Tag Archive for: Forums

Nation states buying hacking tools from underground Russian cyber forums


Nation states have been identified shopping on Russian cyber crime forums for malware they can use to wipe computers of data in hostile hacking attacks.

Russian-speaking hacking forums, including Exploit and XSS, run black markets in tools and services used by cyber criminals intent on making money by hacking computer systems and stealing data.

According to Sergey Shykevich, a threat intelligence expert at cyber security company Check Point Software, nation states are increasingly using underground cyber crime forums to pose as cyber criminals and hackers.

“Nation states understand that to pretend to be involved in hacktivism allows them deniability,” he told Computer Weekly. “They don’t want to be accused, even if everyone knows it’s Russia, or Iran.”

Russian forums

Some of Russia’s cyber crime forums have been in operation for more than 20 years. One of the oldest Russian-speaking forums is Exploit, which was established in 2000 and contains one million messages on over 200,000 topics, said Shykevich.

“They offer everything you could imagine,” he told Computer Weekly. “It starts with software vulnerabilities. You can rent malware, ransomware as a service and spam as a service to distribute fake phishing emails and currently even AI [artificial intelligence]-related services, and deep fake platforms.”

The forums generally exist on the deep web and don’t require a specialist Tor browser to access. But they are strictly members only.

Iran suspected of buying wiper software

Check Point discovered last year that Russian underground forums were offering wiper software, which is designed to destroy computer data irreversibly.

Wiper software is of no interest to cyber criminals who normally inhabit Russia’s hacking forums – strongly suggesting nation-state involvement.

“We saw someone, probably the Iranian government, looking for wiper software,” said Shykevich.

State-sponsored hacking groups are better funded than typical cyber criminal groups, and are not shy of advertising their spending power, said Shykevich.

They typically pay larger deposits to the administrators of cyber crime forums than other members of the hacking community.

“From all…

Source…

United States Leads Seizure of One of the World’s Largest Hacker Forums and Arrests Administrator


The Department of Justice announced Tuesday the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.

Court records unsealed today indicate that the United States recently obtained judicial authorization to seize three domains that long hosted the RaidForums website. These domains were “raidforums.com,” “Rf.ws,” and “Raid.lol.” According to the affidavit filed in support of these seizures, from in or around 2016 through February 2022, RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing the sensitive personal and financial information of victims in the United States and elsewhere, including stolen bank routing and account numbers, credit card information, login credentials and social security numbers.

“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator.”

“Our interagency efforts to dismantle this sophisticated online platform – which facilitated a wide range of criminal activity – should come as a relief to the millions victimized by it, and as a warning to those cybercriminals who participated in these types of nefarious activities,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either.”

“The seizure of the RaidForums website – which facilitated the sale of…

Source…

Windows MSHTML zero-day exploits shared on hacking forums



Threat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks.

Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to craft malicious documents, including Office and RTF files, which execute commands on the victim’s computer when opened.

Even though no security update is yet available for CVE-2021-40444, Microsoft decided to disclose the vulnerability and publish mitigations to help prevent its exploitation, because it had been discovered in active attacks by EXPMON and Mandiant.

These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.

However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Guides and PoCs shared on hacking forums

When Microsoft first disclosed the Windows MSHTML zero-day, tracked as CVE-2021-40444, security researchers quickly found the malicious documents used in attacks.

While they soon reproduced the exploits, modified them for further capabilities, and discovered a new document preview vector, the researchers did not disclose details for fear other threat actors would abuse it.

Unfortunately, threat actors have been able to reproduce the exploit on their own from information, and malicious document samples posted online and have begun sharing detailed guides and information on hacking forums.

Forum posts with guides on reproducing the CVE-2021-40444 exploit

The information is simple to follow and allows anyone to create a working version of the CVE-2021-40444 exploit, including a Python server to distribute the malicious documents and CAB files.

Using this information, BleepingComputer could reproduce the exploit in about 15 minutes, as demonstrated in the video below.

Defending against the CVE-2021-40444 MSHTML vulnerability

The good news is that since the vulnerability was disclosed, Microsoft Defender and other security programs can detect and block malicious documents and CAB files used in this attack.

For example, you…
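The documents used in these attacks pull remote HTML into MSHTML through an OLE relationship whose target is external and built with the mhtml: / !x-usc: construction, which is a structural indicator that a scanner can check before a document is ever opened. The following is an added example, not code from the article or from any vendor product: a small stand-alone checker that unzips a .docx and flags OLE relationships with that shape. The two sample packages are constructed in memory for the demonstration, and the host name example.invalid is a placeholder, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for OLE objects and the package-relationships namespace.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def suspicious_ole_relationships(docx_bytes):
    """Return (rels_path, rel_id, target) for every OLE relationship whose
    target is external and uses the mhtml: or !x-usc: construction.

    Benign embedded OLE objects point at an internal part (no TargetMode) and
    are ignored; non-zip input (for example a plain RTF file) yields no findings
    rather than an exception, so the checker can run over a mixed mailbox dump.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(archive.read(name))
            except ET.ParseError:
                continue  # a corrupt part is not evidence by itself
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                lowered = target.lower()
                external = rel.get("TargetMode", "").lower() == "external"
                if external and (lowered.startswith("mhtml:") or "!x-usc:" in lowered):
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample_docx(rels_xml):
    """Construct a minimal .docx package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one with an ordinary embedded object,
# one with the external mhtml:/x-usc: target seen in the CVE-2021-40444 documents.
BENIGN_RELS = (
    "<Relationships xmlns='%s'>"
    "<Relationship Id='rId2' Type='%s' Target='embeddings/oleObject1.bin'/>"
    "</Relationships>" % (PKG_NS, OLE_REL_TYPE)
)
MALICIOUS_RELS = (
    "<Relationships xmlns='%s'>"
    "<Relationship Id='rId5' Type='%s' TargetMode='External' "
    "Target='mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html'/>"
    "</Relationships>" % (PKG_NS, OLE_REL_TYPE)
)

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("malicious", MALICIOUS_RELS)):
        print(label, suspicious_ole_relationships(build_sample_docx(rels)))
```

Because the article notes that researchers bypassed Microsoft’s ActiveX-blocking mitigation by modifying the exploit, a structural check like this one is a complement to those registry mitigations rather than a replacement, and it should sit beside whatever the endpoint product already detects.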

Source…

Hackers update Gootkit RAT to use Google searches and discussion forums to deliver malware


Security analysts and an SEO expert explain how this new approach uses legitimate websites to trick users into downloading infected files.


It was only a matter of time before cybercriminals turned their attention to one of the most common activities on the internet: a Google search. The latest trick is using long-tail search terms and legitimate websites to deliver the Gootkit remote access trojan.

This latest iteration of the Gootkit RAT uses “malicious search engine optimization techniques to squirm into Google search results,” as Sophos analysts describe it in a blog post. The cybersecurity firm reports that criminals are using this new variation they call Gootloader to deliver malware payloads in North America, South Korea, Germany and France. The Sophos research found that bad actors are not targeting other search engines as frequently or as successfully.


Chris Rodgers, CEO and founder of Colorado SEO Pros, said that this new tactic uses Google as a gateway and SEO knowledge, particularly about long-tail searches.

“They had to go in and find topics that are low competition and low search volume and they have to be doing this at massive volume for it to be lucrative,” he said.

Hackers seem to be getting control through content management systems like WordPress and via plugins.

“That is a definite doorway and from there being able to create these fake forms,” he said. “It’s pretty creative as shady hacking stuff goes.”

Gaurav Banga, founder and CEO of cybersecurity company Balbix, said that with the recent Gootloader malware, bad actors are “SEO poisoning” by compromising legitimate and highly-trafficked websites by accessing the site back-end, editing content to improve SEO, and…

Source…