A new wave of cyberattacks targeting Android users in the Middle East has surfaced, with a focus on both Palestine and Egypt. Dubbed AridSpy, this multistage Android malware is allegedly orchestrated by the notorious Arid Viper APT group, a name synonymous with cyber espionage in the region. The malicious software, discovered being distributed through five dedicated websites, is ingeniously disguised within seemingly legitimate applications, marking a dangerous evolution in cyber threats. The modus operandi of these campaigns, initiated as early as 2022 and persisting to this day, revolves around the deployment of trojanized apps designed to infiltrate unsuspecting users' devices. These applications, ranging from messaging platforms to job opportunity portals, harbor the insidious AridSpy spyware within their code, allowing the attackers to remotely control the infected devices and extract sensitive information with alarming efficiency.
Arid Viper APT group Leveraging AridSpy to Target Victims
A key element of AridSpy's strategy lies in its ability to camouflage itself within genuine apps, thus bypassing traditional security measures. By leveraging existing applications and injecting them with malicious code, the perpetrators exploit the trust users place in familiar software, amplifying the reach and impact of their cyber offensive.ESET's investigation into these activities uncovered various instances of AridSpy infiltration, with the majority of cases centered around the distribution of the malicious Palestinian Civil Registry app. This tactic, coupled with the impersonation of reputable messaging platforms like StealthChat and Voxer Walkie Talkie Messenger, underscores the group's sophisticated approach to cyber warfare.Lukáš Štefanko, a researcher at ESET, sheds light on the mechanics of AridSpy's infiltration, detailing how unsuspecting users are lured into installing the tainted applications. “In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app. Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file,” explains Štefanko.
Through deceptive download buttons and carefully crafted scripts, the attackers exploit vulnerabilities in users' trust and familiarity with popular apps, paving the way for the silent installation of AridSpy on their devices.
Reverse-Engineering Apps
Moreover, Arid Viper's ingenuity extends beyond mere app impersonation, as evidenced by their manipulation of legitimate app servers to facilitate data exfiltration. By reverse-engineering existing apps and utilizing their infrastructure, the group orchestrates a seamless data extraction process, further complicating detection and mitigation efforts.AridSpy's capabilities are not limited to data espionage alone; the spyware boasts a sophisticated feature set aimed at evading detection and maximizing information extraction. Through a combination of network evasion tactics and event-triggered data exfiltration mechanisms, AridSpy operates stealthily, siphoning off a plethora of sensitive data including call logs, text messages, media files, and even location information.As the online threats continue to target victims globally, users and organizations alike must remain vigilant against hackers groups and ransomware gangs. By staying informed and adopting robust security measures, individuals can mitigate the risks posed by malicious actors such as the Arid Viper group, safeguarding their digital assets and personal information from exploitation.
With spotlight on investments behind banks, we ask whether three top providers still offer a good deal
Protests outside Barclays branches and the recent arguments over Baillie Gifford’s sponsorship of book festivals have put the spotlight on the investments behind big banking institutions. For most people, choosing an ethical home for their current account will be the easiest way to ensure their money is being used in an environmentally friendly or socially responsible way.
The consumer group Which? names three “eco providers” for current accounts: the Co-operative Bank, Nationwide building society and Triodos Bank. These three also do well on the green money website MotherTree, which has ranked major UK banks on how much £10,000 in a current account contributes in carbon emissions. At the bottom of its table – so therefore the winner – is Triodos, followed by the Co-op Bank and then Nationwide.
A notorious Chinese hacking group has reportedly gone on a cyber offensive against South Korea and targeted most of the country’s Government and financial sites. The CyberDragon hacking group has a mixture of Chinese and Russian ties and has been critically targeting countries that have been condemning Russia for the ongoing war in Ukraine.
South Korea President Yoon Suk Yeol had recently confirmed his country's participation in a Ukraine peace summit in Switzerland this weekend to rally support for the country ending its war with Russia. Last year, Seoul had increased its Ukraine Aid package to $394 Million For 2024.
Government, Financial Sites Attacked by CyberDragon Hacking Group
Irked by its support being garnered against Russia, CyberDragon launched an extensive cyberattack on key South Korean sites and criticized the country for its alleged promotion of Russophobia.
In its post on darkweb, CyberDragon said, “We are joining the “South Korean Company”. This is a country that has long been promoting Russophobia by supporting the Kyiv regime.” The list of websites reportedly targetted by CyberDragon include:
Shinhan Financial Group: It was founded in September 2001 and is one of South Korea's big five financial groups. Its subsidiaries provide a full range of financial services, including banking, securities, life insurance, and investment banking.
State Korean Import-Export Bank KEXIM: The Export-Import Bank of Korea, also commonly known as the Korea Eximbank (KEXIM), is the official export credit agency of South Korea. The bank was first established in 1976. Its primary purpose is to support South Korea's export-led economy by providing loans, financing mega projects and thereby facilitating economic cooperation with other countries.
[caption id="attachment_77014" align="alignnone" width="1600"] Home Page of Korea Eximbank[/caption]
Korea Customs Service: The Korea Customs Service was established in 1970 and is one of tax organizations in South Korea and is run under the Ministry of Economy and Finance. The headquarters is in Seo District, Daejeon.
Korean National Police: The Korean National Police Agency (KNPA), also known as the Korean National Police (KNP), is one of the national police organizations in South Korea. It is run under the Ministry of the Interior and Safety and is headquartered in Seodaemun, Seoul.
National Tax Service: It is the tax organization in South Korea and is run under the Ministry of Economy and Finance. Its headquarters is in Sejong City.
Like many of the previous attacks carried out by the Cyberdragon hacking group, it is unclear if sensitive data of the organisations listed above was compromised. Prima Facie, it looks like the group carried out a DDoS attack meant to disrupt the platform’s services. None of the organizations have publicly responded to the alleged breach. Most of the organizations too seem to have restored the functioning of its websites, hours after the group claimed to have carried out a cyberattack.
Previous Operations by CyberDragon Hacking Group
The CyberDragon group gained popularity after it took down the website and app for almost 24 hours after a massive data breach in March 2024. CyberDragon had then posted evidence of the attack on its TOR platform but LinkedIn didn’t comment on the attack.
The peculiar hacking actor has both Chinese and Russian ties. It carries out cyberattacks with many pro-Russian hackers and most of its statements are posted in Russian. Both China and Russia are global allies and the targets of CyberDragon indicate their ideological and political affiliations. This scenario is, however, not new in the cybercrime world.
Organizations around the world must deal with the fallout of cyberattacks by groups like CyberDragon. Their attacks indicate why it is crucial to remain vigilant and implement stringent security measures against cyberattacks.
The notorious Monti ransomware has been sold to new owners. According to the actor's latest update, "This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation."The change in ownership and a shift in focus towards Western countries highlights a new approach towards ransomware. According to recent statements, the project has been acquired, with new owners expressing their intentions to revamp its infrastructure for future endeavors.In a cryptic post on their platform, the group hinted at upcoming developments, rallying for a collaborative effort to "build the future of the USA and Europe together."
Monti Ransomware Group and Change in Ownership
[caption id="attachment_76870" align="alignnone" width="938"] Source: Dark Web[/caption]
This announcement follows a string of cyberattacks perpetrated by the Monti ransomware gang. Notably, a recent incident in the South of France targeted three prominent institutions simultaneously: the Pau-Pyrénées airport, the Pau business school, and the city's digital campus. These attacks, occurring overnight from May 12 to May 13, 2024, disrupted operations and raised concerns regarding cybersecurity vulnerabilities in critical sectors.While the affected institutions scrambled to mitigate the fallout, journalists uncovered insights from the Chamber of Commerce and Industry (CCI) shedding light on the situation. Despite assurances of minimal disruption to activities, the compromised digital infrastructure left a trail of compromised data, including sensitive documents and personal information of employees and students.The modus operandi of the Monti ransomware group draws parallels to its predecessors, notably the Conti ransomware, which ceased operations in May 2022. The emergence of Monti, with its similar tactics and techniques, suggests a strategic emulation aimed at exploiting the void left by Conti's absence.
A Deeper Dive into Monti Ransomware Group
A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath.Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities.As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups.
The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.
Cryptor Developer Worked with Conti, LockBit
Ukraine cyber police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups.
The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation.
As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below).
[caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption]
The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement).
“Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.
LockBit Remains Active Despite Repeated Enforcement Activities
The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent.
Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from.
Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible.
Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”
The MEDUSA ransomware group has reared its ugly head again and this time it has claimed to have targeted three new victims: GEMCO Constructors, Dynamo Electric and Farnell Packaging. The ransomware group’s dark web portal highlighted these additions, adding to their growing list of victims.
Like many of its earlier attacks, the group has not disclosed crucial details, such as the type of compromised data. It has, however, demanded a bounty of US $900,000 from GEMCO and $100,000 each from Dynamo and Farnell Packaging to stop leaking its internal data.
MEDUSA Ransomware Attack: The Latest Victims
GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days.
The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days.
Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days.
Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified. The article would be updated once the respective organizations respond to the claims.
The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation.
However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.
Background of MEDUSA Ransomware Group
MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America.
MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks.
The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.
Previous Ransomware Attacks
Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services. In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group.
MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands.
As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Findlay Automotive Group, a prominent dealership network with operations spanning Nevada, Utah, Arizona, Washington, and Idaho, recently identified a cybersecurity issue impacting certain areas of its IT infrastructure.
Upon discovery, the company swiftly launched an investigation, joining the expertise of leading cybersecurity professionals and collaborating with law enforcement agencies to address the Findlay Automotive cybersecurity issue.
While the investigation is ongoing, Findlay Automotive is actively working to mitigate the issue and restore full operational capabilities. However, no details related to the data compromised and the extent of the data breach have been provided by the Officials of Findlay Automotive Group.
“Promptly after becoming aware of the issue, we launched an investigation with the assistance of leading cybersecurity experts and law enforcement. Our investigation is ongoing, and we are working diligently to resolve the matter,” reads the company’s statement on Facebook.
[caption id="attachment_76709" align="aligncenter" width="760"] Source: Findlay Automotive's Facebook Post[/caption]
Operational Impact of Findlay Automotive Cybersecurity Issue
Despite the restrictions imposed by the Findlay Automotive cybersecurity issue, all dealership locations remain open. Customers with vehicles currently in service are encouraged to visit or contact their respective service departments directly for assistance from Findlay’s dedicated staff.
"At Findlay Automotive, we have been serving our communities with pride and integrity since 1961," reads the company’s Facebook Post. "We take our responsibility to our customers and the community very seriously. We will continue to provide updates as the investigation continues and more information becomes available.”
The urgency and gravity of the situation are highlighted by recent trends in cybersecurity, particularly the rising threat of ransomware attacks in the industrial sector.
Rising Cyber Threats in the Industrial Sector
In 2019, industrial companies faced significant financial burdens due to ransomware, collectively paying out $6.9 million, which accounted for 62% of the total $11 million spent on ransomware that year. Despite representing only 18% of ransomware cases, the manufacturing sector bore the brunt of the financial impact. By 2020, the cross-industry cost of ransomware had escalated to a staggering $20 billion.
Gartner, a research firm, has projected that by 2023, the financial repercussions of cyberattacks on industrial systems, including potential fatal casualties, could exceed $50 billion. The automotive sector, in particular, has become a prime target for cybercriminals. As these threats intensify, paying ransoms become increasingly weak, emphasizing the necessity of enhanced cybersecurity measures to protect assets.
The recent Volkswagen incident exemplifies the magnitude of these threats. In April 2024, Volkswagen faced a cyberattack, suspected to originate from Chinese hackers. The breach exposed sensitive data, including development plans for gasoline engines and critical information on e-mobility initiatives. Investigations by ZDF Frontal and “Der Spiegel” revealed more than 40 internal documents, highlighting the severity of the cyberattack.
Similarly, in February 2024, Thyssenkrupp's automotive unit in Duisburg, Germany, experienced a cyberattack that disrupted production in its car parts division. Although no data theft or manipulation was detected, the company had to take several systems offline to prevent further unauthorized access, underlining the operational risks posed by such cyber incidents.
Closer to home, Eagers Automotive Limited faced a cyber incident on December 27, 2023, leading to a temporary trading halt to address its continuous disclosure obligations. The company issued an apology to its customers for the inconvenience caused by the disruption, reflecting the broad and often immediate impact of cyberattacks on automotive businesses.
Findlay Automotive’s proactive response to the current cybersecurity issue demonstrates its commitment to safeguarding its operations and customer trust. The company is maintaining open lines of communication with customers, providing regular updates as the investigation progresses and more information becomes available.
Real Bread Campaign makes trading standards complaint over marketing by Sainsbury’s, Tesco, Lidl and Co-op
They were the best thing since sliced bread. Supermarket bakeries, with their aroma of oven-hot goods, attracted customers who wanted a fresher product than the standard pre-packed offering.
But campaigners have cast doubt on just how fresh these baked goods are, with four big supermarkets accused of misleading claims and breaches of consumer protection regulations.
The British transport operator FirstGroup has applied for two more “open access” services outside the main train operating contracts as the government attempts to increase competition on the rail network and cut fares.
Open access means the operator takes full commercial risk, running services on infrastructure owned by a third party, on a chosen route that is not subject to a rail franchise set by the Department for Transport.
In the ever-evolving landscape of cyberthreats, email remains a prime target for malicious actors, with zero-hour Business Email Compromise (BEC) and advanced phishing attacks posing significant risks to organizations. A recent independent study by The Tolly Group, commissioned by SlashNext, highlights the company’s Gen AI powered Integrated Cloud Email Security (ICES) solution, demonstrating its superior […]
Institutions alleged to have given billions of dollars to oil and gas companies involved in projects that are harming the rainforests
Five of the world’s biggest banks are “greenwashing” their role in the destruction of the Amazon, according to a report that indicates that their environmental and social guidelines fail to cover more than 70% of the rainforest.
The institutions are alleged to have provided billions of dollars of finance to oil and gas companies involved in projects that are impacting the Amazon, destabilising the climate or impinging on the land and livelihoods of Indigenous peoples.
A significant gift to Queen’s University will be the starting point for brand-new cancer research and treatment therapies in Kingston and will add significant resources to Canada’s cancer treatment ecosystem. Read More
Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Patient Care, Including Transplants, Still Disrupted at London Hospitals, Clinics Marianne Kolbasuk McGee (HealthInfoSec) • June 7, 2024 Image: Synnovis A ransomware attack on a pathology services vendor earlier in the week continues to disrupt patient care, including transplants, […]
The Akira ransomware group claims on its dark web leak site to have compromised data from Panasonic Australia. Shortly after that announcement, Singapore authorities issued an advisory advising affected companies to not heed the ransomware group's demands, in response to local law firm Shook Lin & Bok confirming that it had been struck by the group.
Panasonic Australia is a regional subsidiary of Panasonic Holdings Corporation headquartered in Japan. It manufactures electronic equipment and devices such as cameras, home equipment, sound equipment, personal care devices, power tools, and air conditioning.
The Akira ransomware group has previously targeted several high-profile organizations while netting millions in ransom payments from affected victims.
Akira Ransomware Group Attack on Panasonic Australia
The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to verify the authenticity of the breach claims.
The potential impact of the breach on Panasonic Australia is unknown but could present a serious liability for the confidentiality of the company's stolen documents.
Cyber Security Agency of Singapore Issues Advisory
Singapore's Cyber Security Agency (CSA) along with the country's Personal Data Protection Commission (PDPC) issued an advisory to organizations instructing them to report Akira ransomware attacks to respective authorities rather than paying ransom demands.
The advisory was released shortly after an Akira ransomware group attack on the Shook Lin & Bok law firm. While the firm still continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. The Akira ransomware group had demanded a ransom of US$2 million from the law firm earlier, which was then negotiated down after a week, according to the SuspectFile article.
The Cyber Security Agency of Singapore (CSA) stated that it was aware of the incident and offered assistance to the law firm. However, it cautioned against similar payments from other affected victims.
"Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims."
The Singaporean authorities offered a number of recommendations to organizations:
Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
Migrate from unsupported applications to newer alternatives.
Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.
"Organisations should periodically scan their systems and networks for vulnerabilities and regularly update all operating systems, applications, and software by applying the latest security patches promptly, especially for functions critical to the business," the police, CSA and PDPC said in a joint statement.
The criminal group had previously also come under the attention of various other governments and security agencies, with the FBI and CISA releasing a joint cybersecurity advisory as part of the #StopRansomware effort.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Senator Ron Wyden (D-Ore.) is pressing the U.S. government to accelerate cybersecurity enhancements within the healthcare sector following the devastating Change Healthcare ransomware attack that exposed the protected health information of nearly a third of Americans.
In a letter to Xavier Becerra, secretary of the U.S. Department of Health and Human Services, Wyden urged HHS to implement immediate, enforceable steps to improve “lax cybersecurity practices” of large healthcare organizations.
“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” - Wyden.
He stated that the sub-par cybersecurity standards have allowed hackers to steal patient information and disrupt healthcare services, which has caused “actual harm to patient health.”
MFA Could Have Stopped Change Healthcare Attack
The call from Wyden comes on the back of the ransomware attack on Change Healthcare — a subsidiary of UnitedHealth Group — which, according to its Chief Executive Officer Andrew Witty, could have been prevented with the basic cybersecurity measure of Multi-Factor Authentication (MFA).
The lack of MFA on a Citrix remote access portal account that Change Healthcare used proved to be a key vulnerability that allowed attackers to gain initial access using compromised credentials, Witty told the Senate Committee on Finance in a May 1 hearing.
“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history.” - Wyden
The use of MFA is a fundamental cybersecurity practice that HHS should mandate for all healthcare organizations, Wyden argued. He called for the implementation of broader minimum and mandatory technical cybersecurity standards, particularly for critical infrastructure entities that are designated as "systemically important entities" (SIE) by the U.S. Cybersecurity and Infrastructure Security Agency.
“These technical standards should address how organizations protect electronic information and ensure the healthcare system’s resiliency by maintaining critical functions, including access to medical records and the provision of medical care,” Wyden noted.
He suggested that HHS enforce these standards by requiring Medicare program participants to comply.
Wyden’s Proposed Cybersecurity Measures for HHS
Wyden said HHS should mandate a range of cybersecurity measures as a result of the attack.
“HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily-preventable cyberattacks,” Wyden argued.
The Democratic senator proposed several measures to enhance cybersecurity in the healthcare sector, including:
Mandatory Minimum Standards: Establish mandatory cybersecurity standards, including MFA, for critical healthcare infrastructure.
Rapid Recovery Capabilities: Ensure that organizations can rebuild their IT infrastructure within 48 to 72 hours following an attack.
Regular Audits: Conduct regular audits of healthcare organizations to assess and improve their cybersecurity practices.
Technical Assistance: Provide technical security support to healthcare providers.
Wyden criticized HHS for its current insufficient regulatory oversight, which he believes contributes to the ongoing cyberattacks harming patients and national security.
“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said. He urged HHS to use all of its authorities to protect U.S. healthcare providers and patients from mounting cybersecurity risks.
The State of Ransomware in Healthcare
The healthcare sector was the most common ransomware target among all critical infrastructure sectors, according to FBI’s Internet Crime Report 2023.
The number of attacks and individuals impacted have grown exponentially over the last three years.
[caption id="attachment_75474" align="aligncenter" width="1024"] Ransomware attacks on healthcare in last three years. (Source: Emsisoft)[/caption]
“In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.” - Emsisoft
A study from McGlave, Neprash, and Nikpay from the University of Minnesota School of Public Health found that in a five-year period starting in 2016, ransomware attacks likely killed between 42 and 67 Medicare patients. Their study further observed a decrease in hospital volume and services by 17-25% during the week following a ransomware attack that not only hit revenue but also increased in-hospital mortality among patients who were already admitted at the time of attack.
HHS Cybersecurity Response
HHS announced in December plans to update its cybersecurity regulations for the healthcare sector for the first time in 21 years. These updates would include voluntary cybersecurity performance goals and efforts to improve accountability and coordination.
The Healthcare and Public Health Sector Coordinating Council also unveiled a five-year Health Industry Cybersecurity Strategic Plan in April, which recommends 10 cybersecurity goals to be implemented by 2029.
Wyden acknowledged and credited the latest reform initiatives from HHS and the HSCC, but remains concerned about the lengthy implementation timeline, which he said requires urgency when it comes to the healthcare sector.
The latest letter follows Wyden’s request last week to the SEC and FTC to investigate for any negligence in cybersecurity practices of UnitedHealth Group. HHS is currently investigating the potential UHG breach that resulted in the exposure of protected health information of hundreds of thousands of Americans.
The Akira ransomware group allegedly targeted E-T-A Elektrotechnische Apparate GmbH, an organization located in Germany. The ransomware group claims to have stolen 24 gigabytes of sensitive material, including customer information, non-disclosure agreements (NDAs), financial records, and employee personal information.
To substantiate these claims, the threat actor has attached a screenshot with all this information.
E-T-A Elektrotechnische Apparate GmbH operates six production facilities and has a presence in 60 countries worldwide. The company’s product range includes a variety of electrical protection solutions essential to numerous industries. The company is renowned for manufacturing circuit breakers, electronic circuit protectors, and various other electronic components.Despite the ransomware group's claims, the company's official website appeared to be fully functional, and there were no signs of foul play. Further to verify Akira's cyberattack on E-T-A claims, The Cyber Express Team reached out to E-T-A Elektrotechnische Apparate GmbH for an official statement.
As of the time of writing, no response has been received from the company. This leaves the ransomware claims unverified, with no confirmation or denial from E-T-A's officials.
Akira Ransomware: Previous Track Record
The Akira ransomware gang has arisen as a danger to small and medium-sized organizations (SMBs), mostly in Europe, North America, and Australia. The group uses advanced tactics to infiltrate systems, frequently acquiring illegal access to a company's virtual private networks (VPNs).Sophos X-Ops research shows that Akira often uses compromised login credentials or exploits weaknesses in VPN technologies such as Cisco ASA SSL VPN or Cisco AnyConnect.Recently, in May 2024, Akira targeted Western Dovetail, a well-known woodworking shop. In April 2024, Akira was identified as the gang responsible for a series of cyberattacks against businesses and key infrastructure in North America, Europe, and Australia.According to the US Federal Bureau of Investigation (FBI), Akira has hacked over 250 firms since March 2023, collecting roughly $42 million in ransom payments. Initially, Akira's attacks targeted Windows systems. However, the gang has since broadened its tactics to include Linux computers, causing anxiety among international cybersecurity agencies.These cyberattacks show Akira's strategy of targeting a wide range of industries and businesses of all sizes, frequently resulting in major operational interruptions and financial losses.As it stands, the Akira ransomware group's claims against E-T-A Cyberattack are unsubstantiated. The lack of an official response from the company creates a vacuum in the confirmation of these claims. While the company's website is still operational, signaling no immediate disruption, a data breach might have serious consequences, compromising client confidentiality, financial integrity, and employee privacy.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors.
The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC).
The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions.
Researchers first observed a confirmed attack case where a malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said.
[caption id="attachment_73866" align="aligncenter" width="1000"] Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)[/caption]
Malware Used by Andariel APT in this Campaign
The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems.
Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities.
A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server.
The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery is one such malware strain.
The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.
Additional Malware Strains
Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.
The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology.
Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access.
Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.
IoCs to Watch for Signs of Andariel APT Attacks
IoCs to monitor for attacks from Andariel APT group include:
MD5s
– 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe)
– a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe)
– e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe)
– 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll)
– 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe)
– 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe)
– fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll)
– afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll)
– d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe)
– 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe)
– 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe)
– 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe)
– 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe)
C&Cs
– 45.58.159[.]237:443: Nestdoor – Recent attack case
– 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case
– 209.127.19[.]223:443: Nestdoor – OpenVPN attack case
– kmobile.bestunif[.]com:443 – Dora RAT
– 206.72.205[.]117:443 – Dora RAT
"I write to request that your agencies investigate UnitedHealth Group’s (UHG) negligent cybersecurity practices, which caused substantial harm to consumers, investors, the healthcare industry, and U.S. national security. The company, its senior executives, and board of directors must be held accountable," declared Senator Ron Wyden, Chairman of the Senate Committee on Finance, in a letter to federal regulators on May 30.
This urgent plea follows the devastating cyberattack on Change Healthcare, a subsidiary of UHG, raising critical questions about the company's cybersecurity integrity.
In a four-page letter, Senator Wyden linked the recent cyberattack on Change Healthcare to the infamous SolarWinds data breach, blaming UHG's leadership for a series of risky decisions that ended in this tragic cyberattack.
[caption id="attachment_73457" align="aligncenter" width="1024"] Source: SEC[/caption]
Broader Context of Cyberattack on Change Healthcare
At the heart of the criticism is the appointment of a Chief Information Security Officer (CISO) who had no prior full-time experience in cybersecurity before assuming the role in June 2023. This, according to Wyden, epitomizes the corporate negligence that has placed countless stakeholders at risk.
Wyden argues that Martin's appointment exemplifies a broader pattern of poor decision-making by UHG’s senior executives and board of directors, who should be held accountable for the company’s cybersecurity lapses.
The comparison to SolarWinds is particularly telling. The SolarWinds incident exposed vulnerabilities in software supply chains, leading to widespread consequences across multiple sectors. Similarly, UHG's data breach, if proven to result from preventable lapses, highlights the critical need for stringent cybersecurity practices in healthcare, an industry that handles sensitive personal and medical data.
The Incident and Initial Reactions
The incident in question involved hackers exploiting a remote access server at Change Healthcare, which lacked multi-factor authentication (MFA). This basic cybersecurity lapse allowed the attackers to gain an initial foothold, leading to a ransomware infection that crippled UHG’s operations.
During testimony before the Senate Finance Committee on May 1, 2024, UHG CEO Andrew Witty admitted that the company’s MFA policy was not uniformly implemented across all external servers. Witty's revelations highlighted a broader issue of inadequate cybersecurity defenses at UHG, despite the industry's reliance on MFA as a fundamental safeguard.
Industry Standards and Regulatory Expectations
Wyden’s letter points out that the Federal Trade Commission (FTC) has mandated MFA for financial services companies under the Safeguards Rule and has enforced its use in cases against companies like Drizly and Chegg.
These precedents establish MFA as a non-negotiable standard for protecting consumer data. UHG's failure to implement this basic security measure on all its servers is a glaring oversight, suggesting a disconnect between its stated policies and actual practices.
Moreover, Wyden highlights the necessity of multiple lines of defense in cybersecurity. The fact that hackers could escalate their access from one compromised server to the entire network indicates a lack of network segmentation and other best practices designed to contain breaches. This deficiency exacerbates the initial failure to secure remote access points.
Consequences and Broader Implications
The implications of UHG’s cybersecurity failures are profound. The immediate aftermath saw significant disruptions, with some of UHG's systems taking weeks to restore.
Witty admitted that while cloud-based systems were quickly recovered, many critical services running on UHG's own servers were not engineered for rapid restoration. This lack of resilience in UHG’s infrastructure planning highlights a failure to anticipate and mitigate the risk of ransomware attacks, a known and escalating threat.
Wyden’s letter also addresses the financial fallout. UHG has already estimated the breach's cost at over a billion dollars, reflecting the significant economic impact of the cyberattack. This financial burden, coupled with negative media coverage, exposes UHG to substantial political and market risks.
The case echoes the SEC’s stance in the SolarWinds case, where cybersecurity practices were deemed crucial for investor decisions. Investors in UHG would similarly consider enhanced cybersecurity practices essential, given the potential for massive breaches to affect stock value and company reputation.
Accountability and Regulatory Action
Senator Wyden calls for the FTC and SEC to investigate UHG’s cybersecurity and technology practices, aiming to determine if any federal laws were violated and to hold senior officials accountable. This push for accountability highlights the role of corporate governance in cybersecurity.
The Audit and Finance Committee of UHG’s board, responsible for overseeing cybersecurity risks, is criticized for its apparent failure to fulfill its duties.
Wyden suggests that the board's lack of cybersecurity expertise likely contributed to the oversight failures, a critical point in an era where cybersecurity threats are increasingly sophisticated and pervasive.
The NoName ransomware group has claimed responsibility for a series of cyberattacks targeting key institutions in Spain and Germany. The group’s latest alleged victims include the Royal Household of Spain, Corts Valencianes, and the Government of the Principality of Asturias, as well as German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG.
In a message posted on a dark web forum, NoName declared, "We continue attack on the Spanish internet infrastructure and destroy the state websites of Russophobic authorities."
[caption id="attachment_73295" align="aligncenter" width="528"] Source: X[/caption]
[caption id="attachment_73296" align="aligncenter" width="530"] Source: X[/caption]
Similarly, they stated regarding Germany, "We continue to punish Germany and destroy several websites of this Russophobic country." These statements underscore the group’s purported motive of targeting entities they deem as "Russophobic."
[caption id="attachment_73298" align="aligncenter" width="527"] Source: X[/caption]
[caption id="attachment_73297" align="aligncenter" width="522"] Source: X[/caption]
Despite these bold claims, the NoName group has not provided concrete evidence or detailed context regarding the nature and impact of these alleged cyberattacks. The Cyber Express team attempted to verify these claims by reaching out to the allegedly implicated organizations.
As of the writing of this report, no responses have been received from the officials of the alleged target companies, leaving the claims unverified.
Upon accessing the official websites of the listed Spanish and German companies, no disruptions or signs of cyberattack were observed, as the websites were fully functional. This raises questions about the veracity of NoName's claims and the potential for misinformation as a tactic in their cyber operations.
Historical Context of NoName Ransomware Cyber Activities
This isn’t the first instance of NoName targeting prominent organizations. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry.
These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives.
In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB.
More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks.
Implications and the Need for Vigilance
The sophistication and scale of NoName ransomware operations, combined with their apparent political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The rising frequency of cyberattacks targeting governmental institutions across Europe demands a coordinated response from both national and international cybersecurity agencies.
If NoName's recent claims about targeting Spain and Germany are proven true, the implications could be far-reaching. Cyberattacks on such critical institutions could disrupt governmental functions, compromise sensitive data, and undermine public trust. However, any definitive conclusions must await official statements from the allegedly targeted companies in Spain and Germany.
The alleged ongoing cyberattacks by NoName ransomware serve as a reminder of the persistent and evolving threat landscape. As the investigation continues, the cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
CL0P ransomware group has claimed to have added Cooperativa de Crédito y Vivienda Unicred Limitada to their growing list of victims. The group alleges they have exfiltrated various sensitive financial documents, including invoices and forms, from Unicred cyberattack.
The CL0P ransomware group, known for its high-profile cyberattacks, has detailed basic information about Unicred on their leak site, including links to the cooperative's official website.
Unicred, founded in 1989 by a consortium of experienced businessmen and financial professionals, specializes in various financing instruments, such as the assignment of deferred payment checks, invoice credits, electronic invoices, and work certificates. The cooperative, with a reported revenue of $15.3 million, has built a reputation for its expertise in credit administration.
[caption id="attachment_73263" align="aligncenter" width="678"] Source: X[/caption]
Despite the serious nature of CL0P's claims, initial investigations show no immediate signs of a cyberattack on Unicred's official website, which remains fully operational.
To clarify the situation, The Cyber Express Team reached out to Unicred's officials. However, at the time of writing, no response has been received, leaving the ransomware group's assertions unverified.
[caption id="attachment_73265" align="aligncenter" width="819"] Source: X[/caption]
[caption id="attachment_73266" align="aligncenter" width="793"] Source: X[/caption]
Potential Impact of the Alleged Unicred Cyberattack
Should the CL0P ransomware group's claim of a Unicred cyberattack be validated, the repercussions could be substantial for both Unicred and its customers. Ransomware attacks typically involve not only the exfiltration of sensitive data but also the potential for that data to be publicly released or sold, leading to severe privacy breaches and financial loss.
Given Unicred's role in handling significant financial transactions and sensitive customer information, a confirmed Unicred cyberattack could undermine customer trust, disrupt business operations, and result in regulatory scrutiny and potential fines. The exposure of financial documents and personal data could also lead to identity theft and financial fraud, posing a serious threat to the affected individuals.
CL0P Ransomware Notorious Track Record
The CL0P ransomware group has a well-documented history of targeting high-profile organizations. Earlier this month, the group listed three new victims on its leak site: McKinley Packing, Pilot, and Pinnacle Engineering Group.
In January 2024, CL0P claimed responsibility for compromising S&A Law Offices, a prominent India-based firm specializing in litigation services and intellectual property rights. The cybercriminals posted sensitive employee details, including phone numbers, addresses, vehicle numbers, PAN card details, internal communications, and other personally identifiable information (PII) as proof of the breach.
In 2023, the CL0P group was behind a series of significant data breaches exploiting the MOVEit vulnerability. This widespread campaign led the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint cybersecurity advisory.
The advisory disseminated Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with CL0P's operations, emphasizing the group's threat to organizations across various sectors.
Conclusion
The alleged cyberattack on Cooperativa de Crédito y Vivienda Unicred Limitada by the CL0P ransomware group highlights the ongoing and evolving threat landscape in the digital age. While the claims remain unverified, the potential impact on Unicred and its customers is a reminder of the importance of cybersecurity vigilance.
As CL0P continues to target high-profile entities, organizations must prioritize cybersecurity to protect their data, maintain customer trust, and ensure business continuity.
As this situation develops, further verification and responses from Unicred will be crucial in determining the full extent of the impact and the measures needed to address it.
Meanwhile, the cybersecurity community must remain vigilant and proactive in countering the ever-present threat of ransomware attacks.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted or infected with NSO Group’s proprietary Pegasus spyware.
A joint investigation by Citizen Lab and Access Now detailed incidents from August 2020 to January 2023 and concluded that a single NSO Group customer might be responsible for at least five of these cases.
Threats Against Critics of Russian and Belarusian Regimes
In September 2023, Citizen Lab and Access Now reported the hacking of exiled Russian journalist Galina Timchenko, CEO and publisher of Meduza, with Pegasus spyware. Building on these findings, the investigation, in collaboration with digital security expert Nikolai Kvantiliani, now reveals the targeting of seven additional Russian and Belarusian-speaking civil society members and journalists.
Many of these individuals, living in exile, have vocally criticized the Russian government, including its invasion of Ukraine, and have faced severe threats from Russian and Belarusian state security services.
Critics of the Russian and Belarusian governments typically face intense retaliation, including surveillance, detention, violence, and hacking. The repression has escalated following Russia’s 2022 invasion of Ukraine, with laws severely curtailing the operations of media and civil society organizations.
An example of this is the Russian government designating the Munk School of Global Affairs & Public Policy at the University of Toronto, home to the Citizen Lab, as an “Undesirable Organization,” in March 2024.
Many opposition activists and independent media groups have relocated abroad to continue their work. Despite the geographic distance, these exiled communities face ongoing threats, including violent attacks, surveillance, and digital risks. For instance, Meduza reported a significant Distributed Denial of Service (DDoS) attack on their website during Russia’s 2024 presidential elections.
Investigation Confirmed Pegasus Spyware Targeting
The investigation confirmed that the following individuals were targeted or infected with Pegasus spyware. Their names are published with their consent.
[caption id="attachment_73182" align="aligncenter" width="1532"] Table Showing Individuals Identified in the Latest Pegasus Spyware Infections (Credit: Citizen Lab)[/caption]
Access Now and Citizen Lab confirmed that five victims' phones had Apple IDs used by Pegasus operators in hacking attempts. Exploits leveraging bugs in HomeKit can leave the attacker's Apple ID email address on the victim's device. Citizen Lab believes each Apple ID is tied to a single Pegasus operator, although one operator may use multiple IDs.
The same Apple ID was found on the phones of Pavlov, Radzina, and a second anonymous victim. A different email account targeted both Erlikh and Pavlov’s phones on November 28, 2022. Artifacts from Andrei Sannikov and Natallia Radzina’s phones contained another identical email. This indicates that a single Pegasus spyware operator may have targeted at least three of the victims, possibly all five.
[caption id="attachment_73184" align="aligncenter" width="1024"] Credit: Citizen Lab[/caption]
The investigators could not attribute the attacks to a specific operator but certain trends pointed to Estonia’s involvement. Based on previous investigation, Poland, Russia, Belarus, Lithuania, and Latvia are all known to be customers of the NSO Group’s spyware, but the likeliness of their involvement is low as they do not target victims outside their borders, the investigators said. Estonia, however, is known to use Pegasus extensively beyond its borders, including in multiple European countries.
Concerns Over Digital Transnational Repression
This pattern of targeting raises serious concerns about the legality and proportionality of such actions under international human rights law. The attacks occurred in Europe, where the targeted individuals sought safety, prompting questions about host states’ obligations to prevent and respond to these human rights violations.
The ongoing investigation highlights the persistent threats faced by exiled Russian and Belarusian journalists and activists. As digital transnational repression continues, it underscores the urgent need for robust international measures to protect freedom of expression and privacy for these vulnerable groups.
“Access Now [urged] governments to establish an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses.”
Apple recentlyissued notifications to users in more than 90 countries alerting them of possible mercenary spyware attacks. The tech giant replaced the term "state-sponsored" in its alerts with "mercenary spyware attacks," drawing global attention. Previously, Apple used "state-sponsored" for malware threats, but now it highlights threats from hacker groups.
Apple noted that while these attacks were historically linked to state actors and private entities like the NSO Group’s Pegasus, the new term covers a broader range of threats.
The notorious Akira ransomware group has added another victim to its growing list of targeted organizations, striking at Western Dovetail, a prominent woodworking company founded in 1993 by Maxfield Hunter, its president, and CEO, along with support from his father, George Hunter, and brother, Josh Hunter.
The family-owned business, known for its dedication to woodworking craftsmanship, has become the latest casualty of cybercrime.
The Akira ransomware group took to online forums to announce their latest Western Dovetail data breach, proclaiming the availability of "a few GB of their data" for public access.
The compromised data reportedly includes sensitive employee information such as addresses, emails, phone numbers, and even details of relatives, along with tax and payment information, and a snippet of medical records.
Western Dovetail Cyberattack: Verification Efforts and Official Response
Despite this disclosure, Akira has remained tight-lipped about their motives behind targeting Western Dovetail.
Upon investigating Western Dovetail's official website, no signs of foul play were immediately evident, as the website appeared to be fully functional.
To corroborate further, The Cyber Express Team reached out to Western Dovetail officials for comment. However, at the time of compiling this report, no official response had been received, leaving the claim of the Western Dovetail data breach unverified.
[caption id="attachment_72947" align="aligncenter" width="850"] Source: X[/caption]
Akira Ransomware Trail of Cyber Destruction
The latest cyberattack on Western Dovetail adds to a growing list of cyber onslaughts orchestrated by the Akira ransomware group. In April 2024, the group was identified as the mastermind behind a series of devastating cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia.
According to the U.S. Federal Bureau of Investigation (FBI), Akira has breached over 250 organizations since March 2023, raking in a staggering $42 million in ransom payments.
Initially focusing on Windows systems, Akira has expanded its tactics to include Linux variants, raising alarm bells among global cybersecurity agencies.
Before targeting Western Dovetail, the ransomware group had set its sights on prominent entities such as DENHAM the Jeanmaker, a renowned denim brand based in Amsterdam, and TeraGo, a Canada-based provider of secure cloud services and business-grade internet solutions.
Conclusion and Awaited Response
In the wake of the Western Dovetail cyberattack, the cybersecurity landscape remains fraught with uncertainty. While the company's official response is eagerly awaited, the incident serves as a reminder of the ever-present threat posed by cybercriminals.
As organizations strive to protect themselves against such cyberattacks, collaboration between cybersecurity experts, law enforcement agencies, and affected entities becomes increasingly crucial in combating the pervasive menace of ransomware.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
The notorious Russian Cyber Army hacker group has allegedly claimed the Bulgarian Ports Infrastructure Company cyberattack. The threat actor asserts a targeted assault on the organization’s website. While the hacker group asserts the website's downtime, initial observations contradict this claim, indicating that the site remains operational without visible signs of a cyber onslaught.The Cyber Express has reached out to the Bulgarian Ports Infrastructure Company to verify the claims of the cyberattack incident. However, at the time of writing this, no official statement or response has been forthcoming, leaving the veracity of the claims surrounding the Bulgarian Ports Infrastructure Company cyberattack unconfirmed.
Russian Cyber Army Assets Bulgarian Ports Infrastructure Company Cyberattack
Contrary to typical cyberattacks that result in website defacements or distributed denial-of-service (DDoS) disruptions, the purported assault by the Russian Cyber Army appears to have had minimal impact, if any, on the targeted website's operations. This suggests a potentially brief and ineffective attack, diverging from the more disruptive tactics commonly associated with cyber warfare.
[caption id="attachment_70364" align="alignnone" width="462"] Source: X[/caption]
Talking about the Bulgarian Ports Infrastructure Company cyberattack in its post, the Russian Cyber Army states that they are attacking the “State Enterprise “Port Infrastructure” (IF)”, which is the territorial authority of the Bulgarian ports, for public transport, providing traffic management and delivery information services.The Russian Cyber Army's recent activities have garnered attention, including a peculiar interview conducted by WIRED with a purported spokesperson known as "Julia." The interview sheds light on the group's motivations, which ostensibly revolve around defending Russian interests in the face of perceived external pressure from the United States, the European Union, and Ukraine.
Who is the Russian Cyber Army Hacker Group?
While the Russian Cyber Army portrays itself as a formidable force in the information warfare arena, experts caution against overestimating its influence, suggesting that the group's actions may primarily serve to bolster nationalist sentiments domestically rather than exert significant influence abroad. Moreover, the group's exposure by cybersecurity firms and government agencies highlights its emergence as a noteworthy entity on the global stage. Despite the hype surrounding the Russian Cyber Army's activities, analysts warn against succumbing to fear-mongering tactics, emphasizing the need for measured responses to cyber threats. As for the Bulgarian Ports Infrastructure Company cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Bulgarian Ports Infrastructure Company cyberattack or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
A ransomware attack of Ransomhub group on the Industrial Control Systems of a Spanish bioenergy plant has once again brought to the fore the imperils of cyberattacks on Industrial Control Systems (ICS). The latest threat intelligence report from the Cyble Research & Intelligence Labs (CRIL) said that the attack targeted the Supervisory Control and Data Acquisition (SCADA) system, a pivotal component for managing operations at the Spanish facility. Ransomhub's modus operandi involves encrypting data and leveraging access to SCADA systems to disrupt essential functions, as evidenced in their recent breach. Their claim of accessing and encrypting over 400 GB of data, coupled with persistent control over SCADA systems, highlights the severity of the threat posed by this ransomware group.
Ransomhub Group Targets Industrial Control Systems (ICS)
[caption id="attachment_69992" align="alignnone" width="811"] Ransomhub posts on their DLS.(Source: Cyble)[/caption]
The origins of Ransomhub trace back to February 2024 when it emerged as a Ransomware-as-a-Service (RaaS) on cybercrime forums. Employing sophisticated encryption techniques and targeting organizations predominantly in the IT & ITES sector, particularly in the United States, Ransomhub quickly garnered notoriety within the underground cyber community.
[caption id="attachment_69994" align="alignnone" width="728"] Alleged SCADA control of Gijón Bio-Energy Plant Digestor Tank (Source: Cyble)[/caption]
The group's aggressive recruitment of affiliates, coupled with attempts to exploit vulnerabilities in SCADA systems, signify a strategic shift towards targeting Operational Technology (OT) environments. This shift aligns with broader trends in the ransomware landscape, wherein malicious actors seek to exploit weaknesses in interconnected systems for maximum impact.CRIL's investigation into Ransomhub's activities reveals a concerning association with Initial Access Brokers (IABs) on Russian-language forums, indicating a sophisticated network for procuring compromised access to victims' networks. Such alliances highligh the need for heightened vigilance and proactive defense mechanisms to thwart potential breaches.
Precautions Against Industrial Control Systems (ICS) Ransomware Attack
Recent ransomware attacks, like the one orchestrated by Ransomhub on Industrial Control Systems (ICS), highlight the pressing need for organizations to fortify their cybersecurity defenses. Key recommendations include implementing robust network segmentation to reduce exposure to external threats and ensuring regular software updates through patch management protocols. Secure remote access, facilitated by methods like Virtual Private Networks (VPNs), coupled with diligent monitoring of network logs, aids in early detection and response to potential breaches Furthermore, meticulous asset management practices, such as maintaining detailed inventories of OT/IT assets and deploying continuous monitoring solutions, enhance overall security posture. Developing and testing incident response plans are vital to minimize downtime and data loss in the event of a ransomware attack. The incident involving Ransomhub serves as a stark reminder of the escalating risks faced by ICS environments. Heightened awareness and proactive security measures are crucial to mitigate these threats and protect critical infrastructure from online cyber threats.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Source: krebsonsecurity.com – Author: BrianKrebs The homepage of Stark Industries Solutions. Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into […]
Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.
At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”
This graphic comes from a recent report from NETSCOUT about DDoS attacks from Russian hacktivist groups.
As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.
The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.
A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.
PROXY WARS
Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.
Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.
These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.
What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.
Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.
Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.
Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.
“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”
Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.
“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.
CLOUDY WITH A CHANCE OF BULLETS
Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.
“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,'” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”
Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.
Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.
“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”
But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.
“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”
MERCENARIES TEAM
Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.
Ivan Neculiti, as pictured on LinkedIn.
Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”
“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”
Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.
“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”
DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.
An ad for war.md, circa 2009.
Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.
DON CHICHO & DFYZ
The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.
Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.
DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.
Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.
The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.
Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.
Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.
Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.
Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.
“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.
Below is a mind map that shows the connections between the accounts mentioned above.
A mind map tracing the history of the user Dfyz. Click to enlarge.
Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”
“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Teamwrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”
The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.
“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.
“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”
Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.
PEACE HOSTING?
Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.
DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.
This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.
Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhsoting’s colocation customers.
“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”
“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”
In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.
Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.
Mr. Nesterenko took exception to a story on that report from The Record, which is owned by Recorded Future.
“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”
Recorded Future said they updated their story with comments from Mr. Neculiti, but that they stand by their reporting.
Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.
In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.
Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.
“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.
A February 2024 report from security firm ESETfound Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.
PEERING INTO THE VOID
A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).
Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.
A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.
Proxyline dot net.
Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.
Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.
EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.
Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, De. based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.
Image: Interisle Consulting.
A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.
The anti-spam organization SpamHausreports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.
It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).
For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”
A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.
Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.
According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute — ctinet[.]ru — is the seventh-oldest domain in the entire history of the Runet.
Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.
“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive relatively low number of complains to their networks. I never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”
Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.
The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.
Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.
“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”
On April 30, the security firm Malwarebytesexplored an extensive malware operation that targets corporate Internet users with malicious ads. Among the sites used as lures in that campaign were fake Wall Street Journal and CNN websites that told visitors they were required to install a WSJ or CNN-branded browser extension (malware). Malwarebytes found a domain name central to that operation was hosted at Internet addresses owned by Stark Industries.
The CyberNiggers hacker group plans to set up a new web domain of their own after they lost the ability to publicly communicate following the seizure of the BreachForums. The group on Tuesday shared intentions of taking forward the legacy of the leak forum and possibly creating a similar illicit forum of their own. Initially active on ShinyHunter's BreachForums, CyberNiggers members have been using various platforms for coordination, including a Telegram channel known as 'Jacuzzi'. However, with the recent seizure of BreachForums by the FBI, the group is evolving its strategies and contemplating the launch of a new forum to address the void left by the closure of BreachForums.
The Aftermath of the BreachForums Seizure
The seizure of BreachForums by the FBI marks a significant development in the ongoing battle against cybercrime. The platform used by ransomware criminals to sell stolen corporate data has now been brought under law enforcement scrutiny. With potential access to sensitive data such as email addresses, IP addresses, and private messages, law enforcement agencies aim to expose and investigate members involved in criminal activities associated with the cybercriminal forum.The FBI's appeal to victims and individuals for information highlights the gravity of the situation, seeking cooperation from the public to aid in their investigations. Dedicated channels have been established for reporting, including email, Telegram, TOX, and a page on the FBI’s Internet Crime Complaint Center (IC3) portal.Despite debates surrounding the forum's status as a potential HoneyPot, CyberNiggers' activities have transcended speculation. Notably, the group gained attention for allegedly offering General Electrics data for sale towards the end of 2023, showcasing their capacity to target critical entities, particularly in the US.
CyberNiggers Takes Aim at Numerous Targets Within a Short Span
Although the CyberNiggers group is perceived as a relatively small group, their impact cannot be underestimated. Operating within BreachForums, they have attracted the attention of global surveillance agencies, including Five-Eyes. A prominent figure within the group, the Serbian hacker IntelBroker, has assumed a pivotal role, taking many data breaches under his name. The leaked data and cyberattacks claimed by the hacker group pose multifaceted risks to targeted organizations and individuals alike. Potential consequences encompass reputational damage, financial losses, and legal repercussions. Moreover, the exposure of sensitive data, such as military files, highlights the broader national security implications of CyberNiggers' activities.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Mr. Trump has treated Trump Media, which runs his social network Truth Social, as a low-cost sideshow. Now a big portion of his wealth hinges on its success.
The Medusa ransomware group has allegedly claimed a cyberattack on Comwave, a Canadian communications giant. The ransomware actors listed Comwave as its latest victim after a likely attack on May 18, which targeted critical information contained on the company's customer database.Comwave Networks Inc., claims to be the largest independent communications company in Canada and is renowned for providing internet, network security solutions, and customer support services. Based in the Toronto district of North York and run by president and CEO Yuval Barzakay, Comwave was established in 1999 and serves across Canada. The company also provides some wholesale services in the United States. In 2023, Comwave was acquired by Rogers Communications.
Medusa ransomware actors claimed infiltrating Comwave's systems, and exfiltrating a nearly 274.8 gigabytes of sensitive data.
Comwave Cyberattack Allegedly Targets Sensitive Data
[caption id="attachment_69372" align="alignnone" width="1381"] Source: Dark Web[/caption]
Among the information exfiltrated are scanned copies of various personal documents - likely belonging to its customers - such as driving licenses, birth certificates, identity cards, passports, invoices, screenshots of email correspondence, and an internal Excel database.The Medusa ransomware group has issued a deadline, giving Comwave nine days to comply with their demands, failing which they threatened to publicly release the compromised data. The severity of the situation cannot be overstated, with implications reaching far beyond Comwave Networks Inc. itself.As a leading player in Canada's telecommunications, the cyberattack on Comwave potentially impacts hundreds of thousands of users in 1,100 Canadian and 1,600 U.S. cities that use their services. The Cyber Express has tried reaching out to the organization to learn more about this Comwave Networks cyberattack. However, due to communication issues, contact was not possible, leaving the claims for the Comwave Networks cyberattack unverified.
Who is the Medusa Ransomware Group?
The operational status of Comwave's website appears unaffected, suggesting that the attack may have targeted backend systems rather than launching a frontal assault. This modus operandi aligns with Medusa's established tactics, which often involve exploiting vulnerable Remote Desktop Protocols (RDP) and deploying deceptive phishing campaigns. By utilizing PowerShell for command execution and systematically erasing shadow copy backups, Medusa disrupts data restoration efforts, leaving victims in a precarious position.The Medusa ransomware, which first emerged in June 2021, has grown increasingly audacious over time. Its latest iteration, marked by the creation of the "Medusa Blog," serves as a repository for data leaked from non-compliant victims. Operating within the dark recesses of the internet, Medusa's TOR website serves as a grim reminder of the far-reaching consequences of cybercrime.As organizations grapple with the fallout from cyberattacks like the one targeting Comwave Networks Inc., it becomes imperative to remain vigilant and implement stringent security measures. Detecting and mitigating the threat posed by Medusa and similar ransomware strains requires a concerted effort, one that extends beyond individual companies to encompass collaborative industry-wide initiatives.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Automakers in the United States and their supporters welcomed President Biden’s tariffs, saying they would protect domestic manufacturing and jobs from cheap Chinese vehicles.
REC Silicon says it will soon start shipping polysilicon, which has come mostly from China, reviving a Washington State factory that shut down in 2019.
REC Silicon is preparing to fulfill its first shipment of polysilicon granules, which are used in the production of solar panels, at its factory in Moses Lake, Wash.
This privacy reporter and her husband bought a Chevrolet Bolt in December. Two risk-profiling companies had been getting detailed data about their driving ever since.
Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.
KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him Doug.
Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were Ian Lee, from Signum Capital, a well-established investment firm based in Singapore. The profile also linked to Mr. Lee’s Twitter/X account, which features the same profile image.
The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.
When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.
Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.
“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”
Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.
It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.
In a post to its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.
The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding he’d been tricked — backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.
But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers.
“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”
Image: SlowMist.
SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.
“Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”
SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed “BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group.
“A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.
The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from Recorded Future finds the Lazarus Group has stolen approximately $3 billion in cryptocurrency over the past six years.
While there is still far more malware out there today targeting Microsoft Windows PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. MacOS computers include X-Protect, Apple’s built-in antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade X-Protect.
“Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,” security firm SentinelOne wrote in January.
According to Chris Ueland from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163,149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for Cryptowave Capital (cryptowave[.]capital).
In a statement shared with KrebsOnSecurity, Calendly said it was aware of these types of social engineering attacks by cryptocurrency hackers.
“To help prevent these kinds of attacks, our security team and partners have implemented a service to automatically detect fraud and impersonations that could lead to social engineering,” the company said. “We are also actively scanning content for all our customers to catch these types of malicious links and to prevent hackers earlier on. Additionally, we intend to add an interstitial page warning users before they’re redirected away from Calendly to other websites. Along with the steps we’ve taken, we recommend users stay vigilant by keeping their software secure with running the latest updates and verifying suspicious links through tools like VirusTotal to alert them of possible malware. We are continuously strengthening the cybersecurity of our platform to protect our customers.”
The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.
As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: If you didn’t go looking for it, don’t install it. Following this mantra heads off a great deal of malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.
On that last front, I’ve found it’s a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements before choosing to install updates.
Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Lee’s real account on Twitter/X or contacted Signum Capital directly, he would discovered that the real Mr. Lee never asked for a meeting.
If you’re approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.
Login
Cybersecurity News and Magazine
Security Boulevard
The Kingston Whig-Standard
CISO2CISO.COM & CYBER SECURITY GROUP
