Tag Archive for: western

Western Capitals Riled by Russian Hacking


Cybercrime, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

Australian Official Says Russia Should Bring Russian ‘Hackers to Heel’

St. Basil’s Cathedral in Moscow (Image: Michael Wong/CC BY-NC 2.0)

A top Australian official demanded that Russia crack down on hackers operating inside its borders, another sign of deepening Western frustration with Moscow's permissive attitude toward cybercriminals.


Michael Pezzullo, secretary of the Department of Home Affairs, called the notion that conventional law enforcement pressure will curtail Russian hacking activity “completely naive.” “They are not a ‘rule of law’ country,” he said during a Wednesday business summit in Sydney, reported Reuters.

“We call on the Russian government to bring those hackers to heel,” he said. The comments from Pezzullo, a civil servant, come just weeks after U.S. Secretary of State Antony Blinken accused the Kremlin of harboring groups such as TrickBot, calling Russia “a safe haven for cybercriminals” (see: US and UK Sanction Members of Russian TrickBot Gang).

Australia experienced a wave of data breaches and ransomware attacks during the second half of 2022. Australian Federal Police fingered cybercriminals likely based in Russia as perpetrators of an invasive leak of information collected from 10 million customers of private insurer Medibank.

The Biden administration has gone from cautiously engaging Russia on cybersecurity in 2021 to making containment of Russian hackers an explicit policy goal. “We want to shrink the surface of the…

Source…

Russian Ransomware Projects Rebranded to Avoid Western Sanctions: Report


Blockchain intelligence company TRM Labs revealed that some major Russian-linked ransomware syndicates rebranded their activities in 2022 to avoid sanctions from Western countries.

According to a new report published recently, the rebranding and other significant activities showed notable changes in the cybercrime space and darknet markets (DNMs) after Russia invaded Ukraine.

Ransomware Operators Rebranded to Evade Sanctions

In the wake of Russia’s invasion of Ukraine, several Western law enforcement agencies imposed tighter sanctions on Russian ransomware platforms.

Similarly, sanctions imposed by the U.S. Office of Foreign Assets Control (OFAC) on the popular darknet platform Hydra took a toll on ransomware projects as they struggled to gain market dominance while avoiding law enforcement agencies.

To strengthen their anonymity through alterations in on-chain behavior, two major ransomware syndicates, LockBit and Conti, restructured their activities.

Through TRM's on-chain analysis, open source reporting, and proprietary information, the intelligence firm discovered that Conti ceased its original operation and restructured into three smaller groups named Black Basta, BlackByte, and Karakurt. Before the diversification, Karakurt was a side project run by Conti operators.

LockBit, on the other hand, has rebranded its operations since the invasion of Ukraine last February. Four months later, the syndicate launched LockBit 3.0, which it presented as apolitical and focused on monetary gain.

“LockBit’s claim that it had no intention to purposely attack Western countries may have been motivated by the possibility of Western sanctions against Russian entities. Moreover, LockBit stated that it had prohibited attacks against entities related to critical infrastructure, probably to minimize the risk of law enforcement attention and potential sanctions,” TRM said.

Western Sanctions Had Little Impact on DNMs

TRM's analysis also found significant growth in the use of Russian-speaking darknet markets. Because of sanctions imposed on other DNMs, criminals moved to Russian-linked platforms to evade Western law enforcement.

Collectively, Russian-speaking…

Source…

China using top consumer routers to hack Western comms networks


Long-standing vulnerabilities in popular consumer and home office Wi-Fi routers made by the likes of Cisco, D-Link, Netgear and ZyXel are being routinely exploited by threat actors backed by the Chinese government as a means to compromise the wider telco networks behind them, according to an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and its partners at the FBI and NSA.

In the advisory, the authorities explain how China-sponsored actors readily exploit routers and other devices, such as network attached storage (NAS) devices, to serve as access points from which they route command and control (C2/C&C) traffic and conduct intrusions against other entities.

“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of internet-facing services and endpoint devices,” the agency said in its advisory.

CISA said these actors typically conduct their intrusions through servers or "hop points" on China-based IP addresses that resolve to various Chinese ISPs, which they usually obtain by leasing them from hosting providers. These are used to register and access operational email accounts, host C2 domains, and interact with target networks, and they also serve to obfuscate the actors' origin while doing so.

The agencies warned that the groups behind these intrusions are consistently evolving and adapting their tactics, techniques and procedures (TTPs), and have even been observed monitoring the activity of network defenders and changing their approach on the fly to outwit them. They also mix their customised tools with publicly available ones, notably ones native to their target environments, to blend in, and are quick to modify their infrastructure and toolsets if information on their campaigns becomes public.

Many of the vulnerabilities used are well-known ones, some of them dating back four years or more. They include CVE-2018-0171, CVE-2019-1652, CVE-2019-15271, all…

Source…