
Anonymous Hacktivists Leak 180 GB of Data from Web Host Epik


One of the most prominent hacktivist groups, Anonymous, has returned. Security analysts have verified that the group's most recent attack focuses on Epik, a web host that serves alt-right customers. 

Anonymous claims to have seized gigabytes of data from Epik, which supplies domain name, hosting, and DNS services to customers including the Texas GOP, Gab, Parler, and 8chan, among many other right-wing sites. The stolen information was released as a torrent. The hacktivist group states that the data package, which is over 180 GB in size, includes a "decade's worth of data from the company." 

Epik is a web hosting and domain registrar company that caters to certain right-wing customers. It is a leading provider for organizations that other IT and service providers normally disconnect. 

"The data set is all that's needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody," said the Anonymous hackers. 

According to Ars Technica's latest report, the allegedly leaked database might enable anyone to learn the identity of Epik clients as well as other personally identifiable information. 

Anonymous's current cyber operation, named "Operation Jane," was launched in September following the passing of the Texas Heartbeat Act. The restrictive abortion law authorizes enforcement of its six-week prohibition on abortion not by government entities or the police but by private citizens: under that act, anyone who carries out or aids in facilitating an unlawful abortion can be the subject of a civil complaint demanding at least $10,000 in penalties. 

Among the data sets are several SQL databases holding client records for every domain name Epik hosts. Ars examined a small portion of the leaked data set, including an Epik mailbox containing letters from Epik CEO Rob Monster, obtained from a source. 

"We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation," an Epik representative told Ars. 

Before the attack, Anonymous defaced the Texas GOP homepage, replacing references to "Help Texas Stay Red" with "Texas: Taking voices from women to promote theocratic erosion of church/state barriers." The group also placed "donate" links to Planned Parenthood for reproductive health services.

This Aspiring Hacker was Caught in a Quite Embarrassing Manner


The US Department of Justice (DoJ) has arrested a Ukrainian citizen for using a botnet to crack people's passwords. He was caught through his alleged correspondence with vape shops in Ukraine, including an invoice bearing his home address. 

Glib Oleksandr Ivanov-Tolpintsev is accused by the Department of Justice of deploying a botnet to break passwords of targeted individuals, which he subsequently sold on the dark web. According to his indictment, Ivanov-Tolpintsev made over $80,000 from the operation. 

The press release from the DoJ reads, “During the course of the conspiracy, Ivanov-Tolpintsev stated that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week...Once sold [on the dark web], credentials were used to facilitate a wide range of illegal activity, including tax fraud and ransomware attacks.” 

On October 3, 2020, Polish police arrested Ivanov-Tolpintsev in Korczowa, Poland, and he was extradited to the United States to stand prosecution for these offenses. 

Amateur Blunders 

According to an IRS affidavit, investigators tracked down Ivanov-Tolpintsev by looking at the contents of the Gmail accounts he used to conduct his dark web activities. 

Many digital receipts from online vape shops were sent to one of these accounts, revealing Ivanov-Tolpintsev's name and contact information. 

Furthermore, Ivanov-Tolpintsev's normal email account was set as the recovery address for these accounts. Exploring the contents of his regular account revealed a plethora of personally identifying information, including passport scans and Google Photos pictures.

Because of his carelessness in separating his criminal digital identity from his physical one, the government was able to assemble enough evidence to convince a court to order Ivanov-Tolpintsev's arrest and extradition. 

Although investigators haven't revealed much about Ivanov-Tolpintsev's botnet, the case highlights the danger of depending solely on a password to protect an account. 

Since cracking passwords and auctioning them on the dark web may lead to significant attacks like the one on the United Nations, security experts have been urging organizations to implement multi-factor authentication (MFA).

1GB of Puma Data is Now Accessible on Marketo


Hackers have stolen data from Puma, a German sportswear firm, and are now attempting to extort money from the corporation by threatening to expose the stolen files on a dark web page specialized in the leaking and selling of stolen data. The Puma data was posted on the site more than two weeks ago, near the end of August. 

The publication claims that the threat actors took more than 1 GB of private information, which would be sold to the highest bidder on an unlawful marketplace, according to Security Affairs analysts. This operation appears to be devoted only to the theft and sale of private information, ruling out the possibility that it is a ransomware offshoot. 

To back up their claims, the threat actors released some sample files that, based on their structure, suggest the attackers got Puma's data from a Git source code repository. The information is now available on Marketo, a dark web platform. The platform, which was launched in April of this year, is quite simple to use. 

Users can register on the marketplace, and there is a section for victim and press inquiries. Victims are given a link to a private chat room where they can negotiate. Each individual posting on Marketo includes an overview of the company, screenshots of allegedly stolen data, and a link to an "evidence pack," also known as a proof. Sensitive data is auctioned through a blind bidding mechanism, a silent auction in which users place bids based on how much they believe the data is worth. 

Site administrators first compile a list of potential victims, then provide proof (typically in the form of a small downloadable archive) that their network has been infiltrated. If the victimised firm refuses to cooperate with the hackers, their data is exposed on the web, either for free or for VIP members only. The website claims to compile data from a variety of hacking groups but does not cooperate with ransomware gangs.

“Right now, I can say that Puma haven’t contacted us yet,” the administrator of the dark web leak portal told The Record in a conversation last week. “The rest of the data would be released if Puma will decline the negotiations,” they added.

Underground Criminals Selling Stolen Network Access to Third Parties for up to $10,000


Cybersecurity firm IntSights has published a new report that highlights the vibrant marketplaces on the dark web where attackers can buy or sell whatever they need to target an organization. 

Paul Prudhomme, a cybersecurity advisor at IntSights, analyzed several underground exchanges on Russian and English-language platforms where stolen credentials and network compromises are traded. The underground criminals sell stolen network access to third parties for up to $10,000. The prices are also influenced by location and industry.

“Some cyber-criminals specialize in network compromises and sell the access that they have obtained to third parties, rather than exploiting the networks themselves,” researchers explained. “By the same token, many criminals that exploit compromised networks — particularly ransomware operators — do not compromise those networks themselves but instead buy their access from other attackers.”

According to researchers, cybercriminal groups rarely possess a team of attackers experienced in each stage of an attack, making dark web platforms ideal to sell or buy malware payloads, hosting infrastructure, and access to abused networks. 

“In September 2020, Russian-speaking username “hardknocklife” auctioned off remote desktop protocol (RDP) access to a U.S. hospital. He mentioned as a selling point that this RDP access yielded patient records, in which he reportedly had no interest,” researchers added. 

“US patient records from healthcare organizations are a valuable resource for identity thieves and other fraudsters because they contain dates of birth, social security numbers, and other personal details that they can use for fraudulent credit applications and other malicious purposes,” they went on to say. “This seller could have mined or monetized that data himself but lacked interest in doing so, perhaps because he could be more productive as an intruder than a fraudster, or because he lacked the fraud or criminal business skills to do so.”

This access started at the low price of $500 in the auction but sold for ten times as much, $5,000. Researchers examined a sample of 46 sales of network access on underground forums between September 2019 and May 2021. The sample included 30 offerings from Russian-language forums (65%) and 16 offerings from English-language forums (35%). 

The primary target of underground criminals is the Tech & telecoms industry (22%), followed by Financial Services, Healthcare & Pharma, and Energy and Industrials, all on 19.5%. There is no surprise in these numbers. They match industry risk from other reports. What is perhaps a surprise is the emergence of automotive (9%) in fifth place.

IntSights researchers analyzed 46 separate offers to sell network access. In the majority of cases (40 out of 46), the victim's location was mentioned. North America topped the list with 37.5%, followed by Europe, Asia Pacific, and the Middle East/North Africa at 17.5% each, with Latin America at just 10%. 

“Criminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative. Prices for access to healthcare organizations also trend lower due to the perception that they are easier to compromise,” researchers concluded.

FTC Issued a Warning About Phishing Scams Involving Unemployment Benefits


Americans should be skeptical of text messages appearing to be from their state workforce agency, according to the Federal Trade Commission. Following the discovery of an SMS-based phishing effort targeting users of unemployment insurance benefits, the FTC has raised a red flag. In one year, consumers lost $57 million to phishing schemes, according to the FBI's Internet Crime Complaint Center.

"Identity thieves are targeting millions of people nationwide with scam phishing texts aimed at stealing personal information, unemployment benefits, or both," said Seena Gressin, attorney at the division of consumer and business education at the FTC. As part of the effort, several fraudulent texts are being sent out. One advises the receiver that their unemployment insurance (UI) claim requires "necessary corrections." Another instructs the target to double-check their personal details.

A targeted user who clicks on a link in one of these messages will be directed to a fake website impersonating their state workforce agency, which Gressin described as "looking very real." Instructions on the site ask the user to enter a slew of personal information, including their login credentials and Social Security number. "Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft," warned Gressin.

Scammers love to target people when they are most vulnerable, knowing that they will be more likely to fall for the trap. That is especially true for people who are unemployed and rely on unemployment benefits to get by. 

The Federal Trade Commission (FTC) disclosed the information of seven different phishing texts that are now circulating. One reads "RI-DLT Labor: This is to notify you that your Rhode Island insurance claim account is currently on hold for verification. Please complete your verification by following the instruction link below to activate your account."

"As we continue to work our way through the pandemic and associated issues, unemployment insurance has become more and more important to people unable to work when jobs that match their skills are not available," said KnowBe4 security awareness advocate Erich Kron. "With the recent rise in cases, due to the Delta variant and other factors, stress levels continue to rise for people impacted. This makes them prime candidates for attacks such as this, which threaten their only source of income."

Inadequate Payment Leads the Affiliate to Leak the Ransomware Gang's Technical Manual


A frustrated Conti affiliate has leaked the gang's training material for conducting attacks and released details about one of the ransomware operation's administrators. The leak contains the IP addresses of Cobalt Strike C2 servers and a 113 MB archive with a wide variety of training tools for ransomware attacks. 

The Conti ransomware business runs as "Ransomware-as-a-Service" (RaaS), in which the core group maintains the malware as well as the Tor sites. It has been tracked as a ransomware operation since 2020. 

Most Conti ransomware is deployed directly by an intruder who has gained access through an unsecured RDP port, a phishing email sent to an employee's computer, malicious attachments or downloads, unpatched software, or network access flaws. 

The files were recently published on an underground cybercrime forum called XSS by an individual who apparently had a grievance over the minimal money the Conti gang paid them for infiltrating corporate networks. The files, uploaded to a forum of Russian-speaking cybercriminals, contain many instruction manuals reportedly from Conti, a Russian-speaking hacking group that has attacked several healthcare organizations, including hospital chains in the U.S. and Ireland's national health system, the Health Service Executive. 

Under this model the core team receives 20-30 percent of the ransom payment, while the affiliates earn the balance. The affiliate said he had shared the information because he had been paid only $1,500 for an operation while the rest of the gang made millions and promised enormous payouts once a victim pays the ransom. 

In one of the step-by-step tutorials, published in Russian, participants are told to locate and compromise victims using a tool identified as Cobalt Strike. The instructions state that the first stage is to use Google to look up the likely revenue of a target company. Hackers are then directed to locate staff accounts with administrative access at the firm and shown how to use this access to deploy ransomware that encrypts the network and to demand a ransom for its decryption. 

"The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous, and experienced they are while targeting corporations worldwide," says Advanced Intel's Vitali Kremez, who has already analyzed the archive. "It also provides a plethora of detection opportunities, including the group's focus on AnyDesk persistence and Atera security software agent persistence to survive detections."

The Russian Federation submitted to the United Nations the world's first draft convention against cybercrime

The Prosecutor General's Office of the Russian Federation reported that Russia has submitted to the UN the world's first draft convention on countering cybercrime and the criminal use of cryptocurrency.

Recall that last year an interdepartmental working group on combating information crime was established, one of whose main tasks was to develop a draft universal comprehensive international convention on combating the use of information and communication technologies for criminal purposes.

The draft has a number of advantages. It takes into account modern challenges and threats in the field of international information security, including the criminal use of cryptocurrency, and introduces new categories of crimes committed using information and communication technologies.

It is stressed that Russia was the first country to develop and submit to the special committee a draft convention on combating information crimes.

"Today cyber attacks are as much a weapon of mass destruction as a tactical nuclear weapon. Infrastructure, from the fuel supply to the water supply, can be stopped in an entire city. The settlement will be paralyzed with zero casualties. Thus, I would call cyberattacks bloodless killers, they do not set themselves the goal of destroying the population but simply teleport this population, in fact, to the Stone Age,” commented on the news the State Duma deputy Ruslan Balbek.

According to him, the Russian draft convention is timely and relevant.

In March, the President of Russia Vladimir Putin announced an increase in the number of crimes in the IT-sphere. He pointed out that over the past six years, the number of such crimes has increased 10 times.

Earlier, E Hacking News reported that the Russia-US summit was held in Geneva on June 16. Summing up the negotiations, Vladimir Putin said that the sides would start consultations on cybersecurity.

Russia Based Company, DDoS – Guard gets Targeted by Cybercriminals


Leaked data offered for sale on cybercrime forums and marketplaces appears so frequently that it is essentially unremarkable, apart from the choice of victim. However, such leaks may reveal that a site or service has been compromised, possibly without its operators being any the wiser. 

One such prospective victim is DDoS-Guard, an apparently Russian company that protects against distributed denial-of-service attacks. The company's supposed client data was put up for sale on a cybercrime forum. 

DDoS-Guard is a Russian Internet infrastructure company offering DDoS protection, content delivery network services, and web hosting services. 

On the 26th of May, a user put "the full dump on the popular online DDoS-Guard service" up for auction on Exploit.in, with an opening price of $500,000 and a "buy it now" blitz price of $1.5 million. Later, the auction was restarted at $350,000. 

Singapore-based cybersecurity firm Group-IB reports that beyond DDoS defenses, "DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling and copyright infringements." 

"We've seen several rogue websites hosted by DDoS-Guard," says Reza Rafati, a senior analyst at Group-IB's CERT-GIB incident response unit in Amsterdam. "They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn't do any good for the global effort against cybercrime." 

The DDoS-Guard customer database listed "all info such as name, site, real IP, payment info, etc." in the Exploit.in leak. The user claimed that several renowned websites, including RuTracker.org, which is a BitTorrent Russian tracking service, are also featured on the client list. The listing says that the DDoS-Guard "infrastructure, backend, front end, and network filtering/blocking" are all included in the sale. 

A DDoS-Guard Spokesperson nevertheless rejected the Exploit.in claims of the seller. "We are aware that malefactors are trying to sell a certain database. Our company has not experienced any data leaks," Ruvim Shamilov, DDoS-Guard's PR manager, stated. 

Sites attributed to DDoS-Guard by the domain and IP address service SecurityTrails include Hamas, the Palestinian militant party that rules Gaza, as well as numerous look-alike domain names potentially used by fraudsters, such as "bitdefender-centrals.com," "nortoncomsetupz.com" and "garmin-express.support." 

Depending on who gets their hands on the client database dump, it may soon be possible to identify anyone who has been operating sites on DDoS-Guard's service. Law enforcement agencies are probably already informed, says cybersecurity expert Alan Woodward. 

"Anything that is done at scale, and particularly where it is crime as a service, is bound to attract the attention of the police," says Woodward. In addition to finding ways to interrupt services connected with illegal activity, law enforcement organizations have shown themselves to follow users of the service.

Email Fatigue Elevates Cyber Crime Rates


According to research, email is indeed the most preferred medium of communication by almost 86 percent of professionals. Whilst the average office employee gets 121 e-mails a day and sends roughly 40 business e-mails, Radicati Group's 2017 study reports that 269 billion e-mails are sent daily to just over 3.7 billion e-mail users worldwide. Consequently, cyber-attacks based on email are also sky-rocketing. 

Furthermore, because of the broad shift to working from home during the pandemic, more vital data is communicated through email than ever. Users can receive hundreds of emails every day, and screening them takes time and effort. 

Given the rising volume, it is no surprise that email fatigue is growing. Unfortunately, this exhaustion will make it easier for people to click a harmful e-mail, which explains why 94 percent of malware is currently sent by email. 

Email fatigue is a word used to describe a condition where email users feel overwhelmed with the emails they receive. This can often lead to unsubscriptions, low commission rates, or even a large number of spam reports. 

However, while spam is an old-school approach, hackers still use it for nefarious purposes. Fake unsubscribe links are a strategy cybercriminals employ to refine their mailing lists and validate email addresses: whenever a user clicks such a link in a spam email, the spammer learns that the address is correct, active, and regularly checked. From there the user can receive further malicious payloads by email. 

Notable phishing attacks include the one on Five Rivers Health Centers in Dayton, Ohio, where 155,000 patients' details were exposed for two months owing to an email phishing attack. And in 2020, Her Majesty's Revenue and Customs (HMRC) in the UK investigated over 10,000 phishing scams exploiting common coronavirus concerns. 

Successful spear phishing accounts for 95 percent of attacks on enterprise networks. The co-founder of the Australian hedge fund Levitas Capital was the target of a whaling attack, a form of spear phishing, in November 2020. Although it cost the company $800,000, a little below the initially anticipated 8 million dollars, it also resulted in the loss of the hedge fund's largest customer. In the end, the company had to close permanently. 

In 2019, a cybersecurity investigation indicated that 26 percent of global firms had been compromised by one to ten business email compromise (BEC) attacks. Recent BEC attacks include: 

  • Shark Tank host Barbara Corcoran, who lost $380,000; 
  • the Puerto Rican government, which lost $4 million; 
  • Japan's media powerhouse Nikkei, which sent $29 million following instructions in a bogus email.

Cyber-crime members constantly improve their email methods by playing with the emotions of a victim: causing fear, manipulating greed, benefiting from the curiosity of the individual, asking for help, or encouraging users to feel comfortable. This strategy is frequently employed by ransomware-as-a-service attackers. 

A one-and-done strategy never works when it comes to email security. Malware can slip past a single defense, so a solution must include several protective layers; if malware defeats one layer, a subsequent layer stops it. 

A multi-layered approach paired with Acronis Cyber Protect technologies, including URL filtering, can prevent harmful domains and malware downloads from affecting systems in the first place.

Experts Said How Cybercriminals Make Money on Russian Gamers

One of the most popular fraud schemes involves buying or selling an account in online games. An attacker can offer an account, but after transferring funds for it, the buyer does not get access to it.

Experts advise using specialized platforms for buying and selling an account, which charge a commission of about 10% for their services.

If there is no such platform, but there is a forum dedicated to the game, the expert advises studying the other user's account and rating on the forum as thoroughly as possible before selling or buying.

Gamers can also be deceived when buying expensive computer components, for example, video cards. Scammers create copies of popular online stores, in which the cost of components will be declared 2-3 times lower than the market price. The buyer most likely will not be able to return the money.

Another method of fraud involves the purchase of expensive goods, such as a game console, through a private classifieds service. In this case, the buyer is asked to open an e-wallet on one of the legitimate services; a virtual card supposedly linked to this account is used to make the payment.

The client transfers money to the wallet and informs the seller, after which he receives an SMS message with the virtual card data. However, the notification does not come from the service's number but from the scammers' phone. So the gamer makes the transfer to the scammers and is left without money or the desired product.

Another method of fraud is connected with watching streams of other gamers. Scammers copy the broadcasts of famous players and add banners with ads for easy earnings to the video. By clicking on them, people get to the resources of scammers, where they lose money by providing their bank card details.

According to the expert, the solution to the problem in the game world could be the active development and use of escrow services, as it is used when selling domain names on the Internet.

Kaspersky: the most malicious hackers speak Russian

Kaspersky said that the most professional, most aggressive espionage attacks are carried out by those who speak English, Russian and Chinese.

As for the most professional cybercrime groups, they almost all speak Russian, "because the best programmers in the world also speak Russian," he noted, explaining the difference between cybercrime and cyber espionage, that is, hackers who work for the state.

"The Soviet, Russian education system produces the most intelligent programmers in large numbers. The most malicious cybercriminals graduated from the same universities as the most professional programmers who work as white hat hackers," Kaspersky said.

The second factor explaining the abundance of Russian-speaking cybercrime groups is that English-speaking cybercriminals are quickly found and punished in the United States.

"There were criminal groups in the United States, in other countries, but they were almost liquidated. This is explained very simply. Where is the most money? In the USA. Who are the American criminals attacking? Their own. And they are immediately taken on their own territory. Who are the Russian-speaking groups attacking? Again, America. All. It's just the economy," Kaspersky said.

According to Mr. Kaspersky, that is why it is completely ineffective to fight cybercrime by the forces of disunited cyber police units.

"Cybercriminals commit crimes on the Web, where there are no borders. Police units act only in their own territory," Kaspersky added.

He believes that international cooperation, which currently works very poorly, is needed to solve this problem.

Kaspersky recalled that cooperation between different countries on cybersecurity issues has been built for several years, its peak occurred in 2015-2016. Then there was a fairly successful joint police operation of Russia, the U.S. and some European countries against the high-profile international cyber gang Carbanak.

NATO's Cloud Platform Hacked


The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer, explained the benefits of the program: "This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce operational costs by ensuring a much greater reuse of deployed capacities." 

The hackers who carried out the attack said they had no idea they could take advantage of a flaw in the NATO platform at first. Furthermore, they concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. One of the secure NATO systems was among Everis' subsidiaries, much to their astonishment. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Phishing Campaign that Imitates Legitimate WeTransfer Applications


The Cofense Phishing Defense Center (PDC) has discovered an ongoing phishing campaign that uses bogus websites to impersonate official WeTransfer applications. Threat actors use this to get past secure email gateways (SEGs) and trick users into providing their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because of the service's popularity, consumers may underestimate the email's threat level. Threat actors have recreated this site in order to lure unwary recipients into clicking a malicious link that takes them to a phishing website, where they are asked to hand over their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the apparent legitimacy of the email address. The threat actors have gone to great lengths to spoof the sender address so that recipients believe the email came from the genuine WeTransfer domain, "@wetransfer.com." Spoofing the sender address is the most prevalent tactic phishing campaigns use to gain user trust. The Message-ID header, however, specifies a different domain: @boretvstar[.]com, which has nothing to do with WeTransfer. Furthermore, analysts discovered that boretvstar[.]com is for sale and resolves to an error page that reads, "This site can't be reached."
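One defensive check that the header mismatch above suggests, as an added example that is not part of the Cofense report or of this post: parse the message headers and flag any Message-ID or Return-Path whose domain is neither the From domain nor one of its subdomains. The sample messages are constructed; only the two domains (wetransfer.com and boretvstar.com, written un-defanged so the header parser accepts them) come from the report, and the Return-Path, Date, recipient and body are assumptions.

```python
"""Flag sender-domain mismatches between From, Message-ID and Return-Path."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign; everything except the two
# domains is an assumption, not the report's actual message.
SAMPLE_PHISH = """\
From: WeTransfer <noreply@wetransfer.com>
To: victim@example.com
Subject: Pending files will be deleted shortly
Message-ID: <20210901120000.12345@boretvstar.com>
Return-Path: <bounce@boretvstar.com>
Date: Wed, 01 Sep 2021 12:00:00 +0000

Get your files: https://example.invalid/get-your-files
"""

# Constructed benign sample: every header domain belongs to the sender's org.
SAMPLE_CLEAN = """\
From: WeTransfer <noreply@wetransfer.com>
To: user@example.com
Subject: You received files
Message-ID: <abc123@mail.wetransfer.com>
Return-Path: <bounce@mail.wetransfer.com>

Files are ready.
"""


def address_domain(header_value):
    """Domain part of an RFC 5322 address header such as 'Name <user@dom>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def message_id_domain(header_value):
    """Domain part of a Message-ID; it is '<local@domain>', not an address."""
    mid = (header_value or "").strip().strip("<>")
    return mid.rsplit("@", 1)[1].lower() if "@" in mid else ""


def same_org(dom_a, dom_b):
    """True when one domain equals, or is a subdomain of, the other."""
    return (dom_a == dom_b
            or dom_a.endswith("." + dom_b)
            or dom_b.endswith("." + dom_a))


def sender_domain_mismatches(raw_message):
    """Return (from_domain, [(header, domain), ...]) for every checked header
    whose domain does not belong to the From domain's organisation."""
    msg = message_from_string(raw_message)
    from_dom = address_domain(msg.get("From"))
    checks = [
        ("Message-ID", message_id_domain(msg.get("Message-ID"))),
        ("Return-Path", address_domain(msg.get("Return-Path"))),
    ]
    findings = [(name, dom) for name, dom in checks
                if dom and from_dom and not same_org(dom, from_dom)]
    return from_dom, findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        from_dom, findings = sender_domain_mismatches(raw)
        print(label, from_dom, findings or "no mismatch")
```

The check is deliberately narrow: a Message-ID on a different domain is not proof of spoofing (some mail relays rewrite it), so it is best treated as one signal to combine with SPF, DKIM and DMARC results rather than as a block rule on its own.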

It is evident that the threat actors went to great lengths to resemble the official WeTransfer page as closely as possible. On closer examination, however, the researchers found that the Apple and Google logos are missing from the login buttons, and the page's URL does not match WeTransfer's. 

In the final stage of the attack, clicking the button sends the user to a fake WeTransfer page. To download the shared file, the user must first provide their credentials. The login form on the phishing landing page is prepopulated with the user's email address. After entering the password, the user is shown a failed-login message, a frequent tactic used by threat actors. 

In recent weeks, the PDC has seen over 40 identical campaigns reported by users trained to spot suspicious emails across all of its customers' environments. This phishing campaign is designed to get past SEGs by impersonating a legitimate file-sharing platform.

Extortion Emails by Bogus DarkSide Gang Target Energy and Food Industry

 

In bogus extortion emails sent to firms in the energy and food industries, threat actors impersonate the now-defunct DarkSide ransomware operation. DarkSide ransomware first hit business networks in August 2020, demanding millions of dollars in exchange for a decryptor and a pledge not to reveal stolen data. 

Following the gang's attack on Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrust into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law enforcement, DarkSide abruptly shut down its operations in May for fear of arrests. 

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has hit a few targets every day since then. The threatening emails were sent to the generic email accounts of a few firms. The Bitcoin wallet address at the bottom of the email is the same for every target. None of the wallets has received or sent any Bitcoin payments. No actual attack has been linked to the emails, and no new targets have been discovered. 

The researchers discovered that, in addition to sending targeted emails, the same attacker had filled in contact forms on many companies' websites. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node. 

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

On Thursday, researchers unveiled a new cyber espionage group behind a series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices such as web servers to carry out various operations, including moving laterally across the network to deploy a custom implant called Turian, which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unpatched flaws to deploy the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims include the foreign ministries of several African countries as well as of countries in Europe, the Middle East, and Asia. Telecom carriers in Africa and in at least one Middle Eastern country have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group that Kaspersky tracks as "CloudComputating."

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso, which was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan in the same timeframe as BackdoorDiplomacy.

Operation Trojan Shield a Success: The FBI and Australian Officials

 

More than 800 suspects, 8 tonnes of cocaine as well as more than $48 million have been captured in a large worldwide sting operation involving sixteen countries, including the US, officials revealed on Tuesday 8th of July.

According to Europol, the European Union law enforcement agency, the FBI and Australian law enforcement established and operated an encrypted device company, named ANOM, which was then used to gain access to organized criminal networks in over 100 nations. 

The ANOM app allowed police officers to monitor drug smuggling, money laundering, and even assassination plots that had been discreetly discussed among the offenders. 

Drug gangs and those linked to the mafia were the targets. The operation, which took place in more than a dozen nations, resulted in the seizure of the offenders' drugs, firearms, luxury automobiles, and cash. 

“Operation Trojan Shield is a shining example of what can be accomplished when law enforcement partners from around the world work together and develop state of the art investigative tools to detect, disrupt and dismantle transnational criminal organizations,” said Calvin Shivers, the assistant director of the FBI’s Criminal Investigative Division in a press conference in The Hague, Netherlands. 

Australian Prime Minister Scott Morrison said the operation had "struck a heavy blow against organized crime" around the world. 

The FBI set up a network of encrypted devices named ANOM and disseminated them throughout the criminal underworld via the chat app. The operation came about after law enforcement agencies took down two other encrypted platforms, leaving criminal gangs in the market for new secure phones. 

Initially, the devices were used by alleged senior criminals, which gave other offenders confidence in the platform. 

Van der Berg added that the users of the network had talked in 45 languages about drug trafficking, arms and explosives, armed robbery, contract assassinations, and more. 

Australian fugitive and suspected drug trafficker Hakan Ayik was vital to the sting because, after being provided a phone by undercover detectives, he relentlessly recommended the app to criminal associates, authorities said. 

Beyond the drug, weapons, and money arrests and seizures, officials added that the operation prevented over 100 threats to life. Access to the networks also allowed law enforcement agencies to see images of hundreds of tonnes of cocaine concealed in fruit and canned goods. Authorities indicated that they moved to make these large arrests because the illicit enterprises had gained critical strength. 

Australian Prime Minister Scott Morrison said in a press conference Tuesday that the operation "struck a heavy blow against organized crime — not just in this country, but one that will echo around organized crime around the world."

How Cybercriminals Are Hacking ATMs: Here's a Quick Look

 

Security researchers have published a report on the modus operandi of cybercriminals who use malware, a key bought on eBay, and a Raspberry Pi to hack ATMs. Here's how they do it. 

The Modus Operandi

Cybercriminals exploit vulnerabilities in the operating system of the computer that runs the ATM. Unfortunately, the operating system inside the computer isn't as secure as the enclosure the computer sits in. Windows 7 is the most common operating system, but Windows XP is also widely used. These are outdated operating systems that should have been retired long ago. 

Threat actors purchase malware packages from the dark web to exploit the vulnerabilities in these operating systems and to interact with the ATM software. Some of the malware packs contain compromised proprietary software belonging to ATM manufacturers.

Before hacking the ATM, cybercriminals scope out the ATMs in a city and target the ones with the highest use. Attacks are typically planned for days such as Black Friday or Valentine's Day, when ATMs are loaded with up to 20 percent more money than usual. ATMs are also loaded with extra money in the weeks leading up to Christmas, because many people receive their yearly or Christmas bonus in their pay.

Choice of ATM Brands and Malware Installation 

The popular names in ATM manufacturing are Diebold Nixdorf, Wincor Nixdorf, NCR, Triton, and Hitachi-Omron. Cybercriminals are very specific in their targets because knowledge of the ATM hardware lets them buy the appropriate malware and the appropriate key to open the ATM enclosure.

The USB ports on ATMs are restricted and will only accept a connection from a keyboard or a mouse; this is to allow service technicians to perform maintenance on the units. The attacker loads the malware onto a Raspberry Pi and adds a battery so that it can run as a portable unit. The malware is written in a way that convinces the ATM that the Raspberry Pi is a keyboard. Stored commands tumble out of the Raspberry Pi into the ATM, and the ATM dutifully follows them. 

Another way is to insert a USB memory stick into the ATM and reboot it from an operating system on the memory stick. Once the ATM has booted, threat actors can install the malware directly into the ATM's now-dormant operating system. When they reboot the ATM into its regular operating system, they can control the malware by inserting a specially created card or via a secret key combination on the ATM's keypad.

Darkside Ransomware Gang Received Nearly $5 Million as the Extortion Amount from the Victims of Colonial Pipeline Attack

 

Security experts at London-based blockchain analytics firm Elliptic identified the bitcoin wallet used by the ransomware group responsible for the Colonial Pipeline attack, along with the extortion payments it received from victims. 

According to a report from blockchain analytics firm Elliptic, the ransomware gang Darkside received a ransom payment of 75 Bitcoin, or roughly $5 million, made by Colonial Pipeline on May 8 following the cyberattack on its operations.

The cyberattack on Colonial Pipeline led to widespread fuel shortages in the U.S. and has been described as the worst cyberattack on critical U.S. infrastructure to date. 

Security researchers first spotted the ransomware gang's operation in August 2020, and nearly nine months later, in May 2021, the FBI confirmed the role of the DarkSide ransomware gang in engineering the attack on Colonial Pipeline.

In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets. According to DarkTracer, 99 organizations have been attacked with the DarkSide malware, indicating that almost half of DarkSide victims paid a ransom and that the average payment was $1.9 million. DarkSide says it targets only big companies and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, the public sector, and non-profits. 

The firm also discovered a ransomware bitcoin payment made by Brenntag, a large chemical distribution company in Germany, totaling roughly $4.4 million. The group's wallet has been active since March 4, 2021, and has received 57 payments from 21 different wallets, according to Elliptic.

DarkSide and other ransomware groups have engineered the ransomware-as-a-service model, in which the designers of the malware effectively outsource the actual hacking and infecting of a target and then split whatever ransom comes in. The practice has democratized ransomware, allowing less experienced cybercriminals to get in on the scheme without any technical knowledge. 

"In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organization. This new business model has revolutionized ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organization," Elliptic said.

FBI Analyst Charged for Stealing National Security Documents

 

An FBI employee with a top-secret security clearance has been indicted on charges that she illegally stored several national security documents and other national security information at home over more than a decade, the Justice Department stated on Friday. 

Kendra Kingsbury, a 48-year-old from Dodge City, Kansas, is accused of taking a range of materials between 2004 and 2017, many of which were marked secret because they discussed intelligence sources and methods containing information about operatives such as a suspected associate of Osama bin Laden. The files were from 2005 and 2006, when bin Laden, who engineered the Sept. 11 terrorist attacks, was alive and on the run from U.S. forces. 

The grand jury indictment, filed in the Western District of Missouri, alleges that Kingsbury illegally removed documents she was granted access to at work and stored them at home. She is charged with two counts of gathering, transmitting, or losing defense information, a felony that carries a maximum sentence of 10 years.

“The documents include information about al-Qaeda members on the African continent, including a suspected associate of Usama bin Laden,” the indictment reads. “In addition, there are documents regarding the activities of emerging terrorists and their efforts to establish themselves in support of al-Qaeda in Africa.” 

Though Kingsbury held a top-secret security clearance and was assigned to squads covering a range of crimes and threats, she did not have a “need to know” the information in most of the documents, prosecutors say. However, the indictment does not provide a reason for why Kingsbury mishandled the documents, nor does it accuse her of having transmitted the information to anyone else. The Justice Department declined to elaborate beyond the indictment on Friday.

“As an intelligence analyst for the FBI, the defendant was entrusted with access to sensitive government materials. Insider threats are a significant danger to our national security, and we will continue to work relentlessly to identify, pursue and prosecute individuals who pose such a threat,” John Demers, assistant attorney general for the Justice Department’s National Security Division, said in a statement.

In 2018, the FBI collaborated with the Office of the Director of National Intelligence to set up an updated framework meant to guide the U.S. government’s National Insider Threat Task Force (NITTF). Last month the NITTF issued an advisory on protecting against insider threats to critical infrastructure entities, including those with work touching on the U.S. electric grid, telecommunications networks, and hospitals.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash

 

According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian group set out to defraud users of digital platforms such as Uber, Lyft, and DoorDash, among others. According to authorities, the group used fake IDs to create driver or delivery accounts on these platforms in order to sell them to people who did not qualify under the companies' policies. 

The scam may also have involved GPS spoofing tools to trick the platforms into recording longer trips and paying out more money. Furthermore, the Department of Justice (DOJ) states that the organization began operations in 2019 and expanded them after the pandemic paralyzed many restaurants and supermarkets. 

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The group rented out driver accounts on a weekly basis, according to court records. A ride-hailing driver account cost between $250 and $300 per week, while a food delivery account cost $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during its investigation. 

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian nationals so far, and has revealed that six members of the fraud ring are still on the run. The Department of Justice announced a second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still at large and believed to be in Brazil.