Search This Blog

Showing posts with label Cyber Criminals. Show all posts

43% of all Malware Installations are Concealed in Microsoft Office Documents

 

Companies have now employed hundreds of cloud applications to use due to the transition from work from the office to remote work, many of which may be vulnerable to cyberattacks or exploitation. This has increased the attack vector and exposed them to a slew of new threats. 

Although infiltrating office documents with malware has been around for a long period, it is indeed very effective in duping individuals. After embedding a hostile macro into an office document, malicious actors transmit the infected file to thousands of other people via email and wait for potential targets. A macro is a collection of commands that are packed together to perform a task automatically. 

Thus according to current Atlas VPN team research, malicious office documents account for 43 percent of all malware installations. Dangerous office files are common amongst cybercriminals because they can evade suspicion by most antivirus programs. 

The research is based on the Netskope Threat Lab Cloud and Threat Report: July 2021 Edition. It examined office documents from all platforms, including Microsoft Office 365, Google Docs, PDFs, and others. Only 14 percent of all downloaded malware were hostile office documents a year earlier, in the second quarter of 2020. Following that, in the third quarter of last year, the percentage rose to 38%. This growth was mostly affected by working remotely, as attackers discovered that malware-infected papers have proved to be beneficial. 

The effectiveness of EMOTET appears to have spread swiftly among cybercriminal gangs, motivating other hackers to adopt a similar approach. Another reason harmful documents succeed is that they can avoid detection by antivirus software and appear to be from a reliable source. 

Malware-infected document cyberattacks are designed to exploit the user's potential incapacity to perceive the danger. Only a blend of cybersecurity knowledge, training, and security software could provide the highest level of protection.

Fraudsters have taken advantage of Microsoft Office and Google Docs' popularity by introducing malicious code into the documents. To protect users from malware attacks, organizations must design and maintain a cybersecurity plan that addresses both the technological and human components. 

Driver's License Exploitation Scams Surge

 

The Covid epidemic has provided a ripe opportunity for cybercriminals, who are taking advantage of internet information from outdated driver's licenses of targeted individuals. 

According to Stateline, the “phishing” scams benefit from the fact that several nations have made emergency declarations permitting driver's licenses to remain in force beyond expiry dates. With the expiration of such renewals, drivers must now ensure that their licenses are updated, but scammers are taking full advantage of that shift, according to Stateline. 

In conventional phishing, cybercriminals send malicious links or attachments via email, and victims inadvertently click on them. Fraudsters use messaging to conduct their operations, which is known as "SMS phishing" or "smishing." 

As per state motor vehicle agencies, driver's license phishing frauds attempts to steal individual identities and personal information, that have already been sprouting up across the United States. Iowa, Minnesota, Ohio, Vermont, and Wyoming are among the states in which the frauds have been detected until now. 

Scam artists send out SMS or emails making false claims that the target's license needs an urgent update, as some of the information is missing, or even that it is about to expire and will be invalid within a few days. When a person clicks the hyperlink, a Google Forms spreadsheet with personally identifiable information such as a Social Security number and birth date is often opened. 

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

A large number of people in Illinois, according to Druker, reportedly obtained texts and emails from fraudsters posing as the secretary of state or employees from the state transportation department. Druker also added that he had no idea if anyone else has succumbed to the ruses. 

Upon learning well about phishing and smishing, Illinois officials notified the FBI and IRS, who had collaborated with Google to remove the bogus webpages. According to Druker, the authorities have discovered 1,035 sites so far, and Google has halted nearly 900 such websites. 

As per a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now employing door-to-door visits, along with telemarketing calls, messages, and social networking sites, to conduct COVID-19-related frauds. 

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

Threat Group Aggah Targets Industries Via Spear-Phishing Campaigns

 

A spear-phishing attack that seems to have commenced in early July 2021, targeting various manufacturing industries in Asia has been identified and reported by Anomali Threat Research. 

During this campaign, the strategies, methods, and procedures detailed in the report correspond to the threat group Aggah. The investigation further unveiled several PowerPoint files with harmful macros that employed MSHTA to launch a PowerShell script to charge hex-encoded payloads. Through the findings as well as the analysis based on the campaign's TTP, researchers evaluated that the threat group behind the security incident probably is Aggah. 

Cybercriminals employed numerous vulnerable WordPress websites to target Asian producers with a new operation for phishing attacks that deliver, the Warzone RAT, a freight for sale on crime forums, researchers stated. 

Warzone is a malware commodity having hacked versions available on GitHub. The RAT utilizes the Ave Maria stealer's code repeatedly. Warzone RAT's features include scale privilege, keylogging; remote shelling, file download and execution of files, file managers, and network endurance, as per the researchers.

Based on the recent research by Anomali threat detection and security agency, the threat organization Aggah, which is believed to be associated with Pakistan and was identified for the first time in March 2019, has delivered the RAT to manufacturing enterprises in Taiwan and South Korea. 

Aggah is an information-based threat group discovered by researchers from Palo Alto Network’s Unit 42, for the very first time. The researchers believed the activity to be a campaign against organizations in the UAE. In-depth research by the very same team revealed that it was a global Revenge Rat Phishing Campaign.

“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday 12th of August 2021. 

Aggah, which normally seeks to steal information from targets, was also previously considered to be affiliated with the Gorgon Group: a Pakistani organization recognized for targeting the Western governments. This relationship has still not been confirmed yet, however, the Anomali researchers believe that the Urdu-speaking group came from Pakistan. The most recent campaign of Aggah included the Taiwan-based manufacturing company, Fon-star International Technology; Fomo Tech, a Taiwanese engineering company, and the Korean power plant, the Hyundai Electric. 

Researchers have indicated that the latest campaign of Aggah for spear phishing began with a bespoke e-mail pretending to be from "FoodHub.co.uk," a UK-based food delivery service. “The email body includes order and shipping information as well as an attached PowerPoint file named 'Purchase order 4500061977, pdf.ppam' that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website, mail.hoteloscar.in/images/5[.]html,” researchers stated. 

“Hoteloscar.in is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”

Russia Based Company, DDoS – Guard gets Targeted by Cybercriminals

 

Leaked data for sale through forums and marketplaces in cybercrime appears so frequent that it is essentially unknown, except for the choice of an individual victim. However, these leaks might show that a site or service has been compromised – possibly without the wiser being the operators. 

One such prospective victim is the apparent Russian company DDoS-Guard, which protects against distributed denial-of-service attacks. The company's supposed client data was presented on a cybercrime forum for sale. 

The DDoS Guard offers DDoS protection, network content delivery services, and Web Hosting services. It is a Russian Internet infrastructure company. 

On the 26th of May, a user put on Exploit.in "the full dump on the popular online DDoS-Guard service" for auction, with an opening sale price set at 500,000 dollars, or a blitz price set at 1.5 million dollars, with "buy it now." However, later on, the auction was started at $350,000. 

Singapore-based cybersecurity firm Group-IB reports that beyond DDoS defenses, "DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling and copyright infringements." "

We've seen several rogue websites hosted by DDoS-Guard," says Reza Rafati, a senior analyst at Group-IB's CERT-GIB incident response unit in Amsterdam. "They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn't do any good for the global effort against cybercrime." 

The DDoS-Guard customer database listed "all info such as name, site, real IP, payment info, etc." in the Exploit.in leak. The user claimed that several renowned websites, including RuTracker.org, which is a BitTorrent Russian tracking service, are also featured on the client list. The listing says that the DDoS-Guard "infrastructure, backend, front end, and network filtering/blocking" are all included in the sale. 

A DDoS-Guard Spokesperson nevertheless rejected the Exploit.in claims of the seller. "We are aware that malefactors are trying to sell a certain database. Our company has not experienced any data leaks," Ruvim Shamilov, DDoS-Guard's PR manager, stated. 

SecurityTrails includes Hamas, which is the Palestinian militant party that rules Gaza, as well as enormous sites of squamous names that are potentially used by fraudsters, like "bitdefender-centrals.com," "nortoncomsetupz.com" and "garmin-express.support," which are attributed to DDoS-Guard by the domain and IP Address service SecurityTtrails." 

For DDoS-Guard users, soon it would be possible to identify anyone who has been operating sites on their service, depending on who takes their hands on the client base dump. Yet legal enforcement agencies are probably already informed, says cyber-security expert Alan Woodward. 

"Anything that is done at scale, and particularly where it is crime as a service, is bound to attract the attention of the police," says Woodward. In addition to finding ways to interrupt services connected with illegal activity, law enforcement organizations have shown themselves to follow users of the service.

Threat Actors Use Marvel's Black Widow Movie To Spread Malware

 

Marvel's Black Widow film has finally been released in theatres and online streaming platforms after being delayed for over a year due to the COVID-19 epidemic. Unfortunately, Marvel Universe fans aren't the only ones who are enthusiastic, as the launch of the Black Widow film has sparked the interest of several fraudsters and hackers. 

According to research conducted by cybersecurity firm Kaspersky, threat actors have been unlawfully monetizing interest in the upcoming film for months. 

Kaspersky warns of Black Widow movie-themed malware: The film was released on July 9th in the United Kingdom, however, it's yet to be aired in many other countries. Researchers have discovered malware downloads posing as the new Black Widow film that is already spreading on the internet. 

Several Black Widow-themed phishing sites are running, according to the company, with the motives of obtaining user credentials. One of the websites examined by researchers promised viewers an early screening of the film in exchange for registering on the site. Users were requested to provide their banking card information during the registration procedure to validate their residency region. However, they later discovered that money had been deducted from their account and they still didn’t get access to the movie. 

According to Kaspersky experts, there has been an increase in attempts to infect users who are keenly awaiting the new film's release. They first saw the rise in infection attempts following the film's formal announcement in May 2020, then again around its original November 2020 release date, and finally in May 2021. 

Since the movie's release date was pushed back to July 2021, hackers have tried to take advantage of the misunderstanding by infecting 13 percent of streaming services and even launching the movie's downloadable files. 

Kaspersky security expert Anton V. Ivanov wrote, “Right now, we have observed intensified scamming activities around Black Widow, the release of which, fans all over the world have been eagerly anticipating for a long time. In their excitement to watch the long-awaited movie, viewers have become inattentive to the sources they use, and this is exactly what fraudsters benefit from.” 

Precautionary Measures: 

Scammers are not only utilizing phishing websites to deceive innocent users, but they are also redirecting executable files disguised as movie downloads. To remain safe, avoid files that have a . EXE or .MSI extension, because movie files generally have .MP4, .AVI, .MOV, .WMV, or .M4P extensions. 

Furthermore, pay special attention to the website URL you visit in order to see or download the film. Scammers frequently make minor modifications to the domain or movie name, so double-check the address to rule out any bad activity. 

Finally, use anti-malware software that has a phishing site detection capability.

Social Media Influencers are the Latest Target of Cyber Criminals

 

The number of cybercrimes and scams is rapidly increasing with the advancement of technology. The police said that a new cyber fraud with social media influencers has been detected. 

There are a great number of followers of social media influencers on social media and companies are paying them regularly for their handles to promote their products. Many famous people get roped in, too. 

Cyber fraud is a kind of cybercrime fraud that uses the Internet to hide information or to provide erroneous data to knock victims out of money, property, and heritage. 

Cyber Law Expert N.Karthikeyan notes that mainstream media cannot include an advertisement on gambling or false investments. Such imaginary operators can utilize these influencers of social media who are unaware of the consequences. There are influencers on social media that only promote fictitious mobile apps. Fraudsters also send dubious links as supporters of influencers on social media. Once the victims click in and the details are registered, the fraudsters acquire complete control of the influencer's page or channel. They'll then post their content – that can be anything.

However, the Cyber Crime Cell officials noted that no specific complaint had yet been made on the matter. 

A woman social media influencer who was a candidate in recent elections said, " After uploading my affidavit into ECI website, I had three lakh downloads. I got good reviews on a social media page but only one person alleged that I had hacked the ECI site- which was baseless. He went on leveling allegations on me. I just ignored it." 

With the increase in such cyber frauds, a Youtuber who himself was a victim of this, stated that the overwhelming majority of influencers on social media are being used by fraudsters. They at times typically represent themselves as an established company or brand and appeal to influencers with lucrative publicity deals while proposing to administer the ads on behalf of the influencers. Later, they gather personally identifiable information or passwords from social media and seize complete control of the website or handle used by the influencers. 

"We have lodged a complaint against an Instagrammer who specifically targeted women influencers. He texted asking them to join in an Instagram live. If they accepted and came on live, he would level baseless allegations. If they didn’t agree to live as he was the stranger, he projected them as scammers, " said Joe Praveen Michael, an event manager.

Smart Plugs Used by Cyber Criminals to Break into Victims Property

 

Inexpensive intelligent connectors are a big threat to cybersecurity and can effectively be used by cybercriminals to hack anyone’s device or even gain entry to their residences, experts say. 

Usually, modern Internet-based devices can send data (using HTTPS) with stronger passwords and follow the appropriate safety practices using encrypted channels. Techradar reports that Sonoff and Ener-J smart plugs worked the opposite and that a large security issue was ready to be exploited. 

The security firm A&O IT Group documented its security analyses of two smart plugs, Sonoff S26 and Ener-J Wi-Fi, that are cheap and easily available at large. 

These smart connectors, which the customers will be able to purchase for just 10 dollars on Amazon, eBay, and AliExpress, can also be used to gain access to the Wi-Fi network of the targets by the hackers. This is because the router is communicated through port 80 via these devices, as well as because they have failed factory credentials, to send unencrypted HTTP traffic.

As soon as the attackers get Wi-Fi passwords, they can log in to the target network and do all sorts of activities from it: video and audio received from porters, insecure smart devices being regulated, confidential data downloaded, or even traffic monitoring from many other devices. 

They may also use Wi-Fi to download illicit information from the internet or undertake attacks on computers of other users that have little risk of getting caught. This is particularly important if the victim has items such as smart door locks, or video surveillance on the very same network. In this case, an intruder already knows how long the citizens are out and may even break into the property. 

The A&O IT Group says it has both reported vulnerabilities to Sonoff and Ener-J, but it has yet to receive any company's reports. 

To mitigate this issue, expertise from CNX Software suggests the fastest way is to set up a Guest SSID for IoT devices to prevent the sharing of the same network by other important devices. 

The most recent report on users of Eufy safety cameras that were later fixed in security feeds and the smart plug vulnerabilities that remind users that network security rests on the safety of all connected devices — something that users must remember when having smart doors, smart cameras, or other sensitive devices when using the same network.

Ransomware Attacks Targeting UK’s Education Sector Increased, says NCSC

 

According to the warning by GCHQ's cybersecurity arm, NCSC, there has been a substantial spike in the number of ransomware attacks targeting the education sector over the last month, just as schools were getting ready to resume in-person classes. 

Ransomware attacks on the UK education sector have been on the rise, according to a new report. This includes developments seen in August and September 2020, along with attacks that have occurred since February 2021. It also offers mitigation recommendations to help in the defense of this sector. 

According to the report, senior leaders must recognize the magnitude of the threat and the ability of the ransomware to cause serious harm to their organizations in terms of information exposure and access to important services. 

Ransomware encrypts servers and files, making it impossible for businesses to provide services. Cybercriminals are anticipating that the need for schools and colleges to provide instruction would lead to target organizations succumbing to extortion requests and paying a bitcoin ransom in return for the decryption key required to recover the network. More importantly, cybercriminals have begun to warn that if the ransom is not paid, they will disclose confidential data taken from the network during the attack. Many elevated cases have arisen in which cybercriminals have carried out their attacks by exposing confidential data to the public, mostly via the darknet's “name and shame” websites. 

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said. 

Ransomware attacks can be crippling to businesses, taking a considerable period for victims to recover and restore vital services. These activities can also be high-profile in nature, gaining a lot of attention from the public and the media. 

There are many ways for ransomware attackers to gain entry to a victim's network. Remote Desktop Protocol (RDP) is one of the most commonly used protocols for remote desktop activities, according to the NCSC, allowing staff to access their office desktop computers or servers from a remote device over the internet. Ransomware attackers often use insecure RDP and virtual private networks (VPN) configurations to gain initial access to victims' computers. 

"This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted", says NCSC. 

To protect against malware and ransomware threats, the NCSC suggests that businesses must adopt a "defense in depth" technique. Having an effective plan for vulnerability management and deploying security fixes, protecting remote web services with multi-factor encryption, and installing and activating anti-virus programs are all cybersecurity guidelines for schools, colleges, and universities to secure their networks from ransomware attacks. 

Are Media Agencies the Next Target of Cybercriminals?

 

There is no denying the fact that cybercriminals have been exploiting the trust of people in media agencies. However, the ongoing situations have seen an incredible surge in cybercriminals needing to utilize each possible way to target media agencies.

Aside from direct attacks, they have even misused brand names to create counterfeit identities, which are then used to target 'potential victims'.

A couple of incidents throw light upon how and why these threat actors have set their sights on the media industry.

Some of them have been directly targeted generally through ransomware attacks.

Ritzau, the biggest independent news agency in Denmark, was targeted by a ransomware attack, prompting the compromise and encryption of more than one-fourth of its 100 network servers.

The computer servers at the Press Trust of India were also attacked by LockBit ransomware, which kept the agency from delivering news to its subscribers.

A few attackers very cleverly utilize the 'pretense' of media agencies to plan out their attacks.

Some time back, TA416 Able was found carrying out spear-phishing attacks by imitating journalists from the Union of Catholic Asia News, endeavoring to target the scope of victims, including diplomats for Africa and people in the Vatican.

Another incident happened when the U.S. seized 27 domain names that were utilized by Iran's Islamic Revolutionary Guard Corps (IRGC) for carrying out secretive influence campaigns, in which a few domains were suspected to be veritable media outlets.

OceanLotus had set up and operated a few websites, professing to be news, activist, or anti-corruption sites consistently. Furthermore, they traded off a few Vietnamese-language news websites and utilized them to load an OceanLotus web profiling framework.

Subsequently keeping these events in mind, experts recommend having sufficient safety measures, like frequent data backups, anti-malware solutions, and implementing Domain-based Message Authentication, Reporting & Conformance (DMARC).

Furthermore, recommendations were made on carrying out tests to distinguish and eliminate the risks of domain spoofing.


Russian citizen arrested in the United States on charges of organizing a cyber crime


According to the Ministry of Justice, 27-year-old Yegor Kryuchkov tried to pay $1 million to an employee of a company from Nevada in order to introduce malware into its computer network. When the FBI joined the investigation, the Russian tried to run from the United States

A Federal Court in Los Angeles has arrested a Russian citizen, Yegor Kryuchkov, on charges of conspiring to commit cybercrime. This was reported by the press service of the US Department of Justice.

According to the Department, 27-year-old Kryuchkov in the period from July 15 to August 22 this year tried to bribe an employee of an unnamed American company located in the state of Nevada. The statement claims that the Russian offered him $1 million for participation in the implementation of the fraudulent scheme.

The Ministry of Justice reported that Kryuchkov allegedly planned to load malicious software into the computer system of this company. This would allow him and his associates to gain unhindered access to company data.

Last week, Kryuchkov was contacted by the Federal Bureau of Investigation (FBI), after which he left Reno (Nevada) and went to Los Angeles in order to leave the United States. The Russian, according to the Department, asked his friend to buy him a plane ticket.

Kryuchkov was detained in Los Angeles on August 22. According to the Ministry of Justice, the Russian entered the United States on a tourist visa.

The Russian Embassy in the United States said that diplomats are aware of Kryuchkov's arrest. "We will contact the Russian in the near future to find out the problem. We will provide him with the necessary consular and legal assistance,” said the diplomatic mission.

The Russians were offered $10 million from the State Department for information about Russian hackers

Residents of Russia began to receive SMS about a way to get $10 million from the US State Department. In the messages, Russians are offered this money for information about the interference of Russian hackers in the American elections.

Such SMS messages are published by residents of different cities in Russia in social networks. Among them the Deputy of the Duma of Yekaterinburg Timofey Zhukov. In the Telegram channel, he published a screenshot of such a message. "The US State Department is offering up to $10 million for information about interference in the US election. If you have information, please contact us,” said the SMS.

The link in the message leads to a verified Twitter account of the US State Department's Rewards for Justice program. According to the hashtag of the same name, Election_Reward, dozens of messages of the Department's program were published on Twitter in different languages of the world, including Russian.

Experts noted that the message was sent to Russians through the program CentrSoobsh — a service that is usually used to send spam or fake SMS in order to hack accounts by fraudsters.

Earlier, US Secretary of State Mike Pompeo announced the start of this program. He promised that Washington will pay the amount for information about persons interfering in the elections. Pompeo mentioned that the program applies to both Russia and other malicious states.

The representative of the Russian Foreign Ministry, Maria Zakharova, considered that if the US really begins to pay everyone up to 10 million dollars for such information, the state Department's website "will break down from denunciations to neighbors."

Senator of the Federation Council Frants Klintsevich called such actions an illusion and provocation, which carry a danger. He added that the messages are sent not by the US, but by emissaries with money.

According to him, it is necessary to find those who send messages, to bring everything to its logical end. Moreover, if necessary, the Russian Federation need s to change the legislation, as such actions are trying to destabilize the situation in the country.

Indian Organizations Suffer the Most in Public Cloud Security Incidents



In a survey of 26 countries for public Cloud security incidents, India emerges as the nation which endured the hardest hits the previous year with 93 percent of the nation's organizations encountering the problem.

The survey included more than 3,500 IT managers across 26 nations in Europe, the Americas, Asia Pacific, the Center East, and Africa that currently host data and workloads at hand in the Public Cloud.

The cybersecurity incidents that Indian organizations suffered most included ransomware (53 percent) and other malware (49 percent), exposed data (49 percent), compromised accounts (48 percent), and cryptojacking (36 percent), said the report titled "The State of Cloud Security 2020" by cybersecurity company Sophos.

While Europeans seem to have endured the least level of security incidents in the Cloud, an indicator that compliance with General Data Protection Regulation (GDPR) guidelines are assisting with protecting organizations from being undermined.

However, India still hasn't enforced a data protection law.

Chester Wisniewski, Principal Research Scientist at Sophos said in a statement, "Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public Cloud."

 "The recent increase in remote working provides extra motivation to disable Cloud infrastructure that is being relied on more than ever, so it's worrisome that many organizations still don't understand their responsibility in securing Cloud data and workloads," Wisniewski added later.

"Cloud security is a shared responsibility, and organizations need to carefully manage and monitor Cloud environments in order to stay one step ahead of determined attackers."

According to the report, more than 55 percent of Indian organizations and businesses revealed that cybercriminals obtained access through the stolen Cloud provider account credentials.

Regardless of this, only 29 percent said managing access to Cloud accounts is a top area of concern. Albeit 'accidental exposure' keeps on plaguing organizations, with misconfigurations exploited in 44 percent of reported attacks on Indian organizations.

With 76 percent of organizations utilizing the Public Cloud, detection and response are driving the Cloud security concern for IT managers in India while data security still stays as a top concern across the world for organizations.

Police found Ukrainian hackers who insulted Greta Thunberg in Odessa


Attackers broke into the terminal of the Odessa airport and scolded the eco-activist.
Law enforcement authorities in Odessa (Ukraine) said that they found the hackers of the Odessa airport information system, who posted pictures with insulting or obscene language on the organization’s scoreboard against eco-activist Greta Thunberg.

According to police, on February 25, officers with the support of the special forces unit of the National Police of Ukraine searched the houses of the participants and founders of the Ukrainian Cyber Alliance public organization. The search was authorized by a decision of the Odessa court. The seized equipment was sent for examination. Law enforcement officers opened a criminal case on the fact of unauthorized interference in the work of the Odessa terminal. The attackers face imprisonment for a term of three to six years.

Ukrainian Cyber Alliance associates such actions of the National Police of Ukraine with political pressure on its activists.

It is worth noting that the Ukrainian Cyber Alliance is a community of Ukrainian cyber-activists that emerged in the spring of 2016 from the Association of two groups of cyber-activists FalconsFlame and Trinity. Later, a group of cyber activists RUH8 and individual cyber-activists of the CyberHunta group joined the Alliance.

The fact of hacking the Odessa airport information system occurred in October last year. At that time, a new terminal was installed in the renovated hall of the Odessa airport. Hackers posted a photo of the Swedish eco-activist with the inscription "F*** you, Greta" on the new terminal.

Recall that Time magazine awarded 16-year-old Swedish eco-activist Greta Thunberg the title of "Person of the Year". She began her fight for ecology in the late summer of 2018. Every Friday, the girl went on a single picket near the walls of the Swedish Parliament with a poster "School strike for climate", and a year later, similar pickets were staged around the world.

Hackers used the websites of Russian government agencies to extract cryptocurrency


According to the deputy head of the National Coordination Center for Computer Incidents of the FSB, Nikolai Murashov, encryption viruses decreased their activity last year and were replaced by malware. In particular, these programs have changed for crypto-jacking or hidden cryptocurrency mining.

Murashov noted that the software for hidden mining uses up to 80% of the free power of the device, and the user may not know about it. According to him, the seizure of server capacities of large organizations for the purpose of mining cryptocurrencies threatens to severely reduce their productivity and harm their main activities.

Murashov said that hackers attack not only large companies but also ordinary users, for example, by mining through a browser while visiting infected web pages. Browser companies have already begun to struggle with this problem. So, in April of last year, the Mozilla Firefox introduced protection against crypto-jacking.

In addition, the number of installations of shadow miners on computers of ordinary users has increased. Last year alone, more than 50,000 such incidents were recorded.

"The scope of activities of shadow miners expanded over the past year. Hackers started using new software that is difficult to track because of the special code structure. Some applications are developed specifically for government servers and gaining control over them. Programs use computing power for mining, but administrators can only notice this during a detailed audit," said Murashov.

In Russia, the most high-profile incident last year was an incident with miners who mined cryptocurrency on the computers of the nuclear center in Sarov. The attackers, who turned out to be employees of the organization, used the equipment for their own purposes for several years.

Companies around the world are being attacked by ransomware viruses and crypto-jacking. Recently, a cybersecurity company Proofpoint, reported that in 2019, more than half of all public and private organizations in the United States were subjected to virus attacks and phishing. In this regard, regulators are beginning to take decisive action.

Romanian cybercriminals sentenced to 20 years in prison for developing malware


Two Romanian citizens were sentenced to imprisonment for the development and operation of the Bayrob malware, which infected more than 400 thousand computers, and theft of confidential information.

Back in 2016, three members of the hacking group Bayrob were extradited to the US. Law enforcement officers told that citizens of Romania Bogdan Nicolesku aka Masterfraud, aka mf, Danet Tiberiu aka Amightysa, aka amy and dRadu Miclaus aka Minolta, aka min since 2007 engaged in fraud and development of malware, and then their business became a large botnet, which was also involved in cryptocurrency mining.

According to authorities, during the years of activity, the group stole more than four million dollars from its victims, but Symantec analysts, who helped law enforcement agencies to stop the group's activities, reported that in fact, the damage from the actions of Bayrob could be more than $35,000,000.

Bayrob malware was conceived as a tool to steal email addresses from the target computer and then send infected messages to users. Cybercriminals managed to infect and hack more than 400 thousand computers. The attackers registered more than 100 thousand email accounts to send 10 million letters to the collected addresses. The defendants also intercepted requests to Facebook, PayPal, eBay and other websites and redirected victims to similar domains in order to steal their data.

So, if in 2007 about 1000 cars were infected with Bayrob, by 2014 their number increased to 50,000, and by 2016 it exceeded 300,000 altogether.

All three suspects were charged in 2016, but the case came to court much later. At the end of last week, the website of the US Department of Justice reported that Nicolesku and Tiberiu were sentenced to 20 and 18 years in prison.