Search This Blog

Showing posts with label Russian Hackers. Show all posts

14 Account's Email System Targeted the Green Party of Germany

 

The foreign minister Annalena Baerbock and the economy minister Robert Habeck's email accounts were both compromised last month, according to the German Green party, which is a member of the coalition government of the nation. 

The party acknowledged a revelation published on Saturday by the German magazine Der Spiegel, but claimed that the two had stopped using official party accounts since January.

According to a report on a German magazine Der Spiegel on Thursday, the Green Party said that a total of 14 accounts, including the party's co-leaders' Omid Nouripour and Ricarda Lang, were also hacked and that certain messages were sent to other servers. The article further read that the attack also had an impact on the party's "Grüne Netz" intranet IT system, where private information is exchanged.

The party declined to acknowledge Der Spiegel's claim that an electronic trace suggested the cyberattack may have originated in Russia because of the current investigation by German authorities.

"More than these email accounts are affected," the party official claimed. The topic concerns emails using the domain "@gruene.de." The representative stated that it was yet unknown who had hacked in. The first indication of the attack came on May 30 and since June 13, when specialists determined that there had been a breach, access to the system has been restricted. 

Authorities blamed the unauthorized access on Russian state-sponsored hackers. Baerbock has consistently taken a harsh approach in response to Russia's abuse of human rights and aggression against Ukraine. Since taking office in December, Habeck has been in charge of Germany's initiatives to wean itself off of Russian energy sources.

Network logs, according to the Greens, did not reflect any signs of the increased traffic levels that would indicate the theft of a significant amount of data.

Millions of Loan Applicant's Data is Leaked via an Anonymous Server

The security team at SafetyDetectives, led by Anurag Sen, revealed the specifics of a misconfigured Elasticsearch server that exposed the personal information of millions of loan applicants. The information primarily came from individuals who applied for microloans in Ukraine, Kazakhstan, and Russia. 

The server was identified randomly on December 5th, 2021, while monitoring specific IP addresses. Since the anonymous server lacked authentication mechanisms, it was left vulnerable and unprotected, resulting in the loss of over 870 million records and 147GB of data. 

SafetyDetectives couldn't identify the server's host. Customers' logs from a variety of microloans providers' websites were stored on a server, however, the majority weren't financial services like lenders or banks, but rather third-party intermediates who operate as a link between the loan firm and the applicant. The majority of the data in the server's logs were in Russian which led experts to conclude that the server is owned by a Russian corporation. 

Different types of personal information (PII) and sensitive user data were revealed in this leak, according to SafetyDetectives researchers, including details of users' "internal passports" and other types of data. Internal passports are used to substitute for national IDs in Russia and Ukraine. They are only valid within the country's borders. 

The internal passport details revealed in the exposed data include Marital status Gender, Birthdate, location, physical address, full name, including first, middle, and patronymic names. Number of passports, issue/expiration dates, and serial number. Some of the disclosed information, including cities, names, addresses, and issued by places, was written in Cyrillic script, which is generally utilized in Asia and Europe.

This vulnerability is estimated to affect around 10 million users. Most INNs belonged to Ukrainians, but several server logs and passport numbers belonged to Russians. The server was based in the Dutch city of Amsterdam. 

On December 14th, 2021, SafetyDetectives contacted the Russian CERT, and the Dutch CERT on December 30th, 2021. Both, though, declined to assist. On January 13th, 2022, the server's hosting company was informed, and the server was secured the same day. Given the scope and type of the data exposed, the event might have far-reaching consequences.

Caramel Credit Card Theft is Proliferating Day by Day

 

A credit card stealing service is gaining traction, providing a simple and automated option for low-skilled threat actors to enter the sphere of financial fraud. Credit card skimmers are malicious scripts that are put into compromised e-commerce websites and wait patiently for customers to make a purchase. 

Following a purchase, these malicious scripts capture credit card information and transport it to remote sites, where threat actors can collect it. Threat actors then use these cards to make online purchases for themselves or sell the credit card information to other threat actors on dark web markets for as little as a few dollars. Domain Tools found the new service, which claims that it is run by a Russian criminal outfit called "CaramelCorp." 

Subscribers receive a skimmer script, deployment instructions, and a campaign management panel, which includes everything a threat actor needs to start their own credit card stealing campaign. Caramel only sells to Russian-speaking threat actors after a first verification procedure that weeds out individuals who use machine translation or are new to the sector. 

A lifetime subscription costs $2,000, which isn't cheap for aspiring threat actors, but it includes complete customer service, code upgrades, and growing anti-detection methods for Russian-speaking hackers. 

The "setInterval()" technique, which exfiltrates data between preset periods, is used to acquire credit card data. While it may not appear to be an efficient strategy, it can be used to collect information from abandoned carts and completed purchases. Finally, the campaigns are managed through a panel that allows the subscriber to monitor the affected e-shops, configure the gateways for obtaining stolen data, and more. 

While Caramel isn't new, and neither are skimming campaigns. In December 2020, Bleeping Computer discovered the first dark web posts offering the kit for sale. Caramel has grown in popularity in the underground scene thanks to continued development and advertising. The existence of Caramel and other similar skimming services lowers the technical barrier to starting up and managing large-scale card skimming campaigns, potentially increasing the prevalence of skimmer operations. 

One can defend themself from credit card skimmers as an e-commerce platform user by utilising one-time private cards, putting up charging limitations and prohibitions, or just using online payment methods instead of cards.

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.

New Android Spyware Linked to Russia Hacking Group Turla

 

A new Android spyware application has been spotted and detailed by a team of cybersecurity experts that records audio and tracks location once planted in the device. The spyware employs an identical shared-hosting infrastructure that was previously identified to be employed by a Russia-based hacking group known as Turla. 

However, it remains unclear whether the Russian hacking group has a direct connection with the recently identified spyware. It reaches through a malicious APK file that works as Android spyware and performs actions in the background, without giving any clear references to users. 

Researchers at threat intelligence firm Lab52 have discovered the Android spyware that is named Process Manager. Once installed, the malware removes its gear-shaped icon from the home screen and operates in the background, exploiting its wide permissions to access the device's contacts and call logs, track its location, send and read messages, access external storage, snap pictures, and record audio. 

The spyware collects all the data in JSON format and subsequently transmits it to a server located in Russia. It is not clear whether the app receives permissions by exploiting the Android Accessibility service or by luring users to grant their access. 

According to Lab52 researchers, authors of the Android spyware have exploited the referral system of an app called Roz Dhan: Earn Wallet Cash which is available for download on Google Play and has over 10 million downloads. The spyware attempts to download and install an application using a goo.gl that eventually helps malicious actors install it on the device and makes a profit out of its referral system.

It seems relatively odd for spyware since the cybercriminals seem to be focused on cyber espionage. According to Bleeping Computer, the strange behavior of downloading an app to earn commissions from its referral system suggests that spyware could be a part of a larger scheme that is yet to be uncovered. 

"The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by the malware," the researchers said. "The attacker installs it on the device and makes a profit." 

To mitigate the risks, Lab52 researchers have recommended Android users avoid installing any unknown or suspicious apps on their devices. Users should also review the app permissions they grant to limit access of third parties to their hardware.

Viasat: Acid Rain Virus Disable Satellite Modems

 

The cyberattack which targeted the KA-SAT satellite broadband service to erase SATCOM modems on February 24 used a newly discovered data wiper virus. It impacted thousands in Ukraine and thousands more across Europe. 

A cybersecurity firm, SentinelOne, claims to have discovered a malware sample, which disrupted internet connectivity on February 24. The malware, called AcidRain, which was also likely utilized in the Viasat breach, is a Unix executable application which is meant to attack MIPS-based devices. This could indicate the attackers' lack of experience with the filesystem and firmware of the targeted devices, or their desire to create a reusable tool.

The same sample came from SkyLogic, the Viasat operator in charge of the damaged network, which is also situated in Italy. The software sample was also tagged with the moniker "ukrop," which could be a reference to the Ukraine Operation. 

The researchers underscored that Viasat did not offer technical indicators of compromise or a detailed incident response report. Instead, rogue commands damaged modems in Ukraine and other European countries, according to the satellite industry. The SentinelOne duo were perplexed as to how valid orders could produce such mayhem in the modem, "scalable disruption is more feasibly performed by delivering an update, script, or executable," they added. 

The program wipes the system and various storage device files completely. AcidRain executes an initial repetitive replacement and removal of non-standard files in the filesystem if the malware is launched as root "Juan Andres Guerrero-Saade and Max van Amerongen," SentinelOne threat experts, revealed. 

The wipers overwrite file structures with up to 0x40000 bytes of data or utilize MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) service calls to erase data on compromised devices. 

The fact Viasat has supplied nearly 30,000 modems to get clients back online since the February 2022 attack and is still shipping more to speed up service restoration, suggests that SentinelOne's supply-chain threat scenario is correct. The IOCTLs used by this virus also resemble those used by the VPNFilter malware 'dstr' wiper plugin, a destructive program linked to Russian GRU hackers. 

The Ukrainian Computer Emergency Response Team recently stated a data wiper known as DoubleZero had been used in assaults on Ukrainian businesses. On the same day that Russia invaded Ukraine, they discovered IsaacWiper, a data wiper, and HermeticWizard, a new worm which dropped HermeticWiper payloads. ESET has discovered a fourth data-destroying malware strain called CaddyWiper, which wipes data across Windows domains and eliminates user data and partition information from associated drivers. 

Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January, which was being used in data-wiping attacks targeting Ukraine while masquerading as ransomware.

The Russian Hacker Group Killnet Took Down the Anonymous Website

 

The Russian hacker group Killnet said that they took down the Anonymous website "anonymoushackers[.]net" and called on Russians not to believe the Internet fakes and to stay calm. Killnet's appeal was published on one of its Telegram channels on Tuesday, March 1. 

According to the hacker group, "the Internet is full of fake information about hacking Russian banks, attacks on the servers of Russian media and much more. All this has no danger to people. This "information bomb" carries only text. And no more harm. Don't give in to fake information on the Internet. Do not doubt your country". 

Hackers blamed the events in Ukraine on the country's President, Vladimir Zelensky, as well as American leader Joe Biden. The leaders of the EU countries, as they say in the appeal, are following the lead of the United States. 

 According to independent verification done by CySecurity News, there is no official website for Anonymous Group. 

Russian hackers said that they had already disabled the website of the Anonymous group, along with the website of the Right Sector banned in the Russian Federation. The Anonymous hacker group declared a cyberwar on Russia and claimed responsibility for a hacker attack, for example, on the RT website. 

On February 28, the websites of Izvestia, TASS, Kommersant, Forbes, Fontanka, Mela, E1, Buro 24/7, RBC, Znak.Com and other Russian media were hacked. On the same day, massive DDoS attacks were launched against websites of the Crimean government and authorities. Hackers used a botnet with IP addresses mostly located in North and South America, Taiwan, and a number of other countries. 

On February 26, the Ministry of Information reported that users of the public services portal may face difficulties when working with the services of the site due to cyberattacks. At the same time, the department clarified that the personal data and information of citizens are reliably protected. On the same day, the administration of the President of the Russian Federation reported regular cyberattacks on the Kremlin's website. Moreover, Russian Railways reported that the company's website is subject to regular serious DDoS attacks. 

Earlier, Information security expert Nenakhov told what danger Anonymous hackers pose to Russia. According to him, DDoS attacks are the easiest thing that can happen. Government websites, government online services such as Gosuslugi, email, social media accounts of politicians, websites, and the IT infrastructure of state banks and defense companies are relatively more vulnerable to attacks.


As the Ukraine Conflict Escalates, US Braces for Russian Cyberattacks

 

Some of the most serious cyberattacks on US infrastructure in the last two years have been traced back to Russian hackers. The SolarWinds hack, which infiltrated multiple government departments in 2020, the ransomware attack that forced the suspension of one of America's main fuel pipelines for several days last year, and another attack on JBS, one of the world's largest meat producers, are also on the list. 

The US administration is on high alert for signs of Russian cyberattacks on banks and other financial institutions, following Moscow's broad strike on Ukraine on Thursday, which drew harsh international sanctions. According to a homeland security source with knowledge of the situation, Russia's cyberthreat to the United States is still active and has not changed since Russian President Vladimir Putin started a full-scale invasion of Ukraine. 

Threats to the national grid and big American institutions, according to the source, are a definite possibility. The Department of Justice and the FBI are both bracing for a potential attack and closely monitoring any strange cyber activity. The Department of Justice has a whole national security division devoted to this.

If Russia entered and hacked the US power system, intelligence believes that it will take between one and two weeks to restore full functioning. The US government has previously disclosed information indicating that Moscow mounted a vast hacking campaign to breach America's "critical infrastructure," which includes power plants, nuclear power plants, and water treatment plants.

Russia has also been accused of conducting online disinformation campaigns aimed at the United States, including efforts to meddle with US elections and cause unrest. This week, US authorities again accused Russian intelligence of spreading misinformation about Ukraine. 

While many online attacks cannot be explicitly traced to the Russian state, Herb Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation, believes that hackers work with Russia's support. 

"They don't operate directly for the Russian government, but they operate under a set of rules that says: 'you guys do what you want, don't target Russian stuff and we won't bother you,'" Lin said. 

Even if Russian hackers do not directly target US organisations, Ukraine's reliance on foreign technology, according to Lin, can cause significant problems for the US. If the crisis in Ukraine worsens, "all the stuff in the US that directly aids the Ukrainian military machine becomes fair game for the Russians to target," Lin added.

Entropy Ransomware Connected to Dridex Malware, as per Sophos

 

The recently found Entropy ransomware has coding similarities to the Dridex malware, which started out as a banking trojan. After two Entropy cybercrimes on different firms, researchers were able to establish a bond between the different pieces of malware. 

Sophos principal researcher Andrew Brandt claimed in a new study detection signature designed to detect Dridex which prompted a closer look into the Entropy virus, both of the target businesses had gadgets were unprotected. Despite the characteristic for recognizing the Dridex packer code, endpoint protection measures blocked the attack, which was started by identifying the Entropy packer code.

In all incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite some similarities, the twin attacks differed greatly in terms of the initial access point used to parasite its path within the networks, the period invested in each environment, and the malware utilized to initiate the final stage of the invasion. 

The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing espionage and data theft before launching the cyberattack in December 2021. The second attack on the provincial government agency was made possible via a malicious email attachment carrying the Dridex virus.

Notably, prior to encryption of the files on the hacked machines, redundant exfiltration of confidential documents to more than just one cloud storage service – in the form of packed RAR archives – occurred within 75 hours of the initial discovery of a suspect login session on a single machine. Apart from employing respectable tools like AdFind, PsExec, and PsKill, the resemblance between Dridex and Entropy samples and past DoppelPaymer extortion infections has raised the likelihood of a "similar origin."

The network of links between the various types of malware is worth mentioning; the Dridex malware, an information-stealing botnet, is thought to be the product of Indrik Spider, a well-known Russian cybercrime outfit  Evil Corp. 

The Evil Corp cluster continues to improve its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to mislead attribution. SentinelOne researchers identified the "evolutionary" ties in a standalone analysis, claiming nearly identical design, implementation, and functionality amongst various iterations of the malware, with the file-encrypting malware buried using a packer named CryptOne. 

"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, chief researcher at Sophos. Attackers would have had to work harder to gain first access into the Exchange Server if it had been patched properly.

The Reaction of Russian Hackers to the Arrests of REvil Became Known


Russian hackers have made their own security issues a priority after the arrests of other cybercriminals, including from the REvil group. Dmitry Volkov, CEO, and founder of Group-IB spoke about this reaction of the darknet to the events taking place. "Security and anonymity have become priorities after the precedents with the shutdown of REvil servers, the arrests of members of the group, as well as the detention in Russia of criminals who helped to cash out the incomes of cybercriminals. Another catalyst for this was the release of the fight against ransomware to the state level,” Mr. Volkov said. 

At the same time, partner programs that distribute ransomware on the dark web have become more closed. Now only those who are personally acquainted with its organizer can take part in such a project. According to Group-IB analysts, all this is happening against the background of the consolidation of the darknet around ransomware and the groups involved in it. 

"The entire criminal underground unites around ransomware. Everyone found a job: both those who sell access to hacked companies, those who attack them, and those who negotiate for ransom or post stolen data on the darknet. New groups will constantly appear in this market, reassembled from previous associations," Mr. Volkov is sure. 

According to Group-IB, the main list of victims at the country level, as well as the industry preferences of hackers remained unchanged. Globally, almost half of ransomware attacks are in the US (49.2 percent in 2021). Canada (5.6 percent) and France (5.2 percent) followed closely behind. Manufacturing enterprises are most often attacked (9.6 percent of attacks), the real estate sector (9.5 percent), and the transport industry (8.2 percent). 

"This became apparent after the ransomware attack on a hospital in Germany, which killed a person, and also after the attack on the Colonial Pipeline, which attracted the attention of US authorities. At the same time, individual groups, of course, can violate these unspoken prohibitions,” Mr. Volkov concluded.

Ukraine Government Websites Targeted in a Suspected Russian Cyber Attack

 

Threat actors targeted multiple Ukrainian government websites on Friday, temporarily disabling sites and leaving messages warning readers to “be afraid and expect the worse.”

According to Ukrainian officials said, it is too early to draw any conclusions but they pointed to a “long record” of Russian cyber-attacks against Ukraine as tensions between Russia and the West over Ukraine escalate following several rounds of unsuccessful talks. 

Ukraine’s foreign ministry described the incident as a “massive cyberattack,” but noted that no content on the sites had been altered and no personal details had been leaked.

Websites for the government’s cabinet, security and defense councils, and ministry for education were among those affected. “Our specialists are already working on restoring the work of IT systems, and the cyber police opened an investigation,” said the spokesperson. 

The foreign ministry website temporarily displayed a message in Ukrainian, Russian, and Polish that appeared to suggest the attack was in response to Ukraine's pro-Western stance. "Ukrainians! All of your personal data .. have been deleted and are impossible to restore. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, OUN, UPA, Galitsia, Polesye and for historical lands," it said, referring to ultra-nationalist organizations and regions of Ukraine. 

The authorities including the SBU security service and Cyberpolice are working to address the issue. The education ministry said that the attack comes as tensions between Russia and the West soar over Ukraine, a strategic ex-Soviet country. The Western intelligence has blamed Russia for deploying tanks, artillery, and about 100,000 soldiers on Ukraine's war-torn eastern border in recent weeks, in what NATO says is preparation for an invasion. Meanwhile, Moscow says it has no plans to invade Ukraine. 

Earlier this week the United States and its NATO allies held talks with Russian officials in an attempt to ease tensions, but all three rounds of negotiations -- in Geneva, Brussels, and Vienna -- proved unsuccessful. 

Ukraine has suffered a series of cyber-attacks since 2014, which have knocked out power supplies, frozen supermarket tills, and forced the authorities to prop up the hryvnia currency after banks' IT systems crashed.

Russian hacker arrested in US who may have information about Russian interference in American elections

According to Bloomberg sources in the Russian and American security and intelligence agencies, Klyushin is a Kremlin insider and even a year and a half ago received a state award from Putin, the Order of Honor.

They added that Klyushin has access to documents that relate to the Russian campaign to hack the servers of the Democratic Party during the US elections in 2016. According to them, these documents confirm that the hacking was carried out by a group of hackers from the GRU, which is known under the names Fancy Bear and APT28. In addition, some sources expressed the opinion that Klyushin has access to secret records of other high-ranking GRU operations abroad. All this can make Klyushin a useful source of information for the US authorities, especially if he asks the court for leniency.

Another argument that Klyushin has this valuable information for the U.S. is that his subordinate at M13 was former ex-GRU operative Ivan Yermakov. In 2018, he was one of the defendants accused of hacking into the computer systems of the Democratic Party.

Recall that on December 19, Switzerland extradited Klyushin to the United States. He is suspected of illegal trading in securities worth tens of millions of dollars. Klyushin is the head of the M13 company, which has developed the Katyusha media monitoring system for the Ministry of Defense and the Presidential Administration.

In 2017, The Insider managed to prove that the Fancy Bear group consists of employees of the military unit 26165 GRU. A year later, this data was confirmed by the US Department of Justice, officially bringing charges against a group of hackers. The most famous operation APT28 was the hacking of the servers of the Democratic Party in 2016, designed to help Donald Trump defeat Hillary Clinton in the presidential election.

Russian hacker created the RedLine program, which steals passwords and bank card data in browsers

The RedLine malware attacks browsers based on the Chromium engine — Chrome, Edge, Yandex.Browser and Opera, as well as on the basis of the Gecko engine - Mozilla Firefox and Netscape. RedLine steals saved passwords, bank card data, information about cryptocurrency wallets, cookies, system information, and other information from browsers.

Further, experiments showed that the program collects any sensitive information stored in browsers, and in addition allows you to control the computers of victims via the SOAP remote access protocol and hypothetically create botnets from them. The problem affects not only companies but also ordinary users.

The RedLine program appeared on the Russian darknet in February 2020. The announcement of its sale was posted by a Russian-speaking user with the nickname REDGlade.

The AhnLab ASEC report calls RedLine a serious cyber threat. ASEC discovered the program in 2021 when they were investigating the hacking of the network of an unnamed company. It turned out that access was carried out through a VPN service from an employee's computer infected with RedLine.

Attackers sell malware on the darknet and telegram for an average of $150-200. RedLine is distributed using phishing mailings with attached files in the format .doc, .xls, .rar, .exe. It is also uploaded to domains that disguise themselves as an online casino or, for example, the website of the Krupskaya Confectionery Factory.

It is worth noting that in December 2021, RedLine became the most popular program used in cyber attacks. Since the beginning of the month, more than 22 thousand attacks have been carried out with the help of RedLine.

Experts urged not to store credentials in browsers, suggesting instead to use a password manager and enable two-factor authentication wherever possible.

Hacker who developed cheats for "World of Tanks" was brought to court

For several years, on his website, a native of Yekaterinburg, Andrei Kirsanov, according to police, managed to sell thousands of packages with bots and cheat programs that allowed users to receive unfair advantages over other players. The damage caused to the creators of games is estimated at 670 million rubles ($9 million).

A Moscow court has begun considering a criminal case against Yekaterinburg resident Andrey Kirsanov, accused of creating, using and distributing malicious computer programs.

It should be noted that before that no one was brought to criminal responsibility just for the interference in the gaming computer industry.

The defendant in the case was the Belarusian company Wargaming, a publisher and developer of computer games, including the popular online tank and naval action World of Tanks and World of Warships.

In them, players take control of military equipment - tanks and ships - and participate in online battles. For winning such battles, they receive in-game currency and experience points, which allow them to develop and discover new, more powerful equipment.

According to the company's representatives, since the release of the games, a large number of malicious programs have been created for them that allow users to gain unfair advantages over other players — bots and cheats. According to Wargaming, some users lose interest in the game, including due to the fact that rivals use such malware. Representatives of the company said that only last year more than 10 thousand bots were excluded from the game in World of Tanks.

As the employees of the Ministry of Internal Affairs of Russia have established, since 2015, hackers sold bots and cheat programs for playing World of Tanks and World of Warships through the Cyber ​​Tank and Cyber ​​Ship websites.

Russian hackers have posted confidential British police data

The hacker group Clop, allegedly linked to Russia, put up for sale data stolen from the British police. This statement was made on Sunday by the Mail on Sunday newspaper.

According to the publication, information stolen by hackers can be bought on the darknet. The Mail on Sunday says that information from the Police national computer system (PNC), where information about 13 million British residents is stored, could have fallen into the hands of hackers.

"We are aware of the incident and we are working with our law enforcement partners to understand and limit the extent of its potential consequences," the Kingdom's National Cyber Security Center said.

The ransomware attack reportedly targeted the British IT company Dacoll, one of whose divisions provides remote access to PNC for 90% of UK police forces.

The company confirms that the incident happened on October 5, but claims that it was related only to the company's internal network and did not affect its clients or their systems. Meanwhile, the Mail on Sunday claims that information from Dacoll's customers was put up for sale after the company refused to pay a ransom to hackers, the amount of which was not disclosed.

British cybersecurity expert Philip Ingram said that the damage caused by such a data leak is immeasurable, as now there are serious questions about the security of solutions used by numerous public and private organizations.

It is worth noting that the Clop group has been actively using the malware family with the same name since the winter of 2019, demanding a ransom for the return of access to blocked data. Some companies specializing in protection against hackers have suggested that some of the members of the group live in Russia.

Google sued two Russians hackers

Google has filed lawsuits against two Russians - Dmitry Starovikov and Alexander Filippov. According to the company, they are behind the activities of a botnet called Glupteba.

The corporation claims that Glupteba has infected more than a million Windows devices worldwide, the increase in infections can be "thousands" daily. The botnet was used to steal Google user account data. Most often, the infection occurred after users downloaded free applications from unauthorized sources.

In addition to stealing and using other people's data, Glupteba was aimed at covert mining of cryptocurrencies and redirecting other people's traffic through infected computers and routers. Using this method, illegal traffic can also be redirected to other people's devices.

Google notes the sophisticated technical complexity of Glupteba. It uses a blockchain, the decentralized nature of which allows it to effectively protect itself from work disruptions. For the company, this is the first case of fighting a botnet on the blockchain.

The main infrastructure of the botnet is now neutralized. Those who managed the network from infected devices no longer have access to it. However, the company notes that this statement is valid only at the moment.

Google assumes that it was Starovikov and Filippov who managed Glupteba, relying on data in their Gmail accounts and Google Workspace office applications. The company insists on reimbursing them for damage, as well as a lifetime ban on their use of Google services.

According to experts, this could create a positive precedent. If the Russians really manage to be punished significantly, this will significantly weaken the community as an attacker in cyberspace. At a minimum, the hackers' sense of impunity will disappear. You can read about how Google representatives tracked hackers on the company's official website.

Footage from thousands of hacked CCTV cameras sold online in Russia

Thousands of private CCTV cameras have been hacked in Russia, said Igor Bederov, head of the Information and Analytical Research department at T.Hunter. According to him, many of these devices are located in hotels, massage rooms, salons where intimate haircuts and depilation are done.

This is evidenced by the fact that there are many Telegram channels, VK publics and forums on the Web, where they sell access to hacked cameras or videos from them.

One of these channels published an advertisement for the sale of access to video from more than 300 cameras from other people's bedrooms, washrooms, medical offices, salons, changing rooms. Price — 600 rubles ($8). Thousands of screenshots from such cameras have been published as advertisements on the channel: one shows a naked woman on a massage table, the other shows a man doing intimate depilation.

“Owners of hotels, beauty salons and other types of businesses put cameras in their premises for security purposes. Often such cameras are located directly in the rooms or offices where intimate services are carried out. At the same time, they are not always properly protected,” Igor Bederov explained the reason for such leaks.

According to open sources, vulnerable cameras are located all over the world. Accesses are often sold by subscription. But this is not the only way to monetize hacked devices. For example, recently the media wrote about the sale of an archive of video from surveillance cameras in Russian hotels and saunas for 15 TB.

Experts said that in some cases such frames are used to blackmail the heroes of the video or the owners of the cameras. Various services are often used to identify people from photos. If people are not identified, hackers can always find the organization where these cameras are installed by metadata.

Oleg Bakhtadze-Karnaukhov, an independent researcher on the darknet, claims that most often attackers hack cameras with network port 37777.

It is very easy to protect the device at the same time — just change the factory settings. However, according to expert, this basic rule is often ignored.


Russians and Ukrainians accused of cybercrimes face 145 and 115 years in prison in the United States

The US Treasury has added Ukrainian Yaroslav Vasinsky and Russian Yevgeny Polyanin, accused of cyberattacks as part of the hacker group REvil, to the so-called SDN List. The persons included in it have their assets frozen, and US citizens are prohibited from doing business with foreigners on the list.

The Estonian crypto bank Chatex was also included in the sanctions list. The US Treasury Department said that sanctions are being imposed against the bank for participating in cyber ransomware in the US and for exchanging cryptocurrencies on the Chatex platform.

Yaroslav Vasinsky was arrested in Poland in October on charges of hacking the Kaseya business software provider in Florida (occurred on July 4). Polyanin remains at large, but, like Vasinsky, he, according to the US Department of Justice, participated in the operations of the hacker group REvil.

Hackers spread a malicious ransomware program among 1,500 Kaseya customers, encrypting their data and forcing some to disconnect for several days. The US suggests that the attack was carried out by the hacker group REvil. It accused Vasinsky and Polyanin of cyber hacking and conspiracy to commit fraud and money laundering. The US Treasury reported that the victims of the group paid it more than $200 million in bitcoins and other cryptocurrencies.

The court materials indicate that the Ukrainian hacker and his accomplices began to engage in the introduction of malware in April 2019. In total, by the beginning of November, the police and special services had identified about two dozen suspects in cyberattacks in 71 countries on companies and infrastructure using REvil ransomware. So, two people were arrested in Romania, five in South Korea.

The hacker group REvil (also known as Sodinokibi) has been working on the darknet since 2019. Kaspersky Lab said in its research in May 2021 that REvil distributes its encryption virus through partners (other hackers) who receive 60-75% of the ransom.


Russian hackers stole the data of world leaders from a British jewelry house

 The Daily Mail newspaper reported that the security systems of the British jewelry house Graff Diamonds were subjected to a cyberattack, as a result of which hackers gained access to the personal data of world leaders, actors and tycoons.

The article claims that the Conti hacker group allegedly linked to Russia is behind the attack.

According to the Daily Mail, hackers have already posted almost 70 thousand official documents on the darknet, including files concerning former US President Donald Trump, American TV presenter Oprah Winfrey, British football player David Beckham and others.

Hollywood actors Tom Hanks and Alec Baldwin, Crown Prince of Saudi Arabia Mohammed bin Salman, Ruler of Dubai Sheikh Mohammed bin Rashid Al Maktoum, as well as former Deputy Prime Minister of Kazakhstan Yerbolat Dosayev are also named among the clients of the jewelry house.

The hackers reported that the published data, which concerns about 11 thousand wealthy clients of the company, is only 1% of the files obtained as a result of the cyberattack.

According to cybersecurity experts, cybercriminals will demand a ransom in cryptocurrency or in jewelry. In the case of Conti hacker group, we can talk about 10% of the victim's annual income.

The jewelry house confirmed the information about the hacking of its security systems. “Unfortunately, we, like a number of other companies, have been the target of a sophisticated, albeit limited cyberattack by professional and determined criminals,” Graff Diamonds said.

According to a representative of the jewelry house, the incident has already been reported to law enforcement agencies and the ICO, the UK's data protection regulatory authority. In addition, the company also informed those customers whose data were affected.

Earlier, Microsoft reported that hackers allegedly linked to Russia committed more than 22 thousand new attacks on the networks of IT structures in four months. According to the company, we are talking about the Nobelium group, which in the United States is associated with the Russian Foreign Intelligence Service.

Russian Cybercriminals Claim to have Hacked the National Rifle Association

 

On the dark web, a well-known Russian cybercriminal gang has posted files that claim to be from the National Rifle Association. Grief, a hacking group, posted 13 files to its website on Wednesday, claiming to have hacked the NRA. It has threatened to reveal more files if it is not paid, however it has not stated how much it will cost. 

The news of the incident swiftly circulated online, with dozens of Twitter accounts with no followers attempting to magnify the attack's content by retweeting it. The accounts were formed in the previous six months and followed no one, but they shared content regarding the cyberattack, including postings from The Washington Times linked to a news report and a screenshot of Grief's website from Brett Callow, an Emsisoft threat analyst. 

When asked about the new accounts' activity, Twitter stated it reviewed "many accounts violating our platform manipulation and spam policies" and then took action. Twitter could not say who was behind the manipulative activity, or whether the accounts were linked to the group that claimed responsibility for the attack on the NRA. 

Grief, according to most cybersecurity experts, is a renamed effort by a group of Russian cybercriminals known as Evil Corp, which is currently under sanctions by the US Treasury Department. "It's the same group," said Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future. 

When contacted for comment, the NRA did not react. It did, however, issue a tweet in which it stated that it "does not share anything relevant to its physical or electronic security," and that it "takes extreme efforts to secure information regarding its members, donors, and operations." Grief, although being a criminal organization, isn't renowned for faking when it says an organization has been hacked, according to Brett Callow. "I’m not aware of any incidents in which Grief/Evil Corp has attempted to take credit for other operations’ attacks," Callow said. 

Some experts speculated that the NRA paid a ransom to its attackers after Grief temporarily withdrew the NRA from its website. Grief deleting the NRA from its website, according to Jon DiMaggio, chief security strategist at cyber threat analysis firm Analyst1, could be evidence that the NRA paid up. 

According to a screenshot uploaded by Mr. Callow, the NRA entry on Grief's leak website was available Monday, along with a file titled "corporate insurance" and other data. “Insurance docs are useful to ransomware operators as they effectively specify how much orgs can afford to pay — no matter what their balance sheets look like,” Mr. Callow tweeted.