Tag: Eastern Europe
For example, an attack that succeeded in locking up the operational data upon which physical processes rely could do serious and potentially even catastrophic damage to people and property.
Considering the severity of the potential consequences of a ransomware attack, plant owners are also likely to be more willing than others to quietly pay up any demanded ransom, CyberX said. The authors of the new KillDisk variant are a cybercriminal group called the TeleBots gang that appears to have evolved from another group called the Sandworm gang, Neray said. The Sandworm gang was responsible for a series of attacks on Industrial Control System (ICS) and SCADA networks in the US in 2014 involving the use of malware dubbed BlackEnergy.
The same group is also believed responsible for the attacks on the Ukrainian power grid in December 2015 and in early 2016 using the same BlackEnergy malware and the hard disk-erasing version of KillDisk. The TeleBots gang itself has been associated with previous attacks on Ukrainian banks and now appears to have turned its sights on companies in the industrial sector. “We know that both BlackEnergy and KillDisk were seen in the Ukraine power attacks and may also have been used in attacks against a large Ukrainian mining company and a large Ukrainian rail company,” says Neray in comments to Dark Reading. The new KillDisk ransomware variant has almost the same functionality as the previous version, but instead of deleting files it encrypts them. “For example, in both samples, the same string encoding algorithm is being used. So it's reasonable to assume that the new ransomware malware was designed [for use] against industrial companies too,” Neray says. In addition, other security researchers have also seen evidence of cybercriminals already targeting chemical plants in Eastern Europe for extortion, he says. It is unclear what malware strains were used in those attacks.
But as with KillDisk, the threat actors behind those attacks used malicious email attachments to distribute their malware and to penetrate the operational networks and processing systems of chemical plants in a way that could affect the purity of the output, Neray says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop shop for purchasing hacking goods.

WhiteHats on the prowl?

Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims’ stolen accounts.
A group of WhiteHat hackers who call themselves Group Demóstenes were found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem.
They would then monitor the incoming, stolen data.
Either manually or automatically, they would collect the stolen credentials and send emails to the victims’ accounts.
These emails contained an attachment with proof that the user’s machine had been compromised.
In addition, they advise the user to change passwords immediately and offer to help. The email reads:

Hi ***********
Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called
Computer Name: PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:
have a keylogger harm report All That You write, messages, passwords or more.
¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.
PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS

The email above appears in two languages, English and Spanish.
The name of the group appears to be of Portuguese origin, though it is not certain.

The shopfront: the command and control servers

Scanning for network services running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”. Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page.
Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer. After registering on the C2 web application, there was no sign of the stolen data transferred from compromised machines.
A forum-like web page opens up once a login succeeds. The C2 was meant to securely store the stolen data; however, it contained a crucial vulnerability which allowed researchers to download the stolen data. The C2 owners seem to have added six new shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is. Another item for sale is scam pages, some of which are multilingual.
The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays.
The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates. The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab. To purchase goods in the private shop you must deposit money into your account on the website.
The attackers accept Bitcoin, PerfectMoney and WebMoney.

Back to the stolen data

As we described, HawkEye is a robust keylogger that can hijack keystrokes from any application opened on the victim’s PC.
It can also identify login events and record the destination, username and password.
Its usefulness to the attacker is, however, limited by two-factor authentication and single sign-on. Stolen credentials on the server were found to hold sensitive access passwords to government, healthcare, banking and payment web applications.
Among them is the following web server which belongs to the Pakistani government. As mentioned, hundreds of machines were found to be compromised by just one C2.
The following is a partial list of what was downloaded from the malicious server. Usually, careless threat actors forget to remove test files which might contain sensitive data.
In this case, we were able to obtain the attackers' own credentials from one very small file that was captured when searching for related strings.

Target geography

The research is still ongoing; the campaign is currently affecting users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.
The stolen database may even have included information on email IDs of U.S. government and military employees. “It is extremely alarming that Yahoo didn’t know about this,” said Alex Holden, chief information security officer with Hold Security. Yahoo said back in November it first learned about the breach when law enforcement began sharing with the company stolen data that had been provided by a hacker.
At the time, the company was already dealing with a separate data breach, reported in September, involving 500 million user accounts. However, this hacker was apparently sitting on another mother lode of stolen Yahoo data, but it’s still unclear how the theft occurred. Holden, who investigates online black markets, said there was always chatter among underground dealers that someone had made away with a massive trove of information from the internet firm. “Hackers allegedly had small samples, but they had never seen the full data set,” Holden said. But the stolen data never appeared to be widely circulated to make a major profit, he said.
It suggests that state-sponsored hackers may have been behind the breach, and wanted to keep the data secretly to themselves. “This information would have been distributed widely if cyber criminals were involved,” Holden said. “But right now, that seems not to be the case, even two or three years later.” Private security firm InfoArmor may have actually discovered details about the Yahoo data breach earlier this year.
In September, the company claimed it had found a stolen database allegedly belonging to Yahoo that was obtained from elite hackers-for-hire. Yahoo, however, didn’t comment on the company’s finding, making it unclear if the data was legitimate. InfoArmor has claimed that a hacking team called “Group E,” likely out of Eastern Europe, breached Yahoo and sold the data in three private deals.
At least one of the buyers was a state-sponsored actor, said Andrew Komarov, InfoArmor’s chief intelligence officer, in an email on Wednesday. The security firm has shared its findings with law enforcement agencies in the U.S., U.K., Australia and Europe.
It said the stolen database it found also has information relating to over 150,000 U.S. government and military employees.
Backup email addresses included in the discovered dump contain .gov and .mil domain names, said Komarov, who called the Yahoo breach a “matter of national security.” The stolen data “may allow the threat actors to identify government employees very quickly,” he said. The FBI has only said it's investigating the Yahoo hack, and on Wednesday, the agency didn’t provide any new details. Yahoo also hasn’t mentioned who might have pulled off the intrusion, except to say an “unauthorized third party” was involved. Still, the recent data breaches at the company highlight the need for the tech industry to constantly be on guard against cyber threats, a security expert said. “The lesson is clear: no organization is immune to compromise,” said Jeff Hill, director of product management for security provider Prevalent, in an email. “Criminal actors can do significant damage in days and weeks; give them years, and all bets are off.”
The remote hack works from anywhere in the world, robbing banks in as little as 10 minutes.
It is every consumer's dream to find an ATM spitting out cash like a winning slot machine, and it seems that hackers in Eastern Europe have figured out how to make that a reality.
As outlined by Russian security firm Group IB, the hackers are linked to the Buhtrap crew, which stole $28 billion from Russian banks between August 2015 and January 2016, according to Reuters. But while Buhtrap looted ATMs via fraudulent wire transfers, the ATM scammers reportedly use a less hands-on method: "touchless jackpotting."
The hackers reportedly use a penetration testing tool known as Cobalt Strike, which lets them access servers that control ATMs via bank PCs infected by malicious emails. Accomplices then wait by the targeted ATMs and scoop up the cash as it spits out of the machine.
The hackers reportedly hit financial institutions in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, the Netherlands, Poland, Romania, Russia, Spain, and the UK. Group IB did not reveal which banks were targeted.
Global ATM manufacturers Diebold Nixdorf and NCR confirmed to PCMag that they are "familiar" with these types of breaches.
"ATM attacks are becoming more complex and sophisticated as hackers dedicate more time to attacking infrastructure," an NCR spokeswoman said in a statement. "Securing one's infrastructure and endpoints is a never-ending and extremely important task that does not depend on the region or attack type."
Diebold Nixdorf, meanwhile, claims there is "no indication to us that this group of fraudsters is active in Europe or the Americas."
But that doesn't mean they won't be. "Logical attacks on ATMs are expected to become one of the key threats targeting banks," according to Dmitry Volkov, head of the Group IB investigation department.
"They enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services," he said in a statement. "This type of attack does not require development of expensive advanced software—a significant amount of the tools used are widely available on the deep Web."
As the Wall Street Journal reports, the FBI recently warned US banks to look out for potential attacks, following incidents in Taiwan and Thailand over the summer.
"Every bank is under threat of logical attacks on ATMs and should be protected accordingly," Volkov added.
Therefore, the European Money Mule Action II is paramount to stop people being lured and recruited into aiding serious crime, to break this crime link, by being aware of who is behind this type of crime." Steven Wilson, head of Europol's European Cybercrime Centre, added: "The European Money Mule Action is a successful example of public-private co-operation at the closest level.
The results of this second edition demonstrate a very strong connection between cybercrime and the illegal transactions identified." Law enforcement agencies from across Europe as well as the FBI and United States Secret Service participated in the international operation.
In addition, 106 banks and private partners supported the crackdown, the second pan-European operation of its type.
Background on an earlier European Money Mule Action last March, which led to the arrest of 81 suspects, can be found here.
The email claims to be from a transport company and suggests that the target has missed a parcel delivery -- encouraging them to fill in a form to rearrange delivery for another date.
It's this form which drops Wildfire ransomware onto the victim's system and locks it down.

[Figure: A spam email used to infect victims with Wildfire. Image: McAfee Labs]

Researchers note that those behind Wildfire have "clearly put a lot of effort into making their spam mails look credible and very specific" - even adding the addresses of real businesses in the Netherlands - raising suspicion that there are Dutch-speaking actors involved in the ransomware campaign. Working in partnership with law enforcement agencies, cybersecurity researchers were able to examine Wildfire's control server panel, which showed that in a one-month period the ransomware infected 5,309 systems and generated a revenue of 136 Bitcoins (€70,332). Researchers suggest that the malicious code -- which contains instructions not to infect Russian-speaking countries -- means Wildfire operates as part of a ransomware-as-a-service franchise, with software likely to be leased out by developers in Eastern Europe. Whoever is behind Wildfire, victims no longer need to pay a ransom in order to get their files back, with the decryptor tool now available to download for free from the No More Ransom site.
The tool contains 1,600 keys for Wildfire, and No More Ransom says more will be added in the near future.
The group, which operates 20 clinics in and around the Columbus area, said that it will notify patients individually as to what data had been stolen in the assault. "Our patients' health, safety and security is always our priority, and I want to personally apologize to all of our patients for what has happened," Central Ohio Urology Group CEO Tino Valentino said in a statement. "We understand that our patients trust us to keep their information secure. We are actively working to address this incident, and to do everything we can to help prevent this from happening again." Residents, meanwhile, have told journalists they are still in the dark as to what personal details and medical records have been stolen.
The Columbus Dispatch reports that two victims it spoke with only learned of the hack through the media, while WBNS reached out to a patient who said "at a minimum, they know that some information has been released of mine and they've chosen not to contact me because they don't know how much." The Central Ohio Urology Group says it will take several weeks before its investigation is complete and the full scope of the incident known.
I am hoping it will come through but I don't think it will come through in the short term." Attendees at the meeting included justice department heads from Asian nations including Japan's national public safety commission chairman H.E. Taro Kono, Interpol secretary general Jürgen Stock, and Qi Yuguo, chief of China's cybercrime security department.

[Image: Minister Kasiviswanathan Shanmugam, SC.]

The prevalence of financially-motivated cybercrime across China was a matter of "specific discussion", RSA's global public sector general manager Mike Brown says, adding that Beijing is an active and positive participant in the meetings. Europol and Interpol have enjoyed great success in cracking down on cybercrime after fostering better support with governments and private sector organisations in recent years. The European agency is credited with a part in Operation Shrouded Horizon, the 18-month take-down of the notorious English-speaking crime forum Darkode, culminating in dozens of arrests in July last year.

[Image: RSA president Amit Yoran.]

The European Cybercrime Centre (EC3) is understood to be some way into an operation that it is hoped will lead to significant arrests of hackers in Eastern Europe, although the agency did not confirm the operation when contacted by The Register. Interpol bagged 58 arrests across Asia in its 2014 Operation Strikeback sextortion operation.
It is also understood to have ransomware actors in its cross-hairs in an operation that includes multiple European nations. An Asian Europol would be useful, but not necessarily "effective", according to RSA president Amit Yoran. "There are a tremendous number of challenges that need to be tackled with consistency of law as well as action from government and law enforcement," Yoran told The Register without commenting specifically on the closed-door meetings. "I would not necessarily say they (Europol-type structures) are effective, these things take time, but I think it is a step in the right direction." In his keynote at the RSA conference yesterday, themed around the need to "change perspectives", Yoran said the security industry would be helped by "super smart humans" and not technology controls. "Gone are the days of point products addressing a thin sliver of security ... [it] is as flawed by conceptual design and as barren in value as anti-virus products," Yoran told delegates. "Tools alone won't win the battle for us; we need super-smart creative humans, we need you."