Search This Blog

Showing posts with label cyber attack. Show all posts

Coronavirus Themed Phishing Attacks Continue to Rise


New data by researchers has demonstrated that cybercriminals are preying on people's concerns regarding the COVID-19 pandemic and carrying out sophisticated phishing, malware and email attacks. The sudden upsurge in the related attacks imply that attackers were quick to adapt to the new global health crisis environment and exploit it in their favor.

As per Barracuda Networks, an American IT security company, the number of email attacks associated with the new Coronavirus has seen a steady surge since January, the type of attack has recorded a 667% spike by the end of February. As per the data, January recorded a total of 137 attacks only, while in the month of February the number spiked to a whopping 1,188 and between March 1st to 23rd, there were as many as 9,116 email attacks in the regard.

Another notable kind of attack is the one where victims are receiving malicious emails with the promises of offering financial relief during the COVID-19 pandemic, researchers warned. Users are being tricked into believing that they will be receiving payments from global institutions, businesses and governments working with a common objective of providing economic aid to common people during the ongoing pandemic, as soon as the user clicks on the links or proceed to download files, the attacker gets illicit access to his credentials, card data, and other sensitive information.

One such campaign is found to be specifically attacking U.S. healthcare, IT sector and higher-education organizations, the emails sent in relation to this campaign contain a message titled "General Payroll!"

"The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic,” it says.

“All staff/faculty & employee include students are expected to verify their email account for new payroll directory and adjustment for the month of March benefit payment.” The message further reads.

Users receiving the email are asked to access a malicious link that will direct them to a phishing page in order to verify their email account, they will be required to enter their usernames, email addresses, and passwords linked with their employee benefits. By doing so, the user will provide his personal data to the page controlled by the attackers.

“The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale, and these recent payment-related lures underscore that threat actors are paying attention to new developments,” researchers told.

Hackers switched from direct theft of money to gaining control over the infrastructure of companies


According to the report by Rostelecom Solar JSOC, hackers changed the focus of attacks, switching from direct theft of money to gaining control over the infrastructure of companies. Experts explain this trend by the fact that the average level of security of banks has increased significantly, which forces hackers to look for more vulnerable targets. Moreover, the demand for industrial espionage has increased on the black market. However, experts said that the activity of such hacker groups began to decrease against the background of the pandemic.

According to the report, by the end of 2019, the number of attacks aimed at gaining control over the infrastructure of companies and organizations has increased by 40%, while attacks for the purpose of stealing money have become 15% less frequent.

A long and unnoticeable presence in the organization's infrastructure allows attackers to investigate its internal processes in detail, gain deeper access to IT systems and control over them, says Vladimir Drukov, Director of Solar JSOC. He notes that hackers monetize this information by selling it on the black market, blackmailing the victim organization, or engaging in competitive intelligence.

In addition, in recent years, attacks are increasingly targeted at industrial and energy facilities, as well as government agencies whose control over infrastructure is critical for the country.

Kaspersky Lab confirmed that the number of attacks on corporate infrastructure is increasing. According to antivirus expert Denis Legezo, about 200 groups engaged in cyber espionage are currently being observed. However, the expert notes that during the coronavirus pandemic, a decline in their activity is noticeable.

Head of Analytics and Special Projects at InfoWatch Group of Companies Andrei Arsentyev noted that hackers are usually engaged in industrial espionage by order, including “hunting for various know-how, business development plans, pricing schedules”.

Attackers can monetize attacks not only through theft of funds but also by selling already configured connections to the victim’s local network to other criminals, says Evgeny Gnedin, head of Positive Technologies information security analytics department. Such a model of “access as a service” is gaining momentum today, which explains the increase in the number of such attacks.

Security Experts say number of network nodes in the Russian Federation accessible via RDP


Positive Technologies experts said that the number of network nodes in the Russian Federation accessible via the Remote Desktop Protocol (RDP) for three weeks (since the end of February 2020) increased by 9% and reached over 112,000.

It is enough for hackers to send a special RDP request to vulnerable Remote Desktop Services (RDS) to attack. Authentication is not required. If successful, an attacker can install and delete programs on a compromised system, create accounts with the highest level of access, and read and edit confidential information. The vulnerabilities affect Windows 7, Windows Server 2008, and Windows Server 2008 R2 operating systems.

According to Alexey Novikov, director of Positive Technologies security expert center, attacks on the network perimeter of domestic companies have begun to grow. Hackers are trying to get access over servers and get into the local network. This boom is caused by the transfer of employees to remote work.

For a secure remote connection, employees need to use a special gateway. For RDP connections needs a RDG, for VPN requires a VPN Gateway. Experts do not recommend connecting directly to the workplace.

Experts warn that opening access to individual subnets to all VPN users at once significantly reduces the security of the organization and not only gives broad opportunities to an external attacker but also increases the risk of an insider attack. Therefore, IT professionals need to maintain network segmentation and allocate the required number of VPN pools.

Positive Technologies experts emphasize the threat of remote access channels to business-critical networks and systems, for example, production and energy technology networks, ATM management networks or card processing in banks.

In addition, Positive Technologies recommends paying attention to a critical vulnerability (CVE-2019-19781) in Citrix software that is used in corporate networks. The vulnerability in PHP 7 (CVE-2019-11043), which, according to Positive Technologies, was included in the list of the most dangerous by the end of 2019, should be eliminated.

Russian Defence Minister says Pro-Western Activists Trying to Infiltrate Military Facilities using Media Laws as a cover


Defense Minister Sergei Shoigu, speaking in the Federation Council, announced opposition attempts to penetrate Russian military facilities.

The head of the military Department recalled that Western countries regularly make high-profile accusations against Moscow, such as interference in American elections, hacking attacks, and concealment of military losses.

"In our country, they are supported by a Pro-Western opposition division regularly trained abroad. Using media laws as a cover, its activists are trying to infiltrate military facilities and are monitoring relatives and witnesses. They go to hospitals where our wounded are lying, to cemeteries, to commemorations, to the families of our dead children. They take photos of the entrances and exits from our secret objects and put them on the Internet. You can imagine what responsibility they would be brought to in Western countries," said the head of the military Department.

In this regard, Shoigu called on senators to regulate Russian legislation in this area.
The head of the defense department also told the Federation Council about the increase in the number of cyberattacks against the Russian army.

"The information space today has become another theater of war. Over the past three years, the information infrastructure of the Armed Forces has been attacked by more than 25 thousand high-tech computer attacks from abroad. At the same time, their number increases annually by an average of 12%. We are ready for this fight. Of course, I wanted the hackers to have a little less domestic helpers,” said Shoigu.

According to him, the Ministry of Defense has a reliable system for protecting information resources, and all attacks are neutralized.

A number of countries have previously accused Russia of hacking attacks. Thus, Georgia accused the Russian military of planning and conducting a cyberattack, as a result of which sites and servers of several government bodies, courts, the media, and private companies were damaged. Also, the head of the Ministry of Defense of Ukraine Andrei Zagorodniuk said that the country is daily faced with cyberattacks that come from Russia.

At the same time, since 2016, the United States has been discussing the topic of possible Russian interference in the presidential election, as a result of which Donald Trump became the head of state.

Rostelecom detected more than a hundred thousand cyberattacks in the North-Western Federal district of Russia


In 2019, the Rostelecom Solar JSOC Monitoring and Response Center for Cyberthreats detected and repelled over 1.1 million external attacks on organizations' information resources. At the same time, as always, more than 430 thousand cyberattacks were detected in Moscow. More than 128 thousand cyberattacks were recorded over the year in the North-Western Federal district.

The most common tool of hackers was the use of vulnerabilities in web applications (web portals, email, Internet banks, personal accounts). At the same time, according to Solar JSOC experts, it's easy to hack every third application and gain access to the organization’s server. The number of such attacks increased by 13% in 2019.

"Such dynamics can be associated with the active development of corporate Internet resources, not only in traditional industries (banks, retail), but also in the fuel and energy sector, and the public sector. At the same time, most of these resources have critical vulnerabilities that allow hackers to get privileged access to the organization's resources," explained Vladimir Dryukov, director of the

Rostelecom Solar JSOC Monitoring and Response Center.
Also, in 28% of cases, cybercriminals used the introduction of malware (viruses, Trojans, spyware, etc.) into the information infrastructure of organizations in the region. Across the country, the number of such attacks increased by 11% in 2019. At the same time, hackers are constantly improving their tools, making malware less visible to security tools.

The method of selecting and compromising credentials (logins and passwords) from the Internet resources of organizations was in third place.

According to experts, among other types of cyberattacks, there are attempts to compromise logins and passwords of system administrators, DDoS, and exploitation of known vulnerabilities that were not timely eliminated by information security services of organizations.

The Federal Security Service (FSB) of the Russian Federation purchased equipment for hacking smart devices - Hacker group Digital Revolution


Hacker group Digital Revolution published documents according to which the FSB ordered the creation of the Fronton program for organizing cyberattacks using the Internet of things devices.

According to the technical documentation published by hackers, there are three versions of the program — Fronton, Fronton-3D and Fronton-18. They allow infecting smart devices (from digital assistants to smart homes), integrate them into a network and “crash” the servers responsible for the stability of large Internet services and the Internet in entire countries.

It's interesting to note that the Moscow company 0day (LLC 0DT) could have participated in the development of the programs. Previously, the company also carried out orders of the Ministry of Internal Affairs.

According to the published documents, the Internet of things is "less secure, unlike mobile devices and servers." This is due to the fact that many users use smart devices instantly, without changing factory usernames and passwords.

FSB contractors cite the experience of Mirai, the largest network of infected IoT devices, which had 600,000 bots. In 2016, it disabled the DNS servers of the American company Dyn, which made PayPal, Twitter, Netflix and about 70 other services unavailable for some time. At the same time, the organizers of the attack did not use computers, but printers, children's monitors and IoT routers.
Hackers noted that Fronton can be used for "spying on the whole world". The BBC suggests that, most likely, the main targets of cyberattacks may be digital cameras.

The documents note that 95% of the botnet should consist of IP cameras and digital video recorders. Search server must find targets for hacking, which can be connected via a virtual private network or the Tor browser. Documentation also emphasizes that "the use of the Russian language and the connected Cyrillic alphabet is excluded". It is suggested to hack devices using a dictionary of typical passwords from the Internet of things devices.

In December 2018, Digital Revolution said that it hacked the server of the Kvant Scientific Research Institute, owned by the FSB, and found documents on the system of automatic monitoring of social networks for protest moods. In the summer of 2019, hackers said that they broke into the servers of the Moscow IT company Sitek, which carried out projects for Russian special services and agencies.

ESET: hackers used the Adobe brand to attack government websites


IT specialists of the Slovak company ESET warn of a new series of attacks committed by the Turla cyber-spy group, which are aimed at websites of government agencies in the world.

"ESET, a leader in information security, has discovered a new activity of the Turla group, which is aimed at government websites. This time, cybercriminals are using social engineering techniques, using a fake Adobe Flash update as a decoy to download malicious software," said the website.

According to the report, as a result of such attacks, at least four websites, two of which belong to the government of Armenia, were infected. At the same time, these web portals have been infected at least since the beginning of 2019. ESET specialists warned the national unit of CERT of Armenia. Thus, the researchers concluded that the main target of cybercriminals is officials and politicians.

During the recorded cyberattacks, hackers infect the selected site with malicious software, which is subsequently transmitted to the devices of users of the resource. After the initial infection, Turla operators get full access to the victims' devices.

ESET specialists were not able to determine what the hackers did on infected devices, but they usually try to steal confidential documents.

According to ESET, during the latest attacks, the cybercriminals of the Turla group used a completely new backdoor called PyFlash. According to ESET experts, the authors of Turla used Python for the first time in this malicious software. The command server sends commands to the backdoor to download files, execute Windows commands, and launch and remove malicious software.

The company added that the group of cybercriminals Turla is active in most of the world, but mainly its activities are aimed at countries in Eastern Europe and East Asia. Its main goals are government and military organizations. A group of cyber spies has been working for more than ten years.

Check Point: coronavirus has become a tool for hacker attacks on users and businesses


According to Check Point Threat Intelligence, more than 4,000 coronavirus-related domains have been registered worldwide since January 2020. 3% of these sites have already been identified as malicious, and another 5% as suspicious.

According to experts, hackers send spam with a link to a malicious site on behalf of trusted organizations to encourage a potential victim to click on it. When you click the link, malware is automatically installed on the user's device.

So, Check Point discovered a phishing attack allegedly on behalf of the World Health Organization (WHO), which spread in Italy. Experts noted that 10% of organizations in Italy were subjected to this attack.

Moreover, a website registered in Russia in February 2020 was discovered. The attackers offered to buy "the best and fastest test for detecting coronavirus at a fantastic price — 19,000 rubles ($264)".
In addition, a large spam campaign was recorded in Japan. There, attackers send spam on behalf of the Japanese Society for the rehabilitation of disabled persons (JSRD). Emails report the spread of the coronavirus in several cities in Japan, prompting the recipient to open the document.
If the user is interested and opens the attachment, the Emotet Trojan will be downloaded to their computer.

According to experts, as the spread of the coronavirus continues, scammers will continue to use the coronavirus theme to carry out attacks on users and businesses.

Any events that cause mass discussion or are popular, especially negative ones, are an occasion for fraudsters to realize their plans, said Alexey Dankov, head of the information security Department at Cross Technologies. In this case, they use the news as an excuse to get data, and people who are panicked lose their vigilance and, as a result, trust scammers.

"A virus that has become a pandemic is a great reason for cybercriminals to get the desired information on accounts and personal information," added Mr. Dankov.

Russia has responded to Canada's accusations of cyberattacks on Georgian websites


The international community, following Georgia, the UK and the US, continues to publish statements condemning the cyberattack allegedly committed by Russia on the websites of Georgian government agencies, non-governmental organizations and the media. The relevant statements are published in Georgian by the Georgian Foreign Ministry.

Foreign Ministry of Australia, the Ministry of Foreign Affairs of Ukraine, and the foreign ministries of Canada, the Netherlands, Romania, and Montenegro condemned the actions of the Russian GRU. And the Icelandic Foreign Minister on his behalf published a short statement on Twitter.
The Ministry of Foreign Affairs of Ukraine not only condemns Russia but also calls on the international community to "bring to justice those who deliberately organize and carry out cyberattacks".

The authors of all statements regard the report of a cyberattack on Georgian websites as a "violation by Russia of the sovereignty and territorial integrity of Georgia and disrespect for the norms and principles of international law".

However, the Russian Embassy in Canada on Twitter stated that Russia is not involved in cyberattacks on Georgian government websites.

"Another fragment of Russophobic lies and fakes," the Russian mission responded to the accusations from Canada. The diplomats called the Canadian policy towards Russia extremely deplorable and reprehensible, and stressed that it further worsens the weakened relations between the two countries.
Prior to this, the accusations of cyberattacks on Georgia were denied by the Deputy head of the

Russian Foreign Ministry, Andrey Rudenko. According to him, Russia did not intend and is not going to interfere in the internal affairs of the neighboring country.

Recall, on February 20, US Secretary of State Michael Pompeo accused Russia of attacking Georgia. They allegedly occurred in October 2019. According to him, because of this, the work of the country's government, several private websites and two major television stations was disrupted. Representatives of the Georgian government made the same statements. The cyberattack was allegedly indicated by the results of the investigation, which Tbilisi conducted "together with other partners."

Russian banks and energy companies have undergone a new wave of cyberattacks


A new wave of cyberattacks targeting banks and energy companies has been recorded in Russia. Employees of these organizations receive numerous phishing emails with infected links, clicking on which is fraught with data theft from the computer.

It is reported that the malicious message contains an office document. The victim clicks on it and gets to the text hosting Pastebin, which downloads images from the Imgur service, which in turn contains malicious code. Thanks to it, attackers can steal secret files, withdraw funds, or install spyware on a user's computer.

"Since the chain consists of four stages, the protection tools that companies use cannot detect it, they are designed for shorter activity of malware," explained Igor Zalevsky, head of the center for the investigation of cyber incidents of JSOC CERT Rostelecom-Solar.

The company said that about 60% of phishing emails were received by employees of the energy sector, but 80% of all attacks turned out to be aimed at banks.
Zalevsky added that the attack is similar to the activity of the hacker group Silence, which just specializes in credit organizations. It is possible that the group decided to expand the scope of its activities or it's completely different hackers copying the behavior of Silence.

Group-IB confirmed that the attack recorded by Rostelecom-Solar was previously carried out in the banking sector.

Information security experts said that in 2020, energy companies will become the “main targets” for cybercriminals.

Andrey Arsentyev, head of Analytics and special projects at InfoWatch group, agrees with this assessment, he called the energy sector one of the "most attacked" in recent years. According to Denis Kuvshinov, a leading specialist of the PT Expert Security Center Positive Technologies cyber threat research group, the main goal of cybercriminals targeting the energy sector is industrial espionage, as well as the impact on critical infrastructure.

Sophisticated Hackers Infiltrate Dozens of U.N. Servers


An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by The Associated Press, says many servers were undermined including at the U.N. human rights office, which gathers rather sensitive information all year round.

 According to a U.N. official, the hack seemed very "sophisticated" and the degree of the damage stays vague, particularly regarding personal, secret or compromising information that may have been 'stolen'.

The official, who talked openly about the scene, basically on the condition of appearing anonymous, said frameworks have since been strengthened. “It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward. There’s not even a trace of a clean-up,” says the authority said.

Jake Williams, CEO of the cybersecurity firm Rendition Infosec and a former U.S. government hacker says, “The intrusion definitely looks like espionage,” referring to the incident which occurred just the previous year where the 'sophisticated hackers' had invaded U.N. offices in Geneva and Vienna in an apparent espionage operation, and their identity and the degree of the information they acquired is obscure.

 “The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them and any number of intelligence agencies from around the globe are likely interested in infiltrating the U.N,” Williams added further.

U.N. representative Stephane Dujarric said the attack “resulted in a compromise of core infrastructure components” and was “determined to be serious.” The 'earliest' activity was identified with the intrusion that happened in July and it was detected in August, he said in light of emailed questions.

He said the world body needs more data to figure out who may have been behind the incursion; however included "the methods and tools used in the attack indicate a high level of resource, capability, and determination."

The report says that the hackers exploited a flaw in Microsoft's SharePoint software to penetrate the systems however that the type of malware utilized was unknown, nor had professionals recognized the command and control servers on the web used to exfiltrate data.

Nor was it comprehended what component and mechanism were utilized by the hackers to keep up their presence on the invaded systems. The inner document from the U.N. Office of Information and Technology said 42 servers were "compromised" and another 25 were regarded "suspicious," about all at the sprawling Geneva and Vienna offices.

Three of the "compromised" servers are believed to belong to the Human Rights office, which is situated across town from the primary U.N. office in Geneva, and two were utilized by the U.N. Economic Commission for Europe.

Nonetheless, this hack comes in the midst of rising concerns about computer or cell phone vulnerabilities, both for huge associations like governments and the U.N. just as for individuals and businesses.

Malware Attack! Oregon County's Network Smashed By a Ransomware?


Per local news and reports, allegedly, a cyber-attack shook the Tillamook County of Oregon, USA when it rendered the local government’s services ineffective.

Apparently owing it to the cyber-attack, the county officials are back to basics with all their daily tasks and are working about the crisis.

When the computers in the various departments of the county started misbehaving, that’s when the officials grasped the severity of the situation and immediately warned the IT department.

That is when the IT department comprehended that the systems had been infected with encrypting malware. To contain the infection, all the affected servers and devices were instantly isolated.

There is no sincere evidence to show if the malware was used for a ransomware attack but it sure is being conjectured on the affirmative. Per sources, no request for a ransom has been posted so far.

Allegedly, the Oregon city was recently struck by a cyber-attack of the same nature about a week ago.

The damage is of such a severe type that along with infecting all of the county’s computers and servers it has seriously harmed both the online and offline phone systems given the “VoIP” (Voice over Internet Protocol) that they employ.

Per sources, to rummage the details of the cyber-attack including the source, type, and magnitude of the attack, the county especially engaged a “digital forensic” team from a well-known cyber-security organization.

There is no doubting the fact that the Oregon county systems have been shut by the attack indefinitely and there is no knowing when they’d be back on operations.

With quite a substantial population to be hit by a cyber-attack of such severity, Oregon County has never before experienced a similar attack. Hence they can’t exactly mention their modus operandi to their plan of mitigation.

Sources mention that the county officials have decided to subcontract a few response operations to counter the attack and its repercussions.

The cyber-crisis management team happens to be the best at what they do and are efficiently working towards containing and mending the damages done by the malware.

Alexander Baranov says Russia has nothing to do with the cyberattack on the friendly Austrian Foreign Ministry


The hacker attack that the Austrian Ministry of Foreign Affairs underwent prompted European countries to take active measures to defend against such attacks. At the same time, the EU accuses Moscow of the attack, which makes no sense, given the friendly relations between Russia and Austria. Alexander Baranov, head of the Department of Information Security at the National Research University, commented on the situation.

According to the expert, anti-Russian accusations once again show the policy of Western "hawks" who regularly make groundless statements to undesirable countries.
"These accusations are completely groundless and are not supported by any arguments," Baranov said.

He stressed that Russia has absolutely no interest in attacking the Austrian Foreign Ministry. In addition, Austria supports the implementation of major projects, such as the Nord Stream 2 gas pipeline.

"This is one of the friendliest countries in the European Union, I think. Therefore, I do not see any sense to attack its foreign Ministry, especially since the country is small and it does not play a decisive role," the expert believes.

In his opinion, the provocation is obvious in order to worsen relations between the countries.
"One of the most famous methods of hackers is to carry out an attack from the territory of States that have nothing to do with it. Most often it is China or India," Baranov explained.

The expert reminded that it is now almost impossible to track the end user if he uses an anonymizer. It is possible that the European security forces were able to establish any facts, but they are not able to make them public because of the secrecy.

He added that European politicians enjoy their impunity by regularly making unfounded accusations.
"Representatives of Russia have repeatedly asked for facts, but there is nothing, there is only empty talk," the expert concluded.

A hacker attack on the Austrian Foreign Ministry occurred in early January. In Vienna, they believe that the incident has a Russian trace while recognizing the absence of any evidence.

Earlier, the Austrian newspaper DiePresse reported that a number of EU countries decided to form a group to protect themselves from cyber attacks from Russia. Vienna will work together with Germany, the Czech Republic, Belgium and Cyprus on this issue. These States consider themselves to be "victims of a Russian cyber-espionage".

Experts predicted an increase in the number of DDoS attacks in 2020


In Russia, the number of DDoS attacks will increase due to the introduction of 5G technology, said Anton Fishman, head of the system solutions Department of the Group-IB.

He noted that the wider introduction of 5G will significantly increase the number of traditional attacks that providers have faced in recent years. "For example, the power and frequency of DDoS attacks will increase significantly due to many insecure devices."

According to him, a DDoS attack can be used as a distraction when stealing money from a Bank or disabling a service.

Earlier, Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, said that the main areas that require attention when countering cybercrime are DDoS attacks, data leaks and fraud using social engineering methods. He explained that the number of DDoS attacks has increased, their quality has changed, in addition, it is quite difficult to detect them.

It is important to add that on the eve of the Deputy Chairman of the Board of Sberbank Stanislav Kuznetsov said that in January the bank underwent the most powerful DDoS attack in its history.

"On January 2, 2020, Sberbank faced an unprecedented DDoS attack that was 30 times more powerful than the most powerful attack in the history of Sberbank. The attack was carried out using IoT devices (Internet of Things)," said Kuznetsov, noting that the state Bank successfully repelled the cyberattack.

According to Kuznetsov, not every company in Russia or even in the world could reflect such attacks.
"This could become a trend in 2020 [increasing cyber attacks]," he added.

According to Kuznetsov, in 2019, the number of hacker attacks on Sberbank increased by 15-20%, and the Bank records 280-300 attempts to attack its systems per day.

"We identify all of them and block them. In addition, it is worth noting that mass malicious mailings are still popular — about 50% of the emails that our employees receive are spam, including phishing attempts," said the Deputy Chairman of Sberbank.

Hackers from Russia hacked the Ukrainian gas company Burisma


Russian hackers in November 2019 attacked the Ukrainian energy company Burisma in order to gain potentially compromising information about former US Vice President Joe Biden and his son Hunter.

Starting in November 2019, a series of phishing attacks were carried out to gain access to the usernames and passwords of employees of Burisma, as well as other companies belonging to Burisma Holdings. According to an American cybersecurity company Area 1, hackers allegedly linked to the GRU and members of the Fancy Bear group, also known as Sofacy and APT28, are behind these attacks.

It is known that hackers managed to hack the accounts of some employees and thus gain access to one of the company's servers. Experts said that the timing and scale of the attacks suggest that hackers may have been looking for potentially compromising material about the former US Vice President and his son, who was part of the leadership of Burisma.

According to experts from Area 1, the tactics of Russian hackers, are strikingly similar to the hacking of the servers of the National Committee of the Democratic Party of the United States during the 2016 presidential campaign, for which the American special services also blame Russia. Then, as now, Russian hackers used phishing emails.

The story involving the son of Joe Biden in the work of Burisma caused of a loud political scandal in the United States. In this regard, an investigation was launched to impeach President Donald Trump.
In particular, it was pointed out that Trump, during his July phone conversation with his Ukrainian president Vladimir Zelensky, asked him to resume the investigation into Burisma, with which Joe Biden and his son were associated. Moreover, Trump threatened to freeze military aid to Kiev.

Kaspersky Lab recorded an increase in attacks by Russian hackers on banks in Africa


Kaspersky Lab recorded a wave of targeted attacks on major banks in several Tropical African countries in 2020. It is assumed that the attacks are made by the Russian-speaking hacker group Silence.

According to the company's leading anti-virus expert, Sergey Golovanov, "hundreds and sometimes thousands of attempts to attack the infrastructure of banks in Africa are blocked every day."
According to Kaspersky Lab, the hacker group Silence has already penetrated the internal network of

African financial organizations, and the attacks are "in the final stages".
During the attack, hackers could gain access to a large amount of confidential data that can be used in the future, said Golovanov.

At the end of August 2019, Group IB calculated the amount of theft from banks by the group of Russian-speaking hackers The Silence. From June 2016 to June 2019, the amount of damage amounted to about 272 million rubles ($4.2 million). Hackers infected financial institutions in more than 30 countries in Asia, Europe and the CIS.

According to Kaspersky Lab, Silence attacks financial organizations around the world with phishing emails containing malicious files, often on behalf of real employees of organizations. Viruses use administrative tools, study the internal infrastructure of banks, and then attackers steal money (including through ATMs).

The director of the Positive Technologies security expert center, Alexei Novikov believes that Silence did not increase activity at the beginning of 2020, and attacks outside of Russia and the CIS countries are uncharacteristic for them.

Recall that in October, Group-IB reported five hacker groups that threaten Russian banks: Cobalt, Silence, MoneyTaker, Lazarus and SilentCards. According to the founder of Group-IB, "it is curious that three of the five groups (Cobalt, Silence, MoneyTaker) are Russian-speaking, but over the last year Cobalt and Silence began to attack banks mainly outside Russia".

Kaspersky Lab reports North Korean Hacker group Lazarus stealing cryptocurrencies using the Telegram messenger


A group of hackers calling themselves Lazarus modified their previous scheme to steal cryptocurrency which was used in 2018. Hackers use more effective tactics and act more carefully. According to Kaspersky Lab, now, not only users of the macOS operating system are at risk but also users of Windows.

Presumably, Lazarus hackers use malware that runs in memory and not on hard drives allowing it to remain undetected. The researchers believe that the group uses Telegram to spread the virus.

The new Lazarus attack was named Operation APpleJeus Sequel, which follows APpleJeus attack conducted in 2018. Principle of cryptocurrency theft remains the same as before: fake cryptocurrency companies are used to attract investors. The websites of these companies contain links to fraudulent

Telegram trading groups, through which malware that infects Windows computers is distributed.
Once the system is infected, attackers can gain remote access to it and steal the cryptocurrencies stored on the device. So far, researchers have been able to identify many victims of the new fraud across Europe and in China. A representative of Kaspersky Lab reports that it is known about the victims from Russia, China, Poland and the UK. At the same time, they include both individual traders and companies whose activities are related to cryptocurrency.

Kaspersky noted that currently, hackers from Lazarus have suspended their campaign using the messenger, but researchers suggested that in the future, attackers will use even more advanced methods.

Earlier, a closed UN report reported that North Korea finances the development of weapons through digital and Fiat currencies stolen from banks and cryptocurrency exchanges. Last fall, Group-IB said that a North Korean group of hackers stole $571 million in cryptocurrencies.

Attackers hacked a Spanish TV channel and showed an interview with the separatist leader of Catalonia


Spanish state television company TVE on Wednesday said that last Thursday unknown attackers used an open portal on its website to air a Russia Today program about Catalan separatist leader Carles Puigdemont.

According to the representative of TVE, hackers did not break into any external cybersecurity barriers but took advantage of the “open door” on the site.

As the source noted, it is too early to talk about the identity and location of the attackers, since the investigation is not yet finished.

The interview shown last Thursday was watched by about 96 users. Puigdemont and former Ecuadorian President Rafael Correa participated in a program produced by the Russian state channel. 
In addition, in an interview, Puigdemont said that there is no option to resolve the problem of Catalonia, which would not include the independence of the region.

It is interesting to note that both of them fled to Belgium after legal proceedings were initiated against them in their home countries.

Earlier, the Spanish authorities found evidence that Russian groups actively used social networks to support the independence movement of Catalonia and tried to influence public opinion in an effort to destabilize Spain.

Russia Today editor-in-chief Margarita Simonyan said that the channel was not involved in the hack.
"Hackers broke into the Spanish channel "+24" and turned on our broadcast instead of them, Simonyan commented on her Telegram channel.

"We just had an interview with Puigdemont, the chief on the independence of Catalonia. We don't know who did it, but it was beautiful," noted she.

Russian hackers in recent years are suspected of interfering in the political affairs of many countries, including the United States, Britain and France.

Twitter Followers of the Epilepsy Foundation Targeted by a Mass Strobe Cyber attack


A series of mass cyber-attack occurred during the National Epilepsy Awareness Month, as the hackers circulated videos and pictures of 'flashing strobe lights' to a huge number of Twitter followers of the Epilepsy Foundation and obviously aimed to trigger seizures in those suffering with the disorder.

The foundation revealed 30 similar attacks in the first seven day stretch of November, and said it had documented complaints with law enforcement authorities, also including with the US Lawyer's Office in Maryland, where the group's headquarters are situated. It was very indistinct what number of users tapped on the videos and animated images known as GIFs.

In that attack, a Marine Corps veteran from Maryland, John Rayne Rivello, was accused for utilizing Twitter to send a GIF with a blinding strobe light to an epileptic author, Kurt Eichenwald, who had expressed his views through his writings fundamentally on Donald J. Trump and his supporters during the 2016 presidential campaign.

The journalist Kurt Eichenwald was sent a strobing image over Twitter that caused him to have an epileptic seizure

Mr. Eichenwald, who was a correspondent for The New York Times from 1986 to 2006, had composed an opinion piece in Newsweek featured as "How Donald Trump Supporters Attack Journalists."  and in his writing he portrayed the death threats he had received on the grounds that he had 'written critically' on Mr. Trump.

In December 2016, after production of the Newsweek piece, Mr. Eichenwald told the investigators that he once came across such a message from somebody distinguished as @jew_goldstein, which contained a strobe light GIF and an assertion in capital letters: "You deserve a seizure for your posts."

Looking at the strobe caused an immediate seizure that kept going around eight minutes.

Investigators discovered several digital clues which drove them to Mr. Rivello, including a message he had sent to some other Twitter users that read, "I hope this sends him into a seizure." They likewise found a screenshot on Mr. Rivello's iCloud account demonstrating Mr. Eichenwald's Wikipedia page with a 'fake' date of death just as a screenshot of a list of epilepsy seizure triggers that had been duplicated from an epilepsy data site.

Nonetheless Mr. Eichenwald filed a lawsuit against Mr. Rivello in the federal court in Maryland for battery and various other claims. The defense moved to reject it, contending to some degree that the battery claim couldn't be bolstered on the grounds that Mr. Eichenwald didn't claim that any physical contact had happened.

Be that as it may, Chief Judge James K. Bredar of the United States District Court in the District of Maryland allowed the lawsuit to continue, further writing that the “novelty of the mechanism by which the harm was achieved" didn't make the supposed activities any lesser degree of an unjust act.

New Orleans: Mayor Declares State of Emergency after a Cyberattack


The city of New Orleans after being hit by a cyberattack, declared a state of emergency wherein the employees and officials were asked to shut down the computers, power down devices by unplugging and take down all servers as a cautionary measure. As a part of the incident, The Nola.gov website was also down.

Officials suspect the involvement of ransomware as the attacks demanding ransom has become increasingly common in the recent past and ransomware was detected as per Mayor LaToya Cantrell, however, there is no confirmatory lead on the matter as the city has not received any ransom demand from the attackers.

Earlier this year, in November, The State of Louisiana was hit by a ransomware attack which prompted officials to shut down government websites and deactivate other digital services and consequently, a state of emergency was being declared by the governor. As per the sources, it is the gravest cyber attack the state had witnessed till date, it took about two weeks for the authorities to restore all the systems and make them functional again. The attack was followed by aggressive measures being taken by the security officers who classified the attack being a "sophisticated and coordinated" one. As per the latest findings, it remains unclear whether the two attacks are linked to each other or not.

While drawing other correlations, New Orleans Mayor LaToya Cantrell referenced the attack back to one where several school systems in Louisiana were attacked by malware. The compromised school systems were from Sabine, Morehouse, and Ouachita, according to the reports by CNN.

“Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well,” stated a tweet from New Orleans’ Office of Homeland Security & Emergency Preparedness.

During a press conference in regard of the matter, Mayor LaToya Cantrell said, “We have a unified command, we’re here with not only our local partners but our state and federal partners as well, which includes our national guard, Louisiana state police, FBI, the state fusion center and secret service."