
Russian Scam Industry Expands as a Result of Mobilization

 

After experiencing setbacks on the Ukrainian front, Russian President Vladimir Putin ordered a partial mobilization. Russian men who are eligible for enlistment have turned to illegal channels that grant them fabricated exemptions, whereas those fleeing the country to neighboring regions have turned to using identity masking tools.

In these circumstances, selling illegal services has become highly profitable, and scammers and hackers see an opportunity to exploit anxious people acting in haste.

The first scams to profit from the situation come from cybercriminals selling fake documents on the dark web, Telegram, and other encrypted channels.

The scammers have gone as far as openly advertising their fraudulent services on social media and contacting individuals directly through channels that discuss mobilization. According to a report by RIA Novosti, the hackers offer certificates of ineligibility for military duty, which they claim will allow the buyer to avoid enlistment.

So that recruitment officers never come looking for the buyer, the offer also promises to update the regional enlistment office's database within 48 hours. In exchange, the scammers demand 27,000 rubles ($470) and a copy of the client's passport.

Once the funds are paid, the con artists cut off contact with the victim and most likely use the identity they have obtained to commit further fraud or sell it on the dark web. The same advertisements claim to produce fake HIV and hepatitis certificates for 33,000 and 38,000 rubles ($630), respectively.

According to the Russian news site Kommersant, demand for so-called 'gray' SIM cards has risen by 50% as a result of the mass departure of Russians. These SIM cards are sold on 'pay-as-you-use' plans and work on the networks of MTS, MegaFon, Beeline, Tele2, and Yota. Because a regular SIM lets the government trace young men liable for military duty and potentially stop them at the border, Russians are eagerly seeking out these cards.

The IMEI (International Mobile Equipment Identity) is a unique 15-digit number tied to the device's hardware rather than to the SIM card. Roskomsvoboda, a Russian internet rights group, says there have been numerous cases of FSB officers forcing people to disclose their IMEI numbers when entering Georgia, Kazakhstan, and Finland. IMEI tracking relies on cell towers to triangulate the device's approximate location.

Law enforcement has used IMEI tracking for years, and software that promises to locate a lost or stolen device relies on it too. Assigned IMEIs are not interchangeable or editable, except on a few Huawei, Xiaomi, and ZTE models that, contrary to the standard, store the IMEI in a rewritable memory region and allow it to be flashed with special tools.

As an alternative, Roskomsvoboda advises Russians leaving the country to either present a burner phone at the border or purchase a new device once they have left.


ESXi, Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family written in Rust, making it the third strain to use the language after BlackCat and Hive, according to Kaspersky security researchers.

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

Its encryption scheme, which the researchers found notable, combines x25519 with AES. The researchers also found that the Linux and ESXi samples, which are compiled from the same source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna indicate that the ransomware is meant to be used only by Russian-speaking affiliates. Because of spelling errors in the ransom note hard-coded into the malware, its creators are also thought to be Russian.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples is identical. The remaining code is almost unchanged from the Windows version," the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how attackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, because Luna is a recently identified criminal operation whose activities are still under constant monitoring, very little is known about its victimology so far.

Black Basta

Researchers have also revealed details about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding support for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, aim to widen their pool of potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that the operators had introduced a new feature that boots the computer into safe mode before encrypting data and impersonates Windows services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.
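The safe-mode tactic described above leaves two artifacts a defender can check for: a safe-mode setting on the default boot entry and a service registered to start under the SafeBoot registry key. The following Python is an added example, not code from the page or from Kaspersky; it assumes the attacker used the standard mechanisms for this (the `safeboot` element shown by `bcdedit /enum`, and subkeys under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network`), runs over constructed sample text rather than a live host, and uses an assumed baseline list of services that a real deployment would take from a known-good image.

```python
import re

# Constructed sample output of `bcdedit /enum {default}` (not captured from a real host).
SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 10
safeboot                Network
"""

# Constructed sample .reg export of the SafeBoot\Network key. Any service with a
# subkey here is allowed to start in Safe Mode with Networking; "UpdaterSvc" is a
# made-up name standing in for an attacker-registered service.
SAMPLE_SAFEBOOT_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UpdaterSvc]
@="Service"
"""

# Assumed baseline of services expected under SafeBoot\Network. A real baseline
# must be taken from a golden image of the same Windows build.
BASELINE_SAFEBOOT_SERVICES = {"LanmanWorkstation", "Dhcp", "Dnscache", "NetBT", "Tcpip", "Afd"}


def safeboot_setting(bcdedit_text):
    """Return the value of the 'safeboot' element (e.g. 'Network' or 'Minimal')
    if the boot entry is configured to start in safe mode, otherwise None."""
    for line in bcdedit_text.splitlines():
        m = re.match(r"^safeboot\s+(\S+)", line.strip(), re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def safeboot_services(reg_text):
    """Collect service names registered under SafeBoot\\Minimal or SafeBoot\\Network."""
    names = set()
    for m in re.finditer(r"\\SafeBoot\\(Minimal|Network)\\([^\]\\]+)\]", reg_text):
        names.add(m.group(2))
    return names


def assess(bcdedit_text, reg_text, baseline=BASELINE_SAFEBOOT_SERVICES):
    """Return human-readable findings: a forced safe-mode boot, and any service
    allowed to run in safe mode that is not part of the baseline."""
    findings = []
    mode = safeboot_setting(bcdedit_text)
    if mode:
        findings.append(f"default boot entry forces safe mode ({mode})")
    for svc in sorted(safeboot_services(reg_text) - baseline):
        findings.append(f"service '{svc}' registered to start in safe mode but not in baseline")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_BCDEDIT, SAMPLE_SAFEBOOT_REG):
        print(finding)
```

On a real host the two inputs would come from `bcdedit /enum` and `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network`; either finding on its own is worth a look, and both together match the behaviour attributed to Black Basta above.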




HelloXD Ransomware Installs a Backdoor, Targets Windows and Linux Devices

 

HelloXD is a ransomware family that first appeared in November 2021 and carries out double extortion attacks. Researchers have discovered several variants affecting both Windows and Linux computers.

According to a recent analysis by Palo Alto Networks Unit 42, the malware's creator has developed a new encryptor with custom packing for detection evasion and tweaks to the encryption algorithm. This is a substantial departure from the Babuk code and indicates the author's intent to build a new ransomware strain with capabilities that enable further attacks.

HelloXD ransomware threat 

HelloXD first emerged to the public on November 30, 2021, and is based on Babuk's leaked code, which was published in September 2021 on a Russian-language cybercrime site. 

Palo Alto Networks Unit 42 security researchers Daniel Bunce and Doel Santos said, "Unlike other ransomware, this ransomware does not have an active leak site; instead, it prefers to direct the infected victim to negotiations via Tox chat and onion-based messaging instances." 

The operators of this ransomware family are no exception: they use double extortion to obtain cryptocurrency, exfiltrating and encrypting a victim's data, spying on the victim, and threatening to publish the data.

HelloXD also drops MicroBackdoor, an open-source implant used for command-and-control (C2) communications that lets the operator browse the infected system, exfiltrate files, execute commands, and remove traces, according to its developer Dmytro Oleksiuk.

In March 2022, the Belarusian threat actor known as Ghostwriter (aka UNC1151) used multiple variants of the implant in its cyber operations against Ukrainian government agencies. MicroBackdoor's features allow an attacker to explore the file system, upload and download files, run commands, and delete traces of its activity from compromised PCs.

HelloXD is a harmful ransomware project in its early stages that is now being deployed in the field. Although infection volumes are not high yet, its active and targeted development paves the way for a more harmful state. By piecing together the actor's digital trail, Unit 42 said it connected the likely Russian vendor behind HelloXD — who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — to further cybercriminal activity, such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions laced with malicious software.

Between 2019 and 2021, the average duration of an enterprise ransomware attack — that is, the period between initial access and ransomware deployment — decreased by 94.34 percent, from nearly two months to just 3.85 days, according to a new report by IBM X-Force.

The increased speed and efficiency of the ransomware-as-a-service (RaaS) ecosystem has been attributed to initial access brokers (IABs), who obtain access to victim networks and sell it to affiliates, who in turn use that foothold to deploy ransomware payloads.

Overall, the threat actor appears skilled and capable of moving HelloXD forward, so analysts should keep a close eye on its progress.

Ukrainian Security Researcher Exposes Source Code for New Conti Malware

 

The source code of a new version of the Conti ransomware has been disclosed by a Ukrainian security researcher, the latest in a string of leaks triggered by the criminal group's support for Russia. Conti is a Russia-based ransomware gang operating on a ransomware-as-a-service (RaaS) model. While some ransomware demands run into the millions of dollars, Coveware estimates the average Conti demand at just over $765,000.

The notorious Conti ransomware group published a statement soon after Russia launched its invasion of Ukraine, warning that it was prepared to strike the critical infrastructure of Russia's adversaries in retaliation for any attacks on Russia.

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After more than two weeks of inactivity, the Twitter account resurfaced over the weekend, releasing what appears to be the source code for a newer version of Conti. Some had previously speculated that the leaker was a Ukrainian security researcher, while others believed he was a rogue member of the Conti group who leaked and shared the messages.

The release of ransomware source code, particularly for an advanced operation such as Conti, can have serious consequences for corporate networks and consumers, because other threat actors frequently reuse leaked code to build their own ransomware operations. In the past, a researcher released the source code for ransomware called 'Hidden Tear,' which was soon adopted by several threat actors to launch various campaigns.

Telegram Abused By Raccoon Stealer

 

According to a post published by Avast Threat Labs this week, Raccoon Stealer, first identified in April 2019, has added the ability to store and update its actual C2 addresses on Telegram's infrastructure. Researchers say this gives its operators a "convenient and trustworthy" command center on the network that they can change on the fly.

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

As per the reports, Buer Loader and GCleaner were used to distribute Raccoon. Experts suspect it is also being distributed in the guise of false game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications, based on some samples. 

Since Raccoon Stealer is sold to other criminals, the only limit to its distribution methods is the imagination of its buyers. Some samples are spread unpacked, while others are protected by malware packers such as Themida. Notably, certain samples were packed by the same packer five times in a row.

The newest version of Raccoon Stealer communicates with its C2 through Telegram. According to the post, four "crucial" parameters for its C2 communication are hardcoded in every Raccoon Stealer sample:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names;
  • BotID, a hexadecimal string that is always sent to the C2;
  • TELEGRAM KEY, a decryption key for the Telegram gate C2 address.

Before hijacking Telegram for its C2, the malware decrypts MAIN KEY, which it then uses to decrypt the Telegram gate URLs and the BotID. According to Avast's Martyanov, the stealer then uses the Telegram gate to reach its real C2 through a series of requests, which ultimately lets the operators store and change the actual C2 addresses on Telegram's infrastructure.
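The observable side of the mechanism just described is a non-browser process fetching a Telegram channel page and then, moments later, opening a connection to a host it has never contacted before (the real C2 whose address was retrieved through the gate). The following Python is an added example, not code from the page or from Avast: it runs that correlation over constructed proxy log lines. The gate hosts (`t.me`, `telegram.me`), the browser allowlist, the 60-second window, and the sample IP addresses are all assumptions; the actual gate domains used by the samples are not given on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real telemetry): timestamp, process name, URL.
# chrome.exe visiting t.me is ordinary browsing; updater.exe doing it and then
# immediately contacting a never-seen host is the pattern worth flagging.
SAMPLE_LOG = """\
2022-03-03T10:00:01Z chrome.exe https://www.google.com/search?q=weather
2022-03-03T10:00:05Z chrome.exe https://t.me/s/some_public_channel
2022-03-03T10:02:10Z updater.exe https://t.me/s/jb_channel_01
2022-03-03T10:02:11Z updater.exe http://203.0.113.25/gate/log.php
2022-03-03T10:02:14Z updater.exe http://203.0.113.25/gate/sqlite3.dll
2022-03-03T10:10:00Z outlook.exe https://outlook.office.com/mail/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<url>\S+)$")
# Assumed hosts that can serve as the "Telegram gate" (public channel pages).
TELEGRAM_GATE_HOSTS = {"t.me", "telegram.me"}
# Assumed allowlist: interactive browsers are expected to visit Telegram pages.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Assumed correlation window between the gate fetch and the follow-up connection.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict, extracting the host and, for gate hosts,
    the channel name (last path component). Returns None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
    channel = None
    if host in TELEGRAM_GATE_HOSTS:
        parts = m["url"].split(host, 1)[1].strip("/").split("/")
        channel = parts[-1] if parts and parts[-1] else None
    return {"ts": ts, "proc": m["proc"], "url": m["url"], "host": host, "channel": channel}


def find_gate_followups(log_text):
    """Return one alert per gate fetch by a non-browser process that is followed,
    within WINDOW, by a connection to a non-Telegram host that process had not
    contacted before. The follow-up host is the C2 candidate."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    seen_hosts = defaultdict(set)   # proc -> hosts already contacted
    pending = {}                    # proc -> (gate fetch time, channel)
    alerts = []
    for e in events:
        proc = e["proc"]
        if e["host"] in TELEGRAM_GATE_HOSTS:
            if proc not in BROWSERS:
                pending[proc] = (e["ts"], e["channel"])
        else:
            gate = pending.get(proc)
            if gate and e["ts"] - gate[0] <= WINDOW and e["host"] not in seen_hosts[proc]:
                alerts.append({
                    "proc": proc,
                    "channel": gate[1],
                    "c2_candidate": e["host"],
                    "gate_ts": gate[0].isoformat(),
                })
                del pending[proc]   # one alert per gate fetch
        seen_hosts[proc].add(e["host"])
    return alerts


if __name__ == "__main__":
    for alert in find_gate_followups(SAMPLE_LOG):
        print(alert)
```

The channel name pulled from the gate URL and the follow-up host are the two values worth pivoting on: the former identifies the operator's channel, the latter is the C2 address that the gate resolved to at that moment, which is exactly the value the operators can rotate on the fly.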

The stealer can also deliver additional malware by downloading and executing arbitrary files on command from the C2. According to Avast Threat Labs, Raccoon Stealer has distributed roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware.

Ukrainian Government Websites Shut Down due to Cyberattack

 

Ukrainian state authorities' websites have stopped working. At the moment, the website of the Ukrainian president and other resources on the gov.ua domain are inaccessible.
According to the source, a large-scale cyberattack by the Russian hacker group RaHDit was the cause. A total of 755 websites of Ukrainian authorities on the gov.ua domain were taken offline as a result of the attack.

Hackers posted on government websites an appeal written on behalf of Russian soldiers to soldiers of the Armed Forces of Ukraine and residents of Ukraine. "The events of the last days will be the subject of long discussions of our contemporaries and descendants, but the truth is always the same! It is absolutely obvious that what happened is a clear example of what happens when irresponsible, greedy, and indifferent to the needs of their people come to power," they wrote. 

Another of the hacked websites published an appeal on behalf of Zelensky. In it, the President of Ukraine allegedly stated that he had agreed to sign a peace treaty with Russia. "This is not treason to Ukraine, to the Ukrainian spirit, it is exclusively for the benefit of the Ukrainian people," the banner said. 

The third message called on civilians to "refuse to support national radical formations formed under the guise of territorial defense." It was warned that any attempts to create armed gangs would be severely suppressed. In another announcement, Ukrainian soldiers were asked not to open fire on the Russian army and lay down their weapons: "Return fire will kill you. You are guaranteed life, polite treatment, and a bus home after the war." 

This information could not be confirmed. At present, visitors to the government websites are told that access to them cannot be obtained.

Earlier it became known that Russian hackers from the Killnet group hacked the website of the Anonymous group, which had previously declared a cyberwar against Russia. They urged Russians not to panic and not to trust fakes. 

On February 25, hackers from Anonymous announced their decision to declare a cyberwar against Russia due to the start of a special operation in the Donbas. The attackers attacked Russian Internet service providers and government websites. They also hacked the websites of major media outlets: TASS, Kommersant, Izvestia, Forbes, Mela, Fontanka. 

As a reminder, the special operation in Ukraine began in the morning of February 24. This was announced by Russian President Vladimir Putin.

Ukrainian Researcher Releases Conti Ransomware Source Code

 

Conti, the notorious ransomware gang, has become the target of cyberattacks following its proclamation early last week that it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine, with the most recent blow being the public release of its source code.

This comes only days after an archive containing well over a year's worth of instant messages between members of Conti, believed to be based in Russia, was leaked: some 400 files and tens of thousands of lines of Russian-language internal chat logs. The internal communication files contain messages from January 2021 to February 27 of this year.

The analysis cited a cybersecurity bulletin issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI over the weekend, which warned that Russia's attack on Ukraine – which also included cyberattacks on the Ukrainian government and critical infrastructure organizations – could spill over Ukraine's borders, especially in the wake of US and allied sanctions.

Throughout the night, ContiLeaks continued publishing more material, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. One part of the release that drew particular interest was a password-protected archive containing the source code for the Conti ransomware encryptor, decryptor, and constructor. While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the source code of the Conti ransomware files.

For a reverse engineer, the code may not provide much new information. For those who can program in C but cannot reverse engineer, the source code offers a wealth of insight into how the malware operates. While this is beneficial for security research, having the code available to the public has its pitfalls: threat actors quickly co-opt such code to establish their own operations, as we observed when the HiddenTear (for "educational purposes") and Babuk malware source code was leaked.

In May, the FBI issued a five-page warning [PDF] to American firms about Conti ransomware attacks on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million.

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence," stated Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand.

Viasat Blames Outage on a "Cyber Event"

 

Viasat Inc., an American communications provider, says its satellite internet services in Ukraine and Europe are being disrupted by a "cyber event."

Based in Carlsbad, California, Viasat offers high-speed satellite broadband and secure networking systems to military and commercial customers throughout the United States and around the world. The affected network is the Ka-SAT satellite, which Viasat purchased from its launcher and former owner, Eutelsat, in April 2021.

"While we attempt to restore service to affected consumers, we're also looking into and evaluating our European network and systems to figure out what's causing the problem. We're also putting further network safeguards in place to avoid any further consequences," the company stated.

According to the firm, the disruption began on February 24, the day Russia invaded Ukraine, and it has contacted "law enforcement and government partners," adding that it has "no indication" that consumer data is implicated. Another ISP, Germany-based EUSANET, told PaxEx.Aero that it was experiencing problems as well.

An insider told the British news channel Sky News that the disruptions were triggered by a distributed denial of service (DDoS) attack. The number of Viasat users in Ukraine is unknown, and the firm has declined to say how many are affected. Viasat's stock was nonetheless up 3.5 percent in lunchtime trading on Monday, at around $45.

To maximize its service area, Viasat operates large satellites in geosynchronous orbit, meaning they remain stationary relative to a point on Earth at an altitude of roughly 35,000 kilometers.

This is the conventional way of providing broadband access from space, but a number of companies, including SpaceX's Starlink, are investing in building networks in low-Earth orbit that use hundreds or thousands of satellites.

DDoS Assaults on Ukrainian Banks Have Resumed Yet Again


Cyberattacks took down Ukrainian government and bank websites, prompting the government to declare a nationwide state of emergency amid growing fears that Russian President Vladimir Putin could launch a full-scale military invasion of Ukraine. According to the Internet monitor NetBlocks, the onslaught knocked out the websites of Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank) as well as Ukrainian government sites.

"At around 4 p.m., another massive DDoS attack on the state commenced. We have relevant data from several banks," stated Mykhailo Fedorov, Minister of Digital Transformation, who also said the parliament website had been hit. Ukrainian authorities had warned earlier this week that hackers were preparing large attacks on government organizations, banks, and the defense sector.

SSSCIP and other national cybersecurity authorities in Ukraine are currently "working on countering the assaults, gathering and evaluating information." According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers used DDoS-as-a-Service platforms and numerous bot networks, including Mirai and Meris, to carry out the DDoS attacks on February 15th. The DDoS attacks were traced to Russia's Main Directorate of the General Staff of the Armed Forces on the same day, according to the White House. 

"We have technical information indicating ties to the Russian main intelligence directorate, or GRU," Deputy National Security Advisor for Cyber Anne Neuberger stated. "Known GRU infrastructure was spotted delivering huge volumes of communication to Ukraine-based IP addresses and domains."

Neuberger went on to say that, despite their "limited impact," the strikes can be seen as "setting the framework" for more disruptive attacks, which could coincide with a possible invasion of Ukraine's territory.

The UK government also blamed Russian GRU hackers for last week's DDoS strikes on Ukrainian military and state-owned bank websites. According to a press release from Ukraine's Security Service (SSU), whose website was also hit, the country is facing a "huge wave of hybrid warfare." Earlier this month the SSU announced that during January 2022 it had stopped over 120 cyberattacks aimed at Ukrainian government entities.

Russia Suspected by Two Major Nations of Cyberattacks Against Ukraine

 

On Friday, the White House suspected Russia of being behind recent cyberattacks on Ukraine's defense department and banking institutions. 

The statement by Anne Neuberger, the White House's top cyber official, was the most precise attribution of responsibility for the cyberattacks that have occurred as tensions between Russia and Ukraine have risen. Although this week's attacks had a "limited impact" because Ukrainian officials were able to restore their networks quickly, Neuberger believes the hackers were laying the groundwork for future destructive attacks.

As tensions between Russia and Ukraine rise, Britain has joined the United States in blaming the GRU military intelligence agency for the widespread denial-of-service attacks. The strike, according to the British Foreign Office, "showed a persistent disdain for Ukrainian integrity. This is just another example of Russia's aggressive behavior toward Ukraine."

The Russians may also be laying the groundwork for more disruptive measures in the event of an invasion of Ukraine. Neuberger remarked, "We expect more destabilizing or damaging cyber action if Russia decides to continue its invasion of Ukraine, and we're working closely with friends and partners to guarantee we are prepared to call out the behavior and respond."

The United States was publicly criticizing Russia because it needed to "call out the action swiftly." "The international community must be ready to expose harmful cyber operations and hold actors accountable for any disruptive or damaging cybersecurity threats," Neuberger added. 

The widespread denial-of-service attacks on Tuesday were described by Ukrainian officials as the worst in the country's history. They certainly affected internet banking, hampered some government-to-public interactions, and were clearly intended to induce fear. "Typical DDoS attacks survive because the defenders are untrained," said Roland Dobbins, DDoS engineer at the cybersecurity firm Netscout, adding that most of the mitigation technologies on the market designed to resist such attacks are ineffective.

EU Ready to Send a Mission to Kiev to Fight Cyberattacks

 

The EU countries, while discussing the situation around Ukraine, expressed their readiness, if necessary, to adopt a set of sanctions against Russia. French Foreign Minister Jean-Yves Le Drian said this on Monday after the EU Council meeting in Brussels. 

"This meeting showed a great degree of agreement between the Europeans and the United States. This cohesion is very important," he said, adding that diplomatic efforts are underway in connection with the escalation along the Ukrainian border. 

"I was greatly impressed by the firmness of the Europeans and their willingness to jointly present a set of sanctions, measures to contain Russia in order to prevent an offensive - military or otherwise - in Ukraine," Le Drian said. 

On the night of January 14, the websites of the Ministry of Foreign Affairs of Ukraine, the Ministry of Education, and the Ministry of Agrarian Policy and Food were subjected to massive cyberattacks. Hackers posted messages warning residents to "fear and expect the worst." In addition, Ukrainians were warned that personal information of the country's residents, allegedly uploaded to the "common network," would be destroyed without the possibility of recovery.

According to Deputy Secretary of the National Security and Defense Council of Ukraine Sergei Demedyuk, hackers associated with the intelligence services of Belarus are behind the cyberattack on Ukrainian ministries. A criminal case was later opened over the attack.

White House Press Secretary Jen Psaki noted that the United States is in contact with Ukraine regarding the incident, and also offered its assistance in the investigation. According to her, the United States, its allies, and partners are "concerned about this cyberattack." 

NATO Secretary-General Jens Stoltenberg announced that the organization will sign an agreement with Ukraine on strengthening cyber cooperation. He condemned cyberattacks on the government of Ukraine. 
 
On December 21, the American newspaper The New York Times reported that the United States and Great Britain had secretly sent a group of cybersecurity specialists to Ukraine. The West reportedly wants to help Kiev prepare for cyberattacks that are allegedly being planned.

Suspected Founder of Hacker Group The Infraud Organization Arrested in Moscow

 

It has become known that Russia will not extradite the suspected leader of the hacker group The Infraud Organization to the United States. On January 22, Russian FSB officers and other Russian law enforcement agencies, with the assistance of US law enforcement, detained four members of The Infraud Organization. Prior to that, the alleged founder, Andrei Novak, had been placed on the wanted list in the United States on charges of cyber fraud.

According to the FSB, Novak has been arrested, and three other alleged hackers have been placed under house arrest. The investigation continues to identify other members of The Infraud Organization. The detained members of the group are accused of illegal access to computer information and illegal turnover of payment funds. 

Russia has no plans to extradite Andrei Novak, the suspected leader of the international hacker group The Infraud Organization, to the United States, because Russian law prohibits the extradition of its own citizens to a foreign state.

It is noted that if any of the detained members of the organization lacks Russian citizenship, then after the investigation and trial in Russia he will be extradited to the country where the case was opened against him.

It is worth noting that in February 2018, law enforcement officers in the United States were reported to have detained 13 people accused of involvement in a criminal scheme that caused at least $530 million in damage. In total, 36 people were charged, and one Russian, Andrei Novak, was on that list.

The detained 13 people are citizens of the United States, Australia, Great Britain, France, Italy, and Serbia. The criminal group was organized by a citizen of Ukraine in 2010. 

Group-IB, a company engaged in the investigation and prevention of cybercrime in Russia (its founder Ilya Sachkov was arrested in Russia on charges of treason), said at the time that the defendants were not an organized group but had come together on hacker sites solely to carry out attacks. Group-IB suggested that their main field of activity could be carding. In addition, the cybercriminals may have run card shops (sites for the sale of bank card data) and sold accounts.

Group-IB: REvil hackers detention may affect Russian companies



Experts believe that the arrests of the REvil hacker group may create temporary problems for cybercriminals in Russia, but could also affect the well-being of Russian companies.

"At the moment, we do not see a significant decrease in the number of ransomware attacks. As for REvil, they have not been active for several months anyway. At the same time, this situation may negatively affect Russian companies. Russian-speaking cybercriminals may attack them more actively," said Oleg Skulkin, head of the Group-IB Computer Forensics Laboratory.

The company clarified that for a long time many Russian-speaking hackers "did not work in Russia and the CIS," as it was unsafe. However, over the past two years, ransomware attacks in Russia and the CIS have become more frequent, and the detention of REvil members may spur them on: after successful international operations, the unspoken prohibitions may be forgotten.

At the same time, the expert did not rule out that cybercriminals may temporarily have problems. "Of course, they may have difficulties with cashing out funds obtained illegally. Perhaps some of the partners will stop their activities for some time," Skulkin said. 

After the detention of REvil, hacker gangs in Russia may hide or slightly reduce the intensity of attacks, but they will definitely not give up on them, says Pavel Korostelev, head of the product promotion department of the Security Code company. 

"Now hackers will probably wait until the dust settles, but gangs don't have a single control center that says: 'Stop, no more attacks'. It's a way of making money, so there will always be people willing to take risks. If business does get better, it won't be for long," the expert said.



Russian accused of developing programs for the Trickbot hacker network extradited from South Korea to US

The US Department of Justice said that the Russian is a member of a hacker group that used the Trickbot malicious network. The network has been used to attack "millions of computers" around the world, including schools, banks, healthcare, energy and agricultural companies, the prosecution said.

According to the ministry's press release, 38-year-old Vladimir Dunaev and his accomplices stole money and confidential information from November 2015 until August 2020, and also damaged computer systems. Individuals, financial and state institutions, utilities and private enterprises are among the victims of the hackers' actions.

The US Department of Justice clarifies that Mr. Dunaev was allegedly one of the developers of malware for the Trickbot network. He was engaged in creating modifications for the browser and helped malicious software bypass security programs.

The Russian was extradited from South Korea to the United States last week, on October 20. He is charged with conspiracy to commit computer fraud and identity theft, conspiracy to commit information technology and banking fraud, and conspiracy to launder money. In total, more than 10 people are involved in the case, including four Russians and one Ukrainian.

In June, similar charges were brought against a citizen of Latvia, Anna Witte, whom the US Justice Department also considers a member of the hacker group that used Trickbot. This network, according to the American side, operated from Russia, Ukraine, Belarus and the Republic of Suriname (South America). The Washington Post wrote that Trickbot is allegedly controlled by Russian-speaking attackers. In November 2020, the network was taken down in an operation in which the American company Microsoft took part.

Russian hacker: a DDoS attack could be the reason for the social network outage

Earlier, Facebook said that a large-scale failure did not lead to a leak of user data. Facebook's representatives assured that there is no such evidence. The company also confirmed that unsuccessful software configuration changes led to the failure.

According to Varskoy, the reason why the version about an external attack on the service is excluded is quite obvious. The hacker believes that the company does not want to lose the trust of customers and money.

“All the journalists were waiting for what Facebook itself would say, and the company gave them an answer that would satisfy them. All other versions after that will look like just versions. I am almost sure that we are dealing with a common technical phenomenon, but I would not rule out the attack version one hundred percent,” Varskoy added.

The hacker is skeptical that Facebook could have concluded so quickly that no leak occurred, since establishing whether or not a leak took place takes more time.

The expert noted that if this really was an attack, then its authors have very substantial resources at their disposal, consisting of many machines. According to Varskoy, hackers could have been using the outage simply to demonstrate their strength.

Recall that on the evening of October 4, thousands of users around the world complained about disruptions in the messenger WhatsApp, as well as the social networks Facebook and Instagram. Following this large-scale failure, users reported problems with Twitter, Google and Amazon.

In addition, it became known that the data of more than one and a half billion Facebook users had leaked online and was being sold on a popular hacker site. The names, email addresses, phone numbers, gender, and even the identity cards of the users are available for purchase. According to the Telegram channel Mash, this is the largest and most significant leak of Facebook data in history.

Russia's 'Cozy Bear' Breached the Systems of the Republican National Committee
According to two people familiar with the situation, Russian government hackers broke into the Republican National Committee's computer systems last week, at the same time a Russia-linked criminal group launched a huge ransomware attack. According to the sources, the government hackers were members of a group known as APT 29 or Cozy Bear. 

That organization has previously been linked to Russia's foreign intelligence service and has been suspected of hacking the Democratic National Committee in 2016 and a supply-chain cyberattack involving SolarWinds Corp., which infiltrated nine US federal organizations and was revealed in December. It is unclear what data the hackers accessed or took, if any. The RNC has denied being hacked on many occasions. “There is no indication the RNC was hacked or any RNC information was stolen,” spokesman Mike Reed said. 

Chief of Staff Richard Walters claimed in a statement released after this story was posted that the RNC learned over the weekend that a third-party provider, Synnex Corp., had been breached. “We immediately blocked all access from Synnex accounts to our cloud environment,” he said. “Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials, on this matter.”

Microsoft declined to disclose any additional information in a statement. A company spokeswoman responded, “We can’t talk about the specifics of any particular case without customer permission. We continue to track malicious activity from nation-state threat actors -- as we do routinely -- and notify impacted customers.” Dmitry Peskov, a spokesman for the Kremlin, denied that the Russian government was involved. “We can only repeat that whatever happened, and we don’t know specifically what took place here, this had no connection to official Moscow,” he said on a conference call. 

The RNC attack, combined with the recent ransomware incident, is a big provocation to President Joe Biden, who warned Russian President Vladimir Putin about cyberattacks at a summit on June 16. As agreed at the meeting, the two countries have been holding "some contacts" about cybersecurity, according to Peskov, who declined to disclose specifics or comment on whether the recent incident was discussed. 

It is unclear whether the RNC hack is linked to the ransomware strikes, which used a number of previously discovered flaws in software from Miami-based Kaseya Ltd.

JetBrains – A possible Doorway to Massive Hacking Plot?

JetBrains, a software company based in the Czech Republic, could possibly have been used as a doorway by Russian hackers to secure access to United States private sector and federal government systems. American intelligence agencies and private cybersecurity researchers are investigating whether the company's software was used as a pathway to inject malware that would then spread to several technology firms.

JetBrains, established in Prague, Czech Republic, has more than 1,200 employees, and its products are used across the globe by more than 300,000 companies and 9,000,000 developers, including 79 Fortune Global 100 companies and 95 Fortune 100 companies. JetBrains is widely recognized as a leading maker of software development tools.

Numerous leading companies such as Citibank, Google, Netflix, HP, Twitter, Volkswagen, Expedia, NASA, Valve, Ubisoft, VMware, The New York Times, and Hewlett-Packard are among its customers, and its tools are also used in developing software for Siemens, a leading supplier of technology in sensitive settings such as nuclear and power plants.

Maxim Shafirov, the company's chief executive officer, stated in a post that "we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation, if such an investigation is undertaken, the authorities can count on our full cooperation".

SolarWinds, the company based in Austin, Texas, is one of the primary customers of JetBrains. TeamCity, a JetBrains product, is a continuous integration and deployment system used for unit testing and code quality analysis. The threat actors are suspected of having exploited high-severity vulnerabilities in this software to gain access to the SolarWinds TeamCity server. However, JetBrains' CEO denied all allegations regarding the involvement of the company in the SolarWinds hack.

The FBI arrested a Russian associated with Deer.io
The Federal Bureau of Investigation arrested a Russian citizen who allegedly supported the sale of hacked accounts and personal data of Internet users. The arrest occurred at the John F. Kennedy Airport.

"We received information from American law enforcement agencies that he was detained on March 7. He is in New York now in a Manhattan detention center," said Alexei Topolsky, a spokesman for the Russian Consulate.

According to him, the initiative for the arrest came from the San Diego FBI. The Russian has not yet contacted the Consulate.

According to the FBI, Mr. Firsov managed the platform Deer.io, which hosted online stores engaged in illegal activities. The arrest warrant indicates that Firsov took part in the operation of Deer.io since its launch (October 2013).

According to the prosecution, Firsov is the administrator of this platform, which is located in Russia and gives criminal elements an opportunity to sell their "products and services". The prosecution claims that the platform sells hacked American and international financial and corporate information, personal data, and stolen accounts at many American companies.

The prosecution said that a cybercriminal who wants to sell contraband or offer criminal services through the platform can do so for $12 a month. The monthly fee is paid in bitcoins or via a number of Russian payment systems, such as WebMoney. According to Firsov, more than 24 thousand stores operated on the site, which brought in more than $17 million.

American law enforcement officers opened a criminal case, according to which Deer.io was used almost exclusively for cybercrime purposes. The FBI found stores on Firsov's site that sold access to hacked accounts, servers and users' personal data.

The Bureau said that Kirill Firsov was aware of who uses his platform, and more than once advertised Deer.io on cybercrime forums.

Russian hacker accused the ex-employee of Kaspersky Lab of forced hacking

A hacker who has been in a pretrial detention center for a fifth year has made a statement to the head of the Investigative Committee of Russia. He insists that his case was fabricated with the participation of a Kaspersky Lab employee who was convicted of high treason along with FSB officers.

Russian hacker Dmitry Popelysh, accused of stealing money from the accounts of Sberbank and VTB together with his twin brother Eugene, said that he sent a complaint to the head of the Russian Investigative Committee. According to the hacker, the criminal case against him and his twin brother was fabricated.

The hacker said that the ex-employee of Kaspersky Lab, Stoyanov, blackmailed and threatened him. Later, he demanded that the Popelysh brothers provide technical support for certain servers.

It is reported that mentions of an unknown employee who forced the hackers to commit hacks appear in Popelysh's 2015 confession. However, this information was not verified by the investigation.

Previously, Stoyanov was the head of the computer incident investigation department at Kaspersky Lab. He also participated in the expert examination in the Popelysh case.

The representative of Kaspersky Lab told that the company is not aware of Dmitry Popelysh’s appeal to the Investigative Committee.

Recall that in 2012 the brothers Popelysh were convicted of embezzlement of 13 million rubles from customers of banks. In 2015, they were again detained and accused of creating and actively using malware. According to the case, the men stole about 12.5 million rubles ($195,000) in two years. In the summer of 2018, they were sentenced to eight years. In 2019, the sentence was canceled in connection with "violations committed during the preliminary investigation." In total, they have been detained for four years and four months.

It is interesting to note that Dmitry Popelysh is already the second Russian hacker to publicly state that the experts investigating his criminal case forced him to commit hacks. Konstantin Kozlovsky, who has been in a pretrial detention center since May 2016 on charges of organizing the hacker group Lurk, claimed that he was recruited by the FSB in 2008 and carried out various cyber attacks for a long time. He also mentioned that his supervisor was FSB major Dmitry Dokuchaev.

JPMorgan hacker to plead guilty next week in New York

One of the key suspects in the enormous JPMorgan Chase hack in 2014, the Russian hacker Andrei Tyurin, is set to plead guilty next week in New York.

He was one of several people charged in the case in 2015 and remained at large until Georgian officials caught up with him a year ago. Gery Shalon, the supposed instigator of the conspiracy, was arrested in Israel in 2015 and handed over to the US, and he has allegedly been in touch with American authorities.

During Tyurin's first New York court appearance, it was suggested that his associations in the criminal world might enable investigators to examine Russian efforts to disrupt the 2016 US presidential election through cyber-attacks and hacking.

Tyurin was first produced in a US court in September of the previous year after he was handed over from the Republic of Georgia, and he pleaded not guilty to charges including hacking, wire fraud, identity theft and conspiracy.

Since then, various hearings in his case have been cancelled as prosecutors and defence attorneys worked toward an agreement, and just last week the Manhattan US attorney's office sought to consolidate his New York case with one in Atlanta, in which he is one of several people accused of hacking E*Trade.