
The Russian Embassy denies the US charge of six Russians in hacking

The Russian Embassy in Washington denies US accusations against Russian citizens of hacking and destabilizing activities around the world

Russia has not been and is not engaged in carrying out cyberattacks in the world, said the Russian Embassy in Washington. The embassy believes that the hacking accusations against Russians are aimed at stoking Russophobic sentiments.

Earlier, the US Department of Justice and the FBI charged six Russians with involvement in a series of hacker attacks and the spread of malware in order to attack the infrastructure of other countries. In particular, they are charged with spreading the NotPetya virus in 2017. It is alleged that these individuals are GRU employees.

The Russian Embassy said that Russia "has no intention of engaging in any destabilizing operations around the world", as this does not correspond to foreign policy and national interests.

"It is quite obvious that such information occasions have nothing to do with reality and are aimed only at warming up Russophobic sentiments in American society, at deploying a 'witch hunt' and espionage," said the Embassy. According to the document, the US authorities are destroying Russian-American relations and artificially imposing on the Americans "a toxic perception of Russia and everything connected with it."

According to the US Department of Justice, the damage to the United States from the actions of Russian hackers amounted to more than $1 billion. They attacked companies and hospitals in the United States, Ukraine's energy systems, the French presidential election, and the Winter Olympics in Pyeongchang. US Secretary of State Mike Pompeo said this shows Russia's disregard for public security and international stability in cyberspace.

The Russian was convicted as a LinkedIn hacker


The federal court for the Northern District of California in San Francisco sentenced Russian Yevgeny Nikulin to seven years and four months in prison for computer fraud. According to the Americans, Nikulin hacked the databases of LinkedIn, Dropbox and Formspring, as a result of which about 117 million account login codes were stolen.

One of his lawyers, Arkady Bukh, informed the Russian about the verdict. According to him, the four years spent in prison after the arrest of Yevgeny Nikulin in Prague in October 2016 at the request of the FBI will be counted in the sentence.

The Prosecutor's Office recommended that the court sentence Nikulin to 12 years in prison after the jury found him guilty on all nine counts. The Russian did not admit his guilt and declined to make a final statement before sentencing.

In determining the punishment, the judge noted Nikulin's intelligence, abilities and sense of humor, but considered that these qualities only aggravate the guilt of the Russian.

Yevgeny Nikulin was extradited to the United States in March 2018. He was accused of hacking the databases of LinkedIn, Dropbox and Formspring, as a result of which about 117 million login codes were stolen, causing damage to computer devices, and transferring stolen personal data to third parties. The prosecution materials are classified as "secret", their volume is six terabytes of information.

Recall that in Prague, Nikulin claimed that an FBI employee during interrogation put pressure on him to get information about Russian interference in the US presidential election in 2016.

The Russian Foreign Ministry previously called the Nikulin case an example of how American intelligence agencies are hunting for Russians around the world.

Russian citizen arrested in the United States on charges of organizing a cyber crime


According to the Ministry of Justice, 27-year-old Yegor Kryuchkov tried to pay $1 million to an employee of a company from Nevada in order to introduce malware into its computer network. When the FBI joined the investigation, the Russian tried to flee the United States.

A Federal Court in Los Angeles has arrested a Russian citizen, Yegor Kryuchkov, on charges of conspiring to commit cybercrime. This was reported by the press service of the US Department of Justice.

According to the Department, 27-year-old Kryuchkov in the period from July 15 to August 22 this year tried to bribe an employee of an unnamed American company located in the state of Nevada. The statement claims that the Russian offered him $1 million for participation in the implementation of the fraudulent scheme.

The Ministry of Justice reported that Kryuchkov allegedly planned to load malicious software into the computer system of this company. This would allow him and his associates to gain unhindered access to company data.

Last week, Kryuchkov was contacted by the Federal Bureau of Investigation (FBI), after which he left Reno (Nevada) and went to Los Angeles in order to leave the United States. The Russian, according to the Department, asked his friend to buy him a plane ticket.

Kryuchkov was detained in Los Angeles on August 22. According to the Ministry of Justice, the Russian entered the United States on a tourist visa.

The Russian Embassy in the United States said that diplomats are aware of Kryuchkov's arrest. "We will contact the Russian in the near future to find out the problem. We will provide him with the necessary consular and legal assistance," said the diplomatic mission.

US Army Says North Korea Has Hackers and Electronic Warfare Specialists Working and Operating Abroad


In a report published a month ago, the US Army said North Korea has at least 6,000 hackers and electronic warfare specialists working in its ranks, with a large number of them operating in nations such as Belarus, China, India, Malaysia, and Russia.

The report is a tactical manual that the US Army uses to train its troops and military pioneers, and which the Army made public for the first time only last month.

Named "North Korean Tactics," the 332-page report contains a 'treasure trove' of data about the Korean People's Army (KPA), such as its military strategies, weaponry, leadership structure, troop types, logistics, and electronic warfare capacities.

Most of the report deals with classic military tactics and capabilities; it also highlights North Korea's clandestine hacking units. "Most EW [electronic warfare] and cyberspace warfare operations take place within the Cyber Warfare Guidance Unit, more commonly known as Bureau 121," the US Army said.

This assessment matches past reports from the intelligence and cybersecurity communities, which have also linked all of North Korea's hackers back to Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency that is a part of the National Defence Commission.

The US Army says Bureau 121 has grown exponentially lately, as North Korea has expanded its cyberspace activities. According to the report, Bureau 121 grew from "at least 1,000 elite hackers in 2010" to more than 6,000 members today.

The number is consistent with comparable figures published by the South Korean Defence Ministry, which said that North Korea was operating a cyberwarfare staff of 3,000 in 2013, a number that later grew to 6,000 by 2015.

However, the US Army currently believes that its 6,000 figure isn't entirely accurate. Army officials state that they have estimates for the internal divisions within Bureau 121, numbers that appear not to have been released before last month.

They don't have an exact number for the members of the Lazarus Group sub-division, yet this is the group to which North Korean authorities, for the most part, turn "to create social chaos by weaponizing enemy network vulnerabilities and delivering a payload if directed to do so by the regime."

While the US Army report doesn't go into much detail on why the Pyongyang regime lets military hackers travel abroad, previous reports and court documents have gone into these details, with the Pyongyang regime using its hackers to set up shell companies that serve both as cover when setting up 'foreign-based server infrastructure' and as 'intermediary entities in money laundering operations'.

In any case, while the US Army report acknowledges that North Korean hackers have been involved in financial cybercrime, Army officials go significantly further and portray the whole North Korean government as a criminal network, with the Kim regime being involved in a wide range of activities that also include drug trading, counterfeiting, and human trafficking, and not just cybercrime.

Group-IB has identified a group of hackers engaged in corporate espionage

The hacker group RedCurl hacked companies around the world and stole corporate documents. The damage from its activities can amount to tens of millions of dollars

Group-IB, a cybersecurity company, has uncovered a previously unknown hacker group that engaged in corporate espionage.

Group-IB found that in total, the group carried out 26 attacks on companies from such sectors as construction, finance, retail, banks, insurance, and tourism. The hackers targeted commercial organizations in Russia, the United Kingdom, Germany, Canada, Norway, and Ukraine. The victims of the hackers were 14 organizations. At the same time, at least 10 companies were attacked in Russia.

The group allegedly consists of Russian-speaking hackers. Group-IB notes that RedCurl used a unique tool that allowed it to remain unnoticed by its victims for a long time.

The first known hacker attack occurred in May 2018. Hackers used phishing emails to access corporate information. Most often, employees of one department of the victim company received an email allegedly from the HR department, for example, about annual bonuses. The fake emails contained the company's signature, logo, and a fake domain name.

When the bonus documents attached to the emails were opened, a Trojan was launched on the victim's computer, which RedCurl controlled through legitimate cloud storage. Using such storage, together with developing the Trojans in PowerShell, allowed the hackers to remain unnoticed by traditional cyber defenses for a long time.

After that, the hackers analyzed the contents of users' hard drives and stole information. First of all, they were interested in business correspondence, trade secret documents, personal data and passwords of employees.

At the same time, the launched Trojans continued to spread within the victim's network, infecting more and more computers. Group-IB specialists found that the hackers stayed in a network for two to six months. According to Rustam Mirkasymov, head of the Group-IB Dynamic Malware Analysis Department, despite the absence of direct financial damage, indirect losses of victim companies from RedCurl actions can amount to tens of millions of dollars.

Experts continue to record new attacks by the hacker group in different countries of the world.

The United Nations Reports Increase in Internet Usage and Cyber Crime during the Pandemic

 

The U.N. counterterrorism chief reported a 350% increase in phishing websites in just the first quarter of the year, mostly targeting hospitals and health care systems and obstructing their work responding to the current COVID-19 pandemic. 
Vladimir Voronkov told the U.N. Security Council that the upsurge in phishing websites was a part of “a significant rise in cybercrime in recent months” revealed by speakers at the previous month's first Virtual Counterterrorism Week at the United Nations.

The weeklong gathering was attended by delegates from 134 nations, 88 civil society and private sector organizations, 47 international and regional organizations, and 40 United Nations bodies.

He said the U.N. and global experts haven't yet fully understood “the impact and consequences of the pandemic on global peace and security, and more specifically on organized crime and terrorism.”

Voronkov says, “We know that terrorists are exploiting the significant disruption and economic hardships caused by COVID-19 to spread fear, hate, and division and radicalize and recruit new followers. The increase in internet usage and cybercrime during the pandemic further compounds the problem.” 

Undersecretary-General Voronkov said the discussions demonstrated a mutual understanding and worry that “terrorists are generating funds from illicit trafficking in drugs, goods, natural resources, and antiquities, as well as kidnapping for ransom, extorting and committing other heinous crimes.” 

He said U.N. member nations are rightly focused on handling the growing health and human crisis brought about by COVID-19; however, he urged them not to overlook the threat of terrorism.

In many parts of the world, Voronkov stated, “terrorists are exploiting local grievances and poor governance to regroup and assert their control.” 

Ghada Waly, executive director of the Vienna-based U.N. Office on Drugs and Crime, told the council meeting on the linkage between counterterrorism and transnational organized crime that the links are “complex and multifaceted,” and “the COVID-19 crisis poses a host of new challenges to national authorities.”

“Organized criminal groups and terrorists may seek to capitalize on and exploit new vulnerabilities,” she said, “and transit patterns are shifting in view of travel restrictions and lockdown measures, adding further challenges for border security.”

Lastly, she added a rather important point which highlights the fact that during these dark times comprehensive and cooperative responses are needed more than ever.

The Russians were offered $10 million from the State Department for information about Russian hackers

Residents of Russia began to receive SMS about a way to get $10 million from the US State Department. In the messages, Russians are offered this money for information about the interference of Russian hackers in the American elections.

Such SMS messages are being published on social networks by residents of different cities in Russia. Among them is the Deputy of the Duma of Yekaterinburg, Timofey Zhukov. In his Telegram channel, he published a screenshot of such a message. "The US State Department is offering up to $10 million for information about interference in the US election. If you have information, please contact us," said the SMS.

The link in the message leads to a verified Twitter account of the US State Department's Rewards for Justice program. Under the hashtag of the same name, Election_Reward, dozens of the program's messages were published on Twitter in different languages, including Russian.

Experts noted that the message was sent to Russians through the program CentrSoobsh, a service that is usually used by fraudsters to send spam or fake SMS in order to hack accounts.

Earlier, US Secretary of State Mike Pompeo announced the start of this program. He promised that Washington will pay the amount for information about persons interfering in the elections. Pompeo mentioned that the program applies to both Russia and other malicious states.

The representative of the Russian Foreign Ministry, Maria Zakharova, considered that if the US really begins to pay everyone up to 10 million dollars for such information, the State Department's website "will break down from denunciations to neighbors."

Senator of the Federation Council Frants Klintsevich called such actions an illusion and provocation, which carry a danger. He added that the messages are sent not by the US, but by emissaries with money.

According to him, it is necessary to find those who send the messages and to bring everything to its logical end. Moreover, if necessary, the Russian Federation needs to change its legislation, as such actions are an attempt to destabilize the situation in the country.

Russian hacker who hacked Dropbox and LinkedIn found guilty


Russian citizen Yevgeny Nikulin, accused of hacking LinkedIn eight years ago, was found guilty by a jury in San Francisco.

The verdict in Nikulin's case was announced on Friday after a trial that began in March, which was interrupted due to the coronavirus pandemic and resumed in July.

In 2016, there were a number of large-scale data leaks, and many dumps, including MySpace, LinkedIn, Tumblr and Vkontakte, were eventually put up for sale.

In 2016, one of the hackers, Russian Yevgeny Nikulin, was arrested, and he was extradited to the United States in 2017.

Nikulin was charged on a number of counts, all of them connected with penetration into other people's networks and data theft. According to court documents, Nikulin hacked Dropbox, Formspring and LinkedIn in the spring and summer of 2012 and stole about 117,000,000 user records, including usernames, passwords and email addresses.

Nikulin then used the data stolen from LinkedIn to send phishing emails to employees of other companies. Authorities said that this way Nikulin managed to collect a lot of information about 68,000,000 Dropbox users, including usernames, email addresses and hashed passwords.
Similarly, Nikulin managed to get into the account of the Formspring engineer. Thus, in June 2012, he gained access to the company's internal user database, which at that time numbered more than 30,000,000 people.

According to data from Radio Free Europe journalists, his activity brought a good income. Nikulin bought expensive cars and watches and traveled a lot. For example, Nikulin admitted that he owns a Lamborghini Huracan, Bentley Continental GT and Mercedes-Benz G-Class.

The sentence for Nikulin will be announced on September 29. The jury took less than one day to reach a verdict. Nikulin faces up to 32 years in prison and fines exceeding a million dollars.

Lawyer Arkady Bukh said that the defense intends to challenge the verdict. According to him, the psychiatrist who was appointed by the judge previously recognized Nikulin as mentally abnormal.

Nikulin always denied guilt and even called the charges revenge by the United States for Russia providing political asylum to Edward Snowden.

The Russian Prime Minister spoke about the growth of cybercrime activity in Russia


Russian Prime Minister Mikhail Mishustin said that this spring there was an increase in cybercrime activity. The Prime Minister said this on July 8 in a video message to participants of the international online cybersecurity training Cyber Polygon-2020.

“This spring, we observed an increase in the activity of cybercriminals. More than 90% of successful attacks are carried out using social engineering methods: fraudsters attack us with phishing emails and use the technology of number substitution, trying to take citizens by surprise,” said the prime minister.

According to Mishustin, cyber threats can come from entire states. "Geopolitical differences also extend to the digital environment, thus adding countries to the list of possible sources of threats to digital security," he said.

The Prime Minister drew attention to the fact that security researchers regularly detect complex malware that is specifically designed to disable critical functionality and cause physical damage to industries and infrastructure.

He said that the government, in cooperation with Russian companies in the field of information technology security, is working to inform the population about cyber risks and cyber threats. This makes it possible to solve many problems, but there are still many issues that require attention.
Mishustin pointed out that the national action plan for the recovery of the Russian economy after the crisis is based on the increasing digitalization of the economy and government.

"We will radically increase the number of e-government services provided and create fundamentally new systems to support digital business. In these conditions, one of the most important areas is the protection of cyberspace," added the head of the Cabinet of Ministers.

In addition, the Prime Minister said that the key to a secure digital future for the entire world is cooperation in the field of cybersecurity, and Russia is ready to share its achievements in this field with the world.

He noted that Russia is today one of the leaders in technological progress. According to the Prime Minister, Russian developments in the field of information security successfully compete on the international market.

Hackers hacked Twitter account of the Russian Foreign Ministry and put up for sale data from tourists


Hackers hacked the Twitter account of the situation and crisis center of the Russian Foreign Ministry and put up a database of Russian tourists there for sale. The Foreign Ministry confirmed the hacking but called the message about the sale of data false. The Department said that the account has now been restored and is fully functioning.

Hackers offered to buy the database for June 2020 for 66 bitcoins (about $9000). They claimed that the database contains more than 115 thousand people. A Jabber account was specified for communication.

"Last night, attackers hacked the account of the situation and crisis center of the Russian Foreign Ministry. The information published on the feed in the morning of July 2 is 'fake' and has no relation to the Russian Foreign Ministry. The account has been restored and is fully operational," the Russian Foreign Ministry said on Twitter.

According to Alexey Kubarev, the Development Manager of the DLP Solar Dozor, Rostelecom-Solar, a number of signs in the announcement of the sale of the base cast doubt on its authenticity. First, the phone numbers listed in it are not valid.  At the same time, the base price is surprisingly high — about $5 per line. If we recall similar cases in 2019, then in them the price for one line in the database did not exceed $1.70.

According to the expert, the seller's goal may have been not a sale but spreading a report about the alleged leak.

Earlier, E Hacking News reported that hackers tried to disrupt the website of the Public Chamber of Russia several times. In the evening of June 30, and then on July 1, they made a series of DDoS attacks on the Internet resource. The attackers also blocked the work of a special website of the chamber dedicated to public monitoring of voting on amendments to the Constitution.

Largest ISP in Austria Hit by a Security Breach



The largest internet service provider in Austria was hit by a security breach this week, after suffering a malware infection in November 2019, following an informant's report.

A1 Telekom said that its security team identified the malware a month later, but that removing the infection was trickier than initially anticipated.

From December 2019 to May 2020, its security team battled the malware's operators in an effort to remove all of their hidden backdoor components and kick out the intruders.

The Austrian ISP told a local blogger that the malware only infected computers on its office network, but not its entire IT system, which comprises more than 15,000 workstations, 12,000 servers, and a large number of applications.

In interviews with the Austrian press, A1 said that the complexity of its internal network kept the attacker from advancing to other systems "because the thousands of databases and their relationships are by no means easy to understand for outsiders."

The attackers evidently took manual control of the malware and attempted to extend this initial foothold on a few systems to the company's entire network.

A1 said the attacker managed to compromise a few databases and even ran database queries in order to learn the company's internal network.

A1, which has not disclosed the nature of the malware, didn't state if the intruders were a 'financially-focused' cybercrime gang or a nation-state hacking group.

A1 declined to comment on the informant's attribution, but Christian Haschek, the Austrian blogger and security researcher who originally broke the story, said the informant asserted the hack was carried out by Gallium, a codename used by Microsoft to describe a Chinese nation-state hacking group specializing in hacking telecom providers across the world.


Provider Volia reported to the cyber police about the intense cyberattacks on the server


Cable provider Volia reported to the Cyber Police a DDoS attack on the company's Kharkov servers, which has been ongoing since May 31.

"For three days, from May 31 to today, the Volia infrastructure in Kharkov is subjected to cyberattacks. At first, they were carried out only on subscriber subsystems, later they switched to telecommunications infrastructure. As a result, more than 100,000 subscribers experienced problems using the Internet, IPTV, multi-screen platform, and digital TV," said the company.

In total, the complete lack of access to Volia's services, according to the provider, lasted 12 minutes on May 31 and 45 minutes on June 1. There was also an attack on the website volia.com, but it was neutralized.

"DDoS attacks were massive and well-organized. The type of attack is UDP flood and channel capacity overflow with the traffic of more than 200 GB. UDP is a protocol used for online streaming services - streaming, telephony, video conferencing, etc. The attack occurred from tens of thousands of different IP addresses around the world: the United States, Malaysia, Taiwan, Vietnam, etc.", emphasized the press service of the provider.

According to representatives of the company, attacks of this volume are followed by extortion and other attempts to influence the company. Therefore, Volia appealed to the cyber police with a statement about a massive DDoS attack on the infrastructure.

At the same time, Volia stated that they cannot be sure that the attacks will not happen again, but they are doing everything possible to avoid it.

It should be noted that Volia serves about 2 million cable TV and Internet subscribers in 35 cities of Ukraine.

In Ukraine, a world-famous hacker has been detained


The press center of the Security Service of Ukraine announced the arrest of a world-famous hacker who operated under the nickname Sanix. Last January, Forbes, The Guardian, and Newsweek wrote about the cybercriminal. TV channel Italia 1 dedicated a separate story to him, since the database put up for sale by an unknown person was the largest stolen database in history.

The hacker Sanix turned out to be a 20-year-old resident of the small town of Burshtyn. He graduated from high school and college and has no higher education.

At the beginning of last year, Sanix attracted the attention of the world's leading cybersecurity experts. On one of the forums, a hacker posted an ad for the sale of a database with 773 million email addresses and 21 million unique passwords. According to the portal Wired, this event should be considered the largest theft of personal data in history.

SBU experts claim that the hacker also sold pin codes for bank cards, electronic wallets with cryptocurrency and PayPal accounts.

During the searches, computer equipment with two terabytes of stolen information, phones with evidence of illegal activity, and cash from illegal operations in the amount of $7,000 and more than $3,000 were seized from the hacker.

The National Police of Ukraine added that the 87 GB database offered by the hacker makes up only a small part of the total amount of data that he possessed. More than 3 TB of such databases, with uploaded and cracked passwords, were found in the hacker's possession. This includes the personal and financial data of citizens of the EU and the United States.

Sanix himself in private correspondence with a BBC journalist noted that he was only a salesman. Sanix said that poverty in the country and an urgent need for money motivated him to become a cybercriminal.

Hackers who were preparing attacks on hospitals arrested in Romania


Romanian law enforcement officials stopped the activities of the cybercriminal group PentaGuard, which was preparing to carry out attacks on Romanian hospitals using ransomware.

Four hackers were arrested, and searches were conducted at their place of residence (at three addresses in Romania and one address in Moldova). According to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT), hackers had various malicious programs at their disposal, including Trojans for remote access, ransomware, as well as tools for defacing sites and SQL injections.

In addition, the hackers developed malicious computer applications for use in computer attacks, such as ransomware-cryptolocker and RAT (Remote Access Trojan). Such malicious attacks were directed against several state institutions, as in Bucharest.

During the investigation, it became clear that cybercriminals planned to attack hospitals. The attackers intended to send phishing emails on the subject of COVID-19 to medical institutions, and use them to infect networks with ransomware Locky or BadRabbit, encrypt files and demand a ransom for recovery. According to the Romanian media, this is how the cybercriminals wanted to protest against the quarantine measures taken by the Romanian government.

This type of attack makes it possible to block and seriously disrupt the functioning of the IT infrastructure of these hospitals. They are part of the healthcare system, which currently plays a decisive role in combating the pandemic of the new coronavirus.

The hacker group PentaGuard has existed since about 2000. In January 2001, the group carried out a mass defacement of the sites of the British and Australian governments. Over the past few years, PentaGuard has not conducted any defacement campaigns but has remained active on hacker forums. In January 2020, the group resumed defacing attacks.

FinCEN Chief Blanco warns of Wide Scale Virtual Currency Scams


The Financial Crimes Enforcement Network (FinCEN) is keeping a close watch on financial scams involving virtual currency payments as the COVID-19 pandemic opens new areas of exploitation, said Director Ken Blanco.

As we are stuck in an unfortunate period of emergency, scammers are exploiting this vulnerability with schemes ranging from extortion, ransomware, and the sale of fraudulent medical products to initial coin offering investment scams.

“This type of cybercrime in the COVID-19 environment is especially despicable, because these criminals leverage altered business operations, decreased mobility, and increased anxiety to prey on those seeking critical healthcare information and supplies, including the elderly and infirm,” the Financial Crimes Enforcement Network chief told the virtual Consensus Blockchain Conference in a video conference.

Blanco stressed the need to collaborate with other law enforcement agencies and to work together to beat this issue by generating much-needed funds to help the recipients and for financial survival.

“The need for our collaboration is clear and undeniable,” he stated.

He further delved into the cybercrimes occurring because of COVID-19: as much of the population and government employees are working from home, cybercriminals are attacking vulnerabilities in remote applications such as VPNs (virtual private networks) and the Remote Desktop Protocol in order to steal information. Blanco advised companies to exercise due diligence and to advise their customers to do the same.

“Financial institutions should consider the risks of the current environment in their business processes, and the appropriate level of assurance needed for digital identity solutions to mitigate criminal exploitation of your products and platforms.”

FinCEN has also worked with other law enforcement initiatives like the Joint Criminal Opioid Darknet Enforcement (J-CODE) and National Cyber Investigative Joint Task Force (NCIJTF) in cases like criminals exploiting crypto for the purchase of fentanyl.

Virtual currency businesses have to be very vigilant and properly scrutinized, as a number of miscreants are persistently attacking their onboarding and authentication processes. Since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (SARs) of cryptocurrency fraud alone. During COVID-19, this threat becomes tenfold.

Germany has put a Russian "Dmitry Badin" on the international wanted list on suspicion of a cyberattack


The Office of the German Federal Public Prosecutor has issued an arrest warrant for a Russian whom it suspects of hacking into the computer systems of the German Parliament in 2015, writes the newspaper Sueddeutsche Zeitung. The publication reports that the suspect's name is Dmitry Badin and that he is allegedly an officer of the GRU.

Mr. Badin is also wanted by US authorities for hacking attacks, including the theft of emails from Hillary Clinton and the Democratic Party on the eve of the 2016 presidential election. US investigators rank him among a group of seven Russians suspected of cyber-hacking. The FBI believes that he is a Russian military intelligence officer from the GRU.

According to German law enforcement agencies, Badin is a member of the hacker group Fancy Bear. The Russian is accused of carrying out secret intelligence activities and illegally extracting computer data. Sources say that the Russian was one of the organizers of the attack on the networks of the German Parliament. The cybercrime was investigated by the Federal Criminal Investigation Agency and the police.

The newspaper reported that investigators are confident that 29-year-old Mr. Badin was also involved in a hacker attack on the German Bundestag Parliament in April 2015.

Recall that in January 2019, Germany experienced the largest leak of personal data of politicians in the history of the country. The German authorities suspected Moscow of the cyberattacks that had occurred before. Then Der Spiegel reported with reference to the country's counterintelligence that the hacker group Snake, linked to the Russian special services, tried to get access to the electronic resources of the Bundestag, the Bundeswehr and the German Foreign Ministry. The German intelligence services previously accused the same group of massed cyberattacks against German government agencies registered at the end of 2017.

Russia has repeatedly denied accusations of involvement in hacker attacks. None of the German law enforcement agencies has ever provided any evidence in support of the media version about the connections of cybercriminals with Moscow.

The Dreambot Malware Botnet Appears To Have Gone Silent and Possibly Shut Down


According to a report published by the CSIS Security Group, a cyber-security firm based in Copenhagen, Dreambot's backend servers seem to have gone quiet and have potentially shut down completely.

This started in March, around the same time the cybersecurity community stopped seeing new Dreambot samples distributed in the wild.

Benoit Ancel, the malware analyst at the CSIS Security Group, says, “The lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can't be sure exactly what was the cause of death, but more and more indicators point at the end of Dreambot." 

The Dreambot malware's apparent demise puts an end to a six-year "career" on the cybercrime landscape. First spotted in 2014, it was built on the leaked source code of the older Gozi ISFB banking trojan, one of the most reused pieces of malware today.

Over time, Dreambot received new features, such as Tor-hosted command and control servers, a keylogging capability, the ability to steal browser cookies and information from email clients, a screenshot feature, the ability to record a victim's screen, a bootkit module, and a VNC remote access feature, to name just the most significant.

[Figure: typical Dreambot control panel]

Dreambot also evolved from a private malware botnet into what's known as Cybercrime-as-a-Service (CaaS).

As a CaaS, the Dreambot creators would advertise access to their botnet on hacking and malware forums. Various crooks could gain access to a part of Dreambot's infrastructure and a version of the Dreambot malware, which they would be responsible for distributing to victims.

Dreambot "customers" would infect victims, steal funds, and pay the Dreambot gang a weekly, monthly, or yearly fee. CSIS says this model seems to have been successful. "We counted more than a million [Dreambot] infections worldwide just for 2019," Ancel said.

The CSIS researcher additionally said that Dreambot had recently moved beyond being only a banking trojan. More specifically, it evolved from a specialized banking trojan into a generic trojan.

Criminals would rent access to the Dreambot cybercrime machine, yet not use it to steal money from bank accounts. Instead, they would infect countless computers, and afterward review each target, searching for specific computers.

Nonetheless, Dreambot's operators have not been 'publicly identified' and remain on the loose. The reason behind this whole cybercrime platform's current disappearance also remains a mystery. With the operators still at large, Dreambot's return 'remains a possibility'.


Russian authorities arrested cyber criminals who sold a billion counterfeit rubles on the dark web


Employees of the Ministry of Internal Affairs in Nizhny Novgorod stopped the activities of a group engaged in the production of counterfeit money. Fakes in denominations of 5000, 2000 and 1000 were of such high quality that not every detector in stores could detect them.

High-quality counterfeit money was made in Nizhny Novgorod, from where it was delivered to almost all regions of Russia through the Hydra Internet resource. The criminal organization included several dozen people, and none of them personally knew each other.

Last year, Tatarstan opened the first criminal case under the article Production, storage, transportation or sale of counterfeit money or securities. The first counterfeit bills were found in the region. Then fake money began to appear in many regions of Russia.

To stay hidden, the attackers communicated exclusively through mirrors of the Internet resource Hydra, which are periodically blocked by Roskomnadzor. According to police officers, the accomplices knew each other only by nicknames on the Internet. The distribution of fakes was also carried out in a non-contact manner using special hiding places.

Wholesale lots from 500 thousand rubles ($6,750) went for 10-15% of the face value. But the greatest demand in the regions was for small lots from 10 thousand to 150 thousand rubles ($135 - $2,000), which the counterfeiters sold for 30% of the nominal value.

When a buyer made a payment on Hydra using cryptocurrency, a shipment of fake money was sent from Moscow using fake passports through a transport company to accomplices. They left the fake money in secret places, and then passed the coordinates to customers.

The identity of the organizers and producers of counterfeit money could be established only in the spring of this year. They were three residents of Nizhny Novgorod region: Oleg Efimov, Ivan Averof and Andrey Skvortsov. Two sets of printing equipment for the production of counterfeit money of very high quality, color laser printers, laptops, a laminator, mock-ups of banknotes, threads for gluing into banknotes and blanks of emblem images were seized from the detainees.

It was established that the criminal group existed for about a year and printed and put into circulation about one billion rubles ($13.5 million).

BGP Hijacking Attacks Google, Amazon and Other Famous Networks' Traffic!


According to reports, a telecommunications provider owned by Russia rerouted traffic that was intended for some of the world's most prominent Content Delivery Networks (CDNs) and cloud hosting providers.

The redirection lasted around an hour, during which it affected over 8,500 internet traffic routes. The organizations concerned are among the best known.

According to sources, the brands include well-known names like Cloudflare, Digital Ocean, Linode, Google, Joyent, Facebook, LeaseWeb, Amazon, GoDaddy, and Hetzner.

Reportedly, all the signs point to this being a case of Border Gateway Protocol hijacking, also known as BGP hijacking. It is the illegitimate takeover of IP prefixes by a hijacker to redirect traffic.

This puts a lot of power in the hands of the hijacker, because they could at any time “publish an announcement” stating that the servers of a particular company are on their network. As a result, all of, for example, Amazon’s traffic would end up on the hijacker’s servers.
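An added example (not from the original post or from any monitoring product) of how a defender can flag the kind of announcement described above: each observed route is compared against a registry of the origins expected for a prefix. The registry, the sample announcements, the label names and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed registry: prefix -> AS numbers expected to originate it.
# Prefixes are documentation ranges (RFC 5737), ASNs are documentation
# ASNs (RFC 5398); none of them belong to a real network.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): {64496},
    ipaddress.ip_network("203.0.113.0/24"): {64497, 64498},
}

def classify(prefix, as_path):
    """Label one announcement; the origin AS is the last hop of the AS path."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    # Registered prefixes that are equal to, or contain, the announced one.
    covering = [p for p in EXPECTED_ORIGINS
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown"            # nothing registered, cannot judge
    exact = net in covering
    authorized = any(origin in EXPECTED_ORIGINS[p] for p in covering)
    if authorized:
        return "valid" if exact else "unexpected-more-specific"
    # A more-specific route wins longest-prefix matching, so it pulls
    # traffic even while the legitimate route is still announced.
    return "origin-mismatch" if exact else "sub-prefix-hijack"

# Constructed sample announcements: (prefix, AS path as seen by a collector).
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64510, 64500, 64496]),   # expected origin
    ("192.0.2.0/24", [64510, 64511]),          # same prefix, other origin
    ("203.0.113.128/25", [64510, 64511]),      # more specific, other origin
    ("203.0.113.0/25", [64500, 64498]),        # more specific, own origin
    ("198.51.100.0/24", [64500, 64499]),       # not in the registry
]

def suspicious(updates):
    """Return (prefix, origin, label) for announcements worth alerting on."""
    alerts = []
    for prefix, path in updates:
        label = classify(prefix, path)
        if label in ("origin-mismatch", "sub-prefix-hijack"):
            alerts.append((prefix, path[-1], label))
    return alerts

if __name__ == "__main__":
    for alert in suspicious(SAMPLE_UPDATES):
        print(alert)
```

A check like this reports that an origin is unexpected; it cannot tell whether the announcement was deliberate or a configuration mistake.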

In earlier times, when HTTPS wasn’t as widely used to encrypt traffic, BGP hijacking was a lucrative way to carry out Man-in-the-Middle (MitM) attacks and to intercept and modify traffic.

More recently, BGP hijacking has instead made it easier to capture traffic for analysis and decryption at a later time, as the encryption gets weaker with time.

This predicament is not new. It has been troubling the cyber-world for a couple of decades, and although several projects have aimed at boosting BGP’s security, there hasn’t been much advancement in improving the protocol to face such hijacks.

Google’s network has been a victim of BGP hijacking by a Nigerian entity before. Researchers mention that it is not necessary for a BGP hijacking to be malicious.

Reportedly, “mistyping the ASN” (Autonomous System Number), the code by which internet entities are identified, is one of the other main reasons behind BGP hijacking, as it ends up accidentally redirecting traffic.

According to sources, China Telecom stands among the top entities that have committed BGP hijacking, not so “accidentally”. Another famous one on a similar front is “Rostelecom”.

The last time Rostelecom drew a lot of attention was when some of the largest financial players, including HSBC, Visa, and MasterCard, to name a few, were victimized by BGP hijacking.

Last time, BGPMon didn’t have much to say; this time, however, the Russian telecom is in a questionable position, per sources. They also mention that the hijack may have occurred following the accidental exposure of the wrong BGP network by an internal Rostelecom traffic shaping system.

Things took a turn for the worse when, reportedly, Rostelecom’s upstream providers re-announced the freshly declared BGP routes all across the web, aggravating the hijack massively.

According to researchers, it is quite difficult to say for sure whether a BGP hijacking was intentional or accidental. All that can be said is that the parties involved in the hijack make the situation suspicious.

Zoombombing: what is it and how you can prevent your conference calls from being zoombombed


Amid this Covid-19 lockdown, the use of video conferencing software has seen a rapid rise, be it for work, teaching or just socializing. Our use of video chats has increased, and security concerns have risen with it.


One such application, "Zoom", which is quite popular for video conferencing, has recently been drawing attention from security researchers and journalists over privacy and security issues. Even the FBI, the United States investigative agency, issued a warning to citizens to be cautious while using the Zoom app, citing cases of zoombombing where calls were interrupted by "pornographic and/or hate images and threatening language," and the agency also asked software companies to practice "due diligence and caution" in their security measures.

Zoombombing is an incident in which an unwanted or uninvited attendee interrupts your video conference call and disrupts the meeting.

Measures by Zoom to prevent Zoombombing

On Wednesday, Zoom CEO Eric Yuan published a blog post addressing these security concerns. He mentioned that Zoom will freeze feature updates and focus on coming up with security solutions for the next 90 days, dedicating these ninety days to "the resources needed to better identify, address and fix issues proactively." According to the post, these initiatives will focus on "conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases."

Steps you can take to prevent "Zoombombing" 

There are some simple settings you can change in your Zoom app to prevent your calls from being interrupted by unwanted individuals.

  1. Don't use your personal meeting ID; instead, use a per-meeting ID exclusive to that meeting. There are Zoom tutorials to help you understand how to generate a random meeting ID for a meeting.
  2. Enable the "waiting room" feature in Account Management. It will allow you to see who is attempting to join the meeting and give them access.
  3. Once the meeting begins and everyone is in it, lock the meeting to outsiders.
  4. Make sure you don't publish or post the meeting ID on public platforms.
  5. If any outsider does barge in, you can lock them out by going to the Participants List in the navigation sidebar, scrolling to More and clicking Lock Meeting. You can also shut them up by clicking the Mute All control in the Participants List.