Tag Archive for: operation

Long-running RUBYCARP botnet operation examined

/in


BleepingComputer reports that intrusions involving known security flaws and brute force tactics have been deployed by Romanian threat operation RUBYCARP for at least a decade, with the group currently operating a botnet with more than 600 breached servers.

After several months of targeting Laravel apps impacted by the remote code execution flaw, tracked as CVE-2021-3129, RUBYCARP has transitioned to brute-force attacks against SSH servers to distribute a shellbot payload that would make the server a part of its botnet infrastructure, according to a report from the Sysdig Threat Research Team.

Moreover, cryptocurrency miners XMRig, NanoMiner, and C2Bash have been used by the threat group to exfiltrate cryptocurrency assets, said researchers. The findings also showed that aside from engaging in phishing attacks involving emails spoofing European financial and logistics entities to facilitate financial data theft, RUBYCARP has also entered the business of cyber weapon development and trade.

Source…

Authorities Dismantle Grandoreiro Banking Malware Operation

/in


Group-IB, a cybersecurity firm, helped INTERPOL and Brazil dismantle the Grandoreiro banking trojan operation, as their expertise in threat intelligence and investigation was key. 

Malware samples collected during independent investigations in Brazil and Spain (2020-2022) were analyzed by Group-IB and other partners, which helped track the constantly shifting infrastructure of the attackers and pinpoint the active command and control server. 

The combined effort led to the arrest of five administrators in January 2024.

Grandoreiro, a major threat since 2017, used phishing emails mimicking legitimate organizations to target victims in Spanish-speaking countries. 

The malware steals financial data by employing a multi-pronged approach, which monitors keystrokes to capture login credentials, simulates mouse clicks for potentially fraudulent transactions, shares the victim’s screen for real-time hijacking, and displays deceptive pop-ups to trick users into compromising information.

Targeting bank accounts, the malware specifically gathers usernames and bank identifiers, granting unauthorized access, which enables criminals to completely control the victim’s account and siphon funds. 

To launder the money, they employ a money mule network, likely transferring stolen funds to Brazil and estimates suggest the malware has defrauded victims of over EUR 3.5 million, with potential losses exceeding EUR 110 million if attempted thefts were successful. 

In response to a cybercrime campaign targeting Spanish banks with Grandoreiro malware, Brazilian and Spanish authorities independently collected samples between 2020 and 2022. 

To improve their investigations, they collaborated with INTERPOL’s Cyber Crime Unit, and Group-IB, a cybersecurity firm, joined the effort to analyze the malware samples. 

Their threat intelligence and cyber investigation specialists played a key role in dissecting the Grandoreiro samples, enabling investigators to track the malware’s ever-changing network infrastructure and pinpoint the command and control server’s IP address. 

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need…

Source…

Duvel ransomware attack admitted by Stormous operation

/in



Beer manufacturer Duval Moortgat Brewery had operations across Belgium and at its U.S. site disrupted following a ransomware attack.

Source…

LockBit ransomware gang disrupted by international law enforcement operation

/in


LockBit — the most prolific ransomware group in the world — had its website seized Monday as part of an international law enforcement operation that involved the U.K.’s National Crime Agency, the FBI, Europol and several international police agencies.

“This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” a seizure notice on the group’s website said. “We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation.”

The group has far outpaced other ransomware gangs since it emerged in late 2019, with researchers at Recorded Future attributing nearly 2,300 attacks to the group. Conti — the second most active group — has only been publicly linked to 883 attacks.

2024_0209 - Ransomware Tracker - Most Prolific Groups.jpg

But LockBit has also gained a reputation for the damage it has caused and the organizations it has targeted. Although the group previously claimed to have rules prohibiting attacks on hospitals, it hit Canada’s largest children’s hospital during the 2022 Christmas season, as well as multiple healthcare facilities in the U.S. and abroad. Last month, the group said it was behind a November attack on a hospital system that forced multiple facilities in Pennsylvania and New Jersey to cancel appointments.

“In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator,” said Don Smith, vice president of threat research at Secureworks CTU. “It approached ransomware as a global business opportunity and aligned its operations, accordingly, scaling through affiliates at a rate that simply dwarfed other operations.”

The takedown is just the latest in a series of law enforcement actions targeting ransomware gangs — late last year, the FBI and other agencies took down sites and infrastructure belonging to Qakbot, Rangar Locker and other groups.

“This has been a year of action for the Justice Department in our efforts to pivot to a strategy of disruption,” Deputy Attorney General Lisa Monaco said Friday at…

Source…