Tag Archive for: Romanian

10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet


Apr 09, 2024 | Newsroom | Botnet / Crypto Mining

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.


“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.


In a sign that the attackers are broadening their initial access methods to grow the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named…

Source…

Bitcoin Ransomware Takes Down 100 Romanian Hospitals Offline


Sujha Sundararajan | 1 min read

More than 100 hospitals in Romania were affected by a crypto ransomware attack on Tuesday, the National Cyber Security Directorate (DNSC) confirmed. The unidentified perpetrators have demanded 3.5 Bitcoin (BTC), or about $180,000, to decrypt the data.

The ransomware took down over 100 hospitals, affecting their IT systems and encrypting data, forcing the hospitals to operate offline.

Per a recent update from the DNSC, 25 hospitals in Romania using Hipocrate Information System (HIS) are directly affected by the attack. “As a result of the attack, the system is down, files and databases are encrypted,” the Ministry of Health noted.

“The incident is under investigation by IT specialists, including cyber security experts from the National Cyber Security Directorate, and resumption possibilities are being assessed,” the Ministry added. However, it did not specify whether the authorities are ready to pay the ransom in Bitcoin, as demanded by attackers.

Dubbed ‘Backmydata’, the ransomware is a variant of the Phobos malware family, which is distributed via hacked Remote Desktop Protocol (RDP) connections. The ransom note informs the victim about the severity of the situation by threatening to sell confidential…

Source…

Ransomware attack knocks 20 Romanian hospitals offline: Report


A ransomware attack on the Hipocrate Information System (HIS), used by hospitals to manage medical activity and patient data, impacted at least 21 hospitals in Romania, forcing them offline.

The attack, launched over the weekend, targeted the production servers running the HIS information system, resulting in the system’s database being encrypted.

The incident, currently under investigation, impacted various hospitals across Romania, including regional and cancer treatment centers, a report from BleepingComputer said.

There is no information on which ransomware operation targeted the hospitals’ system or whether patients’ personal or medical data was stolen. Romania’s National Cyber Security Directorate (DNSC) is currently investigating the cyber incident.


Technological advancements in the healthcare industry, such as remote health monitoring, electronic health records and the Internet of Things (IoT), have provided cybercriminals with more opportunities to attack the sector.


Attacks on the healthcare sector have also impacted India, with the country registering the second-highest number of attacks on the sector in 2022.

Attacks on hospitals could lead to sensitive data being exposed to threat actors. This data can then be used to perform digital identity theft, online banking thefts, tax frauds and other financial crimes.


Source…

Romanian Malware Hosting Vendor Extradited to US


Mihai Paunescu, aka Virus, Faces 3 Criminal Counts in Court

Mihai Paunescu after his detention in Colombia (Photo courtesy of the Office of the Attorney General of Colombia)

A Romanian man accused of managing the digital infrastructure behind a banking Trojan that stole tens of millions of dollars now finally faces trial in the United States after his extradition from South America.


Federal authorities yesterday presented Mihai Ionut Paunescu, aka Virus, in Manhattan federal court a year after Colombian authorities detained the fugitive in a Bogota airport. Romanian authorities arrested Paunescu in 2012 but released him on bail. A U.S. grand jury returned a three-count indictment against him in 2013. If convicted on all charges – conspiracy to commit bank fraud, wire fraud and computer intrusion – the 37-year-old faces a maximum of 60 years imprisonment.

Paunescu offered cybercriminals so-called “bulletproof hosting,” including a command-and-control server for the Gozi malware that during the early 2000s infected more than 1 million computers. Among them were 60 computers belonging to NASA, through which thieves stole about $19,000.

His business model was to rent servers and network connectivity from legitimate providers and sublease the infrastructure to other cybercriminals. Other malware Paunescu is accused of facilitating includes the Zeus and SpyEye Trojans. He also allegedly allowed his criminal clientele to execute DDoS attacks by hosting the BlackEnergy bot toolkit.

Paunescu kept a database to manage his server subleasing operation that included labels such as “zeus 100%SBL” and “100%SBL malware.”

The indictment shows he helped clients evade detection by law enforcement agencies by scanning lists of suspicious or untrustworthy IP addresses maintained by the Spamhaus Project. In case of a match, he relocated his…

Source…