Normal view
-
Cybersecurity News and Magazine
- AridSpy Malware Targets Android Users in Middle East: Messaging Apps Used to Spread Spyware
Ethical banking in the UK: how to put your everyday account to good use
With spotlight on investments behind banks, we ask whether three top providers still offer a good deal
Protests outside Barclays branches and the recent arguments over Baillie Gifford’s sponsorship of book festivals have put the spotlight on the investments behind big banking institutions. For most people, choosing an ethical home for their current account will be the easiest way to ensure their money is being used in an environmentally friendly or socially responsible way.
The consumer group Which? names three “eco providers” for current accounts: the Co-operative Bank, Nationwide building society and Triodos Bank. These three also do well on the green money website MotherTree, which has ranked major UK banks on how much £10,000 in a current account contributes in carbon emissions. At the bottom of its table – so therefore the winner – is Triodos, followed by the Co-op Bank and then Nationwide.
Continue reading...© Photograph: BrianAJackson/Getty Images/iStockphoto
© Photograph: BrianAJackson/Getty Images/iStockphoto
-
Cybersecurity News and Magazine
- CyberDragon Hacking Group Shuts Down Multiple South Korean Sites for Support, Aid to Ukraine
CyberDragon Hacking Group Shuts Down Multiple South Korean Sites for Support, Aid to Ukraine
Government, Financial Sites Attacked by CyberDragon Hacking Group
Irked by its support being garnered against Russia, CyberDragon launched an extensive cyberattack on key South Korean sites and criticized the country for its alleged promotion of Russophobia.![CyberDragon](../themes/icons/grey.gif)
![CyberDragon Hacking Group](../themes/icons/grey.gif)
Previous Operations by CyberDragon Hacking Group
The CyberDragon group gained popularity after it took down the website and app for almost 24 hours after a massive data breach in March 2024. CyberDragon had then posted evidence of the attack on its TOR platform but LinkedIn didn’t comment on the attack. The peculiar hacking actor has both Chinese and Russian ties. It carries out cyberattacks with many pro-Russian hackers and most of its statements are posted in Russian. Both China and Russia are global allies and the targets of CyberDragon indicate their ideological and political affiliations. This scenario is, however, not new in the cybercrime world. Organizations around the world must deal with the fallout of cyberattacks by groups like CyberDragon. Their attacks indicate why it is crucial to remain vigilant and implement stringent security measures against cyberattacks.-
Cybersecurity News and Magazine
- Monti Ransomware Sold! New Owners Claims Interesting Things in the Future
Monti Ransomware Sold! New Owners Claims Interesting Things in the Future
Monti Ransomware Group and Change in Ownership
[caption id="attachment_76870" align="alignnone" width="938"]![Monti ransomware](../themes/icons/grey.gif)
A Deeper Dive into Monti Ransomware Group
A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath. Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities. As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- Ukraine National Police Arrest Conti and LockBit Ransomware Cryptor Developer
Ukraine National Police Arrest Conti and LockBit Ransomware Cryptor Developer
Cryptor Developer Worked with Conti, LockBit
Ukraine cyber police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"]![Ukraine ransomware arrest seized items](../themes/icons/grey.gif)
LockBit Remains Active Despite Repeated Enforcement Activities
The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”-
Cybersecurity News and Magazine
- Medusa Ransomware Group Claims Cyberattack on Organizations in USA, Canada
Medusa Ransomware Group Claims Cyberattack on Organizations in USA, Canada
MEDUSA Ransomware Attack: The Latest Victims
GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days.![MEDUSA Ransomware Group](../themes/icons/grey.gif)
Background of MEDUSA Ransomware Group
MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.Previous Ransomware Attacks
Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services. In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- Findlay Automotive Hit by Cybersecurity Attack, Investigation Ongoing
Findlay Automotive Hit by Cybersecurity Attack, Investigation Ongoing
![Findlay Automotive cybersecurity issue](../themes/icons/grey.gif)
Operational Impact of Findlay Automotive Cybersecurity Issue
Despite the restrictions imposed by the Findlay Automotive cybersecurity issue, all dealership locations remain open. Customers with vehicles currently in service are encouraged to visit or contact their respective service departments directly for assistance from Findlay’s dedicated staff. "At Findlay Automotive, we have been serving our communities with pride and integrity since 1961," reads the company’s Facebook Post. "We take our responsibility to our customers and the community very seriously. We will continue to provide updates as the investigation continues and more information becomes available.” The urgency and gravity of the situation are highlighted by recent trends in cybersecurity, particularly the rising threat of ransomware attacks in the industrial sector.Rising Cyber Threats in the Industrial Sector
In 2019, industrial companies faced significant financial burdens due to ransomware, collectively paying out $6.9 million, which accounted for 62% of the total $11 million spent on ransomware that year. Despite representing only 18% of ransomware cases, the manufacturing sector bore the brunt of the financial impact. By 2020, the cross-industry cost of ransomware had escalated to a staggering $20 billion. Gartner, a research firm, has projected that by 2023, the financial repercussions of cyberattacks on industrial systems, including potential fatal casualties, could exceed $50 billion. The automotive sector, in particular, has become a prime target for cybercriminals. As these threats intensify, paying ransoms become increasingly weak, emphasizing the necessity of enhanced cybersecurity measures to protect assets. The recent Volkswagen incident exemplifies the magnitude of these threats. In April 2024, Volkswagen faced a cyberattack, suspected to originate from Chinese hackers. The breach exposed sensitive data, including development plans for gasoline engines and critical information on e-mobility initiatives. Investigations by ZDF Frontal and “Der Spiegel” revealed more than 40 internal documents, highlighting the severity of the cyberattack. Similarly, in February 2024, Thyssenkrupp's automotive unit in Duisburg, Germany, experienced a cyberattack that disrupted production in its car parts division. Although no data theft or manipulation was detected, the company had to take several systems offline to prevent further unauthorized access, underlining the operational risks posed by such cyber incidents. Closer to home, Eagers Automotive Limited faced a cyber incident on December 27, 2023, leading to a temporary trading halt to address its continuous disclosure obligations. The company issued an apology to its customers for the inconvenience caused by the disruption, reflecting the broad and often immediate impact of cyberattacks on automotive businesses. Findlay Automotive’s proactive response to the current cybersecurity issue demonstrates its commitment to safeguarding its operations and customer trust. The company is maintaining open lines of communication with customers, providing regular updates as the investigation progresses and more information becomes available.Four major UK supermarkets accused of misleading ‘freshly baked’ bread claim
Real Bread Campaign makes trading standards complaint over marketing by Sainsbury’s, Tesco, Lidl and Co-op
They were the best thing since sliced bread. Supermarket bakeries, with their aroma of oven-hot goods, attracted customers who wanted a fresher product than the standard pre-packed offering.
But campaigners have cast doubt on just how fresh these baked goods are, with four big supermarkets accused of misleading claims and breaches of consumer protection regulations.
Continue reading...© Photograph: Tolga Akmen/EPA
© Photograph: Tolga Akmen/EPA
Rail firm FirstGroup plans to expand cut-price Lumo services
Train and bus group applies for more ‘open access’ services as government attempts to increase competition
The British transport operator FirstGroup has applied for two more “open access” services outside the main train operating contracts as the government attempts to increase competition on the rail network and cut fares.
Open access means the operator takes full commercial risk, running services on infrastructure owned by a third party, on a chosen route that is not subject to a rail franchise set by the Department for Transport.
Continue reading...© Photograph: David Parry/PA
© Photograph: David Parry/PA
-
Security Boulevard
- The Tolly Group Report Highlights SlashNext’s Gen AI-Powered Email Security Prowess
The Tolly Group Report Highlights SlashNext’s Gen AI-Powered Email Security Prowess
In the ever-evolving landscape of cyberthreats, email remains a prime target for malicious actors, with zero-hour Business Email Compromise (BEC) and advanced phishing attacks posing significant risks to organizations. A recent independent study by The Tolly Group, commissioned by SlashNext, highlights the company’s Gen AI powered Integrated Cloud Email Security (ICES) solution, demonstrating its superior […]
The post The Tolly Group Report Highlights SlashNext’s Gen AI-Powered Email Security Prowess first appeared on SlashNext.
The post The Tolly Group Report Highlights SlashNext’s Gen AI-Powered Email Security Prowess appeared first on Security Boulevard.
World’s top banks ‘greenwashing their role in destruction of the Amazon’
Institutions alleged to have given billions of dollars to oil and gas companies involved in projects that are harming the rainforests
Five of the world’s biggest banks are “greenwashing” their role in the destruction of the Amazon, according to a report that indicates that their environmental and social guidelines fail to cover more than 70% of the rainforest.
The institutions are alleged to have provided billions of dollars of finance to oil and gas companies involved in projects that are impacting the Amazon, destabilising the climate or impinging on the land and livelihoods of Indigenous peoples.
Continue reading...© Photograph: Bram Ebus/The Guardian
© Photograph: Bram Ebus/The Guardian
-
The Kingston Whig-Standard
- $25-million donation to Queen's will impact cancer research, treatment across Canada
$25-million donation to Queen's will impact cancer research, treatment across Canada
-
CISO2CISO.COM & CYBER SECURITY GROUP
- Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack – Source: www.databreachtoday.com
Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack – Source: www.databreachtoday.com
Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Patient Care, Including Transplants, Still Disrupted at London Hospitals, Clinics Marianne Kolbasuk McGee (HealthInfoSec) • June 7, 2024 Image: Synnovis A ransomware attack on a pathology services vendor earlier in the week continues to disrupt patient care, including transplants, […]
La entrada Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
-
Cybersecurity News and Magazine
- Akira Ransomware Group Claims Attack on Panasonic Australia; Singapore Tells Victims to Not Pay Ransom
Akira Ransomware Group Claims Attack on Panasonic Australia; Singapore Tells Victims to Not Pay Ransom
Akira Ransomware Group Attack on Panasonic Australia
The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to verify the authenticity of the breach claims. The potential impact of the breach on Panasonic Australia is unknown but could present a serious liability for the confidentiality of the company's stolen documents.Cyber Security Agency of Singapore Issues Advisory
Singapore's Cyber Security Agency (CSA) along with the country's Personal Data Protection Commission (PDPC) issued an advisory to organizations instructing them to report Akira ransomware attacks to respective authorities rather than paying ransom demands. The advisory was released shortly after an Akira ransomware group attack on the Shook Lin & Bok law firm. While the firm still continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. The Akira ransomware group had demanded a ransom of US$2 million from the law firm earlier, which was then negotiated down after a week, according to the SuspectFile article. The Cyber Security Agency of Singapore (CSA) stated that it was aware of the incident and offered assistance to the law firm. However, it cautioned against similar payments from other affected victims. "Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims." The Singaporean authorities offered a number of recommendations to organizations:- Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
- Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
- Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
- Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
- Migrate from unsupported applications to newer alternatives.
- Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
- Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
- Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
- Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.
-
Cybersecurity News and Magazine
- Sen. Wyden Urges HHS to Raise Cybersecurity Standards for Healthcare Sector
Sen. Wyden Urges HHS to Raise Cybersecurity Standards for Healthcare Sector
“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” - Wyden.He stated that the sub-par cybersecurity standards have allowed hackers to steal patient information and disrupt healthcare services, which has caused “actual harm to patient health.”
MFA Could Have Stopped Change Healthcare Attack
The call from Wyden comes on the back of the ransomware attack on Change Healthcare — a subsidiary of UnitedHealth Group — which, according to its Chief Executive Officer Andrew Witty, could have been prevented with the basic cybersecurity measure of Multi-Factor Authentication (MFA). The lack of MFA on a Citrix remote access portal account that Change Healthcare used proved to be a key vulnerability that allowed attackers to gain initial access using compromised credentials, Witty told the Senate Committee on Finance in a May 1 hearing.“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history.” - WydenThe use of MFA is a fundamental cybersecurity practice that HHS should mandate for all healthcare organizations, Wyden argued. He called for the implementation of broader minimum and mandatory technical cybersecurity standards, particularly for critical infrastructure entities that are designated as "systemically important entities" (SIE) by the U.S. Cybersecurity and Infrastructure Security Agency. “These technical standards should address how organizations protect electronic information and ensure the healthcare system’s resiliency by maintaining critical functions, including access to medical records and the provision of medical care,” Wyden noted. He suggested that HHS enforce these standards by requiring Medicare program participants to comply.
Wyden’s Proposed Cybersecurity Measures for HHS
Wyden said HHS should mandate a range of cybersecurity measures as a result of the attack. “HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily-preventable cyberattacks,” Wyden argued. The Democratic senator proposed several measures to enhance cybersecurity in the healthcare sector, including:- Mandatory Minimum Standards: Establish mandatory cybersecurity standards, including MFA, for critical healthcare infrastructure.
- Rapid Recovery Capabilities: Ensure that organizations can rebuild their IT infrastructure within 48 to 72 hours following an attack.
- Regular Audits: Conduct regular audits of healthcare organizations to assess and improve their cybersecurity practices.
- Technical Assistance: Provide technical security support to healthcare providers.
The State of Ransomware in Healthcare
The healthcare sector was the most common ransomware target among all critical infrastructure sectors, according to FBI’s Internet Crime Report 2023. The number of attacks and individuals impacted have grown exponentially over the last three years. [caption id="attachment_75474" align="aligncenter" width="1024"]![Healthcare ransomware attacks](../themes/icons/grey.gif)
“In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.” - EmsisoftA study from McGlave, Neprash, and Nikpay from the University of Minnesota School of Public Health found that in a five-year period starting in 2016, ransomware attacks likely killed between 42 and 67 Medicare patients. Their study further observed a decrease in hospital volume and services by 17-25% during the week following a ransomware attack that not only hit revenue but also increased in-hospital mortality among patients who were already admitted at the time of attack.
HHS Cybersecurity Response
HHS announced in December plans to update its cybersecurity regulations for the healthcare sector for the first time in 21 years. These updates would include voluntary cybersecurity performance goals and efforts to improve accountability and coordination. The Healthcare and Public Health Sector Coordinating Council also unveiled a five-year Health Industry Cybersecurity Strategic Plan in April, which recommends 10 cybersecurity goals to be implemented by 2029. Wyden acknowledged and credited the latest reform initiatives from HHS and the HSCC, but remains concerned about the lengthy implementation timeline, which he said requires urgency when it comes to the healthcare sector. The latest letter follows Wyden’s request last week to the SEC and FTC to investigate for any negligence in cybersecurity practices of UnitedHealth Group. HHS is currently investigating the potential UHG breach that resulted in the exposure of protected health information of hundreds of thousands of Americans.Akira Ransomware Claims Cyberattack on German Manufacturer E-T-A
![Akira ransomware group](../themes/icons/grey.gif)
Akira Ransomware: Previous Track Record
The Akira ransomware gang has arisen as a danger to small and medium-sized organizations (SMBs), mostly in Europe, North America, and Australia. The group uses advanced tactics to infiltrate systems, frequently acquiring illegal access to a company's virtual private networks (VPNs). Sophos X-Ops research shows that Akira often uses compromised login credentials or exploits weaknesses in VPN technologies such as Cisco ASA SSL VPN or Cisco AnyConnect. Recently, in May 2024, Akira targeted Western Dovetail, a well-known woodworking shop. In April 2024, Akira was identified as the gang responsible for a series of cyberattacks against businesses and key infrastructure in North America, Europe, and Australia. According to the US Federal Bureau of Investigation (FBI), Akira has hacked over 250 firms since March 2023, collecting roughly $42 million in ransom payments. Initially, Akira's attacks targeted Windows systems. However, the gang has since broadened its tactics to include Linux computers, causing anxiety among international cybersecurity agencies. These cyberattacks show Akira's strategy of targeting a wide range of industries and businesses of all sizes, frequently resulting in major operational interruptions and financial losses. As it stands, the Akira ransomware group's claims against E-T-A Cyberattack are unsubstantiated. The lack of an official response from the company creates a vacuum in the confirmation of these claims. While the company's website is still operational, signaling no immediate disruption, a data breach might have serious consequences, compromising client confidentiality, financial integrity, and employee privacy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- Andariel APT Using DoraRAT and Nestdoor Malware to Spy on South Korean Businesses
Andariel APT Using DoraRAT and Nestdoor Malware to Spy on South Korean Businesses
![Andariel APT](../themes/icons/grey.gif)
Malware Used by Andariel APT in this Campaign
The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.Additional Malware Strains
- Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
- Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
- Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.
IoCs to Watch for Signs of Andariel APT Attacks
IoCs to monitor for attacks from Andariel APT group include: MD5s – 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe) – a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe) – e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe) – 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll) – 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe) – 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe) – fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll) – afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll) – d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe) – 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe) – 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe) – 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe) – 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe) C&Cs – 45.58.159[.]237:443: Nestdoor – Recent attack case – 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case – 209.127.19[.]223:443: Nestdoor – OpenVPN attack case – kmobile.bestunif[.]com:443 – Dora RAT – 206.72.205[.]117:443 – Dora RAT-
Cybersecurity News and Magazine
- UnitedHealth’s Leadership Criticized by Senator Wyden for Appointment of Underqualified CISO
UnitedHealth’s Leadership Criticized by Senator Wyden for Appointment of Underqualified CISO
![Cybetattack on Change Healthcare](../themes/icons/grey.gif)
Broader Context of Cyberattack on Change Healthcare
At the heart of the criticism is the appointment of a Chief Information Security Officer (CISO) who had no prior full-time experience in cybersecurity before assuming the role in June 2023. This, according to Wyden, epitomizes the corporate negligence that has placed countless stakeholders at risk. Wyden argues that Martin's appointment exemplifies a broader pattern of poor decision-making by UHG’s senior executives and board of directors, who should be held accountable for the company’s cybersecurity lapses. The comparison to SolarWinds is particularly telling. The SolarWinds incident exposed vulnerabilities in software supply chains, leading to widespread consequences across multiple sectors. Similarly, UHG's data breach, if proven to result from preventable lapses, highlights the critical need for stringent cybersecurity practices in healthcare, an industry that handles sensitive personal and medical data.The Incident and Initial Reactions
The incident in question involved hackers exploiting a remote access server at Change Healthcare, which lacked multi-factor authentication (MFA). This basic cybersecurity lapse allowed the attackers to gain an initial foothold, leading to a ransomware infection that crippled UHG’s operations. During testimony before the Senate Finance Committee on May 1, 2024, UHG CEO Andrew Witty admitted that the company’s MFA policy was not uniformly implemented across all external servers. Witty's revelations highlighted a broader issue of inadequate cybersecurity defenses at UHG, despite the industry's reliance on MFA as a fundamental safeguard.Industry Standards and Regulatory Expectations
Wyden’s letter points out that the Federal Trade Commission (FTC) has mandated MFA for financial services companies under the Safeguards Rule and has enforced its use in cases against companies like Drizly and Chegg. These precedents establish MFA as a non-negotiable standard for protecting consumer data. UHG's failure to implement this basic security measure on all its servers is a glaring oversight, suggesting a disconnect between its stated policies and actual practices. Moreover, Wyden highlights the necessity of multiple lines of defense in cybersecurity. The fact that hackers could escalate their access from one compromised server to the entire network indicates a lack of network segmentation and other best practices designed to contain breaches. This deficiency exacerbates the initial failure to secure remote access points.Consequences and Broader Implications
The implications of UHG’s cybersecurity failures are profound. The immediate aftermath saw significant disruptions, with some of UHG's systems taking weeks to restore. Witty admitted that while cloud-based systems were quickly recovered, many critical services running on UHG's own servers were not engineered for rapid restoration. This lack of resilience in UHG’s infrastructure planning highlights a failure to anticipate and mitigate the risk of ransomware attacks, a known and escalating threat. Wyden’s letter also addresses the financial fallout. UHG has already estimated the breach's cost at over a billion dollars, reflecting the significant economic impact of the cyberattack. This financial burden, coupled with negative media coverage, exposes UHG to substantial political and market risks. The case echoes the SEC’s stance in the SolarWinds case, where cybersecurity practices were deemed crucial for investor decisions. Investors in UHG would similarly consider enhanced cybersecurity practices essential, given the potential for massive breaches to affect stock value and company reputation.Accountability and Regulatory Action
Senator Wyden calls for the FTC and SEC to investigate UHG’s cybersecurity and technology practices, aiming to determine if any federal laws were violated and to hold senior officials accountable. This push for accountability highlights the role of corporate governance in cybersecurity. The Audit and Finance Committee of UHG’s board, responsible for overseeing cybersecurity risks, is criticized for its apparent failure to fulfill its duties. Wyden suggests that the board's lack of cybersecurity expertise likely contributed to the oversight failures, a critical point in an era where cybersecurity threats are increasingly sophisticated and pervasive.-
Cybersecurity News and Magazine
- NoName Ransomware Claims Cyberattacks on Spain and Germany, But Evidence Unclear
NoName Ransomware Claims Cyberattacks on Spain and Germany, But Evidence Unclear
![NoName Ransomware](../themes/icons/grey.gif)
![NoName Ransomware](../themes/icons/grey.gif)
![NoName Targeting Spain and Germany](../themes/icons/grey.gif)
![NoName Targeting Spain and Germany](../themes/icons/grey.gif)
Historical Context of NoName Ransomware Cyber Activities
This isn’t the first instance of NoName targeting prominent organizations. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks.Implications and the Need for Vigilance
The sophistication and scale of NoName ransomware operations, combined with their apparent political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The rising frequency of cyberattacks targeting governmental institutions across Europe demands a coordinated response from both national and international cybersecurity agencies. If NoName's recent claims about targeting Spain and Germany are proven true, the implications could be far-reaching. Cyberattacks on such critical institutions could disrupt governmental functions, compromise sensitive data, and undermine public trust. However, any definitive conclusions must await official statements from the allegedly targeted companies in Spain and Germany. The alleged ongoing cyberattacks by NoName ransomware serve as a reminder of the persistent and evolving threat landscape. As the investigation continues, the cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- CL0P Ransomware Targets Financial Cooperative Unicred, Exfiltrating Sensitive Documents
CL0P Ransomware Targets Financial Cooperative Unicred, Exfiltrating Sensitive Documents
![Unicred Cyberatatck](../themes/icons/grey.gif)
![CL0P Ransomware](../themes/icons/grey.gif)
![cyberattack on Unicred](../themes/icons/grey.gif)
Potential Impact of the Alleged Unicred Cyberattack
Should the CL0P ransomware group's claim of a Unicred cyberattack be validated, the repercussions could be substantial for both Unicred and its customers. Ransomware attacks typically involve not only the exfiltration of sensitive data but also the potential for that data to be publicly released or sold, leading to severe privacy breaches and financial loss. Given Unicred's role in handling significant financial transactions and sensitive customer information, a confirmed Unicred cyberattack could undermine customer trust, disrupt business operations, and result in regulatory scrutiny and potential fines. The exposure of financial documents and personal data could also lead to identity theft and financial fraud, posing a serious threat to the affected individuals.CL0P Ransomware Notorious Track Record
The CL0P ransomware group has a well-documented history of targeting high-profile organizations. Earlier this month, the group listed three new victims on its leak site: McKinley Packing, Pilot, and Pinnacle Engineering Group. In January 2024, CL0P claimed responsibility for compromising S&A Law Offices, a prominent India-based firm specializing in litigation services and intellectual property rights. The cybercriminals posted sensitive employee details, including phone numbers, addresses, vehicle numbers, PAN card details, internal communications, and other personally identifiable information (PII) as proof of the breach. In 2023, the CL0P group was behind a series of significant data breaches exploiting the MOVEit vulnerability. This widespread campaign led the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint cybersecurity advisory. The advisory disseminated Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with CL0P's operations, emphasizing the group's threat to organizations across various sectors.Conclusion
The alleged cyberattack on Cooperativa de Crédito y Vivienda Unicred Limitada by the CL0P ransomware group highlights the ongoing and evolving threat landscape in the digital age. While the claims remain unverified, the potential impact on Unicred and its customers is a reminder of the importance of cybersecurity vigilance. As CL0P continues to target high-profile entities, organizations must prioritize cybersecurity to protect their data, maintain customer trust, and ensure business continuity. As this situation develops, further verification and responses from Unicred will be crucial in determining the full extent of the impact and the measures needed to address it. Meanwhile, the cybersecurity community must remain vigilant and proactive in countering the ever-present threat of ransomware attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- 7 New Pegasus Infections Found on Media and Activists’ Devices in the EU
7 New Pegasus Infections Found on Media and Activists’ Devices in the EU
Threats Against Critics of Russian and Belarusian Regimes
In September 2023, Citizen Lab and Access Now reported the hacking of exiled Russian journalist Galina Timchenko, CEO and publisher of Meduza, with Pegasus spyware. Building on these findings, the investigation, in collaboration with digital security expert Nikolai Kvantiliani, now reveals the targeting of seven additional Russian and Belarusian-speaking civil society members and journalists. Many of these individuals, living in exile, have vocally criticized the Russian government, including its invasion of Ukraine, and have faced severe threats from Russian and Belarusian state security services. Critics of the Russian and Belarusian governments typically face intense retaliation, including surveillance, detention, violence, and hacking. The repression has escalated following Russia’s 2022 invasion of Ukraine, with laws severely curtailing the operations of media and civil society organizations. An example of this is the Russian government designating the Munk School of Global Affairs & Public Policy at the University of Toronto, home to the Citizen Lab, as an “Undesirable Organization,” in March 2024. Many opposition activists and independent media groups have relocated abroad to continue their work. Despite the geographic distance, these exiled communities face ongoing threats, including violent attacks, surveillance, and digital risks. For instance, Meduza reported a significant Distributed Denial of Service (DDoS) attack on their website during Russia’s 2024 presidential elections.Investigation Confirmed Pegasus Spyware Targeting
The investigation confirmed that the following individuals were targeted or infected with Pegasus spyware. Their names are published with their consent. [caption id="attachment_73182" align="aligncenter" width="1532"]![Pegasus Spyware, New Pegasus Spyware Infections, Latest Pegasus Spyware Infections](../themes/icons/grey.gif)
![Pegasus Spyware](../themes/icons/grey.gif)
Concerns Over Digital Transnational Repression
This pattern of targeting raises serious concerns about the legality and proportionality of such actions under international human rights law. The attacks occurred in Europe, where the targeted individuals sought safety, prompting questions about host states’ obligations to prevent and respond to these human rights violations. The ongoing investigation highlights the persistent threats faced by exiled Russian and Belarusian journalists and activists. As digital transnational repression continues, it underscores the urgent need for robust international measures to protect freedom of expression and privacy for these vulnerable groups.“Access Now [urged] governments to establish an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses.”Apple recently issued notifications to users in more than 90 countries alerting them of possible mercenary spyware attacks. The tech giant replaced the term "state-sponsored" in its alerts with "mercenary spyware attacks," drawing global attention. Previously, Apple used "state-sponsored" for malware threats, but now it highlights threats from hacker groups. Apple noted that while these attacks were historically linked to state actors and private entities like the NSO Group’s Pegasus, the new term covers a broader range of threats.
-
Cybersecurity News and Magazine
- Family-Owned Woodworking Company Western Dovetail Hit by Akira Ransomware Attack
Family-Owned Woodworking Company Western Dovetail Hit by Akira Ransomware Attack
Western Dovetail Cyberattack: Verification Efforts and Official Response
Despite this disclosure, Akira has remained tight-lipped about their motives behind targeting Western Dovetail. Upon investigating Western Dovetail's official website, no signs of foul play were immediately evident, as the website appeared to be fully functional. To corroborate further, The Cyber Express Team reached out to Western Dovetail officials for comment. However, at the time of compiling this report, no official response had been received, leaving the claim of the Western Dovetail data breach unverified. [caption id="attachment_72947" align="aligncenter" width="850"]![Akira ransomware](../themes/icons/grey.gif)
Akira Ransomware Trail of Cyber Destruction
The latest cyberattack on Western Dovetail adds to a growing list of cyber onslaughts orchestrated by the Akira ransomware group. In April 2024, the group was identified as the mastermind behind a series of devastating cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia. According to the U.S. Federal Bureau of Investigation (FBI), Akira has breached over 250 organizations since March 2023, raking in a staggering $42 million in ransom payments. Initially focusing on Windows systems, Akira has expanded its tactics to include Linux variants, raising alarm bells among global cybersecurity agencies. Before targeting Western Dovetail, the ransomware group had set its sights on prominent entities such as DENHAM the Jeanmaker, a renowned denim brand based in Amsterdam, and TeraGo, a Canada-based provider of secure cloud services and business-grade internet solutions.Conclusion and Awaited Response
In the wake of the Western Dovetail cyberattack, the cybersecurity landscape remains fraught with uncertainty. While the company's official response is eagerly awaited, the incident serves as a reminder of the ever-present threat posed by cybercriminals. As organizations strive to protect themselves against such cyberattacks, collaboration between cybersecurity experts, law enforcement agencies, and affected entities becomes increasingly crucial in combating the pervasive menace of ransomware. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- Russian Cyber Army Claims Alleged Cyberattack on Bulgarian Ports Infrastructure Company
Russian Cyber Army Claims Alleged Cyberattack on Bulgarian Ports Infrastructure Company
Russian Cyber Army Assets Bulgarian Ports Infrastructure Company Cyberattack
Contrary to typical cyberattacks that result in website defacements or distributed denial-of-service (DDoS) disruptions, the purported assault by the Russian Cyber Army appears to have had minimal impact, if any, on the targeted website's operations. This suggests a potentially brief and ineffective attack, diverging from the more disruptive tactics commonly associated with cyber warfare. [caption id="attachment_70364" align="alignnone" width="462"]![Bulgarian Ports Infrastructure Company Cyberattack](../themes/icons/grey.gif)
Who is the Russian Cyber Army Hacker Group?
While the Russian Cyber Army portrays itself as a formidable force in the information warfare arena, experts caution against overestimating its influence, suggesting that the group's actions may primarily serve to bolster nationalist sentiments domestically rather than exert significant influence abroad. Moreover, the group's exposure by cybersecurity firms and government agencies highlights its emergence as a noteworthy entity on the global stage. Despite the hype surrounding the Russian Cyber Army's activities, analysts warn against succumbing to fear-mongering tactics, emphasizing the need for measured responses to cyber threats. As for the Bulgarian Ports Infrastructure Company cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Bulgarian Ports Infrastructure Company cyberattack or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- Ransomhub’s Latest Attack Raises Alarms for Industrial Control Systems (ICS) Security
Ransomhub’s Latest Attack Raises Alarms for Industrial Control Systems (ICS) Security
Ransomhub Group Targets Industrial Control Systems (ICS)
[caption id="attachment_69992" align="alignnone" width="811"]![Ransomhub group](../themes/icons/grey.gif)
![Ransomhub group](../themes/icons/grey.gif)
Precautions Against Industrial Control Systems (ICS) Ransomware Attack
Recent ransomware attacks, like the one orchestrated by Ransomhub on Industrial Control Systems (ICS), highlight the pressing need for organizations to fortify their cybersecurity defenses. Key recommendations include implementing robust network segmentation to reduce exposure to external threats and ensuring regular software updates through patch management protocols. Secure remote access, facilitated by methods like Virtual Private Networks (VPNs), coupled with diligent monitoring of network logs, aids in early detection and response to potential breaches Furthermore, meticulous asset management practices, such as maintaining detailed inventories of OT/IT assets and deploying continuous monitoring solutions, enhance overall security posture. Developing and testing incident response plans are vital to minimize downtime and data loss in the event of a ransomware attack. The incident involving Ransomhub serves as a stark reminder of the escalating risks faced by ICS environments. Heightened awareness and proactive security measures are crucial to mitigate these threats and protect critical infrastructure from online cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
CISO2CISO.COM & CYBER SECURITY GROUP
- Stark Industries Solutions: An Iron Hammer in the Cloud – Source: krebsonsecurity.com
Stark Industries Solutions: An Iron Hammer in the Cloud – Source: krebsonsecurity.com
Source: krebsonsecurity.com – Author: BrianKrebs The homepage of Stark Industries Solutions. Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into […]
La entrada Stark Industries Solutions: An Iron Hammer in the Cloud – Source: krebsonsecurity.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Stark Industries Solutions: An Iron Hammer in the Cloud
![](../themes/icons/grey.gif)
The homepage of Stark Industries Solutions.
Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.
At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”
![](../themes/icons/grey.gif)
This graphic comes from a recent report from NETSCOUT about DDoS attacks from Russian hacktivist groups.
As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.
![](../themes/icons/grey.gif)
The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.
A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.
PROXY WARS
Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.
Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.
These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.
What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.
Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.
Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.
Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.
“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”
Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.
“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.
CLOUDY WITH A CHANCE OF BULLETS
Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.
“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,'” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”
Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.
Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.
“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”
But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.
“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”
MERCENARIES TEAM
Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.
![](../themes/icons/grey.gif)
Ivan Neculiti, as pictured on LinkedIn.
Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”
“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”
Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.
“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”
DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.
![](../themes/icons/grey.gif)
An ad for war.md, circa 2009.
Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.
DON CHICHO & DFYZ
The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.
Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.
DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.
Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.
The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.
Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.
Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.
Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.
Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.
“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.
Below is a mind map that shows the connections between the accounts mentioned above.
Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”
“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”
CORRECTIV ACTION
The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.
The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.
“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.
“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”
Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.
PEACE HOSTING?
Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.
DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.
This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.
Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhsoting’s colocation customers.
“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”
“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”
In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.
Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.
Mr. Nesterenko took exception to a story on that report from The Record, which is owned by Recorded Future.
“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”
Recorded Future said they updated their story with comments from Mr. Neculiti, but that they stand by their reporting.
Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.
In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.
Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.
“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.
A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.
PEERING INTO THE VOID
A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).
Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.
A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.
![](../themes/icons/grey.gif)
Proxyline dot net.
Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.
Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.
EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.
Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, De. based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.
![](../themes/icons/grey.gif)
Image: Interisle Consulting.
A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.
The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.
It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).
For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”
A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.
Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.
According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute — ctinet[.]ru — is the seventh-oldest domain in the entire history of the Runet.
Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.
“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive relatively low number of complains to their networks. I never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”
Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.
The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.
Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.
“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”
On April 30, the security firm Malwarebytes explored an extensive malware operation that targets corporate Internet users with malicious ads. Among the sites used as lures in that campaign were fake Wall Street Journal and CNN websites that told visitors they were required to install a WSJ or CNN-branded browser extension (malware). Malwarebytes found a domain name central to that operation was hosted at Internet addresses owned by Stark Industries.
![](../themes/icons/grey.gif)
Image: threatdown.com
-
Cybersecurity News and Magazine
- CyberNiggers Group Announces New Web Domain Following BreachForums Downfall
CyberNiggers Group Announces New Web Domain Following BreachForums Downfall
The Aftermath of the BreachForums Seizure
The seizure of BreachForums by the FBI marks a significant development in the ongoing battle against cybercrime. The platform used by ransomware criminals to sell stolen corporate data has now been brought under law enforcement scrutiny. With potential access to sensitive data such as email addresses, IP addresses, and private messages, law enforcement agencies aim to expose and investigate members involved in criminal activities associated with the cybercriminal forum. The FBI's appeal to victims and individuals for information highlights the gravity of the situation, seeking cooperation from the public to aid in their investigations. Dedicated channels have been established for reporting, including email, Telegram, TOX, and a page on the FBI’s Internet Crime Complaint Center (IC3) portal. Despite debates surrounding the forum's status as a potential HoneyPot, CyberNiggers' activities have transcended speculation. Notably, the group gained attention for allegedly offering General Electrics data for sale towards the end of 2023, showcasing their capacity to target critical entities, particularly in the US.CyberNiggers Takes Aim at Numerous Targets Within a Short Span
Although the CyberNiggers group is perceived as a relatively small group, their impact cannot be underestimated. Operating within BreachForums, they have attracted the attention of global surveillance agencies, including Five-Eyes. A prominent figure within the group, the Serbian hacker IntelBroker, has assumed a pivotal role, taking many data breaches under his name. The leaked data and cyberattacks claimed by the hacker group pose multifaceted risks to targeted organizations and individuals alike. Potential consequences encompass reputational damage, financial losses, and legal repercussions. Moreover, the exposure of sensitive data, such as military files, highlights the broader national security implications of CyberNiggers' activities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Donald Trump’s Wealth Now Hinges on Trump Media
© Mark Harris
-
Cybersecurity News and Magazine
- Comwave Networks Faces Alleged Cyberattack from Medusa Ransomware Group
Comwave Networks Faces Alleged Cyberattack from Medusa Ransomware Group
Comwave Cyberattack Allegedly Targets Sensitive Data
[caption id="attachment_69372" align="alignnone" width="1381"]![Comwave Cyberattack](../themes/icons/grey.gif)
Who is the Medusa Ransomware Group?
The operational status of Comwave's website appears unaffected, suggesting that the attack may have targeted backend systems rather than launching a frontal assault. This modus operandi aligns with Medusa's established tactics, which often involve exploiting vulnerable Remote Desktop Protocols (RDP) and deploying deceptive phishing campaigns. By utilizing PowerShell for command execution and systematically erasing shadow copy backups, Medusa disrupts data restoration efforts, leaving victims in a precarious position. The Medusa ransomware, which first emerged in June 2021, has grown increasingly audacious over time. Its latest iteration, marked by the creation of the "Medusa Blog," serves as a repository for data leaked from non-compliant victims. Operating within the dark recesses of the internet, Medusa's TOR website serves as a grim reminder of the far-reaching consequences of cybercrime. As organizations grapple with the fallout from cyberattacks like the one targeting Comwave Networks Inc., it becomes imperative to remain vigilant and implement stringent security measures. Detecting and mitigating the threat posed by Medusa and similar ransomware strains requires a concerted effort, one that extends beyond individual companies to encompass collaborative industry-wide initiatives. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Smartphones Can Now Last 7 Years. Here’s How to Keep Them Working.
© Derek Abella
Few Chinese Electric Cars Are Sold in U.S., but Industry Fears a Flood
© Aly Song/Reuters
Key Solar Panel Ingredient Is Made in the U.S.A. Again
© Ruth Fremson/The New York Times
How Pastor Chad Nedohin Helped Turn Trump Media Into a Meme Stock
© Amber Bracken for The New York Times
How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me)
© Cole Wilson for The New York Times
Calendar Meeting Links Used to Spread Mac Malware
Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.
KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him Doug.
Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were Ian Lee, from Signum Capital, a well-established investment firm based in Singapore. The profile also linked to Mr. Lee’s Twitter/X account, which features the same profile image.
The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.
When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.
Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.
“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”
Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.
It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.
In a post to its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.
The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding he’d been tricked — backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.
But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers.
“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”
![](../themes/icons/grey.gif)
Image: SlowMist.
SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.
“Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”
SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed “BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group.
“A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.
The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from Recorded Future finds the Lazarus Group has stolen approximately $3 billion in cryptocurrency over the past six years.
While there is still far more malware out there today targeting Microsoft Windows PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. MacOS computers include X-Protect, Apple’s built-in antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade X-Protect.
“Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,” security firm SentinelOne wrote in January.
According to Chris Ueland from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163,149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for Cryptowave Capital (cryptowave[.]capital).
In a statement shared with KrebsOnSecurity, Calendly said it was aware of these types of social engineering attacks by cryptocurrency hackers.
“To help prevent these kinds of attacks, our security team and partners have implemented a service to automatically detect fraud and impersonations that could lead to social engineering,” the company said. “We are also actively scanning content for all our customers to catch these types of malicious links and to prevent hackers earlier on. Additionally, we intend to add an interstitial page warning users before they’re redirected away from Calendly to other websites. Along with the steps we’ve taken, we recommend users stay vigilant by keeping their software secure with running the latest updates and verifying suspicious links through tools like VirusTotal to alert them of possible malware. We are continuously strengthening the cybersecurity of our platform to protect our customers.”
The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.
As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: If you didn’t go looking for it, don’t install it. Following this mantra heads off a great deal of malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.
On that last front, I’ve found it’s a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements before choosing to install updates.
Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Lee’s real account on Twitter/X or contacted Signum Capital directly, he would discovered that the real Mr. Lee never asked for a meeting.
If you’re approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.
![](../themes/icons/grey.gif)
Image: SlowMist.
Update: Added comment from Calendly.