Autosummary:
According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents, Telegram messenger data, and drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software. "Autosummary:
In addition, the China-linked clusters weaponized ChatGPT to work on a brute-force script that can break into FTP servers, research about using large-language models (LLMs) to automate penetration testing, and develop code to manage a fleet of Android devices to programmatically post or like content on social media platforms like Facebook, Instagram, TikTok, and X. Some of the other observed malicious activity clusters that harnessed ChatGPT in nefarious ways are listed below -
- A network, consistent with the North Korea IT worker scheme, that used OpenAI's models to drive deceptive employment campaigns by developing materials that could likely advance their fraudulent attempts to apply for IT, software engineering, and other remote jobs around the world
- Sneer Review, a likely China-origin activity that used OpenAI's models to bulk generate social media posts in English, Chinese, and Urdu on topics of geopolitical relevance to the country for sharing on Facebook, Reddit, TikTok, and X
- Operation High Five, a Philippines-origin activity that used OpenAI's models to generate bulk volumes of short comments in English and Taglish on topics related to politics and current events in the Philippines for sharing on Facebook and TikTok
- Operation VAGue Focus, a China-origin activity that used OpenAI's models to generate social media posts for sharing on X by posing as journalists and geopolitical analysts, asking questions about computer network attack and exploitation tools, and translating emails and messages from Chinese to English as part of suspected social engineering attempts "Autosummary:
The posts, shared on TikTok, X, Reddit, and Facebook, included fake engagement to simulate popularity and targeted topics like Taiwan, USAID, and activist Mahrang Baloch.

OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops Pierluigi Paganini June 09, 2025 OpenAI banned ChatGPT accounts tied to Russian and Chinese hackers using the tool for malware, social media abuse, and U.S. satellite tech research. "Autosummary:
Acreed isn't different from a typical info-stealer regarding the information it targets, which includes data stored in Chrome, Firefox, and their various derivatives, including passwords, cookies, cryptocurrency wallets, and credit card details. "Autosummary:
"Void Blizzard's cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America," Microsoft said in a Tuesday report. "Autosummary:
Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America. "Autosummary:
According to the report, the hackers gained initial access using multiple techniques, among them:
- Credential guessing or brute force
- Spear-phishing for credentials
- Spear-phishing to deliver malware
- Exploiting the Outlook NTLM vulnerability CVE-2023-23397
- Leveraging vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) in the Roundcube open-source webmail software
- Exploiting internet-facing infrastructure, corporate VPNs included, via public vulnerabilities and SQL injection
- Exploiting WinRAR vulnerability CVE-2023-38831

To hide the origin of the attack, APT28 routed their communication through compromised small office/home office devices that were in proximity to the target. "Autosummary:
Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. "Autosummary:
Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyber espionage group that has a history of targeting entities in South Korea, the United States, and Russia.

The LNK files are configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named toy03.bat, toy02.bat, and toy01.bat (in that order), the last of which contains shellcode to launch RoKRAT, a staple malware associated with APT37.

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
- Militaire Inlichtingen- en Veiligheidsdienst
- Bezpečnostní informační služba
- Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
- Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Cyber Command (USCYBERCOM)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)

Introduction

For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.

The countries with targeted entities include the following, as illustrated in Figure 1: Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, United States.

Figure 1: Countries with Targeted Entities

Initial Access TTPs

To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):
- Credential guessing [T1110.001] / brute force

The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables

Redirector services used include: Webhook[.]site, FrgeIO, InfinityFree, Dynu, Mocky, Pipedream, Mockbin[.]org

These accounts contained information on aid shipments to Ukraine, including: sender, recipient, train/plane/ship numbers, point of departure, destination, container registration numbers, travel route, and cargo contents.

[T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2:

Example Active Directory Domain Services command:
C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command

Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory.

There were a number of known malware variants tied to this campaign against logistics sector victims, including HEADLACE [7] and MASEPIE [8]. While other malware variants, such as OCEANMAP and STEELHOOK [8], were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.

From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

Table 1: Geographic distribution of targeted IP cameras
Country     Percentage of Total Attempts
Ukraine     81.0%
Romania     9.9%
Poland      4.0%
Hungary     2.8%
Slovakia    1.7%
Others      0.6%

Mitigation Actions

General Security Mitigations

Architecture and Configuration
- Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions

Utilities and scripts

Legitimate utilities

Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
- ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
- wevtutil – A legitimate Windows executable used by threat actors to delete event logs
- vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
- ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
- OpenSSH – The Windows version of a legitimate open source SSH client
- schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
- whoami – A legitimate Windows executable used to retrieve the name of the current user
- tasklist – A legitimate Windows executable used to retrieve the list of running processes
- hostname – A legitimate Windows executable used to retrieve the device name
- arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
- systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
- net – A legitimate Windows executable used to retrieve detailed user information
- wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
- cacls – A legitimate Windows executable used to modify permissions on files
- icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
- ssh – A legitimate Windows executable used to establish network shell connections
- reg – A legitimate Windows executable used to add to or modify the system registry

Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly.

Scripts
- An open source Python script for finding insecure passwords stored in Group Policy Preferences
- ldap-dump.py – A script for enumerating user accounts and other information in Active Directory

Hikvision backdoor string: “YWRtaW46MTEK”

Suspicious command lines

While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
- edge.exe “-headless-new -disable-gpu”
- ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
- ssh -Nf
- schtasks /create /xml

IPAddressToString"
$command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
$command_8 = ".AllKeys"
$variable_1 = "$NTLMAuthentication" nocase
$variable_2 = "$NTLMType2" nocase
$variable_3 = "$listener" nocase
$variable_4 = "$hostip" nocase
$variable_5 = "$request" nocase
$variable_6 = "$ntlmt2" nocase
$variable_7 = "$NTLMType2Response" nocase
$variable_8 = "$buffer" nocase
condition:
5 of ($command_*) or all of ($variable_*)
}

HEADLACE shortcut

rule APT28_HEADLACE_SHORTCUT {
meta:
description = "Detects the HEADLACE backdoor shortcut dropper.

CSeq: 2
Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
User-Agent:
"Autosummary:
"Clicking 'I'm not a robot' triggers a Binance Smart Contract, using an EtherHiding technique, to deliver a Base64-encoded command to the clipboard, which users are prompted to run in Terminal via macOS-specific shortcuts (⌘ + Space, ⌘ + V)," an independent researcher who goes by the alias Badbyte said. "Autosummary:
The financially-motivated group targeted organizations in the media, tourism, finance, insurance, manufacturing, energy, telecommunications, biotechnology and retail sectors. "Autosummary:
Since 2021, APT28 has targeted or compromised French ministerial bodies, local governments, DTIB, aerospace, research, think-tanks, and financial entities. "Autosummary:
According to NATO, these recent incidents include "sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations" that have impacted Czechia, Estonia, Germany, Latvia, Lithuania, Poland, as well as the United Kingdom. "Autosummary:
Each time the app is launched, the trojan silently gathers and transmits data such as the user’s phone number, accounts, contact list, current date, geolocation, stored file details, and the app version to a command-and-control server. "Autosummary:
- Contact lists
- Current date and geolocation
- Information about stored files, and
- App version

Besides sending the victim's location every time it changes to a Telegram bot, the spyware supports the ability to download and run additional modules that allow it to exfiltrate files of interest, particularly those sent via Telegram and WhatsApp. "Autosummary:
"These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster said in an exhaustive analysis. Volexity said it also observed an earlier iteration of the campaign that redirects users to the website "vscode-redirect.azurewebsites[.]net," which, in turn, redirects to the localhost IP address (127.0.0.1). "Autosummary:
Specifically, the spyware performs the following actions: Sends the user's phone number, contacts, geolocation, file info, and app version to attackers. "Autosummary:
Trustwave's latest analysis has revealed that the malicious requests originating from one of Proton66 net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities -
- CVE-2025-0108 - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software
- CVE-2024-41713 - An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
- CVE-2024-10914 - A command injection vulnerability in D-Link NAS
- CVE-2024-55591 & CVE-2025-24472 - Authentication bypass vulnerabilities in Fortinet FortiOS

It's worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack. "Autosummary:
Some of the other payloads dropped by PowerModul are listed below -
- FlashFileGrabber, which is used to steal files from removable media, such as flash drives, and exfiltrate them to the C2 server
- FlashFileGrabberOffline, a variant of FlashFileGrabber that searches removable media for files with specific extensions, and when found, copies them to the local disk within the "%TEMP%\CacheStore\connect\" folder
- USB Worm, which is capable of infecting removable media with a copy of PowerModul

PowerTaskel is functionally similar to PowerModul in that it's also designed to run PowerShell scripts sent by the C2 server. "Autosummary:
Payload stored in Registry, obfuscated and split by functions Source: Symantec

The malware can steal documents (.DOC, .PDF, .XLS, .TXT) from various locations like Desktop, Documents, and Downloads, confirming Gamaredon’s continuing interest in espionage. "Autosummary:
Other observers have posted on Facebook evidence of how propaganda has been posted by thousands of accounts on Telegram groups in the form of comments claiming "Romanians are the servants of the Europeans, the EU is stealing our wealth, the authorities are against the people, Romanians must wake up and stop being cowards..." Ironically, some of the comments have been accidentally left in Russian rather than properly translated into Romanian. "Autosummary:
Rhadamanthys is far from the only stealer in Water Gamayun's arsenal, for it has been observed delivering another commodity stealer called StealC, as well as three custom PowerShell variants referred to as EncryptHub Stealer variant A, variant B, and variant C. The bespoke stealer is fully-featured malware that can collect extensive system information, including details about antivirus software, installed software, network adapters, and running applications. "Autosummary:
Android banking trojan Pierluigi Paganini March 28, 2025 Russian authorities arrested three suspects for developing Mamont, a newly identified Android banking trojan. "Autosummary:
The Russian cybersecurity vendor, in its own bulletin, characterized the zero-day exploitation of CVE-2025-2783 as a technically sophisticated targeted attack, indicative of an advanced persistent threat (APT). "Autosummary:
Some of the other utilities used are
- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Network Scanner for local network reconnaissance
- ADRecon for gathering information from Active Directory
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for lateral movement
- mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication
- Rclone for data transfer

The attacks culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, followed by dropping a note that urges victims to contact them on Telegram for decrypting their files. "Autosummary:
Besides stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers, Arcane is equipped to harvest comprehensive system data as well as configuration files, settings, and account information from several apps such as follows -
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
- Email clients: Microsoft Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, and various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi

Furthermore, Arcane is designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks and their passwords. "Autosummary:
The approach has been used as part of schemes that propagate stealers, remote access tools (RATs), trojans that provide hidden remote access, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat. "Autosummary:
Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner Pierluigi Paganini March 10, 2025 Experts warn of a large-scale cryptocurrency miner campaign targeting Russian users with SilentCryptoMiner.

Using this social engineering trick, threats like stealers, RATs, Trojans, and crypto miners can persist undetected. "Autosummary:
The operation involved the U.S. DOJ, FBI, Europol, and law enforcement from Germany, the Netherlands, Finland, and Estonia. "Autosummary:
CISA maintains stance on Russian cyber threats despite policy shift Pierluigi Paganini March 04, 2025 US CISA confirms no change in defense against Russian cyber threats despite the Trump administration’s pause on offensive operations. "Autosummary:
As The Guardian reports, recent statements from officials, including Liesyl Franz, deputy assistant secretary for international cybersecurity at the US state department, omitted any mention of Russia as a cybersecurity threat - focusing instead on China and Iran. "Autosummary:
"CISA's mission is to defend against all cyber threats to U.S. Critical Infrastructure, including from Russia," the US cyber agency posted to X. "There has been no change in our posture. "Autosummary:
In one of the attacks targeting a government sector customer, Solar said it discovered the attacker deploying various tools to facilitate reconnaissance, while also dropping LuckyStrike Agent, a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2). "Autosummary:
“In these operations, UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite” - Google Threat Intelligence Group The fake invitations had the legitimate redirect JavaScript code replaced with a malicious block that included Signal’s URI (Uniform Resource Identifier) for linking a new device (“sgnl://linkdevice uuid”) instead of the one for joining the group (“sgnl://signal.group/”). "Autosummary:
Microsoft has observed network scans and subsequent exploitation attempts of the following vulnerabilities:
- CVE-2021-34473 (Microsoft Exchange)
- CVE-2022-41352 (Zimbra Collaboration Suite)
- CVE-2023-32315 (OpenFire)
- CVE-2023-42793 (JetBrains TeamCity)
- CVE-2023-23397 (Microsoft Outlook)
- CVE-2024-1709 (ConnectWise ScreenConnect)
- CVE-2023-48788 (Fortinet FortiClient EMS)

After exploiting the above vulnerabilities to obtain access, the hackers established persistence by deploying custom web shells like "LocalOlive". "Autosummary:
The virtual currency exchange received criminal proceeds from various illegal activities, including computer intrusions, ransomware attacks, identity theft, corruption, and drug distribution. Subsequently, Vinnik returned to Greece before being extradited to the U.S. “Today’s result shows how the Justice Department, working with international partners, reaches across the globe to combat cryptocrime,” said Deputy Attorney General Lisa Monaco. "Autosummary:
The group behind the attack, Cozy Bear (also known as Midnight Blizzard, APT29, and Nobelium), is believed to be part of Russia's Foreign Intelligence Service (SVR) and has also been linked to other high-profile breaches, including the infamous 2020 SolarWinds supply chain attack.

CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed.

The 7-Zip vulnerability (CVE-2025-0411)

Mark-of-the-Web (MotW) is a zone identifier used by the Windows operating system to flag files downloaded from the internet as potentially harmful. “CVE-2025-0411 allows threat actors to bypass Windows MoTW protections by double archiving contents using 7-Zip. … More
The post Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) appeared first on Help Net Security.
CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed. "Autosummary:
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. "Autosummary:
Star Blizzard, a threat actor tied to the Russian Federal Security Service (FSB), was spotted attempting to compromise targets’ WhatsApp accounts through a clever phishing campaign.

The campaign

The campaign started with a spear-phishing email that was made to look like it was sent by a US government official. “We have established a private WhatsApp group to facilitate discussions regarding the latest non-governmental initiatives aimed at supporting Ukraine. This platform will also serve as a … More
The post How Russian hackers went after NGOs’ WhatsApp accounts appeared first on Help Net Security.
The spoofed WhatsApp page, with the QR code obscured (Source: Microsoft Threat Intelligence)

“However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal,” Microsoft’s threat analysts explained. "Autosummary:
Active since at least 2012, it's also tracked under the monikers Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. "Autosummary:
It's also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. "Autosummary:
"Additionally, in the advertisement, Blender was described as not requiring users to sign up, register, or 'provide any kind of detail except the receiving address!'" It's also accused of facilitating money laundering for Russia-aligned ransomware gangs like TrickBot, Conti (formerly Ryuk), Sodinokibi (aka REvil), and Gandcrab. "Autosummary:
DoJ charged three Russian citizens with operating crypto-mixing services Pierluigi Paganini January 11, 2025 The U.S. Department of Justice charged three Russian citizens with operating crypto-mixing services that helped crooks launder cryptocurrency.

The Banshee Stealer is a stealthy threat to the rising number of macOS users around the world, including those in Russian-speaking countries, according to Check Point researcher Antonis Terefos. Banshee Stealer was first publicly profiled in August 2024, a month after its developer began selling it as-a-Service for the high price of $3,000 per month. The malware is capable of functioning across both macOS x86_64 and ARM64 architectures, and can capture / steal credentials and … More
The post Banshee Stealer variant targets Russian-speaking macOS users appeared first on Help Net Security.
But even after the leak, the threat persists: Check Point has identified multiple campaigns still distributing the malware through phishing websites, ostensibly offering popular software (Telegram, TradingView, Parallels, etc.) for download. "Autosummary:
Ukrainian Cyber Alliance destroyed the connectivity of Russian ISP Nodex Pierluigi Paganini January 09, 2025 A group of hacktivists, known as the Ukrainian Cyber Alliance, breached Russian ISP Nodex, stole sensitive documents, and wiped systems. "Autosummary:
Since then, UCA cyber activists have claimed many breaches impacting various Russian organizations, including the Russian Ministry of Defense, Commonwealth of Independent States Institute (financed by the Russian state company Gazprom), the Donetsk People's Republic's Ministry of Coal and Energy, Vladimir Putin's political adviser Vladislav Surkov, and multiple Russian military officers and media outlets, among others. "Autosummary:
"Dieter S. scouted out some of the targeted objects on site, taking photos and videos, for example of military transports and goods," prosecutors said, adding the intelligence information was then passed on to his contact. "Autosummary:
Three Russian-German nationals charged with suspicion of secret service agent activity Pierluigi Paganini January 02, 2025 German authorities have charged three Russian-German nationals with suspicion of, among other things, secret service agent activity for the Russian government. "Autosummary:
In August 2024, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) jointly accused Iran of attempting to undermine democratic processes, including by orchestrating cyber operations designed to gain access to sensitive information related to the elections.
“At the direction of, and with financial support from, the GRU, CGE and its personnel used generative AI tools to quickly create disinformation that would be distributed across a massive network of websites designed to imitate legitimate news outlets to create false corroboration between the stories, as well as to obfuscate their Russian origin.”
“As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims,” reads the complaint.
The domain names registered for the campaign suggest that APT29 targeted entities primarily in the U.S., France, Australia, Ukraine, Portugal, Germany, Israel, France, Greece, Turkey, and the Netherlands.
Impersonating the Samsung Knox Manager (Source: BleepingComputer)
Lookout says development work on BoneSpy peaked between January and October 2022, stabilizing to the following capabilities: collecting SMS messages, including sender, content, and timestamps; recording ambient audio and phone call conversations; capturing GPS and cell-based location data; taking pictures using the camera and capturing device screenshots; accessing the user's web browsing history; extracting names, numbers, emails, and call details from the contact list and call logs; accessing clipboard content; and reading device notifications. PlainGnome is a newer, custom Android surveillance malware that does not use the codebase of a previously known project.
One of the tools Tavdig loads on compromised devices is KazuarV2, Turla's more advanced, stealthy backdoor, designed for long-term intelligence collection, command execution, and data exfiltration.
RedLine info-stealer campaign targets Russian businesses through pirated corporate software Pierluigi Paganini December 08, 2024 An ongoing RedLine information-stealing campaign is targeting Russian businesses using pirated corporate software.
The European Commission, in a press statement on Thursday, said it has stepped up its monitoring of TikTok, urging the platform to "freeze and preserve data related to actual or foreseeable systemic risks its service could pose on electoral processes and civic discourse in the E.U." To that end, it has been asked to retain internal documents and information regarding the design and functioning of its recommender systems, in addition to details on how it's addressing the risk of intentional manipulation through a technique called coordinated inauthentic behavior (CIB).
Moreover, the spyware retains some permissions also found in the genuine app, such as precise location tracking, recording phone calls, and accessing contact information, which are common functionalities in many spyware tools. Its functionality includes location tracking, screen capture, keylogging, call recording, file extraction, password retrieval, and reading messages from other apps.
The second stage incorporates features to log keystrokes, extract files and stored passwords, read chats from other messaging apps, inject JavaScript, execute shell commands, obtain the device unlock password, and even add a new device administrator.
The TGR Group is said to provide a wide range of illegal financial services, including laundering funds belonging to sanctioned entities, an unregistered service to exchange cash and cryptocurrency, accepting cash receipts and converting them into digital assets for clients, a prepaid credit card service, and concealing the source of funds to allow Russian elites to purchase property in the U.K. The NCA noted that the Smart network was used to fund Russian espionage operations between late 2022 and summer 2023.
"Led by the National Crime Agency working with Border Force, Op Destabilise has exposed Russian kleptocrats, drug gangs, and cyber criminals - all of whom relied on the flow of dirty money," said Security Minister Dan Jarvis.
“Through the TGR Group, Russian elites sought to exploit digital assets—in particular U.S. dollar-backed stablecoins—to evade U.S. and international sanctions, further enriching themselves and the Kremlin,” said Acting Under Secretary for Terrorism and Financial Intelligence Bradley T. Smith. “The United States, alongside our allies and partners, remains committed to disrupting any effort by Russia to use digital assets or other illicit financial schemes to accrue, store, and transfer their ill-gotten gains.” “Through key facilitators like Zhdanova, Russian elites, ransomware groups, and other illicit actors sought to evade U.S. and international sanctions, particularly through the abuse of virtual currency,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.
At the same time, Turla stole data from OilRig's systems, including keylogger logs, directory listings, files, account credentials, and malware builders for private tools such as Neuron. It was determined that in late 2022, Turla had breached multiple C2 nodes of the Storm-0156 threat actor and deployed their own malware payloads, including a TinyTurla backdoor variant, the TwoDash backdoor, the Statuezy clipboard monitor, and the MiniPocket downloader.
As part of this Operation Destabilise, U.K. law enforcement has collaborated with many international partners, including the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the FBI, the Drug Enforcement Agency, the French Direction Centrale de la Police Judiciaire, and Ireland's national police and security service, An Garda Síochána (AGS).
Russian-based cybercrime group RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) exploited two Firefox and Tor Browser zero-day vulnerabilities in recent attacks on users across Europe and North America.
While investigating this campaign, ESET found that the Russian threat actors focused their attacks on organizations in Ukraine, Europe, and North America across various industries, including government, defense, energy, pharmaceuticals, and insurance.
Forest Blizzard, a threat group associated with Russia’s GRU military intelligence service, repeatedly breached a US-based organization via compromised computer systems of nearby firms, which they leveraged to authenticate to the target’s enterprise Wi-Fi network. The repeated attacks Volexity, a company that specializes in helping organizations detect the presence of and boot out nation-state level intruders from their systems and networks, said that the attackers were first spotted on a server on the target US …
The post Faraway Russian hackers breached US organization via Wi-Fi appeared first on Help Net Security.
They solved the problem by breaching a nearby organization’s system; moving laterally within that organization to find accessible systems that are connected to the network via a wired Ethernet connection and have a Wi-Fi adapter; and using that Wi-Fi adapter to connect to the target organization’s Wi-Fi and authenticate to it with credentials they had previously compromised via password spraying.
Russia is also believed to have ramped up its sabotage operations across European critical infrastructure following its full-scale invasion of Ukraine in February 2022, targeting Estonia, Finland, Latvia, Lithuania, Norway, and Poland with the goal of destabilizing NATO allies and disrupting their support for Ukraine.
According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments. “The Justice Department unsealed criminal charges today against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware.”
"Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability," Microsoft revealed in its advisory.
"Influence actors linked to Russia, in particular, are manufacturing videos and creating fake articles to undermine the legitimacy of the election, instill fear in voters regarding the election process, and suggest Americans are using violence against each other due to political preferences, judging from information available to the IC," describes CISA.
At the end of October, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released the following statement: “The IC assesses that Russian actors manufactured and amplified a recent video that falsely depicted an individual ripping up ballots in Pennsylvania, judging from information available to the IC and prior activities of other Russian influence actors, including videos and other disinformation activities.”
Midnight Blizzard – a cyber espionage group that has been linked to the Russian Foreign Intelligence Service (SVR) – is targeting government, academia, defense, and NGO workers with phishing emails containing a signed Remote Desktop Protocol (RDP) configuration file. “Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection,” Microsoft’s threat analysts say. Midnight Blizzard (aka Cozy Bear, APT29, and UNC2452) …
The post Russian hackers deliver malicious RDP configuration files to thousands appeared first on Help Net Security.
As the Ukrainian CERT team recently warned, running the malicious file will establish an outgoing RDP connection with the attackers’ server, allowing the server access to disks, network resources, printers, COM ports, audio devices, the clipboard and other resources (including credentials) on the targets’ computer, as well as put into place technical prerequisites for running third-party programs or scripts.
The operation was spearheaded by the Dutch police working with international partners, including the FBI, U.S. Department of Justice, and Eurojust, achieving unprecedented disruption to two highly impactful MaaS operations that have stolen millions of account credentials.
After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease activity, but not before selling their Telegram channel to a Chinese-speaking threat actor.
Another threat actor that has remained laser-focused on Ukraine is Gamaredon, a Russian hacking crew that's also known as Aqua Blizzard (previously Actinium), Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.
Kyiv’s hackers launched an unprecedented cyber attack on Russian state media VGTRK on Putin’s birthday Pierluigi Paganini October 07, 2024 Russian state media VGTRK faced a major cyberattack, which a Ukrainian source claimed was conducted by Kyiv’s hackers.
Microsoft and the US Justice Department have seized over 100 domains used by Star Blizzard, a Russian nation-state threat actor. “Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities,” Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, explained. …
The post 100+ domains seized to stymie Russian Star Blizzard hackers appeared first on Help Net Security.
"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said.
"Cryptex is also associated with over $720 million in transactions to services frequently used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex," the Treasury said.
Some of the tools used by the group are Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner and PsExec.
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.
"The attempt to harm our infrastructure was prevented in a timely manner, and no user whose system was protected by Dr.Web was affected," it added in a separate statement in English, published on its official website.
Russian state media networks banned by Facebook owner. The Russian embassy in Washington, broadcaster RT, formerly Russia Today, and the owner of the Sputnik news agency, Rossiya Segodnya, did not immediately respond to BBC requests for comment.
It offers a user-friendly interface, an extensive collection of templates, an app market to expand functionality, SEO tools, and dedicated e-commerce tools to handle payments and shipping.
The joint advisory, released last week as part of a coordinated exercise dubbed Operation Toy Soldier, comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K. Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations in advance of Russia's full-blown military invasion of the country.
Flashpoint, in a report published last month, said WWH-Club remains operational despite the law enforcement effort, and that "its other administrators are attempting to distance themselves from Kublitskii and Khodyrev." Khodyrev and Kublitskii "had been living in Miami for the past two years, while secretly continuing to administer WWH Club and its sister dark web marketplaces, forums, and schools," the DoJ said.
The US Department of Justice has named five Russian computer hackers as members of Unit 29155 – i.e., the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate (GRU) – which they deem responsible for the 2022 WhisperGate wiper malware attacks on Ukrainian government organizations and critical infrastructure, and subsequently computer network operations against NATO member and ally countries. “Since early 2022, the primary focus of the cyber actors appears to be …
The post Exposed: Russian military Unit 29155 does digital sabotage, espionage appeared first on Help Net Security.
Active Directory (AD) enumeration (Impacket, ldapdomaindump, BloodHound); vulnerability scanning (Acunetix, Amass, Droopescan, eScan, and JoomScan). They use CVE exploit scripts from GitHub repositories to target vulnerable IoT and networking devices, as well as computers and web servers, and virtual private servers to host their tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data.
The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide.
The complete list of domains, which mimic legitimate news outlets like Der Spiegel, Fox News, Le Monde, and The Washington Post, is as follows: tribunalukraine.info, rrn.media, ukrlm.info, faz.ltd, spiegel.agency, lemonde.ltd, leparisien.ltd, rbk.media, 50statesoflie.media, meisterurian.io, artichoc.io, vip-news.org, acrosstheline.press, mypride.press, truthgate.us, warfareinsider.us, shadowwatch.us, pravda-ua.com, waronfakes.com, holylandherald.com, levinaigre.net, grenzezank.com, lexomnium.com, uschina.online, honeymoney.press, sueddeutsche.co, tagesspiegel.co, bild.work, fox-news.top, fox-news.in, forward.pw, and washingtonpost.pm. Concurrent with the domain seizures, the Treasury Department sanctioned 10 individuals and two entities for engaging in efforts to influence and undermine confidence in the electoral process.
GRU Unit 29155 junior officers (U.S. State Department)
Today, the U.S. State Department also announced a reward of up to $10 million through its Rewards for Justice program for information on Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin, five of the Russian military intelligence officers believed to be part of GRU's Unit 29155.
The complete list of domains used by Doppelgänger for spreading disinformation that the FBI has seized includes: tribunalukraine.info, rrn.media, ukrlm.info, faz.ltd, spiegel.agency, lemonde.ltd, leparisien.ltd, rbk.media, 50statesoflie.media, meisterurian.io, artichoc.io, vip-news.org, acrosstheline.press, mypride.press, truthgate.us, warfareinsider.us, shadowwatch.us, pravda-ua.com, waronfakes.com, holylandherald.com, levinaigre.net, grenzezank.com, lexomnium.com, uschina.online, honeymoney.press, sueddeutsche.co, tagesspiegel.co, bild.work, fox-news.top, fox-news.in, forward.pw, and washingtonpost.pm.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.
To mitigate this malicious cyber activity, organizations should take the following actions today:
This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—both during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.
FBI, CISA, NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020: Estonian Internal Security Service (KAPO), Latvian State Security Service (VDD), Security Service of Ukraine (SBU), Computer Emergency Response Team of Ukraine (CERT-UA), Canadian Security Intelligence Service (CSIS), Communications Security Establishment Canada (CSE), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and United Kingdom National Cyber Security Centre (NCSC-UK).
Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the following CVEs: CVE-2020-1472 (Microsoft: Windows Server), CVE-2021-26084 (Atlassian Confluence Server and Data Center), CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing), CVE-2021-4034 (Red Hat: Polkit Privilege Escalation), and CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw).
For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press releases for June 26, 2024, and September 5, 2024, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage.
Acunetix: Unit 29155 cyber actors leveraged both Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks [T1595.002].[6]
Amass: Unit 29155 cyber actors leveraged both Amass and VirusTotal to obtain subdomains for target websites.
In 2021, the Russian cyber-operatives exploited CVE-2021-1879 as a zero-day, targeting government officials in Eastern Europe, attempting to deliver a cookie-stealing framework that snatched LinkedIn, Gmail, and Facebook accounts.
CVE-2024-4671, a use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024); CVE-2024-5274, a type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024). The November 2023 and February 2024 campaigns are said to have involved the compromises of the two Mongolian government websites – both in the former and only mfa.gov[.]mn in the latter – to deliver an exploit for CVE-2023-41993 by means of a malicious iframe component pointing to an actor-controlled domain.
“Kadariya and his associates used multiple strategies to profit from their widespread hacking and wire fraud scheme, including by using accounts on predominantly Russian cybercrime forums to sell to cybercriminals access to the compromised devices of victim Internet users (so-called “loads” or “bots”), as well as information stolen from victims and recorded in “logs,” such as banking information and login credentials, to enable further efforts to defraud the victim Internet users or deliver additional malware to their devices.”
Russian national arrested in Argentina for laundering money of crooks and Lazarus APT Pierluigi Paganini August 24, 2024 A Russian national was arrested in Argentina for laundering proceeds from illicit actors, including North Korea-linked Lazarus Group. “Through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge reported on June 24, 2022.”
Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC. The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts.
The 27-year-old Russian national Georgy Kavzharadze (also known as “George,” “TeRorPP,” “Torqovec,” and “PlutuSS”) has been sentenced to over three years in prison for selling financial information, login credentials, and other personal data on the dark web marketplace, Slilpp.
"When the cost of discovery remains low, phishing remains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated (and expensive) capabilities to discovery," the Citizen Lab said.
"On various occasions, Silnikau allegedly distributed information and tools to Ransom Cartel participants, including information about compromised computers, such as stolen credentials, and tools such as those designed to encrypt or 'lock' compromised computers," the DoJ noted.
Largest online market for stolen credentials. The U.S. Department of Justice announced the takedown of Slilpp on June 10, 2021, following a joint operation with law enforcement agencies from the United States, Germany, the Netherlands, and Romania, who seized servers used to host Slilpp's infrastructure.
The attackers used the results of the utility’s work on their side as a unique key to encrypt the payload file, which can only be decrypted on the victim’s computer, after which they downloaded the following files to the infected computers: Attackers also employed a previously undetected malware dubbed PlugY, which is downloaded through the CloudSorcerer backdoor.
Some things to look out for are: DLL files larger than 5MB in size in the "C:\Users\Public" directory; unsigned "msedgeupdate.dll" files in the file system; and a running process named "msiexec.exe" for each logged-in user. The Russian cybersecurity firm concludes that APT27 and APT31 are likely working together in EastWind.
Russian cyber spies stole data and emails from UK government systems Pierluigi Paganini August 09, 2024 Earlier this year, Russian cyber spies breached UK government systems and stole sensitive data and emails, reported The Record media.
An interesting and somewhat unusual feature is the targeting of files that might contain account credentials such as .pfx, .p12, .kdb, .kdbx, .lastpass, .psafe3, .pem, .key, .private, .asc, .gpg, .ovpn, and .log files.
It was not until Thursday, during the large scale Russia-West prisoner swap, that the Kremlin spies, and their children, were returned to Russia.
Kliushin was charged alongside four other Russian citizens, Ivan Ermakov (aka Ivan Yermakov, 35), Nikolai Rumiantcev (aka Nikolay Rumyantsev, 33), Mikhail Vladimirovich Irzak (aka Mikka Irzak, 43), and Igor Sergeevich Sladkov (42). “Seleznev developed automated systems for systemic identity…” pic.twitter.com/0P36EKtoMB, vx-underground (@vxunderground), August 1, 2024. In December 2017, the Russian hacker Roman Seleznev, aka Track2, Bulba and Ncux, was sentenced to 27 years in prison; he was convicted of causing $170 million in damage by hacking into point-of-sale systems.
Promoted through Snapchat, Instagram, and Telegram, Russian Coms was available as a handset and later as a web app that could provide customers with encrypted calls, web phone, no logs, instant handset wipes, voice changing services, international calls, and 24/7 support.
The list of hacked Russian banks includes Dom.RF, VTB Bank, Alfa-Bank, Sberbank, Raiffeisen Bank, RSHB Bank, Rosbank, Gazprombank, Tinkoff Bank and iBank.
In 2023, the largest players in this space included LockBit, Black Basta, ALPHV/BlackCat, Cl0p, PLAY, and Akira, all run by Russian-speaking threat actors.
The US Treasury mentions the example of Dmitry Khoroshev, the leader of the LockBit ransomware operation, sanctioned in May 2024, as well as Aleksandr Gennadievich Ermakov, a Russian national and a member of the REvil ransomware group, sanctioned in January 2024.
In May 2023, the US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks. On April 26, 2021, Matveev and his Babuk coconspirators hit the Metropolitan Police Department in Washington, D.C. The Russian citizen was charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers.
Between 2021 and 2023, Vasiliev (aka Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110) also used LockBit ransomware in at least 12 attacks against victims worldwide, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland, causing at least $500,000 in damage and losses, according to the guilty plea.
Astamirov (aka BETTERPAY, offtitan, and Eastfarmer) is said to have deployed LockBit against at least 12 victims between 2020 and 2023, receiving $1.9 million in ransom payments from victims located in the U.S. state of Virginia, Japan, France, Scotland, and Kenya.
At the heart of the operation is a network of bulletproof hosting providers encompassing Aeza, Evil Empire, GIR, and TNSECURITY, which have also harbored command-and-control domains for different malware families like Stealc, Amadey, Agent Tesla, Glupteba, Raccoon Stealer, RisePro, RedLine Stealer, RevengeRAT, Lumma, Meduza, and Mystic.
"Using this tool, RT affiliates disseminated disinformation to and about a number of countries, including the United States, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel," law enforcement agencies from Canada, the Netherlands, and the U.S. said.
It also supports a range of commands retrieved from the C2, including: shell command execution using the "ShellExecuteExW" API; copying, moving, renaming, or deleting files; receiving shellcode from the pipe and injecting it into any process by allocating memory and creating a new thread in a remote process; receiving a PE file, creating a section, and mapping it into the remote process; creating a process using COM interfaces; creating a process as a dedicated user; creating a new service or modifying an existing service; and adding new network users or removing legitimate users from the system. Overall, the CloudSorcerer backdoor is a potent tool that enables the threat actors to perform malicious actions on the infected machines.
"Autosummary:
"Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place," continues TeamViewer"s statement. TeamViewer says they believe their internal corporate network, not their production environment, was breached on Wednesday, June 26, using an employee"s credentials. "Autosummary:
"This week, we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," said a Microsoft spokesperson. "Autosummary:
"From August 5, 2021, through February 3, 2022, the conspirators leveraged the same computer infrastructure they used in the Ukraine-related attacks to probe computers belonging to a federal government agency in Maryland in the same manner as they had initially probed the Ukrainian Government networks," the Justice Department (DoJ) said. "Autosummary:
You could be eligible for a reward and relocation" - Rewards for Justice If arrested and convicted, Stigal faces a potential maximum sentence of five years in prison for his participation in cyberattacks against Ukraine, the U.S., and other NATO member countries. "Autosummary:
The group exploited the following vulnerabilities for privilege escalation: CVE-2022-2586, CVE-2021-3156, CVE-2021-4034, CVE-2019-13272, CVE-2022-27228, CVE-2021-44228, CVE-2021-40438, CVE-2023-3519, BDU:2023-05857, and CVE-2019-12725. "Autosummary:
"Autosummary:
Mikhail Yuryevich Gerber (Gerber), Executive Vice President of Consumer Business; Anton Mikhaylovich Ivanov (Ivanov), Chief Technology Officer (CTO); Kirill Aleksandrovich Astrakhan (Astrakhan), Executive Vice President for Corporate Business; Anna Vladimirovna Kulashova (Kulashova), Managing Director for Russia and the Commonwealth of Independent States (CIS). While many of these members report directly to the CEO, Eugene Kaspersky, the US government says it has not sanctioned Kaspersky Lab, its parent or subsidiary companies, or its CEO.
"Most of Nobelium's campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," the agency said.
Two Ukrainians accused of spreading Russian propaganda and hacking soldiers' phones (Pierluigi Paganini, June 14, 2024). Ukraine's security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda and hacking soldiers' phones.
Details about Decoy Dog, a custom variant of the open-source Pupy RAT, emerged in April 2023, when Infoblox uncovered the malware's use of DNS tunneling for communications with its command-and-control (C2) server to remotely control infected hosts.
APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with Russia's strategic military intelligence unit, the GRU.
LunarMail operational diagram (source: ESET). Based on similarities in observed tactics, techniques, and procedures (TTPs) between the Lunar toolset and past activities, ESET attributes the backdoors to the Russian hacking group Turla with medium confidence. The commands LunarWeb supports include executing shell and PowerShell commands, collecting system information, running Lua code, zipping files, and exfiltrating data in AES-256 encrypted form.
“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials,” reads the report published by FireEye.
According to evidence found by CSIRT MON, the country's Computer Security Incident Response Team (led by the Polish Minister of National Defense), and CERT Polska (the Polish computer emergency response team), Russian APT28 state hackers attacked multiple government institutions in a large-scale phishing campaign.
Russian national Dmitry Khoroshev is “LockBitSupp”, the creator, developer and administrator of the infamous LockBit ransomware group, according to UK, US and Australian law enforcement agencies. The US Justice Department has unsealed charges against Khoroshev, and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Australian Department of Foreign Affairs, and the UK Foreign, Commonwealth and Development Office have imposed sanctions on him. Taking LockBit down: In February 2024, the UK …
The post LockBit leader unmasked: US charges Russian national appeared first on Help Net Security.
With the help of affiliates, the LockBit ransomware group attacked more than 2,500 victims – individuals, businesses, hospitals, critical infrastructure organizations, government agencies, etc. – in 120+ countries, and “extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery.”
"LockBit ransomware has been used against Australian, UK and US businesses, comprising 18% of total reported Australian ransomware incidents in 2022-23 and 119 reported victims in Australia," Penny Wong, Minister for Foreign Affairs of Australia, said.
The joint advisory comes from seven US government agencies, CISA, FBI, NSA, EPA, DOE, USDA, and FDA, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Canada's Centre for Cyber Security (CCCS), and the United Kingdom's National Cyber Security Centre (NCSC-UK).
For nearly four years and perhaps even longer, Forest Blizzard (aka Fancy Bear, aka APT28) has been using a custom tool that exploits a specific vulnerability in the Windows Print Spooler service (CVE-2022-38028). Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more.
The post Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) appeared first on Help Net Security.
“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,” Microsoft threat analysts have shared on Monday.
From March 7 to March 15, 2024, CERT-UA engaged in extensive counter-cyberattack operations, which included informing affected enterprises, removing malware, and enhancing security measures.
In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
"The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin."
"These aims include priming the information space with narratives favorable to Russia, generating perceptions of popular support for the war for domestic and foreign audiences, and making the GRU’s cyber capabilities appear more potent through exaggerated claims of impact" (Mandiant). The war in Ukraine made Sandworm notorious for launching multi-faceted attacks aimed at causing damage to the country's critical infrastructure and services, including state networks, telecommunications providers, news media, and the power grid.
“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways,” concludes the report. “However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact,” reads the analysis published by Claroty.
OFAC also designated multiple other Russian fintech companies and their owners for working with OFAC-designated Rosbank, VTB Bank, Sberbank, Sovcombank, and the Central Bank of Russia to help Russian companies and nationals evade sanctions.
WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.
It has been clarified that the invalidation of licenses impacts Russian companies and organizations engaging in architecture, design, construction, manufacturing, media, education and entertainment, building information modeling (BIM), computer-aided design (CAD), and computer-aided manufacturing (CAM). "As you may know, the European Union recently imposed new economic sanctions that, effective March 20, 2024, prohibit Microsoft from supplying certain management or design software (including cloud-based solutions) to entities incorporated in Russia." Some of the most important products that will have their license keys invalidated are: Microsoft Azure, the cloud platform for computing, analytics, storage, and networking services.
"AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions," security researchers Juan Andres Guerrero-Saade and Tom Hegel said.
The WineLoader backdoor features several similarities with other malware variants deployed in past APT29 attacks, such as "burnbatter", "myskybeat", and "beatdrop," suggesting a common developer.
Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and current owner of Russia-based Company Group Structura LLC (Structura), have been accused of providing services to the Russian government in connection to a "foreign malign influence campaign."
Midnight Blizzard (aka APT29), a group of Russian hackers tied to the country’s Foreign Intelligence Service (SVR), has leveraged information stolen from Microsoft corporate email systems to burrow into the company’s source code repositories and internal systems. “It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, …”
The post Microsoft: Russian hackers accessed internal systems, code repositories appeared first on Help Net Security.
"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," the tech giant said.
"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," reads a new blog post by the Microsoft Security Response Center.
According to an official statement from the Defence Intelligence of Ukraine, the hack has allowed Ukraine to gain possession of "the information security and encryption software" used by Russia's Ministry of Defence (Minoborony), as well as secret documents, reports, and instructions exchanged between over 2,000 units of Russia's security services.
This encompasses deputies, assistants, and specialists, individuals who used the electronic document management system known as ‘bureaucrat.’ “Cyber specialists of the Ministry of Defense of Ukraine implemented another successful special operation against the aggressor state of Russia – as a result of the attack, it was possible to gain access to the servers of the Ministry of Defense of the Russian Federation.”
Military Unit 26165 cyberspies, part of Russia's Main Intelligence Directorate of the General Staff (GRU) and tracked as APT28 and Fancy Bear, are using these hijacked and very popular routers to build extensive botnets that help them steal credentials, collect NTLMv2 digests, and proxy malicious traffic.
APT29's initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims' cloud tenants. After gaining initial access, SVR hackers use sophisticated tools like the MagicWeb malware (which allows them to authenticate as any user within a compromised network) to evade detection in the victims' networks, mainly government and critical organizations spanning Europe, the United States, and Asia.
The remote access trojan, which comes with capabilities for file transfers and command execution, is believed to have been put to use as early as 2014, and has also been utilized by other North Korean threat actors known as Kimsuky and ScarCruft (aka APT37).
Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.
APT28, also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU).
"In January 2024, an operation dismantled a network of hundreds of SOHO routers controlled by GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. This network facilitated various crimes, including extensive spearphishing and credential harvesting against entities of interest to the Russian government, such as U.S. and foreign governments, military, and key security and corporate sectors. This botnet was distinct from prior GRU and Russian …"
The post U.S. authorities disrupt Russian intelligence’s botnet appeared first on Help Net Security.
"Additionally, in order to neutralize the GRU's access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers' firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation," the Justice Department said.
Urban, who went by the aliases Sosa, Elijah, King Bob, Anthony Ramirez, and Gustavo Fring, is said to be a key member of the cybercrime group known as Scattered Spider, according to KrebsOnSecurity, as well as a "top member" of a broader cybercrime ecosystem that calls itself The Com.
APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
Pro-Ukraine hackers wiped 2 petabytes of data from Russian research center (Pierluigi Paganini, January 27, 2024). The Main Intelligence Directorate of Ukraine’s Ministry of Defense states that pro-Ukraine hackers wiped 2 petabytes of data from a Russian research center.
Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.
The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
"Among the destroyed data are meteorological and satellite data, which were actively used in constant mode by the Ministry of Defense and MNS RF, "Roscosmos," and several other state agencies-aggressors, as well as years of unique research," reads the announcement (machine translated).
Cozy Bear (aka Midnight Blizzard, aka APT29) has been busy hacking and spying on big tech companies: both Microsoft and Hewlett Packard Enterprise (HPE) have recently disclosed successful attack campaigns by the Russia-affiliated APT group. The Microsoft breach: Last Friday, Microsoft revealed that a threat actor identified as Midnight Blizzard – a hacking group believed to be associated with the Russian Foreign Intelligence Service (SVR) – had breached their corporate systems on January 12, 2024.
The post Russian hackers breached Microsoft, HPE corporate mailboxes appeared first on Help Net Security.
The TrickBot malware he helped develop enabled cybercriminals to collect infected victims' sensitive information (such as login credentials, credit card information, emails, passwords, social security numbers, and addresses) and siphon off funds from victims' bank accounts. Dunaev is the second TrickBot malware dev prosecuted by the U.S. Department of Justice after Latvian national Alla Witte (aka Max) was apprehended in February 2021 and charged with helping develop the module designed to deploy ransomware on compromised networks.
"Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions," reads the SEC filing.
The company detected the attack on January 12th, with Microsoft initiating its response to investigate, disrupt, and mitigate the breach.
PDF lure document (Google TAG). The Spica Rust-based malware uses JSON over websockets to communicate with its command-and-control (C2) server, and it helps to run arbitrary shell commands, steal Chrome, Firefox, Opera, and Edge cookies, upload and download files, and exfiltrate documents.
COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors.
Spica supports multiple capabilities, such as: executing arbitrary shell commands; stealing cookies from Chrome, Firefox, Opera and Edge; uploading and downloading files; perusing the filesystem by listing its contents; and enumerating documents and exfiltrating them in an archive. There is also a command called “telegram,” but the functionality of this command is unclear. The malware maintains persistence via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
"We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine." Today, Vityuk confirmed that Sandworm was behind the December attack on Kyivstar, saying that this Russian military intelligence unit carried out other cyberattacks targeting Ukrainian targets, "in particular [..] telecom operators and ISPs."
Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.
The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).
Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned. The targets: APT 29 (aka CozyBear, aka Midnight Blizzard), believed to be associated with the Russian Foreign Intelligence Service (SVR), has been active since 2013. The group is known for targeting a wide variety of organizations: government agencies, think tanks, political organizations, diplomatic agencies, biomedical and energy …
The post Russian hackers target unpatched JetBrains TeamCity servers appeared first on Help Net Security.
These attacks seem to be opportunistic in nature and hit disparate organizations in the US, Europe, Asia, and Australia: “an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.”
Targets of the campaign include an energy trade association; firms that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT enterprises. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said.
"By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers," CISA warned today.
"At the same time, the full cooperation with Europol, Eurojust and the Cypriot authorities made it possible to search his home in a Cypriot seaside resort, thus providing important elements of investigation," said Nicolas Guidoux, a Deputy Director in the French Ministry of the Interior.
“During the special operation, military intelligence managed to break into one of the well-protected key central servers of the Federal Tax Service (FSS of the Russian Federation), and further into more than 2,300 of its regional servers throughout Russia, as well as in the territory of the temporarily occupied Crimea,” reads a statement published by the Main Intelligence Directorate of the Ministry of Defense of Ukraine.
The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies r
SQL Server executable files - based on the review of the post-exploitation actions, the SVR showed an interest in specific files of the SQL Server installed on the compromised systems:
    C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll
    C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll
    C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll
    C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll
    C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\secforwarder.dll
Visual Studio files - based on the review of the post-exploitation actions, the SVR showed an interest in specific files of Visual Studio:
    C:\Program Files (x86)\Microsoft Visual Studio\2017\SQL\Common7\IDE\VSIXAutoUpdate.exe
Update management agent files - based on the review of the post-exploitation actions, the SVR showed an interest in executables and configuration of patch management software:
    C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd\bin\httpd.exe
    C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd
    C:\ProgramData\GFI\LanGuard 12\HttpdConfig\httpd.conf
Interest in SQL Server
Based on the review of the exploitation, the SVR also showed an interest in details of the SQL Server [T1059.001], [T1505.001]:
    powershell Compress-Archive -Path "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll" -DestinationPath C:\Windows\temp\1\sql.zip
SVR cyber actors also exfiltrated secforwarder.dll.
Tactics Used to Avoid Detection
To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver”
Commands observed:
    nltest -dclist
    nltest -dsgetdc
    tasklist
    netstat
    wmic /node:"<redacted>" /user:"<redacted>" /password:"<redacted>" process list brief
    wmic /node:"<redacted>" process list brief
    wmic process get commandline -all
    wmic process <proc_id> get commandline
    wmic process where name="GoogleCrashHandler64.exe" get commandline,processed
    powershell ([adsisearcher]"((samaccountname=<redacted>))").Findall().Properties
    powershell ([adsisearcher]"((samaccountname=<redacted>))").Findall().Properties.memberof
    powershell Get-WmiObject -Class Win32_Service -Computername
    powershell Get-WindowsDriver -Online -All
The SVR used the following Mimikatz commands [T1003]:
    privilege::debug
    lsadump::cache
    lsadump::secrets
    lsadump::sam
    sekurlsa::logonpasswords
Persistence
The SVR relied on scheduled tasks [T1053.005] to secure persistent execution of backdoors [T1564].
Privilege Escalation
To facilitate privilege escalation [T1098], the SVR used multiple techniques, including WinPEAS, NoLmHash registry key modification (REG_DWORD /d "0" /f), and the Mimikatz tool.
BMP files that were used to exchange data were generated in the following way:
    1. Compress data using zlib
    2. Encrypt data using a custom algorithm
    3. Add the “***” string literal to the encrypted data
    4. Create a random BMP with a random rectangle
    5. Encode the encrypted data within the lower pixel bits
Active Directory enumeration commands:
    Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
    Get-NetDiDomain
    Get-AdUser
    Get-DomainUser -UserName
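The five-step BMP exchange format listed above, implemented end to end as an added example; it is not the SVR's code and not taken from the advisory. The advisory names the steps but not the cipher, so a keyed XOR (`xor_cipher`, an assumption) stands in for the "custom algorithm"; the BMP is written by hand as 24-bit so the block runs on the Python standard library alone. The decoder handles the case the format leaves open: "***" can also occur inside the ciphertext, so it tries each marker position in turn until zlib accepts the decrypted bytes.

```python
"""Added example: the BMP data-exchange scheme listed above, encoder and decoder.
Not the SVR's code. The advisory gives the steps but not the cipher, so a keyed XOR
stands in for the "custom algorithm" (assumption). 24-bit BMP written by hand, stdlib only."""
import random
import struct
import zlib

MARKER = b"***"
HEADER_LEN = 54  # BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)


def xor_cipher(data, key):
    """Stand-in for the unknown custom algorithm; symmetric, so decode reuses it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def random_pixels(width, height, rng):
    """Random background colour with one random rectangle, 3 bytes (BGR) per pixel."""
    bg = bytes(rng.randrange(256) for _ in range(3))
    fg = bytes(rng.randrange(256) for _ in range(3))
    x0, y0 = rng.randrange(width), rng.randrange(height)
    x1, y1 = rng.randrange(x0, width), rng.randrange(y0, height)
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += fg if x0 <= x <= x1 and y0 <= y <= y1 else bg
    return px


def embed_lsb(pixels, payload):
    """Put payload bits, MSB first, into the least significant bit of successive pixel bytes."""
    if len(payload) * 8 > len(pixels):
        raise ValueError("payload does not fit in image")
    out = bytearray(pixels)
    for i, byte in enumerate(payload):
        for bit in range(8):
            out[i * 8 + bit] = (out[i * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def extract_lsb(pixels):
    """Rebuild bytes from the low bit of each pixel byte (whole bytes only)."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        out.append(sum((pixels[i + bit] & 1) << (7 - bit) for bit in range(8)))
    return bytes(out)


def write_bmp(width, height, pixels):
    """Minimal 24-bit uncompressed BMP; rows are padded to 4-byte multiples."""
    row, pad = width * 3, (4 - (width * 3) % 4) % 4
    body = b"".join(bytes(pixels[y * row:(y + 1) * row]) + b"\0" * pad for y in range(height))
    file_hdr = struct.pack("<2sIHHI", b"BM", HEADER_LEN + len(body), 0, 0, HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + body


def read_bmp(blob):
    """Return (width, height, pixel bytes without row padding) for a 24-bit BMP."""
    offset = struct.unpack_from("<I", blob, 10)[0]
    width, height = struct.unpack_from("<ii", blob, 18)
    bpp = struct.unpack_from("<H", blob, 28)[0]
    if blob[:2] != b"BM" or bpp != 24:
        raise ValueError("expected a 24-bit BMP")
    row, pad = width * 3, (4 - (width * 3) % 4) % 4
    px = bytearray()
    for y in range(height):
        start = offset + y * (row + pad)
        px += blob[start:start + row]
    return width, height, px


def encode(data, key, width=64, height=48, seed=None):
    """Steps in the advisory's order: zlib -> encrypt -> append *** -> random BMP -> LSB embed."""
    payload = xor_cipher(zlib.compress(data), key) + MARKER
    pixels = embed_lsb(random_pixels(width, height, random.Random(seed)), payload)
    return write_bmp(width, height, pixels)


def decode(blob, key):
    """Reverse the steps. The ciphertext can itself contain ***, so try each marker
    position until zlib accepts the decrypted bytes; a truncated split raises zlib.error."""
    stream = extract_lsb(read_bmp(blob)[2])
    pos = stream.find(MARKER)
    while pos != -1:
        try:
            return zlib.decompress(xor_cipher(stream[:pos], key))
        except zlib.error:
            pos = stream.find(MARKER, pos + 1)
    raise ValueError("no valid payload found")
```

Two things this makes concrete for defenders: the cover image is structurally a normal BMP, so file-type checks will not flag it, and the payload is bounded by width × height × 3 bits, so an implant moving more than a few kilobytes per image needs many images or large ones. A practical hunt is therefore image volume and size per host or per destination, not image validity; the marker and zlib header are only visible after the (unknown) cipher is reversed.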
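A way to turn the commands quoted in the advisory extract above into a check over process-creation telemetry, added here as an example; it is not code from the advisory or the authoring agencies. The record layout (timestamp, host=, user=, parent=, cmd=) and the sample records are constructed for the example, `build_parents` (java.exe as the process TeamCity runs under) and the schtasks form of the scheduled-task step are assumptions, and the reg add record is written out in full although the extract shows only its tail. tasklist and netstat are common enough on their own that the scan reports them only for a host that also has a stronger hit.

```python
"""Added example: match the SVR post-exploitation commands quoted above against
process-creation records. Not code from the advisory or the authoring agencies.
The record layout (ts host= user= parent= cmd=) and the sample records are
constructed for this example; map the fields onto your own 4688 / Sysmon / EDR data."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK ID where the advisory text gives one, else "n/a"
    strong: bool     # False: common on its own, reported only next to a strong hit
    pattern: re.Pattern


RULES = [
    Rule("dc_discovery", "n/a", True, re.compile(r"\bnltest(\.exe)?\s+[/-](dclist|dsgetdc)\b", re.I)),
    Rule("proc_net_enum", "n/a", False, re.compile(r"^\s*(tasklist|netstat)(\.exe)?\b", re.I)),
    Rule("remote_wmic_process_list", "n/a", True, re.compile(r"\bwmic(\.exe)?\s+/node:", re.I)),
    Rule("wmic_commandline_enum", "n/a", True,
         re.compile(r"\bwmic(\.exe)?\s+process\b.*\bget\s+commandline", re.I)),
    Rule("adsisearcher_lookup", "n/a", True, re.compile(r"\[adsisearcher\]", re.I)),
    Rule("driver_enum", "n/a", True, re.compile(r"\bGet-WindowsDriver\s+-Online\b", re.I)),
    Rule("mimikatz_module", "T1003", True,
         re.compile(r"\b(privilege::debug|lsadump::(cache|secrets|sam)|sekurlsa::logonpasswords)\b", re.I)),
    Rule("nolmhash_disable", "n/a", True, re.compile(r'\bNoLmHash\b.*\bREG_DWORD\b\s+/d\s+"?0"?', re.I)),
    Rule("sqlserver_dll_staging", "T1059.001", True,
         re.compile(r"\bCompress-Archive\b.*Microsoft SQL Server.*\\Binn\\.*\.dll", re.I)),
    # the advisory names scheduled-task persistence but shows no command; schtasks form is an assumption
    Rule("schtasks_persistence", "T1053.005", True, re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>.+?)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: a TeamCity build host after exploitation, plus an ordinary workstation.
# The reg add line is constructed in full; the advisory extract shows only its tail.
SAMPLE_LOG = r"""
2023-09-20T10:12:03Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=java.exe cmd=nltest -dclist
2023-09-20T10:12:09Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=java.exe cmd=tasklist
2023-09-20T10:13:41Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=cmd.exe cmd=wmic /node:"FS02" /user:"CORP\svc_backup" /password:"<redacted>" process list brief
2023-09-20T10:15:00Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=cmd.exe cmd=powershell ([adsisearcher]"((samaccountname=jdoe))").Findall().Properties.memberof
2023-09-20T10:18:30Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=cmd.exe cmd=reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NoLmHash /t REG_DWORD /d "0" /f
2023-09-20T10:19:02Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=cmd.exe cmd=C:\Windows\temp\1\m.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2023-09-20T10:20:17Z host=TC-BUILD01 user=NT AUTHORITY\SYSTEM parent=cmd.exe cmd=powershell Compress-Archive -Path "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll" -DestinationPath C:\Windows\temp\1\sql.zip
2023-09-20T11:02:55Z host=WS-ALICE user=CORP\alice parent=explorer.exe cmd=tasklist
2023-09-20T11:05:12Z host=WS-ALICE user=CORP\alice parent=explorer.exe cmd=netstat -an
""".strip().splitlines()


def parse_line(line):
    """Return the record as a dict, or None when the line does not fit the assumed layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmd):
    """Every rule whose pattern occurs in the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def scan(lines, build_parents=("java.exe",)):
    """Group hits per host and keep only hosts with at least one strong hit.

    build_parents: process names the TeamCity server/agent runs under (assumption: java.exe).
    Any matched command spawned straight from that process is treated as a strong hit itself."""
    hosts = defaultdict(lambda: {"strong": set(), "weak": set(), "events": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits = match_rules(ev["cmd"])
        if not hits:
            continue
        h = hosts[ev["host"]]
        for r in hits:
            (h["strong"] if r.strong else h["weak"]).add(r.name)
        if ev["parent"].lower() in build_parents:
            h["strong"].add("spawned_by_build_server_process")
        h["events"].append((ev["ts"], ev["user"], ev["parent"], [r.name for r in hits], ev["cmd"]))
    return {host: v for host, v in hosts.items() if v["strong"]}


if __name__ == "__main__":
    for host, v in scan(SAMPLE_LOG).items():
        print(host, "strong:", sorted(v["strong"]), "weak:", sorted(v["weak"]))
        for ts, user, parent, names, cmd in v["events"]:
            print(" ", ts, parent, "->", ",".join(names), "|", cmd[:70])
```

Run as-is it reports only TC-BUILD01: the workstation's tasklist and netstat are weak hits with nothing stronger beside them and are dropped. The per-host grouping matters more than any single pattern; an SVR operator renaming Mimikatz defeats the file-name rule but not the sequence of domain discovery, remote WMI with explicit credentials, LSA policy change and DLL staging landing on one host within minutes.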
The men are said to be members of the Callisto Group (also known as Star Blizzard, SEABORGIUM, TA446, COLDRIVER, TAG-53, and BlueCharlie). Two men have been charged with hacking into computer networks in the United States, UK, other NATO countries, and Ukraine, on behalf of the Russian government. "Autosummary:
As a Bitzlato co-founder and principal stakeholder, Legkodymov (also known as "Gandalf" and "Tolik") has agreed to disband the cryptocurrency exchange and relinquish any rights to approximately $23 million in seized assets, as outlined in the plea agreement. "Autosummary:
Callisto"s latest tactics In a bulletin published today, the UK"s NCSC says Callisto remains focused on launching spear-phishing attacks targeting the country"s governmental organizations, think tanks, politicians, defense-industrial units, and various NGOs. In addition, the UK says the group is behind credential and data theft attacks against parliamentarians from multiple political parties, universities, journalists, the public sector, non-government organizations, and other civil society organizations. "Autosummary:
Additionally, beyond European Defense, Foreign Affairs, and Internal Affairs agencies, APT28's focus extended to critical infrastructure organizations involved in energy production and distribution, pipeline infrastructure operations, and material handling, personnel, and air transportation. "The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.
The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.
Industry has previously published details of Star Blizzard. This advisory draws on that body of information.
This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.
To download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns.
Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.
Tar "
Autosummary:
Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector. Spear-phishing Link: Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites. "Autosummary:
"Russian state-backed hacking group Forest Blizzard (aka Fancy Bear, aka APT28) has been using a known Microsoft Outlook vulnerability (CVE-2023-23397) to target public and private entities in Poland, Polish Cyber Command has warned. Compromising email accounts and maintaining access to them APT28 is known for targeting government, non-governmental, energy and transportation organizations in the US, Europe, and the Middle East. The most recent attacks were detected and reported by the computer security incident response team …
The post Russian hackers use old Outlook vulnerability to target Polish orgs (CVE-2023-23397) appeared first on Help Net Security.
"Autosummary:
At the time of the release of the patch, CVE-2023-23397 was known to have been leveraged as a zero-day by a Russia-based threat actor “in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.” "Autosummary:
In October, the French cybersecurity agency (ANSSI) revealed that the Russian hackers had used the zero-click attack against government entities, businesses, universities, research institutes, and think tanks in France. "Autosummary:
"Autosummary:
"An analysis of the character of aviation incidents from the documents obtained indicates that a number of failures, especially those related to engines, landing gear, and wing mechanics, are of a systemic type." "Autosummary:
North Korea-linked Konni APT uses Russian-language weaponized documents Pierluigi Paganini November 24, 2023 North Korea-linked Konni APT group used Russian-language Microsoft Word documents to deliver malware. "Autosummary:
" The Visual Basic for Application (VBA) macro subsequently proceeds to launch an interim Batch script that performs system checks, User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that incorporates information gathering and exfiltration capabilities. "Autosummary:
Lure from Russian APT28 hackers with WinRAR exploit to target political entities source: ESET A report from Google in October notes that the security issue was exploited by Russian and Chinese state hackers to steal credentials and other sensitive data, as well as to establish persistence on target systems. "Autosummary:
The intrusions, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), involve the exploitation of the recently disclosed WinRAR vulnerability (CVE-2023-38831) via benign-looking lures that claim to offer BMWs for sale, a theme it has employed in the past. "Autosummary:
Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) has been active since 2014 and its activity focuses on Ukraine, the group was observed using the multistage backdoor Pteranodon/Pterodo. Check Point researchers reported possible infections also in the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong. "Autosummary:
These attacks are suspected to have weaponized two more critical bugs in Zyxel gear (CVE-2023-33009 and CVE-2023-33010, CVSS scores: 9.8) as zero-days to co-opt the firewalls into Mirai and MooBot botnets, given that patches for them were released by the company on May 24, 2023. "Autosummary:
"Autosummary:
"Autosummary:
Inside the ISO file there were at least the following three files: “lun.vbs”, which runs n.bat; “n.bat”, which likely runs the native scilc.exe utility; and “s1.txt”, which likely contains the unauthorized MicroSCADA commands. The researcher found that the lun.vbs script had a September 23 timestamp, which suggests that the hackers had about two months to develop their OT capability since the initial access stage. "The largest and oldest bank in Russia Sberbank faced the record-breaking DDoS attack that reached 1 million RPS. Sberbank , the Russian banking and financial services giant, announced that it was recently hit by a record-breaking distributed denial of service (DDoS) attack that reached 1 million RPS. After the invasion of Ukraine, most Russian organizations […]
The post The largest Russian bank Sberbank hit by a massive DDoS attack appeared first on Security Affairs.
"Autosummary:
That is, some new, very qualified criminals appeared on the market who began to systematically attack the largest Russian resources,” Gref said. He added that Sberbank faces about ten attacks per month, but threat actors have never breached the bank's systems. The largest Russian bank Sberbank hit by a massive DDoS attack Pierluigi Paganini November 09, 2023 The largest and oldest bank in Russia Sberbank faced the record-breaking DDoS attack that reached 1 million RPS. "Mandiant reported that Russia-linked Sandworm APT used a novel OT attack to cause power outages during mass missile strikes on Ukraine. Mandiant researchers reported that Russia-linked APT group Sandworm employed new operational technology (OT) attacks that caused power outages while the Russian army was conducting mass missile strikes on critical infrastructure in Ukraine in October. […]
The post Russian Sandworm disrupts power in Ukraine with a new OT attack appeared first on Security Affairs.
"Autosummary:
In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). "Autosummary:
According to a report Group-IB shared with BleepingComputer, the threat actor has several usernames (e.g. farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand) and has been active on multiple Russian-speaking hacker forums trying to recruit affiliates for various ransomware operations. "Autosummary:
A more recent blow suffered by Russia’s financial system concerns the National Payment Card System (NSPK), the Mir card operator, whose website became unavailable on October 30, 2023, and was later defaced to post messages about a client-impacting data breach. "Autosummary:
Ryuk, a predecessor to the Conti ransomware, first emerged on the threat landscape in 2018, and has compromised governments, academia, healthcare, manufacturing, and technology organizations worldwide. "Autosummary:
"The Treasury Department sanctioned a Russian woman accused of laundering virtual currency on behalf of cybercriminals. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Friday sanctioned Ekaterina Zhdanova, a Russian national, for her role in laundering and managing virtual currency on behalf of Russian elites, ransomware operators, and other threat actors. “Through […]
The post US govt sanctioned a Russian woman for laundering virtual currency on behalf of threat actors appeared first on Security Affairs.
"Autosummary:
“Through key facilitators like Zhdanova, Russian elites, ransomware groups, and other illicit actors sought to evade U.S. and international sanctions, particularly through the abuse of virtual currency,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. "The FSB arrested two Russian hackers who are accused of having helped Ukrainian entities carry out cyberattacks on critical infrastructure targets. The Russian intelligence agency Federal Security Service (FSB) arrested two individuals who are suspected of supporting Ukrainian entities to carry out cyberattacks to disrupt Russian critical infrastructure. The two men are facing high treason […]
The post Russian FSB arrested Russian hackers who supported Ukrainian cyber operations appeared first on Security Affairs.
"Autosummary:
Russian FSB arrested Russian hackers who supported Ukrainian cyber operations Pierluigi Paganini November 03, 2023 The FSB arrested two Russian hackers who are accused of having helped Ukrainian entities carry out cyberattacks on critical infrastructure targets. "Autosummary:
"Autosummary:
ANSSI also reports that APT28 uses a range of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure. "Autosummary:
Search disk for files of specific extensions (.doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .zip, .rar, .7z, .odt, .ods, .kdbx, .ovpn, .pem, .crt, .key) and transfer them to the C2. "Autosummary:
"In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows," Google TAG said today. "Autosummary:
"In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), [and] UAC-0107 (CyberArmyofRussia)," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said. "Autosummary:
Additionally, the attackers use tools like "ffuf", "dirbuster", "gowitness", and "nmap" to find potential vulnerabilities in web services that can be exploited to gain access. "A Russian zero-day broker is willing to pay $20 million for zero-day exploits for iPhones and Android mobile devices. The Russian zero-day broker firm Operation Zero is increasing payouts for top-tier mobile exploits. The company is willing to pay up to $20,000,000 for zero-day exploits for iPhone and Android devices. The Russian company pointed out […]
The post Russian zero-day broker is willing to pay $20M for zero-day exploits for iPhones and Android devices appeared first on Security Affairs.
"Autosummary:
Russian zero-day broker is willing to pay $20M for zero-day exploits for iPhones and Android devices Pierluigi Paganini September 27, 2023 A Russian zero-day broker is willing to pay $20 million for zero-day exploits for iPhones and Android mobile devices. "Autosummary:
"The Government of Bermuda believes that the recent cyberattack against its IT infrastructure was launched by Russian threat actors. This week a cyber attack hit the Government of Bermuda causing the interruption of internet/email and phone services. The attack impacted all the government departments. “The Department of Information and Digital Technology (IDT) is working quickly […]
The post Government of Bermuda blames Russian threat actors for the cyber attack appeared first on Security Affairs.
"Autosummary:
Walter Roban, JP, MP, provided an update on the cyberattack: “As a result of our network interruption, there will be no sitting of the House of Assembly,” a government spokeswoman had confirmed. "Autosummary:
"Autosummary:
Finally, some interesting research was released this week: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwareforme, @serghei, @malwrhunterteam, @BleepinComputer, @demonslay335, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @vxunderground, @BroadcomSW, @MsftSecIntel, @AlvieriD, @WilliamTurton, @GeeksCyber, @pcrisk, and @Mandiant. September 11th 2023 MGM Resorts International disclosed today that it is dealing with a cybersecurity issue that impacted some of its systems, including its main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines. "Autosummary:
The Committee to Protect Journalists (CPJ) said "journalists and their sources are not free and safe if they are spied on, and this attack on Timchenko underscores that governments must implement an immediate moratorium on the development, sale, and use of spyware technologies. "The iPhone of a prominent Russian journalist, who is at odds with Moscow, was infected with NSO Group’s Pegasus spyware. The iPhone of the Russian journalist Galina Timchenko was compromised with NSO Group’s Pegasus spyware. A joint investigation conducted by Access Now and the Citizen Lab revealed that the journalist, who is at odds with the Russian government, […]
The post The iPhone of a Russian journalist was infected with the Pegasus spyware appeared first on Security Affairs.
"Autosummary:
“Sophisticated spyware like Pegasus, which bypasses encryption and takes full control of the victim’s phone, including access to photos, messages, and contacts, as well as the phone’s camera and microphone, represents an existential threat to journalists and media freedom globally.” "Autosummary:
North Korean defense targeting (Microsoft) Defense firms in Brazil, Czechia, Finland, Italy, Norway, and Poland have also been subject to these intrusions, all as part of a coordinated endeavor to enhance the country's military capabilities. "Autosummary:
A brief description of each of the modules is as follows:
netd - Collate and exfiltrate information from the compromised device at set intervals, including from app-specific directories and web browsers
td - Provide TOR services
blob - Configure Tor services and check network connectivity (executed by netd)
tcpdump - Legitimate tcpdump utility with no modifications
killer - Terminate the netd process
db - Contains several tools to copy files and provide secure shell access to the device via the TOR hidden service using a modified version of Dropbear
NDBR - A multi-call binary similar to db that comes in two flavors to be able to run on Arm (ndbr_armv7l) and Intel (ndbr_i686) CPU architectures
Persistence on the device is achieved by replacing the legitimate netd daemon, which is responsible for network configuration on Android, with a rogue version, enabling it to execute commands as the root user. "Autosummary:
The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes). "Autosummary:
"North Korean state-sponsored hackers have breached Russian missile maker NPO Mashinostroyeniya, according to SentinelLabs researchers. North Korean hackers discovered The researchers came across leaked email communication between NPO Mashinostroyeniya’s IT staff that contained information about a possible cyber intrusion first detected in May 2022. According to the emails, the breached company’s IT staff discovered a suspicious DLL file within company systems, which SentinelLabs researchers identified as a version of the OpenCarrot Windows OS backdoor previously …
The post North Korean hackers breached Russian missile development firm appeared first on Help Net Security.
"Autosummary:
"Autosummary:
The backdoor supports a total of 25 commands, including: Reconnaissance: File and process attribute enumeration, scanning, and ICMP-pinging hosts in IP ranges for open TCP ports and availability. "Autosummary:
"Autosummary:
" Microsoft said the campaign, observed since at least late May 2023, affected less than 40 organizations globally spanning government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. "An APT group linked to Russia’s Foreign Intelligence Service has hit employees of several dozen global organizations with phishing attacks via Microsoft Teams, says Microsoft. A social engineering attack to bypass MFA protection “To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a …
The post Russian APT phished government employees via Microsoft Teams appeared first on Help Net Security.
"Autosummary:
Microsoft says that the targets in this campaign were government and non-government organizations, and organizations in the IT services, technology, discrete manufacturing, and media sectors. "Russia-linked APT29 group targeted dozens of organizations and government agencies worldwide with Microsoft Teams phishing attacks. Microsoft Threat Intelligence reported that Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) carried out Microsoft Teams phishing attacks aimed at dozens of organizations and government agencies worldwide. APT29 along with APT28 cyber espionage group was involved in […]
The post Russian APT29 conducts phishing attacks through Microsoft Teams appeared first on Security Affairs.
"Autosummary:
"Autosummary:
"While the group uses relatively common techniques to conduct attacks (such as the use of phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable," the company said. "Autosummary:
"The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. "Autosummary:
"Autosummary:
Fake PNG files contained in the ISO archive (Unit 42) Unit 42 reports that this campaign has targeted at least 22 of the 80 foreign missions in Kyiv, including those of the United States, Canada, Turkey, Spain, Netherlands, Greece, Estonia, and Denmark. "Autosummary:
The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said. "Autosummary:
"Autosummary:
In these attacks, the cyber-espionage group (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers. "Autosummary:
The DoJ statement also comes a day after cybersecurity authorities from Australia, Canada, France, Germany, New Zealand, the U.K., and the U.S. released a joint advisory warning of LockBit ransomware. "DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses. The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous LockBit ransomware attacks against systems in the United States, Asia, Europe, and Africa. The US authorities arrested the man […]
The post A Russian national charged for committing LockBit Ransomware attacks appeared first on Security Affairs.
"Autosummary:
The operation targeted many organizations in critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. In May, the US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks. "Autosummary:
The state-sponsored actor, per Microsoft, has a track record of orchestrating destructive attacks, espionage, and information operations aimed at entities located in Ukraine, Europe, Central Asia, and, periodically, Latin America. "Autosummary:
The LNKs created by the script take a broad range of names, some selected specifically to pique the victim's interest like: weapons_list.rtf.lnk secret.rtf.lnk pornophoto.rtf.lnk my_photos.rtf.lnk login_password.docx.lnk compromising_evidence.rtf.lnk instructions.rtf.lnk account_card.rtf.lnk bank_accоunt.rtf.lnk Once the victim launches those files, the PowerShell script enumerates all drives on the computer and copies itself to removable USB disks, increasing the likelihood of successful lateral movement within the breached network. "Autosummary:
"Autosummary:
Malicious website spreading Crypter ransomware (BleepingComputer) The installer downloaded from the fake website is "enlisted_beta-v1.0.3.115.exe," which drops two executable files on the user's disk if launched, namely "ENLIST~1" (the actual game) and "enlisted" (the Python ransomware launcher). "Autosummary:
The three-year sting operation, dubbed Trojan Shield, led to more than 800 arrests across 18 countries following an analysis of over 27 million messages that involved discussions on narcotics concealment methods, shipments of narcotics, money laundering, and even violent threats. "Pro-Ukraine hackers Cyber Anarchy Squad claimed responsibility for the attack that hit Russian telecom provider Infotel JSC. Pro-Ukraine hacking group Cyber.Anarchy.Squad claimed responsibility for an attack on Russian telecom provider Infotel JSC. The company provides connectivity services to the Russian banking system, for this reason, the attack had a severe impact on the operations of […]
The post Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC appeared first on Security Affairs.
"Autosummary:
"Autosummary:
"Autosummary:
"In total, the company has about four hundred clients, a quarter of them are banks, the rest are credit institutions, car dealerships. "Two Russian nationals have been charged with the hack of the cryptocurrency exchange Mt. Gox in 2011 and money laundering. Russian nationals Alexey Bilyuchenko (43) and Aleksandr Verner (29) have been charged with the hack of the cryptocurrency exchange Mt. Gox in 2011 and the operation of the illicit cryptocurrency exchange BTC-e. The duo has […]
The post Russians charged with hacking Mt. Gox exchange and operating BTC-e appeared first on Security Affairs.
"Autosummary:
"Autosummary:
The list includes but is not limited to WhisperGate/WhisperKill, FoxBlade (aka HermeticWiper), SonicVote (aka HermeticRansom), CaddyWiper, DesertBlade, Industroyer2, Lasainraw (aka IsaacWiper), and FiberLake (aka DoubleZero). "Autosummary:
Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "The US government is offering a $10M reward for Russian national Mikhail Pavlovich Matveev (30) charged for his role in ransomware attacks The US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks. The DoJ unsealed two indictments charging the man […]
The post US Gov offers a $10M reward for a Russian ransomware actor appeared first on Security Affairs.
"Autosummary:
“From Russia and hiding behind multiple aliases, Matveev is alleged to have used these ransomware strains to encrypt and hold hostage for ransom the data of numerous victims, including hospitals, schools, nonprofits, and law enforcement agencies, like the Metropolitan Police Department in Washington, D.C.,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. "Autosummary:
"Autosummary:
"We take a look at one newspaper's innovative way of bypassing Russian media restrictions.
The post Newspaper evades Russian censors, hides news in Counter-Strike map appeared first on Malwarebytes Labs.
"Autosummary:
This room contains independent journalism that is forbidden in Russia. A sign on one wall states “Russian strikes on civilian targets 2022-2023,” above a map highlighting strike locations, next to several photographs of the damage inflicted. The plan: hide a secret room underneath a map, which players can stumble upon and see facts, figures, and photographs of what’s been going on. Flashing lights indicate the presence of the room. Inside the room: the room itself is made up of several areas of information, with a main table located in the middle. If you click on the map to open its page, and then hit the green “Subscribe” button, the map will be available next time you load up the game. "Autosummary:
"Russian APT group Nomadic Octopus hacked a Tajikistani carrier to spy on government officials and public service infrastructures. Russian cyber espionage group Nomadic Octopus (aka DustSquad) has hacked a Tajikistani telecoms provider to spy on 18 entities, including high-ranking government officials, telecommunication services, and public service infrastructures. The cyberspies compromised a broad range of devices, […]
The post Russian APT Nomadic Octopus hacked Tajikistani carrier appeared first on Security Affairs.
"Autosummary:
"Autosummary:
"Autosummary:
"Print management software provider PaperCut confirmed ongoing active exploitation of the CVE-2023-27350 vulnerability. On April 19th, print management software provider PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350 vulnerability. The company received two vulnerability reports from the cybersecurity firm Trend Micro for high/critical severity security issues in PaperCut MF/NG. Trend Micro announced they will […]
The post Russian cybercrime group likely behind ongoing exploitation of PaperCut flaws appeared first on Security Affairs.
"Autosummary:
"Autosummary:
"More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy," the researchers explained. "Autosummary:
Phishing page where victims land after an XSS redirection (Google) This week, a joint announcement by the UK NCSC, FBI, NSA, and CISA warned that APT28 is hacking Cisco Routers to install custom malware. "Autosummary:
The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU). "Autosummary:
Larger organizations should consider taking additional, advanced actions like accelerating security improvements, reassessing risk tolerance, temporarily reducing system functionality, aggressively patching vulnerabilities, delaying non-security system changes, and preparing for extended operational hours or incident response scaling. "Autosummary:
" The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. "Russian national Denis Mihaqlovic Dubnikov has been sentenced to time served for committing money laundering for the Ryuk ransomware operation. Russian national Denis Dubnikov (30) has been sentenced to time served for committing money laundering for the Ryuk ransomware group. The man was also ordered to pay $2,000 in restitution. On February 7, 2023, Dubnikov pleaded […]
The post Russian national sentenced to time served for committing money laundering for the Ryuk ransomware operation appeared first on Security Affairs.
"Autosummary:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Ryuk ransomware) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "Autosummary:
"Autosummary:
"Autosummary:
"Autosummary:
"Files leaked by Russian IT contractor NTC Vulkan show that Russia-linked Sandworm APT requested it to develop offensive tools. Documents leaked from Russian IT contractor NTC Vulkan show it was likely involved in the development of offensive tools. The documents demonstrate that it also developed hacking tools for the Russia-linked APT group Sandworm. The Sandworm group […]
The post Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal appeared first on Security Affairs.
"Autosummary:
In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.
Russian hacking group Winter Vivern has been actively exploiting Zimbra flaws to steal the emails of NATO and diplomats. A Russian hacking group, tracked as Winter Vivern (aka TA473), has been actively exploiting a vulnerability (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats. The CVE-2022-27926 flaw […]
The post Russian APT group Winter Vivern targets email portals of NATO and diplomats appeared first on Security Affairs.
"Autosummary:
A Russian hacking group, tracked Winter Vivern (aka TA473), has been actively exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats. "Autosummary:
While the majority are targeting Russia and Eastern Europe, they have also been seen targeting the United States, Germany, China, France, the Netherlands, and the UK.
Dubbed Untitled Goose Tool, the Python-based utility offers "novel authentication and data gathering methods" to analyze Microsoft Azure, Azure Active Directory, and Microsoft 365 environments, the agency said.
BAILLOADER, for its part, is said to exhibit similarities with a crypter codenamed Tron that has been put to use by different adversaries to distribute Emotet, TrickBot, BazarLoader, IcedID, Conti ransomware, and Cobalt Strike.
Polish intelligence dismantled a cell of Russian spies that gathered info on military equipment deliveries to Ukraine via the EU member. Polish counter-intelligence has dismantled a cell of Russian spies that gathered information on the provisioning of military equipment to Ukraine via the EU member. “The ABW counter-intelligence agency has arrested nine people suspected of […]
The post Polish intelligence dismantled a network of Russian spies appeared first on Security Affairs.
"Autosummary:
Russia-linked threat actors targeted at least 17 European nations in 2023, and 74 countries since the start of the invasion of Ukraine. Microsoft revealed that Russia-linked threat actors targeted at least 17 European nations between January and mid-February 2023. According to a report published by the IT giant, the state-sponsored hackers have targeted 74 countries […]
The post Microsoft sheds light on a year of Russian hybrid warfare in Ukraine appeared first on Security Affairs.
"Autosummary:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Ukraine) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "Autosummary:
In a post on the Russian social media site VK (also known as VKontakte, effectively the Russian version of Facebook), a statement was posted demanding that the game have Russian voice acting reinstated (it was removed following the invasion of Ukraine), apologise to players based in Russia and Belarus, and unban an account on the game’s Discord channel. The first-person shooter game, developed by Ukraine-based GSC Game World, is hotly anticipated by fans of its prequel “STALKER: Shadow of Chernobyl,” but isn’t scheduled to be released until December 2023.
The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares.
Hackers complain about firm’s stance
The hackers posted a message on the Russian social media platform VK, claiming to have stolen a “vast amount of STALKER 2 material,” including the entire storyline, cutscene descriptions, concept art, global maps, and more.
The group of hacktivists CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. A group of hacktivists that goes online with the moniker CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. The news was […]
The post Pro-Ukraine hackers CH01 defaced tens of Russian websites on the invasion anniversary appeared first on Security Affairs.
"Autosummary:
#Anonymous their affiliates and Pro-Ukrainian hackers have defaced at least 32 websites, showing the #Kremlin on fire, to mark a protest over the one-year anniversary of the #Russian invasion of #Ukraine during their #OpRussia campaign #WeStandWithUkraine #FckPutin pic.twitter.com/PUs0MiBeXo — Anonymous Operations (@AnonOpsSE) February 25, 2023 The hackers have uploaded a video showing the Kremlin burning on the defaced websites.
"Autosummary:
"Autosummary:
"Autosummary:
"Autosummary:
Some of the key actors involved in the efforts include FROZENBARENTS (aka Sandworm or Voodoo Bear), FROZENLAKE (aka APT28 or Fancy Bear), COLDRIVER (aka Callisto Group), FROZENVISTA (aka DEV-0586 or UNC2589), and SUMMIT (aka Turla or Venomous Bear).
"Autosummary:
"The Russian Government proposed to give a sort of immunity to the hackers that operate in the interests of Moscow. Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian government is evaluating to avoid punishing hackers acting in the interests of Moscow. “The question of […]
The post Russian Government evaluates the immunity to hackers acting in the interests of Russia appeared first on Security Affairs.
"Autosummary:
"Autosummary:
"Autosummary:
The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix).
The US and the UK have sanctioned seven Russian individuals for their involvement in the TrickBot operations. The US and the UK authorities have sanctioned seven Russian individuals for their involvement in the TrickBot operations. The US Treasury has frozen the assets belonging to the individuals and imposed travel bans against them. The US Treasury […]
The post US and UK sanctioned seven Russian members of Trickbot gang appeared first on Security Affairs.
"Autosummary:
“These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K.” This is the first time the UK government has imposed sanctions of this kind; its authorities collaborated with the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office, National Crime Agency, and His Majesty’s Treasury. “By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” said UK Foreign Secretary James Cleverly.
"Autosummary:
"Autosummary:
"Autosummary:
"Autosummary:
The malware can steal SSH known hosts, steal data from PuTTY, steal stored passwords, take screenshots, create a directory, list a directory, run a shell command, and steal an arbitrary file. The malware uses the following PowerShell code to steal passwords from the Windows Vault, the system's built-in password manager, where saved credentials are stored in AES-256 encrypted form.
A Russian national pleaded guilty in the U.S. to money laundering charges linked to the Ryuk ransomware operation. On February 7, 2023, Russian national Denis Mihaqlovic Dubnikov (30) pleaded guilty in the U.S. to one count of conspiracy to commit money laundering for the Ryuk ransomware operation. Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November […]
The post Russian national pleads guilty to money laundering linked to Ryuk Ransomware operation appeared first on Security Affairs.
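The malware summary above says the stealer uses PowerShell to pull saved credentials out of the Windows Vault but does not reproduce the script. Scripts that do this typically project the WinRT PasswordVault class into PowerShell and call RetrieveAll() and RetrievePassword(), so a script block log (Event ID 4104) or a process command line (Event ID 4688, often with the script hidden behind -EncodedCommand) is enough to spot it. The detector below is an added example written for this page, not the malware's code and not a rule from the report; the indicator set assumes the PasswordVault approach, and the four log events it runs over are constructed inline, with the encoded command built at import time so the sample is self-consistent.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicators of a script reading Credential Manager through the WinRT
# PasswordVault class. Assumption: this is the API the stealer's PowerShell
# uses; the page does not reproduce the script.
VAULT_INDICATORS = {
    "passwordvault_type": re.compile(r"windows\.security\.credentials\.passwordvault", re.I),
    "winrt_projection": re.compile(r"contenttype\s*=\s*windowsruntime", re.I),
    "retrieve_all": re.compile(r"\.retrieveall\s*\(", re.I),
    "retrieve_password": re.compile(r"\.retrievepassword\s*\(", re.I),
}

# -EncodedCommand and the abbreviations PowerShell accepts for it, longest first.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: nothing to inspect


def analyse(event: Dict[str, object]) -> Dict[str, object]:
    """Classify one event: 4104 script-block text or a 4688 process command line."""
    text = str(event["text"])
    decoded = decode_encoded_command(text) if event["event_id"] == 4688 else None
    body = decoded if decoded is not None else text
    hits = [name for name, rx in VAULT_INDICATORS.items() if rx.search(body)]
    if "passwordvault_type" in hits and ({"retrieve_all", "retrieve_password"} & set(hits)):
        verdict = "alert"    # vault opened and secrets enumerated
    elif "passwordvault_type" in hits:
        verdict = "review"   # vault type referenced without enumeration
    else:
        verdict = "clean"
    return {"id": event["id"], "verdict": verdict, "hits": hits, "decoded": decoded is not None}


def run_detection(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the non-clean results for a batch of events."""
    return [r for r in (analyse(e) for e in events) if r["verdict"] != "clean"]


# Shape of the commonly seen vault-dump one-liner; used only to build the
# constructed sample events below, which are not real logs.
VAULT_ONELINER = (
    "[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,"
    "ContentType=WindowsRuntime] | Out-Null; "
    "$v = New-Object Windows.Security.Credentials.PasswordVault; "
    "$v.RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ }"
)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {"id": "e1", "event_id": 4104, "text": VAULT_ONELINER},
    {"id": "e2", "event_id": 4104, "text": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"id": "e3", "event_id": 4688,
     "text": "powershell.exe -nop -w hidden -enc " + encode_command(VAULT_ONELINER)},
    {"id": "e4", "event_id": 4688,
     "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1"},
]

if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r)
```

Two design points: the encoded-command decoder is what turns a 4688 line into something the indicators can see, because the base64 form contains none of the strings; and the verdict requires both the type reference and an enumeration call, so a script that merely mentions the class lands in "review" rather than paging someone.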
"Autosummary:
A leading electrical engineering company in Russia, Elevel, has exposed its customers’ personally identifiable information (PII), including full names and addresses. Original post at hxxps://cybernews.com/privacy/russian-e-commerce-giant-data-leak/ Founded in 1991, Elevel (previously Eleko) positions itself as the leading Russian electrical engineering company that runs both an e-commerce business and wholesale stores. On January 24, the Cybernews research […]
The post Russian e-commerce giant Elevel exposed buyers’ delivery addresses appeared first on Security Affairs.
"Autosummary:
"The popular collective Anonymous has leaked 128 GB of data allegedly stolen from the Russian Internet Service Provider Convex. The collective Anonymous released last week 128 gigabytes of documents that were allegedly stolen from the Russian Internet Service Provider Convex. The huge trove of data was leased by an affiliate of Anonymous’s affiliate group called […]
The post Anonymous leaked 128GB of data stolen from Russian ISP Convex revealing FSB’s warrantless surveillance appeared first on Security Affairs.
"Autosummary:
#Anonymous #OpRussia https://t.co/Q2DwUb3t3c, hacked they provide telecom services in #Russia, internet/telephone/cable Government, business Green Atom project exposed and used for spying on Internet/telephone traffic under an agreement with the FSS Credit- CAXXII#Ukraine pic.twitter.com/DTxNfa5Mpl — Anonymous Operations (@AnonOpsSE) January 31, 2023 Such surveillance activities are classified as unauthorized wiretapping, espionage, and warrantless surveillance of civilians, which are against the country’s laws.
The conspirators, including Dubnikov, used various financial transactions, including international ones, to hide the origin, location, and identity of those who received the ransom payments.
The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.
"Autosummary:
"The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists," the NCSC said. "Autosummary:
"Autosummary:
“The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists, and activists” - U.K. NCSC SEABORGIUM, also known as ‘TA446,’ is a Russian state-sponsored threat group that targeted NATO countries last summer. "Polish authorities charged Russian and Belarusian individuals with spying for the Russian military intelligence service (GRU). Polish authorities charged Russian and Belarusian individuals, who were arrested in April, with spying for the Russian military intelligence service (GRU) from 2017 to April 2022. The defendants gathered intelligence on military facilities critical for the defense of the […]
The post Russian and Belarusian men charged with spying for Russian GRU appeared first on Security Affairs.
"Autosummary:
The defendants gathered intelligence on military facilities critical for the defense of the country, focusing on military units from the northeast, as well as information on the combat capability, morale, and functioning of military units.