
Tag: Eastern Europe

Cambium Networks Expands ‘Connecting the Unconnected’ Strategy to Eastern Europe

London, UK 10 May 2017 – Cambium Networks, a leading global provider of wireless broadband networking solutions, today announced it plans to expand its ‘Connecting the Unconnected’ strategy to Eastern Europe, under the guidance of its newly appointed Senior Sales Director for Europe, Alessio Murroni.

Thousands of existing networks have already upgraded to Cambium’s industry-leading point-to-point, point-to-multipoint, Industrial IoT, Wi-Fi, and management system solutions, with Murroni’s new position intending to widen the company’s stance... Source: RealWire

The Mongols built an empire with one technological breakthrough

The humble stirrup was a game-changing invention that altered history.

Threat Actors Bring Ransomware To Industrial Sector With New Version of...

Disk-erasing malware has been tweaked to encrypt data instead and to ask for a Bitcoin payment.

In an ominous but unsurprising development, threat actors appear to have begun targeting industrial companies in ransomware campaigns. Security firm CyberX’s threat intelligence research team recently analyzed a new version of the KillDisk disk-wiping malware that was used in cyber attacks against the Ukrainian power grid earlier this year. The analysis showed that KillDisk has been tweaked so that now, instead of erasing data, the malware encrypts it and then asks for a Bitcoin payment.

The new version of KillDisk encrypts the local hard drives of the machines it infects as well as any network-mapped folders shared across the organization, using RSA 1028 and AES algorithms, CyberX’s vice president of marketing Phil Neray said in a blog this week. The security firm’s reverse engineering of the malware sample showed it containing a pop-up message demanding a ransom payment of 222 Bitcoins, or roughly $206,000, in return for the decryption key.

Ransomware attacks on companies in the industrial sector could cause significantly bigger problems than similar attacks on companies in other sectors.

For example, an attack that succeeded in locking up the operational data upon which physical processes rely could do serious and potentially even catastrophic damage to people and property.

Considering the severity of the potential consequences of a ransomware attack, plant owners are also likely to be more willing than others to quietly pay up any demanded ransom, CyberX said. The authors of the new KillDisk variant are a cybercriminal group called the TeleBots gang that appears to have evolved from another group called the Sandworm gang, Neray said. The Sandworm gang was responsible for a series of attacks on Industrial Control System (ICS) and SCADA networks in the US in 2014 involving the use of malware dubbed BlackEnergy.

The same group is also believed responsible for the attacks on the Ukrainian power grid in December 2015 and in early 2016 using the same BlackEnergy malware and the hard disk-erasing version of KillDisk. The TeleBots gang itself has been associated with previous attacks on Ukrainian banks and now appears to have turned its sights on companies in the industrial sector. “We know that both BlackEnergy and KillDisk were seen in the Ukraine power attacks and may also have been used in attacks against a large Ukrainian mining company and a large Ukrainian rail company,” says Neray in comments to Dark Reading. The new KillDisk ransomware variant has almost the same functionality as the previous version, but instead of deleting files it encrypts them. “For example, in both samples, the same string encoding algorithm is being used. So it's reasonable to assume that the new ransomware malware was designed [for use] against industrial companies too,” Neray says. In addition, other security researchers too have seen evidence of cybercriminals already targeting chemical plants in Eastern Europe for extortion, he says. It is unclear what malware strains were used in those attacks.

But as with KillDisk, the threat actors behind those attacks used malicious email attachments to distribute their malware and to penetrate the operational networks and processing systems of chemical plants in a way that affects the purity of the output, Neray says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

One-stop-shop: Server steals data then offers it for sale

While intercepting traffic from a number of infected machines that showed signs of Remote Admin Tool malware known as HawkEye, we stumbled upon an interesting domain.
It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop-shop for purchasing hacking goods.

WhiteHats on the prowl?

Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims’ stolen accounts.

A group of WhiteHat hackers who call themselves Group Demóstenes were found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem.

They would then monitor the incoming, stolen data.

Either manually or automatically, they would collect the stolen credentials and send emails to the victims’ accounts.

These emails contained an attachment with proof that the user’s machine has been compromised.
In addition, they advise the user to change passwords immediately and offer to help.

Hi ***********
Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called
Computer Name PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:
have a keylogger harm report All That You write, messages, passwords or more.
¿Why we do it? We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.
PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS

The email above appears in two languages, English and Spanish.

The name of the group appears to be of Portuguese origin, though it is not certain.

The shopfront: the command and control servers

Scanning for network services which are running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”. Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page.

Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer. After registering on the C2 web application, there was no sign of the stolen data transferred from compromised machines.

A forum-like web page opens up once a login is processed successfully. The C2 was meant to securely store the stolen data; however, it contained a crucial vulnerability which allowed researchers to download the stolen data. The C2 owners seem to have added six new shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is. Another item for sale is scam pages, and some are multilingual.

The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays.

The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates. The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab. To purchase goods in the private shop you must deposit money into your account on the website.

The attackers accept Bitcoins, PerfectMoney and WebMoney.

Back to the stolen data

As we described, HawkEye is a robust keylogger that can hijack keystrokes from any application being opened on the victim’s PC.
It can also identify login events and record the destination, username and password.
It is, however, limited when it comes to two-factor authentication and single sign-on. Stolen credentials on the server were found to be holding sensitive access passwords to government, healthcare, banking and payment web applications.

Among them is the following web server which belongs to the Pakistani government. As mentioned, hundreds of machines were found to be compromised by just one C2.

The following is a partial list of what was downloaded from the malicious server. Usually, careless threat actors forget to remove test files which might contain sensitive data.
In this case, we were able to obtain the attackers’ credentials from one very small file that was captured when searching related strings.

Target geography

The research is still ongoing; the campaign is currently affecting users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.

Yahoo breach means hackers had three years to abuse user accounts

Security researchers are disturbed it took Yahoo three years to discover that details of over 1 billion user accounts had been stolen back in 2013. It means that someone—possibly a state-sponsored actor—had access to one of the largest email user bases in the world, without anyone knowing.

The stolen database may have even included information on email IDs of U.S. government and military employees. “It is extremely alarming that Yahoo didn’t know about this,” said Alex Holden, chief information security officer with Hold Security. Yahoo said back in November it first learned about the breach when law enforcement began sharing with the company stolen data that had been provided by a hacker.

At the time, the company was already dealing with a separate data breach, reported in September, involving 500 million user accounts. However, this hacker was apparently sitting on another mother lode of stolen Yahoo data, but it’s still unclear how the theft occurred. Holden, who investigates online black markets, said there was always chatter among underground dealers that someone had made off with a massive trove of information from the internet firm. “Hackers allegedly had small samples, but they had never seen the full data set,” Holden said. But the stolen data never appeared to be widely circulated to make a major profit, he said.
It suggests that state-sponsored hackers may have been behind the breach and wanted to keep the data to themselves. “This information would have been distributed widely if cyber criminals were involved,” Holden said. “But right now, that seems not to be the case, even two or three years later.” Private security firm InfoArmor may have actually discovered details about the Yahoo data breach earlier this year.
In September, the company claimed it had found a stolen database allegedly belonging to Yahoo that was obtained from elite hackers-for-hire. Yahoo, however, didn’t comment on the company’s finding, making it unclear if the data was legitimate. InfoArmor has claimed that a hacking team called “Group E,” likely out of Eastern Europe, breached Yahoo and sold the data in three private deals.

At least one of the buyers was a state-sponsored actor, said Andrew Komarov, InfoArmor’s chief intelligence officer, in an email on Wednesday. The security firm has shared its findings with law enforcement agencies in the U.S., U.K., Australia and Europe.
It said the stolen database it found also has information relating to over 150,000 U.S. government and military employees.

Backup email addresses included in the discovered dump contain .gov and .mil domain names, said Komarov, who called the Yahoo breach a “matter of national security.” The stolen data “may allow the threat actors to identify government employees very quickly,” he said. The FBI has only said it’s investigating the Yahoo hack, and on Wednesday, the agency didn’t provide any new details. Yahoo also hasn’t mentioned who might have pulled off the intrusion, except to say an “unauthorized third party” was involved. Still, the recent data breaches at the company highlight the need for the tech industry to constantly be on guard against cyber threats, a security expert said. “The lesson is clear: no organization is immune to compromise,” said Jeff Hill, director of product management for security provider Prevalent, in an email. “Criminal actors can do significant damage in days and weeks; give them years, and all bets are off.”

Malware Turns ATMs Into Cash-Spewing Jackpots

The remote hack works from anywhere in the world, robbing banks in as little as 10 minutes.

It is every consumer's dream to find an ATM spitting out cash like a winning slot machine, and it seems that hackers in Eastern Europe have figured out how to make that a reality.

As outlined by Russian security firm Group IB, the hackers are linked to the Buhtrap crew, which stole $28 billion from Russian banks between August 2015 and January 2016, according to Reuters. But while Buhtrap looted ATMs via fraudulent wire transfers, the ATM scammers reportedly use a less hands-on method: "touchless jackpotting."

The hackers reportedly use a penetration testing tool known as Cobalt Strike, which lets them access servers that control ATMs via bank PCs infected by malicious emails. Accomplices then wait by the targeted ATMs and scoop up the cash as it spits out of the machine.

The hackers reportedly hit financial institutions in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, the Netherlands, Poland, Romania, Russia, Spain, and the UK. Group IB did not reveal which banks were targeted.

Global ATM manufacturers Diebold Nixdorf and NCR confirmed to PCMag that they are "familiar" with these types of breaches.

"ATM attacks are becoming more complex and sophisticated as hackers dedicate more time to attacking infrastructure," an NCR spokeswoman said in a statement. "Securing one's infrastructure and endpoints is a never-ending and extremely important task that does not depend on the region or attack type."

Diebold Nixdorf, meanwhile, claims there is "no indication to us that this group of fraudsters is active in Europe or the Americas."

But that doesn't mean they won't be. "Logical attacks on ATMs are expected to become one of the key threats targeting banks," according to Dmitry Volkov, head of the Group IB investigation department.

"They enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services," he said in a statement. "This type of attack does not require development of expensive advanced software—a significant amount of the tools used are widely available on the deep Web."

As the Wall Street Journal reports, the FBI recently warned US banks to look out for potential attacks, following incidents in Taiwan and Thailand over the summer.

"Every bank is under threat of logical attacks on ATMs and should be protected accordingly," Volkov added.

178 arrested in pan-European money mule crackdown

Law enforcement dents cybercrime networks

A pan-European crackdown has resulted in the arrest of 178 suspected money mules. Across Europe, 580 people were identified as suspects. National law enforcement agencies last week interviewed 380 suspects collectively implicated in losses amounting to €23m.

After malware or phishing is used to obtain the login credentials of compromised accounts, it's normally necessary to transfer looted funds to another account in the same country before it can be wired overseas to cybercrime kingpins, who are typically based in eastern Europe. Money mules are recruited as money laundering intermediaries by these crime lords and their lieutenants. Money laundering schemes are frequently disguised as legitimate job opportunities, but ignorance is unlikely to offer much of a defence for many of those accused of facilitating cybercrime.

In a statement, Michèle Coninsx, president of Eurojust, said: "It is important to understand that money laundering may on the surface seem to be a small crime, but is orchestrated by organised crime groups, that is what we need to inform the public about.

Therefore, the European Money Mule Action II is paramount to stop people being lured and recruited into aiding serious crime, to break this crime link, by being aware of who is behind this type of crime." Steven Wilson, head of Europol's European Cybercrime Centre, added: "The European Money Mule Action is a successful example of public-private co-operation at the closest level.

The results of this second edition demonstrate a very strong connection between cybercrime and the illegal transactions identified." Law enforcement agencies from across Europe as well as the FBI and United States Secret Service participated in the international operation.
In addition, 106 banks and private partners supported the crackdown, the second pan-European operation of its type.

Background on an earlier European Money Mule Action last March, which led to the arrest of 81 suspects, can be found here. ®

US DNC hackers blew through SIX zero-days vulns last year alone

Most targets were individuals with Gmail addresses

Security researchers have shone fresh light on the allegedly Russian state-sponsored hacking crew blamed for ransacking the US Democratic National Committee's computers. Sednit – also known as APT28, Fancy Bear and Sofacy – has been operating since 2004 and attacking targets as diverse as the DNC, the German parliament, and the French TV network TV5Monde. Other targets have included high-profile figures in Eastern European politics – including Ukrainian leaders, NATO officials and Russian political dissidents.

The Spetsnaz of computer hacking favor phishing attacks and zero-day exploits, according to security researchers at ESET, the Slovakian IT security company:

Most of the targets uncovered by ESET's research have Gmail addresses, the majority of which belong to individuals. Individual targets included political leaders and heads of police of Ukraine, members of NATO institutions, members of the People's Freedom Party, Russia's People's Freedom Party, Russian political dissidents, 'Shaltay Boltai,' an anonymous Russian group known to release private emails of Russian politicians, journalists based in Eastern Europe, academics visiting Russian universities, and Chechen organizations.

The group exploited no fewer than six zero-day vulnerabilities in the likes of Windows, Adobe Flash and Java last year alone, according to ESET. "A run-of-the-mill criminal gang would be unlikely to make use of quite so many previously unknown, unpatched vulnerabilities because of the significant skill, time and resources required to properly uncover and exploit them," it concludes.

The first part of ESET's planned three-part white paper into Sednit can be found here [PDF]. ®

Ripper! Boffins find malware thought behind $347k Thai ATM raids

Evil EMV card pwns NCR ATMs, sets dispensary to max

Researchers at security firm FireEye may have found the malware responsible for plundering ATMs across Thailand and other parts of South East Asia. The security boffins reckon the Ripper malware is "strongly" linked to the plundering last week of ATMs in Thailand in which 12 million Thai baht (US$346,992, £265,308, A$458,432) was stolen by a gang thought to hail from Eastern Europe.

Some 21 attacks were made against NCR ATMs between 9 July and 23 August, the Bangkok Post reports. Police say some of the affected machines spewed around 40,000 baht a time. The malware bears a July PE compile date tying in with the August hack, while a sample of Ripper was submitted to the VirusTotal static antivirus analyser from a Thailand IP address.

"On 23 August FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before," senior malware researcher Daniel Regalado says. "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices.

"... indicators strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand."

Thieves insert a custom EMV card into ATMs which sets up the machines for infection and plundering. Regalado has revealed the malware's internal workings in a technical analysis. It is unique in that it targets three ATM vendors around the world. The malware can disable local network interfaces, thoroughly wipe forensic evidence, and turn up the dispensary allowance to the maximum of 40 notes per withdrawal.

It is the latest in what appears to be an increase in the number of plundered ATMs across Asia and Japan. ®

Wildfire Ransomware Code Cracked – Unlock For Free

Wildfire ransomware has plagued victims in The Netherlands and Belgium. (Image: McAfee Labs)

Victims of the Wildfire ransomware can get their encrypted files back without paying hackers for the privilege, after the No More Ransom initiative released a free decryption tool. No More Ransom runs a web portal that provides keys for unlocking files encrypted by various strains of ransomware, including Shade, Coinvault, Rannoh, Rakhni and, most recently, Wildfire. Aimed at helping ransomware victims retrieve their data, No More Ransom is a collaborative project between Europol, the Dutch National Police, Intel Security, and Kaspersky Lab.

Wildfire victims are served with a ransom note demanding payment of 1.5 Bitcoins -- the cryptocurrency favored by cybercriminals -- in exchange for unlocking the encrypted files. However, cybersecurity researchers from McAfee Labs, part of Intel Security, point out that the hackers behind Wildfire are open to negotiation, often accepting 0.5 Bitcoins as a payment. Most victims of the ransomware are located in the Netherlands and Belgium, with the malicious software spread through phishing emails aimed at Dutch speakers.

The email claims to be from a transport company and suggests that the target has missed a parcel delivery -- encouraging them to fill in a form to rearrange delivery for another date.
It's this form which drops Wildfire ransomware onto the victim's system and locks it down.

A spam email used to infect victims with Wildfire. (Image: McAfee Labs)

Researchers note that those behind Wildfire have "clearly put a lot of effort into making their spam mails look credible and very specific" - even adding the addresses of real businesses in The Netherlands - arousing suspicion that there are Dutch-speaking actors involved in the ransomware campaign. Working in partnership with law enforcement agencies, cybersecurity researchers were able to examine Wildfire's control server panel, which showed that in a one-month period the ransomware infected 5,309 systems and generated a revenue of 136 Bitcoins (€70,332).

Researchers suggest that the malicious code -- which contains instructions not to infect Russian-speaking countries -- means Wildfire operates as part of a ransomware-as-a-service franchise, with software likely to be leased out by developers in Eastern Europe. Whoever is behind Wildfire, victims no longer need to pay a ransom in order to get their files back, with the decryptor tool now available to download for free from the No More Ransom site.

The tool contains 1,600 keys for Wildfire, and No More Ransom says more will be added in the near future.

Very peed off: Ohio urologists stay zipped after embarrassing leak

150GB of patient, internal files stolen? You gotta be kidney me – no, urine for a shock

A medical group in Ohio has confirmed it was ransacked by miscreants who leaked hundreds of thousands of medical files, financial documents and patient records – but offered little else in the way of an explanation. The Central Ohio Urology Group told The Register it is still working with investigators and IT security experts to get the full scope of a staggering database security breach it suffered at the hands of Ukrainian hackers. The hacking group, known as Pravyy Sector, said earlier this week it had broken into the servers of the medical group's laboratory in July, pulling 156GB of files out of a compromised document management system – including internal spreadsheets, patients' test results and people's highly sensitive personal information.

#hacked BigLab: https://t.co/18FY6mnUQt - 156GB files - https://t.co/xeEPgUdiY4 pic.twitter.com/NfxXkMz12q — Pravyy Sector (@pravsector) August 2, 2016

Pravyy Sector, which otherwise focuses on political issues in the Ukraine and Eastern Europe regions, did not give a reason for the attack. The information has since been verified and the Central Ohio Urology Group has admitted an attack took place.

The group, which operates 20 clinics in and around the Columbus area, said that it will notify patients individually as to what data had been stolen in the assault. "Our patients' health, safety and security is always our priority, and I want to personally apologize to all of our patients for what has happened," Central Ohio Urology Group CEO Tino Valentino said in a statement. "We understand that our patients trust us to keep their information secure. We are actively working to address this incident, and to do everything we can to help prevent this from happening again." Residents, meanwhile, have told journalists they are still in the dark as to what personal details and medical records have been stolen.

The Columbus Dispatch reports that two victims it spoke with only learned of the hack through the media, while WBNS reached out to a patient who said "at a minimum, they know that some information has been released of mine and they've chosen not to contact me because they don't know how much." The Central Ohio Urology Group says it will take several weeks before its investigation will be complete and the full scope of the incident known. ®

Asian nations mull regional ‘Europol’ in fight against cybercrime

ASEAN ministers flag 'Asiapol' in closed-door talks

RSA APAC A closed-door meeting of cabinet ministers from more than a dozen countries met yesterday to mull the creation of a Europol-style organisation to crack down on cyber crime in the region and abroad, The Register has learned. The Asian organisation is conceptual only, but has support from countries including China, Malaysia, Myanmar, Indonesia, and host nation Singapore. It is the fourth year that ministers have met in the city-state on the shoulder of RSA's Asia Pacific conference.

"It starts as a discussion, but for it to come to a concrete idea is some time away," Singapore Minister for Home Affairs K Shanmugam told The Register. "We need to think about it and talk about it ... I am hoping it will come through but I don't think it will come through in the short term."

Attendees at the meeting included justice department heads from Asian nations including Japan's national public safety commission H.E. Taro Kono, Interpol Secretary General Jürgen Stock, and Qi Yuguo, chief of China's cybercrime security department.

Minister Kasiviswanathan Shanmugam, SC.

The prevalence of financially-motivated cybercrime across China was a matter of "specific discussion", RSA's global public sector general manager Mike Brown says, adding that Beijing is an active and positive participant in the meetings. Europol and Interpol have enjoyed great success in cracking down on cybercrime after fostering better support with governments and private sector organisations in recent years. The European agency is credited with a part in Operation Shrouded Horizon, the 18-month take-down of notorious English-speaking crime forum Darkode culminating in dozens of arrests in July last year.

RSA president Amit Yoran.

The European Cybercrime Centre (EC3) is understood to be some way into an operation that it is hoped will lead to significant arrests of hackers in Eastern Europe, although the agency did not confirm the operation when contacted by The Register. Interpol bagged 58 arrests across Asia in its 2014 Operation Strikeback sextortion operation. It is also understood to have ransomware actors in its cross-hairs in an operation that includes multiple European nations.

Yet an Asian Europol would be useful, but not necessarily "effective", according to RSA president Amit Yoran. "There are a tremendous number of challenges that need to be tackled with consistency of law as well as action from government and law enforcement," Yoran told The Register without commenting specifically on the closed-door meetings. "I would not necessarily say they (Europol-type structures) are effective, these things take time, but I think it is a step in the right direction."

In his keynote at the RSA conference yesterday, themed with the need to "change perspectives", Yoran said the security industry would be helped by "super smart humans" and not technology controls. "Gone are the days of point products addressing a thin sliver of security ... [it] is as flawed by conceptual design and as barren in value as anti-virus products," Yoran told delegates. "Tools alone won't win the battle for us; we need super-smart creative humans, we need you." ®