Cybercrime | Breaking Cybersecurity News | The Hacker News

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges. Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware. To that end, Zaets and Malozemov were sentenced to 4.5 and 5 years in prison. Khansvyarov and Puzyrevsky received a jail term of 5.5 and 6 years, respectively. The four individuals are part of a group of 14 people who were initially detained in connection with the case. As reported by TASS back in January 2022, eight of them were charged by the court for their malicious activities. The remaining four members, Andrei Bessonov, Mikhail Golovach...

Cybersecurity researchers have discovered an advanced version of the Qilin ransomware sporting increased sophistication and tactics to evade detection. The new variant is being tracked by cybersecurity firm Halcyon under the moniker Qilin.B. "Notably, Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while still retaining Chacha20 for systems that lack this support," the Halcyon Research Team said in a report shared with The Hacker News. "Additionally, RSA-4096 with OAEP padding is used to safeguard encryption keys, making file decryption without the attacker's private key or captured seed values impossible." Qilin, also known as Agenda , first came to the attention of the cybersecurity community in July/August 2022, with initial versions written in Golang before switching to Rust. A May 2023 report from Group-IB revealed that the ransomware-as-a-service (RaaS) scheme allows its affiliates to anywhere between 80% to 85% of ...

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure," Kaspersky said in an analysis published Tuesday. Some of the other freshly incorporated tricks include the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing ( CTS ) encryption, and mouse tracking. Also observed are "lighter, local versions" that are specifically focused on targeting banking customers in Mexico. Grandoreiro , active since 2016, has consistently evolved over time, taking efforts to stay undetected, while also widening its geog...

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said . "However, such is not the case, and the attacker only seems to be capitalizing on LockBit's notoriety to further tighten the noose on their victims." The ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate data exfiltration to the cloud, a sign that adversaries are increasingly weaponizing popular cloud service providers for malicious schemes. The AWS account used in the campaign is presumed to be either their own or compromised. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts...

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks. "In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes," Secureworks Counter Threat Unit (CTU) said in an analysis published this week. "In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024." The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267 . The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea's strategic and financial interests, refers to an insider threat...

Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems. "This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in a report shared with The Hacker News. Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months , with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell code to address a supposed issue with displaying content in the web browser. These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom - meet.googl...

Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group's affiliate panel on the dark web. Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an advertisement, calling for new partners into its affiliate program. "Within the dashboard of the Affiliates' panel of Cicada3301 ransomware group contained sections such as Dashboard, News, Companies, Chat Companies, Chat Support, Account, an FAQ section, and Log Out," researchers Nikolay Kichatov and Sharmine Low said in a new analysis published today. Cicada3301 first came to light in June 2024, with the cybersecurity community uncovering strong source code similarities with the now-defunct BlackCat ransomware group. The RaaS scheme is estimated to have compromised no less th...

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023. The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said. Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers. If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same...

Threat actors are attempting to abuse the open-source EDRSilencer tool as part of efforts to tamper endpoint detection and response (EDR) solutions and hide malicious activity. Trend Micro said it detected "threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection." EDRSilencer , inspired by the NightHawk FireBlock tool from MDSec, is designed to block outbound traffic of running EDR processes using the Windows Filtering Platform ( WFP ). It supports terminating various processes related to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro. By incorporating such legitimate red teaming tools into their arsenal, the goal is to render EDR software ineffective and make it a lot more challenging to identify and remove malware. "The WFP is a powerful framework built into Windows for ...

AI from the attacker’s perspective: See how cybercriminals are leveraging AI and exploiting its vulnerabilities to compromise systems, users, and even other AI applications Cybercriminals and AI: The Reality vs. Hype “AI will not replace humans in the near future. But humans who know how to use AI are going to replace those humans who don't know how to use AI,” says Etay Maor, Chief Security Strategist at Cato Networks and founding member of Cato CTRL . “Similarly, attackers are also turning to AI to augment their own capabilities.” Yet, there is a lot more hype than reality around AI’s role in cybercrime. Headlines often sensationalize AI threats, with terms like "Chaos-GPT" and "Black Hat AI Tools," even claiming they seek to destroy humanity. However, these articles are more fear-inducing than descriptive of serious threats. For instance, when explored in underground forums, several of these so-called "AI cyber tools" were found to be nothing...

New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN. "This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week. First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android's accessibility services. Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and grant itself additional permissions to perform various malicious actions on the device, including carrying out unauthorized transactions. Some of the new varia...

Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT. The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload. "DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets," security researcher Muhammed Irfan V A said in an analysis. "DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures." PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that's available for sale on a subscription basis, offering customers the ability to distribute information stealers, RATs, and ransomware. The exact initial access vector used to deliver PureCrypter and, by extensio...

North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign. The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said . FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016. "FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions," the agencies noted at the time. "In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enab...

The U.S. Department of Justice (DoJ) has announced arrests and charges against several individuals and entities in connection with allegedly manipulating digital asset markets as part of a widespread fraud operation. The law enforcement action – codenamed Operation Token Mirrors – is the result of the U.S. Federal Bureau of Investigation (FBI) taking the "unprecedented step" of creating its own cryptocurrency token and company called NexFundAI . NexFundAI, as per information on the website, was marketed as redefining the "intersection between finance and artificial intelligence" and that its aim was to "create a cryptocurrency token that not only serves as a secure store of value but also acts as a catalyst for positive change in the world of AI." "Three market makers — ZM Quant, CLS Global, and MyTrade — along with their employees are charged with allegedly wash trading and/or conspiring to wash trade on behalf of NexFundAI, a cryptocurrency co...

The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the world's largest and longest-running dark web market for illegal goods, drugs, and cybercrime services. The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said. The marketplace discontinued its operations in late 2023 following reports of service disruptions and exit scams after one of its developers allegedly went rogue in what was characterized by one of the administrators as a "shameful and disgruntled set of events." Bohemia is said to have served 82,000 ads worldwide every day, with about 67,000 transactions taking place each month. In September 2023 alone, the estimated turnover was €12 million. "Some of the sellers in the market advertised shipping from the Netherlands," the Politie said . "An initial analysis shows that at least 14...