Search This Blog

Showing posts with label Cyber Attacks. Show all posts

A Hacker Collective Based in Pakistan, Being Backed by China to Gather Intelligence Against India

 

In a rather coordinated attempt in order to steal strategic data and critical infrastructure by sending phishing mails a campaign was launched by a Pakistan-backed hacker, Transparent Tribe. 

The campaign, dubbed as 'Operation Sidecopy' utilizes a remote access malware that can heighten its privilege in undermined systems, and thus, easily steal data by infiltrating a computer. 

Cyber Security researchers at Seqrite, the cyber security solutions arm of Quick Heal, believe that the main tools utilized in Operation Sidecopy shows the association of Transparent Tribe which Seqrite believes is being backed by China to accumulate insight against India. 

One of the main characteristics that Seqrite believes can be associated with Pakistan's Transparent Tribe is the remote server facilitating that the 'collective uses'. 

As per researchers Kalpesh Mantri, Pawan Chaudhari and Goutam Tripathy at Seqrite, Operation Sidecopy utilizes Contabo GmbH to 'host' the remote server through which the malware is instructed and information inflow is controlled, which Transparent Tribe is accounted for to have done already.

Himanshu Dubey, director of Quick Heal Security Labs, affirmed that alongside the Operation Sidecopy cyber attacks are highly targeted towards India in nature and have been continuously observed since 2019.

'Till now, this attack has been only seen targeting India.The Tactics, Techniques and Procedures (TTPs), as well as Decoy documents that we analysed, were crafted specifically in Indian context,” he says. 

Clarifying the Pakistan and China connection in the series of cyber attacks taken note of, Quick Heal's Dubey says, “We have considered several factors such as infrastructure used for command servers, registered domain naming patterns and recently created domains, command and control server names are similar to the names used by APT36 in past, and APT36’s history of attacks targeting Indian defence organisations.Also, one domain that hosted HTML stager applications is registered to a user in Rawalpindi, Pakistan.” 

 Dubey avows that the entirety of Seqrite's discoveries under Operation Sidecopy have been shared with the authorities of the Indian government in order to assist them with taking proper digital protection steps and forestall loss of important data.

A major Ukrainian IT company has revealed details of the hacker attack

Ukrainian IT company SoftServe has issued an official statement about the recent hacker attack, in which it gave details of the incident and said that its investigation is still ongoing.

As a reminder, in early September SoftServe underwent a hacker attack during which client data, including the source code of a number of developments, were stolen. Later, another confidential data appeared on the network, including scanned copies of internal and foreign passports of company employees.

"As we reported earlier, SoftServe experienced a cybersecurity incident on Tuesday, September 1. It was a complex, multi-step and targeted attack against our company. As a result of the attack, the company's mail server was damaged, a number of corporate services were disabled, and the internal file server was compromised,” noted SoftServe.

The attackers managed to download fragments of various information, and in order to put pressure on the company, they made them publicly available.  SoftServe expects new incidents and declares its readiness for them.

"We expect that new data can be published again and are ready for it. Such actions of attackers, as well as various kinds of provocations and the spread of fakes to escalate the situation are a common tactic in hacker attacks. As noted earlier, SoftServe managed to localize the attack within a few hours after the attack and our team quickly restored the operation of corporate systems that function normally,” noted the company on its Facebook page.

The company also said that SoftServe is currently operating normally and has a "clear plan to deal with the consequences" of the incident. The company promises technical, legal, financial, and other assistance to anyone who suffered from the attack.

SoftServe has engaged one of the world's cybersecurity experts to independently investigate the incident.

Experts listed most frequent cyber threats in the first half of the year

In the first half of 2020, phishing emails gained popularity among cyber fraudsters. Such conclusions were made by analysts of the Group-IB company.

According to the study, attackers in the context of the coronavirus pandemic began to use malicious mailings twice as often in order to get user data to access various popular Internet services.

One in three malicious emails sent by fraudsters contained spyware that steals paid data or other important information in order to sell it on the Darknet or blackmail the owner.

One of the most popular ways to get personal data of victims through mailing lists is Troyan-Downloader, which, after getting onto a computer through a letter, download other malicious software. 

According to experts, the list of malicious software in demand among fraudsters is headed by the banking Trojan RTM, which intercepts data on account details and takes screenshots. The second place is taken by the spyware Loki PWS, which steals usernames and passwords, and closes the top three Formbook backdoor.

Analysts consider the increase in phishing mailings to be expected, as the popularity of Internet services has grown on self-isolation.

Recall that this trend was confirmed by a study by Trend Micro Incorporated. So, according to experts, in the first half of 2020, almost 9 million attacks related to COVID-19 were recorded. These include email messages, links, and malicious files that mention the coronavirus. The growing ransomware family includes 68 new types of malware, and the main targets are government organizations, healthcare, and manufacturing. 

Hackers threaten to bring down the tax, energy and banking system of Belarus

A group of hackers threatens to bring down the tax, energy and banking systems of Belarus if the head of state Alexander Lukashenko does not comply with the ultimatum

The union of hackers and IT-developers of Belarus has threatened President Alexander Lukashenko to bring down the tax, energy and banking systems if security forces continue to detain protesters.

The statement of attackers was published in the Telegram channel "Cyber Partisans". They demand that Lukashenko stop the arrests by September 13, go out with a loudspeaker and publicly apologize to the population, as well as leave his post. And if this does not happen, "Belarus will forget what taxes are."

"Alexander Lukashenko, we are addressing you personally. It will be very painful, first, the tax system will break down, then the electricity in the country will run out, then the banking system will break down… Do you need it?" the hackers asked the President of the Republic. In addition, the hackers stressed that they are able to "kill the ruble" and start blocking the bank accounts of people from Lukashenko's inner circle.

Recall that after the announcement of the election results in Belarus, mass protests began. The protesters are demanding Lukashenko's resignation and new fair elections. In addition, citizens report violence by the security forces.

The European Union refused to recognize the victory of Lukashenko, and the Kremlin, on the contrary, congratulated the permanent leader of the Republic on the next term.

An interesting fact is that during the elections and in the following days, the Internet stopped working several times in the country. The Belarusian authorities called the cause of the failure a cyberattack from abroad, but later it became known that the equipment for blocking local state security agencies was provided by the American company Sandvine.

DDoS attacks from the USA, UK, Ukraine were recorded during the voting in the Russian Federation

Andrey Krutskikh, special representative of the President of Russia for international cooperation in the field of information security, said on Monday at a conference on cybersecurity that the sources of DDoS attacks on Russian government agencies during the voting on amendments to the constitution were recorded from the United States, Great Britain, Ukraine and a number of CIS countries.

He noted that in 2020, attacks with the aim of affecting critical infrastructure and electoral processes have become commonplace.

"For example, during the voting period on amendments to the Constitution of the Russian Federation (June 25 - July 1 this year), there were large-scale attacks on the infrastructure of the Central Election Commission and other state bodies of Russia. Sources of DDoS attacks with a capacity of up to 240 thousand requests per second were recorded from the United States, Great Britain, Ukraine and a number of CIS countries,” said the special representative of the President of the Russian Federation.

According to Krutskikh, in 2020, the problems that all countries face in the information space are growing like a "snowball". Thus, the volume of illegal content, including terrorist content, distributed on the Internet is increasing, and the implementation of destructive actions of states in the information space is becoming the norm.

"The concepts adopted in some countries for preemptive cyber strikes and offensive actions in the cyber sphere do not add the optimism,” stated Mr. Krutskikh.

It is interesting to note that during the six days of voting, officials reported one major attack, it occurred on the evening of June 27. Artem Kostyrko, head of the department for improving territorial administration and developing smart projects of the Moscow government, explained that hackers tried to influence the system through a service for monitoring online voting.

Chinese hackers targeted about five Russian developers of banking software

Chinese hacker group Winnti attacked at least five Russian developers of banking software, as well as a construction company. According to Positive Technologies, the names of banks and developers are not disclosed.

Positive Technologies noted that the implantation of special malicious code by hackers at the development stage potentially allows them to get access to Bank data. After the code is implemented onto the infected machine, a full-fledged backdoor is loaded to investigate the network and steal the necessary data.

Andrey Arsentiev, head of analytics and special projects at InfoWatch, explained that previously Winnti hacked industrial and high-tech companies from Taiwan and Europe through attacks on the software supply chain, but now, apparently, it has decided to switch to Russian companies.

According to him, there is a rather complex software supply chain in the financial sector, so Winnti may be interested not only in obtaining direct financial benefits but also in corporate espionage. As for the construction industry, Chinese hackers may be aimed at obtaining trade secrets, which in turn may be related to the plans of Chinese companies to expand into the Russian market. Mr. Arsentiev came to the conclusion that, in this way, hacker attacks would allow studying the strategy of potential competitors

Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents, said that organizations involved in software development and system integration accounted for about a third of all targeted attacks in the Russian Federation in recent years.

According to Mikhail Kondrashin, technical director of Trend Micro, attacks specifically on software developers for banks open up endless opportunities for subsequent attacks. The appearance of such attacks actually changes the rules of information security in the field of development: it is no longer just about developing secure code, but rather protecting the infrastructure itself.

A New Set of Cybersecurity Principles Issued By the White House


A new set of cybersecurity principles were recently issued by the White House to ensure its commercial and critical infrastructure investments in space.

The short document states: “The United States considers unfettered freedom to operate in space vital to advancing the security, economic prosperity, and scientific knowledge of the Nation.” 

As the US focuses on this unfettered access critical to its future, it additionally increased the utilization of digital services and technologies delivered by satellites. The move was brought about as the focus of the White House goes beyond military operations in space.

The nation is worried about the effect of cybersecurity attacks against a scope of services delivered by satellite, for example, the global positioning systems. GPS is particularly significant, to military activities as well as regular citizen use.

The Space Policy Directive 5 details a list of suggested best practices for making sure that the information systems, netwoRk “radio-frequency-dependent wireless communication channels” that together power US space systems.

“These systems, networks, and channels can be vulnerable to malicious activities that can deny, degrade or disrupt space operations, or even destroy satellites,” the document stated.

“Examples of malicious cyber-activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks.”

Among the suggested best practice principles was the utilization of “risk-based, cyber-security-informed engineering” to create and operate space systems, with persistent monitoring for vindictive action and of system configurations. 

 Other elements that will help ensure a good baseline of cybersecurity were mentioned as:
1. Protection against unauthorized access to space vehicle functions 

2. Physical protection of command

3. Control and telemetry receiver systems

4. Measures to counter communications jamming and spoofing

5. Management of supply chain risks and improved collaboration between space system owners. 

The document likewise included that such attacks could bring about the loss of mission data, damage to space systems, and loss of control over space vehicles such as satellites, space stations, and launch vehicles, which could lead to collisions that generate dangerous orbital debris.

Norwegian Parliament Hit by a Cyber-Attack on Its Internal Email System


Stortinget, the Norwegian Parliament succumbed to a cyber-attack that targeted its internal email system. The news came in on Tuesday when the Norwegian parliament's director, Marianne Andreassen, affirmed that the threat actors had targeted the parliament. 

The hackers penetrated email accounts for elected representatives and employees, from where they stole various amounts of data. Andreassen said that the incident is currently being monitored, and, so couldn't give any insight into who was responsible for the attack, or the number of hacked accounts.

People whose accounts were exposed in the attack have been informed about the same and a report has been filed with the Norwegian police and the nation's intelligence agency has just begun investigating the incident, as per a statement the agency posted on its Twitter account after the incident. 

The local press, who initially broke the story additionally, announced that the parliament's IT staffs has closed down its email service to keep the hackers from siphoning more information. 

Besides this, a representative for Norway's main opposition party, the Labour Party, told public broadcaster NRK that the attack had additionally affected a few Labour Party members and staff. 

After the incident was found, the Norwegian National Security Authority (NSA) was brought in to counter the attack and get to the bottom of what had occurred "We have been involved for a few days," said NSA spokesman Trond Oevstedal. 

"We are assisting parliament with analysis and technical assistance." Andreassen said that the parliament had discovered "anomalies a little more than a week ago." 

"A number of risk-reducing immediate measures were implemented to stop the attack," said Andreassen. "These measures had an immediate effect." 

In a statement issued earlier read: "Burglary has been registered in the email accounts of a small number of parliamentary representatives and employees. Our analyses show that different amounts of data have been downloaded." 

The Storting through this statement said that the attackers had snatched a vague measure of data. So far no there is no info released with respect to what sort of cyber-attack was executed against the Norwegian parliament or who was responsible for it. 

However, as Andreassen said to the reporters they take the matter quite seriously and have given our complete attention to investigating the situation to get a complete image of the incident and the possible degree of harm caused by it.

Cyber Criminals broke into the database of patients of the Russian cancer center and demanded a ransom

The Sverdlovsk Regional Clinical Center was hacked. Svetlana Lavrova, a neurophysiologist, told about this on her Facebook page.

“The data of 400 patients who were operated on from the 10th to the 21st were encrypted," said Alexander Dorofeev, Deputy chief physician at the Sverdlovsk Regional Cancer Center.

The Department of information policy of the Sverdlovsk region said that the hack occurred on August 21 at the time of installation and integration of the laboratory information system.

Hackers chose the moment when the system was most vulnerable, during the installation of new software. A specially designed virus encrypted data on test results - information that is so necessary to prescribe an effective treatment. They became unreadable without a special key.

Then the hackers demanded one thousand dollars for the decoder. The management agreed to pay, but the hackers stopped communicating.

As a result, a lot of work had to be done in a few days: manually restore medical reports, re-enter them into the database.

"Especially for those who doubt confidentiality: the missing data was not transferred to someone, no one found out who had what kind of tumor, just hackers "broke" our access to them," wrote a neurophysiologist Svetlana Lavrova on Facebook.

As a result, a statement to the police has not yet been written, since there was no time.  Now, when all the data has been restored and the patients received the necessary treatment, a check will be carried out. Police need to find out who these scammers are who tried to sell the lives of 400 people for a thousand dollars. And most importantly, how they managed to find out at what point the system will be vulnerable.

NZ Stock Exchange Halted Temporarily Twice After Being Hit by Cyber Attacks


The New Zealand stock exchange was hit by a cyber-attack due to which it had to remain offline two days in a row. The exchange said the attack had "impacted NZX network connectivity" and it had chosen to temporarily halt trading in cash markets not long before 16:00 local time.

The trading had to be stopped briefly for a second time, yet was back ready for action before the day's end. 

A DDoS attack is generally a quite straightforward kind of cyber-attack, wherein a huge 'array' of computers all attempt to connect with an online service at the same time usually resulting in 'overwhelming its capacity'. 

They frequently use devices undermined by malware, which the owners don't know are a part of the attack. 

While genuine traders may have had issues with carrying out their business, but it doesn't mean any financial or personal data was accessed. NZX said the attack had come “from offshore via its network service provider". 

The subsequent attack had halted the trading for a long time in the working day - from 11:24 to 15:00 local time, the exchange said. In any case, in spite of the interference, the exchange was up at the end of the business, close to its 'all-time' high. 

Nonetheless, NZX said it had first been hit by a distributed denial of service (DDoS) attack from abroad and so the New Zealand cybersecurity organization CertNZ had also given a caution in November that mails were being sent to financial firms threatening DDoS attacks except if a ransom was paid. 

The mails professed to be from a notable Russian hacking group Fancy Bear. 

Be that as it may, CertNZ said at the time 'the threat had never had never been carried out, past a 30-minute attack as a scare tactic'.

Number of Cyber Attacks from Germany Increased, says Russian Foreign Minister

In the period from 2019 to 2020, Russia registered a sufficient number of cyberattacks from Germany to Russian facilities and organizations. This was stated by Russian Foreign Minister Sergey Lavrov after talks with his German counterpart Heiko Maas. 

Moscow is concerned about the situation with cooperation with Berlin on cybersecurity. "We expressed concern to the German side about the situation in our interaction on cybersecurity,” said Lavrov.

"We noted that last year and this year a significant number of cyberattacks were registered against objects and organizations in Russia, coming from the German segment of the Internet,” said the Russian Minister said.

Recall that at the end of May, the German Foreign Ministry summoned the Russian Ambassador in Berlin, Sergei Nechaev. He was informed that the Prosecutor General's Office of Germany had put on the wanted list a Russian Dmitry Badin on suspicion of participating in a hacker attack on the Bundestag in April-May 2015. 

In addition, the Department reported that Berlin plans to activate the cyber sanctions regime against Russia because of this case. The EU cyber sanctions regime came into force in May and has not yet been applied. Restrictive measures under this regime may include asset freezes, as well as travel bans to EU countries. The imposition of sanctions requires the unanimous approval of all member countries.

The Russian Foreign Ministry said that Berlin did not provide evidence of Russia's involvement in the hacker attack, and strongly rejected the charges. As Andrei Krutskikh, Director of the Department of International Information Security of the Russian Foreign Ministry, said earlier, Moscow offers Berlin to hold consultations on cybersecurity, this would help to settle many claims.

A resurgence in DDoS Attacks amidst Global COVID-19 lockdowns


Findings of Link11's Security Operations Center (LSOC) uncovered a 97% increase in the number of attacks for the months of April, May, and June in 2020 when compared with the attacks during the same period in the previous year, with an increment of 108% in May 2020.

The annual report incorporates the data which indicated that the recurrence of DDoS attacks relied upon the day of the week and time, with most attacks concentrated around weekends of the week and evenings. 

More attacks were registered on Saturdays, and out of office hours on weekdays. 

Marc Wilczek, COO, Link11 says, “The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption. This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI, and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms...” 


Key findings from the annual report include: 

Multivector attacks on the rise: 52% of attacks consisted of a few strategies for the attack, making them harder to defend against. One attack included at least 14 techniques.

The growing number of reflection amplification vectors:: More usually utilized vectors included DNS, CLDAP, and NTP, while WS Discovery and Apple Remote Control are still being utilized in the wake of being discovered in 2019. 

DDoS sources for reflection amplification attacks distributed around the globe: The top three most significant source nations in H1 2020 were the USA, China, and Russia. Be that as it may, the ever-increasing number of attacks have been traced back to France. 

The average attack bandwidth remains high: The attack volume of DDoS attacks has balanced out at a relatively elevated level, at an average of 4.1 Gbps. In most attacks, 80% were up to 5 Gbps. The biggest DDoS attack was halted at 406 Gbps. 

DDoS attacks from the cloud: At 47%, the percentage of DDoS attacks from the cloud was higher than the entire year 2019 (45%). Instances from every single established provider were 'misused', however, the more usual ones were Microsoft Azure, AWS, and Google Cloud. 

The longest DDoS attack lasted 1,390 minutes – 23 hours and interval attacks, which are set like little pinpricks and flourish on repetition lasted an average of 13 minutes.


Google Bans Hacked Political Content Ahead of the US Elections, Implements New Google Ads Policy


The presidential elections in the US are near. Keeping this in mind, Google has announced a new policy that will ban ads that advertise hacked political content or propaganda. This new policy will come into effect from 1 September 2020, as per the news available on Google's support page. After the new rule is implemented, the third party players won't be able to purchase ad-space on Google ads, directly or indirectly linked to the hacked content of any political party.

However, ads related to news articles or other pages that contain hacked political material may be allowed. But the news article and the page shouldn't be linked to the political content in any way, says the policy. The violators of this new Google Ads policy (Ad Buyers) will first receive a warning to remove the ad from their account or face account suspension after seven days.


The policy is made observing the 2016 US Elections. 

The new Google Ads policy is made to avoid the 2016 US presidential elections scenario. As we all know, during the 2016 election campaigns in the US, the Russian hackers were able to break into the servers of various political factions associated with the Democratic Party. The breach resulted in data leaks of the Democratic party on WikiLeaks and DC leaks. The attack resulted in biased media coverage and online ads on various social media and platforms that discussed the hacked political content. Google will become the first company to make such a move when the policy is enacted on 1 September.

Twitter, in a similar incident, banned the distribution of hacked content on its platform in 2018 before the US midterm elections. It included not only political content but every other hacked material. It resulted in an unofficial ban of the ads on Twitter, as they need tweets to advertise. According to Google's policy, the following is not allowed: "Ads that directly facilitate or advertise access to hacked material related to political entities within the scope of Google's elections ads policies. This applies to all protected material obtained through the unauthorized intrusion or access of a computer, computer network, or personal electronic device, even if distributed by a third party."

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks



The Council of the European Union imposed its first-ever sanction against persons or entities engaged with different cyber-attacks focusing on European citizens and its member states. 

The sanctions imposed include a ban for people traveling to any EU nations and a freeze of assets on persons and entities. 

The order has been issued against six individuals and three entities liable for or associated with different cyber-attacks. Out of the six individuals sanctioned they include two Chinese citizens and four Russian nationals. 

The companies associated with carrying out these cyber-attacks incorporate an export firm situated in North Korea, and technology companies from China and Russia.

The entities responsible for or engaged with different cyber-attacks incorporate some publicly referred to ones as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper,' just as an endeavored cyber-attack against the organization for the prohibition of chemical weapons.




As per the European Council, the detailed of these persons or entities are: 

 1. Two Chinese Individuals—Gao Qiang and Zhang Shilong—and a technology firm, named Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for the Operation Cloud Hopper. 

 2. Four Russian nationals (also wanted by the FBI) — Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich—for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW), in the Netherlands. 

 3. A Russian technology firm (exposed by the NSA) — Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation—for the NotPetya ransomware attack in 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. 

 4. A North Korean export firm — Chosun Expo, for the WannaCry ransomware attack that made havoc by disrupting information systems worldwide in 2017 and linked to the well-known Lazarus group. 

The Council says, “Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool." 

As indicated by the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members from the APT10 threat actor group, otherwise called 'Red Apollo,' 'Stone Panda,' 'MenuPass' and 'Potassium.' 

On the other hand, the four Russian nationals were agents of the Russian Intelligence agency GRU who once expected to hack into the Wi-Fi network of the OPCW, which, if effective, would have permitted them to compromise the OPCW's on-going investigatory work.

Experts found targeted attacks by hackers from North Korea on Russia


Kaspersky Lab revealed that the well-known North Korean hacker group Lazarus has become active in Russia. The attackers attack through applications for cryptocurrency traders in order to steal data for access to the wallets and exchanges. In addition, the group collects research and industrial data.

Experts believe that hackers are particularly interested in the military-space sphere, energy and IT, and the interest in bitcoin can be explained by the need for North Korea  to bypass sanctions

The first cases of Lazarus targeted attacks on Russia appeared at the beginning of last year. According to Kaspersky Lab,  since at least spring 2018 Lazarus has been carrying out attacks using the advanced MATA framework. Its peculiarity is that it can hack a device regardless of what operating system it runs on — Windows, Linux or macOS.

According to Kaspersky Lab, the victims of MATA include organizations located in Poland, Germany, Turkey, South Korea, Japan and India, including a software manufacturer, a trading company and an Internet service provider.

Several waves of attacks have been detected this year. So, this month, Lazarus attacks were discovered in Russia, during which the backdoor Manuscrypt was used. This tool has similarities to MATA in the logic of working with the command server and the internal naming of components.

"After studying this series of attacks, we conclude that the Lazarus group is ready to invest seriously in the development of tools and that it is looking for victims around the world," said Yuri Namestnikov, head of the Russian research center Kaspersky Lab.

According to Andrey Arsentiev, head of Analytics and Special Projects at InfoWatch Group, Lazarus is one of the politically motivated groups. It is supported by the North Korean authorities and is necessary for this state: cybercrimes are committed to obtain funds for developing weapons, buying fuel and other resources. He explained that the anonymous nature of the cryptocurrency market makes it possible to hide transactions, that is, by paying for various goods with bitcoin, North Korea can bypass the sanctions,

Kaspersky Lab noted that data from organizations involved in research related to the coronavirus vaccine is currently in high demand in the shadow market.

Discovery of a New Malware Framework and Its Linkages with a North Korean Hacker Group



The discovery of a brand new malware framework and its linkages with a North Korean hacker group has heightened the panic within the digital world. Kaspersky, the cybersecurity company has already alerted the SOC groups of the discovery.

Referred to as  "MATA," the framework has been being used since around April 2018, principally to help in attacks intended to steal customer databases and circulate ransomware.

The framework itself gives its controllers the adaptability to target Windows, Linux, and macOS and comprises of a few components including loader, orchestrator, and plugins.

Kaspersky associated its utilization to the North Korean group "Lazarus”, which has been engaged for a considerable length of time in 'cyber-espionage' and sabotage and, by means of its Bluenoroff subgroup, endeavors to collect illegal funds for its Pyongyang masters.

The group was even pegged for WannaCry, just as refined attacks on financial institutions including the notorious $81m raid of Bangladesh Bank. Kaspersky senior researcher, Seongsu Park, contended that the most recent attacks connected to Lazarus display its eagerness to invest serious resources to create new malware toolsets in the chase for money and data.

“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups” he added later.

“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected.”

The security vendor encouraged the SOC teams to get to the most recent threat intelligence feeds, install dedicated security on all Windows, macOS and Linus endpoints, and to back-up regularly.

The framework seems to have been deployed in a wide variety of scenarios, focusing on e-commerce firms, software developers, and ISPs across Poland, Germany, Turkey, Korea, Japan, and India.

Russian Foreign Ministry urged whole world to abandon cyber attacks on healthcare facilities during a pandemic


Against the background of the coronavirus pandemic, Moscow calls for an end to cyberattacks on healthcare facilities and critical infrastructure. This was announced on Monday, July 20, by the Russian President's Special Representative for International Cooperation in the Field of Information Security, Director of the Department of International Information Security of the Russian Foreign Ministry, Andrei Krutskikh.

He stressed that Russia shares the opinion of many countries that the information and communication infrastructure in the health sector is needed.

"We propose to secure the obligation for states to refrain from attacks not only on medical facilities, but also in general on the critical information infrastructure of institutions that provide vital public services," said Krutskikh.

In particular, the diplomat noted the spheres of education, energy, transport, as well as banking and finance. In addition, he added that work on this will continue at the  United Nations platforms on international information security.

In addition, the Russian Ministry of Foreign Affairs offered Germany to hold consultations on cybersecurity.

"We consider it extremely important to resume a full-scale dialogue in this format with the involvement of the necessary range of experts on international information security. This will help neutralize an unnecessary irritant in our bilateral relations and transfer interaction on the issue of information security into a practical plane," said Krutskikh.

Moreover, the special representative commented on the situation with  Russian Dmitry Badin.
According to Krutskikh, Russia has offered Germany several times to hold consultations on information security, including in 2018, but the German side disrupted the planned talks.

Earlier, E Hacking News reported that the Office of the German Federal Public Prosecutor issued an arrest warrant for a Russian whom they suspect of hacking into the computer systems of the German Parliament in 2015. The publication reports that the suspect's name is Dmitry Badin, he is allegedly an officer of the GRU.  Russia repeatedly denied accusations of involvement in hacker attacks. 

Three countries have accused Russia of trying to steal data on the vaccine


The UK's National Cyber Security Center (NCSC) said that Russian hackers, led by Russian intelligence agencies, tried to steal information about the development of a coronavirus vaccine in the UK, Canada and the United States.

The report clarifies that the "cyber espionage group" APT29, or Dukes and Cozy Bear, which is "almost certainly" part of the Russian intelligence structure, has been carrying out attacks on various organizations that participated in the creation of the drug throughout the year.

According to the NCSC, hackers used malicious software WellMess and WellMail and phishing to gain access to the developers' computers. From the point of view of intelligence, many of these data were not valuable, but the stolen information can allegedly be used later or in case they become significant.

In the UK, SARS-CoV-2 vaccines are being developed by two research centers: the University of Oxford and Imperial College in London. The British media, citing information from sources in the special services, write that both organizations were “attacked by hackers”.

In turn, the Press Secretary of the Russian President Dmitry Peskov called the allegations of the British side unfounded. "We do not have information about who could have hacked pharmaceutical companies and research centers in the UK. We can say one thing - Russia has nothing to do with these attempts. We do not accept such accusations," said the Kremlin spokesman.

Hundreds of laboratories around the world are searching for a COVID-19 vaccine. The World Health Organization has said that without creating a vaccine, a pandemic cannot be defeated. Currently, nine research centers have begun clinical trials in the world. In Russia, clinical trials should begin in June. The Russian Ministry of Health expects a vaccine to appear at the end of July.
Earlier, E Hacking News reported that accusations of the British authorities against Russia of allegedly stealing coronavirus developments by Russian hackers are "typical corona - madness".

Azerbaijani hackers obtained information from the Armenian Ministry of Defense


Passport data of several hundred Armenian citizens, including military personnel, as well as documents related to the Republic's military units, were leaked to the network by Azerbaijani hackers over the past three days. This was stated by media expert and information security specialist Samvel Martirosyan on July 8.

The expert noted that over the past month personal information of Armenian citizens infected with the coronavirus was leaked to the network six times. According to him, the criminals may have much more information than they published.

This is an extremely dangerous situation because among the documents there is such information as the number of vehicles in the military unit, and passport data can be used by fraudsters to issue loans.
Martirosyan believes that Azerbaijani hackers get access to official information mainly through email, taking advantage of the low level of computer literacy of the Armenian population. A significant amount of this information is sent via personal emails, which hackers can easily hack. To solve the problem, the expert suggests developing clear instructions on how to use the information and train people.

The National Security Service (NSS) of the Republic noted that they do not have information on the last data leakage but confirmed the fact of the previous two.

Earlier it became known that Azerbaijani hackers once again posted the data of Armenian citizens infected with Covid-19. On June 24, two files with names, addresses and mobile phones were published, but without passport data. Two weeks earlier, Azerbaijani hackers distributed the data of about 3,500 Armenian citizens with confirmed coronavirus infection, as well as residents of the Republic who were in contact with patients. "The e-mail of one of the outpatient regional medical centers was hacked and there was an attempt to extract information," said the NSS.

Hackers "showed ethics" and did not attack medical services in Russia during the pandemic


During the pandemic, there were no hacker attacks on medical institutions in Russia, unlike in many countries of the world, Group-IB reported. The company believes that the hackers showed "rare ethics for our observation"

Many computer hackers during the coronavirus pandemic refused to attack the information system s of Russian medical institutions, said Ilya Sachkov, CEO of a cybersecurity company Group-IB.

According to Sachkov, attackers who launch DDoS attacks can have “professional ethics” - unlike those who create fraudulent resources for fraud. Group-IB noticed attacks on medical institutions in many countries of the world, but this did not happen in Russia: there weren’t even any announcements on hacker forums or attacks by ransomware, said Sachkov.

The head of Group-IB added that the company noticed "some rare ethics for our observation" from hackers. “As if taking into account what is happening, everyone understood that in Russia medical facilities are a matter of life or death for many people ... This, of course, is my guess, I did not communicate with hackers, but I noticed. In principle, this [attack on the hospital] would be super-moral,” added Sachkov.

In April, Group-IB reported that the pandemic had divided the hacker community: some tried to profit from people's panic, while others condemned it. Several users on hacker forums at the time urged others to stop using the coronavirus for harmful purposes. In the spring, fraudsters actively used the COVID-19 theme to trick money from the Russians. The Central Bank also noticed the problem.

In May, Group-IB said that fraudsters activated a theft scheme with online purchases and false courier services. Due to the fact that many people were self-isolated and began to actively use the services of couriers, the number of registrations of fake sites similar to the sites of real delivery services has increased several times.