Tag Archive for: Web

Shadowy Hack-for-Hire Group Behind Sprawling Web of Global Cyberattacks


A security vendor’s 11-month long review of non-public data obtained by investigative journalists at Reuters has corroborated previous reports tying an Indian hack-for-hire group to numerous — sometimes disruptive — incidents of cyber espionage and surveillance against individuals and entities worldwide.

The shadowy New Delhi-based group known as Appin no longer exists — at least in its original form or branding. But for several years starting around 2009, Appin’s operatives brazenly — and sometimes clumsily — hacked into computers belonging to businesses and business executives, politicians, high-value individuals, and government and military officials worldwide. And its members remain active in spinoffs to this day.

Hacking on a Global Scale

The firm’s clientele included private investigators, detectives, government organizations, corporate clients, and often entities engaged in major litigation battles from the US, UK, Israel, India, Switzerland, and several other countries.

Journalists at Reuters who investigated Appin’s activities collected detailed information on its operations and clients from multiple sources, including logs connected to an Appin site called “MyCommando”. Appin clients used the site to order services from what Reuters described as a menu of options for breaking into emails, phones, and computers of targeted entities.

The Reuters investigation showed that Appin was tied to a wide range of sometimes previously reported hacking incidents over the years. These included everything from the leakage of private emails that derailed a lucrative casino deal for a small Native American tribe in New York, to an intrusion involving a Zurich-based consultant attempting to bring the 2012 soccer World Cup to Australia. Other incidents that Reuters mentioned in its report involved Malaysian politician Mohamed Azmin Ali, Russian entrepreneur Boris Berezovsky, a New York art dealer, a French diamond heiress, and an intrusion at Norwegian telecommunications firm Telenor that resulted in the theft of 60,000 emails.

Prior investigations that Reuters mentioned in its report have tied Appin to some of these incidents — like the one at Telenor and the one involving the…

Source…

Ransomware Mastermind Uncovered After Oversharing on Dark Web


When researchers responded to an ad to join up with a ransomware-as-a-service (RaaS) operation, they wound up in a cybercriminal job interview with one of the most active threat actors in the affiliate business, who turns out to be behind at least five different strains of ransomware.

Meet “farnetwork,” who was unmasked after giving over too many specifics to a Group-IB threat researcher pretending to be a potential affiliate for the Nokoyawa ransomware group. The cybercriminal is also known by aliases including jingo, jsworm, razvrat, piparuka, and farnetworkit, the team learned.

After the undercover researcher was able to demonstrate they could execute privilege escalation, use ransomware to encrypt files, and ultimately demand cash for an encryption key, farnetwork was ready to talk details.

During the course of their correspondence, the Group-IB researcher learned farnetwork already had a foothold in various enterprise networks and just needed someone to take the next step — i.e., to deploy the ransomware and collect the money. The deal would work like this, Group-IB’s team learned: the Nokoyawa affiliate would get 65% of the extortion money, the botnet owner 20%, and the ransomware owner 15%.

But Nokoyawa was just the latest ransomware operation farnetwork was running, Group-IB explained in its latest report. The threat actor ultimately gave over enough details for the team to trace farnetwork’s ransomware activities as far back as 2019.

Farnetwork bragged to the researchers about past operations with Nefilim and Karma ransomware, as well as being on the receiving end of ransomware payments as high as $1 million. The crook also mentioned past work with Hive and Nemty.

A ransom note
Source: Group-IB

That was enough information for the Group-IB team to piece together a prolific ransomware resume in farnetwork’s past.

From 2019 to 2021, Group-IB said farnetwork was behind ransomware strains JSWORM, Karma, Nemty, and Nefilim. Nefilim’s RaaS program alone accounted for more than 40 victims, the report added.

By 2022, farnetwork found a home with the Nokoyawa operation, and by last February, was actively recruiting affiliates to the program.

“Based on the timeline of their operations,…

Source…

EU Tries To Slip In New Powers To Intercept Encrypted Web Traffic Without Anyone Noticing


from the QWACs-in-the-web dept

The EU is currently updating eIDAS (electronic IDentification, Authentication and trust Services), an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. That’s clearly a crucial piece of legislation in the digital age, and updating it is sensible given the fast pace of development in the sector. But it seems that something bad has happened in the process. Back in March 2022, a group of experts sent an open letter to MEPs [pdf] with the dramatic title “Global website security ecosystem at risk from EU Digital Identity framework’s new website authentication provisions”. It warned:

The Digital Identity framework includes provisions that are intended to increase the take-up of Qualified Website Authentication Certificates (QWACs), a specific EU form of website certificate that was created in the 2014 eIDAS regulation but which – owing to flaws with its technical implementation model – has not gained popularity in the web ecosystem. The Digital Identity framework mandates browsers accept QWACs issued by Trust Service Providers, regardless of the security characteristics of the certificates or the policies that govern their issuance. This legislative approach introduces significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing, and will significantly increase the cybersecurity risks for users of the web.

The near-final text for eIDAS 2.0 has now been agreed by the EU’s negotiators, and it seems that it is even worse than the earlier draft. A new site from Mozilla called “Last Chance to fix eIDAS” explains how new legislative articles will require all Web browsers in Europe to trust the certificate authorities and cryptographic keys selected by the governments of EU Member States. Mozilla explains:

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are…

Source…

Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom


The cybersecurity researchers at Kaspersky have unveiled alarming statistics about the expanding cybercrime economy on the dark web.

Key Findings:

  1. DDoS Demand Soars: Kaspersky’s analysts discovered over 700 dark web ads for DDoS attack services in H1 2023, highlighting the escalating demand among hackers.
  2. Cost of DDoS Services: Rates for DDoS attack services on the dark web ranged from $20 per day to $10,000 per month, with an average cost of $63.50 per day or $1,350 per month.
  3. IoT Malware Evolution: Fierce competition among cybercriminals has driven the development of IoT malware, with features designed to thwart rival malware, including firewall rules and process terminations.
  4. Brute-Force Attacks Prevalent: Brute-forcing weak passwords remains the primary method for compromising IoT devices, with 97.91% of attacks focusing on Telnet, compared to 2.09% on SSH.
  5. Global Attack Landscape: While China, India, and the United States were the primary targets of IoT attacks, China, Pakistan, and Russia emerged as the most active attackers, highlighting the global reach of cyber threats.

The Internet of Things (IoT) landscape is under siege, with a growing underground economy centered around IoT-related services, particularly for Distributed Denial of Service (DDoS) attacks, according to a recent report by cybersecurity firm Kaspersky.

The study delves into the evolving threats targeting the IoT sector, shedding light on the modus operandi of cybercriminals and the alarming prevalence of malware types.

IoT devices are poised to surpass a staggering 29 billion by 2030, making them an attractive target for cybercriminals. Kaspersky’s research presents crucial insights into dark web activities, prevalent malware strains, and the tactics employed by hackers.

While DDoS protection and mitigation services are utilizing all available resources to secure their clients’ infrastructure, DDoS attacks orchestrated through IoT botnets are experiencing a surge in demand within the cybercriminal community. Kaspersky’s Digital Footprint Intelligence service analysts unearthed over 700 ads for DDoS attack services on various dark web forums in the first half of…

Source…