The Hacker News - Cybersecurity News and Analysis: Cyber Crime

Everything We Learned From the LAPSUS$ Attacks

May 12, 2022 | The Hacker News
In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including T-Mobile (April 23, 2022), Globant, Okta, Ubisoft, Samsung, Nvidia, Microsoft, and Vodafone. In addition to these attacks, LAPSUS$ was also able to successfully launch a ransomware attack against the Brazilian Ministry of Health. While high-profile cyber-attacks are certainly nothing new, there are several things that make LAPSUS$ unique. The alleged mastermind of these attacks and several other alleged accomplices were all teenagers. Unlike more traditional ransomware gangs, LAPSUS$ has a very strong social media presence. The gang is best known for data exfiltration. It has stolen source code and other proprietary information and has often leaked this information on the Internet.

LAPSUS$ stolen credentials

In the case of Nvidia, for example, the attackers gained access to hundreds of gigabytes of proprietary data,
U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers

May 08, 2022 | Ravie Lakshmanan
The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang. Additionally, it's offering another $5 million for intelligence information that could help arrest or convict individuals who are conspiring or attempting to affiliate with the group in a ransomware attack. The department called the Conti variant the "costliest strain of ransomware ever documented." Conti, the work of a Russia-based transnational organized crime group dubbed Gold Ulrick, is one of the most prolific ransomware cartels that has continued to strike entities globally while simultaneously expanding its empire by absorbing TrickBot and running side hustles that involve data extortion. After the syndicate expressed public support for Russia's invasion of Ukraine in February, it suffered a major breach of its own after its source code and internal chats were released
Spanish Police Arrest SIM Swappers Who Stole Money from Victims Bank Accounts

February 14, 2022 | Ravie Lakshmanan
Spain's National Police Agency, the Policía Nacional, said last week it dismantled an unnamed cybercriminal organization and arrested eight individuals in connection with a series of SIM swapping attacks that were carried out with the goal of financial fraud. The suspects of the crime ring masqueraded as trustworthy representatives of banks and other organizations and used traditional phishing and smishing techniques to obtain personal information and bank data of victims before draining money from their accounts. "They usurped the identity of their victims through the falsification of official documents and tricked employees of telephone stores into getting the duplicate of SIM cards, cards where they received security confirmation messages from banks that allowed them to empty their victims' accounts," the authorities said. Seven of the arrests were made in Barcelona and one in Seville. As many as 12 bank accounts were frozen as part of the illicit operation.
140,000 Reasons Why Emotet is Piggybacking on TrickBot in its Return from the Dead

December 08, 2021 | Ravie Lakshmanan
The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were made to dismantle its infrastructure, even as the advanced Trojan is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021. Most of the victims detected since November 1, 2020, are from Portugal (18%), the U.S. (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), Check Point Research noted in a report shared with The Hacker News, with government, finance, and manufacturing entities emerging as the top affected industry verticals. "Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the researchers, who detected 223 different Trickbot campaigns over the course of the last six months. Both TrickBot and Emotet are botnets, which are a network of internet-connected devices infe
Suspected REvil Ransomware Affiliates Arrested in Global Takedown

November 08, 2021 | Ravie Lakshmanan
Romanian law enforcement authorities have announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family, dealing a severe blow to one of the most prolific cybercrime gangs in history. The suspects are believed to have orchestrated more than 5,000 ransomware attacks and extorted close to $600,000 from victims, according to Europol. The arrests, which happened on November 4, are part of a coordinated operation called GoldDust, which has resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea since February 2021. This also includes a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was arrested in early October and has been accused of perpetrating the devastating attack on Florida-based software firm Kaseya in July 2021, affecting up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to have targeted about 7,000 vic
Ukraine Arrests Operator of DDoS Botnet with 100,000 Compromised Devices

October 11, 2021 | Ravie Lakshmanan
Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a "powerful botnet" consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers. The unnamed individual, from the Ivano-Frankivsk region of the country, is also said to have leveraged the automated network to detect vulnerabilities in websites and break into them as well as stage brute-force attacks in order to guess email passwords. The Ukrainian police agency said it conducted a raid of the suspect's residence and seized their computer equipment as evidence of illegal activity. "He looked for customers on the closed forums and Telegram chats and payments were made via blocked electronic payment systems," the Security Service of Ukraine (SSU) said in a press statement. The payments were facilitated via WebMoney, a Russian money transfer p
Numando: A New Banking Trojan Targeting Latin American Users

September 19, 2021 | Ravie Lakshmanan
A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro. The threat actor behind this malware family — dubbed "Numando" — is believed to have been active since at least 2018. "[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain." Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compr
3 Former U.S. Intelligence Officers Admit to Hacking for UAE Company

September 15, 2021 | Ravie Lakshmanan
The U.S. Department of Justice (DoJ) on Tuesday disclosed it fined three intelligence community and military personnel $1.68 million in penalties for their role as cyber-mercenaries working on behalf of a U.A.E.-based cybersecurity company. The trio in question — Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40 — are accused of "knowingly and willfully combine, conspire, confederate, and agree with each other to commit offenses," furnishing defense services to persons and entities in the country over a three-year period beginning around December 2015 and continuing through November 2019, including developing invasive spyware capable of breaking into mobile devices without any action by the targets. "The defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., 'hacking') for the benefit of the U.A.E. government," the DoJ said
Dutch Police Arrest Two Hackers Tied to "Fraud Family" Cybercrime Ring

July 23, 2021 | Ravie Lakshmanan
Law enforcement authorities in the Netherlands have arrested two alleged individuals belonging to a Dutch cybercriminal collective who were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what's known as a "Fraud-as-a-Service" operation. The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are said to have been the main developer and seller of the phishing frameworks that were employed to collect login data from bank customers. The attacks primarily singled out users in the Netherlands and Belgium. The 15-year-old suspect has since been released from custody "pending further investigation," Dutch police said. Believed to be active since at least 2020, the cybercriminal syndicate has been codenamed "Fraud Family" by cybersecurity firm Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow the fraudsters
REvil Ransomware Gang Mysteriously Disappears After High-Profile Attacks

July 14, 2021 | Ravie Lakshmanan
REvil, the infamous ransomware cartel behind some of the biggest cyberattacks targeting JBS and Kaseya, has mysteriously disappeared from the dark web, leading to speculations that the criminal enterprise may have been taken down. Multiple darknet and clearnet sites maintained by the Russia-linked cybercrime syndicate, including the data leak, extortion, and payment portals, remained inaccessible, displaying an error message "Onionsite not found." The group's Tor network infrastructure on the dark web consists of one data leak blog site and 22 data hosting sites. It's not immediately clear what prompted the infrastructure to be knocked offline. REvil is one of the most prolific ransomware-as-a-service (RaaS) groups that first appeared on the threat landscape in April 2019. It's an evolution of the GandCrab ransomware, which hit the underground markets in early 2018. "If REvil has been permanently disrupted, it'll mark the end of a group which ha
Interpol Arrests Moroccan Hacker Engaged in Nefarious Cyber Activities

July 06, 2021 | Ravie Lakshmanan
Law enforcement authorities with Interpol have apprehended a threat actor responsible for targeting thousands of unwitting victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France as part of a global phishing and credit card fraud scheme. The two-year investigation, dubbed Operation Lyrebird by the international, intergovernmental organization, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX, cybersecurity firm Group-IB disclosed today in a report shared with The Hacker News. Dr HeX is said to have been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims," the Singapore-headquartered company said. The cyber attacks involved deploying a phishing kit consisting of web pages that spoofed banking entities in the country, followed by sendin
Four Plead Guilty to Aiding Cyber Criminals with Bulletproof Hosting

May 09, 2021 | Ravie Lakshmanan
Four Eastern European nationals face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to providing bulletproof hosting services between 2008 and 2015, which were used by cybercriminals to distribute malware to financial entities across the U.S. The individuals, Aleksandr Grichishkin, 34, and Andrei Skvortsov, 34, of Russia; Aleksandr Skorodumov, 33, of Lithuania; and Pavel Stassi, 30, of Estonia, have been accused of renting their wares to cybercriminal clients, who used the infrastructure to disseminate malware such as Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit that were capable of co-opting victim machines into a botnet, and stealing sensitive information. The deployment of malware caused or attempted to cause millions of dollars in losses to U.S. victims, the U.S. Department of Justice (DoJ) said in a statement on Friday. "A key service provided by the defendants was helping their clients to evade detection by
DeepDotWeb Admin Pleads Guilty to Money Laundering Charges

April 01, 2021 | Ravie Lakshmanan
The U.S. Department of Justice (DoJ) on Wednesday said that an Israeli national pleaded guilty for his role as an "administrator" of a portal called DeepDotWeb (DDW), a "news" website that "served as a gateway to numerous dark web marketplaces." According to the unsealed court documents, Tal Prihar, 37, an Israeli citizen residing in Brazil, operated DDW alongside Michael Phan, 34, of Israel, starting October 2013, in return for which they received kickbacks from the operators of the marketplaces in the form of virtual currency amounting to 8,155 bitcoins (worth $8.4 million at the time of the transactions). In an attempt to conceal the illicit payments, Prihar is said to have transferred the money to other bitcoin accounts and to bank accounts under his control in the name of shell companies. "Tal Prihar served as a broker for illegal Darknet marketplaces — helping such marketplaces find customers for fentanyl, firearms, and other dangerous
Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud

March 19, 2021 | Ravie Lakshmanan
The U.S. Department of Justice yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian hacker who planned to plant malware in the Tesla company. A Swiss hacker who was involved in the intrusion of cloud-based surveillance firm Verkada and exposed camera footage from its customers was charged by the U.S. Department of Justice (DoJ) on Thursday with conspiracy, wire fraud, and identity theft. Till Kottmann (aka "deletescape" and "tillie crimew"), 21, of Lucerne, Switzerland, and their co-conspirators were accused of hacking dozens of companies and government agencies since 2019 by targeting their "git" and other source code repositories and posting the proprietary data of more than 100 entities on a website called git[.]rip, according to the indictment. Kottmann is alleged to have cloned the source code and other confidential files containing hard-coded administrative credentials and access keys, using th
CEO of Encrypted Chat Platform Indicted for Aiding Organised Criminals

March 15, 2021 | Ravie Lakshmanan
The U.S. Department of Justice (DoJ) on Friday announced an indictment against Jean-Francois Eap, the CEO of encrypted messaging company Sky Global, and an associate for wilfully participating in a criminal enterprise to help international drug traffickers avoid law enforcement. Eap (also known as "888888") and Thomas Herdman, a former high-level distributor of Sky Global devices, have been charged with a conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO), according to warrants issued for their arrests. "The indictment alleges that Sky Global generated hundreds of millions of dollars providing a service that allowed criminal networks around the world to hide their international drug trafficking activity from law enforcement," Acting U.S. Attorney Randy Grossman said in the announcement. "This groundbreaking investigation should send a serious message to companies who think they can aid criminals in their unlawful ac
Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

March 01, 2021 | Ravie Lakshmanan
A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today. "In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself." Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S. First documented in 2014, Gootkit is a JavaScript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft. Over the years, the
2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

September 16, 2020 | Ravie Lakshmanan
The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected computer for a widespread "cyber-assault" that affected over 1,400 websites with pro-Iranian and pro-Palestinian messages. "The hackers victimized innocent third parties in a campaign to retaliate for the military action that killed Soleimani, a man behind countless acts of terror against Americans and others that the Iranian regime opposed," said Assistant Attorney General for National Security John C. Demers in a statement. The defendants, from Iran and Palestine, respectively, are now wanted by the US authorities and are no longer free to travel outside their countries wi
US Charges 2 Chinese Hackers for Targeting COVID-19 Research and Trade Secrets

July 22, 2020 | Ravie Lakshmanan
The U.S. Department of Justice (DoJ) yesterday revealed charges against two Chinese nationals for their alleged involvement in a decade-long hacking spree targeting dissidents, government agencies, and hundreds of organizations in as many as 11 countries. The 11-count indictment, which was unsealed on Tuesday, alleges LI Xiaoyu (李啸宇) and DONG Jiazhi (董家志) stole terabytes of sensitive data, including from companies developing COVID-19 vaccines, testing technology, and treatments while operating both for private financial gain and on behalf of China's Ministry of State Security. "China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state, [and] to feed the Chinese Communist party's insatiable hunger for American and other non-Chinese companies' hard-earned intellectual property, includ