Russia’s Ransomware Gangs Are Being Named and Shamed

Wired: https://www.wired.com/story/conti-trickbot-ransomware-sanctions-uk-us/

The Hive Takedown, and a Second Look at the Timing and Targeting Patterns of Russia-Based Ransomware Groups

The FBI announced this week that it had foiled the operations of one of the world’s most prolific and disruptive ransomware groups, known as Hive, taking down its dark-web site and recovering decryption keys to unlock the systems of victims who were facing $130 million in total ransom demands. Monaco told reporters at a press conference that the US Attorney General’s office had hacked the hackers. Hive collected over $100 million in ransom payments in previous years, according to the FBI. But working with numerous law enforcement agencies, including German and Dutch federal police, the FBI surreptitiously gained access to the group’s systems, surveilling and ultimately disrupting them. No arrests were made as a result of that victory, indicating that the hackers may be located in non-extradition countries beyond the reach of Western law enforcement.

The data was used to compare the timing and location of attacks by groups thought to be based in Russia against those of groups everywhere else, Nershi told WIRED before her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”

The data was culled from the dark-web sites that the gangs use to bully victims into paying up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks, in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. The attackers then demand a large payment to keep the stolen data secret, rather than selling it. The researchers may not have captured data from every double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When you run a major app, all it takes is one mistake to put countless people at risk. Such is the case with Diksha, a public education app run by India’s Ministry of Education that exposed the personal information of around 1 million teachers and millions of students across the country. The data, which included things like full names, email addresses, and phone numbers, was publicly accessible for at least a year and likely longer, potentially exposing those impacted to phishing attacks and other scams.

LockBit’s Missteps, Crypto Laundering Exchanges, and the Sale of ADS-B Exchange to Jetnet

Speaking of cybercrime, the LockBit ransomware gang has long operated under the radar, thanks to its professional operation and choice of targets. But over the past year, a series of missteps and drama have thrust it into the spotlight, potentially threatening its ability to continue operating with impunity.

Encrypting everything on your machine isn’t just the domain of criminals, however. This week, we explained how to protect your files under digital lock and key on both macOS and Windows. Back in the domain of criminals, a new report finds that only five virtual currency exchanges facilitate the bulk of cryptocurrency money laundering, and that four of them helped people cash out over one billion dollars.

Billionaires like Elon Musk may have reason to celebrate. The flight-tracking platform ADS-B Exchange, which provided data for the @ElonJet account that tracked the Tesla and Twitter CEO’s private plane, has been sold. The platform is now owned by aviation intelligence firm Jetnet, which is itself owned by private equity. The creators of the ElonJet account have decided to leave because they believe the new owner will be willing to acquiesce to the wishes of Musk and the Saudi royal family.

Source: https://www.wired.com/story/meduza-russia-outlaw-security-roundup/

Russia Outlaws Meduza, and the FBI Names North Korea in a $100 Million Cryptocurrency Bridge Theft

And there’s more. Each week we round up the stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

While Meduza has long been based in Latvia to shield it from Russia’s media restrictions and retaliation, the new measure makes it a crime for anyone in Russia to work for the news outlet, speak to its journalists, post a link to its website, or even so much as “like” one of its social media posts. A first violation of those restrictions is a misdemeanor offense under Russian law, punishable by a fine, but repeated violations are a felony, with years in prison as a possible sentence.

The FBI pointed the finger at North Korea as the culprit behind large-scale thefts and breaches in the cryptocurrency world. The Bureau said two hacker groups connected to Kim’s regime were involved in a raid last year that stole $100 million in digital currency. The hackers targeted a cross-chain bridge, a service used to move currency from one blockchain to another. Thieves have taken hundreds of millions of dollars in digital currency from such bridges in the last few years. Forty million dollars of the stolen loot is still being held, but the FBI says some of it was seized when the hackers tried to sell it on the black market.

New York’s Attorney General Questions Madison Square Garden’s Use of Facial Recognition to Ban Lawyers

If Madison Square Garden didn’t want a legal scandal from its experiment in using face recognition technology to spot people it sought to ban from its venue, perhaps it shouldn’t have started by banning lawyers. The New York attorney general demanded more information about the venue’s practices after it was revealed that MSG had used facial recognition to prevent attorneys involved in lawsuits against it from attending its events. The letter, which suggests the ban on lawyers is meant to dissuade people from filing lawsuits against MSG, asked about the reliability of the facial recognition technology MSG is using and whether it had safeguards against bias. James wrote in a statement that anyone with a ticket to an event should not have to worry about being denied entry based on their appearance.

A WIRED analysis of dozens of council meetings, minutes, and documents reveals the scale of disruption the ransomware attack caused to Hackney Council and, crucially, to the thousands of people it serves. The criminal group’s attack caused problems for people’s health, housing situations, and finances. The attack against Hackney stands out not just because of its severity, but also because of the amount of time it has taken the organization to recover and help people in need.

You can think of local governments as complex machines. They’re made up of thousands of people running hundreds of services that touch almost every part of a person’s life. Most of this work goes unnoticed until something goes wrong. For Hackney, the ransomware attack ground the machine to a halt.

Among the hundreds of services Hackney Council provides are social and children’s care, waste collection, benefits payments to people in need of financial support, and public housing. Many of these services are run using in-house technical systems and services. In many ways, these can be considered critical infrastructure, making the Hackney Council not dissimilar to hospitals or energy providers.

The US and UK Sanction Seven Trickbot Members Linked to Russian Intelligence Services

“By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” UK foreign secretary James Cleverly said in a statement on Thursday. “These cynical cyberattacks cause real damage to people’s lives and livelihoods.”

The two governments named the seven gang members. All of them used online handles, such as Baget and Tropa, to communicate with each other without revealing their real-world identities.

For its part, the US Department of the Treasury has concluded that Trickbot Group members are “associated with Russian Intelligence Services.” It added that the group’s actions in 2020 were aligned with Russia’s international interests and “targeting previously conducted by Russian Intelligence Services.”

According to the US Treasury, these members were involved in malware and ransomware development, money laundering, fraud, injection of malicious code into websites to steal login details, and managerial roles. The UK banned travel for the ransomware actors as part of the sanctions. An indictment was filed against Vitaliy Kovalev in the US district court for the district of New Jersey, charging him with conspiracy to commit bank fraud and eight counts of bank fraud.
