The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: Cybercrime

Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang

Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang
May 18, 2022Ravie Lakshmanan
The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. "Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT  said  in a new report shared with The Hacker News. "Some of the money they get is put back into the project to develop new tools and talent." Wizard Spider, also known as Gold Blackburn, is believed to operate out of Russia and refers to a financially motivated threat actor that's been linked to the TrickBot botnet, a modular malware that was  officially discontinued  earlier this year in favor of improved malware such as BazarBackdoor. That's not all. The TrickBot operators have also extensively cooperated with  Conti , another Russia-linked cybercrime group notorious for offering ransomware-a

New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity

New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity
May 10, 2022Ravie Lakshmanan
The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed. "Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," researchers from Secureworks Counter Threat Unit (CTU)  said  in a report published Monday. "The identification of multiple samples with varying modifications in such a short period of time and the lack of an official new version indicates that REvil is under heavy active development once again." REvil, short for Ransomware Evil, is a ransomware-as-a-service (RaaS) scheme and attributed to a Russia-based/speaking group known as  Gold Southfield , arising just as  GandCrab  activity declined and the latter announced their retirement. It's also one of the earliest groups to adopt the double extortion scheme in which stolen data from

Cybercriminals Using New Malware Loader 'Bumblebee' in the Wild

Cybercriminals Using New Malware Loader 'Bumblebee' in the Wild
April 28, 2022Ravie Lakshmanan
Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that's under active development. "Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware," enterprise security firm Proofpoint  said  in a report shared with The Hacker News. Campaigns distributing the new highly sophisticated loader are said to have commenced in March 2022, while sharing overlaps with malicious activity leading to the deployment of Conti and Diavol ransomware, raising the possibility that the loader could act as a precursor for ransomware attacks. "Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,&q

Both Sides in Russia-Ukraine War Heavily Using Telegram for Disinformation and Hacktivism

Both Sides in Russia-Ukraine War Heavily Using Telegram for Disinformation and Hacktivism
March 04, 2022Ravie Lakshmanan
Cyber criminals and hacktivist groups are increasingly using the Telegram messaging app to coordinate their activities, leak data, and spread disinformation, as the Russia-Ukraine conflict enters its eighth day. A new analysis by Israeli cybersecurity company Check Point Research has  found  that "user volume grew a hundred folds daily on Telegram related groups, peaking at 200,000 per group." Prominent among the groups are anti-Russian cyber attack groups, including the Ukraine government-backed IT Army, which has urged its more 270,000 members to conduct distributed denial-of-service (DDoS) attacks against Russian entities. Other hacktivist-oriented Telegram groups used to coordinate the attacks on Russian targets via DDoS, SMS or call-based attacks are Anna_ and Mark_, Check Point researchers noted. That said, there may be more to these attacks than meets the eye. "It seems that many of the hacktivist groups are more focused on building self-reputation and recei

Ransomware Affiliate Arrested in Romania; 51 Stolen Data Brokers Arrested in Ukraine

Ransomware Affiliate Arrested in Romania; 51 Stolen Data Brokers Arrested in Ukraine
December 13, 2021Ravie Lakshmanan
Europol, the European Union's premier law enforcement agency, has  announced  the arrest of a third Romanian national for his role as a ransomware affiliate suspected of hacking high-profile organizations and companies and stealing large volumes of sensitive data. The 41-year-old unnamed individual was apprehended Monday morning at his home in Craiova, Romania, by the Romanian Directorate for Investigating Organized Crime and Terrorism ( DIICOT ) following a joint investigation in collaboration with the U.S. Federal Bureau of Investigation (FBI). It's not currently known which ransomware gang the suspect was working with, but the development comes a little over a month after Romanian authorities  arrested two affiliates  of the REvil ransomware family, who are believed to have orchestrated no fewer than 5,000 ransomware attacks and extorted close to $600,000 from victims. Affiliates play a key role in the subscription-based ransomware-as-a-service (RaaS) business models, a

Russian Man Gets 60 Months Jail for Providing Bulletproof Hosting to Cyber Criminals

Russian Man Gets 60 Months Jail for Providing Bulletproof Hosting to Cyber Criminals
December 01, 2021Ravie Lakshmanan
A Russian national charged with providing bulletproof hosting services for cybercriminals, who used the platform to spread malware and attack U.S. organizations and financial institutions between 2009 to 2015, has received a 60-month prison sentence. 34-year-old Aleksandr Grichishkin, along with Andrei Skvortsov, founded the bulletproof hosting service and rented its infrastructure to other criminal clientele for distributing a wide range of malware and attempted to cause millions of dollars in losses to U.S. victims.  Skvortsov is pending sentencing and faces a maximum penalty of 20 years in prison. Bulletproof hosting operations are similar to regular web hosting, but are a lot more lenient about what can be hosted on their servers. They are known for providing secure hosting for malicious content and activity and assuring anonymity to threat actors. Grichishkin, in May,  pleaded guilty  to conspiracy to engage in a racketeer-influenced corrupt organization (RICO). Acting as th

Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide

Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide
October 30, 2021Ravie Lakshmanan
12 people have been detained as part of an international law enforcement operation for orchestrating ransomware attacks on critical infrastructure and large organizations that hit over 1,800 victims across 71 countries since 2019, marking the latest action against cybercrime groups. The arrests were made earlier this week on October 26 in Ukraine and Switzerland, resulting in the seizure of cash worth $52,000, five luxury vehicles, and a number of electronic devices that the agencies said are being examined to uncover new forensic evidence of their malicious activities and pursue new investigative leads. The suspects have been primarily linked to LockerGoga, MegaCortex, and Dharma ransomware, in addition to being in charge of  laundering the ransom payments  by funneling the ill-gotten Bitcoin proceeds through mixing services and cashing them out. "The targeted suspects all had different roles in these professional, highly organised criminal organisations," Europol  said

Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime

Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime
October 29, 2021Ravie Lakshmanan
A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group. Court documents showed that Vladimir Dunaev , 38, along with other members of the transnational, cybercriminal organization, stole money and confidential information from unsuspecting victims, including individuals, financial institutions, school districts, utility companies, government entities, and private businesses. Starting its roots as a banking trojan in 2016, TrickBot has  evolved  into a modular, multi-stage Windows-based crimeware solution capable of pilfering valuable personal and financial information, and even dropping ransomware and post-exploitation toolkits on compromised devices. The malware is also  notorious  for its  resilience , having survived at least two takedowns spearheaded by Microsoft and the U.S. Cyber Command

Europol Busts Major Crime Ring, Arrests Over 100 Online Fraudsters

Europol Busts Major Crime Ring, Arrests Over 100 Online Fraudsters
September 20, 2021Ravie Lakshmanan
Law enforcement agencies in Italy and Spain have dismantled an organized crime group linked to the Italian Mafia that was involved in online fraud, money laundering, drug trafficking, and property crime, netting the gang about €10 million ($11.7 million) in illegal proceeds in just a year. "The suspects defrauded hundreds of victims through phishing attacks and other types of online fraud such as SIM swapping and business email compromise before laundering the money through a wide network of money mules and shell companies," Europol  said  in a statement published today.  The group operated out of Tenerife, located in Spain's Canary Islands. The development comes following a year-long sting operation that saw as many as 16 house searches in Santa Cruz de Tenerife, Turin, and Isernia, resulting in 106 arrests — mostly in Spain and Italy — and seizure of electronic devices, 224 credit cards, SIM cards, point-of-sale terminals, a marijuana plantation, and equipment used

Researchers Warn of 4 Emerging Ransomware Groups That Can Cause Havoc

Researchers Warn of 4 Emerging Ransomware Groups That Can Cause Havoc
August 24, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday took the wraps off four up-and-coming ransomware groups that could pose a serious threat to enterprises and critical infrastructure, as the ripple effect of a recent spurt in ransomware incidents show that attackers are growing more sophisticated and more profitable in extracting payouts from victims. "While the ransomware crisis appears poised to get worse before it gets better, the cast of cybercrime groups that cause the most damage is constantly changing," Palo Alto Networks' Unit 42 threat intelligence team  said  in a report shared with The Hacker News. "Groups sometimes go quiet when they've achieved so much notoriety that they become a priority for law enforcement. Others reboot their operations to make them more lucrative by revising their tactics, techniques and procedures, updating their software and launching marketing campaigns to recruit new affiliates." The development comes as ransomware attacks are g

16 Cybercriminals Behind Mekotio and Grandoreiro Banking Trojan Arrested in Spain

16 Cybercriminals Behind Mekotio and Grandoreiro Banking Trojan Arrested in Spain
July 14, 2021Ravie Lakshmanan
Spanish law enforcement agencies on Wednesday arrested 16 individuals belonging to a criminal network in connection with operating two banking trojans as part of a social engineering campaign targeting financial institutions in Europe. The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation codenamed "Aguas Vivas", the Civil Guard said in a statement. "Through malicious software, installed on the victim's computer by the technique known as 'email spoofing', [the group] would have managed to divert large amounts of money to their accounts," authorities  noted . Computer equipment, mobile phones, and documents were confiscated, and more than 1,800 spam emails were analyzed, enabling law enforcement to block transfer attempts totaling €3.5 million successfully. The campaign is said to have netted the actors €2

Feds Secretly Ran a Fake Encrypted Chat App and Busted Over 800 Criminals

Feds Secretly Ran a Fake Encrypted Chat App and Busted Over 800 Criminals
June 08, 2021Ravie Lakshmanan
In an unprecedented sting operation, the U.S. Federal Bureau of Investigation (FBI) and Australian Federal Police (AFP) ran an encrypted chat service called ANoM for nearly three years to intercept 27 million messages exchanged between criminal gang members globally. Dubbed Operation Ironside (AFP), Operation Greenlight (Europol), and Operation Trojan Shield (FBI), the long-term covert probe into transnational and serious organized crime culminated in the arrests of 224 offenders on 526 charges in Australia, with 55 luxury vehicles, eight tons of cocaine, 22 tons of cannabis and cannabis resin, 250 firearms, and more than $48 million in various currencies and cryptocurrencies seized in raids around the world.  A total of more than 800 arrests have been reported across 18 countries, including New Zealand, Germany, and Sweden. Europol  called  it the "biggest ever law enforcement operation against encrypted communication." The communications allegedly involved plots to kil

SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence

SysAdmin of Billion-Dollar Hacking Group Gets 10-Year Sentence
April 17, 2021Ravie Lakshmanan
A high-level manager and systems administrator associated with the FIN7 threat actor has been sentenced to 10 years in prison, the U.S. Department of Justice announced Friday. Fedir Hladyr , a 35-year-old Ukrainian national, is said to have played a crucial role in a criminal scheme that compromised tens of millions of debit and credit cards, in addition to aggregating the stolen information, supervising other members of the group, and maintaining the server infrastructure that FIN7 used to attack and control victims' machines. The development comes after Hladyr pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking in September 2019. He was arrested in Dresden, Germany, in 2018 and extradited to the U.S. city of Seattle. Hladyr has also been ordered to pay $2.5 million in restitution. "This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malwa

What are the different roles within cybersecurity?

What are the different roles within cybersecurity?
April 17, 2021The Hacker News
People talk about the cybersecurity job market like it's a monolith, but there are a number of different roles within cybersecurity, depending not only on your skill level and experience but on what you like to do. In fact, Cybercrime Magazine came up with a list of  50 cybersecurity job titles , while CyberSN, a recruiting organization, came up with its own list of  45 cybersecurity job categories . Similarly, OnGig.com, a company that helps firms write their job ads, analyzed 150 cybersecurity job titles and came up with its  own top 30 list . This article is based on research I did with Springboard, one of the  first cybersecurity bootcamps with a job guarantee  and 1:1 mentorship. In particular, CyberSeek.org, a joint industry initiative looking at the cybersecurity job market, offers an  interactive list  of not only the various positions within cybersecurity but offers you a career path showing how you can get promoted. The complicated part is that these titles and roles

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence
September 18, 2020Ravie Lakshmanan
The U.S. government on Thursday imposed  sweeping sanctions  against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group  APT39  (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran's national security objectives. To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U

21-Year-Old Cypriot Hacker Extradited to U.S. Over Fraud and Extortion Charges

21-Year-Old Cypriot Hacker Extradited to U.S. Over Fraud and Extortion Charges
July 20, 2020Swati Khandelwal
The United States Department of Justice has extradited two criminals from the Republic of Cyprus—one is a computer hacker suspected of cyber intrusions and extortion, and the other is a money launderer with known connections to the terrorist organization Hezbollah. Both suspects— Joshua Polloso Epifaniou , 21, a resident of Nicosia, and Ghassan Diab , 37, a citizen of Lebanon—were arrested earlier last year and extradited to the United States last weekend. According to the indictment , Epifaniou conducted a brute force attack against the Phoenix-based online review portal Ripoff Report (ROR) in October 2016 and successfully override ROR's login and password protection to gain access to its database through an existing account associated with a ROR employee. In November 2016, Epifaniou tried to extort the company by emailing ROR's CEO with a hyperlink to a video demonstrating Epifaniou's unauthorized access to the ROR CEO's account, threatening him to publicly di

Researchers Uncover a Nigerian Hacker's Pursuit of his Million Dollar Dream

Researchers Uncover a Nigerian Hacker's Pursuit of his Million Dollar Dream
March 17, 2020Ravie Lakshmanan
Social engineering-driven malware threats continue to be a big threat, but new research details how cybercriminals profit off such schemes to launder hundreds of thousands of dollars from stolen credit cards of unsuspecting victims. Cybersecurity firm Check Point Research, in a report shared with The Hacker news, uncovered the digital trail of a Nigerian cybercriminal, who went by the name of "Dton" and targeted hundreds of thousands of people under the moniker of "Bill Henry" by sending them malicious emails with custom-built malware. The company said it disclosed the findings to concerned Nigerian and international law enforcement authorities for further action. A multi-stage criminal scheme The operation began with Dton buying stolen credit card details from Ferrum Shop, an online marketplace that sells over 2.5 million stolen credit card credentials, and then charging them each $550 each to fraudulently net more than $100,000 in illicit transactions

Police Shut Down xDedic – An Online Market for Cyber Criminals

Police Shut Down xDedic – An Online Market for Cyber Criminals
January 28, 2019Mohit Kumar
In an international operation involving law enforcement authorities from the U.S. and several European countries, feds have shut down an online underground marketplace and arrested three suspects in Ukraine. Dubbed xDedic, the illegal online marketplace let cybercriminals buy, sell or rent out access to thousands of hacked computers and servers across the world and personally identifiable information of U.S. residents. The underground website had been around for years with its administrators strategically maintaining and concealing the locations of its servers all over the world to facilitate the operation of the underground site. xDedic offered buyers to search for over 176,000 unique compromised servers—which were usually in the form of credentials for compromised Remote Desktop Protocol (RDP) accounts—from around the world by price, operating system, or even their geographic location from where it was stolen. xDedic impacted victims in multiple industries, "including
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.