Tag Archive for: Operators

U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators


Feb 11, 2024 | Newsroom | Malware / Cybercrime


The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone[.]ws and three others – were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers,” the DoJ said.

Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), have been charged with unauthorized damage to protected computers; Meli is additionally accused of “illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses.”


Meli is alleged to have offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Prior to Warzone RAT, he had sold another RAT known as Pegasus RAT.

Like Meli, Odinakachi provided online customer support to purchasers of Warzone RAT, from at least June 2019 until no earlier than March 2023. Both men were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector towards the end of 2018 using phishing emails bearing bogus Microsoft Excel files exploiting a known security flaw in the Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (MaaS) model for $38 a month (or $196 for a year), it functions as an information stealer and provides remote control, allowing threat actors to commandeer infected hosts for follow-on exploitation.

Some of the notable features of the malware include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate the computer’s webcams without the…


Cerber Ransomware Operators Exploit Latest Atlassian Bug


Fraud Management & Cybercrime, Governance & Risk Management, Patch Management

Analysts Suggest Cerber Ransomware Is a Conti Derivative

Ransomware hackers are exploiting a recently patched zero-day flaw in Atlassian Confluence instances. (Image: Shutterstock)

Ransomware hackers have seized on an exploit of a recently disclosed zero-day vulnerability in Atlassian Confluence instances days after the company urged its customers to patch immediately.


Security companies Rapid7 and GreyNoise said they began detecting on Sunday a surge in hacks exploiting a bug Atlassian described as an improper authorization vulnerability (see: Atlassian Urges Patching Against Data Loss Vulnerability).

The Australian content collaboration and management workspace developer on Monday elevated the bug’s criticality to 10, the maximum possible on the CVSS scale.

Researchers initially described the danger from the flaw, tracked as CVE-2023-22518, as data destruction. Multiple cybersecurity firms said hackers are using it to deploy Cerber ransomware.

Security volunteers from The DFIR Report said a group using the name “C3RB3R” in the ransom note had exploited the Atlassian bug.

Cerber was among the top three ransomware variants of 2021, along with Ryuk and SamSam, according to Proofpoint. The company counted 52.5 million Cerber attacks that year, second only to Ryuk’s 93.9 million. Whether those attacks came…


Mirai Botnet operators are using TP-Link routers for DDoS attacks, says US government


Why it matters: The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog and warned that they are being actively exploited in the wild. One of those vulnerabilities affects the TP-Link Archer AX21 (AX1800) WiFi router, and is being exploited by operators of the Mirai malware botnet.

Alongside the TP-Link router flaw, the two other vulnerabilities added to CISA’s list are the Oracle WebLogic Server Unspecified Vulnerability, tracked as CVE-2023-21839, and the Apache Log4j2 Deserialization of Untrusted Data Vulnerability, tracked as CVE-2021-45046. According to the agency, all three vulnerabilities are frequent attack vectors for cybercriminals and pose a “significant threat” to users.

The TP-Link router exploit was first detected at the Pwn2Own Toronto hacking event last December, where two different teams were able to breach the device using the LAN and WAN interfaces. The issue was reported to TP-Link in January and the company released a patch for it last month.

In a statement addressing the issue, TP-Link said that it takes security vulnerabilities “very seriously” and works diligently to mitigate any flaw that could jeopardize the security and privacy of its customers. The company also urged all users of the AX21 router to download and install the update as soon as possible.

As per the National Vulnerability Database (NVD), TP-Link’s Archer AX21 Wi-Fi 6 routers with firmware versions prior to 1.1.4 Build 20230219 contained an unauthenticated command injection vulnerability which allowed surreptitious remote code execution, enabling hackers to take over the device and use it for distributed denial-of-service (DDoS) attacks against game servers.
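The bug class in the paragraph above, an unauthenticated command injection in an embedded device’s web management interface, comes down to a request parameter reaching a shell unfiltered. The C sketch below is an example added by the editor, not TP-Link’s firmware code and not the ZDI exploit: the parameter name `country`, the command `/sbin/set_locale` and all helper names are hypothetical. It shows the vulnerable pattern (a parameter spliced into a `system()`-style command line, here only built and returned rather than executed), two hardened forms (strict allowlist validation before any shell is involved, and an argv vector so that no shell is needed at all), and a small check a WAF rule or a log reviewer can apply to parameter values.

```c
/* Added example: generic unauthenticated command injection in an embedded
 * web UI, and two defences. NOT TP-Link's code; "country", "/sbin/set_locale"
 * and all helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern: the raw request parameter is formatted into a shell
 * command line that the device would hand to system(). A value such as
 * "US$(reboot)" or "US;wget ..." therefore runs as root on the router.
 * The command is only built and returned here, never executed. */
int build_locale_cmd_vuln(const char *country, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/sbin/set_locale %s", country);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Defence 1: allowlist. A country code is exactly two uppercase ASCII letters
 * and must be one the firmware knows; anything else is rejected before it can
 * reach a shell. (Allowlist trimmed for the example.) */
static const char *const ALLOWED_COUNTRIES[] = { "US", "GB", "DE", "FR", "JP", NULL };

int validate_country(const char *country) {
    if (country == NULL || strlen(country) != 2) return 0;
    if (!isupper((unsigned char)country[0]) || !isupper((unsigned char)country[1])) return 0;
    for (size_t i = 0; ALLOWED_COUNTRIES[i] != NULL; i++)
        if (strcmp(country, ALLOWED_COUNTRIES[i]) == 0) return 1;
    return 0;
}

int build_locale_cmd_safe(const char *country, char *out, size_t outlen) {
    if (!validate_country(country)) return -1;          /* reject, do not "sanitise" */
    return build_locale_cmd_vuln(country, out, outlen);  /* input is now constrained */
}

/* Defence 2: no shell at all. Fill an argv vector for execv(); the parameter
 * becomes a single argument, so shell metacharacters are never interpreted.
 * Returns argc, or -1 if validation fails. */
int build_locale_argv_safe(const char *country, const char *argv[], size_t maxargs) {
    if (maxargs < 3 || !validate_country(country)) return -1;
    argv[0] = "/sbin/set_locale";
    argv[1] = country;
    argv[2] = NULL;
    return 2;
}

/* Detection helper: does a parameter value contain shell metacharacters?
 * Usable as a WAF rule or for triaging web-server access logs after the fact. */
int has_shell_metachars(const char *value) {
    static const char meta[] = ";|&`$(){}<>\n\r";
    for (; *value; value++)
        if (strchr(meta, *value) != NULL) return 1;
    return 0;
}

int main(void) {
    char cmd[256];
    const char *argv[3];
    const char *attacker = "US$(id>/tmp/pwned)";   /* constructed attacker value */

    build_locale_cmd_vuln(attacker, cmd, sizeof cmd);
    printf("vulnerable builds : %s\n", cmd);
    printf("safe accepts      : %d\n", build_locale_cmd_safe(attacker, cmd, sizeof cmd));
    printf("argv safe argc    : %d\n", build_locale_argv_safe("DE", argv, 3));
    printf("flag for review   : %d\n", has_shell_metachars(attacker));
    return 0;
}
```

The allowlist is the load-bearing control: rejecting anything that is not a known two-letter code leaves no room for encoding tricks, whereas stripping “bad” characters tends to miss one. Avoiding the shell entirely (the argv form) is the stronger fix and what a firmware patch should aim for; the metacharacter check is a detection aid, not a substitute for either.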

However, despite the fix being available, Trend Micro’s Zero Day Initiative (ZDI) research group has found that cybercriminals are exploiting the vulnerability in the wild. As per the report, the attacks were first detected on April 11 in Eastern Europe, but have since spread worldwide.

Operators of the Mirai botnet are known for quickly exploiting vulnerabilities in IoT devices, so it’s not a major…


US and UK impose sanctions on operators of infamous TrickBot botnet


The U.S. and the U.K. have sanctioned seven Russian nationals for their alleged involvement in running the infamous TrickBot botnet.

TrickBot dates back to 2016 and has a network of more than 1 million machines. Initially used to target banking credentials with malware of the same name, TrickBot evolved several times over the years.

In 2017 a new version went after niche financial institutions, followed by another variant in 2018 that targeted cryptocurrency accounts. In 2019 TrickBot targeted email accounts in a phishing campaign and then switched to COVID-19 scams in March 2020. TrickBot was disrupted by Microsoft Corp. in 2020, only to re-emerge with a new campaign in July 2021.

TrickBot was taken over by the Conti ransomware gang in February 2022, leading to the sanctions announced today. In March 2022, an unknown member of Conti leaked internal documentation that exposed the group’s inner workings, including those of TrickBot, providing a treasure trove of data for law enforcement officials to dig through.

Notably, although the U.S. Treasury Department release today said the sanctions were imposed on members of TrickBot, the same sanctions are described by the U.K. government as targeting members of Conti. As of February 2023, the two are one and the same.

The sanctions include U.S. and U.K. officials seizing all property and interests in any property of the individuals targeted. The U.S. Office of Foreign Assets Control has also imposed a ban on any U.S. citizens or people within the U.S. dealing with the seven sanctioned people.

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Under Secretary Brian E. Nelson said. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

The seven sanctioned alleged hackers were Vitaliy Kovalev, known online as Bentle; Mikhail Isktritskiy, or Tropa; Valentin Karyagin, or Globus; Maksim Michailov, or Baget; Dmitry Pleshevskiy, or Iseldor; Valery Sedletski, or Strix; and Ivan Vakhromeyev, or…
