
NATO's Cloud Platform Hacked


The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer, explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities”. 

The hackers who carried out the attack said that, at first, they had no idea a flaw in the NATO platform was within their reach. They had concentrated solely on Everis' corporate data in Latin America, even as NATO announced it was ready to respond to a cyber-attack. To their astonishment, one of NATO's secure systems turned up among the assets of Everis' subsidiaries. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Phishing Campaign that Imitates Legitimate WeTransfer Applications


The Cofense Phishing Defense Center (PDC) has discovered an ongoing phishing campaign that uses bogus websites to impersonate official WeTransfer applications. Threat actors use this to get past secure email gateways (SEGs) and trick users into handing over their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because the service is so popular, recipients may underestimate the risk of an email that appears to come from it. Threat actors have imitated the site to lure unwary recipients into clicking a malicious link that takes them to a phishing page, where they are asked to hand over their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the apparent legitimacy of the email address. The threat actors have gone to great lengths to spoof the sender address so that recipients believe the email came from the genuine WeTransfer domain, "@wetransfer.com". Spoofing the sender address is the most prevalent tactic phishing campaigns use to gain user trust. The domain specified in the Message-ID header, however, is @boretvstar[.]com, which has nothing to do with WeTransfer. Furthermore, analysts found that boretvstar[.]com is for sale and resolves to an error page that reads, “This site can't be reached.”

It's evident that the threat actors went to great lengths to resemble the official "WeTransfer" page as closely as possible. However, upon closer examination, the researchers found that Apple and Google logos are missing from the login buttons, and the URL does not match the actual URL. 

When the user clicks the button in the last stage of the attack, they are sent to a fake WeTransfer page. To download the shared file, the user must first provide their credentials. The login field on the phishing landing page is prepopulated with the user's email address. After the password is entered, the user is shown a failed-login message, a common tactic used by threat actors so that the victim retypes the password and suspects nothing. 

In recent weeks, the PDC has seen over 40 near-identical campaigns reported across its customers' environments by users trained to spot suspicious emails. This phishing campaign is designed to get around SEGs by impersonating a legitimate file-sharing platform.
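The two header inconsistencies the post describes, a From address at wetransfer.com but a Message-ID minted at an unrelated domain, and a "Get your files" link pointing off-brand, are exactly the checks a mail-triage script can automate. The following is an added example, not code from the post or from Cofense. The sample message is constructed for the example; the Message-ID domain reuses the post's own indicator (boretvstar[.]com, refanged so it parses), while the link host `files-wetransfer-login.example` is a placeholder.

```python
"""Header-consistency checks for a suspected brand-impersonation email."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample message (not a real capture). The Message-ID domain is the
# indicator named in the post; the link host is an invented placeholder.
SAMPLE_EMAIL = """\
From: WeTransfer <noreply@wetransfer.com>
To: victim@example.org
Subject: Pending files will be deleted shortly
Message-ID: <20210712093000.12345@boretvstar.com>
Content-Type: text/html

<p>You have 3 files waiting.</p>
<a href="http://files-wetransfer-login.example/dl?id=42">Get your files</a>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def domain_of_address(header_value):
    """Lowercase domain of an address header such as From, or '' if absent."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def domain_of_message_id(header_value):
    """A Message-ID has the form <local-part@domain>; return the domain."""
    inner = (header_value or "").strip().strip("<>")
    return inner.rpartition("@")[2].lower()


def registered_domain(host):
    """Crude brand comparison on the last two labels (e.g. wetransfer.com).
    Sufficient for the demo; a gateway would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def host_of_url(url):
    match = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def analyze(raw_message):
    """Return a list of findings; an empty list means the headers are consistent."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of_address(msg.get("From"))
    mid_dom = domain_of_message_id(msg.get("Message-ID"))
    # Finding 1: the Message-ID was generated by a host outside the sender's domain.
    if from_dom and mid_dom and registered_domain(from_dom) != registered_domain(mid_dom):
        findings.append(f"Message-ID domain {mid_dom} does not match From domain {from_dom}")
    # Finding 2: a call-to-action link leads somewhere other than the claimed brand.
    for url in HREF_RE.findall(msg.get_payload()):
        host = host_of_url(url)
        if host and registered_domain(host) != registered_domain(from_dom):
            findings.append(f"link host {host} is off-brand for sender {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

A genuine WeTransfer notification would produce no findings, because its Message-ID and links share the sender's registered domain; the constructed sample yields two. Neither check alone proves phishing (mailing-list relays legitimately rewrite Message-IDs), which is why the function returns reasons for an analyst rather than a verdict.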

Extortion Emails by Bogus DarkSide Gang Targets Energy and Food Industry


In bogus extortion emails sent to firms in the energy and food industries, threat actors impersonate the now-defunct DarkSide ransomware operation. DarkSide ransomware first hit business networks in August 2020, demanding millions of dollars in exchange for a decryptor and a pledge not to publish stolen data. 

Following the ransomware gang's attack on the Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrown into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law officials, DarkSide abruptly shut down its operations in May for fear of being arrested. 

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has hit a few targets every day since then. Threatening emails were sent to the generic email accounts of a few firms. The Bitcoin wallet at the bottom of the email is the same for every target. None of the wallets have received or sent any Bitcoin payments. No actual attack has been linked to the emails, and no new targets have been discovered. 

The researchers discovered that the same attacker had filled contact forms on many companies' websites in addition to sending targeted emails to them. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node. 

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.

New Cyber Espionage Group Targeting Ministries of Foreign Affairs


Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely exploiting unpatched flaws to deploy the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating."

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan in the same timeframe as BackdoorDiplomacy.

Operation Trojan Shield a Success: The FBI and Australian Officials


More than 800 suspects, 8 tonnes of cocaine, and more than $48 million have been seized in a large worldwide sting operation involving sixteen countries, including the US, officials revealed on Tuesday 8th of July.

According to Europol, the European Union law enforcement agency, the FBI and Australian law enforcement established and operated an encrypted-device company, named ANOM, which was then used to gain access to organized criminal networks in over 100 nations. 

The ANOM app allowed police officers to track drug smuggling, money laundering, and even assassination plans that had been discreetly circulated among the offenders. 

Drug gangs and those linked to the mafia were the targets. The operation, which took place in more than a dozen nations, resulted in the seizure of the offenders' drugs, firearms, luxury automobiles, and cash. 

“Operation Trojan Shield is a shining example of what can be accomplished when law enforcement partners from around the world work together and develop state of the art investigative tools to detect, disrupt and dismantle transnational criminal organizations,” said Calvin Shivers, the assistant director of the FBI’s Criminal Investigative Division in a press conference in The Hague, Netherlands. 

Whereas Australian Prime Minister Scott Morrison said the operation had "struck a heavy blow against organized crime" around the world. 

The FBI started by building a network of secure devices named ANOM and distributing them throughout the criminal world, with the chat app as the selling point. The operation came about when law enforcement agencies took down two other encrypted platforms, leaving criminal gangs in the market for new secure phones. 

Initially, the devices were used by alleged senior criminals, which gave other offenders confidence in the platform. 

Van der Berg added that the users of the network had talked in 45 languages about drug trafficking, arms and explosives, armed robbery, contract assassinations, and more. 

Australian fugitive and suspected drug trafficker Hakan Ayik was vital to the sting because, after being supplied with a phone by undercover detectives, he relentlessly recommended the app to his criminal associates, authorities said. 

Officials added that, beyond the drug, weapons, and money arrests and seizures, the operation prevented over 100 threats to life. Access to the criminals' networks also let law enforcement agencies see images of hundreds of tonnes of cocaine concealed in fruit and canned goods. Authorities indicated that they launched these large-scale arrests because the illicit enterprises had gained critical strength. 

Australian Prime Minister Scott Morrison said in a press conference Tuesday that the operation "struck a heavy blow against organized crime — not just in this country, but one that will echo around organized crime around the world."

How Are Cybercriminals Hacking ATMs? Here's a Quick Look


Security researchers have published a report on the modus operandi of the cybercriminals who are using malware, a key from eBay, and a Raspberry Pi to hack ATMs. Here’s how they’re doing it. 

The Modus Operandi

Cybercriminals exploit vulnerabilities in the operating system of the computer that runs the ATM. Unfortunately, the operating system inside the computer isn't as secure as the enclosure the computer sits in. Windows 7 is the most common operating system; however, Windows XP is also widely used. These are outdated operating systems that should have been retired a long time ago. 

Threat actors purchase malware packages from the dark web to exploit the vulnerabilities in these operating systems and to interact with the ATM software. Some of the malware packs contain compromised proprietary software belonging to ATM manufacturers.

Before hacking an ATM, cybercriminals survey the ATMs in a city, and the ones with the highest use are targeted. Attacks are typically planned for days such as Black Friday or Valentine's Day, when ATMs are loaded with up to 20 percent more money than usual. ATMs are also loaded with extra money in the weeks leading up to Christmas, because many people receive their yearly or Christmas bonus in their pay.

Choice of ATM Brands and Malware Installation 

The popular names in ATM manufacturing are Diebold Nixdorf, Wincor Nixdorf, NCR, Triton, and Hitachi-Omron. Cybercriminals are very specific in their targets because the knowledge of ATM hardware helps threat actors to buy the appropriate malware and the appropriate key to open the ATM enclosure.

The USB ports on ATMs are restricted and will only accept a connection from a keyboard or a mouse. This is to allow service technicians to perform maintenance on the units. The attackers load the malware onto a Raspberry Pi and add a battery so that it can run as a portable unit. The malware is written in a way that convinces the ATM that the Raspberry Pi is a keyboard. Stored commands tumble out of the Raspberry Pi into the ATM, and the ATM dutifully follows them. 

Another way is to insert a USB memory stick into the ATM and reboot it off an operating system in the memory stick. When the ATM has booted, threat actors can install the malware directly into the ATM’s currently dormant operating system. When they reboot the ATM using its regular operating system they can control the malware by inserting a specially created card, or via a secret key combination on the ATM’s keypad.

Darkside Ransomware Gang Received Nearly $5 Million as the Extortion Amount from the Victims of Colonial Pipeline Attack


Security experts at London-based blockchain analytics firm Elliptic discovered the bitcoin wallet used by the ransomware group responsible for the Colonial Pipeline attack and the extortion amount received from victims. 

According to a report from blockchain analytics firm Elliptic, the ransomware gang Darkside received a ransom payment of 75 Bitcoin, or roughly $5 million, made by Colonial Pipeline on May 8 following the cyberattack on its operations.

The cyberattack on Colonial Pipeline led to widespread fuel shortages in the U.S. and has been described as the worst cyberattack on critical U.S. infrastructure to date. 

Security researchers first spotted the ransomware gang’s operation in August 2020 and nearly after 9 months in May 2021, the FBI confirmed the role of the Darkside ransomware gang in engineering the attack on Colonial Pipeline.

In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, emerging from 47 distinct wallets. According to DarkTracer, 99 organizations have been attacked with the DarkSide malware – indicating that almost half of DarkSide victims paid a ransom and that the average payment was $1.9 million. DarkSide says it targets only big companies and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector, and non-profits. 

The firm also discovered a ransomware bitcoin payment made by Brenntag, a large chemical distribution company in Germany, totaling roughly $4.4 million. The group's wallet has been active since March 4, 2021, and has received 57 payments from 21 different wallets, according to Elliptic.

DarkSide and other ransomware groups have engineered the ransomware-as-a-service model, where the designers of the malware can effectively outsource the actual hacking and infecting of a target and then split whatever ransom comes in. The practice has democratized ransomware use, allowing less experienced cybercriminals to get in on the scam without any technical knowledge. 

"In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organization. This new business model has revolutionized ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organization," Elliptic said.

FBI Analyst Charged for Stealing National Security Documents


An FBI employee with a top-secret security clearance has been indicted on charges that she illegally stored several national security documents and other national security information at home over more than a decade, the Justice Department stated on Friday. 

Kendra Kingsbury, a 48-year-old from Dodge City, Kansas, is accused of taking a range of materials between 2004 and 2017, many of which were marked secret because they discussed intelligence sources and methods containing information about operatives such as a suspected associate of Osama bin Laden. The files were from 2005 and 2006, when bin Laden, who engineered the Sept. 11 terrorist attacks, was alive and on the run from U.S. forces. 

The grand jury indictment, filed in the Western District of Missouri, alleges that Kingsbury illegally removed documents she was granted access to at work and stored them at home. She is charged with two counts of gathering, transmitting, or losing defense information, a felony that carries a maximum sentence of 10 years.

“The documents include information about al-Qaeda members on the African continent, including a suspected associate of Usama bin Laden. In addition, there are documents regarding the activities of emerging terrorists and their efforts to establish themselves in support of al-Qaeda in Africa,” the indictment reads. 

Though Kingsbury held a top-secret security clearance and was assigned to squads covering a range of crimes and threats, she did not have a “need to know” the information in most of the documents, prosecutors say. However, the indictment does not provide a reason for why Kingsbury mishandled the documents, nor does it accuse her of having transmitted the information to anyone else. The Justice Department declined to elaborate beyond the indictment on Friday.

“As an intelligence analyst for the FBI, the defendant was entrusted with access to sensitive government materials. Insider threats are a significant danger to our national security, and we will continue to work relentlessly to identify, pursue and prosecute individuals who pose such a threat,” John Demers, assistant attorney general for the Justice Department’s National Security Division, said in a statement.

In 2018, the FBI collaborated with the Office of the Director of National Intelligence to set up an updated framework meant to guide the U.S. government’s National Insider Threat Task Force (NITTF). Last month the NITTF issued an advisory on protecting against insider threats to critical infrastructure entities, including those with work touching on the U.S. electric grid, telecommunications networks, and hospitals.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash


According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian organization has been running a scheme to defraud users of digital platforms such as Uber, Lyft, and DoorDash, among others. According to authorities, the group used fake IDs to create driver or delivery accounts on these platforms in order to sell them to people who did not qualify under the companies' policies. 

The scam may also have involved GPS spoofing tools to trick the platforms into recording longer trips so the drivers earned more money. Furthermore, the Department of Justice (DOJ) states that the organization began operations in 2019 and expanded after the pandemic paralyzed many restaurants and supermarkets. 

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The group leased driver accounts on a weekly basis, according to court records. A ride-hailing driver account cost between $250 and $300 per week, while a food delivery account cost $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during its investigation. 

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian nationals so far and revealed that six members of the fraud ring are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

FIN7 is Spreading a Backdoor Called Lizar


Under the pretext of being a Windows pen-testing platform for ethical hackers, the infamous FIN7 cybercrime gang, a financially motivated organization, is spreading a backdoor called Lizar. 

Since mid-2015, the Russian criminal advanced persistent threat group FIN7 has targeted the retail, restaurant, and hospitality sectors in the United States. Combi Security, the front company for FIN7, manages a portion of the operation. It has been dubbed one of the world's most prolific criminal hacking organizations. FIN7 is sometimes referred to as the Carbanak Group, but the two appear to be distinct groups that share the same Carbanak malware, and they are therefore tracked separately. 

FIN7 is posing as a legitimate company selling a security-analysis platform, according to the BI.ZONE Cyber Threats Research Team. According to the researchers, they go to great lengths to ensure authenticity: “These groups recruit workers who are unaware that they are dealing with actual malware or that their employer is a real criminal group.” 

The group usually targets victims with malware-laced phishing attacks in the hopes of infiltrating networks and selling bank-card data. It has also introduced ransomware/data exfiltration attacks to its arsenal since 2020, carefully choosing targets based on revenue using the ZoomInfo service, according to researchers. 

Its malware selection is often changing, with researchers sometimes being surprised by never-before-seen samples. However, the Carbanak remote-access trojan (RAT), which is highly complex and sophisticated in comparison to its peers, has been its go-to toolkit. Carbanak is commonly used for network reconnaissance and gaining a foothold. 

However, BI.ZONE researchers have recently discovered that the group is employing a new backdoor known as Lizar. According to an article published on Thursday, the new backdoor has been in use since February and provides a strong range of data-extraction and lateral-movement capabilities. 

“Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.” 

Attacks on a gambling establishment, several educational institutions, and pharmaceutical firms in the United States, as well as an IT corporation headquartered in Germany and a financial institution in Panama, have been recorded so far.

Threat Actors' Dwell Time Reduced to 24 Days, FireEye Reports


FireEye, the intelligence-led security company, published the FireEye Mandiant M-Trends 2021 report. The FireEye-owned forensic specialist’s M-Trends 2021 report was compiled from investigations of targeted attack activity between October 1, 2019, and September 30, 2020. This year’s report outlines critical details on the latest attacker methodologies and malware, the growth of multifaceted extortion and ransomware, preparing for expected UNC2452 / SUNBURST threat actors, growing insider threats, and industry targeting trends. 

“UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters," said Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant.

Over the past decade, Mandiant has noticed a trending reduction in global median dwell time (defined as the duration between the start of a cyber intrusion and when it is identified). The researchers revealed that 59% of organizations detected attackers within their own environments over the period, a 12-percentage point increase on the previous year. The speed at which they did so also increased: dwell time for attackers inside corporate networks fell below a month for the first time in the report’s history, with the median global figure now at 24 days.

This is in stark contrast to the 416 days it took firms when the report was first published in 2011. It's also more than twice as fast as the previous year (56 days) and shows that detection and response are moving in the right direction. For incidents notified to firms externally, the figure was slightly higher (73 days), and for internally detected attacks it was lower (12 days). In the Americas, dwell time dropped from 60 days in 2019 to just 17 days last year, while in APAC (76 days) and EMEA (66 days) the figure increased slightly. 

The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Healthcare and High Technology. Mandiant experts observed that organizations in the Retail and Hospitality industry were targeted more heavily in 2020 – coming in as the second most targeted industry compared to 11th in last year’s report. 

Healthcare also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors can most likely be explained by the vital role the healthcare sector played during the global pandemic.

However, a major contributing factor to the global reduction in dwell time may be the escalation of ransomware attacks, which usually take place over a shorter time frame than traditional cyber-espionage or data theft operations.

Hackers Target Rogers With a New SMS Phishing Campaign


Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund consumers for a system outage that occurred last week. Users were unable to use cellular voice and data networks after the network experienced a nationwide blackout a week ago. Threat actors are now sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and media corporation based in Canada. With substantial telecommunications and mass media infrastructure, it mainly operates in wireless communications, cable television, telephony, and Internet connectivity. Rogers' head office is located in Toronto, Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed the Rogers Vacuum Tube Company to market batteryless radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station and then became part-owners of a consortium that created the CFTO television station.

Rogers responded that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, according to the company, the outage credit will vary based on the cellular plan and will not require a registration link. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites hosted on a bare IP address rather than a domain name. Exactly what information was phished is unclear because the pages have all been taken offline, but the target was evidently Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.
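The two tells in the message above, a brand name spelled with a zero and a link that goes to a bare IP address instead of a domain, are cheap to check automatically before a text is acted on or forwarded to 7726. The following is an added example, not Rogers' or the post's own code. Both text messages are constructed for the example (the IP address is from the documentation range, and the URL path is invented); the lookalike-character table and the brand name are assumptions the reader would adapt to their own environment.

```python
"""Triage checks for SMS phishing that impersonates a carrier's brand."""
import ipaddress
import re
import unicodedata

URL_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)

# Digits and symbols commonly substituted for Latin letters in brand spoofing.
# This table is an assumption for the example; extend it for other brands.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

# Constructed samples: the first mirrors the pattern in the post, the second is benign.
SAMPLE_SMS = [
    "R0GERS WIRELESS INC. We are sorry for the outage. Claim your $50 credit: http://203.0.113.7/credit",
    "Rogers: Your bill of $82.10 is now available in MyRogers. Reply STOP to opt out.",
]


def has_ip_literal_link(text):
    """True if any URL in the message uses a bare IPv4 address as its host."""
    for host in URL_RE.findall(text):
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            continue  # a normal hostname; keep looking
    return False


def normalize_brand(token):
    """Strip accents, lowercase, and fold look-alike characters to letters,
    so that 'R0GERS' compares equal to 'rogers'."""
    folded = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return folded.lower().translate(CONFUSABLES)


def spoofed_brand_mentions(text, brand="rogers"):
    """Return tokens that equal the brand only after confusable folding,
    i.e. the brand name written with substituted characters."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9@$]+", text):
        if token.lower() != brand and normalize_brand(token) == brand:
            hits.append(token)
    return hits


def triage(text, brand="rogers"):
    """Return the list of reasons a message looks like carrier phishing
    (empty list means no indicator fired)."""
    reasons = []
    if has_ip_literal_link(text):
        reasons.append("link points to a bare IP address")
    spoofed = spoofed_brand_mentions(text, brand)
    if spoofed:
        reasons.append(f"brand name spelled with look-alike characters: {spoofed}")
    return reasons


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(repr(sms[:40]), "->", triage(sms) or "no indicators")
```

The exact-spelling exclusion in `spoofed_brand_mentions` matters: a genuine "Rogers" is never flagged, only a token that becomes the brand after folding. Legitimate carriers also occasionally link to IP addresses in internal tooling, so, as with email triage, the function returns reasons for a human rather than a block decision.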

Ransomware Attack by REvil on Apple, Demands $50 Million


While Apple was working on the preparations for the 'Spring Loaded' event that went live on Tuesday, 20th April, the company requested a settlement to prevent its next-gen equipment data from being leaked. The REvil Group, also identified as SODINOKIBI, said that it had been able to access the computer network of Apple's Quanta Computer, and has requested $50 million to decrypt its systems, via the Dark Web. Quanta Computer is a major MacBook Air, MacBook Pro supplier. 

The REvil operators published a post on their dark web leak site, known as 'Happy Blog', claiming that Quanta Computer was the target of a ransomware attack. 

Although the group initially tried to negotiate with the company, it allegedly posted details of upcoming Apple devices ahead of the Spring Loaded event after Quanta Computer refused to pay the ransom, according to the blog post. 

The leaked material included schematics that appear to correspond to the current iMac as well as details of some new models. The ransomware operator warned Apple to buy back the stolen data by 1 May to avoid further leaks, threatening to post new files each day until Apple complies. The group also said it is negotiating with several large suppliers over the sale of large volumes of confidential drawings and gigabytes of personal data. 

“Quanta Computer's information security team has worked with external IT experts in response to cyberattacks on a small number of Quanta servers,” a Quanta Computer spokesperson stated. “We've reported to and kept seamless communications with the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There's no material impact on the Company's business operation.” 

The representative further stated that the information security defence system was activated immediately and that a comprehensive investigation was carried out. The company also said its cybersecurity posture has been raised and its existing infrastructure improved. 

Quanta also said that it was working on the issue with law enforcement and data protection authorities.

SOCTA: Here's a Quick Look into the Report by Europol


The Serious Organized Crime Threat Assessment (SOCTA) 2021 report by Europol summarises the criminal threat of the last four years and offers insight into what can be expected in the next four. Organized crime is not just cybercrime, but cybercrime is now a major component of organized crime. Europol sees the growth of businesses' digital footprint, the shift to digital lifestyles, and the rise of remote working as new vulnerabilities and opportunities for criminal exploitation. 

“Critical infrastructures will continue to be targeted by cybercriminals in the coming years, which poses significant risks,” cautions the published report. “Developments such as the expansion of the Internet of Things (IoT), the increased use of artificial intelligence (AI), applications for biometrics data, or the availability of autonomous vehicles will have a significant impact. These innovations will create criminal opportunities.” 

The disruption of the Emotet botnet in January 2021, through international action coordinated by Europol, is highlighted in the report. It involved authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. The overall assessment is that cybercrime is growing in sophistication, with criminal gangs becoming increasingly organized, so the threat is multiplying quickly. Beyond this, the Europol report says little about specific cyber threats, apart from noting that crime syndicates increasingly sell them 'as a service'. 

ENISA estimates that 230,000 new malware variants are detected each day, and Europol reports that the number and sophistication of attacks continue to increase: "The increase in the number of attacks on public institutions and large companies is particularly notable." DDoS (distributed denial of service) is an expanding threat, frequently followed by extortion attempts. Attacks on government and critical resources continue, but criminal groups increasingly target smaller organizations with weaker security controls. 

“Last year saw a multitude of damaging consequences from ransomware, breaches, and targeted attacks against sensitive data,” comments Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. Attackers have taken full advantage of far more critical vulnerabilities to the detriment of organizations, ranging from hacks of COVID-19 research data to assaults on critical networks and government agencies. Online child exploitation, especially what is known as live distance child abuse, also increased as students spent months at home during school closures. Europol states that it holds a database of over 40 million child sexual abuse images from around the globe. 

Furthermore, the role of the dark web in illegal activity should not be underestimated; criminals use it to share knowledge about operational security. Use of the dark web for selling illicit drugs and weapons has increased over the past four years, but law enforcement action appears to have sown mistrust among buyers and, together with online attacks, may have slowed the growth rate. Trafficking in human beings (THB) is also conducted on dark web and surface web pages, where labour and sexual exploitation are the main categories. Europol says THB is substantially underreported and that, within the EU, THB for labour exploitation is on the rise. 

Fraud has also grown in technical complexity, with schemes such as investment fraud, BEC, non-deployment fraud, novelty fraud, fake invoice fraud, social profit fraud, and bank fraud, and this is likely to continue. “The use of deep fakes will make it much more challenging to identify and counter fraud,” warns Europol. The organized crime ecosystem is characterised by a networked environment with smooth, systemic, and profitable coordination among criminals.

Here's a Quick Look at How Pakistani Counterfeiters Helped Russian Operatives


One entity stood out in the cascade of U.S. sanctions imposed on Thursday on Russian cybersecurity companies and officials allegedly acting on behalf of Kremlin intelligence: a business in Karachi, Pakistan, called 'Fresh Air Farm House'. 

The farm house, whose Facebook page shows a waterpark-equipped holiday rental, is run by 34-year-old Mohsin Raza, considered one of two founders of an online fake ID enterprise that prosecutors say helped Russian operatives gain a foothold in the United States. 

According to a U.S. Treasury statement and an indictment unsealed this week by federal prosecutors in New Jersey, Raza operated a digital fake ID mill, churning out images of doctored driver's licenses, bogus passports, and forged utility bills to help rogue customers pass verification checks at U.S. payment firms and tech companies. 

Reuters reached Raza in Pakistan at a telephone number listed in the U.S. Treasury's sanctions record. He confirmed his identity and acknowledged being a digital counterfeiter, saying he used "simple Photoshop" to alter ID cards, bills, and other documents to order. Raza, who said he has also dabbled in graphic design, e-commerce and cryptocurrency, denied any wrongdoing, saying he was merely helping people access accounts they had been frozen out of.

Among his clients, the New Jersey indictment alleges, was an employee of the Internet Research Agency, a notorious Russian troll farm implicated by U.S. investigators, media reports, leaked documents, and former insiders in efforts to interfere in U.S. elections. The IRA employee used Raza's services in 2017 to obtain forged driver's licenses to support the identity verification of fake accounts on Facebook, according to the indictment. 

Facebook did not immediately comment. Raza said he did not track who used his service. He said the inspiration for his business came several years ago when a PayPal account he had opened under an alias was locked, trapping hundreds of dollars he had received for search engine optimization work. 

Money earned from the fake ID business was poured into the construction of the Fresh Air Farm House, Raza said. The facility, which features three bedrooms, a playing field, a water slide, and a BBQ area, is now on a US list of sanctioned entities alongside Russian oligarchs and defense contractors. Raza's business is an example of how transnational cybercrime can serve as a springboard for state-sponsored disinformation, said Tom Holt, who directs the School of Criminal Justice at Michigan State University. 

The alleged use by Russian operatives of a Pakistani fake ID merchant to circumvent American social media controls "highlights why this globalized cybercrime economy that touches so many areas can be a perfect place to hide - even for nation-states," he said.

The United States imposes sanctions against 25 Russian companies for cyber attacks and Crimea

 On 15 April, the US Treasury Department put 25 Russian companies, six of which are IT companies, on its sanctions list as a response to allegedly organized cyber attacks by Russia, the situation in Crimea, and interference in the election.

The U.S. Treasury Department also listed 16 organizations and 16 individuals from the Russian Federation that U.S. authorities believe were behind the hacking of SolarWinds software and an attack on the networks of several U.S. departments, as well as interfering in the 2020 U.S. presidential election.

Recall that in February 2020, U.S. intelligence officials said that Russia had begun interfering in the 2020 presidential election. Specifically, they claimed that Russia was interfering in both the Democratic Party primaries and the overall course of the election, "hoping to sow chaos and discord." In addition, Russian secret services allegedly tried to force U.S. citizens to spread disinformation and bypass social media mechanisms aimed at combating fake news. However, no evidence of interference was presented.

On March 16, 2021, a report of the Office of the Director of National Intelligence of the United States was made public. According to the authors of the report, the Russian authorities, with the approval of Russian President Vladimir Putin, organized a campaign aimed at "denigrating" Democratic Party candidate Joseph Biden and supporting his Republican rival Donald Trump, as well as "undermining confidence in the election in general and aggravating sociopolitical controversy in the United States."

At the highest level, Moscow has repeatedly rejected claims that Russia tried to interfere in U.S. election processes.

In March 2021, Russian presidential spokesman Dmitry Peskov suggested that the publication of the U.S. National Intelligence Report was "a reason to put on the agenda the issue of new sanctions against our country."

"Russia also did not interfere in previous elections and did not interfere in the elections mentioned in this report in 2020. Russia has nothing to do with any campaign against any of the candidates. In this regard, we consider this report incorrect, as it is absolutely groundless and unsubstantiated," said Peskov.

On March 17, 2021, Russian Foreign Ministry spokeswoman Maria Zakharova, speaking on the Russia-24 television channel, described the report of the U.S. intelligence agencies on Russian "interference" in the election as "an excuse for their existence."

Cybercriminals Used Facebook Ads to Lure Users into Installing the Fake Clubhouse App


The audio-only app Clubhouse has gained huge success over the last few months, and now attackers are exploiting the app's reputation by running Facebook ads that promote a Clubhouse app for PC in order to deliver malware. Notably, the attackers are reusing an old tactic, since no PC version of the Clubhouse app has been released.

The Clubhouse app has nearly 8 million downloads so far, so malware authors have been busy exploiting its rising popularity by creating what they claim is a Clubhouse client for PC and promoting it through Facebook ads to get users to download it. 

As per a report by TechCrunch, the fake app is full of links to malware. The ad also shows a screenshot of a fictional Clubhouse desktop app, as imagined by the threat actors. Once users download and install the malicious app, it contacts a command and control server to perform various tasks. According to the report, running the app inside a secure sandbox revealed that it attempts to infect the desktop with ransomware.

Each Facebook page posing as Clubhouse had only a handful of likes but was still running at the time of publication. When TechCrunch reached out to Facebook, the company did not say how many users had clicked on the ads directing them to the fake Clubhouse websites.

In total, nine ads were posted this week between Tuesday and Thursday. Most carried a similar tagline stating that Clubhouse “is now available for PC,” while another featured a photo of co-founders Paul Davidson and Rohan Seth. Clubhouse did not return a request for comment.

Fake advertisements appear frequently on social media platforms and can easily slip through the net, so account owners should be aware of the risks of any advertisement on social media. Although social networks take down fake adverts once they are reported, users must also err on the side of caution when clicking on any advert, and further research is always advised before clicking through to download anything. This incident is a reminder that not all ads on a social media platform can be trusted.

Maze/Egregor Ransomware Earned over $75 Million


Researchers at Analyst1 have found that the Maze/Egregor ransomware cartel has collected at least $75 million in ransom payments to date. This figure is a lower bound; the real total could be considerably higher, since not every victim discloses paying the threat actor. While the group is currently crippled, it pioneered numerous innovations in the ransomware space. 

“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report published this week. 

Analyst1's discoveries are in accordance with a similar report from blockchain analysis firm Chainalysis, which listed the Maze group as the third most profitable ransomware operation — behind Ryuk and Doppelpaymer. 

The now-defunct Maze ransomware group was a pioneer in its time. Started in mid-2019, it shut down for unclear reasons before the end of last year but resurfaced as Egregor ransomware. Most of the code, the mode of operation, and other clues indicate that Egregor is the Maze group under a new name. The group ran what is known as RaaS (Ransomware-as-a-Service), allowing other cybercrime actors to rent access to its ransomware strain. These customers, also called affiliates, would break into organizations and deploy the Maze group's ransomware to encrypt files and extort payments.

But while many ransomware groups operated similar RaaS schemes, the Maze group became famous in December 2019 for creating a “leak site” where it regularly listed the organizations it had infected, a novelty at the time. 

This rebranding did not affect the group's success. Maze and Egregor ranked as the second and third most active RaaS operations on the market, accounting for almost a quarter of all victims listed on leak sites last year. According to Analyst1's report published this week, this heightened activity also translated into financial gains, based on transactions the company was able to track on public blockchains. 

However, this success also drew attention from law enforcement, which began investing significant resources into investigating and locating the group. The Maze/Egregor group is currently on hiatus, having halted operations after French and Ukrainian authorities arrested three of its members in mid-February, including a member of its core team.

The Russian who hacked JPMorgan was ordered to pay $20 million in compensation

In January, Andrei Tyurin was sentenced to 12 years in prison for the largest theft of bank customers' personal data in US history. He acted as part of a hacker group and stole data that earned the hackers hundreds of millions of dollars.

The Federal Court for the Southern District of New York has ordered Russian national Andrei Tyurin, who was sentenced in January to 12 years in prison for cybercrimes, to pay compensation of $19.9 million. This is evidenced by documents entered on Monday into the court's electronic database.

As follows from these materials, the parties agreed on the amount that Tyurin should pay to the individuals and legal entities affected by his actions. According to the agreement approved by the court, Tyurin "will pay compensation in the amount of $19,952,861." The full list of companies and individuals who will receive these funds is not provided in the documents, nor is it specified whether Tyurin has the means to pay the specified amount.

In early January, Tyurin was sentenced to 144 months in prison. According to Judge Laura Taylor Swain, the Russian was involved in "large-scale criminal activities of a financial nature." According to the investigation, he was involved in cyber attacks on large American companies in order to obtain customer data.

The US prosecutor's office said that Tyurin hacked the data of nearly 140 million customers and stole information from 12 companies, among them JPMorgan Chase Bank, Dow Jones & Co, Fidelity Investments, and E-Trade Financial. The authorities called the Russian's actions the largest theft of bank customer data in the country's history.

Tyurin was extradited to the United States from Georgia in September 2018. The American authorities charged him with hacking into the computer systems of financial institutions, brokerage houses, and media outlets specialising in the publication of financial information. Representatives of the Secret Service claimed that the Russian was involved in "the largest theft of customer data from US financial structures in history." They noted that Tyurin could be sentenced to imprisonment for up to 92 years.

The Russian initially declared his innocence. According to the court materials, in September 2019 Tyurin made a deal with the prosecutor's office and pleaded guilty to several counts. The US Secret Service claimed that Tyurin and his accomplices "embezzled hundreds of millions of dollars."

BCPS Hit by Conti Ransomware Gang, Hackers Demanded $40 Million Ransom


Several weeks ago, the Conti ransomware gang encrypted systems at Broward County Public Schools and threatened to release sensitive personal information of students and staff unless the district paid a colossal $40 million ransom. Broward County Public Schools, the country's sixth-largest school district with an annual budget of about $4 billion, informed parents of a network outage on March 7 that disrupted online teaching, but based on this new information the incident was clearly far more serious. 

First reported by DataBreaches.net, the hackers threatened to disclose a huge trove of personal information, including the social security numbers of students, teachers, and employees, as well as addresses, dates of birth, and school district financial contact information. "Upon learning of this incident, BCPS secured its network and commenced an internal investigation,” the district said in a statement. “A cybersecurity firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems." 

The hackers published screenshots of a mid-March text conversation between them and a district official — clearly a negotiation over the hackers returning the documents to the district. 

“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.” 

After weeks of negotiations, the hackers eventually lowered their demand to $10 million. Under district policy, that sum is the maximum it can pay without school board approval. 

Broward County's case was one of several ransomware attacks on educational institutions in the past two weeks. The Clop ransomware gang was very active, with reported cases affecting the University of Maryland, Baltimore County (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows, noted that these attacks were carried out by the Clop gang as part of the Accellion FTA breach.