Competitor markets working to replace Hydra's money-laundering services for cybercriminals.

During the first few months of 2022, business was booming at Hydra Marketplace, _the_ premiere Dark Web destination for cybercrime money laundering and selling narcotics and other illegal goods and services.

In fact, until its takedown in April 2022, Hydra owned a full 93% of all illicit underground economic activities.

Here's how massive Hydra's presence was on the Dark Web: In the days leading up to Hydra's takedown, the average daily revenue for all underground markets was about $4.2 million. That number fell to just $447,000 after Hydra disappeared, according to new data released by Chainalysis.

Year-over-year, Dark Web marketplace revenues at the end of 2021 were about $3.1 billion, but by the end of 2022 they totaled only about $1.5 billion.

**Hydra Takedown Leaves Void**

Fast forward 10 months after the demise of Russian-based Hydra, and the Dark Web marketplace ecosystem is still struggling to recover. Namely, it's been tough to replicate or replace Hydra's money-laundering services for cybercriminals.

Out of the rubble of the demolished Hydra Marketplace, three early contenders for biggest player emerged: OMG!OMG! Market, Blacksprut, and Mega Darknet Market, according to Chainalysis' research.

Early on, OMG was the frontrunner, peaking at just over 65% of the underground market business, but a June distributed denial-of-service (DDoS) attack on OMG drove users to competitors Mega Darknet Market and Blacksprut Market, according to Chainalysis.

So far, no other marketplace has been able to dominate the Dark Web market like Hydra did in its heyday.

**Fraud Services Falter Post-Hydra**

Four of the top five most successful darknet markets focused on illicit substance sales. The fifth, a platform called "Brian Dumps," is the only one among the top underground marketplaces dealing in stolen credit card and other personally identifying information (PII), a business model Chainalysis calls a "fraud shop."

Bypass Shop, another similar fraud shop, was shuttered by Russian authorities last March, the report said. Brian Dumps appears to have also suffered some disruption last October, dropping its revenues for that month to zero, according to Chainalysis. But the reason behind the issue remains unclear.

**A New Mission**

Mounting struggles in the darknet ecosystem present an enormous opportunity to absorb Hydra's user base and reign the underground supreme. But the key to attracting users to these platforms is providing cryptocurrency and fiat currency-laundering services, the research shows.

All three top markets, Mega Darknet, Blacksprut, and OMG, show signs they have started offering cryptocurrency money-laundering services to lure in Hydra users, according to Chainalysis. There is also some evidence of collaboration between the platforms, the report pointed out.

Early after Hydra's closure, OMG's market share of business exploded because it offered money-laundering services, says Eric Jardine, cybercrimes research lead at Chainalysis. That business shifted to Mega Darknet once it was able to spin up similar services.

**New Cybercrime Business Opportunity**

Dark Web marketplaces are evolving into financial services providers for cybercriminals, Jardine says.

"With Hydra and the evolution of money-laundering services as a feature of the darknet market ecosystem, a number of new financial motivations come into play," Jardine says. "Previous markets, such as Silk Road, largely connected buyers and sellers of drugs, but providing money laundering and fiat currency off-ramp services to cybercriminals ties darknet markets more to the ebb and flow of ransomware and cybercrime than had previously been the case."

As these platforms continue to provide digital asset services, cybercriminals will be motivated to commit more digital asset-based cybercrimes, says Karl Steinkamp, with cybersecurity advisory firm Coalfire.

Dark Web Revenue Down Dramatically After Hydra's Demise

Killnet claims DDoS attack against NATO Special Operations Headquarters, Strategic Airlift Capability, and more.

NATO's Special Operations Headquarters and Strategic Airlift Capability — both working to deliver humanitarian aid to victims of the recent Turkish-Syrian earthquake — were among NATO organizations disrupted by a weekend cyberattack.

Russian-based Killnet threat group has claimed responsibility for launching distributed denial-of-service (DDoS) attacks against NATO, according to reports.

"We are carrying out strikes on NATO," Killnet wrote on its Telegram channel, according to The Telegraph.

Reports added NATO's NR network, reportedly used to transmit sensitive and classified data, was also targeted. Besides knocking sites temporarily offline, the cyberattack disrupted communications between NATO and at least one of its airplanes transporting search and rescue equipment to Incirlik Air Base in Turkey, The Telegraph reported.

A devastating earthquake hit in southeastern Turkey and Syria on Feb, 6 and along with its aftershocks. has already claimed 35,000 lives. Emergency workers from around the world have converged on the area to join in efforts to pull survivors from the rubble.

"NATO cyber experts are actively addressing an incident affecting some NATO websites," a NATO spokesperson told The Telegraph confirming the hack. "NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russian Hackers Disrupt NATO Earthquake Relief Operations

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

**The Tools and Initiatives**

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

**The Impact and Breaches**

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

**So, What's Happening Now, and Why Have Things Subsided?**

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

What Happened to #OpRussia?

Categories: News
Tags: VMware ESXi

Tags:  Safer Internet Day

Tags:  Malwarebytes Mobile Security

Tags:  ION

Tags:  LockBit ransomware

Tags:  ransomware

Tags:  GoAnywhere

Tags:  Ryuk

Tags:  Malwarebytes Application Block

Tags:  BEC

Tags:  business email compromise

Tags:  fake Facebook

Tags:  Facebook

Tags:  Reddit breach

Tags:  Killnet

Tags:  DDoS attack

The most interesting security related news from the week of February 6 to 12.



(Read more...)




The post A week in security (February 6 - 12) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (February 6 - 12)

Categories: Cybercrime
Categories: News
Tags: KillNet

Tags:  CISA

Tags:  DDoS

Tags:  HC3

According to CISA, the pro-Russian KillNet group is actively targeting the US and European healthcare sectors with DDoS attacks.



(Read more...)




The post KillNet hits healthcare sector with DDoS attacks appeared first on Malwarebytes Labs.

At the end of January, the Health Sector Cybersecurity Coordination Center warned that the KillNet group is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) says it helped dozens of hospitals respond to these DDoS incidents.

**DDoS**

A distributed denial-of-service attack uses numerous systems to send network communication requests to one specific target. Often the attackers use enslaved computers, "bots", to send the requests. The result is that the receiving server is overloaded by nonsense requests that either crash the server or keep it so busy that normal users are unable to connect to it.

This type of attack has been popularized by numerous hacker groups, and has been used in state-sponsored attacks conducted by governments. Why? Because they are easy to pull off and hard to defend against.

**KillNet**

KillNet is a pro-Russian group that has been notably active since January 2022. Until the Russian invasion of Ukraine, KillNet was known as a DDoS-for-hire group. Now they are better known for the DDoS campaigns launched against countries supporting Ukraine. In previous campaigns the gang has targeted sites belonging to US airlines, the British royal family, Lithuanian government websites, and many others, but now their main focus has shifted to the healthcare sector. Not for the first time by the way—the group has targeted the US healthcare industry in the past too.

These attacks are not limited to the US. Recently, the University Medical Center Groningen (UMCG) in the Netherlands saw its website flooded with traffic. That attack was attributed to KillNet by the country’s healthcare computer emergency response team, Z-CERT.

The KillNet group runs a Telegram channel which allows pro-Russian sympathizers to volunteer their participation in cyberattacks against Western interests. This sometimes makes it hard to attribute the attacks to this particular group since the attacks will originate from different sources.

**The attacks**

KillNet’s DDoS attacks don't usually cause major damage, but they can cause service outages lasting several hours or even days. For healthcare providers, long outages can result in appointment delays, electronic health records (EHRs) being unavailable, and ambulance diversions.

According to CISA, only half of the KillNet attacks have been able to knock websites offline. CISA says it worked with several tech companies to provide free resources to under-funded organizations that can help them reduce the impact of DDoS attacks. It also plans to continue working with the US Department of Health and Human Services (HHS) to communicate with hospitals about government assistance and third-party services.

**Mitigation**

Although it can be difficult to mitigate DDoS risks, the Health Sector Cybersecurity Coordination Center (HC3) is encouraging healthcare organizations to enable firewalls to mitigate application-level DDoS attacks and use content delivery networks (CDN).

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow if an attack occurs.

Depending on the possible consequences that would do the most harm to your organization, the chosen solution should offer you one or more of these options:

*   Allow users to use the site as normally as possible.
*   Protect your network from breaches during an attack.
*   Offer an alternative system to work from.

The least you should do is make sure you're aware of the fact that an attack is ongoing. The sooner you know what's going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

*   On-premise protection (e.g. identifying, filtering, detection, and network protection).
*   Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing).

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.

CISA encourages all network defenders and leaders to review these three documents:

*   Joint guide: nderstanding and Responding to Distributed Denial-of-Service Attacks
*   CEG: Additional DDoS Guidance for Federal Agencies
*   Tip: Understanding Denial-of-Service Attacks

**Ransomware warning**

Several security agencies and providers have warned that DDoS attacks are being used as cover for actual intrusions involving ransomware and data theft. In these attacks, the DDoS acts as a smokescreen, drawing attention from the far greater danger posed by the ransomware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

KillNet hits healthcare sector with DDoS attacks

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

@@ -16,6 +16,7 @@  
from modoboa.core.password\_hashers import get\_password\_hasher from modoboa.core.utils import check\_for\_updates from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle from modoboa.parameters import tools as param\_tools  
from smtplib import SMTPException @@ -25,9 +26,20 @@ logger \= logging.getLogger("modoboa.auth")  
  
def delete\_cache\_key(class\_target, throttles, request): """Attempt to delete cache key from throttling on login/password reset success."""  
for throttle in throttles: if type(throttle) \== class\_target: throttle.reset\_cache(request) return  
  
class TokenObtainPairView(jwt\_views.TokenObtainPairView): """We overwrite this view to deal with password scheme update."""  
throttle\_classes \= \[LoginThrottle\]  
def post(self, request, \*args, \*\*kwargs): serializer \= self.get\_serializer(data\=request.data) try: @@ -42,6 +54,10 @@ def post(self, request, \*args, \*\*kwargs):  
user \= serializer.user login(request, user)  
\# Reset login throttle delete\_cache\_key(LoginThrottle, self.get\_throttles(), request)  
logger.info( \_("User '%s' successfully logged in"), user.username ) @@ -85,6 +101,8 @@ class EmailPasswordResetView(APIView): An Api View which provides a method to request a password reset token based on an e-mail address. """  
throttle\_classes \= \[PasswordResetRequestThrottle\]  
def post(self, request, \*args, \*\*kwargs): serializer \= serializers.PasswordRecoveryEmailSerializer( data\=request.data, context\={'request': request}) @@ -96,6 +114,7 @@ def post(self, request, \*args, \*\*kwargs): "type": "email", "reason": "Error while sending the email. Please contact an administrator." }, 503)  
\# Email response return response.Response({"type": "email"}, 200)  
@@ -114,13 +133,16 @@ def post(self, request, \*args, \*\*kwargs): serializer.is\_valid(raise\_exception\=True) except serializers.NoSMSAvailable: return super().post(request, \*args, \*\*kwargs)  
\# SMS response return response.Response({"type": "sms"}, 200)  
  
class PasswordResetSmsTOTP(APIView): """ Check SMS Totp code. """  
throttle\_classes \= \[PasswordResetTotpThrottle\]  
def post(self, request, \*args, \*\*kwargs): try: if request.data\["type"\] \== "confirm": @@ -140,12 +162,15 @@ def post(self, request, \*args, \*\*kwargs): "id": serializer\_response\[1\], "type": "confirm" }) delete\_cache\_key(PasswordResetTotpThrottle, self.get\_throttles(), request) return response.Response(payload, 200)  
  
class PasswordResetConfirmView(APIView): """ Get and set new user password. """  
throttle\_classes \= \[PasswordResetApplyThrottle\]  
def post(self, request, \*args, \*\*kwargs): serializer \= serializers.PasswordRecoveryConfirmSerializer( data\=request.data) @@ -159,12 +184,15 @@ def post(self, request, \*args, \*\*kwargs): data.update({"errors": errors}) return response.Response(data, 400) serializer.save() delete\_cache\_key(PasswordResetApplyThrottle, self.get\_throttles(), request) return response.Response(status\=200)  
  
class ComponentsInformationAPIView(APIView): """Retrieve information about installed components."""  
throttle\_classes \= \[UserLesserDdosUser\]  
@extend\_schema(responses\=serializers.ModoboaComponentSerializer(many\=True)) def get(self, request, \*args, \*\*kwargs): status, extensions \= check\_for\_updates()

CVE-2023-0777: Merge pull request #2767 from modoboa/api-throttling · modoboa/modoboa@47d17ac

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

A threat actor recently uploaded four "mods" containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for "modifications," offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game's code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified "other measures" to reduce Dota 2's attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

**Taking Advantage of Dota 2's Customization Features**

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple's App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve's Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota's game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use. 

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. "We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published," according to Avast's blog post. "There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification."

Boris Larin, lead security researcher at Kaspersky's global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company's reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

"In this particular case, the timely updating of third-party components would have helped to protect the players," Larin says. "JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution."

**Gaming Industry Continues to Be a Massive Target**

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games' systems and stole source code for the company's League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company's popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks — 38% — involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai's survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

"Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks," Larin says.

"All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content," he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.

Larin adds: "Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents."

Malicious Game Mods Target Dota 2 Game Users

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.
The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.

The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix).

"Current members of the TrickBot group are associated with Russian Intelligence Services," the U.S. Treasury Department noted. "The TrickBot group's preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services."

TrickBot, which is attributed to a threat actor named ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking trojan and evolved into a highly modular malware framework capable of distributing additional payloads. The group most recently shifted focus to attack Ukraine.

The infamous malware-as-a-service (MaaS) platform, up until its formal closure early last year, served as a prominent vehicle for countless Ryuk and Conti ransomware attacks, with the latter eventually taking over control of the TrickBot criminal enterprise prior to its own shutdown in mid-2022.

Over the years, Wizard Spider has expanded its custom tooling with a set of sophisticated malware such as Diavol, BazarBackdoor, Anchor, and BumbleBee, while simultaneously targeting multiple countries and industries, including academia, energy, financial services, and governments.

"While Wizard Spider's operations have significantly reduced following the demise of Conti in June 2022, these sanctions will likely cause disruption to the adversary's operations while they look for ways to circumvent the sanctions," Adam Meyers, head of intelligence at CrowdStrike, said in a statement.

"Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name."

Per the Treasury Department, the sanctioned persons are said to be involved in the development of ransomware and other malware projects as well as money laundering and injecting malicious code into websites to steal victims' credentials.

Kovalev has also been charged with conspiracy to commit bank fraud in connection with a series of intrusions into victim bank accounts held at U.S.-based financial institutions with the goal of transferring those funds to other accounts under their control.

The attacks, which occurred in 2009 and 2010 and predate Kovalev's tryst with Dyre and TrickBot, are said to have led to unauthorized transfers amounting to nearly $1 million, out of which at least $720,000 was transferred overseas.

What's more, Kovalev is also said to have worked closely on Gameover ZeuS, a peer-to-peer botnet that was temporarily dismantled in 2014. Vyacheslav Igorevich Penchukov, one of the operators of the Zeus malware, was arrested by Swiss authorities in November 2022.

U.K. intelligence officials further assessed that the organized crime group has "extensive links" to another Russia-based outfit known as Evil Corp, which was also sanctioned by the U.S. in December 2019.

The announcement is the latest salvo in an ongoing battle to disrupt ransomware gangs and the broader crimeware ecosystem, and comes close on the heels of the takedown of Hive infrastructure last month.

The efforts are also complicated as Russia has long offered a safe haven for criminal groups, enabling them to carry out attacks without facing any repercussions as long as the assaults don't single out domestic targets or its allies.

The sanctions "give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions," Don Smith, vice president of threat research at Secureworks, said

According to data from NCC Group, ransomware attacks witnessed a 5% decline in 2022, dropping from 2,667 the previous year to 2,531, even as victims are increasingly refusing to pay up, leading to a slump in illicit revenues.

"This decline in attack volume and value is probably in part due to an increasingly hardline, collaborative response from governments and law enforcement, and of course the global impact of the war in Ukraine," Matt Hull, global head of threat intelligence at NCC Group, said.

Despite the dip, ransomware actors are also turning out to be "effective innovators" who are "willing to find any opportunity and technique to extort money from their victims with data leaks and DDoS being added to their arsenal to mask more sophisticated attacks," the company added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

**TEMPE, Ariz.** **and** **PRAGUE****,** **Feb. 9, 2023** **/PRNewswire/ --** Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people's contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report.

"At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn't order. It's human nature to react to urgency, fear and try to regain control of issues, and that's where cybercriminals succeed," said Jakub Kroustek, Avast Malware Research Director. "When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it's hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology."

**Growth in refund and invoice fraud, and tech support scams**

The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people's bank accounts or crypto wallets, and ask for a payment for their services.

"We recommend people ignore such pop-up messages and close the window with the escape key, or if that's not possible, restart their computer," advises Kroustek. "Also, never give remote access to your computer to somebody you don't know."

The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn't make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person's money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.

"To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be," said Kroustek.

**Information stealing adware, remote access trojans and bots**

Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a "handling fee" using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.

Avast researchers saw a significant increase of 437% in the global spread of the Arkei information stealer, which is known for stealing data from browsers' autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.

Avast telemetry also shows that the global spread of LimeRAT tripled in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim's computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload's execution. The Qakbot information stealer botnet has also evolved further and started using "HTML smuggling" to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.

**Zero-day exploits in the wild**  
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a 'get Remote Code Execution' (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update. In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report. The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report

**About Avast:** 

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

SOURCE Avast Software, Inc.

Avast Threat Report: Consumers Plagued With Refund Fraud, Tech Support Scams, and Adware

By Habiba Rashid
Has your Tor browser been slow for the past few months? Well, you are not alone; the ongoing DDoS attacks on the Tor network are keeping it slow worldwide.
This is a post from HackRead.com Read the original post: Tor Network Hit By a Series of Ongoing DDoS Attacks

The Tor Project revealed that its network has been suffering from “several different types of ongoing DDoS attacks (Distributed Denial of Service attacks) for at least seven months.

For Tor Browser users who have been wondering why the onion has been having network connectivity and performance issues lately, you are not alone; many others have had problems with the sites loading altogether. 

The Tor Project’s Executive Director, Isabela Dias Fernandes, reported on Tuesday that the network has been targeted by a wave of DDoS attacks (Distributed Denial of Service attacks) for at least the past seven months.

“At some points, the attacks impacted the network severely enough that users could not load pages or access onion services,” Fernandes said on Tuesday.

“We have been working hard to mitigate the impacts and defend the network from these attacks. The methods and targets of these attacks have changed over time and we are adapting as these attacks continue.”

Fernandes also promises that the Tor team will keep tweaking and improving the network defences to counter the ongoing issue. However, they have not yet discovered the goal of these attacks or the identity of the attackers behind them. The Tor Network team will also be expanded to include two new members focusing on .onion service development.

“To clarify, our services have not been down, but on occasion slow for some users, and it is important to note that the user experience is affected by a variety of factors, including what onion services are being used, or which relays get picked when they build a circuit through Tor.”

**_Quick FAQs_****What is Tor Browser?**

Tor Browser or “The Onion Router,” is a free, open-source web browser that allows users to browse the internet anonymously. It was originally developed for US Naval Intelligence in the mid-1990s and was released into the public domain in October 2002.

It is worth noting that the Tor browser utilizes multi-layered encryption of data packets, making it difficult, but not impossible, for anyone to track or monitor user activity on the internet.

The core concept behind Tor is that it creates a network of nodes with each layer acting as an encrypted tunnel so that when a user sends out information, they are virtually untraceable. With every node encrypted; no one can trace where the data originated from or who may have accessed it during transmission. As such, this makes Tor ideal for those looking to keep their online activities private and secure especially journalists and whistleblowers.

**What is a DDoS Attack?**

A DDoS attack stands for Distributed Denial-of-Service attack. It is a type of cyberattack that uses multiple compromised Internet of Things (IoT) or smart devices including computers, routers, cameras, etc. to create a botnet and send massive amounts of traffic to a single targeted server or website to overwhelm it and make it inaccessible for regular users.

1.  23% of Tor browser relays steal Bitcoin
2.  Tor Browser Flaw Leaks Your Real IP Address
3.  Best Dark Web Search Engines for Tor Browser
4.  Fake Tor Browser Spreads Malware Via YouTube
5.  Download official Tor browser on Android devices
6.  What Are Dark Web Search Engines – How to Find Them?

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#ddos