Tag Archive for: Underground

Nation states buying hacking tools from underground Russian cyber forums


Nation states have been identified shopping on Russian cyber crime forums for malware they can use to wipe computers of data in hostile hacking attacks.

Russian-speaking hacking forums, including Exploit and XSS, run black markets in tools and services used by cyber criminals intent on making money by hacking computer systems and stealing data.

According to Sergey Shykevich, a threat intelligence expert at cyber security company Check Point Software, nation states are increasingly using underground cyber crime forums to pose as cyber criminals and hackers.

“Nation states understand that to pretend to be involved in hacktivism allows them deniability,” he told Computer Weekly. “They don’t want to be accused, even if everyone knows it’s Russia, or Iran.”

Russian forums

Some of Russia’s cyber crime forums have been in operation for more than 20 years. One of the oldest Russian-speaking forums is Exploit, which was established in 2000 and contains one million messages on over 200,000 topics, said Shykevich.  

“They offer everything you could imagine,” he told Computer Weekly. “It starts with software vulnerabilities. You can rent malware, ransomware as a service and spam as a service to distribute fake phishing emails and currently even AI [artificial intelligence]-related services, and deep fake platforms.”

The forums generally exist on the deep web and don’t require a specialist Tor browser to access. But they are strictly members only.

Iran suspected of buying wiper software

Check Point discovered last year that Russian underground forums were offering wiper software, which is designed to destroy computer data irreversibly.

Wiper software is of no interest to cyber criminals who normally inhabit Russia’s hacking forums – strongly suggesting nation-state involvement.

“We saw someone, probably the Iranian government, looking for wiper software,” said Shykevich.

State-sponsored hacking groups are better funded than typical cyber criminal groups, and are not shy of advertising their spending power, said Shykevich.

They typically pay larger deposits to the administrators of cyber crime forums than other members of the hacking community.

“From all…

Source…

The Underground History of Turla, Russia’s Most Ingenious Hacker Group


Ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers is—the adversary they can’t help but grudgingly admire and obsessively study—and most won’t name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China’s APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won’t even point to Russia’s notorious Sandworm hacker group, despite the military unit’s unprecedented blackout cyberattacks against power grids or destructive self-replicating code.

Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the “premiere espionage tool” of Russia’s FSB intelligence agency. By infiltrating Turla’s network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla’s global spying campaigns.


But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB’s Center 16 group in Ryazan, outside Moscow. It also hinted at Turla’s incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla’s Snake malware had been in use for nearly 20 years.

In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla—or at least a kind of proto-Turla that would become the group we know today—that carried out the first-ever…

Source…

Data breach at Social Blade confirmed. Hacker offers to sell database on underground website


Social media analytics service Social Blade has confirmed that it is investigating a security breach after a hacker offered its user database for sale on an underground criminal website.

In a notification sent to Social Blade users, the firm said that it had confirmed that its database was being offered for sale on a hacking forum after being notified of a potential breach on December 14th.

According to Bleeping Computer, Social Blade’s data was first put on sale on the underground forum on December 12, 2022.

The hacker, meanwhile, claims to have stolen the database of 5.6 million records in September.

Social Blade, which monitors the social media accounts of tens of millions of users, issued a reassurance that no credit card information had been leaked, but did say that the leaked data included email addresses, IP addresses, password hashes, client IDs and tokens for business API users, auth tokens for connected accounts, and “many other pieces of non-personal and internal data.”

In addition, the firm warned that “a very small subset of the data (about a tenth of a percent)” also included the addresses of users.

Social Blade went on to say that although password hashes had been leaked, it did not believe they were at risk because the strong bcrypt password-hashing algorithm had been used. Nonetheless, it would be sensible for affected Social Blade users to change their passwords, ensuring that new passwords are hard to crack or guess, and are unique.

Business API tokens have meanwhile been reset to prevent exploitation by unauthorised third parties.

Social Blade believes that the individual who stole its data accessed it by exploiting a website vulnerability. It says it has closed the security hole and is conducting additional reviews of its systems to ensure that security is further hardened.

Anyone who has used Social Blade would be wise to not only change their password but also to be on the lookout for scams and phishing attacks which attempt to use the breached information to trick the unwary into handing over further details.

Source…

Hackers Behind EA Data Breach Are Selling FIFA 21 Source Code on an Underground Hacking Forum


Hackers stole Electronic Arts’ source code for FIFA 21, the Frostbite engine, and game development tools, according to Motherboard.

Earlier this week, the hackers behind the EA data breach also announced that they were selling about 780 gigabytes of the stolen game source code and tools on an underground hacking forum.

The threat actors shared screenshots of the stolen source code and directory listings to prove the legitimacy of their claims. Additionally, the hackers claim they have Microsoft’s Xbox and Sony’s SDKs and API keys for sale.

Electronic Arts data breach had no impact on business, gaming, or players’ privacy

An EA spokesman acknowledged the data breach that exposed a “limited” number of source code repositories and development tools.

“We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. No player data was accessed, and we have no reason to believe there is any risk to player privacy.”

The company added that it did not expect an impact on its business or gaming activity after the data breach.

Additionally, EA disclosed that it was working with law enforcement officials and other experts as part of the ongoing criminal investigation.

Electronic Arts also clarified that the data breach was not a ransomware incident, unlike recent high-profile compromises against Colonial Pipeline and JBS.

Threat actors list stolen data on an underground hacking forum

The threat actors responsible for the EA data breach announced they were selling the stolen data on an underground hacking forum.

For $28 million, they promised potential buyers that they would also transfer the “full capability of exploiting” the video game company to their customers.

“You have full capability of exploiting on all EA services,” screenshots from the underground hacking forum shared by Motherboard read.

Part of the stolen data includes API keys for FIFA 22, Xbox, Sony, and SDK debug tools. The hackers also accessed XB PS and EA pfx and crt with key, according to Bleeping Computer.

Apart from the security details, the hackers also stole FIFA 22,…

Source…