Search This Blog

Showing posts with label Russia. Show all posts

Security Researchers Discovered Crimea Manifesto Buried in VBA Rat


On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE Exploit (CVE-2021-26411) that was previously utilized by Lazarus APT to target security researchers working on vulnerability disclosure. The shell code used in this vulnerability loads the same VBA Rat as the remote template injection exploit. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. A VBA Rat is also included in the attack, which collects victim information, identifies the AV product installed on the victim's workstation, runs shell-codes, deletes files, uploads and downloads files, and reads disc and file system information. Instead of using well-known API calls for shell code execution, which can easily be flagged by AV products, the threat actor employed the unique EnumWindows to run its shell-code, according to Jazi.

Evidence Indicates Russia's SVR is Still Using 'WellMess' Malware, Despite US Warnings


President Joe Biden's appeal for Vladimir Putin to crack down on cyberattacks emanating from within Russia appears to have failed to persuade the Kremlin to give it up. 

In a report published Friday, RiskIQ stated it discovered ongoing hacking infrastructure that Western governments associated last summer to the Russian SVR intelligence agency-linked APT29 or Cozy Bear, which it utilized to obtain Covid-19 research data.

The malware, also known as WellMess or WellMail, led to official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged companies to fix five known vulnerabilities that the SVR had exploited, according to US officials. 

RiskIQ detected three dozen command and control servers supplying WellMess which were under APT29 control, as per the firm. Following a US-Russia summit at which cyberattacks were discussed, the focus was on infrastructure. 

“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden's public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ's Team Atlas. 

Cozy Bear has not been openly accused of being involved in any recent ransomware operations, which were the focus of the White House's discussions with Russia. The organization has set itself apart by executing cyber-espionage against targets like the federal contractor SolarWinds and the Democratic National Committee. 

RiskIQ is perplexed as to how Russian agents are now utilizing the WellMess malware. The company stated, “Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.” 

Biden has been urging Putin both personally and in public statements, to stop malicious cyber activities originating from Russia, notably ransomware assaults are believed to be conducted by criminal groups.

A phone call between the two men came after a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which has affected hundreds of people as a result of an incident at the software company Kaseya. 

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden stated reporters about the call. 

In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.

The Russian Federation submitted to the United Nations the world's first draft convention against cybercrime

The Prosecutor General's Office of the Russian Federation reported that Russia has submitted to the UN the world's first draft convention on countering cybercrime and the criminal use of cryptocurrency.

Recall that last year an interdepartmental working group on combating information crime was established, one of the main tasks of which was to develop a draft of a universal comprehensive international convention on combating the use of information and communication technologies for criminal purposes.

The project has a number of advantages. It takes into account modern challenges and threats in the field of international information security, including the criminal use of cryptocurrency, introduces new elements of crimes committed using information and communication technologies.

It is stressed that Russia was the first country that developed and submitted to the special committee a draft convention to combating information crimes.

"Today cyber attacks are as much a weapon of mass destruction as a tactical nuclear weapon. Infrastructure, from the fuel supply to the water supply, can be stopped in an entire city. The settlement will be paralyzed with zero casualties. Thus, I would call cyberattacks bloodless killers, they do not set themselves the goal of destroying the population but simply teleport this population, in fact, to the Stone Age,” commented on the news the State Duma deputy Ruslan Balbek.

According to him, the Russian draft convention is timely and relevant.

In March, the President of Russia Vladimir Putin announced an increase in the number of crimes in the IT-sphere. He pointed out that over the past six years, the number of such crimes has increased 10 times.

Earlier, E Hacking News was reported that Russia-US summit was held in Geneva on June 16. Summing up the negotiations, Vladimir Putin said that the sides will start consultations on cybersecurity.

U.S. Department of Commerce Seizes Trade with 6 Russian Companies


The Department of Commerce restricts trade with four Russian IT and cybersecurity companies together with two additional entities, based on the latest document issued on Friday 16th of July, because of suspicions that these corporations constitute a threat to the US national security. 

On Friday, six Russian corporations were added to the Department's Entity List, build off sanctions enforced by the Treasury Department in April, claiming these companies and other organizations are in line with or help Russia's intelligence agencies. 

Since these organizations have appeared on the Entity List, the Department of Commerce will require them to seek a special license to do business with US companies or to receive supplies and components from American companies.

The Russian organizations that are now on the list of companies managed by the Commerce Department's Bureau of Industry and Security include: 

  •  Aktsionernoe Obschchestvo Past: An IT company that reportedly conducted research and development for the country's Foreign Intelligence Service; 
  •  Federal State Autonomous Institution Military Innovative Technopolis Era: A research center and technology park operated by the Russian Ministry of Defense;
  •  Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA): A state-owned institution believed to support malicious cyber activity; 
  •  Aktsionernoe Obshchaestvo AST; 
  •  Aktsionernoe Obshchestvo Pozitiv Teknolodzhiz, or JSC Positive Technologies; 
  •  Obshchestvo S Ogranichennoi Otvetstvennostyu Neobit; 

As per the Commerce Department, IT companies like, AST, Positive Technologies, and Neobit have also worked with the Russian Government. 

In April, Treasury Department sanctions indicated Russian technology, security organizations, and research companies reportedly engaging in cyber campaigns with the Russian Foreign Intelligence Service, often referred to as the SVR, as well as other Russia's agencies, which includes the GRU. 

The government of Biden sought to curtail the cyber activities in the country while responding to frequent events - along with a large-scale attack on the software provider Kaseya with remote management software this month - that the Russian-speaking group of REvil is accused of carrying out. 

“Treasury is leveraging…[its] authority to impose costs on the Russian government for its unacceptable conduct, including by limiting Russia’s ability to finance its activities and by targeting Russia’s malicious and disruptive cyber capabilities," Treasury Secretary Janet L. Yellen said at the time. 

The department also noted: "The Russian Intelligence Services have executed some of the most dangerous and disruptive cyberattacks in recent history," including the 2020 SolarWinds incident, a supply chain attack that ultimately affected several U.S. agencies. 

The Treasury Department has also criticized the Kremlin for its electoral intervention to poison Kremlin's opponent Aleksei Navalny, and for robbing a U.S. security firm, among other recent measures, of "red team tools" – imitations of cyber-attack. The Kremlin refused these claims. 

On Thursday, the State Department also announced that it will now reward the country's key infrastructure with up to $10 million for information concerning cyber-threats. 

In addition, a website named 'StopRansomware' was revealed by the Homeland Security Department and the Justice Department, which is intended to be a primary platform for building ransomware-fighting tools from all government departments. 

Further, Biden added that the U.S. government is prepared to take "any necessary action to defend its people and its critical infrastructure in the face" of ongoing cyberattacks.

Business correspondence in messengers and social networks poses a cyber threat to companies

Experts believe that screenshots of work correspondence sent by company employees to third parties may fall into the hands of fraudsters. Such actions lead not only to reputational and financial risks for companies, but also to the risk of cyber threats.

"If the phone numbers of colleagues are visible in the correspondence, attackers can use this information: for example, for hacking, spam, data mining with the help of social engineering", says Alexander Tikhonov, general director of the SAS Russia/CIS IT company.

Kaspersky Lab said that the risks of cyber threats for companies became more relevant after the transition to remote work, since office workers began to use shadow IT more often for business correspondence that was not approved by the company.

"Employees are increasingly using personal gadgets, as well as programs installed on them, for personal use for work purposes," the company explained. Thus, 59% of Russians use personal mail to solve work issues, 55% communicate at work in messengers that are not approved by IT departments, and they admit that with the transition to a remote employment format, they began to do this regularly.

According to AlfaStrakhovanie analytical center, more than 60% of Russians send screenshots of work correspondence in messengers or post them on social networks. Moreover, 43% of respondents said that their company uses one of the standard instant messengers for corporate communication, and 23% responded that their company does not regulate the method of communication at all.

"People tend to think that social networks are not dangerous, that they are surrounded only by friends in the digital space," said Pavel Adylin, executive director of Artezio. He emphasized that the problem can only be solved by gradually improving the level of literacy and digital security of the business.

Russia Based Company, DDoS – Guard gets Targeted by Cybercriminals


Leaked data for sale through forums and marketplaces in cybercrime appears so frequent that it is essentially unknown, except for the choice of an individual victim. However, these leaks might show that a site or service has been compromised – possibly without the wiser being the operators. 

One such prospective victim is the apparent Russian company DDoS-Guard, which protects against distributed denial-of-service attacks. The company's supposed client data was presented on a cybercrime forum for sale. 

The DDoS Guard offers DDoS protection, network content delivery services, and Web Hosting services. It is a Russian Internet infrastructure company. 

On the 26th of May, a user put on "the full dump on the popular online DDoS-Guard service" for auction, with an opening sale price set at 500,000 dollars, or a blitz price set at 1.5 million dollars, with "buy it now." However, later on, the auction was started at $350,000. 

Singapore-based cybersecurity firm Group-IB reports that beyond DDoS defenses, "DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling and copyright infringements." "

We've seen several rogue websites hosted by DDoS-Guard," says Reza Rafati, a senior analyst at Group-IB's CERT-GIB incident response unit in Amsterdam. "They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn't do any good for the global effort against cybercrime." 

The DDoS-Guard customer database listed "all info such as name, site, real IP, payment info, etc." in the leak. The user claimed that several renowned websites, including, which is a BitTorrent Russian tracking service, are also featured on the client list. The listing says that the DDoS-Guard "infrastructure, backend, front end, and network filtering/blocking" are all included in the sale. 

A DDoS-Guard Spokesperson nevertheless rejected the claims of the seller. "We are aware that malefactors are trying to sell a certain database. Our company has not experienced any data leaks," Ruvim Shamilov, DDoS-Guard's PR manager, stated. 

SecurityTrails includes Hamas, which is the Palestinian militant party that rules Gaza, as well as enormous sites of squamous names that are potentially used by fraudsters, like "," "" and "," which are attributed to DDoS-Guard by the domain and IP Address service SecurityTtrails." 

For DDoS-Guard users, soon it would be possible to identify anyone who has been operating sites on their service, depending on who takes their hands on the client base dump. Yet legal enforcement agencies are probably already informed, says cyber-security expert Alan Woodward. 

"Anything that is done at scale, and particularly where it is crime as a service, is bound to attract the attention of the police," says Woodward. In addition to finding ways to interrupt services connected with illegal activity, law enforcement organizations have shown themselves to follow users of the service.

The eSIM technology stimulates the growth of the IoT market in Russia

The development of eSIM technology has become one of the drivers of the IoT market, both in Russia and around the world. The network of IoT devices, which have a traditional or built-in virtual (eSIM) SIM-card, differs from GSM, 3G and 4G networks by its lower power consumption. For this reason, this network is optimal for smart city systems.

According to GSMA, the number of new types of eSIM equipment in the world is increasing by 50% annually and by the end of this year, the number of IoT devices with eSIM and with conventional SIM cards will be the same.

The lack of equipment and regulatory framework to regulate eSIM slows down the implementation of eSIM, so customers deliberately do not purchase IoT equipment with eSIM. In addition, the government plans to oblige Russian companies and departments to use only Russian IoT solutions in housing, fire and other security.

However, according to experts, this restriction prevents the introduction of IoT, because now there are no ready-made Russian platforms for virtual SIM cards on the market.

It is interesting to note that against the background of the development of the Industrial Internet of Things (IIoT) there is an increase in the introduction of private networks in the world. However, the market in Russia is still at an early stage of development compared to the world market. According to TelecomDaily the Russian market volume of private LTE-networks now amounts to about 21 million dollars, and about 30 public projects operate in the country.

Private LTE is implemented in places where for technical or other reasons there is no possibility to introduce fixed-line communication. For example, these are quarries, mines or enterprises, located in inaccessible areas. In Russia, the leaders in the introduction of pLTE technology are primarily large industrial enterprises.

Experts agree that private LTE networks will be more and more in demand among industrial enterprises and in the future, they will be more and more often used for the implementation of smart cities projects.

Kremlin Does Not Know Why All Websites Linked to Hacker Group REvil Are Down

Press secretary of the President of the Russian Federation Dmitry Peskov said that the Kremlin does not have information whether the disappearance of the hacker group REvil from the darknet is linked to Russia-US cybersecurity contacts.

"I can't answer your question, because I don't have such information. I do not know which group, where it disappeared from," Peskov said.

Peskov stressed that Russia considers any manifestations of cybercrime unacceptable. "We believe that they should be punished. Internationally, we believe that we should all cooperate. In this case, Russia and the United States should cooperate to prevent such manifestations. And as for the details about this group, unfortunately, I do not have such information," he added.

At the same time, the Kremlin representative recalled that Russia and the United States have begun the process of bilateral consultations on combating cybercrime. However, Peskov stressed that he does not have any information about whether any specific measures have been taken against ransomware hackers.

Earlier, Bloomberg reported that sites on the darknet allegedly belonging to hacker group REvil were down. So, when trying to visit the site where members of the group usually post their statements, a notification appears that this page has not been found. Bloomberg emphasizes that the situation is similar with other resources associated with hackers from REvil.

The agency recalls that the list of REvil victims includes many major corporations. For example, Aseg, Apple and Lenovo, from which hackers demanded $50 million for stolen information. In May, the world's largest meat producer, JBS, was subjected to a cyberattack and paid a ransom of $11 million in bitcoins.

Russian banks to launch a system against telephone fraud

Financial organizations are planning to launch a pilot project of a system for accounting and analyzing telephone fraud, said Alexey Voilukov, vice president of the Association of Banks of Russia. The service will allow to monitor calls, identify unscrupulous operators and more effectively track the fraudsters.

The Association will present the developments to the regulatory agencies along with proposals for changing the legislation. In order to improve the response to criminal attacks, the project should be implemented on the basis of the site of the supervisory authority, for example, the Ministry of Internal Affairs.

Experts believe that the owner of such a system should be one of the government agencies, authorized to request information from operators about the sources of traffic and to process data containing the secrecy of communications.

"It is necessary to tighten legislation in the field of personal data protection and tighten control over bank employees since fraudsters often obtain information about customers through leaks," added experts.

Tinkoff Bank believes that it will take about a month to test the project after the creation of an interdepartmental anti-fraud group. The bank will become one of the pilot's participants.

Other major credit organizations also supported the idea of implementing the system. The pilot of the project can start as early as the end of 2021 or the beginning of 2022. However, full work will require changes in the law.

According to Tinkoff, the number of malicious calls in the first quarter of 2021 increased 2.3 times compared to the same period in 2020. In addition, about 80% of phone scammers use number spoofing, so after launching the project of the system of accounting and analysis of telephone fraud, it will be much more difficult for them to carry out attacks.

Cyber Criminals Sending Phishing Mails Pretending to be from Russian Government Domain

The administration of RSNet (Russian State Network) recommended not to open letters from unknown senders, not to click on links from emails of legitimate users of the RSNet, including from the administration of the RSNet, and also not to open attachment files contained in such emails.

According to Andrey Kovtun, the head of the mail threat protection group at Kaspersky Lab, scammers set up phishing mailings allegedly from a domain He explained that the attackers use a fake sender's address

"Such attacks are usually more complicated than mass attacks, even the real names and phone numbers of employees of the organization can be used," added the expert.

In turn, Alexey Drozd, the head of the information security department of SearchInform, warned against using links from emails even from legitimate users because of the possibility of hacking their accounts.

The expert also noted that recently, scammers sent phishing emails allegedly from the tax authorities.

"People trust domains that look like government domains. In addition, if any letter comes from a government agency, we consider it important," he added.

Earlier, the Ministry of Internal Affairs of Russia reported on the arrest of a group that published ads for the sale of real estate and premium cars and stole money from the accounts of Russians. The attackers asked potential buyers to confirm their solvency by transferring a certain amount to friends or relatives through certain payment systems, and then to provide the potential seller with a receipt for a financial transaction.

Thus, the attackers found out the personal data of the recipients of the transfers and made fake passports in their names, with which they visited credit and financial organizations and withdrew money from the accounts of citizens.

Presidential Press Secretary Said Moscow Not Involved in The Cyber Attacks on the Republican National Committee of US

On Wednesday, the press secretary of the President of the Russian Federation Dmitry Peskov told reporters that the cyber attack on the cloud networks of the US Republican National Committee had nothing to do with Moscow.

"We don't know what exactly was there, but it has nothing to do with Moscow," a Kremlin spokesman told reporters.

He stressed that the Russian side "does not have any detailed information on this matter." At the same time, Peskov noted that recently there have been a lot of publications, which appear literally every day, concerning various cyberattacks and their alleged connection to Russia.

On Tuesday, Bloomberg reported that the cloud networks of the National Committee of the Republican Party of the United States, maintained by Microsoft, were subjected to a cyber attack. As noted by journalists, it was hackers from a cybercriminal group known as APT 29 or Cozy Bear.

On July 6, it became known that expert contacts between Moscow and Washington on cybersecurity were continuing after a meeting between Vladimir Putin and Joe Biden. According to White House spokeswoman Jen Psaki, the U.S. side expects a new meeting of experts next week.

During the summit in Geneva on June 16, Putin and Biden agreed to start consultations on cybersecurity. The Russian leader drew attention to the fact that, even according to American sources, the majority of cyberattacks in the world are committed from the United States, as well as from Canada and the United Kingdom.

Putin stressed that Moscow and Washington can agree on rules of conduct in the areas of strategic stability, cybersecurity and regional conflicts. Biden, on the other hand, said that he gave his Russian colleague a list of 16 types of infrastructure facilities, attacks on which should be stopped immediately in the most effective way.

Experts Said How Cybercriminals Make Money on Russian Gamers

One of the most popular fraud schemes involves buying or selling an account in online games. An attacker can offer an account, but after transferring funds for it, the buyer does not get access to it.

Experts advise using specialized platforms for buying and selling an account, which charge a commission of about 10% for their services.

If there is no such platform, but there is a forum dedicated to the game, the expert advises to study the user's account and his rating on the forum as much as possible before selling or buying.

Gamers can also be deceived when buying expensive computer components, for example, video cards. Scammers create copies of popular online stores, in which the cost of components will be declared 2-3 times lower than the market price. The buyer most likely will not be able to return the money.

Another method of fraud is associated with the purchase of expensive goods, such as a game console through a private classifieds service. In this case, the buyer is offered to get an e-wallet on one of the legitimate services. His virtual card is allegedly linked to this account, which is used to make the payment.

The client transfers money to the wallet and informs the seller about it, after which he receives an SMS message with the virtual card data. However, the notification does not come from the service number, but from the phone of the scammers. So, the gamer makes the transfer to scammers and remains without money and the desired product.

Another method of fraud is connected with watching streams of other gamers. Scammers copy the broadcasts of famous players and add banners with ads for easy earnings to the video. By clicking on them, people get to the resources of scammers, where they lose money by providing their bank card details.

According to the expert, the solution to the problem in the game world could be the active development and use of escrow services, as it is used when selling domain names on the Internet.

NSA and FBI Blame Russia for Massive ‘Brute Force’ Attacks on Microsoft 365


American intelligence and law enforcement agencies have accused a Kremlin-backed hacking group for a two-year campaign to breach into Microsoft Office 365 accounts. 

In a joint report with British intelligence, the NSA, FBI, and DHS blamed Fancy Bear for the broad "brute force" attacks. Fancy Bear is most known for hacking the Democratic National Committee in the run-up to the 2016 Presidential Elections. 

Fancy Bear, according to the agencies, was actually the 85th Main Special Service Center (GTsSS), a group within the Russian General Staff Main Intelligence Directorate (GRU), and that it had been carrying out its brute force attacks on a variety of sectors, which include government and military departments, defense contractors, political parties, energy companies, and media outlets. The majority of the targets were based in the United States and Europe. 

The joint statement stated, “These efforts are almost certainly still ongoing. This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.” 

“This lengthy brute force campaign to collect and exfiltrate data, access credentials, and more is likely ongoing, on a global scale,” said Rob Joyce, the NSA's director of cybersecurity. 

At the time of writing, neither Microsoft nor the Russian embassy in London had replied to requests for comment. Fancy Bear used a technique known as "password spraying," in which computers attempt as many login attempts as feasible on a particular system as possible. The devices' traffic is routed through virtual private networks or the Tor network, both conceal a system's actual IP address by routing it through a variety of servers. 

According to the US report, they did it by utilizing Kubernetes, an open-source platform built by Silicon Valley tech giant Google for managing computer processes. Users of Microsoft 365 and other targeted cloud products should utilize multi-factor authentication, which requires a one-time code in addition to the login and password to get access to an account. It also suggests that if a user makes many unsuccessful tries to log into an account, the user should be locked out or put on a waiting list before trying again. 

The allegations follow President Biden's meeting with Russian President Vladimir Putin, during which the US leader urged his Russian counterpart to assist America in stopping the flow of destructive cyberattacks plaguing organizations throughout the world. 

In recent months, ransomware attacks on gas company Colonial Pipeline and meat supplier JBS, as well as thefts of US federal agency emails via a breach of IT supplier SolarWinds, have prompted concern. 

The current attacks look to be one of Fancy Bear's "classic military intel mission that is their major emphasis," according to John Hultquist, vice president of intelligence analysis at cybersecurity firm FireEye. 

Hultquist added that their bread and butter is good old-fashioned spy vs. spy activity that has been carried over into the cyber arena. He expressed concern that the organization may target the next Olympic Games in Japan, citing Russia's prior involvement in assaults on the 2018 Winter Olympics in South Korea.

More than 3 million Russians have become victims of a new online fraud scheme

Experts of the cybersecurity company Group-IB note that fraudsters skillfully disguise fake payment pages: they often contain logos of the international payment systems Visa, MasterCard.

"By creating phishing sites for popular services and online stores, scammers have learned to imitate payment pages protected by 3-D Secure, a technology that was previously considered one of the most effective to ensure the protection of user payment data when paying for online purchases worldwide", said the experts.

Attackers attract the victim with fraudulent advertising or spam mailing to the phishing page of the online store. There, the user enters payment data, paying for the selected product or service. Then SMS code is sent to the user's phone number to confirm the transaction. The user enters the code into the same form on the legitimate 3-D Secure page, and the money goes to the fraudster's card.

According to experts, to protect themselves, users must first pay attention to the source of the payment in an SMS message from the bank with a transaction confirmation code.

"If the words Card2Card or P2P are specified there, but the payment was not initiated from the specified resources, you should not enter the received code to confirm the payment," noted experts.

Information security expert Alexey Lukatsky stressed that it is necessary to pay attention to the name of the site, to its design, to possibly grammatical errors that are there, and to the domain on which this site is hosted.

The expert added that it is necessary to pay attention also to the 3-D Secure page.

"Because this domain must also be identical to the domain whose bank issues a card. Accordingly, if the domain name indicates something different or similar to our bank, then this is also a sign of fraud," added Mr. Lukatsky.

Logins and passwords of at least 1.2 million Russians have been leaked online

 The credential verification service developed by cybersecurity company BI.ZONE (a subsidiary of Sberbank) has revealed that information about logins and passwords of more than 1.2 million Russians is freely available as a result of data leaks.

"BI.ZONE, a strategic digital risk management company, helped over one and a half million Russians check their credentials for leaks containing their usernames and open passwords. The owners of more than 1 million 200 thousand contacts could become potential victims," the company said.

Experts note that this information is available not only on the darknet but also on the normal Internet. At the same time, since it is freely available, attackers do not even need to buy it.

According to Anton Okoshkin, director of anti-fraud at BI.ZONE, many Russians use the same credentials for many sites, so their leakage can lead to hacking of all accounts.

"In most cases, people use the same username and password on a variety of resources: from accounts in social networks and online stores to work services. In such a situation, if your account is compromised on one of them, the risk of hacking all accounts increases," Okoshkin noted.

At the same time, the expert noted that attackers usually begin automated verification of credentials on different services a few hours after the appearance of the leak in the public domain. "It is very important to promptly warn users about the compromise of their data," he stressed.

Almost 1.7 million Russians have already used the company's credential verification service. The service checks for a set of 5 billion credentials that have exactly fallen into the hands of attackers and contain user usernames and passwords. The leaked database is updated weekly.

Russia intends to sign agreements with a number of countries in the field of cybersecurity

Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov named several countries with which Moscow plans to sign agreements on cooperation in the field of cybersecurity.

Mr. Khramov said that intergovernmental cooperation agreements are ready to be signed with Indonesia, Nicaragua and Uzbekistan. Relevant agreements with Iran and Kyrgyzstan were signed this year.

"About half a dozen draft agreements are at the stage of expert elaboration or domestic approval," Khramov added.

"Russia is ready to cooperate with all states that share its approaches and aim to jointly counter threats to international information security. But, of course, dialogue with our closest partners in the Collective Security Treaty Organization (CSTO), SCO and BRICS will continue to develop as a priority," Khramov stressed.

He also noted that cooperation within these associations has a solid legal foundation. Thus, Russia has concluded bilateral agreements with all the BRICS countries. Within the framework of the CSTO, there are specialized agreements on cooperation in a multilateral format.

Khramov stressed that, regarding the Western countries," the dialogue with our French colleagues is progressing positively."

In May, the American media reported on the possible connection of hackers who attacked the Colonial Pipeline with Russia. However, the White House did not confirm this information. Deputy Assistant to the US President for National Security Ann Nyberger stressed that it was a group of hackers, not a state, who carried out the attack.

On June 11, White House press secretary Jen Psaki said that the US authorities are ready to discuss at the upcoming US-Russian summit the topic of cybercrimes.

On June 16, Russian President Vladimir Putin and his American counterpart Joe Biden agreed to start consultations on cybersecurity during the summit in Geneva. But after, the Russian Foreign Ministry accused the United States of trying to win back the summit agreements on cybersecurity

Russian Foreign Ministry accused the United States of trying to win back the summit agreements on cybersecurity

According to the Russian Foreign Ministry, the words of White House spokesman Jen Psaki that the United States does not intend to warn Moscow about retaliatory cyber attacks are perplexing.

On Monday Psaki said that at the summit in Geneva, the US president Joe Biden mentioned hacking attacks on American facilities, which are blamed on Russia.

As Russian Foreign Ministry spokeswoman Maria Zakharova noted, Psaki's statement is surprising in the context of the Geneva talks, after which the sides announced their intention to begin consultations on cybersecurity.

"It seems that the United States is still trying to retain the right to launch cyber attacks based on fake Russian accusations of cyber attacks," Zakharova stressed at the briefing.

According to her, if Washington commits a cyber attack without warning, it will be an unannounced attack first.

"We really want Washington to take these words seriously," the Foreign Ministry representative added.

Zakharova recalled that before the meeting in Geneva, the United States had made it clear that the topic of international information security had become strategic for them.

"In this context, we hope that the understanding of the need for a direct, professional and responsible conversation with Russia will prevail. We expect Washington to take appropriate steps," the diplomat concluded.

Russia-US summit was held in Geneva on June 16. Summing up the negotiations, Vladimir Putin said that the sides will start consultations on cybersecurity. The president recalled that Moscow had previously provided all the information on the U.S. requests for cyberattacks, but had received nothing in response from the U.S. intelligence agencies. Putin noted that most of the cyber attacks in the world come from the U.S. and that anti-Russian insinuation must be stopped.

The Russian government plans to create a unified video surveillance system

The Russian government wants to create a single video surveillance system that will unite smart cameras in Russian cities. The devices will be able to recognize faces and license plates. The project will help to quickly respond to crimes, and in some cases, prevent them. The personal data of ordinary people is promised to be reliably protected.

The development of the project and the installation of cameras is estimated at 250 billion rubles ($3,500,000), and the implementation may take five years. Previously, the project was estimated at 97 billion rubles ($1,350,000).

Now the cameras in Moscow send video to the Data Processing Center, and in the new system, they will recognize suspicious situations themselves and only then send the video to the Data Processing Center.

It is expected that different cameras will be installed in the cities, depending on the tasks. A face recognition system will be needed somewhere and there will be cameras with powerful computing modules. In other places, there will be enough cameras with motion sensors.

According to the expert, the system will make it possible to better detect violations, respond promptly to them, and in some cases even predict them.

The emergence of a unified video surveillance system may raise fears that personal data will be sent to smart cameras. The CEO of Lab.Ag and the developer of many government sites, Artem Geller, explained that such an outcome is inevitable because the cameras are aimed at fixing the physical data of people.

"Of course, they will process the physiological aspects such as face, gait, clothing, license plate. But don't forget that cameras are already doing this,” Geller added.

Cybersecurity specialist Sergey Vakulin recalled the experience of video surveillance systems in China, where there is also a face recognition function, but each person is assigned his own identification number. And only then this data is encrypted, but even with such a process, there are vulnerabilities.

"The biggest problem is that a lot of data is stored and transmitted using a global network. And devices connected to the global network are more vulnerable," Vakulin added.

According to Vakulin, it is too early to worry about possible hacking and data leaks. He explained that each system has cybersecurity specialists, testers who detect bugs.

Putin called the accusations of launching a cyber war against the United States unsubstantiated

 Russian President Vladimir Putin said that the US accusations against Russia, including cyber attacks and election interference, are groundless, the US side has never provided any evidence.

"We are accused of a variety of things: interference in elections, cyber attacks, and so on. And they [the accusers] did not bother to provide any evidence. Just baseless accusations," he said, calling statements about Russia's involvement in cyber attacks in the United States a farce.

"The issue of cybersecurity is one of the most important today because all sorts of shutdowns of entire systems lead to very serious consequences, and this is possible," the Russian leader said in an interview with the program "Moscow. The Kremlin. Putin" of the Russia-1 TV channel.

According to Putin, the Russian Federation will be ready to extradite cybercriminals to the United States if the American side also extradites criminals to Russia.

He stressed that such agreements are expressed in the relevant interstate agreements, where the parties undertake certain obligations.

"And they are in the vast majority of cases equivalent. Both sides assume the same obligations," Putin explained.

On June 4, Putin called the accusations of cyber attacks on American companies made against Moscow ridiculous and suggested that the situation could have been provoked to increase disagreements in connection with the upcoming meeting with US President Joe Biden. The press secretary of the Russian leader Dmitry Peskov assured that Moscow will promptly consider the appeals of the American side in connection with the hacker attack on the JBS enterprises if such requests are received. He also stressed that Russia does not have data on the organizers of cyber attacks on JBS.

Putin did not rule out that Western intelligence services, including American ones, may conduct activities against Russia in the cyber sphere.

"I am not afraid of this, but I do not rule out that it may be so," the Russian leader said.

“What the US is afraid of may pose a threat to us. NATO has declared cyberspace a war zone. They are planning something, and this cannot but worry us," the Russian president added.

Cisco Smart Install Protocol is Still Being Exploited in Cyber-Attacks


Five years after Cisco issued its first warning, the Smart Install protocol is still being utilized in assaults, and there are around 18,000 internet-exposed devices that might be targeted by hackers. Smart Install is a plug-and-play configuration and image-management technology from Cisco that allows new switches to be deployed with zero-touch. Smart Install can be extremely important to organizations, but it can also be a significant security concern. 

A Smart Install network consists of a group of networking devices known as clients that are served by a common Layer 3 switch or router that serves as a director. You can use the Zero-Touch Installation process in a Smart Install network to install new access layer switches without the help of the network administrator. The director acts as a central management point for client switch images and configuration. When a new client switch is added to the network, the director immediately recognizes it and determines which Cisco IOS image and configuration file should be downloaded. 

The function remains enabled and can be accessed without authentication once a device has been set up via Smart Install. Malicious actors have been able to remotely target devices with Smart Install enabled, including reloading devices, loading a new operating system image, and running arbitrary commands with elevated privileges. 

After an exploitation tool was made public in 2016, Cisco issued a warning on the misuse of Smart Install. In 2017 and 2018, the company sent more alerts, identifying hundreds of thousands of vulnerable devices, including those in critical infrastructure organizations. In 2018, it was revealed that hacktivists targeted the Smart Install function in assaults on Cisco switches in Iran and Russia as part of an ostensibly pro-US attack, as well as a state-sponsored cyberespionage group affiliated to Russia. 

In 2016, the number of networking equipment vulnerable to Smart Install assaults surpassed 250,000, but by 2018 it had reduced to 168,000. The Shadowserver Foundation is still keeping track of the number of potentially susceptible devices, reporting that almost 18,000 are currently online, including many in North America, South Korea, the United Kingdom, India, and Russia. 

Last month, Lumen Technologies' Black Lotus Labs cybersecurity unit discovered that a hacktivist group had compromised at least 100 internet-exposed routers belonging to both public and private sector entities, most of which were based in the United States.