
Lazy Koala: New Cyber Threat Emerges in CIS Region


Cybersecurity researchers at Positive Technologies Expert Security Center (PT ESC) recently uncovered a new threat actor they've named Lazy Koala. Despite lacking sophistication, this group has managed to achieve significant results.

The report reveals that Lazy Koala is targeting enterprises primarily in Russia and six other Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims belong to government agencies, financial institutions, and educational establishments. Their primary aim is to acquire login credentials for various services.

According to the researchers, nearly 900 accounts have been compromised so far. The purpose behind the stolen information remains unclear, but it's suspected that it may either be sold on the dark web or utilized in more severe subsequent attacks.

The modus operandi of Lazy Koala involves simple yet effective tactics. They employ convincing phishing attacks, often using native languages to lure victims into downloading and executing attachments. These attachments contain a basic password-stealing malware. The stolen files are then exfiltrated through Telegram bots, with the individual managing these bots being dubbed Koala, hence the group's name.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, describes Lazy Koala's approach as "harder doesn't mean better." Despite their avoidance of complex tools and tactics, they manage to accomplish their objectives. Once the malware establishes itself on a device, it utilizes Telegram, a preferred tool among attackers, to exfiltrate stolen data.

PT ESC has notified the victims of these attacks, warning that the stolen information is likely to be sold on the dark web.

Telegram Emerges as Hub for Cybercrime, Phishing Attacks as Cheap as $230

Cybersecurity experts raise alarms as Telegram becomes a hotspot for cybercrime, fueling the rise of phishing attacks. This trend facilitates mass assaults at a shockingly low cost, highlighting the "democratization" of cyber threats. In a recent development, cybersecurity researchers shed light on the democratization of the phishing landscape, courtesy of Telegram's burgeoning role in cybercrime activities. 

This messaging platform has swiftly transformed into a haven for threat actors, offering an efficient and cost-effective infrastructure for orchestrating large-scale phishing campaigns. Gone are the days when sophisticated cyber attacks required substantial resources. Now, malevolent actors can execute mass phishing endeavours for as little as $230, making cybercrime accessible to a wider pool of perpetrators. 

The affordability and accessibility of such tactics underscore the urgent need for heightened vigilance in the digital realm. Recent revelations regarding Telegram's involvement in cybercrime underscore a recurring issue with the platform's lenient content moderation policies. Experts emphasize that Telegram's history of lax moderation has fostered a breeding ground for various illicit activities, including the distribution of illegal content and cyber attacks. 

Criticism has been directed at Telegram in the past for its failure to effectively address issues such as misinformation, hate speech, and extremist content, highlighting concerns about user safety. With cyber threats evolving and the digital landscape growing more complex, the necessity for stringent moderation measures within platforms like Telegram becomes increasingly urgent. 

However, balancing user privacy with security poses a significant challenge, given the platform's encryption and privacy features. As discussions continue, Telegram and similar platforms must prioritize user safety and implement effective moderation strategies to mitigate risks effectively. 

"This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims' data," Guardio Labs threat researchers Oleg Zaytsev and Nati Tal reported. 

Furthermore, they added that "free samples, tutorials, kits, even hackers-for-hire – everything needed to construct a complete end-to-end malicious campaign." The company also described Telegram as a "scammers paradise" and a "breeding ground for modern phishing operations." 

In April 2023, Kaspersky revealed that phishers are using Telegram to teach and advertise malicious bots. One such bot, Telekopye (aka Classiscam), helps create fake web pages, emails, and texts for large-scale phishing scams. Guardio warns that Telegram offers easy access to phishing tools, some even free, facilitating the creation of scam pages. 

These kits, along with compromised WordPress sites and backdoor mailers, enable scammers to send convincing emails from legitimate domains, bypassing spam filters. Researchers stress the dual responsibility of website owners to protect against exploitation for illicit activities. 

Telegram offers professionally crafted email templates ("letters") and bulk datasets ("leads") for targeted phishing campaigns. Leads are highly specific, and sourced from cybercrime forums or fake survey sites. Stolen credentials are monetized through the sale of "logs" to other criminal groups, yielding high returns. Social media accounts may sell for $1, while banking details can fetch hundreds. With minimal investment, anyone can launch a significant phishing operation.

Decrypting the Threat: Telegram's Dark Markets and the Growing Menace of Phishing Networks


In the last few years, social media has gradually become a one-stop shop for scammers. With easily available information, scammers are able to hand-pick their target and create a customized scam for them.

Telegram is one such platform that has also emerged as a hub for all things any scammer might need to create a perfect scam. Information that was once hidden behind the screens of the dark web is now readily and publicly available on Telegram, many of which are even free to access. 

From instructional guides and phishing kits to the services of hackers for hire, this application has increasingly become a comprehensive hub, providing scammers with everything they might require for their illicit activities.

For a newcomer, it is astonishing to see how easy it is to find these marketplaces on Telegram, which were previously deep inside Tor Onion networks. Messages flow incessantly, unveiling an array of products, services, tips, and tricks—knowledge that was once exclusive to the depths of the dark web is now readily accessible. 

One of the best-known examples of such a scam is the “Bank of America” phishing page scam, which circulated in the US. This scam was built to extract the bank account details of potential targets, which were then sold on to higher-level players.

The scammers higher up the chain, who handle the extraction of cash from these accounts, operate at a further level of illicit activity characterized by greater complexity. This is precisely where the orchestrated network of the scammer's supply chain comes into play.

Planning a scheme as elaborate as this involves assembling several essential elements: 

Firstly, the foundation lies in crafting a sophisticated phishing web page, often termed a "scam page." To deploy this page seamlessly, a dependable hosting solution is indispensable. An effective email-sending system is then required to initiate the deceptive process. Crafting a compelling email message, strategically designed to lure victims to the scam page, serves as another crucial element. The acquisition of targeted email addresses, known as "Leads," becomes pivotal for precision targeting. Unsurprisingly, there is a separate marketplace that is solely focused on gathering data of potential targets through malicious websites, surveys and pop-up emails offering discounts and free rewards. 
 
Lastly, a mechanism for monetizing the stolen credentials completes the construction. Notably, all these necessary building blocks are readily available on Telegram, with some offered at remarkably low prices, and astonishingly, certain elements are even accessible for free. This holistic approach underscores the alarming accessibility and affordability of these illicit tools within the Telegram ecosystem. 

After analyzing the scam creation process, it's evident that phishing scams exploit compromised security on legitimate websites.

Owners of such sites bear a dual responsibility of safeguarding their business interests and preventing their platforms from being exploited by scammers. This includes protecting against the hosting of phishing operations, sending deceptive emails, and other illicit activities that may occur without their knowledge. Vigilance and proactive measures are essential to ensure the integrity and security of online platforms.

Rise of OLVX: A New Haven for Cybercriminals in the Shadows


OLVX has emerged as a new cybercrime marketplace, quickly gaining a loyal following of customers who use it to obtain tools for conducting online fraud and cyberattacks against other websites. The launch of the OLVX marketplace follows a recent trend of cybercrime marketplaces being hosted on the clearnet instead of the dark web, which allows a wider range of users to access them and lets them be promoted through search engine optimization (SEO).

Research conducted by ZeroFox cybersecurity researchers uncovered a new underground market called OLVX (olvx[.]cc) that was advertising a wide variety of hacking tools for illicit purposes and was linked to a large number of hacking tools and websites.

Researchers at ZeroFox, who detected OLVX at the end of July 2023, have noted a marked increase in activity on the new marketplace in the fall, noticing that both buyers and sellers are increasing their activity on the marketplace. 

OLVX has offered several illicit tools and services to threat actors since its launch on July 1, 2023. Unlike the other markets in its space, OLVX focuses on providing cybercriminals with tools they can take advantage of during the 2023 holiday peak season in retail.

ZeroFox found that OLVX marketplace activity spiked significantly in fall 2023 due to more items selling on the marketplace, and buyers rushing to the new store to purchase those items. OLVX is estimated to be the result of leaked OLUX code from 2020/2021, according to an investigation. 

Post-leak stores use improved versions of the OLUX code, even though the original OLUX code is outdated. For better accessibility and web hosting, OLVX hides its website behind Cloudflare. To grow its customer base, OLVX does not make use of the dark web; instead, it relies on SEO and forums.

For customer support, OLVX runs a Telegram channel. The marketplace's reputation and earnings are boosted by strong relationships with its customers. Unlike most other markets of this nature, OLVX does not rely on an escrow service to protect funds.

Instead, it offers a "deposit to direct payment" system which supports Bitcoin, Monero, Ethereum, Litecoin, TRON, Bitcoin Cash, Binance Coin, and Perfect Money as cryptocurrencies. By doing this, users are encouraged to spend more, because funds are always available, so browsing leads to more frequent purchases for the user. 

To maintain privacy and security, customers who are running low on funds are advised to use time-limited anonymous cryptocurrency addresses to "top-off" their accounts, in order to maintain funds. During the holiday season, OLVX and similar marketplaces thrive as cybercriminal hubs, supplying tools for targeting campaigns to cybercriminals during the colder months. 

On the site, OLVX offers hosting via Cloudflare and advertises DDoS protection through Simple Carrier LLC, which is a substandard hosting provider. Consumers are increasingly putting their security at risk as they shop.

OLVX is one of the leading tools that criminals use during the holiday season for illicit activities, making this the time of year when criminals run their heists. Due to the unique nature of the platform, an independent verification team cannot verify that the above quality and validity claims are accurate; however, users believe that OLVX's rising popularity and established reputation lend credibility to the majority of the claims.

Interestingly, ZeroFox indicates that fraudulent activity on the platform starts to increase as the holiday shopping season approaches, which means that buyers should maintain heightened vigilance so as to avoid scams and identify fraud.

Data Theft Alert: Malicious Python Packages Exposed – Stay Secure


Researchers have observed growing complexity in a malicious campaign that has pushed hundreds of info-stealing packages to open-source platforms over the past half-year, with approximately 75,000 downloads recorded.

Checkmarx's Supply Chain Security team has been monitoring the campaign since it started at the beginning of April. Analysts discovered 272 packages with code intended to steal confidential information from systems that have been targeted by this campaign. 

There has been a significant evolution of the attack since it was first identified. The authors of the packages have started integrating increasingly sophisticated obfuscation layers and detection-evading techniques to attempt to prevent detection. 

Over time the stealer has evolved from humble beginnings into a powerful tool capable of harvesting a wide range of information.

Crypto and Data Theft 

As the researchers point out, "the Python ecosystem started showing a pattern of behaviour in early April 2023." For example, the `__init__.py` file was found to load its payload only after confirming that it was running on a target system rather than in a virtualized environment, since a virtualized environment is the usual sign of a malware analysis host, according to the researchers.

The malware checks for the presence of an antivirus on the compromised endpoint, then searches for task lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in the browser, as well as cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. Additionally, it takes screenshots of any data considered to be of importance and uploads them directly.

Aside from that, the malware makes the compromised system take screenshots and steals individual files from the Desktop, Pictures, Documents, Music, Videos, and Downloads directories, which can also be used to spread to other systems.

In addition, the malware constantly monitors the victim's clipboard for cryptocurrency addresses and swaps them with the attacker's address to divert payments to wallets controlled by the attacker.

Approximately $100,000 worth of cryptocurrency is estimated to have been directly stolen by this campaign, according to the analysts. 

An Analysis of The Attack's Evolution 

There was no doubt that the April packages from this campaign were malicious, since the malicious code was plain text, as reported by the researchers. The researchers also noticed that in May the authors added multilayered obfuscation to two of the packages to hinder analysis.

By August, the researchers noted that many packages used multi-layer encryption. Two of the most recent packages tested by Checkmarx researcher Yehuda Gelb use at least 70 layers of obfuscation, as noted in a separate report.

During August the malware developers also announced plans to develop a feature that could disable antivirus software, added Telegram to the list of targeted applications, and introduced a fallback mechanism for data exfiltration.

There are still many risk factors associated with supply chain attacks, according to the researchers, and threat actors upload malicious packages daily to widely used version control systems such as GitHub and package repositories such as PyPI and npm.

To protect themselves, users should carefully scrutinize the trustworthiness of the projects and packages they rely on, and be vigilant against typosquatted package names that imitate packages they trust.

Casinos in Southeast Asia are Encouraging Cybercrime Boom

Mr. Big has a problem. He wants to move what he calls his “fraud funds” back to China. However, restrictions are preventing him from doing so.

Mr. Big, obviously not his real name, took to Telegram and posted an ad on his channel. In exchange for a 10% cut, he was looking for a "group of smuggling teams" to "complete the final conversion" of the stolen money by smuggling gold and valuable stones into southern China through Myanmar.

While it is still unclear whether Mr. Big succeeded in his plans, his ad has now been deleted and when the infamous investigative newsroom ProPublica tried to contact him, they were unable to get in touch with him. However, the website where he posted his advertisement reveals a lot about the reasons why Americans and individuals all over the world have been the subject of a massive wave of fraud that originated in Southeast Asia and is only now starting to be understood on a much larger scale.

In their recent event of crime investigation, Singapore police seized a whopping sum of more than $2 billion in a case of money laundering executed by a syndicate with alleged ties to organized crime, including "scams and online gambling."

The Telegram channel that contained Mr. Big's request for help was a Chinese-language forum that provided access to "white capital"—cash that has been laundered—and that was "guaranteed" by a casino owner in Myanmar, Fully Light Group. This operator claims to make sure that agreements made on the site are carried out.

Fully Light also has its own Telegram channels that carry advertisements for similar services. One such channel has around 117,000 participants and features advertisements for cryptocurrency swaps into “pure white” Chinese renminbi or “white capital” Singaporean dollars.

Casinos clearly aid in such dealings. According to new research conducted by the United Nations Office on Drugs and Crime, a vast number of casinos and other gambling operators in Southeast Asia have become a primary component of the underground banking system, aiding organized criminal groups. However, the research has not been officially published.

The UNODC report notes that there are currently more than 340 physical casinos in Southeast Asia, along with several online gambling operators, that serve the growing infiltration of organized crime.

Top 5 Ways to Encrypt Your Internet Traffic for Enhanced Security


Encryption involves converting data into a format that is unreadable without the corresponding decryption key, thereby bolstering security and preventing unauthorized access.

Securing your internet connection with encryption is indeed possible, but it necessitates a multi-pronged strategy. Here are five approaches to encrypting your internet traffic:

1. Utilize a Private Browser:

Your browser serves as the primary gateway to the internet. If it doesn't shield you from tracking, other security measures won't be as effective. The Tor Browser stands out as a truly private option. It redirects traffic through a series of relays, encrypting it at each step. While it's indispensable for privacy-conscious tasks, its speed may be a limitation for everyday use. In such cases, browsers like Brave or Firefox, while not as robust as Tor, offer enhanced privacy and tracking protection compared to mainstream options like Chrome or Microsoft Edge.

2. Employ a VPN:

The use of a Virtual Private Network (VPN) is recommended, especially when combined with browsers other than Tor. A VPN enhances privacy and complicates efforts to track online activities. However, not all VPN providers are equal. It's crucial to choose one with robust encryption, a strict no-logs policy, protection against DNS leaks, a kill-switch feature, and reliable performance. Ensure thorough testing after selection, and extend VPN use to all devices, not just computers.

3. Embrace Encrypted Messaging Apps:

While a secure browser and VPN are crucial, using an encrypted messaging app is equally important. Opt for apps with end-to-end encryption, ensuring only the sender and recipient can read messages. Signal is highly recommended due to its reputation and emphasis on user privacy. Telegram offers a good alternative, especially for those seeking social features. WhatsApp, despite being owned by Meta, also provides end-to-end encryption and is more secure than many mainstream messaging apps.

4. Switch to an Encrypted Email Provider:

Email services from major companies like Google, Microsoft, and Yahoo collect substantial amounts of user data. By using their services, you not only contribute to Big Tech profits but also expose yourself to potential risks. Consider migrating to an encrypted email provider, which typically offers superior encryption, advanced security measures, and a focus on user privacy. While some advanced features may require payment, providers like ProtonMail, Tutanota, and Mailfence enjoy excellent reputations.

5. Invest in Encrypted Cloud Storage:

File storage plays a crucial role in internet traffic encryption, especially with the widespread use of cloud storage for personal data. Opt for providers offering end-to-end encryption and robust security practices. While numerous options are available, paid encrypted cloud storage services like Icedrive, pCloud, Tresorit, and Proton Drive provide reliable and secure solutions. Free options are scarce due to the substantial costs associated with providing this level of security and infrastructure.

By implementing these measures, you can significantly enhance the encryption of your internet traffic and fortify your overall cyber infrastructure. Additionally, consider local encryption and encrypting your entire hard drive for added security.

Secure Messaging Apps: A Safer Alternative to SMS for Enhanced Privacy and Cybersecurity


The Short Messaging Service (SMS) has been a fundamental part of mobile communication since the 1990s when it was introduced on cellular networks globally. 

Despite the rise of Internet Protocol-based messaging services with the advent of smartphones, SMS continues to see widespread use. However, this persistence raises concerns about its safety and privacy implications.

Reasons Why SMS Is Not Secure

1. Lack of End-to-End Encryption

SMS lacks end-to-end encryption, with messages typically transmitted in plain text. This leaves them vulnerable to interception by anyone with the necessary expertise. Even if a mobile carrier employs encryption, it's often a weak and outdated algorithm applied only during transit.

2. Dependence on Outdated Technology

SMS relies on Signaling System No. 7 (SS7), a set of signalling protocols developed in the 1970s. This aging technology is highly insecure and susceptible to various cyberattacks. Instances of hackers exploiting SS7 vulnerabilities for malicious purposes have been recorded.

3. Government Access to SMS

SS7 security holes have not been adequately addressed, potentially due to government interest in monitoring citizens. This raises concerns about governments having the ability to read SMS messages. In the U.S., law enforcement can access messages older than 180 days without a warrant, despite efforts to change this.

4. Carrier Storage of Messages

Carriers retain SMS messages for a defined period, and metadata is stored even longer. While laws and policies aim to prevent unauthorized access, breaches can still occur, potentially compromising user privacy.

5. Irreversible Nature of SMS Messages

Once sent, SMS messages cannot be retracted. They persist on the recipient's device indefinitely, unless manually deleted. This lack of control raises concerns about the potential exposure of sensitive information in cases of phone compromise or hacking.

Several secure messaging apps provide safer alternatives to SMS:

1. Signal
 
Signal is a leading secure messaging app known for its robust end-to-end encryption, ensuring only intended recipients can access messages. Developed by the non-profit Signal Foundation, it prioritizes user privacy and does not collect personal data.

2. Telegram

Telegram offers a solid alternative to SMS. While messages are not end-to-end encrypted by default, users can enable Secret Chats for enhanced security. This feature prevents forwarding and limits access to messages, photos, videos, and documents.

3. WhatsApp

Despite its affiliation with Meta, WhatsApp is a popular alternative with billions of active users. It employs end-to-end encryption for message security, surpassing the safety provided by SMS. It's available on major platforms and is widely used among contacts.

In conclusion, SMS is not a recommended option for individuals concerned about personal cybersecurity and privacy. While it offers convenience, its security shortcomings are significant. 

Secure messaging apps with end-to-end encryption are superior alternatives, providing a higher level of protection for sensitive communications. If using SMS is unavoidable, caution and additional security measures are advised to safeguard information.

Hackers Attack Telegram With DDoS After Targeting Microsoft and X


Anonymous Sudan has launched a distributed denial-of-service (DDoS) attack against Telegram in response to the messaging platform's decision to deactivate its principal account, according to threat intelligence firm SOCRadar. 

Anonymous Sudan, claiming to be a hacktivist group motivated by political and religious concerns, carried out DDoS attacks against organisations in Australia, Denmark, France, Germany, India, Israel, Sweden, and the United Kingdom. 

The group has been active since the beginning of the year, and on January 18, it launched its Telegram channel, proclaiming its intention to undertake cyberattacks against any entity that opposes Sudan. The group's operations began with the targeting of many Swedish websites. 

However, in June, Microsoft 365, Outlook, Microsoft Teams, OneDrive for Business, and SharePoint Online were the targets of a string of disruptive DDoS attacks launched by Anonymous Sudan, which quickly gained attention. Cloud computing platform Azure from Microsoft was also impacted. Microsoft, which records the group as Storm-1359, confirmed DDoS attacks were the cause of the interruption after Anonymous Sudan boasted about the strike on their Telegram channel. 

With the goal of forcing Elon Musk to launch the Starlink service in Sudan, the organisation launched a disruptive DDoS attack against X (previously Twitter) in late August. The attack on Telegram had a different objective than the group's usual targets, yet it failed to accomplish its goal: as a result of it, the hacktivists' primary Telegram channel has been temporarily moved.

Uncertainty around the ban on Telegram has led the threat intelligence company to speculate that it may be connected to recent attacks on X or the use of bot accounts. Current DDoS and defacement operations are being carried out by the Anonymous Sudan group, which may not be based in Sudan and may actually have connections to the Russian hacking collective KillNet, according to previous reports from SOCRadar and Truesec. 

The group doesn't request the support of pro-Islamic organisations, only communicates with Russian hackers, and mostly posts in English and Russian rather than Arabic. The campaigns that have been noticed also have no connection to political issues regarding Sudan. 

The group also doesn't seem to be associated with the original Anonymous Sudan hacktivists, who first showed up in Sudan in 2019, or with Anonymous, the decentralised, anti-political hacktivist movement.

Threat of Fake Signal and Telegram Apps: Protecting Your Privacy and Security

In today’s digital age, the use of messaging apps has become an integral part of our daily lives. Apps like Signal and Telegram have gained immense popularity due to their focus on privacy and security. 

However, with the rise in popularity of these apps, there has also been an increase in the number of fake apps that pose as extensions or premium versions of these popular messaging platforms. 

In this blog post, we will discuss the recent discovery of fake Signal and Telegram apps that have been found to sneak malware into thousands of Android phones.

The Discovery

Researchers at the cybersecurity firm ESET recently discovered fake apps in the Google and Samsung app stores that posed as extensions or premium versions of the popular messaging platforms Signal and Telegram. 

These malicious apps, called Signal Plus Messenger and FlyGram, were designed to steal user data. When users took certain actions, these fake apps could pull sensitive information from legitimate Signal and Telegram accounts, including call logs, SMS messages, locations and more.

The Implications

By stealing sensitive information from legitimate Signal and Telegram accounts, these malicious apps can compromise the privacy and security of users’ conversations. 

This can lead to identity theft, financial fraud, and other forms of cybercrime. It is therefore important for users to be vigilant when downloading apps from app stores and to only download apps from trusted sources.

Forum Database Sold Online After Kodi Data Breach


Hackers have breached the Kodi Foundation's MyBB forum database, stealing user information such as email addresses and private messages, which were then offered for sale online.

Kodi is an open-source, cross-platform media player, organizer, and streaming suite that includes several third-party options allowing users to access and stream content from a variety of sources and customize their experience based on their personal preferences.

Several months ago, the Kodi Foundation published a statement revealing that it had been breached by hackers. This came after the organization's MyBB forum database, containing user information and private messages, was stolen and sold online.

The threat actors abused the account to create, download, and delete backups of the databases. The database's nightly full backups were also downloaded, in addition to the existing data backups. A disablement request has now been sent for the account in question.

The non-profit organization developed Kodi media center, a free and open-source software entertainment hub, and media player. According to a breach notice published on April 8, the Kodi Team learned of unauthorized access after a data dump of its forum user base (MyBB) was offered for sale online. 

The now-defunct Kodi forum had about 401,000 users who posted 3 million messages covering various topics, including video streaming, suggestions, support, sharing upcoming add-ons, and more. Hackers took over the forum database by accessing the admin interface with inactive staff credentials, according to a site statement on Saturday. 

In the aftermath of the breach, the developer has shut the forum down. The forum, which was home to over 3 million posts, is working to perform a global password reset, as it is assumed that “all passwords are compromised” despite being stored in an encrypted format.

In an update published earlier today, Kodi's administrators informed the community that they are commissioning an updated forum server, even though the existing systems do not appear to have been compromised. 

The forum will be redeployed using the latest MyBB version. This comes with a heavy workload required to incorporate custom functional changes and backport security fixes, so a delay of "several days" is to be expected. 

Kodi has shared the list of exposed email addresses associated with forum accounts with the Have I Been Pwned data breach notification service. 

Even though these passwords were hashed and salted, Kodi warns that all passwords should be viewed as compromised for the time being. It may be possible that service availability will be affected if the admin team plans a global password reset. 

According to Kodi's release, any sensitive information transmitted between users through the user-to-user messaging system may have been compromised. If you previously used the same login and password on another website, you should follow that website's instructions for resetting or changing your password. 

On February 15th, 2023, Amius claimed to have sold a dump of the database on a website operating under its brand. The dump reportedly lists 400,314 Kodi forum members, including "several IPTV resellers." 

There is no information regarding the database price as the seller accepted a private offer over Telegram. The Breached forum is one of the largest hacking and data leak forums. It has developed its reputation over the past few years for hosting, leaking, and selling breaches of companies, governments, and various other organizations. 

Data Centers Hacked to Collect Data from Multinational Firms

Over the past 18 months, there have been reports of cyberattacks against numerous data centers in various parts of the world, which have led to the leakage of information about some of the biggest corporations in the world and the publication of access privileges on the dark web.

Resecurity discovered several actors on the dark web, some of whom may have come from Asia, who were able to access customer records and exfiltrate them from one or more databases linked to particular apps and systems utilized by various data center firms during the campaign.

Initial access in at least one of the situations was probably obtained through a weak helpdesk or ticket management module which was connected with other programs and systems, allowing the threat actor to move laterally.

According to Resecurity, the threat actor was able to harvest credentials for data center IT personnel and clients, as well as a list of CCTV cameras and their corresponding video stream identifiers used to monitor data center settings.

Bloomberg said that two of the victim companies are GDS Holdings, based in Shanghai, and ST Telemedia Global Data Centres, based in Singapore. Resecurity did not identify the data center operators that were mentioned in the attack.

According to Bloomberg, GDS acknowledged that a customer assistance website was compromised in 2021 but insisted that there was no risk to the IT systems or data of its clients. It presented no risk to the clients, according to ST Telemedia.

According to Resecurity, businesses with a global presence in finance, investment funds, biomedical research firms, technology vendors, e-commerce sites, cloud services, ISPs, and content delivery network firms were among those whose information was exposed. According to the researchers, the companies are headquartered in the US, UK, Canada, Australia, Switzerland, New Zealand, and China.

Resecurity has not pinpointed any known APT groups as the perpetrators of the attacks. The experts point out that numerous, distinct perpetrators might have compromised the victims.

Titan-Stealer: A New Golang-based Info-Stealer Malware


Recently, a new Golang-based information stealer named 'Titan Stealer' has been promoted by threat actors in their Telegram channel. Initial details about the malware were uncovered by cybersecurity researcher Will Thomas in November 2022 using the IoT search engine Shodan. 

Titan is advertised as a malware builder that enables users to alter the malware binary's functionality and the type of data that will be extracted from a victim's system. 

When launched, the malware uses a technique called 'process hollowing' to inject its malicious payload into the memory of a legitimate process, AppLaunch.exe, Microsoft's .NET ClickOnce Launch Utility. 

According to a recent report by Uptycs security, researchers Karthickkumar Kathiresan and Shilpesh Trivedi say, “the stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.” 

Targets of The Info Stealer 

The Titan Stealer has been targeting web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. 

Additionally, it has the ability to collect data from the Telegram desktop app and compile a list of the host's installed programs. 

The gathered information is then transmitted as a Base64-encoded archive file to a remote server under the attacker's control. Additionally, the malware includes a web panel that enables threat actors to access the stolen data. 

How is the Titan Stealer Operated? 

The exact approach used to distribute the malware is still unclear, but the threat actors have utilized numerous methods, such as phishing, malicious ads, and cracked software. 

"One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS," says Cyble in its analysis of Titan Stealer. "Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software." 

The findings come a little over two months after SEKOIA unveiled Aurora Stealer, another Go-based malware that is being used by a number of criminal actors in their campaigns. 

The malware often spreads through websites that mimic well-known software, with the same domains being continuously updated to host trojanized versions of different programs. 

It is also found to be taking advantage of a tactic called padding in order to artificially inflate the size of the executables to as much as 260MB by adding random data, in order to evade detection by antivirus software. 
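As an added defender-side example (not code from the Uptycs or Cyble analyses), the following Python parses a PE section table to measure the "overlay" appended after the last section and flags files whose overlay is both large and high-entropy, which is exactly what this padding trick produces. The minimal PE builder, the sample sizes and the thresholds are constructed for the example; `overlay_report` and `looks_padded` work on real files read from disk as well.

```python
import math
import os
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for random bytes, 0.0 for a constant fill."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(v) for v in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def pe_overlay(pe: bytes) -> bytes:
    """Return the bytes appended after the last section of a PE file (the 'overlay').

    Only the DOS header, PE signature, COFF header and section table are parsed,
    which is enough to find where the mapped sections end on disk.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    section_table = coff + 20 + opt_header_size
    end_of_sections = 0
    for i in range(num_sections):
        entry = section_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", pe, entry + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return pe[end_of_sections:]


def overlay_report(pe: bytes, sample: int = 256 * 1024) -> dict:
    """Size of the overlay and the entropy of its first `sample` bytes."""
    overlay = pe_overlay(pe)
    return {"overlay_size": len(overlay),
            "overlay_entropy": round(shannon_entropy(overlay[:sample]), 3)}


def looks_padded(pe: bytes, min_overlay: int = 1 << 20, min_entropy: float = 7.0) -> bool:
    """Heuristic for the trick described above: a large, high-entropy overlay, i.e.
    random data appended after the last section. Installers that carry a compressed
    archive as their overlay can also trip this, so treat a hit as a triage lead."""
    report = overlay_report(pe)
    return report["overlay_size"] >= min_overlay and report["overlay_entropy"] >= min_entropy


def build_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE *layout* for testing (headers + one section; not runnable):
    DOS header, PE signature, COFF header, no optional header, one section header,
    then the section data at a 512-byte-aligned file offset, then the overlay."""
    e_lfanew = 0x40
    num_sections, opt_header_size = 1, 0
    headers_len = e_lfanew + 4 + 20 + opt_header_size + 40 * num_sections
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # FileAlignment of 512
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, opt_header_size, 0x22)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + section).ljust(raw_ptr, b"\0")
    return headers + section_data + overlay


def make_samples() -> dict:
    """Three constructed files: clean, bloated with 2 MiB of random overlay, and bloated
    with 2 MiB of zeros (large but low-entropy, so not flagged by this heuristic)."""
    code = b"\xCC" * 300
    return {"clean": build_pe(code),
            "random_padding": build_pe(code, os.urandom(2 * 1024 * 1024)),
            "zero_padding": build_pe(code, b"\0" * (2 * 1024 * 1024))}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name:15} {overlay_report(blob)} padded={looks_padded(blob)}")
```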

StrongPity Hackers Disseminate Trojanized Telegram App to Android Users

 

The StrongPity APT hacking group is disseminating a bogus Shagle chat app that is a trojanized version of the Telegram for Android app with a backdoor added. Shagle is a legitimate random video chat platform that allows strangers to communicate through an encrypted communications channel. 

However, the platform is entirely web-based and has no mobile app. Since 2021, StrongPity has been using a phony website that impersonates the official Shagle site to trick victims into downloading a malicious Android app. Once installed, this app allows the hackers to spy on their targets by monitoring phone calls, collecting SMS texts, and stealing contact lists.

StrongPity, also known as Promethium or APT-C-41, was previously linked to a malware-infecting campaign that distributed trojanized Notepad++ installers and malicious versions of WinRAR and TrueCrypt.

ESET researchers found the latest StrongPity activity and linked it to the espionage APT group based on code similarities with previous payloads. Furthermore, the Android app is signed with the same certificate that the APT used to sign an app in a 2021 campaign that mimicked the Syrian e-gov Android application.

Trojanizing the Telegram app 

StrongPity's malicious Android app is an APK file called "video.apk," which is a modified version of the standard Telegram v7.5.0 (February 2022) app.

ESET was unable to determine how victims arrived at the bogus Shagle website, but it is most likely through spear phishing emails, smishing (SMS phishing), or online instant messages. The malicious APK is downloaded directly from the bogus Shagle website and has never appeared on Google Play.

According to ESET, the cloned site first appeared online in November 2021, so the APK has most likely been actively distributed since then. The first confirmed detection in the wild, however, occurred in July 2022. One disadvantage of using Telegram as the basis for the hacking group's fake app is that the backdoored version will not install if the victim already has the real Telegram app on their phone.

The API ID used in the captured samples has currently been limited due to overuse, so the trojanized app will no longer approve new user registrations; thus, the backdoor will not function. This, according to ESET, indicates that StrongPity malware was successfully deployed on targeted victims.

Backdoor for spying on victims

When the malware is installed, it requests Accessibility Service access and then retrieves an AES-encrypted file from the attacker's command and control server. The file contains 11 binary modules that were downloaded to the device and used by the backdoor to perform various malicious functions.

Each module serves an espionage purpose and is activated as needed. The following is a complete list of the malicious spyware modules:
  • libarm.jar – records phone calls
  • libmpeg4.jar – collects text of incoming notification messages from 17 apps
  • local.jar – collects file list (file tree) on the device
  • phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
  • resources.jar – collects SMS messages stored on the device
  • services.jar – obtains device location
  • systemui.jar – collects device and system information
  • timer.jar – collects a list of installed apps
  • toolkit.jar – collects contact list
  • watchkit.jar – collects a list of device accounts
  • wearkit.jar – collects a list of call logs
The information gathered is saved in the app's directory, encrypted with AES, and then sent back to the attacker's command and control server.

The malware can read notification content from Messenger, Viber, Skype, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, and other services by abusing the Accessibility Service. The malware automatically grants itself permission to change security settings, write to the filesystem, reboot, and perform other dangerous functions on rooted devices where the regular user has administrator privileges.

Since 2012, the StrongPity hacking group has been active, frequently hiding backdoors in legitimate software installers. According to ESET's report, the threat actor is still using the same tactic after a decade. Android users should exercise caution when downloading APKs from sources other than Google Play.

North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File


DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. The entity, which Microsoft tracks as DEV-0139, posed as a cryptocurrency investment firm on Telegram and used a "well-crafted" weaponized Excel file to compromise systems and access them remotely. 

The threat is part of a trend of cyberattacks showing a high degree of sophistication. In this case, the threat actor created a fake OKX employee profile and joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms. 

In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary gain. Cyberattacks on the cryptocurrency market take various forms, including fraud, vulnerability exploitation, fake apps, and the use of info stealers, all of which threat actors use to steal cryptocurrency funds. 

In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures. 

The document contained accurate information and showed a high awareness of the realities of crypto trading; however, it also sideloaded a malicious .dll (Dynamic Link Library) file to open a backdoor into the user's system. The victim was then told to view the .dll file while the fees were being discussed. 

According to Microsoft, the weaponized Excel file initiates the following series of activities:

  • A malicious macro in the weaponized Excel file abuses the UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.
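As an added defender-side example, not from Microsoft's report, here is a small detector run over constructed Sysmon-style events that flags the three behaviours in that chain: an Office process writing a .tmp under C:\ProgramData, an Office process spawning a non-Office child, and a system DLL name such as wsock32.dll being loaded from outside the system directories. The event field names, timestamps, user path and the on-disk location of logagent.exe and wsock32.dll are assumptions; only the VSDB688.tmp path comes from the report.

```python
import json
from pathlib import PureWindowsPath

# Office hosts whose child processes and file writes are worth scrutiny.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Directories from which Windows system DLLs are legitimately loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Example watchlist of system DLL names abused for sideloading: wsock32.dll is the one
# from the chain above; the other two are commonly abused names added for illustration.
SIDELOAD_DLLS = {"wsock32.dll", "version.dll", "dbghelp.dll"}

# Constructed Sysmon-style events as JSON lines. Field names, timestamps, the user path
# and the location of logagent.exe / wsock32.dll are assumptions for this example; the
# VSDB688.tmp path is the one named in the report.
SAMPLE_EVENTS = r"""
{"time": "2022-10-19T09:58:12Z", "event": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"time": "2022-10-19T09:58:40Z", "event": "file_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "target": "C:\\ProgramData\\Microsoft Media\\VSDB688.tmp"}
{"time": "2022-10-19T09:58:41Z", "event": "file_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "target": "C:\\Users\\alice\\Documents\\VIP-fees.xlsx"}
{"time": "2022-10-19T09:59:03Z", "event": "process_create", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\ProgramData\\Microsoft Media\\logagent.exe"}
{"time": "2022-10-19T09:59:04Z", "event": "image_load", "image": "C:\\ProgramData\\Microsoft Media\\logagent.exe", "loaded": "C:\\ProgramData\\Microsoft Media\\wsock32.dll"}
{"time": "2022-10-19T09:59:05Z", "event": "image_load", "image": "C:\\Windows\\System32\\svchost.exe", "loaded": "C:\\Windows\\System32\\wsock32.dll"}
"""


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Apply three behavioural rules to one event; return (rule_id, detail) matches."""
    hits = []
    kind = ev.get("event")
    if kind == "file_create":
        # Rule 1: an Office process writing a .tmp under C:\ProgramData (dropped payload).
        target = ev["target"]
        if (_name(ev["image"]) in OFFICE_IMAGES
                and target.lower().startswith("c:\\programdata\\")
                and target.lower().endswith(".tmp")):
            hits.append(("office_drops_tmp_programdata", f"{_name(ev['image'])} wrote {target}"))
    elif kind == "process_create":
        # Rule 2: an Office process spawning anything that is not itself an Office app.
        parent, child = _name(ev["parent_image"]), _name(ev["image"])
        if parent in OFFICE_IMAGES and child not in OFFICE_IMAGES:
            hits.append(("office_child_process", f"{parent} spawned {ev['image']}"))
    elif kind == "image_load":
        # Rule 3: a system DLL name resolved from outside the system directories (sideloading).
        loaded = ev["loaded"]
        if _name(loaded) in SIDELOAD_DLLS and not loaded.lower().startswith(SYSTEM_DIRS):
            hits.append(("system_dll_sideload", f"{_name(ev['image'])} loaded {loaded}"))
    return hits


def scan(log_text: str) -> list:
    """Run check_event over JSON-lines input; return (time, rule_id, detail) in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule_id, detail in check_event(ev):
            findings.append((ev["time"], rule_id, detail))
    return findings


def full_chain(findings: list) -> bool:
    """True when all three stages of the chain appear, a much stronger signal than any
    single rule (Office writes to ProgramData and spawns children legitimately at times,
    and some software ships its own copy of a system-named DLL)."""
    seen = {rule_id for _, rule_id, _ in findings}
    return {"office_drops_tmp_programdata", "office_child_process", "system_dll_sideload"} <= seen


if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for when, rule_id, detail in findings:
        print(when, rule_id, detail)
    print("full chain observed:", full_chain(findings))
```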

The attack method is not new: Microsoft suggests the same attacker was behind a June campaign that used .dll files for the same purpose, as well as other cyberattack incidents. According to Microsoft, DEV-0139 is the same threat actor that cybersecurity firm Volexity associated with North Korea's state-sponsored Lazarus Group. 

That earlier activity used a malware strain called AppleJeus and an MSI (Microsoft Installer) package. The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year, and Kaspersky Labs documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros

6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest. 






A Copyright Violation Lawsuit Involves Telegram Sharing Users' Data

 


Following a court order in India, Telegram has disclosed the names, contact information, and IP addresses of administrators of channels accused of copyright infringement. That it can hand authorities such a large volume of data about its users in just a few seconds demonstrates how much information the instant messaging platform holds. 

An order by the Delhi High Court compelled the app's owner to share the data. The plaintiff argued that the company had not taken enough steps to prevent the unauthorized distribution of a teacher's course material on the platform. Neetu Singh, the teacher who brought the lawsuit, said that several Telegram channels were reselling her study materials without permission. 

Telegram had earlier been ordered by an Indian court to follow Indian law and disclose information about the members who operate such channels. 

During the litigation, Telegram argued unsuccessfully that disclosing information about users would violate its privacy policies and the laws of Singapore, where it currently maintains the physical servers that store its users' data. The court dismissed this argument because the ongoing infringement concerns Indian works and is likely attributable to Indian users, and because the data, even if stored outside India, could still be accessed from there. 

Earlier this week, Justice Pratibha Singh noted that Telegram had complied with the earlier order and had shared the data. 

As part of the case, a copy of the data will be provided to counsel for the plaintiffs, with a clear warning that neither they nor any of their representatives may share it with a third party other than for the purposes of the present proceedings. According to the court order first reported by LiveLaw (PDF), disclosure of the information to the police or government authorities is permissible. 

Telegram spokesperson Remi Vaughn commented that Telegram had no response regarding whether private information was shared. He added that, generally, Telegram does not store very much information about its users: "Our understanding is that, in many cases, we will not be able to access any user data without a specific entry point. This may have been the case here." Due to this, Telegram cannot confirm that any private information was shared in this instance.

Interestingly, Telegram has grown to rank among the top five most used apps in South Asia, with nearly 150 million users across the region. According to a previous report, Telegram's piracy problem may have contributed to the app's sudden popularity among some users. Movies and TV shows are widely shared on the platform, which remains littered with easily discoverable channels, some with tens of thousands of members, where such content can be found.

Pavel Durov: Users Must Cease Using WhatsApp Since it's a Spying Tool

WhatsApp is among the most popular messaging apps in the world. It was first launched in January 2009 and since then evolved to include audio and video calls, emojis, and WhatsApp Payments. However, criticism has also surrounded the well-known messaging app due to claims about privacy and security issues. 

Recently, WhatsApp disclosed a security flaw affecting its Android app that was deemed critical. Pavel Durov, the creator of Telegram, poked fun at WhatsApp and advised users to avoid it. 

Hackers could have complete access to all aspects of WhatsApp users' phones, according to Telegram founder Pavel Durov. Additionally, he asserted that WhatsApp has been monitoring user data for the past 13 years while claiming that WhatsApp's security flaws were planned purposely.

Durov outlined Telegram's security and privacy characteristics by saying, "I'm not trying to convince anyone to use Telegram here. There is no need to promote Telegram more." He claimed that Telegram's instant messaging software prioritizes privacy. With more than 700 million active users as of right now, the app is apparently growing steadily, adding over 2 million new users every day.

Regarding security and privacy, WhatsApp states that all texts, chats, and video calls are provided with end-to-end encryption. However, the program has frequently experienced bugs and security problems, which have sparked concerns about its privacy.

In terms of private chats and user data, WhatsApp already has a complicated and troubled past. People have been worried about Facebook's handling of users' personal data ever since it purchased WhatsApp in 2014. Meta has long been criticized for sharing user data not just with governmental organizations but also with private parties.

The rise in popularity of Telegram and Signal and other instant messaging services with a security and privacy focus can be attributed to this.

According to a recent report from Meta, WhatsApp users are susceptible to hacking due to a flaw in the way videos are downloaded and played back. If this flaw is exploited, hackers would have complete access to virtually everything on the phone of the WhatsApp user. Along with users' emails and pictures, this also contains other correspondence, such as SMS messages from various banks and app data from one's banking and payment apps.




Evolution of LilithBot Malware and Eternity Threat Group

A variant of the versatile malware LilithBot was recently uncovered by ThreatLabz in its database. This was connected to the Eternity group, also known as the Eternity Project, a threat entity affiliated with the Russian Jester Group, which has been operating since at least January 2022, according to further investigation.

In the darknet, Eternity disseminates many malware modules bearing the Eternity name, such as a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.

LilithBot Malware

The distribution channels found for LilithBot were a dedicated Telegram group and a Tor link offering one-stop shopping for these multiple payloads. In addition to its primary botnet activity, it includes built-in stealer, clipper, and miner capabilities. 

The LilithBot multipurpose malware bot was discovered by Zscaler's ThreatLabz threat research team in July 2022 and was being offered as a subscription by the Eternity organization. In this campaign, the threat actor adds the user to its botnet and then steals files and user data by sending it via the Tor network to a command-and-control (C2) server. The malware in this campaign performs the functions of a stealer, miner, clipper, and botnet while using false certificates to avoid detection.

This malware-as-a-service (MaaS) is unusual because, in addition to using a Telegram channel to share updates on the latest features, it also uses a Telegram Bot to let customers create the binary. Common cryptocurrencies accepted by Eternity for payments include BTC, ETH, XMR, USDT, LTC, DASH, ZEC, and DOGE. Eternity often conducts business via Telegram.

If the buyer requests it, the operators will build malware with add-on functionality and offer customized variants. Prices range from $90 to $470 USD. The Eternity Telegram channel shows the frequent upgrades and improvements the team makes to its services.

The Eternity gang frequently refers users to a dedicated Tor link where a detailed description of its various malware offerings and their features may be found. The Tor link leads to a homepage describing the different products and modules for sale, and a video there explains how to build the ransomware payload, which encrypts the targeted user's files and documents. The ransomware is the most expensive item on sale:
  • Eternity Stealer ($260) as an annual subscription
  • Eternity Miner ($90) as an annual subscription
  • Eternity Clipper ($110)
  • Eternity Ransomware ($490)
  • Eternity Worm ($390)
  • Eternity DDoS Bot (N/A)

The malware can be adapted to the unique needs of clients and is updated at no further cost. The group also gives its clients numerous additional discounts and perks.

It is possible that the group is still carrying out these tasks as the LilithBot malware has evolved, but in more complex ways, for example by completing them dynamically, encrypting the tasks like other areas of the code, or employing other cutting-edge strategies.

A file legitimately signed by Microsoft is issued by the 'Microsoft Code Signing PCA' certificate authority and also carries a countersignature from Verisign. LilithBot's bogus certificates, by contrast, lack a countersignature and appear to have been issued by an unverified 'Microsoft Code Signing PCA 2011'.

Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Void Balaur is a very active hacker-for-hire cyber mercenary gang reported to attack a variety of target groups worldwide, with its services seen for sale online since at least 2016. The services offered include private data collection and access to particular email and social media accounts, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and corporate email. 

Google claims that since 2012, its Threat Analysis Group (TAG) has been keeping tabs on a diverse set of Indian hackers-for-hire, many of whom have worked briefly for the Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both general and opportunistic with the goal of getting illegal access to popular email services, social networks, communications, and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the assault infrastructure run by Void Balaur includes more than 5,000 distinct domains that present themselves as portals for public services, authentication services, and email websites.

The new targets span a wide range of industries, frequently with specific political or business ties to Russia. Additionally, Void Balaur hunts for targets useful for positioning or assisting upcoming attacks. Its targets include the United States, Russia, Ukraine, and a number of other nations.

However, in early 2022, one of the group's managed domains resolved to an IP address that belongs to and is run by the Russian Federal Guard Service (FSO), indicating what appears to be an operating oversight and raising the possibility of a connection.

Although Void Balaur targets people and organizations all over the world, attacks launched in 2022 have targeted individuals active in political and business circles that are important to Russia.

The use of highly repeatable phishing emails that look like they are from banks or local governments is common in order to deceive recipients into clicking a malicious link and divulging their account information.

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In accordance with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Nonetheless, employing and adopting the proper security measures will help in repelling cyber mercenary attacks.

Killnet Targets Japanese Government Websites

According to investigative sources on Wednesday, the Tokyo Metropolitan Police Department intends to look into the recent outages of Japanese government and other websites, which may have been caused by cyberattacks by a Russian hacker organization.  

As per Chief Cabinet Secretary Hirokazu Matsuno, the government is apparently investigating if issues with the aforementioned sites were brought on by a denial-of-service (DDoS) attack. 

As per experts, access to the government's e-Gov portal website, which provides a wealth of administrative information, temporarily proved challenging on Tuesday.  

The pro-Russian hacker collective Killnet claimed responsibility for the attack and alleged it had attacked the electronic system of the tax authority and Japan's online public services in a post on the messaging app Telegram. Furthermore, it appeared that the hacker collective wrote that it was an uprising over Japan's 'militarism' and that it kicked the samurai. 
 
Sergey Shykevich, manager of Check Point Software's threat intelligence group, also assessed that Killnet was likely responsible for these attacks.  

Killnet's justification for these strikes, according to Shykevich, "is owing to Japan's support of Ukraine in the ongoing Russia-Ukraine war, as well as a decades-long dispute over the Kuril Islands, which both sides claim control over."

As per the sources, the MPD will look into the cases by gathering specific data from the affected businesses and government bodies. The National Police Agency will assess whether the hack on the e-Gov website qualified as a disruption that materially impairs the operation of the government's primary information system as defined by the police statute, which was updated in April.

The cybersecurity expert added that firms in nations under attack by Killnet should be aware of the risks because the group employs a variety of tactics, such as data theft and disruptive attacks, to achieve its objectives. 

Following a recent large-scale attack by Killnet on websites in Italy, Lithuania, Estonia, Poland, and Norway, there have been allegations of attacks targeting Japanese government websites.