Category: Cyber Security

  • Apex Legends Finals Halted: Integrity Breach Rocks Tournament

    The finale of the North American division of the esteemed eSports discipline Apex Legends was abruptly suspended due to a breach of “competitive integrity.”

    A nefarious individual managed to infiltrate the computers of professional players with cheating software—aimbots (for automatic targeting) and wallhacks (to see opponents through obstacles)—during the final matches of the tournament. The situation escalated when a player was banned for using an aimbot cheat before the organizers decided to suspend the competition.

    Following the incident, social networks were abuzz with rumors of a potential large-scale hack into the Apex Legends security systems, affecting not just the eSports community but the entire gaming audience. Some users reported detecting viruses on their computers after conducting scans, though there is no confirmation yet that this is directly linked to the mentioned hack.

    At present, the identity of the hacker remains unknown, but speculation suggests the involvement of a hacker known as Destroyer2009, who previously targeted Apex Legends athletes. Unconfirmed reports indicate that the perpetrator exploited a vulnerability to remotely execute malicious code on the tournament players’ computers.

    The circumstances surrounding the incident remain uncertain. Respawn and publisher EA have merely postponed the finals, without issuing any official statements. Some influential streamers recommend refraining from launching Apex Legends until the issue is resolved, although there have been no calls for a mass uninstallation of the game yet.

    The introduction of cheating programs into the accounts of professional eSports athletes to disrupt a major tournament and the subsequent ban of a participant transcends ordinary in-game cheating. The developers at Respawn are tasked with thoroughly investigating the root causes of the incident and swiftly announcing specific measures to restore security and rectify the situation.

    Adding to the concern is the recent dismissal of 23 employees from Respawn, including Apex Legends developers, which could indicate a need to bolster the game’s security team.

  • Stolen Crypto Funneled Through Tornado Cash by Lazarus Group

    Recent research from the blockchain analytics firm Elliptic reveals that the North Korean hacker group Lazarus has resumed using the Tornado Cash service to launder stolen funds. A total of $23 million, pilfered during an attack on the cryptocurrency exchange HTX in November, was recently laundered through this service.

    Tornado Cash, a cryptocurrency mixing service, faced sanctions from U.S. authorities in August 2022, yet its decentralized structure has allowed it to continue operating. The U.S. Department of the Treasury also imposed sanctions against a similar service, Sinbad.io, in November of the previous year.

    Lazarus Group’s return to Tornado Cash highlights the limited availability of major mixing services still operational after stringent law enforcement actions. Elliptic reports that the hackers conducted over 60 transactions totaling more than $23 million through Tornado Cash to obscure the trail of the funds.

    The use of services like Tornado Cash and Sinbad.io enables North Korean cybercriminals to conceal the origins of the stolen funds and legitimize them. According to the U.S. government, such activities facilitate the circumvention of international sanctions related to North Korea’s military programs.

    Over the past three years, hacking groups linked to North Korea have stolen vast amounts of cryptocurrency: approximately $1.7 billion in 2022 and around $1 billion in 2023.

    Elliptic continues to track the movement of $112.5 million stolen since the HTX attack in November. The stolen cryptocurrency remained static until March 13, when transactions through Tornado Cash were detected. Other blockchain security companies have also confirmed the movement of funds.

    Elliptic’s research underscores the importance of monitoring and analyzing cryptocurrency transactions to secure digital assets and counteract the financing of malicious activities on the international stage.

    In their attempts to cover their tracks, hackers may bide their time before transferring funds from one crypto wallet to another. Nonetheless, blockchain experts remain vigilant, always ready to inform law enforcement of the precise destination of the stolen cryptocurrency.

  • Hackers Abuse Windows Feature: RedCurl’s Stealthy Attack

    Trend Micro has unveiled novel cyberattack methodologies employed by the RedCurl group, which manipulates a legitimate Windows component to execute malevolent commands.

    The Program Compatibility Assistant (PCA), designed to address compatibility issues with older programs, is now being exploited by malefactors to bypass security systems and covertly execute commands by using the tool as an alternative command-line interpreter.

    RedCurl’s attack sequence involves phishing emails with malicious attachments in ISO and IMG formats to initiate a multistage process. This begins with downloading the curl utility from a remote server, which then serves as a conduit for delivering the loader (ms.dll or ps.dll).

    The malicious DLL library, in turn, utilizes PCA to initiate the download process, establishing a connection with the same domain used by curl to download the loader. Additionally, cybercriminals employ the open-source software Impacket for unauthorized command execution.

    Active since 2018 and first identified in 2019, the RedCurl group specializes in cyber espionage. The malefactors employ distinctive tools to pilfer business correspondence, personal employee data, and legal documents.

  • Cyber-Threat Alert: Blind Eagle Strikes Spanish-Speaking Businesses

    The cybercriminal collective known as Blind Eagle has intensified its attacks on Spanish-speaking users, particularly those employed in the manufacturing sector of North America.

    To disseminate malware, the hackers have adopted a novel type of downloader named Ande Loader. The aim of these attacks is the delivery of Remote Access Trojans (RATs), including well-known examples such as Remcos and NjRAT.

    According to the Canadian cybersecurity firm eSentire, the cybercriminals use phishing emails containing RAR and BZ2 archives as the trigger for the malicious chain. The password-protected archives contain a Visual Basic Script (VBScript) file, which establishes the malware’s persistence on the target system and launches Ande Loader. The loader, in turn, executes the Remcos RAT.

    In an alternative attack variant observed by specialists, the perpetrators use a Discord link to distribute a BZ2 archive, which launches Ande Loader to deliver NjRAT instead of Remcos RAT.

    eSentire notes that the Blind Eagle group utilizes special encryptors (crypters) to camouflage malicious components, crafted by hackers under the aliases Roda and Pjoao1578. Among these encryptors, researchers highlight the programs FuckCrypt and UpCry.

    Thus, the Blind Eagle group has demonstrated an expansion of its attack geography and the refinement of its methods for delivering malware, targeting industrial enterprises while actively employing sophisticated means to circumvent protective mechanisms.

    To avoid such attacks, companies need to implement multilayered protection measures, including advanced solutions for monitoring endpoints, network traffic, and cloud activity.

    Furthermore, it is crucial to regularly conduct cybersecurity training for employees to counteract social engineering and phishing attacks, often the initial point of intrusion.

    Only a comprehensive approach to cybersecurity, combining protective measures, monitoring, and increased awareness, can ensure enterprises’ resilience against modern cyber threats.

  • Canada Cracks Down on Ransomware: LockBit Hacker Sentenced

    In Canada, a verdict was rendered against one of the administrators of the notorious LockBit group, which specializes in the dissemination of ransomware.

    Mikhail Vasiliev, 34, who holds Canadian and Russian citizenship, pleaded guilty to eight charges and was sentenced to nearly four years in prison. Vasiliev was arrested about a year and a half ago, in October 2022, in Bradford, Canada, as part of an international operation involving authorities from Europe, the USA, and Canada.

    Justice Michelle Fuerst branded Vasiliev a “cyberterrorist” and highlighted that his actions were motivated by personal financial interests. In addition to his prison sentence, the man was also ordered to pay $860,000 in restitution to the victims.

    Vasiliev admitted to charges related to cyber extortion, illegal possession of weapons, and other crimes. His activities inflicted severe damage on three Canadian companies in 2021 and 2022. Moreover, the criminal was involved in LockBit’s operations during the COVID-19 pandemic.

    It is also reported that Vasiliev agreed to extradition to the USA, where charges have been brought against him, including conspiracy to intentionally damage protected computers and transmitting ransom demands. If found guilty in the USA, he faces up to five years of imprisonment.

    Vasiliev is one of two known members of LockBit currently in custody. In the USA, Ruslan Astamirov also awaits trial, accused of using LockBit against victims in Florida, Kenya, France, and Japan.

    The past few months have been marked by an international fight against LockBit. In February, British authorities managed to dismantle the group’s infrastructure and identify numerous affiliated individuals. Two members of the group were arrested in Ukraine and Poland, although their identities have not yet been disclosed.

    Despite authorities’ attempts to cease the group’s operations, LockBit’s leadership mocks the efforts of the special services and claims to grow stronger with each blow from law enforcement.

    To this day, LockBit remains one of the most active ransomware operations, with thousands of government institutions, businesses, and organizations worldwide falling victim.

    The group began its activities in 2019, offering its software as a service. According to Recorded Future, these extortionists are responsible for nearly 2,300 attacks, with total ransoms exceeding $120 million.

  • Zero-Day Attack: DarkGate Targets Windows CVE-2024-21412 Vulnerability

    In mid-January, security researchers identified a significant campaign distributing the malicious software DarkGate, exploiting a recently patched Microsoft Windows security vulnerability in a zero-day fashion, that is, before its correction.

    According to Trend Micro, the attacks commenced with the use of PDF files containing Google DoubleClick open redirects, leading victims to compromised websites. These sites utilized the vulnerability CVE-2024-21412, circumventing Windows SmartScreen protection and installing malicious installers masquerading as popular applications like iTunes, Notion, and NVIDIA, distributed in the “.msi” format.

    CVE-2024-21412, rated at 8.1 on the CVSS scale, allows unauthenticated attackers to bypass SmartScreen protection using a specially crafted malicious file.

    Microsoft addressed this vulnerability in the February Patch Tuesday update. Before that, however, it was exploited both to distribute DarkGate and to deliver the DarkMe malware used by the Water Hydra group against financial institutions.

    In the DarkGate operation, the hackers combined CVE-2024-21412 with Google Ads redirects to disseminate their malware. When a victim clicked a link in a PDF attachment received via a phishing email, the malicious file exploiting the vulnerability was downloaded.

    Besides CVE-2024-21412, experts also recorded the use of another Windows SmartScreen vulnerability, CVE-2023-36025, rated 8.8 on the CVSS scale, which hackers from TA544 successfully exploited in November of the previous year.

    Security researchers emphasize the importance of vigilance and the necessity of avoiding software installation from unreliable sources. This includes not only counterfeit installers but also the misuse of Google Ads technologies, allowing attackers to scale their operations.

    Furthermore, there is a noted increase in the number of new malware families capable of stealing confidential information, as well as a rise in the use of popular platforms for malware distribution, often incorporating elements of social engineering.

    The findings underscore the complexity of securing modern cyberspace and the need for a comprehensive approach to digital protection for both organizations and individual users.

  • Leicester Suffers Major Cyber Attack

    Authorities in Leicester, a city in Leicestershire, Britain, have reported a serious cyber incident that necessitated the temporary shutdown of the city’s operational systems and critical telephone lines.

    The disruption to services was first noticed on March 7, and the decision to temporarily disconnect was taken to avert potential adverse consequences.

    By March 8, local authorities officially labeled the emerging problem as a “cyber incident,” commonly understood to imply attacks involving malicious software, though no official confirmation has been made yet.

    Cybersecurity experts have speculated that the disruption might stem from a ransomware attack, but to date, no known ransomware groups have claimed responsibility for the incident.

    Leicester’s authorities assert they are collaborating with cybersecurity specialists and law enforcement to investigate the incident’s circumstances and restore system operations, with a particular focus on critical services.

    Some online forms for reporting child protection and accessing housing services became temporarily unavailable due to the attack, prompting the establishment of emergency telephone numbers. City officials have apologized for the inconvenience and vow to minimize the impact on essential services.

    Eerke Boiten, a cybersecurity professor at De Montfort University in Leicester, highlighted that such cyberattacks are not uncommon for municipalities, and their repercussions can significantly hinder the everyday operations of city services. However, he expressed confidence in the Leicester City Council’s strong information management reputation, which could minimize potential damage from the compromise.

    Leicester is not alone in facing such threats: over the past year, several other British municipalities have fallen victim to similar attacks.

    Cyber incidents involving malicious software and ransomware always deal a serious blow to the operations of city services and critical municipal systems, directly affecting citizens’ lives by creating obstacles and inconveniences to accessing everyday city services they rely on.

    Furthermore, in addition to virtual attacks, Britain has recently seen an increase in physical assaults on network infrastructure, including the cutting of communication cables and vandalism of equipment. Affected internet providers attribute these incidents to mere vandalism, though such attacks may be conducted with deliberate and malicious intent.

  • French Government Websites Crippled in DDoS Attack

    Several French governmental organizations have experienced cyberattacks of unprecedented intensity, as reported by the country’s Prime Minister’s office on March 11th. These attacks commenced on the evening of March 10th, and while their exact nature remains unspecified, they are presumed to be Distributed Denial of Service (DDoS) attacks.

    The French government highlighted that the attacks employed well-known technical methods, yet the intensity of these assaults was unparalleled. DDoS attacks, by design, do not permit the malefactors to steal information but can obstruct access to network resources by overloading servers with spurious requests.

    Such incidents are occasionally linked to state-sponsored groups; however, the simplicity of execution means that any malefactor, even those with limited hardware resources, can carry out such an attack.

    The French government has refrained from speculating about the origins of these attacks, leaving the true identity of the digital assailants unknown.

    Nonetheless, the hacktivist group Anonymous Sudan quickly claimed responsibility, announcing in their Telegram channel that they had conducted a massive cyberattack poised to inflict substantial damage across various governmental sectors, including critical websites and their subdomains.

    Anonymous Sudan is a well-known hacktivist organization that, in the past year, has launched numerous DDoS attacks on websites in countries such as Sweden, Denmark, and Israel, largely in response to their perceived anti-Muslim stance on certain issues.

    Denial-of-service attacks use one computer or, in the distributed (DDoS) form, a network of computers to send a flood of requests to a target system, limiting its ability to respond to legitimate users.

    The attacks reportedly targeted several government services, though it remains unclear if they were confined solely to the publicly accessible sites of the French government.

    The French government’s statement also noted that experts promptly implemented measures to mitigate the impact, significantly reducing the effect on most services and eventually fully restoring access.

  • Magnet Goblin Exploits 1-Day Flaws: Act Now!

    The group known as Magnet Goblin has been actively exploiting vulnerabilities in publicly accessible servers to deploy malware on Windows and Linux systems.

    This group focuses on exploiting 1-day vulnerabilities—security flaws that have been disclosed and patched, requiring swift action from adversaries before the targeted systems are updated.

    Check Point analysts, who uncovered Magnet Goblin’s activities, observed the group’s eagerness to exploit vulnerabilities immediately after the publication of a proof-of-concept (PoC) exploit. Targets include devices and services such as Ivanti Connect Secure, Apache ActiveMQ, ScreenConnect, Qlik Sense, and Magento; exploiting their vulnerabilities leads to server infections with specialized malware, including NerbianRAT and MiniNerbian, as well as WARPWIRE, a custom JavaScript malware variant used for credential theft.

    An analysis of the infrastructure involved in campaigns against Magento and Ivanti revealed the use of additional tools for Linux and Windows, including the ScreenConnect program. A possible connection to the ransomware CACTUS, utilized in attacks on the Qlik Sense business analytics platform, was also noted.

    Particular attention is given to the Linux malware NerbianRAT, known since 2022, and its simplified version MiniNerbian. Both versions are capable of gathering system information, executing Command and Control (C2) server commands, and facilitating encrypted communication. Experts note that MiniNerbian uses HTTP for data transmission and is active only during specific hours.

    Magnet Goblin employs its tools to maintain persistent control over compromised systems, utilizing various communication methods: MiniNerbian communicates via HTTP, while NerbianRAT uses raw TCP sockets.

    According to Check Point, identifying specific threats like Magnet Goblin’s attacks among all 1-day exploit data poses a challenging task. This issue allows hackers to remain undetected amidst the chaos following the disclosure of vulnerabilities.

    To counter the exploitation of 1-day vulnerabilities, the timely application of patches is critically important. Additional measures, such as network segmentation, endpoint protection, and multi-factor authentication, can help mitigate the risk and impact of potential breaches.

  • Fake Government Emails: TA4903 Targets Businesses

    A report by the leading company Proofpoint has unveiled a sophisticated cyber fraud scheme orchestrated by the hacker group TA4903. This gang specializes in Business Email Compromise (BEC) attacks and has, over the past few years, launched phishing campaigns under the guise of various U.S. government institutions.

    To mask their illicit activities, the cybercriminals pose as the Department of Transportation, the Department of Agriculture, and the Small Business Administration of the United States. The emails they distribute contain malicious PDF attachments with QR codes.

    When the QR code is scanned, the victim is redirected to meticulously disguised phishing sites that mimic the official portals of these institutions. Depending on the bait used, users may be directed to counterfeit Office 365 login pages.

    Although the TA4903 group has been active since at least 2019, Proofpoint experts have noted a sharp increase in its activity from mid-2023 to the present. In the past, the malefactors utilized the EvilProxy tool to bypass multifactor authentication, but this method has not been observed this year.

    TA4903’s motivation is purely financial. Having gained unauthorized access to corporate networks and email accounts, the cybercriminals meticulously scour them for banking details, payment information, and data on trade partners. Based on this information, they conduct BEC attacks, sending fraudulent payment requests or altering payment details on behalf of the compromised accounts.

    In several incidents recorded since mid-2023, the malefactors sent emails on behalf of compromised partner organizations that were nearly indistinguishable from authentic ones. Victims were informed about a fictitious cyberattack and advised to update their payment details.

    According to Proofpoint, TA4903 poses a significant threat to organizations worldwide, targeting a broad range of entities. Recently, experts have noted a shift in focus from hacking government institutions to targeting small businesses, though it remains unclear whether this is a temporary tactic or the beginning of a new trend.

    The complexity of the BEC attack scheme, involving multiple stages, provides organizations with numerous opportunities to detect malicious activity. Nonetheless, a comprehensive multilayered approach to information security remains the most effective means of countering such threats.