From cryptocurrency thefts to intrusions into telecom giants, state-backed attackers have had a field day in the year’s first half.

Whether the first six months of 2022 have felt interminable or fleeting—or both—massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of this complicated year. With the Covid-19 pandemic, economic instability, geopolitical unrest, and bitter human rights disputes grinding on around the world, cybersecurity vulnerabilities and digital attacks have proved to be thoroughly enmeshed in all aspects of life.

With another six months left in the year, though, there's more still to come. Here are the biggest digital security debacles that have played out so far.

For years, Russia has aggressively and recklessly mounted digital attacks against Ukraine, causing blackouts, attempting to skew elections, stealing data, and releasing destructive malware to rampage across the country—and the world.  After invading Ukraine in February, though, the digital dynamic between the two countries has changed as Russia struggles to support a massive and costly kinetic war and Ukraine mounts resistance on every front it can think of. This has meant that while Russia has continued to pummel Ukrainian institutions and infrastructure with cyberattacks, Ukraine has also been hacking back with surprising success. Ukraine formed a volunteer “IT Army” at the beginning of the war, which has focused on mounting DDoS attacks and disruptive hacks against Russian institutions and services to cause as much chaos as possible. Hacktivists from around the world have also turned their attention—and digital firepower—toward the conflict. And as Ukraine launches other types of hacks against Russia, including attacks utilizing custom malware, Russia has suffered data breaches and service disruptions at an unprecedented scale.

The digital extortion gang Lapsus$ went on an extreme hacking bender in the first months of 2022. The group emerged in December and began stealing source code and other valuable data from increasingly prominent and sensitive companies—including Nvidia, Samsung, and Ubisoft—before leaking it in apparent extortion attempts. The spree reached its zenith in March when the group announced that it had breached and leaked portions of Microsoft Bing and Cortana source code and compromised a contractor with access to the internal systems of the ubiquitous authentication service Okta. The attackers, who appeared to be based in the United Kingdom and South America, largely relied on phishing attacks to gain access to targets’ systems. At the end of March, British police arrested seven people believed to have associations with the group and charged two at the beginning of April. Lapsus$ seemed to briefly continue to operate following the arrests but then became dormant.

In one of the most disruptive ransomware attacks to date, Russia-linked cybercrime gang Conti brought Costa Rica to a screeching halt in April—and the disruptions would last for months. The group's attack on the country's Ministry of Finance paralyzed Costa Rica's import/export businesses, causing losses of tens of millions of dollars a day. So serious was the attack that Costa Rica's president declared a “national emergency”—the first country to do so because of a ransomware attack—and one security expert described Conti's campaign as “unprecedented.” A second attack in late May, this one on the Costa Rican Social Security Fund, was attributed to the Conti-linked HIVE ransomware and caused widespread disruptions to the country's health care system. While Conti's attack on Costa Rica is historic, some believe that it was meant as a diversion while the gang attempts to rebrand to evade sanctions against Russia over its war with Ukraine.

As the cryptocurrency ecosystem has evolved, tools and utilities for storing, converting, and otherwise managing it have developed at breakneck speed. Such rapid expansion has come with its share of oversights and missteps, though. And cybercriminals have been eager to capitalize on these mistakes, frequently stealing vast troves of cryptocurrency worth tens or hundreds of millions of dollars. At the end of March, for example, North Korea's Lazarus Group memorably stole what at the time was $540 million worth of Ethereum and USDC stablecoin from the popular Ronin blockchain “bridge.” Meanwhile, in February, attackers exploited a flaw in the Wormhole bridge to grab what was then about $321 million worth of Wormhole's Ethereum variant. And in April, attackers targeted the stablecoin protocol Beanstalk, granting themselves a “flash loan” to steal about $182 million worth of cryptocurrency at the time.

Health care providers and hospitals have long been a favorite target of ransomware actors, who look to create maximum urgency to entice victims to pay up in the hopes of restoring their digital systems. But health care data breaches have also continued in 2022 as criminals pool data they can monetize through identity theft and other types of financial fraud. In June, the Massachusetts-based service provider Shields Health Care Group disclosed that it suffered a data breach throughout much of March impacting roughly 2 million people in the United States. The stolen data included names, Social Security numbers, birth dates, addresses, and billing information, as well as medical information like diagnoses and medical record indicators. In Texas, patients of Baptist Health System and Resolute Health Hospital announced a similar breach in June that exposed similar data, including Social Security numbers and sensitive patient medical information. Both Kaiser Permanente and Yuma Regional Medical Center in Arizona also disclosed data breaches in June.

At the beginning of June, the US Cybersecurity and Infrastructure Security Agency warned that Chinese government-backed hackers had breached a number of sensitive victims worldwide, including “major telecommunications companies.” They did so, according to CISA, by targeting known router vulnerabilities and bugs in other network equipment, including those made by Cisco and Fortinet among other vendors. The warning did not identify any specific victims, but it hinted at alarm over the findings and a need for organizations to step up their digital defenses, especially when handling massive quantities of sensitive user data. “The advisory details the targeting and compromise of major telecommunications companies and network service providers,” CISA wrote. “Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked.”

Separately, hackers likely conducting Chinese espionage breached News Corp in an intrusion that was discovered by the company on January 20. Attackers accessed journalists' emails and other documents as part of the breach. News Corp owns a number of high-profile news outlets, including _The Wall Street Journal_ and its parent, Dow Jones, the _New York Post_, and several publications in Australia.

Just days after a consequential US Supreme Court decision at the end of June pertaining to concealed-carry permit laws, an unrelated data breach potentially exposed the information of everyone who applied for a concealed-carry permit in California between 2011 and 2021. The incident impacted data including names, ages, addresses, and license types. The breach occurred after a misconfiguration in the California Department of Justice 2022 Firearms Dashboard Portal exposed data that should not have been publicly accessible. "This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department," state attorney general Rob Bonta said in a statement. "The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered."

The Worst Hacks and Breaches of 2022 So Far

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the  loadAnnotation() function, due to the usage of insecure regex.



Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

    regex = /A(B|C+)+D/
    

This regular expression accomplishes the following:

*   A The string must start with the letter 'A'
*   (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
*   D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    0.04s user 0.01s system 95% cpu 0.052 total
    
    

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1.  CCC
2.  CC+C
3.  C+CC
4.  C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String

Number of C's

Number of steps

ACCCX

3

38

ACCCCX

4

71

ACCCCCX

5

136

ACCCCCCCCCCCCCCX

14

65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

CVE-2022-25758: Regular Expression Denial of Service (ReDoS) in org.webjars.npm:scss-tokenizer | CVE-2022-25758 | Snyk

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on.

CVE-2014-3648

By Deeba Ahmed
The attack seems to be a retaliatory effort from Killnet following the diplomatic tensions between the two countries.…
This is a post from HackRead.com Read the original post: Pro-Russia Killnet Group Hit Top Lithuanian websites with Massive DDoS Attacks

****The attack seems to be a retaliatory effort from Killnet following the diplomatic tensions between the two countries.****

Pro-Russia threat actors Killnet have targeted Lithuania government institutions and networks in a series of highly disruptive DDoS attacks (distributed denial of service attacks). The country’s National Cyber Security Center (NKSC) confirmed the attack impacted the Secure National Data Transfer Network and private and public sector firms.

This “intense” attack occurred on 27 June 2022 and prevented users from accessing services. Although the attack has been managed now, and most of the sites are back online, the possibility of another attack cannot be ignored.

> “It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy, and financial sectors.”
> 
> Jonas Skardinskas – Director NKSC

**The Bone of Contention- Kaliningrad**

The attack seems to be in reaction to the diplomatic row between Russia and Lithuania regarding the Russian exclave of Kaliningrad. For your information, it is situated on the Baltic Sea shores and was previously a part of Germany before WWII and then a part of the Soviet Union. Kaliningrad was later cut off from Russia after Lithuania became independent in 1990 as there were no ground routes.

After Russia’s invasion of Ukraine, Lithuania supported the EU ban on Russian exports after it was implemented across EU territories and blocked the transport of key materials like metals, coal, and construction materials to Kaliningrad, infuriating Kremlin. 

**Killnet Response**

The Russia-aligned hacktivist group Killnet claimed responsibility for the DDoS attack in a video and added that the group would again target the country until it lifted the blockage on Russian exports.

The group’s spokesperson told Reuters that Killnet demolished 1,652 web resources and plans to cause more damage soon. As seen by Hackread.com, Killnet is currently active on Telegram posting a list of Luthinian sites targeted by the group. In one of its statements in the Russian language, the group claimed the following:

> In 39 hours, we achieved the isolation of 70% of the entire network infrastructure in Lithuania. I will explain on the fingers: Web integration of Lithuanian websites and electronic systems is in the “Blockade”, that is, “Geo block”, web traffic and other means of communication are available only within the republic. Thus, we are disrupting Lithuania’s network interaction with the rest of the world. At the moment, Lithuania is in sadder conditions than Kaliningrad. And we keep our promise! 😉

**Impact of the Attack**

Lithuania’s government stated that the DDoS attack flooded several institutions’ websites with malicious traffic. Some of the websites taken down by Killnet include Lithuania’s State Tax Inspectorate (STI) and the country’s leading accounting services provider B1.lt among others.

The attack disrupted the Secure National Data Transfer Network, which is among the most critical components of the country’s national security in the cyberworld, particularly during wartime. Lithuania’s Core Center of State Telecommunications is currently identifying the impacted sites to offer DDoS mitigation.

Killnet on Telegram

**Previous Coverage**

Killnet angered the hacktivists collective Anonymous after declaring allegiance to Russia after the latter invaded Ukraine and started a war. Since the allegiance, Killnet has been active on its Telegram channel ‘We Are Killnet.’ 

Flashpoint researchers observed chats between the group members in which they mentioned a large-scale, coordinated attack on June 27th 2022, which they referred to as Judgment Day.

The attackers selected Lithuania as its target for closing transit routes to Kaliningrad. The group has also targeted European institutions. Hackread.com previously reported that the group leaked private info of Killnet hacktivists in a data dump and took the group’s website Killnet.ru offline.

**More Cyber Attack News**

*   Cloudflare Thwarted Largest Ever HTTPS DDoS Attack
*   Cloudflare Successfully Thwarted One of The Largest DDoS Attacks
*   DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
*   Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack
*   President Putin’s Economic Forum Speech Delayed due to DDoS Attack

Pro-Russia Killnet Group Hit Top Lithuanian websites with Massive DDoS Attacks

On December 7, 2021, Google announced it had sued two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy -- a 14-year-old anonymity service that rents hacked PCs to cybercriminals -- suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.

On December 7, 2021, **Google** announced it was suing two Russian men allegedly responsible for operating the **Glupteba** botnet, a global malware menace that has infected millions of computers over the past decade. That same day, **AWM Proxy** — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at **Kaspersky Lab** showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by **TDSS** (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at **ESET** found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example —to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned **Meris**, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “**RSOCKS**” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from **Riley Kilmer**, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

**IF YOUR PLAN IS TO RIP OFF GOOGLE…**

Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in **AD1\[.\]ru**, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (**UA-3816536**).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar **Domenadom\[.\]ru**, and the website **web-site\[.\]ru**, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers **techplast\[.\]ru** and **tekhplast.ru** — also shared a different Google Analytics code (**UA-1838317**) with web-site\[.\]ru and with the domain “**starovikov\[.\]ru**.”

The name on the WHOIS registration records for the plastics domains is an “**Alexander I. Ukraincki**,” whose personal information also is included in the domains tpos\[.\]ru and alphadisplay\[.\]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “**uai@**” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). \[Full disclosure: Constella is currently an advertiser on this website\].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “**2222den**” and “**2222DEN**.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “**dennstr**.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site\[.\]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address **lycefer@gmail.com**. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and **starovikov\[.\]com**.

A cached copy of the contact page for Starovikov\[.\]com shows that in 2008 it displayed the personal information for a **Dmitry Starovikov**, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site\[.\]ru)was registered in 2005 to two men, one of whom was named **Dmitry Sergeevich Starovikov**.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

The Link Between AWM Proxy & the Glupteba Botnet

Cyber collective Killnet claims it won’t let up until the Baltic country opens trade routes to and from the Russian exclave of Kaliningrad.

Cyber collective Killnet claims it won’t let up until the Baltic country opens trade routes to and from the Russian exclave of Kaliningrad.

Russia-linked cyber collective Killnet has claimed responsibility for DDoS attacks Monday on the Lithuanian government and other entities in the Baltic country over closure of transit routes within the Russian exclave of Kaliningrad, according to researchers. The threat group warns that it will keep up attacks until the issue is resolved.

On Monday, Lithuania’s National Cyber Security Center (NKSC) under the Ministry of National Defense warned of intense and ongoing DDoS attacks against Lithuania’s Secure National Data Transfer Network as well as other governmental institutions and private companies in the country.

The attacks—which the government expects to be ongoing as well as target other critical infrastructure in Lithuania–disrupted access to services of users of the secure data network, the NKSC said in a public statement.

“It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy and financial sectors,” Jonas Skardinskas, acting NKSC director and head of cyber security management department, said in a statement.

****Motivation for Attacks****

Russia-based Killnet apparently launched the attacks in response to the Lithuanian government’s announcement on June 18 that it would close routes between the Baltic country and the Russian exclave of Kaliningrad for transport of steel and other metals, according to Flashpoint, which published a blog post by the Flashpoint team on the attacks Monday.

“These train routes, according to the Russian government, are essential in bringing in at least half of the exclave’s imports, prompting Russian officials to label the move as a ‘blockade’ and warn of a harsh retaliation,” a Flashpoint spokesperson wrote in an email to Threatpost.

Meanwhile, Lithuania has justified the closure as a necessary requirement to fulfill the obligations of European Union (EU) sanctions against Russia for its invasion of Ukraine in late February, where the war is ongoing.

On its Telegram channel, Killnet claimed that it would stop the attacks as soon as the Lithuanian government reinstates transit routes with Kaliningrad, according to Flashpoint.

A spokesperson for Killnet group also told Reuters it plans to continue attacks until the blockade is lifted, adding that it has already “demolished 1652 web resources–and that’s just so far.”

****Cyber Attack as Political Weapon****

There was some warning prior to the attacks that they were imminent, according to Flashpoint. Indeed, DDoS attacks have been a typical weapon of choice for Russian cyber actors since Russia’s invasion of Ukraine, with Russian threat actors using them both before the war on the ground started and after alongside other cyber-attacks to support military operations. This year alone, Killnet reportedly already has targeted Romania, Moldova, Czech Republic and Italy with cyber-attacks.

“On June 25, Flashpoint analysts observed chatter regarding a plan for a mass-coordinated attack to take place on June 27, which Killnet referred to as ‘judgment day,'” researchers wrote in the post.  In retrospect, they said that this conversation was likely a reference to Monday’s attacks.

Flashpoint researchers also observed smaller attacks prior to Monday, including one that took place on June 22, they said. This appears to support Killnet’s claim that the attacks were in retaliation to the closure of transit routes to Kaliningrad, researchers wrote.

It also seems that Killnet is using the attacks against Lithuanian as a proving ground for new tools and tactics and even may be gearing up to team up with the Conti ransomware gang, according to Flashpoint.

In a post from June 26, Killnet labeled Lithuania a “testing ground for our new skills” and mentioned that their “friends from Conti” are eager to fight. This pairing would make sense, as both groups had already expressed an allegiance to Russia at the beginning of the group’s invasion of Ukraine, researchers said..

No matter, it’s clear now that cyber-attacks will be used as a frequent weapon—albeit not necessarily a deadly one–for the world’s military powers, either alongside a physical war or to support a political stance, one security professional noted.

“Every significant military power in the world has developed cyber capabilities \[that\] have evolved from espionage tools into full-fledged weapons to be used as part of a coordinated military response,” observed Chris Clymer, director and CISO of Inversion6, in an email to Threatpost. “Targeting another country with these arguably constitutes an act of war, but one less severe than kinetic attacks with missiles and tanks. This harassment will continue.”

‘Killnet’ Adversary Pummels Lithuania with DDoS Attacks Over Blockade

By Deeba Ahmed
The Singaporean identity fraud scammer also tricked Google and Amazon Web Services (AWS) into providing $5.4 million worth…
This is a post from HackRead.com Read the original post: Scammer Who Used Info of Riot Games’ Co-Founder to Mine Crypto is Jailed

****The Singaporean identity fraud scammer also tricked Google and Amazon Web Services (AWS) into providing $5.4 million worth of cloud computing services by using the personal details of the co-founder and co-chairman of Riot Games Mr. Marc Merrill.****

A Singaporean national, Ho Jun Jia (a/k/a Matthew Ho, a/k/a, Prefinity a/k/a Ethereum Vendor), has been sentenced to ten years in jail for several offenses. He was sentenced on Thursday after pleading guilty to twelve charges, including cheating, drug consumption, and unauthorized access to computer material.

According to local media, fifteen additional charges were also considered for his sentencing. The convict is currently out on bail after his father paid $180,000. District Judge Brenda Tan let Ho defer serving a sentence by a month to fulfill personal commitments.

Ho Jun Jia (Image: ST PHOTO: KELVIN CHNG)

**Details of the Offence**

The 32-year-old secondary school dropout impersonated two individuals, including a US-based video game developer, to trick Google and Amazon Web Services (AWS) into providing $5.4 million worth of cloud computing services for an extensive cryptocurrency mining operation.

The convict obtained the developers’ personal information illegally via the Dark Web. Ho Jun Jia forged the US driving licenses for others to get their details. He forged the driving licenses in 2017, and after using photoshop, he traded them on a Dark Web forum in exchange for the names and credit card details of around 70 individuals.

The case was reported in October 2019 after the US Department of Justice stated that he had been charged with aggravated identity theft, wire fraud, and other federal crimes.

**Who Were the Victims?**

According to Straits Times, one of Ho Jun Jia’s victims of this cryptocurrency mining operation was Marc Merrill. He’s the co-founder and co-chairman of Riot Games. His company has developed popular games like Valorant and League of Legends.

Ho used Merrill’s information to open an account on Amazon Web Services, for which the latter’s American Express card (AMEX) was charged around $7 million after Ho accessed cloud computing services on 40 occasions between Nov 2017 and Jan 2018 mine for cryptocurrency.

He also used Merrill’s information for registering/buying cloud-computing services worth $250,000 via the Google cloud platform. He even convinced AWS to continue providing services despite not paying the withstanding $1.8 million bill.

Later, Ho used the details of Harold Borland in a similar scam with AWS and tricked the company into accessing cloud computing services worth around $21.

Ho mined for around 1,470 units of Ether between Nov 2017 and Mar 2018 and sold 203 units for $350,000. In 2019 , he was convicted of drug offenses for consuming methamphetamine.

The district judge stated that the accused didn’t make any restitution to his victims. Hence, the court considered the extent of his offenses, the harm caused to the victims, and the sophistication of scams while determining Ho’s sentence.

**More Cybercrime and Dark Web News**

*   Fraud & hacking guides are the most sold item on the dark web

*   On Dark Web, Your Facebook ID is worth $5.20 & Gmail ID is just $1

*   9 Years Jail for iCloud Phishing Scam Hacker Who Stole Nude Photos

*   Admin of DDoS-For-Hire Service “DownThem” Gets 2 Years Prison Sentence

*   Hacking tools & ready-made phishing pages being sold on the dark web for $2

Scammer Who Used Info of Riot Games’ Co-Founder to Mine Crypto is Jailed

Larger organizations are statistically more at risk, warns Imperva

Larger organizations are statistically more at risk, warns Imperva

API insecurity is responsible for between 4.1% and 7.5% of cybersecurity incidents, according to a new study.

The study, conducted by the Marsh McLennan Cyber Risk Analytics Center and based on an analysis of nearly 117,000 unique cybersecurity incidents, found that larger organizations were statistically more likely to have a greater preponderance of API\-related incidents.

Large enterprises were three to four times more likely to experience API insecurity than small or midsize businesses.

The accelerating pace of digital transformation and business development leaves large enterprises more at risk from exposed or unprotected APIs, according to Imperva, the cybersecurity vendor sponsoring the research.

Catch up on the latest API-related security research

APIs (application programming interfaces) are a class of software technology that offer a bridge to enable applications to access data or hook up with external software components, operating systems, or microservices.

Many APIs connect directly to backend databases where sensitive data is stored, a feature that attackers have latched onto resulting in an increase of attacks targeting what have become building blocks of modern online services.

APIs enable damaging attacks, from DDoS attacks taking a service out of commission to manipulator-in-the-middle attacks to intercept, steal, and modify or redirect communications, to injecting malicious code, taking over services or accounts, or simply stealing from the vast databases that many APIs connect to.

“As many as one in every 13 cyber incidents can be attributed to API insecurity,” according to Imperva. “As the number of APIs in production multiplies, this figure is expected to grow in the coming years.”

**Scale up**

Imperva told The Daily Swig that larger organizations are particularly exposed to the issue because they have “more APIs and limited visibility leaves a larger number of APIs vulnerable”.

Lebin Cheng, vice president of API security at Imperva, commented: “The growing security risks associated with APIs correlate with the proliferation of APIs, combined with the lack of visibility that organizations have into these ecosystems. At the same time, since every API is unique, every incident will have a different attack pattern. A traditional approach to security where one simple patch addresses all vulnerabilities doesn’t work with APIs.”

Cheng added: “The proliferation of APIs, combined with the lack of visibility into these ecosystems, creates opportunities for massive, and costly, data leakage.”

**Running the numbers**

Imperva’s study found a wide disparity in the extent to which different industries are exposed to API security-related issues.

For example, in the information technology industry the estimated percentage of incidents caused by API insecurity was between 18% and 23%.

By the same metric, professional services were also highly exposed to API-related problems (10%-15%) while manufacturing, transportation, and utilities (all 4-6%) are all in the mid-range. Industries such as healthcare have less than 1% of security incidents attributable to API-related security problems.

Many organizations are failing to protect their APIs because it requires equal participation from the security and development teams, which have historically have been somewhat at odds.

Cheng told The Daily Swig: “Developers move quickly and modify APIs constantly, making it nearly impossible for security teams to keep up. It means that many have defaulted to relying on ineffective tools because they hope a standardized approach can minimize threats.

“However, these defenses aren’t equipped to stop sophisticated API-related attacks targeting business logic vulnerabilities.”

“APIs are created and managed by the development team, often outside of the security team’s purview. Complicating matters, each API is designed for a specific application’s needs,” they concluded.

The Imperva-commissioned report, entitled Quantifying the Cost of API Insecurity, concludes with advice in getting a handle on the problem. This includes identifying and classifying data flowing through every API, automating discovery of APIs, and enabling an API governance model.

RECOMMENDED Internet scans find 1.6 million secrets leaked by websites

One in every 13 incidents blamed on API insecurity – report

By Deeba Ahmed
The Russian Economic Forum was taking place in St. Petersburg when its proceedings were stalled due to a…
This is a post from HackRead.com Read the original post: President Putin’s Economic Forum Speech Delayed due to DDoS Attack

****The Russian Economic Forum was taking place in St. Petersburg when its proceedings were stalled due to a DDoS attack.****

A Distributed Denial of Service attack (DDoS attack) disrupted the proceedings at the 25th St Petersburg International Economic Forum, regarded as the Russian answer to the Davos World Economic Forum.

The incident occurred on Friday.  As a result, the speech of Russian premier Vladimir Putin got delayed for around 100 minutes at the country’s flagship forum.  Putin had to start his speech more than an hour after its scheduled start time. 

Another aspect worth noting was the absence of Western businesses and stakeholders at the forum, which is due to the recent wave of sanctions against Russia after the country invaded Ukraine. However, At the forum, state companies signed deals, and many companies displayed floor-to-ceiling display screens. 

**More Cyber Attackers on Russia News**

*   Top Russian Banks Suffer Powerful DDoS Attacks
*   Official website of Russian Parliament, MoD and Kremlin go offline
*   Russian electronic voting system hit by 19 DDoS attacks in one day
*   DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
*   Anonymous hacks & defaces Russian Space Research Institute Website

**Kremlin Confirms the Attack**

According to Reuters, the Russian government’s spokesperson Dmitry Peskov confirmed the DDoS attack, explaining that the accreditation and admissions systems were cut off after the attack.

However. Peskov didn’t specify any particular entity or individual responsible for the attack. The forum continually suffered from internet connectivity issues and low speed even during the premier’s speech. 

During his speech, Putin lashed out at the Western world’s sanctioning and referred to it as a “blitzkrieg” on the Russian economy. 

**More DDoS Attack News**

*   Cloudflare Thwarted Largest Ever HTTPS DDoS Attack
*   Admin of DDoS-For-Hire Service “DownThem” Gets 2 Years Jailtime
*   FBI Seizes WeLeakInfo, IPStress and OVH-Booter Cybercrime Portals
*   Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack
*   The Growing Threat of Ransom DDoS Attacks Requires Effective Mitigation

Tag

#ddos