
NoName Ransomware Claims Yet Another Attack on Germany after Ukraine President’s Visit

NoName Ransomware

The NoName ransomware group has claimed responsibility for yet another cyberattack targeting government websites in Germany. The proclamation of the attack comes just 11 days after the group is said to have targeted German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In this latest attack, the group allegedly targeted the Federal Office for Logistics and Mobility and the Federal Ministry of the Interior and Community. NoName allegedly carried out a DDoS (Distributed Denial-of-Service) attack, preventing other users from accessing the websites.

In the message posted on a dark web forum on Tuesday, NoName claimed that the attack on German websites was to condemn the visit of Ukrainian President Volodymyr Zelenskyy to the country to participate in a conference on Ukraine’s post-war recovery.

“Ukrainian President Volodymyr Zelenskyy arrived in Germany late in the evening on Monday, June 10, to take part in an international conference on Ukraine's reconstruction. In his message in Telegram, Zelenskyy said that during his visit he had meetings with German Federal President Frank-Walter Steinmeier, Chancellor Olaf Scholz and Bundestag chairwoman Bärbel Bas,” NoName said.

“We decided to visit the conference too, and crush some websites,” it added.

Despite the hack, NoName has not provided elaborate evidence or context of the cyberattack, nor has it provided any details of how the German websites would be affected. While many experts had previously warned people not to underestimate threat actors who carry out DDoS attacks, their effectiveness remains a big question, as most of the targets suffer only a few hours of downtime before returning to normal operations. As of the writing of this report, there has been no response from officials of the alleged target websites, leaving the claims unverified.

Previous Instances of NoName Ransomware Attacks

Since first emerging on the dark web in March 2022, shortly after Russia’s invasion of Ukraine, the pro-Russian hacker group NoName has been increasingly active. The group has taken responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe.

Before making the claim of targeting German websites, NoName had a history of targeting prominent organizations in other countries. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives.

In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB.

More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks.

The ongoing cyberattacks by NoName across several countries serve as a reminder of the perils of the digital landscape. The operations of NoName ransomware, combined with their alleged political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

TRAM Barcelona Hit by DDoS Attack: NoName Group, Cyber Army of Russia Claim Responsibility

Tram Barcelona cyberattack

The website of Barcelona tram services, a central component of Spain's transportation network, was reportedly the target of a Distributed Denial-of-Service (DDoS) cyberattack. The TRAM Barcelona cyberattack has been claimed by the pro-Russian hacker group called "NoName," in collaboration with the Cyber Army of Russia. In a post, the group, which claims to be "NoName057(16)", made the announcement which read, "Supporting the attack by our friends from the People's Cyber Army, we are taking down one of Spain's transport websites." Since first emerging in March 2022, the pro-Russian hacker group NoName has been increasingly active, taking responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe.

Decoding the Tram Barcelona Cyberattack

[Image: Barcelona Tram. Source: X]

TRAM Barcelona, with its origins dating back to 1872, was one of Europe's earlier tram systems. After services were discontinued in 1971, the tram was reintroduced in 2004 with the new Trambaix and Trambesòs lines, which have since become a popular mode of transportation throughout Spain’s Catalonia region.

[Image caption: The hacker group declared the attack on May 29, 2024, and as of the time of this report, the website remains offline.]

The specifics of the cyberattack on Tram Barcelona, including potential data breaches and the attackers' motives, have not been fully disclosed. The hacker group announced the attack on May 29, 2024, and as of this report, the website is still down. The company has not yet acknowledged the incident or issued any official statement about the status of the website and its services.

The claimed cyberattack on Tram Barcelona highlights the persistent threat of security incidents on crucial entities, such as banks and government organizations. However, the absence of an official statement raises questions about the severity and credibility of the NoName cyberattack claim.

TRAM Barcelona Cyberattack: Latest in Series of Assaults

This isn’t the first instance of NoName targeting organizations. In January 2024, the group claimed responsibility for a series of cyberattacks across the Netherlands, Ukraine, Finland, and the USA. NoName has previously targeted a range of organizations, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), PrivatBank 24, Credit Agricole Bank, MTB BANK, Accordbank, Matek Systems in China, Pixhawk in Switzerland, SpetsInTech, and Kvertus. Incidentally, just like Tram Barcelona, OV-chipkaart is also part of a public transportation system: it is the contactless smart card widely used for public transport in the Netherlands.

Until an official statement is released by the affected organization, the full scope and impact of the alleged NoName cyberattack remain unclear. As the cybersecurity landscape continues to evolve, these incidents highlight the importance of bolstering security protocols and adopting proactive measures to mitigate the increasing threat of cyberattacks. This is an ongoing story, and we will provide updates as more information becomes available.

Check your DNS! Abandoned domains used to bypass spam checks

5 March 2024 at 12:27

Researchers at Guardio Labs have discovered that a group of spammers is using long-forgotten subdomains from established brands like MSN, eBay, CBS, and Marvel to send out malicious emails. The emails can bypass spam checks and to recipients they look like they come from a legitimate source.

A subdomain is a named sub-division of a domain name. For example, my.malwarebytes.com and www.malwarebytes.com are both subdomains of the malwarebytes.com domain.

Companies use subdomains for all kinds of purposes, from differentiating marketing campaigns to naming different online systems.

It’s also common practice for companies to create CNAME (Canonical Name) DNS records that alias a subdomain to another domain or subdomain.

For example, the subdomain my.malwarebytes.com is an easy-to-read alias for a CloudFront server called d1ok04i2z9vvoy.cloudfront.net.

When companies use these techniques and don’t clean up their records after they’re done, criminals can take advantage.

The researchers provide the example of marthastewart.msn.com, which was an alias for the msnmarthastewartsweeps.com domain.

At some point, MSN no longer needed the msnmarthastewartsweeps.com domain and stopped paying for it, but did not remove the CNAME record that aliased marthastewart.msn.com to it.

Criminals discovered the link between the two and bought the msnmarthastewartsweeps.com domain.

This is bad, as the researchers explain:

This means that the subdomain inherits the entire behavior of msnmarthastewartsweeps.com, including its SPF policy.

The Sender Policy Framework (SPF) is an anti-spam DNS record that sets out what domains and IP addresses can send email for a particular domain.

By registering the old and forgotten alias msnmarthastewartsweeps.com, the criminals were able to add their own IP addresses to the SPF record, allowing them to send spam from marthastewart.msn.com that passes SPF checks.

Guardio Labs warns that SPF also offers criminals another way to gain control. SPF’s include: syntax can include a list of other domain names that are allowed to send emails on behalf of a domain. If any of the included domains are abandoned, criminals can buy them up and send email on behalf of the parent domain.
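The two dangling-record patterns described above (a CNAME whose target domain has lapsed, and an SPF include: chain that ends in a lapsed domain) can be audited from a zone export. The following is an added example, not Guardio Labs' or Malwarebytes' code; it uses a constructed zone snapshot with .example names and a constructed set of "still registered" apex domains standing in for the NXDOMAIN/RDAP check a real audit would perform.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

RecordSet = Dict[str, List[Tuple[str, str]]]  # owner -> [(type, value)]

# Constructed zone snapshot (not live DNS data) mirroring the article's pattern.
RECORDS: RecordSet = {
    "marthastewart.msn.example": [("CNAME", "msnmarthastewartsweeps.example.")],
    "www.msn.example": [("CNAME", "d1ok04i2z9vvoy.cdn.example.")],
    "msn.example": [("TXT", "v=spf1 include:_spf.msn.example ~all")],
    "_spf.msn.example": [("TXT", "v=spf1 ip4:203.0.113.0/24 "
                                 "include:spf.esp.example include:mail.retired-vendor.example -all")],
    "spf.esp.example": [("TXT", "v=spf1 ip4:198.51.100.0/24 -all")],
}
# Constructed stand-in for "is this apex still registered?"; a real audit would
# look for NXDOMAIN / a missing SOA at the apex, or query RDAP, instead.
REGISTERED: Set[str] = {"msn.example", "cdn.example", "esp.example"}

def apex(name: str) -> str:
    """Registrable domain, approximated as the last two labels (ignores the PSL)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def spf_record(records: RecordSet, name: str) -> Optional[str]:
    for rtype, value in records.get(name, []):
        if rtype == "TXT" and value.startswith("v=spf1"):
            return value
    return None

def dangling_cnames(records: RecordSet, registered: Set[str]) -> List[Tuple[str, str]]:
    """(owner, target) for every CNAME whose target apex is no longer registered."""
    return [(name, value.rstrip("."))
            for name, rrs in records.items()
            for rtype, value in rrs
            if rtype == "CNAME" and apex(value) not in registered]

def dangling_spf_includes(records: RecordSet, registered: Set[str], root: str) -> List[List[str]]:
    """Include chains starting at root that end in an unregistered apex, e.g.
    ['msn.example', '_spf.msn.example', 'mail.retired-vendor.example']."""
    chains: List[List[str]] = []
    def walk(name: str, path: List[str]) -> None:
        txt = spf_record(records, name)
        if txt is None or len(path) > 10:  # 10 mirrors SPF's own DNS-lookup limit
            return
        for inc in re.findall(r"\binclude:([\w.-]+)", txt):
            if inc in path:
                continue  # loop guard for self-referencing includes
            if apex(inc) not in registered:
                chains.append(path + [inc])
            else:
                walk(inc, path + [inc])
    walk(root, [root])
    return chains
```

Each reported chain names the record an administrator must edit (the last registered domain in the path) rather than just the lapsed domain at its end.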

Once the researchers knew what they were looking for, they identified thousands of instances of so-called “subdomailing”, encompassing both CNAME and SPF-based tactics and going back at least two years.

The sheer number of hijacked subdomains and available IP addresses is big enough for the criminals to cycle through them to minimize detection and depletion of their “assets.”

As an organization it is important to regularly check your domains for signs of compromise and better manage your online assets—starting with removing unused subdomains and DNS records.

Guardio Labs has created a special subdomailing checker website, allowing domain administrators and site owners to quickly check if any trace of abuse has been found. The researchers note that the checker queries a database with the latest domains impacted by CNAME and SPF-based hijacking. So, a clean result does not mean you are safe, just that you haven’t been hijacked yet.

