Tag Archive for: Countries

‘TheMoon’ malware shows its dark side, grows to 40,000 bots from 88 countries


A multi-year campaign leveraging an updated version of “TheMoon” malware has been targeting end-of-life (EoL) small business routers and IoT devices via a cybercriminal proxy service known as “Faceless.”

The Black Lotus Labs team at Lumen Technologies described in a March 26 blog post that “TheMoon” malware, which first emerged in 2014, had been operating quietly while growing to more than 40,000 bots from 88 countries by January and February of this year.

Black Lotus Labs first described “TheMoon” malware in 2019 and now says it has entered a new phase. In their most recent post, the researchers identified at least one campaign by the Faceless criminal proxy service, beginning in the first week of March, that targeted more than 6,000 ASUS routers in less than 72 hours.

The researchers said Faceless has been growing at a pace of 7,000 users per week and has become a popular choice for cybercriminals seeking anonymity. Their telemetry shows the service has been used by operators of botnets such as SolarMarker and IcedID.

“This is not the first instance of infected devices being enrolled into a proxy service, and it’s a growing trend,” wrote the researchers. “We suspect that with the increased attention paid to the cybercrime ecosystem by both law enforcement and intelligence organizations, criminals are looking for new methods to obfuscate their activity.”

John Gallagher, vice president of Viakoo Labs, said that IoT devices are designed to be “set-it-and-forget-it,” which is why threat actors favor them: even if they are not EoL, they are likely unmanaged and not updated.

“This is a much bigger issue for enterprises than consumers,” explained Gallagher. “The operators of IoT devices are often cost centers, and have an incentive to not replace equipment unless it isn’t functional anymore. So, enterprises offer vast fleets of IoT devices for threat actors to leverage for DDoS and other attack vectors.”

The result: Gallagher said we now have vast botnet armies of infected IoT devices because there has never been a focus (or incentive) around bot eradication. He said organizations are told to focus on bot…


GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries


The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.

“The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.

“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”

Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.

Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.


It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”

Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it will use Python-based ransomware in its attacks.

The latest findings from Talos show that the two groups have banded together to not only strike a wide range of sectors, but also unleash an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.

“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.

STMX_GhostLocker, which comes with its own leak site on the dark web, lists no less than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker…


How ransomware could cripple countries, not just companies


The scale of the problem is not easy to measure. Companies that are hacked or pay a ransom are reluctant to own up to it. Rising numbers can reflect better detection rather than more attacks. But what is clear is that, after a lull in 2022, caused in part by a split between Russian and Ukrainian hackers, ransomware attacks are back at their peak. Officials expect that 2023 will turn out to be the worst year on record.

The number of victims is troubling (see chart). In the four months to October the number listed on “leak sites”, where attackers name victims who refuse to pay, was the highest ever recorded, according to Secureworks, a cyber-security firm. Sophos, another such firm, estimates that on average individual ransom payments doubled from around $800,000 in 2022 to more than $1.5m in the first three months of 2023. And Chainalysis, a data company, estimates that ransom payments between January and June 2023 added up to $449m, compared with about $559m for the entirety of 2022. These numbers might reflect just the tip of the problem.

The growing threat from ransomware is occurring amid a shift in the nature of the business. An activity once dominated by a few large criminal groups is giving way to a mosaic of smaller attackers, many of them based in Russia or other ex-Soviet states, who can buy the necessary hacking tools. Western countries are striking back with sanctions and cyber-attacks of their own. Yet this does not seem to have stopped the wave of ransom payments, which is enriching criminal groups—and so potentially exacerbating the problem for years to come.

Ransomware has been mainly a Western problem but it is spreading globally. America, Australia, Britain, Canada and Germany are the most affected countries, but Brazil and India are not far behind them. Victims span the public and private sectors—in recent weeks attacks have hit an Italian cloud-service provider that hosts government data, Germany’s energy agency and a Chinese bank in New York, among others. An attack on Christmas Eve disrupted emergency care at a German hospital network, and attacks on the…


UK among countries to sign ransomware payments agreement


The UK is among more than 40 countries to have signed a pledge agreeing that central government funds should not be used to pay ransomware demands to cyber criminals.

A joint statement from the Counter Ransomware Initiative (CRI) said the countries “would lead by example” by not paying ransomware demands and “strongly discourage anyone” from doing so.

The UK’s National Cyber Security Centre (NCSC) has always advised businesses and individuals to never pay ransomware demands, and it has been long-standing Government policy to not do so.

The agreement has also been signed by countries including the US, Australia, Canada, France, Germany, Japan and South Korea, as well as Interpol.


Security minister Tom Tugendhat said the agreement would help set a new “global norm”.

“Crime shouldn’t pay. That’s why the UK and her allies are demonstrating leadership on cybersecurity by pledging not to pay off criminals when they try and extort the taxpayer using ransomware,” he said.

“This pledge is an important step forward in our efforts to disrupt highly organised and sophisticated cyber criminals, and sets a new global norm that will help disrupt their business models and deter them from targeting our country.”

Ransomware is a type of malicious software used by cyber criminals which, once it has gained access to a computer system, typically encrypts data, steals it, or both.

The victim is then told to pay a large fee – often in cryptocurrency, which is harder to trace – in order to get their files back.

However, cybersecurity experts, including those at the NCSC, argue that paying a fee only benefits the criminals as it provides an incentive to continue offending and it does not guarantee the release of the affected data – a stance the CRI has now publicly backed in the agreement.

NCSC chief operating officer Felicity Oswald said: “Ransomware poses a significant threat to organisations in the UK and around the world and so international collaboration is essential for bearing down on cyber-criminal operations.

“The joint statement today demonstrates that the UK and a like-minded community of countries…
