Search This Blog

Showing posts with label Cyber Crime. Show all posts

Hackers Altered the Covid-19 Vaccine Records

 

The European Union's drug regulator has said that COVID-19 vaccine documents that were purloined from its servers in a cyberattack have been not only leaked on the web but "manipulated" by hackers.

A cyber-attack hit the European Medicines Agency (EMA). At the hour of the divulgence of the hack, the EMA didn't give technical insights concerning the attack, nor any information on whether the attack will affect its operations while it is evaluating and approving COVID-19 vaccines. 

The European agency plays a vital role in the evaluation of COVID-19 vaccines across the EU, it has access to sensitive and confidential data, including quality, safety, and effectiveness of information coming about because of trials. The European Medicines Agency said on Friday that a continuous investigation concerning the cyberattack demonstrated that hackers got emails and records from November identified with the evaluation of experimental Covid vaccines. 

The agency, which regulates medications and drugs across the 27-part EU, had troves of confidential COVID-19 information as a feature of its vaccine approval process. 

"A portion of the correspondence has been manipulated by the culprits before distribution in a manner which could sabotage trust in vaccines," the agency said. It didn't clarify what data was altered — but cybersecurity experts state such practices are typical of disinformation campaigns launched by governments. 

Italian cybersecurity firm Yarix said, "the intention behind the leak by cybercriminals is sure: to cause critical harm to the reputation and credibility of EMA and Pfizer." The agency said that given the overwhelming toll of the pandemic, there was an "urgent public health need to make vaccines accessible to EU residents as quickly as time permits." The EMA demanded that despite that urgency, its decisions to recommend the green-lighting of vaccines were based "on the strength of the scientific proof on a vaccine's safety, quality and efficacy, and nothing else.” 

The agency, which is situated in Amsterdam, went under hefty criticism from Germany and other EU part nations in December for not approving vaccines against the virus all the more rapidly. The EMA gave its first recommendation for the Pfizer and BioNTech vaccine weeks after the shot got approval in Britain, the United States, Canada, and elsewhere. 

The EMA said law enforcement authorities are taking necessary action in response to the cyberattack.

Remote Images Used by Hackers to Evade Email Filters

 

Phishing emails impersonating well-known brands like Microsoft or PayPal need visual content to be successful. From brand logos to colorful pictures, images give a visual cue to the recipient that the email is innocuous and authentic. However, pictures add a visual component of authenticity to in any case fake emails: they likewise make the work of filtering emails a lot harder. Image spam has consistently been a very mainstream strategy for evading an email's textual content analysis, as there is no important content that can be separated from the text email parts. 

On the off chance that the detection of identical images is moderately simple—thanks to signatures based on cryptographic hashing algorithms, for example, MD5—the detection of similar pictures requires complex and costly algorithms. Without a doubt, to evade detection, phishers manipulate the pictures marginally, changing the compression level, colorimetry, or geometry to bypass email filters. They will probably make each picture unique to evade signature-based technologies.

Remote pictures have emerged as the most recent filter bypassing method by hackers hoping to exploit shortcomings in email security technology. In contrast to embedded images, which can be analysed progressively by email filters, remote pictures are facilitated on the web and accordingly should be fetched prior to being analysed. In 2020, the utilization of remote image-based dangers surged. In November 2020 alone, Vade Secure broke down 26.2 million remote pictures and hindered 262 million emails highlighting noxious remote pictures. 

Analyzing a remote picture requires getting it over a network. Exploiting this shortcoming, cybercriminals utilize extra strategies to make the process more cumbersome for security scanners, such as:

 • Multiple redirections

 • Cloaking techniques

 • Abuse of high-reputation domains 

The way towards blocking picture-based threats requires Computer Vision, a scientific field that manages how PCs can acquire a high-level understanding of visual content. Vade Secure implemented the first Computer Vision technology dependent on Deep Learning models (VGG-16, ResNet) in mid-2020 to distinguish brand logos in emails and sites. The Deep Learning models have been trained on a combination of gathered pictures and artificially created pictures. 

The outcome is that large numbers of these emails go undetected. For clients, this regularly implies accepting a phishing email and reporting it, just to get it once more, and sometimes, on numerous occasions.

After the global attack by the hackers, the FBI became interested in the company JetBrains

FBI officers began checking the JetBrains company. So far, there are no specific accusations, but the special services are investigating whether the products of the above company could be used in the hacking of the American SolarWinds, which is considered the starting point of the global hacker attack.

JetBrains, founded in Prague in 2000, sells customers software that makes it much easier to create applications. For millions of developers, its tools are indispensable: the company now has more than 10 million users in more than 213 countries.  In an interview with Forbes, the company's CEO, Maxim Shafirov, said that despite the pandemic, revenue has grown by 10% over the past year, and the company suggests that this year it can reach $400 million. According to a JetBrains representative, the company is worth more than $1 billion.

On Wednesday, The New York Times, Reuters and The Wall Street Journal reported that the investigation does not exclude the possibility of connecting JetBrains with one of the largest acts of cyberespionage in recent times. The publications contained hints that hackers could have hacked JetBrains or one of its products, the TeamCity testing, and code-sharing service, in order to then gain access to the systems of SolarWinds, which used this service. 

As a result of the attack, hackers compromised one of the SolarWinds tools and used it to break into the networks of customers, including government departments and major US IT companies. Among the victims of the cyberattack were the US Department of Justice, which announced that 3% of its messages sent through Office 365 were compromised, as well as the US Department of Energy and Treasury, Microsoft, Cisco and other organizations. The US claims that the attacks are linked to Russia. The Kremlin denies any involvement.

It is noted that the reputation of JetBrains can be seriously damaged if it is proved that its employees are involved in compromising the software and its misuse.

DarkMarket Taken Down in an international Operation

 

DarkMarket, purportedly the world's biggest dark web marketplace, has been taken down by a Europol-coordinated international operation, as indicated by authorities. Europol upheld the takedown with specialist operational analysis and coordinated the cross-border collaborative effort of the nations.

The Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian resident who is the alleged operator of DarkMarket, close to the German-Danish border over the weekend. The investigation, which was driven by the cybercrime unit of the Koblenz Public Prosecutor's Office, permitted officials to find and close the marketplace, switch off the servers and hold onto the criminal framework – over 20 servers in Moldova and Ukraine upheld by the German Federal Criminal Police Office (BKA). The stored information will give investigators new prompts to further investigate moderators, sellers, and buyers.

Before its closure, DarkMarket facilitated near 500,000 clients and had encouraged more than 320,000 transactions, as indicated by Europol. The dark web marketplace exchanged everything from drugs and counterfeit cash to stolen Mastercard details and malware. As per Europol's estimate, the site exchanged what might be compared to €140 million in today’s money, in a blend of bitcoin and monero. European authorities intend to utilize held onto DarkMarket servers from Ukraine and Moldova to investigate the buyers and dealers who utilized the site for criminal transactions.

DarkMarket's bust was not the first for German authorities, which have discovered illegal platform operators on German soil lately. In 2019, Koblenz prosecutors declared the disclosure of darknet servers facilitated from a previous NATO bunker in a lethargic German town. Authorities state the probe that revealed DarkMarket included a months-in length international law enforcement operation. US agencies like the FBI, DEA narcotics law enforcement division, and IRS tax authority all added to the investigation, alongside police from Australia, Britain, Denmark, Switzerland, Ukraine, and Moldova, with Europol playing a "coordinating role." 

DarkMarket is the most recent dark web marketplace taken down since the Silk Road bust back in 2015 — in recent years, international law enforcement operations had additionally brought down AlphaBay and Wall Street Market, which were likewise used to sell drugs and other illegal products.

Korean Dating App Leaks Private Images and Information of 1 Million Users

 

Korea is a country where incidents of data breach have significantly risen in number, becoming the new normal. Due to this, Data Protection has become a subject of concern in Korea. Massive-scale data leakage incidents have caused the residents great trouble as their resident registration numbers are easily accessible on the internet. For instance, while using various online platforms for shopping a person provides the required information that is not regarded safe as small business owners pay little attention to the protection of the database while on the other hand big business owners at times lack efficient data control system. 

This data breach mostly leaks the private information of the users such as explicit content or certain images that should not be out in the public domain. The data that gets easily accessed due to the misconfigured and unsecure services, includes user information such as personally identifiable information and other sensitive data like private messages or images. 

Lately, one such incident took place in Korea again where a dating app has leaked highly sensitive NSFW picture and information of the app users that are nearly 1 million in the count. This one was free of cost dating app that goes by the name “ Sweet Chat” belonging to Sweet Talk. 

The aforementioned incident is a bit of a déjà vu, as the nearly same incident was reported in November last year. Though that incident had images, videos, and audios that were extremely explicit and private for the user and that particular database contained 130,000 files in total. Articulating about the incident that transpired this year the database only had NSFW images and only half of the total images were explicit. The count of the images and messages leaked this time was 1 million. 

The era of technology accords with a wide range of approaches that can harm a user caught in such cases. The user ID’s are easily connected to the leaked images by a Reverse Image search process, which is very handy for cybercriminals who later on blackmail the users. Wrongdoers even get imprisonment for up to 40 years for such blackmailing cases in Korea.

These cases are very sensitive, as they breach the wall of privacy for the user. It’s the responsibility of the owners and the app developers to make sure that all such private information and the confidential database remains safe and private. The consequences of such cases are highly amplified for the victims as now anybody could access their personal information. 

The users need to use these dating apps with proper care and change their passwords every now and then. Users are also advised to keep an eye on the personal information stored in the app. One must always be cautious about permissions that the apps ask for its proper working on the device. And cases carrying such sensitivity must be reported to the concerned authorities as soon as possible.

Singapore Witnessed a Sudden Surge in the Bank-Related Phishing Scam

 

Phishing emails are scams where the actors try to befool the user by sending emails that may concern the user. Generally, these emails are received in the name of a bank or some trusted company, that asks for your personal information. The entire process appears to be legitimate but it's designed to trick the user into extracting their personals information. 

We all buy or sell things online through various platforms and organizations that have our personal information stored in their database that is nevertheless safe until and unless the actors impersonate these organizations and befool users into submitting their OTP’s, passwords, etc. The user is safe from such phishing emails as long as they do not respond in the required condition to the mail. 

The city-state of Singapore has turned out to be a victim of extortion with phishing emails that have even agonized the government officials. On the 5th of January, the Singapore government officials stated that there have been bank-related phishing scams where the actors have been imitating to be Singapore Government officials and asking natives for their personal information.  Generally, the victims in such scams receive a call or email or even a message from some government agencies like the Ministry of Manpower, asserting some issues within the victim’s bank account. 

Furthermore, they ask to verify some personal details that should have stayed confidential – such as their NRIC numbers, password of bank account, log-in credentials, and much more. Following the aforesaid state of affairs, the actors then try to make illegitimate transactions of money from the victim’s account. 

The first six months of the year 2020 have reported some 900 cases of bank-related phishing scams and a more than 25-fold from the just 34 such cases for the same period in the year 2019, stated the Singapore Police. The amount of loss has been calculated to $ 3.6 million for the year 2020. 

The Singapore Police in charge of the case has requested the natives to ignore such calls and deny stipulating any information regarding the bank account or the log -in credentials and any private details. They clarified that no government agency in any situation would ask for any private information or bank account details over a phone call or via emails. Scammers or actors may mask their actual phone numbers and try to display a different profile using ID spoofing technology as further added by the police. 

After recording a significant surge in these cases Singapore government officials have asked for cooperation and support from the city natives, requesting them not to share their personal or internet banking details and OTP’s with anyone.

Court in the United States has sentenced Russian Andrey Tyurin to 12 years in prison for cybercrime

The Federal Court of the Southern District of New York sentenced Russian Andrey Tyurin to 12 years in prison for committing a number of cybercrimes. In addition, he was ordered to pay the United States 19 million dollars

The Russian Consulate General in New York is in contact with law enforcement agencies in the United States in the case of the Russian Andrei Tyurin, who was sentenced by the court to 12 years in prison for cybercrime, said the press secretary of the diplomatic mission Alexey Topolsky.

According to him, the conditions of detention of the Russian citizen were difficult in the context of the COVID-19 pandemic. Topolsky recalled that Tyurin contracted the coronavirus in an American prison.

"The Russian Consulate General in New York is monitoring the case of Andrei Tyurin and is in contact with US law enforcement agencies," said Topolsky.

In his last speech, Tyurin said that he sincerely repents for what he did.

According to the judge, Tyurin must reimburse the United States 19 million 214 thousand 956 dollars, this is the profit that he derived from his criminal activities.

By US standards, a 12-year sentence is not the harshest for such a crime, says international lawyer Timur Marchani.

"In the United States, for crimes related to cybersecurity, for crimes that entail hacking the banking system, some of the harshest penalties are provided. Here, the court took into account first of all the hacker's remorse and, most importantly, cooperation with the preliminary investigation authorities and then with the court," said Mr. Marchani.

Recall that the Russian was detained in Georgia at the request of the United States in December 2017. In September 2018, he was extradited to the United States. In September 2019, the Turin pleaded guilty to six counts of the indictment.

According to the investigation, Tyurin participated in a "global hacking campaign" against major financial institutions, brokerage firms, news agencies and other companies, including Fidelity Investments, E-Trade Financial and Dow Jones & Co.

Prosecutor Jeffrey Berman said that Tyurin ultimately collected client data from more than 80 million victims, "which is one of the largest thefts of American client data for one financial institution in history."

Ezuri Crypter Being Used to Evade Antivirus Detection

 

As per a report delivered by AT&T Alien Labs, various cyber criminals are utilizing Ezuri crypter to pack their malware and dodge antivirus detection. Although Windows malware has been known to deploy similar tactics, cybercriminals are currently utilizing Ezuri for penetrating Linux systems too. Written in Golang, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Utilizing AES, it encrypts the malware code and, on decoding, executes the noxious payload directly inside memory without producing any records on the disk. 

Systems engineer and Ezuri's maker, Guilherme Thomazi Bonicontro ('guitmz'), had open-sourced the ELF loader on GitHub in 2019 and debuted the tool in his blog entry. In an email interview with, Bonicontro otherwise known as TMZ shared that he is a malware researcher and makes research apparatuses for spreading awareness and aiding defenders. 

“I'm an independent malware researcher, I do this as one of my leisure activities. The objective of my work is just to learn and bring awareness on assorted PoC assault and defense techniques, yet never bring on any harm. As a general guideline, I generally share samples of my ventures with antivirus organizations and I never discharge code with ruinous payload or anything with refined replication capabilities. I believe knowledge ought to be available to everybody and every individual ought to be answerable for their own activities to rest soundly at night,” said Bonicontro. 

Researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs noted in the wake of decrypting the AES-encrypted payload, Ezuri quickly passes the subsequent code to the runFromMemory work as a contention without dropping malware files anyplace on the tainted system. During the last few months, Caspi and Martinez distinguished a few malware creators that pack their samples with Ezuri. These incorporate the cybercrime group, TeamTnT, active since at least April 2020. 

TeamTnT is known to assault misconfigured Docker instances and exposed APIs to transform weak systems into DDoS bots and crypto miners. Later variations of TeamTnT's malware, for example, "Black-T" that install network scanners on tainted systems and extract AWS credentials from memory were likewise discovered to be bound with Ezuri. As indicated by the AT&T researchers, "the last Black-T sample distinguished by Palo Alto Networks Unit42 is really an Ezuri loader." The researchers additionally saw the presence of the 'ezuri' string in numerous Ezuri-packed binaries. 

Malware samples which were commonly distinguished by about 50% of antivirus engines on VirusTotal, yielded 0 detections when encoded with Ezuri, at the time of AT&T's research. Even today, the Ezuri-stuffed sample has less than a 5% detection rate on VirusTotal.

Thallium Altered the Installer of a Stock Investment App

 

This week, ESTsecurity Security Response Center (ESRC) gave an account of a North Korean hacking group altering a private stock investment messaging application to deliver malevolent code. The gathering known as Thallium delivered a Windows executable utilizing Nullsoft Scriptable Install System (NSIS), a famous script-driven installer authoring tool for Microsoft Windows. This North Korean hacking group Thallium, colloquially known as APT37 has targeted clients of a private stock investment courier service in a software supply chain attack, as indicated by a report distributed recently. Not long ago, the group essentially depended on phishing assaults, for example, using Microsoft Office records, to focus on its victims. Thallium is presently utilizing different ways, for instance, transporting infected Windows installers and macro-laden Office records to go after investors.

The Windows executable contained malevolent code with the authentic files from a legitimate stock investment application program. ESTsecurity researchers demonstrated two manners by which the assailants influence the "XSL Script Processing" method. Inside the authentic installer of the stock investment platform, aggressors infused explicit orders that got a malignant XSL content from a maverick FTP server and executed it on Windows systems employing the in-built wmic.exe utility. 

The subsequent installer, repackaged with Nullsoft's NSIS, would give off the impression as though the client was installing the genuine stock investment application while discreetly sliding the malicious contents out of sight. The following phase of assault executes a VBScript to make documents and folders named 'OracleCache', 'PackageUninstall', and 'USODrive' among others in the %ProgramData% index. The payload at that point interfaces with the command-and-control (C2) server facilitated on frog.smtper[.]co to get extra commands. By making a maverick scheduled task called activate under a deceptive directory 'Office 365__\Windows\Office', the malware accomplishes continuity by instructing Windows Scheduler to run the dropped code every 15 minutes. These criminals observe the tainted system and after an initial screening, deployed a Remote Access Trojan (RAT) on the machine.

ESTsecurity researchers additionally noticed Microsoft Office documents, for example, Excel spreadsheets that contained macros were disturbing the previously mentioned XSL script payload. "ESRC is focusing on the way that the Thallium association is utilizing the 'XSL Script Processing' method not just in spear-phishing assaults dependent on noxious documents, yet besides for niche assaults including supply chain assaults," experts at ESTsecurity further said.

NameSouth’s Data Leaked for not Paying Ransom to Cybercriminals

 

NameSouth is by all accounts the most recent casualty of the ransomware group that surfaced at some point in 2019. NetWalker's objectives range across different enterprises, with archives of purloined information from around a hundred exploited organizations openly posted on the gang's darknet site to date. NameSouth LLC, a provider of veritable, OE, and OEM trade car parts for German-brand vehicles is situated in Mooresville, North Carolina. Set up in 2004, the organization distributes replacement parts for vehicles fabricated by Audi, BMW, Mercedes, Porsche, Saab, Volkswagen, and Volvo across North America.

The NameSouth archive leaked by NetWalker incorporates classified organization information and delicate archives, including monetary and accounting information, financial records, personally identifiable worker data, and different legal reports. In light of backup file creation dates, the document was exfiltrated from the NameSouth network on November 26, 2020. Apparently, the information was leaked days after the fact after the organization missed the gang's deadline to pay the ransom. A large portion of the information in the leaked archive seems to have a place with the organization instead of its accomplices or clients, which implies that it is NameSouth and its workers who are well on the way to endure the worst part of the harm. 

The leaked archive contains 3GB worth of report examines, including: 

 • Invoices containing tax identification numbers. 

 • Complete names, addresses, telephone numbers, and definite working long periods of at least 12 NameSouth representatives.

 • Client names and addresses.

 • Financial records dating from 2010 to 2020. 

 • Monetary and accounting information. 

From what samples of the leaked documents they had the option to get to, apparently, the records in the archive contain individual data of at least 12 NameSouth representatives, including their definite working hours. Such data would make it simpler for criminals to complete spear phishing assaults against the representatives. Getting to NameSouth's monetary and accounting information, including credit card records that date as far back as 2010, would permit criminals to commit fraud in the organization's name, for example, applying for government-supported Covid alleviation loans. 

To avoid becoming victims of such ransomware attacks, here are a few precautions:

 • Build up an intelligent danger recognition framework or a security incident event framework. In case of a break by pernicious criminals, such frameworks will caution your IT faculty about the occurrence constantly and assist them with keeping information exfiltration from organization servers. 

 • Utilize a salted secure encryption algorithm to encode your confidential information. At the point when scrambled, your organization information would be everything except futile to criminals. The information would be scrambled by the algorithm, which would deliver it incoherent for unapproved parties without an encryption key.

Hackers Hijacked Smart Devices and Live-Streamed Swatting Incidents

 

Technology is ameliorating at a great pace and here we are becoming the victims of our doings. In the current modern era, our reliance on technology is bound to skyrocket, however, various other factors need to be checked to ensure a durable sense of security and privacy. Several misconceptions and lack of knowledge among users are what allow hackers to make gigantic gains. 

In light of that, recently, one such incident took place where the hackers hijacked various smart home devices and live-streamed police raids simultaneously on various innocent natives of the settlement. Then, hackers made a hoax call to the police and authorities on 911, which lead to “Swatting”. In this regard, the FBI confirmed that these hackers have even spoken to the acknowledging officers operating via the hacked kit. 

What is “Swatting”?

The hackers are aggravating Swatting attacks, which is an offense. The operators attempt to befool authorities by 
making a hoax telephonic call and falsely stating that the current state of affair is an emergency and they should straight away be at their disposal at the said residence with armed forces. 

It should be noted that this was not the first time an incident of such sort has taken place. The FBI had clearly stated that there are “deadly” risks and appalling outcomes of such attacks. One such fake hoax call costed the life of an innocent person three years back when the police shot that man in Kansas over the information handed over to them by the hackers. 

Why such incidents happen where the hackers easily enter the secured digital systems of owners? 

Following the incident and investigating the matter at hand, the FBI has given valuable insights about the subject, the officials clarified that such “pranks” become a success because the victims have reused the watchwords from other devices and services for setting up the same smart home device as well, making attackers' work exceedingly simple.

On the hub of confidential information, the Dark Web, such credentials of devices are easily hacked and sold and concurrently bought; and when we use the same watchwords for multiple devices and services, as a consequence, it becomes easy for hackers to enter the security system and break the firewall. 

“The [perpetrators] call emergency services to report a crime,” the FBI told. 

“The offender watches the Livestream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.”

With an upsurge in similar cases, the FBI has urged the victims as well as the owners of the smart devices/services that they must change their watchwords immediately and should also update the same regularly.

The head of Group-IB Mr. Sachkov described the portrait of a typical Russian hacker

Not only a programmer but also just a specialist with a good knowledge of mathematics can become a hacker in Russia, said the head of Group-IB Ilya Sachkov. The entrepreneur believes that for such people money is a priority.

"This is a talented young man, whose task is to earn money and that's all. He is not always well-educated in the humanities, not someone who will cause you sympathy. The priority is money, expensive cars, expensive watches, holidays abroad," said Sachkov.

Ten years ago, the career of a hacker was chosen exclusively by students, mostly children from disadvantaged families. However, the situation has changed: this profession is now chosen by those who "live in very rich families, with normal relations between parents".

A typical Russian hacker "tries to play Don Corleone", communicates with former or current law enforcement officers, and also looks for political assistants who will explain to him that real Russian hackers steal money from foreigners because of the "war with America".

He noted that the creators of viruses are often people with special needs, autistic children who have fallen into an aggressive environment. At the same time, the opinion that Russian-speaking hacker groups are leading in the world is already outdated. Today, all of them are mixed by nationality, although in the 90s, it was people from the post-Soviet space who were among the first to engage in such things, who communicated among themselves in Russian.

Group-IB specializes in products that help protect against cyber attacks and fight online fraudsters. In particular, the company investigates cybercrimes and helps to monitor attacking hackers. The group cooperates with Europol and Interpol.

Experts listed the possible goals of cyber criminals who hack websites

According to Positive Technologies, in 2020, cybercriminals have become increasingly interested in hacking sites: in seven out of ten cases, the purpose of an attack is to gain access to a resource, including for its further sale to another attacker.

The company's experts, to find out the most popular targets of hacking sites, examined more than 80 million messages on the ten most active forums in the shadow segment of the Internet, which provide services for hacking sites, buying and selling databases, and accessing web resources.

According to Positive Technologies analyst Yan Yurakov, since March 2020, interest in the topic of hacking sites has been identified. He also explained that this trend could lead to an increase in the number of companies represented on the Internet, which was provoked by the pandemic.

In seven out of ten requests related to hacking sites, the main goal is to gain access to a web resource. Attackers can not only steal confidential information but also sell access to a web application.

In another 21% of cases, the purpose of hacking a site is to extract and obtain databases of users or clients of the attacked resource. According to Positive Technologies, competitors and spammers who collect lists of addresses for targeted thematic mailing lists aimed at a specific audience are primarily interested in acquiring such information.

For about 4% of hackers, the main goal is not to hack the site itself, but to place malware on it. About 3% of customers are looking for a hacker to remove certain data from the site after hacking, and 2% sell ready-made programs and scripts for hacking.

Recently it became known that the list of pre-installed Russian software for smartphones, tablets, computers and Smart TV will include an application that combines sites with free access. Since April 1, the Ministry of Digital Industry has been conducting an experiment to provide residents of Russia with free access to 371 sites.

Police detained hackers who stole more than 20 million rubles

Police officers of the Chuvash Republic, with the assistance of BI.ZONE experts detained the organizers of a criminal group that stole money from customers of Russian banks using the FakeToken malicious software. The group operated for more than 5 years, the damage from its activities exceeds 20 million rubles ($272 200,00).

During a search at the addresses of one of the fraudsters, network devices, communication devices and computer equipment containing clear traces of the development and distribution of Trojan Banker.AndroidOS.FakeToken were found and seized. Also, employees of the Ministry of Internal Affairs found SIM cards of various telecom operators and electronic correspondence in Telegram, which confirms the involvement of the detainee in illegal activities.

According to BI.ZONE experts, the attackers used Trojan Banker.AndroidOS.FakeToken for stealing money from users of mobile devices based on the Android OS. The program infected devices, intercepted SMS messages from the Bank and transmitted them to the server of criminals, as well as collected Bank card data. The fraudsters used this information to transfer money from the victims' mobile and Bank accounts. "Over the past five months, the hacker group has gained access to more than 5,000 phones and data from at least 2,500 Bank cards," said experts.

"In February 2020, we recorded the activation of the FakeToken malware, which infected more than 2,000 victims every day. The group that manages this software is considered one of the most active in the Russian Federation, and we are glad that we were able to help stop the criminals," said Evgeny Voloshin, director of the BI.ZONE expert services unit.

It's important to note that the FakeToken Banking Trojan has been known since 2016. It is able to attack more than 2 thousand financial applications, its victims of steel of about 16 thousand users in 27 countries, including Russia, the Ukraine and Germany.

Russian hackers broke into the systems of the United States Department of the Treasury and Department of Commerce

The Russian Embassy in the United States has already called the accusations against Moscow baseless. They recalled that Vladimir Putin offered to restore bilateral relations in the field of international information security, but Russia did not receive a response from the United States

According to Reuters and the Washington Post, Russian hackers broke into the systems of the US Department of the Treasury and the National Telecommunications and Information Administration, a division of the US Department of Commerce.

According to media reports, a group of hackers Cozy Bear, close to Russian intelligence, was involved in the attack. After breaking into the system, the hackers gained access to Microsoft Office and read the Ministry of Finance's e-mail for several months.

The New York Times has already called this hack the largest in the last five years. The data leak was confirmed only by the Department of Commerce. According to Reuters, a meeting of the national security Council was held at the White House on Saturday. The investigation is just beginning, the amount of data that hackers received is unknown.

"Unfortunately, publications in the press have ceased to be a reliable source of information for us. As for why these hacks continue or why they allow them to be hacked, it seems to me that this is an endless race of the security system. Among other things, this is a huge business," comments Yuri Rogulev, Director of the Franklin Roosevelt Foundation for the study of the United States.

"Again, there is no evidence that Russian hackers are involved", said Roman Romachev, General Director of the R-Techno intelligence technology agency.

According to him, everything is aimed at once again increasing tensions in the first place in cyberspace in relation to Russia. And in order for taxpayers to understand where their billions are going, the US authorities periodically whip up such hysteria against alleged Russian hackers.

The Russian Embassy in the United States has already called the accusations against Moscow baseless. They recalled that Vladimir Putin offered to restore bilateral relations in the field of international information security, but Russia did not receive a response from the United States.

In 2020, cybercriminals started laundering four times more money

According to the Kaspersky Fraud Prevention report, in 2020, attackers most often tried to make unauthorized money transfers by using a compromised account (in 36% of cases) or by infecting the device with malware (31%).

In 2019, malware attacks were the absolute leader, 63% of the total number was recorded. The share of incidents related to money laundering increased fourfold this year and amounted to 12%.

Hackers use complex and multi-stage money laundering schemes: they change accounts, companies, presentation, currency, and jurisdiction many times. In this regard, financial organizations need to build a cybersecurity system in such a way as to minimize the possibility of hacking, as well as to promptly monitor any illegitimate actions.

In e-commerce, the most common form of fraud is the abuse of welcome bonuses in loyalty programs. The scheme is quite simple: attackers massively register accounts in the marketplace, receive welcome bonus points, and buy products with a discount under the bonus program. For example, in one case, a fraudster bought diapers and candy and then sold the purchased goods at a profit on popular trading platforms. In the future, the created accounts were not used, their average life was 1-2 days.

"As before, one of the most common methods of fraud is the use of applications with remote access tools. Also, the attackers have mastered the scheme of spoofing numbers for incoming calls. Bank customers, unfortunately, are often deceived, because they are used to the fact that a real call from a financial institution can be made from different numbers. The Kaspersky Fraud Prevention platform, aimed specifically at banks and other financial institutions, allows tracking the activity of hackers by analyzing a variety of parameters, including user behavior, device parameters, and the presence of malicious or dangerous programs," said Ekaterina Danilova, Business Development Manager at Kaspersky Fraud Prevention.


Here's why a Greece Hacker Easily Hacked Croatian University?

 

A hacker from Greece has published the database of the University of Rijeka in the context of Croatia supporting the anti-Serb movement. Reportedly, the hacker was fueled by the prevailing situation in the Balkans, and his acts were motivated by the same; addressing his Serbian brothers he wrote, "it's time to defend our land and our history". 

Hashing is a one-way road to security and a reliable password storage strategy that makes storing passwords less risky and complex by creating a strong foundation for securely storing passwords.
 
The database contains a table that compares every username with a password. The server receives a request for authentication with a payload containing a username and a password when a user logs in; then the username is being looked up in the database and matched with the stored password, and when the right match is being found, the user gets the access to the application or the website. 
 
The strength of security depends upon the format of storing the password, one of the most basic ways of password storage is 'cleartext', which however is also the least secure of all as it is readable data stored in the clear, for instance, unencrypted. To say, using cleartext for storing passwords is the real-world equivalent of writing them down on paper – here a digital one.  
 
Notably, the University website has been using Md5 to store the passwords which is yet another outdated format that can be easily cracked. Now coming back to hashing – it uses an algorithm to map data regardless of its size to a fixed length, one must not confuse hashing with encryption as encryption is a two-way function and hence reversible while hashing is a one-way function and hence is not reversible. The computing power required to reverse-hash something is unfeasible. 
 
What is salting?
 
Salting is a unique value that is added at the end of the password to distinguish its hash value from that of a similar password, without salting the same hash will be created for two identical passwords. It is done to strengthen security by complicating the cracking process. However, in the abovementioned hash, there are no additional values added to the passwords. 

They have simply used the md5 method without salting and as the main virtue of a secure hash function is to make its output difficult to predict, this method used by the University defies the whole purpose – making passwords weak and easy to crack. Some of the pre-cracked passwords are shown below. 



Google Drive Notifications Used to Send Malicious Links to Hundreds of Thousands of Users

 

Cybercriminals have now resorted to utilizing a legitimate Google Drive collaboration feature to trick users into clicking on pernicious links. 

As per recent reports the attacks have been originated from Google Drive's collaboration feature, which enables users to make push notifications or emails that invite people to share a Google doc. Attackers are mishandling this feature to send mobile users Google Drive notifications, inviting them to collaborate on documents, which at that point contained 'malicious links'. 

Since they are sent through Google Drive, the notifications originate from Google's no-reply email address, causing them to appear more legitimate. Different cycles of the attacks are sent using email (rather than by notifications) and incorporate the malignant link directly in the email. The Google Drive notifications accompany various lures. 

Many imply to be "personal notifications" from Google Drive, with one lure named "Personal Notification No 8482" telling the victim they haven't signed into their account for some time. These undermine that the account will be deleted in 24 hours except if they sign in using a (malicious) link. Another, named "Personal Notification No 0684," tells users they have an "important notice" of a financial transaction that they can see for their own in their account, using a link. 

The attack has focused on countless Google users, as per WIRED. The report said that the notifications are being sent in Russian or broken English. 

These links take victims to malevolent scam websites. WIRED detailed that one such site flooded users with notifications to click on links for "prize draws," while different sites mentioned that victims click on such links to "check their bank account." 

Targeted users took to Twitter to the caution of the scams, with one Twitter user saying that 'the only red flag' of the scam was that he wasn't anticipating a shared doc.

 


With the generality of working from home due to the Covid pandemic, attackers are progressively utilizing collaboration and remote-work tools, including Google offerings. 

Nonetheless, a Google spokesperson told WIRED that the company is dealing with new security measures and is currently making strong efforts for detecting Google Drive spam.

Russian experts says the number of cyber threats increased during COVID-19

Cyber attack prevention experts recorded a sharp increase in the number of cyber threats and outlined the main trends in computer crimes during the COVID-19.

The report was presented at the international forum of the Academy of Management of the Ministry of Internal Affairs of the Russian Federation "Strategic development of the system of the Ministry of Internal Affairs of Russia: state, trends, prospects".

The main conclusion of the study is the rapid growth of computer crime, primarily financial fraud using social engineering, as well as the exploitation of the COVID-19 theme in malicious mailings, switching operators of encryption viruses to large targets, as well as active recruitment of new participants to criminal communities.

According to the Ministry of Internal Affairs, one of the main trends of digital transformation is the development of remote methods of committing crimes, crimes have gone from offline to online. Almost 70% of registered crimes related to illegal arms trafficking in 2020 were committed using the Internet - remotely and anonymously. The same applies to the illegal sale of drugs, counterfeit money, securities and documents.

Throughout 2020, Group-IB recorded an increase in the number of financial scams using social engineering - vishing, phishing -the victims of which were mainly Bank customers.

At the same time, the fraud implementation schemes themselves have not actually changed. The main motive of cybercriminals is the same: stealing money or information that can be sold. Now it is popular to sell fake digital passes, send messages about fines for violation of quarantine, fake courier sites, fraudulent mailings on behalf of the Zoom video conferencing service.

This year has given birth to even more groups and partner programs, as well as new collaborations. So the operators of the QakBot banking Trojan joined Big Game Hunting, and recently the FIN7 group, which actively attacked banks and hotels, joined the REvil ransomware partner program. The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes tens of millions.

The Russian Embassy denies the US charge of six Russians in hacking

The Russian Embassy in Washington denies US accusations against Russian citizens of hacking and destabilizing activities around the world

Russia has not been and is not engaged in carrying out cyberattacks in the world, said the Russian Embassy in Washington. The Department believes that the accusation of Russians in hacking is aimed at warming up Russophobic sentiments.

Earlier, the US Department of Justice and the FBI brought charges against six Russians of involvement in a series of hacker attacks and the spread of malware in order to attack the infrastructure of other countries. In particular, they are charged with spreading the NotPetya virus in 2017. It is alleged that these individuals are GRU employees. 

The Russian Embassy said that Russia "has no intention of engaging in any destabilizing operations around the world", as this does not correspond to foreign policy and national interests.

"It is quite obvious that such information occasions have nothing to do with reality and are aimed only at warming up Russophobic sentiments in American society, at deploying a "witch hunt" and espionage,” said the Embassy. According to the document, the US authorities are destroying Russian-American relations and artificially imposing on the Americans "a toxic perception of Russia and everything connected with it."

According to the US Department of Justice, the damage to the United States from the actions of Russian hackers amounted to more than $1 billion. They attacked companies and hospitals in the United States, Ukraine's energy systems, the French presidential election, and the Winter Olympics in Pyeongchang. US Secretary of State Mike Pompeo said this shows Russia's disregard for public security and international stability in cyberspace.