Cybercrime | Breaking Cybersecurity News | The Hacker News

A malware botnet called  Ebury  is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware campaigns for financial gain. "Ebury actors have been pursuing monetization activities [...], including the spread of spam, web traffic redirections, and credential stealing," security researcher Marc-Etienne M.Léveillé  said  in a deep dive analysis. "[The] operators are also involved in cryptocurrency heists by using AitM and credit card stealing via network traffic eavesdropping, commonly known as server-side web skimming." Ebury was first documented over a decade ago as part of a campaign codenamed  Operation Windigo  that targeted Linux servers to deploy the malware, alongside other backdoors and scripts like Cdorked and Calfbot to redirect web traffic and send spam

Malicious Android apps masquerading as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed to steal users' credentials from compromised devices. "This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices," the SonicWall Capture Labs threat research team  said  in a recent report. The distribution vector for the campaign is currently unclear. However, once the app is installed on the users' phones, it requests them to grant it permissions to the accessibility services and the  device administrator API , a now-deprecated feature that provides device administration features at the system level. Obtaining these permissions allows the rogue app to gain control over the device, making it possible to carry out arbitrary actions ranging from data theft to malware deployment without the victims' knowledge. The malware is designed to establish connections with a comman

The U.K. National Crime Agency (NCA) has unmasked the administrator and developer of the LockBit ransomware operation, revealing it to be a 31-year-old Russian national named  Dmitry Yuryevich Khoroshev . In addition, Khoroshev has been sanctioned  by the U.K. Foreign, Commonwealth and Development Office (FCD), the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs. Europol, in a  press statement , said authorities are in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support. Khoroshev, who went by the monikers LockBitSupp and putinkrab, has also become the subject of asset freezes and travel bans, with the U.S. Department of State offering a reward of up to $10 million for information leading to his arrest and/or conviction. Previously, the agency had  announced  reward offers of up to $15 million seeking information leading to the identity and location of k

Cybercriminals are vipers. They're like snakes in the grass, hiding behind their keyboards, waiting to strike. And if you're a small- and medium-sized business (SMB), your organization is the ideal lair for these serpents to slither into.  With cybercriminals becoming more sophisticated, SMBs like you must do more to protect themselves. But at what price? That's the daunting question many SMBs are forced to ask. Amidst your everyday challenges, the answer seems obvious: forgo investing in a robust cybersecurity solution for the time being. However, the alternative is to cross your fingers and hope hackers don't find you. That, of course, isn't the most prudent strategy, as the uncomfortable truth is threat actors now see your organization as a quick path to profit. Therefore, if your defenses are weak—or just not there—these digital crooks are likely to disrupt your operations, access sensitive data, and extort a heavy ransom. In this article, we'll explore the financial burdens

A Russian operator of a now-dismantled BTC-e cryptocurrency exchange has  pleaded guilty  to money laundering charges from 2011 to 2017. Alexander Vinnik, 44, was charged in January 2017 and taken into custody in Greece in July 2017. He was subsequently  extradited  to the U.S. in August 2022. Vinnik and his co-conspirators have been accused of owning and managing BTC-e, which allowed its criminal customers to trade in Bitcoin with high levels of anonymity. BTC-e is said to have facilitated transactions for cybercriminals worldwide, receiving illicit proceeds from numerous computer intrusions and hacking incidents, ransomware scams, identity theft schemes, corrupt public officials, and narcotics distribution rings. The crypto exchange received more than $4 billion worth of bitcoin over the course of its operation, according to the U.S. Department of Justice (DoJ). It also processed over $9 billion-worth of transactions and served over one million users worldwide, several of them i

A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the  REvil ransomware group  orchestrated more than 2,500 ransomware attacks and demanded ransom payments in cryptocurrency totaling more than $700 million. "The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains," the U.S. Department of Justice (DoJ)  said . "To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims' data when victims would not pay ransom demands." Vasinskyi was  extradited  to the U.S. in March 2022 following his arrest in Poland in October 2021. REvil, prior to formally going offline in late 2021, was responsible for a series of high

Fake browser updates are being used to push a previously undocumented Android malware called  Brokewell . "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric  said  in an analysis published Thursday. The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches. The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows - jcwAz.EpLIq.vcAZiUGZpK (Google Chrome) zRFxj.ieubP.lWZzwlluca (ID Austria) com.brkwl.upstracking (Klarna) Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting  accessibility service permissions . The banking trojan, once installed and launched for the first time, pro

The U.S. Department of Justice (DoJ) on Wednesday  announced  the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business from 2015 through February 2024. Rodriguez and Hill face a maximum sentence of 25 years in prison each. Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai to help "criminals to engage in large-scale money laundering and sanctions evasion," while ostensibly marketing as a privacy-oriented service, the DoJ said. Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra, as well as spear-phishing schemes and scams aimed at defrauding multip

European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE). They called on the industry and governments to take urgent action to ensure public safety across social media platforms. "Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol  said . "It will also stop law enforcement's ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and terrorism offenses." The idea that E2EE protections could stymie law enforcement is often referred to as the  "going dark" problem , triggering concerns it could create  new obstacles  to gather evidence of nefarious activity. The development comes ag

Cybersecurity breaches can be devastating for both individuals and businesses alike. While many people tend to focus on understanding how and why they were targeted by such breaches, there's a larger, more pressing question: What is the true financial impact of a cyberattack? According to research by Cybersecurity Ventures, the global cost of cybercrime is projected to reach an astonishing 10.5 trillion USD annually by 2025, which marks a dramatic increase from the 3 trillion USD reported in 2015. This sharp rise highlights a concerning trend: cybercriminals have significantly improved their methods for conducting sophisticated and successful cyberattacks over the years. According to research firm Cybersecurity Ventures, the cost of global cybercrime will reach a staggering 10.5 trillion USD annually by 2025, up from the 3 trillion USD that it was in 2015. It's clear, then, that these threat actors have found ways to pull off sophisticated and successful cyberattacks over the yea

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team  said  in a new write-up. "They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries ( LOLBAS )." FIN7, also known as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria Tempest, is a well-known  financially motivated e-crime group  that has a track record of striking a wide range of industry verticals to deliver malware capable of stealing information from point-of-sale (PoS) systems since 2012. In recent years, the threat actor has  transitioned  to  conducting ransomware operations ,

As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called  LabHost  that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service ( PhaaS ) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the U.S., and the U.K. As part of the operation, codenamed PhishOFF and Nebulae (referring to the Australian arm of the probe), two LabHost users from Melbourne and Adelaide were arrested on April 17, with three others arrested and charged with drug-related offenses. "Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via te

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage  CVE-2023-22518  (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. Armed with this access, a threat actor could take over affected systems, leading to a full loss of confidentiality, integrity, and availability. According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and allow for the execution of arbitrary commands on the host. "The attacker uses this web shell to download and run the primary Cerber payload," Nate Bill, threat intelligence engineer at Cado,  said  in a report shared with The Hacker News. "In a default install, the Confluence applicati

Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files ( WSFs ) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer  said  in a report shared with The Hacker News. Raspberry Robin, also called QNAP worm, was  first spotted  in September 2021 that has since  evolved into a downloader  for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware. While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since  adopted other methods  such as social engineering and malvertising. It's attribute

2023 CL0P Growth  Emerging in early 2019, CL0P was first introduced as a more advanced version of its predecessor the 'CryptoMix' ransomware, brought about by its owner CL0P ransomware, a cybercrime organisation. Over the years the group remained active with significant campaigns throughout 2020 to 2022. But in 2023 the CL0P ransomware gang took itself to new heights and became one of the most active and successful ransomware organizations in the world.  Capitalizing on countless vulnerabilities and exploits for some of the world's largest organizations. The presumed Russian gang took its name from the Russian word "klop," which translates to "bed bug" and is often written as "CLOP" or "cl0p". Once their victims' files are encrypted, ".clop" extensions are added to their files.  CL0P's Methods & Tactics  The CL0P ransomware gang (closely associated with the TA505. FIN11, and UNC2546 cybercrime groups) was renowned for their extremely destructive and aggressive ca