
Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Reported to attack a variety of known target groups worldwide, Void Balaur is a very active hacker-for-hire cyber mercenary gang. Its services have been advertised for purchase online since at least 2016. They include private data collection and access to particular online email and social media accounts, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and corporate email.

Google says that since 2012 its Threat Analysis Group (TAG) has been keeping tabs on a diverse group of Indian hackers-for-hire, many of whom have worked briefly for the Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both broad and opportunistic, with the goal of gaining unauthorized access to popular email services, social networks, messaging platforms, and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the attack infrastructure run by Void Balaur includes more than 5,000 distinct domains that present themselves as portals for public services, authentication services, and email websites.

A wide range of industries, frequently with specific political or business ties to Russia, are among the new targets. Void Balaur also seeks out targets that are useful for positioning or supporting future attacks. Its targets are located in the United States, Russia, Ukraine, and a number of other nations.

In early 2022, one of the group's managed domains resolved to an IP address that belongs to and is run by the Russian Federal Guard Service (FSO), indicating what appears to be an operational oversight and raising the possibility of a connection.

Although Void Balaur targets people and organizations all over the world, attacks launched in 2022 have targeted individuals who are active in political and business circles that are important to Russia.

The group commonly uses highly repetitive phishing emails that appear to come from banks or local governments in order to deceive recipients into clicking a malicious link and divulging their account credentials.

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In keeping with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Nonetheless, employing and adopting the proper security measures will help in repelling cyber mercenary attacks.

Killnet Targets Japanese Government Websites

According to investigation sources on Wednesday, the Tokyo Metropolitan Police Department intends to look into the recent outages of Japanese government and other websites that may have been caused by cyberattacks by a Russian hacker organization.

As per Chief Cabinet Secretary Hirokazu Matsuno, the government is investigating whether the issues with the aforementioned sites were caused by a distributed denial-of-service (DDoS) attack.

As per experts, access to the government's e-Gov portal website, which provides a wealth of administrative information, was temporarily difficult on Tuesday.

The pro-Russian hacker collective Killnet claimed responsibility for the attack in a post on the messaging app Telegram, alleging that it had attacked the electronic system of the tax authority and Japan's online public services. The collective also appeared to write that the attack was an uprising over Japan's 'militarism' and that it had kicked the samurai.
 
Sergey Shykevich, manager of Check Point Software's threat intelligence group, likewise assessed that Killnet was likely responsible for these attacks.

Killnet's justification for these strikes, according to Shykevich, "is owing to Japan's support of Ukraine in the ongoing Russia-Ukraine war, as well as a decades-long dispute over the Kuril Islands, which both sides claim control over."

As per the sources, the MPD will look into the cases by gathering specific data from the affected businesses and government bodies. The National Police Agency will assess whether the attack on the e-Gov website qualifies as a disruption that materially impairs the operation of the government's primary information system, as defined by the police statute that was updated in April.

The cybersecurity expert added that firms in nations under attack by Killnet should be aware of the risks because the group employs a variety of tactics, such as data theft and disruptive attacks, to achieve its objectives. 

Following a recent large-scale attack by Killnet on websites in Italy, Lithuania, Estonia, Poland, and Norway, there have been allegations of attacks targeting Japanese government websites.

The Prynt Stealer Malware Includes a Secret Backdoor, Hackers Steal Data from Credentials


Telegram channel used for attacks

Zscaler researchers have found a Telegram-based backdoor in the Prynt Stealer info-stealing malware. The backdoor, embedded in the code of every variant and derivative copy of the malware, secretly sends the malware's author a copy of the information extracted from victims.

The backdoor sends copies of the victim data stolen by other hackers to a private Telegram chat monitored by the builder's developers.

This unpleasant surprise is not new in the cybercrime landscape: other malware families have previously been found to contain a secret backdoor.

What is Prynt Stealer?

Prynt Stealer is an info stealer that was discovered in April. It lets its operators extract credentials from web browsers, FTP/VPN clients, and messaging and gaming apps.

The malware is based on open-source projects, including AsyncRAT and StormKitty, and it exfiltrates the data stolen from victims via a Telegram channel.

Prynt Stealer can be purchased in the underground market for $100 for a one-month licence or $900 for a lifetime subscription.

How does the attack work?

Prynt Stealer borrows the code responsible for sending information to Telegram from StormKitty, with a few trivial changes. The experts add that the info stealer does not use the anti-analysis code from either StormKitty or AsyncRAT.

It spawns a thread that runs a function called processChecker, which continuously monitors the victim's process list for analysis tools such as taskmgr, netstat, netmon, and wireshark.

If any of the monitored processes are found, it blocks the Telegram C2 (Command and Control) communication channels.

Zscaler report says:

"The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded Telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen."

Leaked copies used for attack

"Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation."

The experts also noticed leaked/cracked copies of Prynt Stealer that contained the same backdoor, which means the malware author was able to receive stolen data from these copies as well.

Experts also found two more versions of the info-stealing malware named WorldWind and DarkEye that were written by the same author. 

What is DarkEye?

The experts observed that DarkEye is not mentioned or sold openly; instead, it is bundled as a backdoor with a "free" Prynt Stealer builder. Threat actors use the backdoor together with LodaRat and the DarkEye stealer.

The report concludes: 

"the free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open-source malware projects like NjRat, AsyncRAT, and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware."



Cloudflare Users Targeted by Hackers that Breached into Twilio


On Tuesday, the web infrastructure provider Cloudflare revealed that at least 76 of its staff members and their families had received text messages on both personal and business phones that resembled the sophisticated phishing campaign against Twilio.

Cloudflare said that its Cloudforce One threat intelligence team was able to analyze the attack, even though its systems were not breached.

According to analysts, this sophisticated attack targeted the systems and employees of several firms. Four phone numbers linked to SIM cards issued by T-Mobile were used in the attack, which took place around the same time Twilio was targeted and was ultimately unsuccessful.

Cloudflare said the rogue domain was registered via Porkbun less than 40 minutes before the wave of more than 100 smishing messages started. It also said the phishing page was built to immediately pass the data entered by unwary users to the attacker via Telegram.

The credentials were relayed to the attacker via the messaging app Telegram as soon as the recipient entered them on the phishing site. Experts note that this real-time relay was essential for the attackers because the phishing page would also request a Time-based One-Time Password (TOTP) code; with both pieces of information in hand, the attackers could sign in to the victim company's real login page.

Only three employees, according to Cloudflare, clicked the link in the phishing message and submitted their credentials. However, the company does not use TOTP codes; its staff members use FIDO2-compliant YubiKey security keys instead. This means that even an attacker who holds the credentials cannot access company systems without the hardware key.
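To show why the real-time relay described above works against TOTP but fails against a FIDO2 key, here is an added illustration (not Cloudflare's code). The relying party, the phishing proxy and the authenticator are simplified stand-ins, the origins are constructed, and an HMAC stands in for the ECDSA signature a real security key produces.

```python
"""Why a real-time phishing relay beats TOTP but not FIDO2/WebAuthn.

Added illustration, not Cloudflare's code. All names and origins are
constructed; HMAC stands in for the authenticator's real signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://sso.example.com"   # constructed: the real login page
PHISH_ORIGIN = "https://sso-example.com"   # constructed: look-alike phishing page


# ---- TOTP (RFC 6238, HMAC-SHA1, 30 s step) -------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a shared secret at a given time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_login(secret: bytes, submitted: str, unix_time: int, step: int = 30) -> bool:
    """Relying-party check. Real servers tolerate one step of clock skew."""
    for skew in (-1, 0, 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * step), submitted):
            return True
    return False


def totp_relay_attack(secret: bytes, unix_time: int) -> bool:
    """The victim types the code into the phishing page; it is forwarded to
    the attacker (over Telegram in the Cloudflare case) and replayed on the
    real site seconds later. Nothing binds the code to the page it was typed
    into, so the relying party accepts it."""
    code_typed_on_phish_page = totp(secret, unix_time)
    return totp_login(secret, code_typed_on_phish_page, unix_time + 5)


# ---- FIDO2 / WebAuthn-style assertion -----------------------------------
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_assert(key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser, not the web page, writes the origin it is displaying into
    clientDataJSON, and the key signs over it. A phishing page cannot change
    the origin the browser records. (A real key would additionally refuse to
    use a credential scoped to a different RP ID; that check is omitted.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(key, client_data, hashlib.sha256).digest()  # ECDSA stand-in
    return {"client_data": client_data, "signature": signature}


def rp_verify(key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: type, origin, challenge and signature must all match."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get" or data.get("origin") != LEGIT_ORIGIN:
        return False
    if not hmac.compare_digest(data.get("challenge", ""), _b64url(expected_challenge)):
        return False
    expected_sig = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def fido_legit_login(key: bytes) -> bool:
    """Normal login: the browser is on the real origin."""
    challenge = secrets.token_bytes(32)
    return rp_verify(key, challenge, authenticator_assert(key, challenge, LEGIT_ORIGIN))


def fido_relay_attack(key: bytes) -> bool:
    """The proxy fetches a fresh challenge from the real site and forwards it
    to the phishing page. The victim's key signs it, but the browser records
    the phishing origin, so the relying party rejects the relayed assertion
    even though the attacker already holds the victim's password."""
    challenge = secrets.token_bytes(32)          # obtained from the real RP
    assertion = authenticator_assert(key, challenge, PHISH_ORIGIN)
    return rp_verify(key, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test secret
    print("TOTP relay accepted :", totp_relay_attack(seed, 1_700_000_000))  # True
    print("FIDO2 legit login   :", fido_legit_login(b"constructed-key"))     # True
    print("FIDO2 relay accepted:", fido_relay_attack(b"constructed-key"))    # False
```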

Cloudflare also disclosed that after the employees entered their credentials, the phishing page immediately initiated a download of the AnyDesk remote access software, which would have allowed the attackers to remotely control the victims' machines had it been installed.

The company stated that it reset the affected employees' login passwords and tightened its access policy to block any logins from unidentified VPNs, residential proxies, and infrastructure providers, in addition to working with DigitalOcean to shut down the attacker's server.



Data Spyware Delivered via Telegram & Discord Bots

Hackers have utilized these messaging apps in a variety of ways to deliver their own malware, according to Intel 471's research. They have discovered ways to host, distribute, and execute various activities on these platforms, mostly in conjunction with information stealers, in order to steal credentials or other data from unwary users.

According to a recent study from Intel 471, threat actors are using the multifaceted nature of messaging apps — in particular, their content-creation and program-sharing components — as a basis for information stealing.

Tactics & Techniques

Researchers at Intel 471 have found a number of openly available information stealers that depend on Telegram or Discord to operate.

Additionally, these hackers conduct similar attacks against the Roblox and Minecraft gaming platforms. According to the researchers, Discord's content delivery network (CDN) is regularly used to host malware because the platform does not place restrictions on file storage.

One Telegram-focused botnet, dubbed X-Files, exposes its features through Telegram bot commands. Once the malware has been installed on a victim's computer, criminal actors can take credit card information, login credentials, session cookies, and passwords, and send them to a Telegram channel of their choice.

X-Files can harvest data from several browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi. Prynt Stealer, another stealer, operates similarly but lacks the built-in Telegram commands.

The following malware families have been seen hosting malicious payloads on the Discord CDN: PrivateLoader, Discoloader, Colibri, Warzone RAT, Modi loader, Raccoon Stealer, Smokeloader, Amadey, Agent Tesla stealer, GuLoader, AutoHotkey, and njRAT.

Cautions

Automation on well-known chat platforms lowers the barrier to entry for malicious actors. Information stealers may be the first step in launching a targeted attack against an enterprise, even though on their own they cannot cause as much harm as malware like a data wiper or ransomware.

Although messaging services like Discord and Telegram are not often utilized for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.


XFiles Malware Exploits Follina, Expands Its Attacks

What is XFiles?

The X-Files info stealer malware has added an exploit for CVE-2022-30190 (Follina) to its arsenal and uses it to deliver malicious payloads to targeted systems. A cybersecurity firm said that the malware uses Follina to download the payload, run it, and take control of the targeted computer. "In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine," says BleepingComputer.

How does the Follina infection work?

• The malware, delivered via spam email, consists of an OLE object that points to an HTML file on an external resource containing JavaScript code that exploits Follina.

• After the code is executed, it retrieves a base64-encoded string containing PowerShell commands that establish persistence in the Windows startup directory and deploy the malware.

• The second-stage module, "ChimLacUpdate.exe," contains an AES decryption key and hard-coded encrypted shellcode. An API call decrypts the shellcode and executes it in the same running process.

• After infection, XFiles performs the usual info stealer activities: harvesting passwords, history, and cookies stored in web browsers, taking screenshots, collecting cryptocurrency wallets, and looking for Telegram and Discord credentials.

• The files are stored locally in new directories before they are exfiltrated via Telegram.

XFiles is becoming more active

• A cybersecurity agency said that XFiles has expanded by taking in new members and initiating new projects. 

• A project launched earlier this year by Xfiles is called the 'Punisher Miner.' 

• Ironically, the new mining tool costs $9, the same price as renting the XFiles info stealer for a month.

CyWare Social says "it appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, becoming stronger, and thus providing their users with more readymade tools that do not require experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently increases the success rate of attacks."

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently been using Telegram to offer malware and other malicious tools as services. Researchers have discovered a new malware subscription service that can be used to facilitate a wide range of attacks.

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest updates and usage instructions, and discuss feature proposals, on a private Telegram channel with over 500 members. Buyers can apparently use a Telegram bot to assemble the binary automatically after choosing the desired feature set and paying the corresponding amount in cryptocurrency. The most expensive module is priced at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers.

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module costs $90 a year and includes features such as invisibility in the task manager, auto-restart once killed, and startup persistence. The clipper is a $110 module that scans the clipboard for cryptocurrency wallet addresses and replaces them with wallets controlled by the operator. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drives, LAN shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors claim it is FUD (fully undetectable), a claim supported by VirusTotal data showing zero detections for the strain. Notably, the ransomware module offers an option to set a timer that, when it expires, renders the files entirely unrecoverable. This adds to the pressure on the victim to pay the ransom as soon as possible.

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

21M Users' Personal Data Exposed on Telegram

 

A database containing the personal information and login credentials of 21 million individuals was exposed on a Telegram channel on May 7th, 2022, as reported by Hackread.com. The data of VPN customers was also exposed in the breach, including customers of prominent VPNs such as SuperVPN, GeckoVPN, and ChatVPN.

The database was previously offered for sale on the Dark Web last year, but it is now available for free on Telegram. The leaked files contained 10GB of data and exposed 21 million unique records, according to vpnMentor analysts. The following details were included:

  • Full names
  • Usernames
  • Country names
  • Billing details
  • Email addresses
  • Randomly generated password strings
  • Premium status and validity period

Further investigation revealed that the leaked passwords could not be cracked, because they were random, hashed, or salted strings with no collisions. Gmail accounts made up the majority of the email addresses (99.5 percent).

However, vpnMentor researchers believe that the released data is only a portion of the whole dump. For the time being, it is unknown whether the information was obtained through a data breach or from a malfunctioning server. In any case, the harm has been done, and users are now exposed to scams and prying eyes. The main reason people use VPNs is to maintain their anonymity and privacy; because VPN customers' data is regarded as more valuable, its disclosure has far-reaching effects.

People whose information was exposed in this incident may be subjected to blackmail, phishing scams, or identity theft. Because personally identifiable information such as country names, billing information, and usernames was exposed, attackers may launch targeted fraud. Threat actors could hijack users' accounts and exploit their premium status if they manage to crack the credentials.

If the data falls into the hands of a despotic government that prohibits VPN use, VPN users may be arrested and detained. Users should change their VPN account password and use a mix of upper-lower case letters, symbols, numbers, and other characters for maximum account security.

US has Offered a $10 Million Bounty on Data About Russian Sandworm Hackers

 

The United States announced a reward of up to $10 million for information on six Russian military intelligence service hackers. According to the State Department's Rewards for Justice Program, "these people engaged in hostile cyber actions on behalf of the Russian government against U.S. vital infrastructure in violation of the Computer Fraud and Abuse Act."

The US Department of State has issued a request for information on six Russian officers (whose unit is also known as Voodoo Bear or Iron Viking) from the Main Intelligence Directorate of the General Staff of the Russian Federation's Armed Forces (GRU) regarding their alleged involvement in malicious cyberattacks against critical infrastructure in the United States. The attributed links are as follows:

  • Artem Valeryevich Ochichenko has been linked to technical reconnaissance and spear-phishing efforts aimed at gaining unauthorized access to the IT networks of critical infrastructure sites around the world.
  • Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko are accused of developing components of the NotPetya and Olympic Destroyer malware used by the Russian government to infect computer systems on June 27, 2017.
  • Anatoliy Sergeyevich Kovalev is accused of developing spear-phishing techniques and messages that were used by the Russian government to break into critical infrastructure computer systems.

On October 15, 2020, the US Justice Department charged the officers named above with conspiracy to commit wire fraud and aggravated identity theft for carrying out destructive malware attacks intended to disrupt and destabilize other countries and cause monetary damage.

According to the indictment, the GRU officers were involved in attacks on Ukraine, including the BlackEnergy and Industroyer malware attacks on the country's power grid in 2015 and 2016. The US Department of Justice charges them with damaging protected computers, conspiracy to commit computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. According to the US Department of State, the APT group's cyber operations resulted in roughly $1 billion in losses for US firms.

As part of the program, Rewards for Justice has set up a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion" which may be used to submit reports on these threat actors anonymously; information can also be shared via Signal, Telegram, or WhatsApp.

Recently, the Sandworm collective was linked to Cyclops Blink, a sophisticated botnet malware that compromised internet-connected firewall devices and routers from WatchGuard and ASUS. Other recent hacking efforts linked to the gang include the use of an improved version of the Industroyer malware against high-voltage electrical substations in Ukraine amid Russia's continuing invasion.

T-Mobile Reveals its Security Systems were Hacked by Lapsus$ Hackers

 

T-Mobile acknowledged on Friday that it had been the subject of a security compromise in March, when the LAPSUS$ extortion group gained access to its networks. The admission came after investigative journalist Brian Krebs published internal chats from LAPSUS$'s key members, revealing that the group had infiltrated the company many times in March prior to the arrest of seven of its members.

Independent investigative journalist Brian Krebs first exposed the incident after analyzing leaked Telegram chat conversations between Lapsus$ gang members. T-Mobile said in a statement that the breach happened "a few weeks ago" and that the "bad actor" accessed internal networks using stolen credentials. "There was no customer or government information or any similarly sensitive information on the systems accessed, and the company has no evidence of the intruder being able to get anything of value," the company added.

The initial VPN credentials were allegedly purchased from underground marketplaces such as Russian Market in order to take control of T-Mobile employee accounts, enabling the threat actor to conduct SIM swapping attacks at any time.

The conversations suggest that LAPSUS$ had compromised T-Mobile's Slack and Bitbucket accounts, enabling the group to obtain over 30,000 source code repositories, in addition to gaining access to an internal customer account management application called Atlas. In the short time since it first appeared on the threat scene, LAPSUS$ has become known for hacking Impresa, NVIDIA, Samsung, Vodafone, Ubisoft, Microsoft, Okta, and Globant.

T-Mobile has acknowledged six previous data breaches since 2018, including one in which hackers gained access to data belonging to 3% of its customers. A year later, in 2019, T-Mobile acknowledged that prepaid customers' data had been exposed, and in March 2020 unknown threat actors gained access to T-Mobile employees' email accounts. Hackers also gained access to customer proprietary network information in December 2020, and attackers accessed an internal T-Mobile application without authorization in February 2021.

According to a VICE investigation, in the aftermath of the August 2021 breach T-Mobile unsuccessfully tried to prevent the stolen data from being posted online by paying the hackers $270,000 through a third-party firm. After the stolen sensitive information turned up for sale on the dark web, the New York State Office of the Attorney General (NY OAG) warned victims of T-Mobile's August data breach that they would face elevated identity theft risks.

The City of London Police announced earlier this month that two of the seven teenagers arrested last month over alleged connections to the LAPSUS$ data extortion group, a 16-year-old and a 17-year-old, had been charged.

Anonymous Rises Again Amid Russia Ukraine War

 

Anonymous, the international hacktivist collective, has surfaced again. This time, the group claims to have hacked Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), a Russian federal agency, and to have stolen more than 360,000 files. You may have read about Russia banning VPNs, Telegram, or email services; a particular agency is responsible for those bans.

It is called Roskomnadzor, a major federal executive agency responsible for handling, managing, and censoring Russian media. "Anonymous also targeted and hacked misconfigured/exposed Cloud databases of Russian organizations. The shocking aspect of the attack was the fact that Anonymous and its affiliate hackers hacked 90% of Russian Cloud databases and left anti-war and pro Ukrainian messages," Hackread reports.

Details about the attack 

The leaked data is 820 GB in size, and most of the database files relating to Roskomnadzor's data are linked to the Republic of Bashkortostan, one of Russia's largest provinces. The full dataset is now available on the official website of Distributed Denial of Secrets (aka DDoSecrets), a non-profit whistleblower organization. It should be noted that an Anonymous affiliate shared Roskomnadzor's data with DDoSecrets; the organization itself is not responsible for the attack. The first announcement of the data leak came from journalist and DDoSecrets co-founder Emma Best in March 2022.

YourAnonNews, a well-known representative of the Anonymous collective, also tweeted about the attack. Anonymous has openly sided with Ukraine in the ongoing war with Russia. The Russian government has restricted all major sources of information, especially news and media outlets, and Roskomnadzor was ordered to block Facebook, Twitter, and other online platforms.

Hackread reports, "While Twitter launched its Tor onion service, authorities in Russia have also amended the Criminal Code to arrest anyone who posts information that contradicts the government's stance. Nevertheless, since Roskomnadzor is a major government agency responsible for implementing government orders Anonymous believes the Russian public must have access to information about what is going on within Roskomnadzor."

Telegram Abused By Raccoon Stealer

 

According to a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the ability to store and update its real C2 addresses on Telegram's infrastructure. According to the researchers, this gives the operators a "convenient and trustworthy" command center on the network which they can change on the fly.

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

According to the reports, Buer Loader and GCleaner were used to distribute Raccoon. Based on some samples, experts suspect it is also being distributed in the guise of fake game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications.

Since Raccoon Stealer is sold as a service, the only limit on its distribution methods is the imagination of its customers. Some samples are spread unpacked, while others are protected by malware packers such as Themida. It is worth noting that certain samples were packed by the same packer five times in a row.

The newest version of Raccoon Stealer communicates with its C2 through Telegram. According to the post, four "crucial" parameters for its C2 communication are hardcoded in every Raccoon Stealer sample:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names;
  • BotID, a hexadecimal string that is always sent to the C2;
  • TELEGRAM KEY, a decryption key for the Telegram gate C2 address.

Before hijacking Telegram for its C2, the malware decrypts MAIN KEY, which it then uses to decrypt the Telegram gate URLs and BotID. According to the post's author, Martyanov, the stealer then uses the Telegram gate to reach its real C2 through a series of requests, which ultimately lets the operators store and change the actual C2 addresses on Telegram's infrastructure.

The stealer can also deliver additional malware by downloading and executing arbitrary files in response to an instruction from the C2. According to Avast Threat Labs, Raccoon Stealer distributed roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware.

Telegram has Experienced a Global Outage

 

On Thursday, March 3, the popular messenger Telegram experienced an outage. Users reported the problems on Downdetector, a service that tracks access problems with Internet resources.

According to Downdetector, the outage began at about 14:00 Moscow time. The majority of those who left complaints (56 percent) reported problems with the server connection. Users also noted problems with receiving messages (22 percent) and with the operation of the application (23 percent).

The outage affected residents of Russian cities, including Moscow and St. Petersburg. Users from Ukraine and Belarus also complained about the problems.

The other day Pavel Durov published the following statement: "We do not want Telegram to be used as a tool to exacerbate conflicts and incite interethnic discord. In the event of an escalation of the situation, we will consider the possibility of partially or completely restricting the operation of Telegram channels in the countries involved during the conflict." 

According to him, Telegram has increasingly been used to spread fakes and unverified data related to the war, and the administration is unable to check every publication for authenticity. Soon afterwards, however, Durov promised not to restrict the messenger's operation in Ukraine.

According to him, "a lot of users have asked us not to consider disabling Telegram channels for the period of the conflict, since we are the only source of information for them." But he urges users to "double-check and not take for granted the data that is published in Telegram channels during this difficult period." 

It is worth noting that in the week since the beginning of Russia's military operation in Ukraine, news channels in the Telegram messenger have gained 19.5 million new subscribers. Another Russian social network created by Pavel Durov, VK, is also experiencing a new surge in popularity because of the technical problems of other social networks: views in the VK news feed increased by 5% over the week, and the average daily number of video views increased by 15%. People are turning to these platforms for up-to-date information from media outlets that are under hacker attack and from eyewitnesses of events.

Earlier, CySecurity News reported that three popular foreign social networks, Facebook, Instagram and Twitter, had begun to receive large numbers of complaints from residents of Russia.

Facebook, Instagram and Twitter Users from Russia have Noticed Malfunctions in their Work


According to Downdetector, a service that tracks problems with Internet platforms, users from Russia began to complain en masse about failures of Facebook, Instagram and Twitter. The problems began on February 25. Over 80% of users complained about the functioning of the application, another 10% reported that they could not log in to their profile, and 7% reported problems with the social networks' websites.

Recall that on February 25, Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media) partially restricted access to Facebook. On the same day, the Prosecutor General's Office declared the social network to be involved in violating the rights and freedoms of Russian citizens.

On February 26, Russian media outlets were barred from running ads and monetizing content on Facebook; the company took this step because of the situation around Ukraine. At the same time, Twitter suspended advertising for Russians and Ukrainians and temporarily stopped recommending tweets to avoid the spread of offensive material.

In addition, Roskomnadzor reinstated its throttling of Twitter on devices in Russia in connection with the dissemination of untrustworthy public information about the military operation in Ukraine.

The agency recalled that, beginning March 10, 2021, Roskomnadzor had slowed down Twitter on mobile phones and fixed devices in the Russian Federation for refusing to delete information prohibited in Russia. On May 17, 2021, after Twitter's moderation services deleted more than 91% of the prohibited information, the restrictions were lifted.

Roskomnadzor noted that in this situation, the condition for lifting the access restrictions "is the complete removal by Twitter of prohibited materials identified by Roskomnadzor, as well as the termination of participation in the information confrontation, distribution of fakes and calls for extremism".

In the Russian segment of the Internet, one now often finds messages like "If anything, here is my Telegram account...". Since February 25, when Roskomnadzor announced the partial blocking of Facebook, almost every Russian user has considered it their duty to tell friends where to find them now.

Bloggers and media resources are increasingly posting on their pages posts with recommendations for installing a VPN and other measures to bypass blocking.

Durov Suspected WhatsApp of Intentionally Introducing Vulnerabilities


Pavel Durov, the Russian entrepreneur who founded the Telegram messenger, wrote in his Telegram channel, while criticizing WhatsApp, that the Meta-owned messenger has hardly ever been secure.

Durov also suspects that the service may intentionally introduce vulnerabilities. "Since the creation of WhatsApp, there has hardly been a moment when it was secure: every few months, researchers discover a new security problem in the application," he added. 

Durov recalled that he had already spoken out about the dangers of the service in 2020, and in his view the situation with WhatsApp has not changed since.

As an illustration, he cited a study by the American information technology company Boldend, which revealed a vulnerability in WhatsApp. The flaw has existed for several years and allows attackers to gain unnoticed access to their victims' correspondence.

In addition, the creator of Telegram commented on a Forbes report, which claims that Facebook investor Peter Thiel secretly funded a startup with the ability to hack WhatsApp. "WhatsApp users' messages have been available for attacks by potential hackers for years," Durov said about the report. 

"It would be hard to believe that WhatsApp technicians are so often incompetent. Telegram, a much more technically sophisticated application, has never had such serious security problems," Durov concluded. 

In December, Durov said that Telegram remains protected from the influence of third parties. He cited an FBI report which claimed that the bureau has access to Viber, iMessage, WhatsApp, and Line, whereas Telegram, Threema, Signal, and Wickr do not hand over correspondence to third parties. At the same time, it was noted that Telegram can, at the request of law enforcement, release a user's IP address and phone number.

Earlier, Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies. The Minister said that he actively uses the Telegram messenger for fast communications.

German Ministry of Justice announced millions in fines for Telegram in case of non-compliance with laws

German Justice Minister Marco Buschmann announced "million-dollar" fines for the Telegram messenger for violating German law and reminded the company that it must designate a contact person in the country and provide a mechanism for notifying the social network of unlawful content.

"And our laws also apply to Telegram. According to them, Telegram should appoint a contact person in Germany and create an easily identifiable way to notify about illegal content. Since these duties are violated, we have initiated many procedures for imposing a fine," Buschmann said in an interview with Bild am Sonntag.

He noted that the German authorities regularly contact the authorities of the UAE, where the messenger's headquarters are located.

"In case the next attempt to deliver an alert (about the offense) fails, the next step will be a public alert. After that, we will be able to impose a monetary fine. Our laws provide for millions of dollars in fines," Buschmann added.

Buschmann addressed the topic of Telegram in response to the newspaper's questions about the threats against the authorities that have been reported on the social network in recent weeks. According to the media, the threats have recently been voiced in the chats of covid dissidents.

Earlier, German Interior Minister Nancy Faeser called for a tougher policy towards hate speech in the Telegram messenger. She noted that Telegram channels, through which information can be distributed to subscribers, fall under the German network enforcement law, which imposes an obligation to remove illegal content.

It is worth noting that the total amount of Telegram's court fines since the beginning of 2021 is more than 40 million rubles. At the same time, some of the court's decisions have not yet entered into force.

Swiss Army Bans WhatsApp at Work


A spokesman for the Swiss army announced on Thursday that the use of WhatsApp while on duty has been prohibited in favour of a Swiss messaging service regarded as safer in terms of data security.

Using other messaging applications such as Signal and Telegram on soldiers' personal phones during service activities is likewise barred.

Commanders and chiefs of staff got an email from headquarters at the end of December advising that their troops switch to the Swiss-based Threema. According to army spokesman Daniel Reist, the recommendation applies "to everyone," including conscripts serving in the military and those returning for refresher courses. 

Switzerland is known for its neutrality, but the landlocked European country's long-standing position is one of armed neutrality, and it has mandatory conscription for men.

According to Reist, the concern about using messaging apps on duty came up during operations to assist hospitals and the vaccination campaign as part of Switzerland's efforts against the Covid-19 pandemic. The Swiss army will bear the cost of downloading Threema, which is already used by other Swiss public agencies, at four Swiss francs ($4.35, 3.85 euros) per copy.

Other messaging services, such as WhatsApp, are governed by the US Cloud Act, which permits US authorities to access data held by US operators even when it is stored on servers located outside the United States. Threema, which claims to have ten million users, describes itself as an instant messenger that collects as little data as possible. It is not supported by advertisements.

The company states on its website, "All communication is end-to-end encrypted, and the app is open source." 

According to an army spokesman mentioned in a Tamedia daily report, data security is one of the reasons for the policy change. As per local surveys, WhatsApp is the most popular messenger app among 16- to 64-year-olds in Switzerland.

Telegram Exploited by Attackers to Spread Malware


Researchers discovered that cybercriminals are using the Echelon info stealer to attack the crypto-wallets of Telegram users, attempting to deceive new or naïve members of a cryptocurrency discussion group on the messaging network.

Researchers from SafeGuard Cyber's Division Seven threat analysis section discovered a sample of Echelon in a cryptocurrency-focused Telegram channel in October, according to an investigation published on Thursday. 

The malware used in the campaign is designed to steal credentials from a variety of messaging and file-sharing applications, such as Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as from a variety of cryptocurrency wallets, including AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero.

The campaign was a “spray and pray” effort: “Based on the malware and how it was posted, SafeGuard Cyber believes that it was not part of a coordinated campaign, and was simply targeting new or naïve users of the channel,” according to the report. 

Researchers discovered that attackers had been using the handle "Smokes Night" to disseminate Echelon on the channel, although it's unknown how successful they were. "The post did not appear to be a response to any of the surrounding messages in the channel," they added.

According to the researchers, other users on the channel did not appear to notice anything strange or engage with the post. However, the experts note that this does not mean the malware did not reach users' devices.

“We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” they wrote. 

The Telegram messaging platform has undoubtedly become a hotspot of activity for hackers, who've already taken advantage of its popularity and large attack surface by distributing malware on the network via bots, rogue accounts, and other methods.

Echelon was delivered to the cryptocurrency channel in the form of a .RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document containing a password; "DotNetZip.dll," a non-malicious class library and toolset for manipulating .ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer.

The .NET payload also featured several characteristics that made it hard to detect or analyze, such as two anti-debugging routines that immediately terminate the process if a debugger or other malware analysis tooling is detected, and obfuscation using the open-source ConfuserEx tool.

According to the researchers, additional capabilities of the malware include machine fingerprinting and taking a screenshot of the victim's workstation. The Echelon sample taken from the campaign uses a compressed .ZIP file to send passwords, other stolen data and screenshots back to a command-and-control server.

Analysts Warn of Telegram Powered Bots Stealing Bank OTPs


In recent years, two-factor authentication has become one of the simplest ways for users to protect their accounts, and it has now become a major target for threat actors. Cybersecurity firm Intel 471 has observed a rise in services that let threat actors bypass OTP (one-time password) tokens. All of the services Intel 471 has seen since June operate through a Telegram bot or support their customers via a Telegram channel, where users share their successes with the bot and often walk away with thousands of dollars from target accounts.

Recently, threat actors have been offering services that call victims with what appears to be a genuine call from a bank and trick them into entering an OTP or other authentication code on their phone; the service then captures the codes and hands them to its customer. Some services also target other well-known financial services or social media platforms, offering SIM swapping and e-mail phishing as well. According to the experts, a bot known as SMSRanger is very easy to use: with a single slash command, a user can enable various modes and scripts aimed at banks and payment apps such as Google Pay, Apple Pay, PayPal, or a wireless carrier.

Once the victim's phone number has been entered, the bot does the rest of the work, giving access to the targeted account. The bot's success rate is around 80%, provided the victim answers the call and provides correct information. BloodOTPBot, a bot similar to SMSRanger, sends the target a fake OTP code via text message; in this case, the attacker has to spoof the target's phone number and pose as a company or bank agent, after which the bot tries to obtain the authentication code through social engineering.

The bot forwards the code to the operator once the target receives the OTP and types it on the phone keypad. A third bot, known as SMS Buster, requires more effort from the attacker to retrieve information: it fakes a call so that it looks like a genuine call from a bank and allows the attacker to call from any phone number, following a script to trick the victim into giving up personal details such as an ATM PIN, CVV, and OTP.

Telegram Bug in Mac Allows User To Save Secret Chats


Cybersecurity experts have found a technique that lets Telegram users on Mac keep self-destructing messages or view them without the sender's knowledge. Telegram has an optional "secret chat" feature that protects the privacy of conversations with additional safeguards: when you start a secret chat with a Telegram user, the chat is end-to-end encrypted, and all messages, media and attachments are set to self-destruct by default, disappearing from the device after some time.

But a new bug found by cybersecurity expert Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, lets a Telegram user on Mac save self-destructing messages and media permanently. Files sent in a chat that are not media are saved in the cache folder under XXXXXX unique numbers tied to a user profile. "As voice recordings, video messages, images, or location sharing images are automatically downloaded to the cache, Reegun discovered that a user could simply copy the media from the cache folder before viewing it in the program," reports BleepingComputer.

Telegram does not download such attachments unless the recipient chooses to, because these documents generally have a large file size. When a user views the content or reads a message, the self-destruct timer starts, the chat soon disappears, and the content is deleted automatically. However, the experts found that the self-destructing media was not removed from the cache folder, so the user could save it to a different location on the hard drive. Telegram patched the vulnerability in Telegram for macOS version 7.7 (215786) and later after it was reported; however, a different bug still allows a user to save self-destructing media.

According to the reports, Telegram told the experts that this second issue cannot be fixed because there is no way to prevent direct access to the app folder. Telegram said: "please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app's folder), and we clearly warn users about such circumstances."