dark web | Breaking Cybersecurity News | The Hacker News

Between crossovers - Do threat actors play dirty or desperate? In our dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack, we noticed that some victims re-occur. Consequently, the question arises why we observe a re-victimization and whether or not this is an actual second attack, an affiliate crossover (meaning an affiliate has gone to another Cyber Extortion operation with the same victim) or stolen data that has been travelling and re-(mis-)used. Either way, for the victims neither is good news.  But first thing's first, let's explore the current threat landscape, dive into one of our most recent research focuses on the dynamics of this ecosystem; and then explore our dataset on Law Enforcement activities in this space. Might the re-occurrence that we observe be foul play by threat actors and thus show how desperately they are trying to regain the trust of their co-offenders after disruption efforts by Law Enforcement? Or are th

The  ransomware industry surged in 2023  as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070.  But 2024 is starting off showing a very different picture.  While the numbers skyrocketed in Q4 2023 with 1309 cases, in Q1 2024, the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023. Figure 1: Victims per quarter There could be several reasons for this significant drop.  Reason 1: The Law Enforcement Intervention Firstly, law enforcement has upped the ante in 2024 with actions against both LockBit and ALPHV. The LockBit Arrests In February, an international operation named "Operation Cronos" culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.  Law enforcement from multiple countries collaborated to take down LockBit's infrastructure. This included seizing their dark web domains and gaining access to their backend sys

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

The Cyber Police of Ukraine has  arrested  three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world. The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison. The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members. The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums. Other threat actors who purchased the information used the compromised accounts to conduct a variety of  fraudulent schemes , including those in which scammers reach out to the victim's friends to urgently transfer money to their bank account. "You can protect

The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise  seized control  of its servers. To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing. The administrator behind LockBit, in a  lengthy follow-up message , said some of their websites were confiscated by most likely exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they didn't update PHP due to "personal negligence and irresponsibility." "I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed," they noted. They also cla

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, "has engaged with law enforcement," authorities said. The development comes following the  takedown  of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered. "We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement," according to a  message  posted on the now-seized (and offline) dark web data leak site. The move has been  interpreted  by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem. According to research published by Analyst1 in A

Update: The U.K. National Crime Agency (NCA) has confirmed the takedown of LockBit infrastructure. Read here for more details . An international law enforcement operation has led to the seizure of multiple darknet domains operated by  LockBit , one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns. While the full extent of the effort, codenamed  Operation Cronos , is presently unknown, visiting the group's .onion website displays a seizure banner containing the message "The site is now under the control of law enforcement." Authorities from 11 countries, Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the U.K., and the U.S., alongside Europol participated in the joint exercise. Malware research group VX-Underground, in a  message  posted on X (formerly Twitter), said the websites were taken down by exploiting a critical security flaw impacting PHP ( CVE-2023-3824 , CVSS score: 9.8

A malicious Python script known as  SNS Sender  is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service ( SNS ). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne  said  in a new report, attributing it to a threat actor named ARDUINO_DAS. "The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," security researcher Alex Delamotte said. SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale. The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition t

The U.S. Department of State has  announced  monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation. It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person "conspiring to participate in or attempting to participate in Hive ransomware activity." The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort  covertly infiltrated and dismantled  the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. One person with suspected ties to the group was  arrested  in Paris in December 2023. Hive, which emerged in mid-2021, targeted more than 1,500 victims in over 80 countries, netting about $100 million in illegal revenues. In November 2023, Bitdefender  revealed  that a new ransomware group called Hunters International had acquired the source code and infrastructure

The operators of  Raspberry Robin  are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point  said  in a report this week. Raspberry Robin (aka QNAP worm), first documented in 2021, is an  evasive malware family  that's known to act as one of the  top initial access facilitators  for other malicious payloads, including ransomware. Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft  describing  it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like  Evil Corp, Silence, and TA505 . Raspberry Robin's use of one-day exploits such as CVE-2020-

Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as  ResumeLooters  since early 2023 with the goal of stealing sensitive data. Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023. The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 have been taken from job search websites. Over two million unique email addresses are present within the dataset. "By using SQL injection attacks against websites, the threat actor attempts to steal user databases that may include names, phone numbers, emails, and DoBs, as well as information about job seekers' experience, employment history, and other sensitive personal data," security researcher Nikita Rostovcev  said  in a report sh