SVR to support cyber operations. 

In addition to this, one of the company's cyber-attack tools, Scan-V, has been linked to the notorious Sandworm hacking group. The tool searches for internet vulnerabilities and saves them for future use in cyber-attacks. 

Another system developed by NTC Vulkan, known as Amezit, is a comprehensive framework for controlling and monitoring the internet in regions under Russia's command. This system enables the spread of disinformation through the use of fake social media profiles, in addition to surveillance and monitoring of the internet. 

The third system developed by NTC Vulkan, Crystal-2V, is a training program for cyber operatives in the methods required to bring down rail, air, and sea infrastructure. The information processed and stored by the Crystal-2V system is deemed "Top Secret." 

In a very rare incident, thousands of pages of secret documents dated from 2016 to 2021 were revealed by an anonymous source, who approached the German newspaper Süddeutsche Zeitung just days after the Russian invasion of Ukraine began. The unknown source expressed anger over the Russian government's actions in Ukraine and the role played by NTC Vulkan in supporting those actions. 

 According to him, the GRU and FSB, two of Russia's most prominent intelligence agencies, were "hiding behind" NTC Vulkan. The individual also expressed a desire to make the information contained in the leaked documents public to raise awareness about the dangers posed by the company's activities and the Russian government's actions. 

The authenticity of the Vulkan files has been confirmed by five western intelligence agencies, while both the company and the Kremlin have remained silent on the matter. The leaked documents reveal emails, internal documents, project plans, budgets, and contracts that shed light on Russia's cyber warfare efforts in the midst of a violent conflict with Ukraine. 

It is unclear if the tools developed by Vulkan have been used for real-world attacks. However, it is known that Russian hackers have targeted Ukrainian computer networks repeatedly. The documents also suggest potential targets, including the USA and Switzerland. 

Nevertheless, advanced hacking and disinformation tools are being used by the Russian military and intelligence agencies. This raises significant concerns about the nature and scope of Russia's cyberwarfare capabilities.

The Ukraine Invasion Blew up Russian Cybercrime Alliances

 


Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems. Russian hacker groups are linked to disruptive cyberattacks, including attacks on one of the United States’ most critical oil pipelines and the world’s largest meat producers.  

A study released a year after the illegal invasion suggests that Russia's war against Ukraine disrupted the criminal ecosystem in Russia and the former Soviet states. Alexander Leslie, the associate threat intelligence analyst at Recorded Future's Insikt Group, believes this is one of the most significant developments in the history of cybercrime. It has broad implications affecting nearly every aspect of the world of cybercrime.

In a recent interview with The Register, Leslie said that these fractures can be felt in all facets of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs, and hacktivists, all of whom derive their revenue from Russian-speaking underground activities. 

"Russia's military intervention in Ukraine has ushered in the era of volatility and unpredictability in the world of international cybercrime, which carries a multitude of implications for the defense community," Leslie said in a statement. 

As per the report, Russian cybercrime refers to a wide range of crimes perpetrated by Russian-speaking miscreants in a variety of parts of the world, including Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia.

According to Leslie, before the war all of these criminal elements shared a common goal: refusing to target entities located in the Commonwealth of Independent States, so as not to draw attention from law enforcement.

The day after the Russian government began attacking critical infrastructure on February 24, 2022, the Conti ransomware gang immediately declared its "full support" for the Russian government and pledged to use all the resources at its disposal to take back the critical infrastructure that had been destroyed. There were later claims that the country had condemned the war, but the damage had already been done at that point. 

Hundreds of internal documents from Conti's internal domains were leaked by a Ukrainian security researcher on February 27, 2022. These so-called Conti leaks led to the Trickbot leaks, which revealed Trickbot's senior leadership using information from the Conti data dump. According to reports, Conti closed down its operations in the weeks that followed. 

Moreover, Conti's rival gangs such as ALPHV (BlackCat) and LockBit did not declare their loyalty to the Kremlin to any significant extent, while some of its other rival gangs did. 

There has also been a decrease in the number of ransomware attacks in the context of the war in general, which may be attributable to fewer Russian cyberattacks as well. It has been a year since the war started and fears of large-scale disruptions of Ukrainian and Western infrastructure have not yet been realized. Russia has not given up, however: Google reported that its targeting of Ukrainian users increased by 250 percent in 2022 compared to 2020, and its targeting of NATO users by 300 percent.  

As experts point out, this is not necessarily an indictment of Russia's cyber capabilities. Instead, it is an indication of the effectiveness of Ukrainian cyber defense backed up by its Western allies and companies such as Google, Microsoft, and Amazon on the ground. This is a largely successful strategy.  

The Georgia Institute of Technology's Nadiya Kostyuk, who specializes in modern warfare and cyber conflict, has said that that support was "crucial" to Ukraine's cyberspace remaining relatively unscathed, despite the geopolitical turmoil around the world. 

It is currently apparent that Ukraine's cyber capabilities haven't kept up with those of Russia even though it has been developing them since 2014. According to her, Microsoft, along with other companies, had played a huge part in building more resilient networks and systems as well as defending Ukraine's cyberspace. 

Forum Rules for the Russian Dark Web

The war did not only expose the fault lines of ransomware gangs, but also other criminals associated with these gangs. It would appear that the invasion of Ukraine also violates an unwritten rule on Russian-language dark web forums, which holds that criminals would not target organizations in former Soviet states unless they were inside the country. 

Despite the increased geographical decentralization of cybercriminal groups, Leslie predicts that the industry will become more centralized in the future.

During the kinetic war and in the immediate aftermath of it, there was also an increase in pro-Russian hacktivist groups. The 'second wave' of hacktivism took place around March 22, 2022, when Killnet's campaign against the Latvian government was initiated, following the initial wave of hacktivism, which included pre-existing groups such as the Stormous ransomware gang as well as new crews that were created to support the Russian war effort. 

An Increase in the Number of Killnets

Despite that, Recorded Future claims that Killnet dominated this second wave of hacktivism.

As a consequence of these attacks, the gang and its subgroups have expanded their targets beyond Europe. They have in recent years targeted the Americas, Asia, and other parts of the world. 

Recorded Future says that most of the pro-Russian hacktivist groups that have been active during the war are no longer active, despite estimates by security researchers such as @Cyberknow20 that there were 70 or more such groups active at the beginning of the war.

As the authors point out, although they identified about 100 such groups between February 24, 2022, and February 10, 2023, only a few remain active today.

Even those that remain are not very effective. A new FBI report describes Killnet's distributed denial of service attacks as having "limited success." Additionally, the researchers point out that the groups' impact on the overall war effort has been "minimal" at best.

Is 2023 Going to be a Year of Change?

Security researchers expect the second year of the war to bring more of the same: insider leaks from criminal gangs, hacktivist attacks making headlines, and database dumps being sold on dark-web forums, possibly with a rise in leaked Russian and Belarusian databases, as well as credential leaks targeting .ru and .by domains. As a result of the malware-as-a-service threat landscape and the ongoing changes in the criminal forums on the dark web, "volatility and instability" are predicted to persist through 2023 throughout the Russian-speaking dark web market.

In the short term, Leslie predicts that the cyber efforts of Ukraine are likely to be stepped up in 2023. The public-private partnership has helped foster increased collaboration between intelligence agencies and the provision of active defensive support, and we anticipate that this will only increase in the years to come, Leslie added. 

The majority of offensive operations are likely to be undertaken by the IT Army of Ukraine. This is expected to maintain support to enable a method of crowdsourced hacktivism that will continue to dominate offensive operations. 

He says he expects more hack-and-leak attacks from the Ukrainian IT Army in the future, but the most dominant methods of attack will likely remain DDoS attacks and website defacement.

Cybersecurity in 2023: Russian Intelligence, Chinese Espionage, and Iranian Hacktivism


State-sponsored Activities 

In 2022, we witnessed a number of state-sponsored cyber activities originating from different countries, with the tactics employed by the threat actors varying. This will apparently continue into 2023, since governments use their cyber capabilities as a means of achieving their economic and political objectives.

Russian Cyber Activity will be Split between Targeting Ukraine and Advancing its Broader Intelligence Goals 

It can be anticipated that conflict-related cyber activities will increase, since there is no immediate prospect of an end to the conflict in Ukraine. These activities will be aimed at degrading Ukraine's vital infrastructure and government services and at gathering foreign intelligence useful to the Russian government from entities involved in the war effort.

Additionally, organizations linked to the Russian intelligence services will keep focusing their disinformation campaigns, intelligence gathering, and potentially low-intensity disruptive attacks on their geographical neighbors. 

Russia will, however, also keep working toward its longer-term, more comprehensive intelligence goals. The traditional targets of espionage will still be a priority. For instance, in August 2022, Russian intelligence services used spear phishing emails to target employees of the US's Argonne and Brookhaven national laboratories, which conduct cutting-edge energy research.

It is further expected that new information regarding the large-scale covert intelligence gathering by Russian state-sponsored threat actors, enabled by their use of cloud environments, internet backbone technology, or pervasive identity management systems, will come to light. 

China Will Continue to Prioritize Political and Economic Cyber Espionage 

It has also been anticipated that the economic and political objectives will continue to drive the operation of China’s intelligence-gathering activities. 

The newly re-elected president Xi Jinping and his Chinese Communist Party will continue to employ their intelligence infrastructure to assist in achieving more general economic and social goals. They will also continue to target international NGOs in order to keep watch over dissident organizations and individuals opposing the Chinese government in any way.

China-based threat actors will also target high-tech giants that operate in or supply industries like energy, manufacturing, housing, and natural resources, as China looks to upgrade these industries internally.

Iranian Government-backed Conflicts and Cybercrimes will Overlap 

The way in which the Iranian intelligence services outsource operations to security firms in Iran has blurred the distinction between state-sponsored activity and cybercrime.

A recent example is the IRGC-affiliated COBALT MIRAGE threat group, which performs cyber espionage but also financially supports ransomware attacks. Because cybercrime is inherently opportunistic, it has affected and will continue to affect enterprises of all types and sizes around the world.

Moreover, low-intensity conflicts between Iran and its adversaries in the area, mainly Israel, will persist. Operations carried out under the guise of hacktivism and cybercrime will be designed to interfere with crucial infrastructure, disclose private data, and reveal agents of foreign intelligence. 

How Can Organizations Protect Themselves from Opportunistic Cybercrime?

The recent global cyber activities indicate that opportunistic cybercrime threats will continue to pose a challenge to organizational operations. 

Organizations are also working on defending themselves from these activities by prioritizing security measures, since such incidents generally occur due to a failure or lack of security controls.

We have listed below some of the security measures organizations may follow in order to combat opportunistic cybercrime from nation-states and cybercrime groups:

  • Organizations can mitigate threats by investing in fundamental security controls like asset management, patching, multi-factor authentication, and network monitoring.
  • Maintain a strong understanding of the threat landscape and the tactics utilized by adversaries. Security teams must also identify and safeguard their key assets, along with prioritizing vulnerability management.
  • Traditional methods and solutions, such as endpoint detection and response, are no longer effective in thwarting today's attacks, so it is crucial to thoroughly monitor the entire network, from endpoints to cloud assets. Organizations must also identify and effectively address their most significant business concerns, and prioritize threats in order to combat them more efficiently.

Trojanized Windows 10 Installer Utilized in Cyberattacks Against Ukrainian Government Entities

 

Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.

Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server, were among them.

The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to maintain remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.

The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.

The attack chains observed by Check Point, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, remains unattributed, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.

Medibank's Hackers will be Hacked in Australia

 


Threat actors behind the Medibank hack that compromised nearly 10 million customers' private information are being hunted by the Australian government, cyber security minister Clare O'Neil said.

The Australian Federal Police (AFP) announced on Friday afternoon that the hack on Medibank's computer systems was attributed to Russian cybercriminals.

The Russian embassy in Australia has expressed disappointment that the AFP identified Russian-based criminals as the culprits without contacting Russian officials before the public announcement.

In a statement released on Friday evening, the consulate said that it encouraged the AFP to promptly contact the respective Russian law enforcement agencies to seek assistance.

Combating cybercrime that adversely affects the lives of citizens and damages businesses is a complex task that demands a cooperative, non-political and responsible approach from all members of the international community. 

It was announced on Saturday that the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) have signed an agreement on the creation of a comprehensive policing model which will take into account both the Optus and Medicare data breaches and effectively deal with the criminals behind them. 

"Around 100 officers from these two organizations will be a part of this joint standing operation, and many of these officers will be physically co-located with the Australian Signals Directorate," she said.

As Ms. O'Neil pointed out, officers report to work every day of the week. The goal is to deal with these gangs and thugs in the most effective manner possible. 

Ms. Saunders explained that, with this partnership, the Australian Government has formalized a standing body that will be responsible for the day-to-day pursuit and prosecution of the con men responsible for these malicious crimes against innocent people, and that will hunt them down day in and day out.

A group of the smartest and most determined people in Australia will be collaborating to track down the hackers. 

A New Permanent Policing Model 

In a statement, Attorney General Mark Dreyfus described the situation as "extremely distressing."

In response to the attack, the government released a statement stating that it would do everything it could to limit the impact of this horrible crime. It would also provide support and comfort to the families and friends of those who are affected. 

Dreyfus said in his remarks that the updated partnership between the AFP and the ASD aimed at fighting cyber criminals will be a permanent and formal agreement. 

The AFP, he explained, works full-time on this issue with the assistance of international partners, including the United Nations and the FBI, which has done great work on this problem.

As part of the investigation, AFP Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the perpetrators of the crime. 

"We know who you are," he said. It has been noted that the AFP has a good track record when it comes to bringing overseas offenders back to Australia to face the justice system.

A Review of Australia's Diplomatic Relations With Russia is Currently Taking Place

There will be no slowdown in the work of the national security agencies because diplomatic channels with Russia will remain open concerning extradition, according to Mr. Dreyfus. 

According to the president of the Russian Federation, Russia should do all that it can to protect its citizens from engaging in these kinds of crimes, while within its borders. 

In a statement, Mr. Dreyfus said that his government is taking a close look at the options available to it. This is because it wants to maintain Russia's diplomatic profile in Australia. 

In regards to our diplomatic channels, we would like to maintain them as long as they are appropriate for our national interests. However, diplomatic profiles must always be consistent with that. 

A spokesman for the opposition's cyber security wing, James Paterson, said that the disclosure could have broad implications for Australia's Magnitsky regime. Those who violate the law are subject to this.

The regime, which was passed with the bipartisan support of the Republican and Democratic Parties, makes it possible to impose targeted financial sanctions and travel bans in response to serious corruption and significant cyberattacks.

At a press conference earlier today, Prime Minister Albanese told reporters he was dismayed and disgusted by the actions of those who committed this crime. He authorized AFP officials to release the details as a matter of public interest. 

In the recent past, the hackers have released more information from the medical records of Medibank's customers on the dark web, including information about abortions and alcoholism.

A ransomware attack was carried out by a criminal group targeting Medibank's data, which resulted in close to 500,000 health claims, along with personal information, being stolen. 

There are several mental health and other support services available through Medibank's Resources Page, which is available to affected customers.

Battling the Russian Disinformation War

 

Over the years, US-Russian ties have fluctuated. Donald Trump, the former US president, was lenient towards the Kremlin from 2017-2020, during which time the White House seemed to take a backseat on cybersecurity issues.

However, the Joe Biden regime is ready to take on Russia on every possible front. After Russia invaded Ukraine last February, the American-led European Union moved to block RT and Sputnik, two of the Kremlin’s top channels for spreading misinformation about the war.

Blake Dowling, CEO at Florida-based Aegis Business Technologies, blamed Russian-backed hackers for staging cyberattacks against American infrastructure (Colonial Pipeline), businesses and government (SolarWinds and others), and elections.

According to Dowling, the Russian Internet Research Agency (IRA) has also played a role in propagating disinformation around the globe.

The IRA is an army of internet trolls based in an old arms factory in St Petersburg founded by Yevgeny Prigozhin. The internet operatives in IRA work as regular employees during their shifts of 8 hours per day. 

During their shifts, employees must meet quotas, which would be something like designing a dozen social media accounts and posting five political posts and 10 nonpolitical posts. At the same time, they must comment on and like hundreds of their colleagues’ posts.

One IRA employee published a blog about a new video game in the U.S. that had a theme of slavery, aiming to stir up anti-U.S. feelings in Russia. In reality, there was no such game, but that is what the job was. 

Apart from social media trolls, a Russian hacktivist group called Killnet is also playing a major role in disrupting services in the United States. They are looking to cause chaos to the enemies of Russia, specifically those entities that side with Ukraine. 

The standard modus operandi of the hacking group is to launch distributed denial of service (DDoS) attacks against its victims, causing their web presence to break down. Earlier targets include the European song contest Eurovision and, this month, fourteen airports in the United States.

To counter this cyber onslaught, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency recommend a Shields Up approach for American citizens.

The Shields Up technique refers to a heightened cyber defensive posture when protecting data and technical assets. This includes updating your network and hardware for known exploits and vulnerabilities and using robust passwords that are changed regularly.

Security Experts Raise Concern Regarding Fairness of Conservative Leadership Contest

 

Malicious actors from rogue nations could try to discredit the Tory online vote with false narratives regarding the fairness of an online members’ vote, cybersecurity experts warned. 

After the controversial exit of Liz Truss, Conservative MPs will vote for their preferred candidate in a series of ballots. But if there are still two candidates remaining in the race after Monday, Tory party members will take part in an online vote to decide the new UK prime minister. 

Online voting concerns 

During the last Tory leadership election, held over the summer, the online publication Tortoise managed to register four bogus conservative members to demonstrate how the leadership contest is open to potential exploitation. 

The website signed up two foreign nationals, a person who did not exist, and a pet tortoise as members of the Conservative Party. Shockingly, the party accepted its payments of £25 for each registration, and the bogus recruits were issued membership numbers and invited to hustings. 

According to James Harding, the editor of Tortoise, the incident had raised serious concerns regarding the safety of the vote. He condemned the secrecy surrounding the ballot, with the Conservatives refusing to provide real insights regarding the modus operandi of their membership or the security arrangements. 

“I think that it’s reasonable if you live in a democracy to try and know who’s voting the prime minister into power,” Harding stated. “If you want to have confidence in your democracy you have to have some understanding of how the election works and that someone is supervising it. We could find ourselves in a position where we go to another membership contest and the membership is doing that online and how do we know that’s secure?”

However, Conservative Party chairman Jake Berry insisted that the web ballot will be “secure” even though it had to be ditched for the last contest because of concerns regarding loopholes in the system. “Without going into the security measures we will take, for reasons I'm sure you will understand, we are satisfied that the online voting system will be secure,” Berry stated.

The concerns are raised amid warnings from threat analysts that hostile states like Russia could attempt to hijack the poll and influence who becomes the next Prime Minister. 

Previously in 2016, Russia was accused of attempting to interfere in key elections including the US presidential race and the Brexit referendum. 

According to Peter Ryan, a professor of applied security at Luxembourg University, KGB hackers could exploit the rules that allow Tory members living abroad to vote. 

“We don't know that much about the electorate that is putting in place the leader of a G7 country,” he said. “For all we know, the KGB could have signed up a significant number of stooges. The margin last time was low - it would not take much to swing it.”

KillNet: Pro-Russian Threat Actors Claim Responsibility for 14 DDoS Attacks on U.S. Airports

 

On Monday, a pro-Russian hacker group, KillNet, reportedly claimed to be behind DDoS attacks that temporarily took down the websites of several U.S. airports.
 
A similar case was witnessed by Atlanta International Airport. Users were unable to access the websites for a few hours during the campaign, though the attacks did not have any impact on flight operations.
 
The Los Angeles International Airport (LAX) authority reported a threat to its website to the Transportation Security Administration and the FBI.
 
"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson stated in an emailed statement. Adding to the statement, she said the airport’s IT Team has restored all services and is investigating the cause.
 
Later, the hacker group apparently posted a list of the targeted airport websites on Telegram that included 14 domains, urging hackers to participate in the DDoS attack.
 
The airport websites impacted by the group include Hartsfield-Jackson Atlanta International Airport, the Los Angeles International Airport (LAX), the Chicago O’Hare International Airport (ORD), the Orlando International Airport (MCO), the Denver International Airport (DIA), the Phoenix Sky Harbor International Airport (PHX), and the sites of airports in Kentucky, Mississippi, and Hawaii.
 
In a Telegram post on Monday, Killnet listed other U.S. sites that could be the next potential victims of similar DDoS attacks, such as sea terminals and logistics facilities, weather monitoring centers, health care systems, subway systems, and exchanges and online trading systems.
 
Apparently, this was not KillNet's first DDoS attack, as the group has previously targeted many other countries that opposed the Russian invasion of Ukraine. These NATO countries include Italy, Romania, Estonia, Lithuania, and Norway.
 
KillNet's DDoS attacks, and its calls for other threat actors to carry out more, are an example of what security experts describe as the tendency in recent years for geopolitical tensions to spill over into the cyber world. According to speculation, this campaign against the US and other NATO countries, for instance, began days after an explosion demolished a section of a major bridge connecting Russia to the Crimean Peninsula.

Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Reported to attack a variety of known target groups worldwide, Void Balaur is a very active hacker-for-hire cyber mercenary gang. Its services have been seen available for purchase online since at least 2016. Private data collection and access to particular online email and social media sites, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and corporate emails, are among the services offered.

According to Google, TAG has been keeping tabs since 2012 on a diverse group of Indian hackers-for-hire, many of whom have worked briefly for Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both general and opportunistic with the goal of getting illegal access to popular email services, social networks, communications, and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the attack infrastructure run by Void Balaur includes more than 5,000 distinct domains that present themselves as portals for public services, authentication services, and email websites.

A wide range of industries, frequently with specific political or business ties to Russia, are among the new targets. Additionally, Void Balaur hunts out targets useful for positioning or assisting upcoming attacks. Its targets are located in the United States, Russia, Ukraine, and a number of other nations.

However, in early 2022, one of the group's managed domains resolved to an IP address that belongs to and is run by the Russian Federal Guard Service (FSO), indicating what appears to be an operational oversight and raising the possibility of a connection.

Although Void Balaur targets persons and organizations all over the world, campaigns launched in 2022 have targeted individuals who are active in political and business situations that are important to Russia.

The use of highly repeatable phishing emails that look like they are from banks or local governments is common in order to deceive recipients into clicking a malicious link and divulging their account information.

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In accordance with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Nonetheless, employing and adopting the proper security measures will help in repelling cyber mercenary attacks.

Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members

 

An anonymous hacking group launched DDoS assaults on Cobalt Strike servers operated by former Conti ransomware members, flooding them with anti-Russian texts to halt their operation.

Earlier this year in May, the Conti ransomware gang permanently switched off its operation but its members joined other groups, such as Quantum, Hive, and BlackCat. However, former Conti members continued employing the same Cobalt Strike infrastructure to launch new attacks.

The hackers flooded the Cobalt Strike (CS) servers used by the Conti hackers with anti-Russian texts such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!”

According to Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), the hackers targeted at least four Cobalt Strike servers operated by former Conti gang members.

The messages are flooding the servers at a rapid rate of nearly two every second, resulting in the disruption of Conti ransomware operations. Kremez says whoever is behind this activity is constantly targeting Cobalt Strike servers believed to be operated by former Conti ransomware members, resuming the flood whenever a new server is discovered.

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 

Conti is one of the most prolific ransomware groups of the last year along with LockBit 2.0, PYSA, and Hive, and has blocked hospital, corporate, and government agency networks while demanding ransom for sharing the decryption key as part of their name-and-shame scheme. 

After the ransomware gang sided with Russia in February over the invasion of Ukraine, an anonymous pro-Ukraine hacktivist under the Twitter handle ContiLeaks released the malware source code, credentials, chat logs, and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind these messages but for the moment they’re keeping the hackers busy. Last month, the LockBit ransomware gang suffered a DDoS attack disrupting its operation. The attack was launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data. However, the halt was temporary and the ransomware gang came online with enhanced infrastructure allowing them to keep the stolen data intact even when facing distributed denial-of-service (DDoS) attacks.