Multiple university departments linked to the Clinical School Computing Service have been inaccessible for a month. The university has not revealed the nature of the “malicious activity.”

The University of Cambridge is constantly ranked among the world’s top universities, with its medical school and vast research facilities among the very best. But for the past month, staff at the prestigious medical school have had work hampered following “malicious activity” on its computer network.

An emailed “staff notice” seen by WIRED, believed to have been sent at the end of February, alerted staff to the disruption and said the university was working to get systems back online as soon as possible. However, weeks later, the incident is still ongoing, and little information has been made public about the nature of the incident.

“IT services provided by the Clinical School Computing Service (CSCS) have been disrupted by malicious activity,” the email reviewed by WIRED says. “We appreciate that some staff and students are experiencing significant disruption to their work and studies, and we are grateful for their patience and understanding.”

The University has confirmed to WIRED that its systems have been impacted, that some services have been voluntarily taken offline, and that while it has “contained” the incident, the disruption is ongoing and its investigations will likely take some time to complete. No data has been taken, it says. The UK’s national cybersecurity body and the country’s data regulator are also looking into the events.

The email message sent to staff last month said a “Critical Incident Management Team” has been set up to handle the response. At the time the message was sent, the email said, there was no access to the local IT network and Wi-Fi, and wired internet access had been turned off in impacted buildings, with the Wi-Fi set to be turned on again that same day.

The CSCS provides IT support to staff and researchers in the university’s School of Clinical Medicine. An archived version of its website says there are more than 5,800 devices on its network, and the team provides computers and servers to staff. The email seen by WIRED says that the CSCS also serves the Department of Zoology, Sainsbury Laboratory, which researches plant life; the Stem Cell Institute; and Milner Institute of the School of Biological Sciences, which researches emerging therapies. All have been impacted.

A University of Cambridge spokesperson confirmed the incident to WIRED, saying that “malicious activity” was found on the Clinical School Computing Service last month. “We took immediate action to contain the incident including voluntarily taking some systems offline,” the spokesperson said in a statement. “As a result, there is ongoing interruption to some services.”

It is not clear what the “malicious activity” entails or whether the activity is an attack by criminal hackers or an incident of a different nature. Multiple staff members at university departments did not respond to questions sent by WIRED about whether their work or research had been disrupted, or they directed questions to the press office as they are not authorized to speak about the incident.

The university spokesperson did not describe the nature of the problem; however, they said a business continuity plan has been implemented to minimize disruption, and all of the other university and college IT systems are working as normal and are not impacted. “This will likely take some time to complete,” the spokesperson said of its ongoing investigation. “Investigations have found no evidence that data has been taken or transferred without authorization. We have also received third-party assurance that the incident is contained.” They say the situation has moved on since the email seen by WIRED was sent, and it is not possible to characterize the level of disruption across all departments.

While little is known about the current “malicious activity,” the University of Cambridge was among a number of academic institutions, including the University of Manchester, hit by a distributed denial-of-service attack on February 19. Hacktivist group Anonymous Sudan claimed responsibility for the DDoS incident—it is unclear whether the ongoing outage is linked in any way. The day after the DDoS, the Clinical School Computing Service posted on X that the disruption to the network appeared to be “largely over,” and a university spokesperson said that normal service “should now be restored” for centrally managed IT services.

The UK’s data regulator, the Information Commissioner’s Office, tells WIRED that the University of Cambridge had made it aware of an incident and that the regulator is “making enquiries.” Meanwhile, a spokesperson for the UK’s National Cybersecurity Center says it is “working with the University of Cambridge to fully understand the impact of an incident.”

The university’s status page for IT issues lists the vast majority of services as being online, with replacements taking place for some routers on its wireless networks. However, at the time of writing, the website for the medical school displays only basic contact information, and the CSCS website appears to be offline and inaccessible. A newsletter from the Stem Cell Institute, sent on February 27, acknowledged there had been “some IT issues on campus” and that it was postponing a seminar as a result. More recent newsletters from the Institute do not reference the issues.

The email sent to staff and seen by WIRED recommended people follow best security practices, including using multifactor authentication for accounts and using strong passwords, and advised that people change their passwords immediately if they receive a notice saying someone else has logged in to their account from another device.

‘Malicious Activity’ Hits the University of Cambridge’s Medical School

Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game’s reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

A high court in London says the WikiLeaks founder won’t be extradited “immediately” and the US must provide more “assurances” about any extradition.

The UK high court has extended WikiLeaks founder Julian Assange’s hope to avoid espionage charges in the United States, allowing Assange to further challenge his extradition from the UK to the US.

In a ruling issued in London on Tuesday, two high court judges said that Assange will not be immediately extradited to the United States. In a press summary of the 60-page decision, the court said Assange has a “real prospect of success” in appealing his extradition order and that it requires the US and UK to make further “assurances” about his treatment if he were to be extradited.

“The Court has given the Government of the United States three weeks to give satisfactory assurances: that Mr Assange is permitted to rely on the First Amendment to the United States Constitution (which protects free speech), that he is not prejudiced at trial (including sentence) by reason of his nationality, that he is afforded the same First Amendment protections as a United States citizen and that the death penalty is not imposed,” the press summary says.

Assange’s extradition was first authorized by the British government in June 2022, more than three years after his arrest. The appeals process was repeatedly delayed by the Covid-19 pandemic and Assange’s own deteriorating health, a result, his doctors say, of his prolonged pretrial confinement and his previous stay in the Ecuadorian embassy in London, where he lived under asylum for nearly seven years.

The embattled WikiLeaks founder faces an 18-count indictment in the US, which alleges a conspiracy to commit computer crimes and, most significantly, violations of the Espionage Act for soliciting and publishing classified information related primarily to the US-led wars in Iraq and Afghanistan.

For Assange, his supporters, and the US government, Tuesday’s ruling has been a long time coming, culminating more than four years of legal battles in the UK. The extensive delay inevitably gave rise to a flood of analysis and conjecture from legal scholars, human rights defenders, and envoys of the US intelligence system, spawning myriad theories about the ultimate repercussions of his potential capture, trial, and imprisonment.

Free press advocates have argued the charges against Assange amount to an attack on legal journalistic activities, portrayed by prosecutors as crimes against the state. The right of journalists to publish stolen or leaked information, even when classified “secret,” has been repeatedly affirmed by the US Supreme Court.

US prosecutors allege that Assange in 2010 took matters a step further than what is legally permitted, encouraging then-WikiLeaks source Chelsea Manning to violate the law further by stealing additional files, and by offering to help her crack a hashed password that would have, ostensibly, furthered her access inside a classified Defense Department network.

Though it is unclear whether any of Assange’s offers actually aided Manning or resulted in any additional files being leaked, under the scope of US law, legal experts widely agree, success is beside the point.

Manning, a former US Army intelligence analyst, confessed during a court martial in 2013 to leaking more than 725,000 documents to WikiLeaks, though her conviction pertains only to portions of hundreds of documents. Manning was accused but acquitted of “aiding the enemy.” Her 35-year prison sentence was commuted in January 2017 by former US president Barack Obama in one of his final acts of office.

The Espionage Act, under which Assange is charged, is among the most controversial in the nation’s criminal code, wielded by prosecutors against whistleblowers and national security leakers with the same intensity as any captured traitor or spy.

Much of the US case is based on digital logs of conversations held between WikiLeaks associates and accounts allegedly manned by Assange himself. Ironically, most if not all of this evidence has itself been leaked over the years or otherwise amassed by independent researchers. Distributed Denial of Secrets (DDOS), a WikiLeaks successor, has compiled at least hundreds of thousands of pages of relevant documents from various confidential sources, including those targeted by FBI informers and by the bureau itself via search warrants.

A private database created by DDOS, reviewed by WIRED, currently contains roughly 100 gigabytes’ worth of WikiLeaks material, including several hundred thousand internal emails and tens of thousands of chat logs, many bearing account names known to have been used by Assange personally.

Despite being rigorously cataloged by DDOS researchers, it remains difficult to quantify how many individuals’ communications were logged due to the sheer volume of text. The anti-secrecy organization’s earliest files pertaining to Assange’s activities online date back 30 years.

Emma Best, a journalist and co-founder of DDOS, says it is believed the organization possesses all—or nearly all—of the recorded conversations cited in the US government’s indictment. A large percentage of internal WikiLeaks chatter is said to have been recorded by Sigurdur Thordarson, a former WikiLeaks associate, in the years and months prior to his betrayal of the organization.

Following his stint as an FBI informer in 2011, Thordarson faced multiple convictions in Icelandic court for sex crimes involving minors and for fraud in relation to funds embezzled from WikiLeaks. According to Best, a close inspection of the files would shed even further doubt as to Thordarson’s reliability, as he often mischaracterizes statements by Assange when communicating with other WikiLeaks associates and supporters.

Best says making the WikiLeaks files public is a priority due to the US’s aggressive moves in the case and the international repercussions, but distribution remains limited currently to trusted professionals, primarily for privacy reasons. WIRED’s review found that the documents identify countless individuals, including many who are not affiliated with WikiLeaks. Additionally, while the US and UK governments presumably have access to all or most of the same files, Best says, other governments, which could seek to act upon them legally, likely do not.

“The case against WikiLeaks and Assange is as misunderstood as it is secretive and important, problems worsened by the many liars involved and the largely vibes-based analysis of it,” she tells WIRED. “The first step to fixing this is simple: Leak the case.”

Assange’s case has garnered scrutiny from human rights groups, many evaluating the conditions inside US prisons as too brutal and lousy to be considered anything but cruel and inhumane.

Concerns over American prison conditions posed a major hurdle for US prosecutors in 2021 after the UK high court ruled the odds they would result in Assange’s death by suicide as unacceptable. The court decided that the US successfully mitigated these concerns by offering assurances that Assange would not face certain treatments that, while commonplace in the US, are widely gauged to run afoul of international law, including the use of extreme isolation.

The US’s assurances did little to quell protests from rights groups and Assange family members, as they’d been offered in the past to little effect. Frequently highlighted is the case of British poet Syed Talha Ahsan, who was kept in solitary confinement for years in a Connecticut “supermax” prison known as the Northern Correctional Institution. The prison closed in June 2021.

A key assurance offered by the US is that Assange will never be confined at another supermax prison, Colorado’s ADX Florence, which currently cages more than 300 prisoners. The use of prolonged isolation, common within the prison but employed throughout the US, has been labeled “torture” by current and past United Nations prison watchdogs. Repeated studies have shown prolonged isolation to have deleterious and potentially irreversible effects on the human brain, leading to significantly higher rates of suicide, homicide, and opioid dependence among incarcerated people upon their release.

Another assurance offered by the US is that Assange will not be subjected to “special administrative measures,” an Orwellian euphemism for the government surveilling a prisoner’s attorney-client communications. Among other justifications, the US can implement this procedure—known as SAM—by claiming the monitoring is necessary to “prevent the disclosure of classified information.”

If convicted, Assange’s lawyers say he faces a maximum of 175 years in prison, though US prosecutors have downplayed in the press the likelihood of him receiving such a lengthy sentence.

_This is a developing story and is being updated with new information._

Julian Assange Won’t Be Extradited to the US Yet

By Waqas
Another day, another popular dark web marketplace bites the dust!
This is a post from HackRead.com Read the original post: International Sting Takes Down Major Dark Web Marketplace “Nemesis Market”

Nemesis Market, a major darknet marketplace for illegal goods, shut down by joint international law enforcement action – Servers seized, €94,000 in crypto confiscated. Global effort disrupts dark web criminal activity.

In a coordinated international effort, German authorities, working alongside law enforcement agencies from the United States and Lithuania, have successfully shut down the global darknet marketplace “Nemesis Market.”

The takedown, announced on March 22nd, 2024, by the Frankfurt am Main Public Prosecutor’s Office and the Federal Criminal Police Office (BKA) of Germany, marks a significant blow to cybercrime operations on the dark web.

Nemesis Market, launched in 2021, had grown rapidly to become a major player in the dark web marketplace scene. Accessible only through the Tor network, the platform offered a haven for illicit activity, facilitating the sale of narcotics, stolen data, and a variety of cybercrime services.

Source: Federal Criminal Police Office

According to the German press release, investigations into the Nemesis Market began in October 2022, culminating in a concerted action on March 20th, 2024. The operation involved seizing server infrastructure located in Germany and Lithuania, effectively shutting down the marketplace. Additionally, German authorities confiscated cryptocurrency assets worth approximately €94,000, believed to be linked to the platform’s operations.

The investigation revealed a large user base for Nemesis Market, with over 150,000 user accounts and over 1,100 seller accounts identified worldwide. Notably, nearly 20% of these sellers were traced back to Germany, highlighting the platform’s reach. The marketplace offered a diverse range of illegal goods and services, including:

*   Narcotics
*   Ransomware
*   Phishing tools
*   DDoS attack services
*   Stolen data and goods

The press release emphasizes that the seized data from the marketplace will be used for further investigations to identify and prosecute the sellers and users involved. This takedown serves as a reminder of the ongoing international efforts to combat cybercrime on the dark web. Collaboration between law enforcement agencies from different countries is proving crucial in disrupting these illicit marketplaces and holding those responsible accountable.

While the takedown of Nemesis Market is a victory for law enforcement, it’s important to acknowledge the persistence of the dark web. New marketplaces are likely to emerge, prompting the need for continued vigilance and international cooperation.

1.  Finnish Dark Web Marketplace PIILOPUOTI Seized
2.  Feds Seize Bulletproof Hosting Service ”Lolek Hosted”
3.  Student-Run Germany’s Largest Dark Web Market DiDW
4.  US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group
5.  Genesis Market’s Clearnet domain seized; Dark Web site still online

International Sting Takes Down Major Dark Web Marketplace “Nemesis Market”

Red Hat Security Advisory 2024-1444-03 - An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1444.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs:16 security updateAdvisory ID:        RHSA-2024:1444-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1444Issue date:         2024-03-21Revision:           03CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)* nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2264574

Red Hat Security Advisory 2024-1444-03

By Deeba Ahmed
Apex Legends Global Series Thrown into Chaos as Hackers Invade Live Finals!
This is a post from HackRead.com Read the original post: Pro Players Hacked Live On Stream! Apex Legends Tournament Postponed

Two esports players were hacked during a live-streamed game, causing the Apex Legends Global Series tournament to be postponed.

On Sunday night, EA and Respawn’s shooter game Apex Legends was disrupted by a hacking incident, causing the Apex Legends Global Series tournament to be postponed. The players were competing in the popular shooter game having a $5 million prize pool.

The incident occurred during a live-streamed game, where Apex pro player Noyan “Genburten” Ozkose reported his game being hacked and hijacked to deploy cheats. The player complained about the activation of cheats like wallhacks, which provided the compromised account with an unfair advantage over legitimate players.

During the livestream, Genburten yelled he was “getting hacked” when a cheat program’s settings menu appeared. Genburten’s screen also displayed an aimbot, gun recoil reducer, and autofire feature, with a box indicating “vote Putin.”

Soon after hacking, the perpetrators displayed the following message:

“Apex hacking global series, by Destroyer2009 &R4andom.”

Apparently, the hackers used a cheat program to deploy “wall hacks” or visibility hacks, allowing them to see all other players. 

In another Apex Legends match, a player named ImperialHal faced a similar incident. On their X account, the player noted getting an “aimbot,” which is a common cheating technique allowing players to hit any player without actually aiming at them. 

This led to the tournament organizers suspending and postponing the North American tournament, causing concern among players.

“Due to the competitive integrity of this series being compromised, we have made the decision to postpone the finals at this time. We will share more information soon,” Apex Legends Esports posted on their official X account.

The cause of the incident remains unclear, as Electronic Arts, publisher of Apex Legends, and Genburten and ImperialHal have not provided any more details. It was speculated that it could have been an RCE exploit or remote code execution attack. However, Easy Anti-Cheat, the game’s anti-cheat solution, maintains that its software remains secure with no known vulnerabilities.

“We are confident that there is no RCE vulnerability within EAC being exploited,” Easy Anti-Cheat confirmed.

A video showing this incident was posted on X and shared on multiple YouTube channels. The video shows Genburten seeing other players highlighted on the map, even behind walls, and through in-game obstacles before a window appears with a menu for cheats called “TSM HALAL HOOK.”

Respawn Entertainment, the developer behind Apex Legends, is currently investigating the situation. The exploitation during a major tournament raises doubts about current measures and the future of competitive gaming. Respawn’s investigation is needed to restore trust and ensure tournament integrity.

This is not the first time that a gaming tournament has gone through cybersecurity-related issues. In January 2022, cybercriminals managed to carry out successful DDoS attacks on a Minecraft event that crippled the internet of Andorra, a country based in Europe.

1.  **Online gaming and protection against cyber attacks**
2.  **Minecraft declared the most malware-infected game**
3.  **Modern Gaming Sucks Because of Abundance Fatigue**
4.  **EA Sports down – Gaming giant hit by massive DDoS attacks**
5.  **Gcore Thwarts 500 Million PPS DDoS Attack on Gaming Form**

Pro Players Hacked Live On Stream! Apex Legends Tournament Postponed

By Waqas
Another day, another malware threat emerges in a country already at war.
This is a post from HackRead.com Read the original post: New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine

SentinelLabs researchers have discovered “AcidPour,” a variant of the AcidRain Linux malware targeting Linux systems in Ukraine. This new strain expands on its predecessor and poses a risk to users.

Researchers at SentinelLabs have uncovered a new variant of the Acid Rain malware, dubbed “Acid Pour,” which has emerged in Ukraine. The discovery was made over the weekend, with J. A. Guerrero-Saade, AVP of SentinelLabs, sharing insights via X (formally Twitter).

The original AcidRain malware surfaced in March 2022, notably used during the ‘Viasat hack,’ which disrupted KA-SAT Surfbeam2 modems at the onset of the Russian invasion of Ukraine.

> It's been an interesting weekend! Eagle-eyed @TomHegel spotted what appears to be a new variant of AcidRain. Notably this sample was compiled for Linux x86 devices, we are calling it 'AcidPour'. Those of you that analyzed AcidRain will recognize some of the strings. Analysis 🧵 pic.twitter.com/wY3PJKaOwK
> 
> — J. A. Guerrero-Saade (@juanandres\_gs) March 18, 2024

TomHegel, Principal Threat Researcher at SentinelLabs, identified the new variant, compiled specifically for Linux x86 devices. While AcidPour shares similarities with AcidRain in certain strings, it separates significantly in its codebase, compiled for x86 architecture rather than MIPS.

It is worth noting that popular Linux distros for x86 devices include Ubuntu, Mint, Fedora, and Debian. On the other hand, MIPS (Microprocessor without Interlocked Pipelined Stages) is a type of instruction set architecture (ISA), which essentially defines the language a processor understands and uses to execute instructions. Similar to x86, it’s a set of rules and specifications for how a processor operates.

AcidRain operated as a generic wiper, targeting common directories and device paths on embedded Linux distros. AcidPour, however, introduces new elements, referencing Unsorted Block Images (UBI) and virtual block devices associated with Logical Volume Manager (LVM), suggesting a potential expansion of targets beyond previous iterations.

Despite the similarities, there are notable differences, including a distinct wiping logic for devices like LVMs, indicating a potentially evolved strategy by threat actors. The good news is that SentinelLabs has raised awareness of AcidPour among stakeholders in Ukraine, although the specific targets and scope of the operation remain unclear.

The discovery goes on to show how fast malware threats are evolving, with attackers adapting their tactics to exploit vulnerabilities in various systems. From the perspective of an unsuspecting user or an organization in the business, both must keep an eye on cybersecurity threats like AcidRain and AcidPour.

Begin by prioritizing training for yourself and your employees, as phishing attacks act as a primary gateway for malware infection. Consider leveraging AI-powered chatbots such as ChatGPT or Gemini AI to compile a concise yet essential guide outlining preventive measures against phishing, malware, ransomware, and data breaches.

1.  Someone DDoSed Ukraine’s national postal service for 48 hours
2.  DDoS Attack and Data Wiper Malware hit Computers in Ukraine
3.  Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
4.  ‘Destructive malware’ fakes ransomware to target Ukrainian orgs
5.  Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine

By Waqas
Cyber Warfare Takes Flight: Geopolitics Fuel Attacks on Airlines - Dark Web Tool Aims at E-commerce!
This is a post from HackRead.com Read the original post: Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted

Cybersecurity researchers have published two concerning reports where the first report highlights the surge in cyber attacks against the aviation and aerospace industries – And the second report exposes a dark web tool called TMChecker fueling attacks against E-commerce platforms.

Recent cyber incidents targeting the aerospace and aviation sectors have raised concerns about the industry’s vulnerability to malicious attacks, according to a report by Resecurity. The report highlights the critical need for strong cybersecurity risk assessments to protect airports and aviation infrastructure.

The aerospace sector, including the design, manufacturing, and maintenance of aircraft and spacecraft, has become a prime target for cyberattacks due to its reliance on interconnected digital infrastructures and global supply chains.

The integration of Industrial Internet of Things (IIoT) technologies has further strengthened this threat, making aerospace organizations more vulnerable and susceptible to cyber attacks.

Credit: Resecurity

****Ransomware Attacks & The Aviation Industry****

Ransomware emerges as a top threat facing the aviation industry, with a 600% increase in occurrences reported by Boeing Chief Security Officer Richard Puckett at the 2023 Aviation Week MRO Americas Conference.

The European Organisation for the Safety of Air Navigation (Eurocontrol) also highlighted ransomware as the sector’s leading attack trend in 2022, accounting for 22% of all malicious incidents. Some of the examples highlighted in the report include the LockBit ransomware gang’s attack on Boeing in November 2023, which the aviation giant later confirmed.

****Geopolitical tensions & The Aviation Industry****

According to Resecurity’s blog post titled “The Aviation And Aerospace Sectors Face Skyrocketing Cyber Threats,” geopolitical tensions and the designation of aerospace and aviation as critical infrastructure by the U.S. government have fueled cyberattacks targeting the industry.

Threat actors, including hacktivist collectives, are increasingly targeting aviation organizations to advance political agendas or disrupt operations. One such example is the hacktivist group Anonymous Sudan which targeted FlyDubai, an Emirati government-owned airline in Dubai, United Arab Emirates in February 2024 citing the company’s alleged support to the Rapid Support Forces (RSF) in Sudan.

Other recent cyberattacks targeting the aerospace sector include Distributed Denial of Service (DDoS) attacks by groups such as Mysterious Team Bangladesh (MTB) against Saudi Arabian airports and ALTOUFAN TEAM against Gulf Air.

> In stand with our steadfast Palestinian people in Gaza Strip in their brave and honorable resistance,ALTOUFAN TEAM targets companies normalized with the Zionist entity , Bahrain International Airport and the Bahraini national carrier “Gulf Air” servers and website…… pic.twitter.com/OKOhR12M3S
> 
> — ALTOUFAN TEAM (@altoufanteam) November 22, 2023

Additional incidents involve ransomware attacks on airlines like Air Albania and Continental Aerospace Technologies, compromising critical data and disrupting operations.

**T**MChecker – Dark Web Tool Targeting Remote Access and E-Commerce Platforms****

In another report published on March 13, 2024, Resecurity detailed a new cybersecurity threat named TMChecker that has surfaced on the Dark Web, posing a notable risk to remote-access services and popular e-commerce applications.

Developed by an actor known as “M762” on the Russian language XSS cybercrime forum, TMChecker is a sophisticated tool that combines corporate access login (log) checking capabilities with a brute-force attack kit. Available for a monthly subscription fee of $200, TMChecker has garnered attention for its ability to target a wide range of VPN gateways, email servers, and e-commerce platforms.

Credit: Resecurity

TMChecker stands out from similar tools like ParanoidChecker due to its focus on corporate remote access gateways, which are often primary targets for ransomware attacks and other malicious activities. The tool supports 17 solutions, including Cisco VPN, Citrix VPN, Office 365, WordPress, Magento, and cPanel, among others, making it a versatile and powerful weapon.

Cybercriminals exploit TMChecker to identify compromised data containing valid credentials for corporate VPN and email accounts. In one observed incident, threat actors used TMChecker to target the email server of a government organization in Ecuador, demonstrating the tool’s real-world impact.

M762 operates a Telegram channel with over 3,270 subscribers, potentially indicating a sizable user base for TMChecker. The addition of such tools aligns with a concerning trend highlighted in recent Microsoft research, which noted a significant increase in human-operated ransomware attacks.

These attacks often involve the abuse of remote monitoring and management tools, leaving behind less evidence compared to automated attacks delivered through malicious documents.

As TMChecker and similar tools lower the barriers to obtaining remote access credentials, the risk of destructive ransomware attacks and other malicious campaigns amplifies. This threat is particularly acute in the context of mergers and acquisitions, where cybercriminals target vulnerable organizations to exploit for financial gain.

1.  Cl0p ransomware gang hits Aviation giant Bombardier
2.  Hackers Uncover Airbus EFB App Flaws, Risking Aircraft Data
3.  Israeli: Hackers Targeted EL AL Flights in Mid-Air Hijack Attempt
4.  Military Satellite Access Sold on Russian Hacker Forum for $15,000
5.  Hackers posing as LinkedIn recruiters to scam military, aerospace firms

Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted

By Deeba Ahmed
Mikhail Vasiliev, a Russian-Canadian citizen faces four years in a Canadian prison and is likely to be extradited to the US after completing his sentence.
This is a post from HackRead.com Read the original post: LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

Mikhail Vasiliev was also fined $860,000 for his involvement in the LockBit gang’s attacks. This case highlights the international effort to combat cybercrime and the severe consequences awaiting perpetrators.

A Russian-Canadian citizen, Mikhail Vasiliev, has been sentenced to nearly four years in prison for his involvement in the notorious **LockBit ransomware operation**. Vasiliev will also pay $860,000 in restitution to his Canadian victims.

Vasiliev’s lawyer reportedly argued that he turned to cybercrime due to financial difficulties during the **COVID-19 pandemic**.  However, Justice Michelle Fuerst rejected this justification, calling Vasiliev a _Cyber Terrorist_ whose actions were motivated by _greed_ and his crimes were “_far from_ _victimless crimes_.”

Investigations revealed Vasiliev’s role as a key member of the LockBit ransomware gang, involved in a significant number of cyberattacks with ransom demands ranging between €5m-€70 million. Vasiliev took responsibility for his actions, as confirmed by his lawyer Louis Strezos.

Vasiliev, 34, was arrested in October 2022 from his residence in Bradford, Ontario where he had moved from Moscow 20 years ago. He pleaded guilty in February 2024 to stealing victims’ computer data and using it for extortion.

Moreover, according to Canadian media **reports**, he admitted targeting at least three Canadian organizations, encrypting their data, and seeking ransom payments between 2021-2022, making $100 million in ransom demands for the gang from around 1,000 cyberattacks on victims in the U.S. and globally,

Vasiliev primarily targeted businesses in Saskatchewan, Montreal, and Newfoundland. His attacks likely caused significant disruptions and financial losses to the targeted businesses.

In November 2022, the US Department of Justice announced separate charges for his involvement in LockBit attacks. Vasiliev is set to be extradited to the U.S. for facing these additional charges

**LockBit, active since 2020**, operates under a ransomware-as-a-service (RaaS) business model, where affiliates exploit intrusions and deploy ransomware in exchange for some percentage of ransom payment.

In 2023, the gang gained significant profits from targeting companies like Boeing and Allen & Overy and exploited the **Citrix bleed security flaw** tracked as CVE-2023-4966 (CVSS score: 9.4).

LockBit’s infrastructure was **dismantled** by the law enforcement authorities in February 2024 as part of Operation Cronos with the seizure of 34 servers and 200 cryptocurrency accounts. Just a week after its seizure, LockBit **reemerged** with new leak sites, but RaaS is unlikely to recover. It claimed Operation Cronos was successful due to its negligence in updating PHP settings.

So far, Authorities have arrested six suspects in connection to LockBit, including Vasiliev, Ruslan Magomedovich Astamirov who was arrested **in June 2023**, two Russian nationals Artur Sungatov and Ivan Kondratyev, alias Bassterlord, and two others **arrested** in Ukraine and Poland.

Vasiliev’s potential extradition is a sign of growing international cooperation in combating cybercrime and serves as a warning to other gangs involved in such activities.

1.  Ragnar Locker Ransomware Dismantled, Key Suspect Arrested
2.  Alcasec Hacker, aka “Robin Hood of Spanish Hackers,” Arrested
3.  Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US
4.  LockBit ransomware blames victim for DDoS attack on its website
5.  Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

By Waqas
Another day, another cyber attack on a local council in England!
This is a post from HackRead.com Read the original post: Leicester City Council’s IT System and Phones Down Amid Cyber Attack

Leicester City Council grapples with a cyber attack, causing major disruption to residents. IT systems and phone lines remain down as authorities work to restore crucial services. Recovery is expected by midweek.

Leicester City Council continues to face disruption after a cyber attack forced them to shut down IT systems and phone lines last Thursday (March 7, 2024). While the nature of the attack remains undisclosed, officials are working alongside cybersecurity specialists and law enforcement to assess the damage and restore functionality.

“This incident highlights the growing vulnerability of local authorities to cyber threats,” said Richard Sword, strategic director of city developments and neighbourhoods at Leicester City Council. “Our priority is to minimize disruption to critical services and get our systems back online as swiftly as possible.”

The council anticipates a phased recovery process, prioritizing the restoration of essential services by midweek. Residents seeking urgent assistance can utilize the emergency phone lines established on the council’s website.

****Limited Services and Public Frustration****

The shutdown has caused significant inconvenience for residents. Essential services like council tax payments and license renewals are currently unavailable. Local Green Party councillor Patrick Kitterick expressed concern, stating the prolonged outage poses a serious challenge, especially considering the council’s role in civil emergency response.

****Ransomware Attack or Not?****

Since it’s not clear whether the incident was a ransomware attack or a DDoS attack, we reached out to William Wright, CEO of Closed Door Security, for his insights. Given the history of cyber attacks on local councils, William cautioned that this might turn out to be a costly and disruptive ransomware attack.

“We don’t know what type of attack Leicester City Council is suffering from but given the recent spate of ransomware attacks targeting public authorities, it’s likely to be ransomware,” William said.

He warned that the government must take action to tackle the vulnerable situation. “Earlier this week, the government responded to a report from a Parliamentary Committee on ransomware, which said it was not doing enough to keep the country safe from the threat, but the government didn’t agree with the findings, maybe this latest attack on Leicester City Council will act as a wake-up call.”

****Further Developments Expected****

Leicester City Council is expected to provide updates on the situation as progress is made. Residents are encouraged to visit the council’s website for the latest information and alternative contact methods.

This attack comes amidst a concerning trend targeting local government bodies across the UK. The incident also goes on to show the need for basic cybersecurity measures including employee training to protect critical infrastructure from sophisticated cyber threats.

1.  Freecycle Data Breach Impacts 7 Million Users
2.  UK Power and Data Manufacturer Volex Hit by Cyberattack
3.  Anonymous Sudan DDoS Attack on London Internet Exchange
4.  Hackers Attack UK’s Nuclear Waste Services Through LinkedIn
5.  Contractor Database Leaks Irish Police Vehicle Seizure Records

Tag

#ddos