Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News
Feed last updated: Wed, 01 Jun 2022 23:24:24 +0000

FBI seizes infrastructure of Weleakinfo and other cyber criminal platforms
https://www.securitynewspaper.com/2022/06/01/fbi-seizes-infrastructure-of-weleakinfo-and-other-cyber-criminal-platforms/
Wed, 01 Jun 2022 23:24:21 +0000

The post FBI seizes infrastructure of Weleakinfo and other cyber criminal platforms appeared first on Information Security Newspaper | Hacking News.

In a joint statement, the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ) announced the seizure of the domain name WeLeakInfo.to and two other domain names (ipstress.in and ovh-booter.com) as part of an international investigation related to illegal access to personal information.

The statement describes these online platforms as “worryingly common threats,” detailing how threat actors used these sites to traffic in stolen personal information: “Using strong relationships with our international partners, we will address crimes like these, which threaten privacy, security, and commerce around the world.”

WeLeakInfo.to operators claimed to provide their users with a search engine to review and obtain personal information illegally obtained in more than 10,000 data breach incidents, with around 7 billion records indexed, exposing data such as full names, phone numbers, email addresses, and even online account passwords.

The report describes the domains ipstress.in and ovh-booter.com as platforms for launching denial-of-service (DoS) attacks, commonly known as booter or stresser services. From these websites, threat actors could flood a targeted web server with malicious traffic, making it inaccessible to legitimate users.

With this operation, the seized domain names, and any related domains, are now in the custody of the federal government, effectively shutting down these malicious services. Visitors to the sites will now find a seizure banner stating that U.S. federal authorities are responsible for the seizure.

The seizure of these domains was part of a coordinated police action with the authorities of Belgium and the Netherlands. These police agencies arrested one of the main operators of the platforms and collaborated in several raids.

U.S. authorities have asked anyone who has information about other members of this cybercriminal operation to file a complaint immediately, as this is a critical time to act against these groups.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Threat actors could have hacked the U.S. Drug Enforcement Administration (DEA) and other related law enforcement agencies. Investigation still ongoing
https://www.securitynewspaper.com/2022/05/13/threat-actors-could-have-hacked-the-u-s-drug-enforcement-administration-dea-and-other-related-law-enforcement-agencies-investigation-still-ongoing/
Fri, 13 May 2022 18:18:10 +0000

The U.S. Drug Enforcement Administration (DEA) reports that it has begun an investigation into alleged cyberattacks that would have compromised up to 16 databases of federal agencies. According to KrebsOnSecurity researchers, this incident could be related to a cybercriminal group whose members pose as law enforcement officers in order to access sensitive information.

A few days ago, investigators were alerted to a group of hackers holding a username and password for the Law Enforcement Inquiry and Alerts (LEIA) system, which allows searches for information both internally and in external database repositories, including data classified as “sensitive to law enforcement.” This report was shared with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ). In total, LEIA enables federated searches of 16 federal law enforcement databases in the U.S.

The report received by KrebsOnSecurity includes screenshots indicating that the hackers may have accessed the El Paso Intelligence Center (EPIC), one of the databases accessible through LEIA. In this database, the threat actors would have been able to search all kinds of records on seized assets, including cars, boats, weapons and even drones.

Strangely, this information was reported to KrebsOnSecurity by “KT”, administrator of an alleged online cybercriminal community known as Doxbin. This same threat actor has been identified as the leader of Lapsus$, a hacking group that recently carried out high-profile attacks against well-known companies such as Microsoft, NVIDIA and Samsung.

This hacker is also blamed for operating a service that offers fake Emergency Data Requests (EDR), using compromised email accounts belonging to law enforcement agencies to ask tech companies, while posing as police officers, for their users’ confidential information.

Although this activity has been linked to some alleged members of Lapsus$, it is currently unknown exactly who is behind these attacks, and the possibility of a nation-state-sponsored hacking group is still being considered. The DEA will continue to investigate the reports, so further details remain to be officially announced.

Man gets 5 years for buying 38,000 PayPal stolen account credentials from the Internet
https://www.securitynewspaper.com/2022/05/12/man-gets-5-years-for-buying-38000-paypal-stolen-account-credentials-from-the-internet/
Thu, 12 May 2022 22:13:13 +0000

The U.S. Department of Justice (DOJ) announced that Marcos Ponce, 37, has been sentenced to five years in prison for his participation in a fraudulent scheme based on the purchase of stolen PayPal account credentials, defrauding affected users of more than $1 million USD.

The Austin, Texas, resident pleaded guilty to conspiracy to commit electronic fraud in late 2021. As part of his plea agreement, he will also have to pay a total of $1.4 million in restitution for the harm caused to his victims.

According to prosecutors, between 2015 and 2018 Ponce and his accomplices created user accounts on an illegal dark web platform, specializing in the sale of confidential information such as access credentials to PayPal and other similar services.

Employing social engineering tactics, the suspect tricked third parties into accepting money transfers from the compromised PayPal accounts, in an attempt to avoid any trace linking the cybercriminal activity to his own accounts.

Kenneth Polite of the DOJ’s Criminal Division believes resolutions like this are important in the fight against organized crime: “The Department remains strongly committed to protecting people from scammers like this. This sentence sends a clear message to would-be thieves: online crime has real-world consequences.”

Access credentials for PayPal accounts are a highly attractive target for cybercriminals. Last August, a group of fraudsters posed as Europol officials and threatened their victims with alleged criminal proceedings in order to gain access to their PayPal accounts.

Finally, Assistant Director in Charge Steven D’Antuono of the FBI’s Washington Field Office said: “Today’s sentencing sends a message that the FBI will pursue cybercriminals across the globe; hiding behind a computer does not mean you can stay anonymous or out of reach of law enforcement”.

150-year-old college shuts down permanently after ransomware attack
https://www.securitynewspaper.com/2022/05/10/150-year-old-college-shuts-down-permanently-after-ransomware-attack/
Tue, 10 May 2022 16:21:54 +0000

Lincoln College, an arts school based in Illinois, announced its definitive shutdown after severe financial damage caused by a ransomware attack, coupled with the devastating consequences of the COVID-19 pandemic. The institute had just completed 157 years of operation, and had already survived catastrophes such as a massive fire in the early twentieth century, the Great Depression, and the financial crisis of 2008.

For the institution, the coup de grâce was the ransomware attack, which led to the decision to close its operations as of May 13. Lincoln College notified the Illinois Department of Higher Education and Commission on Higher Learning of its decision.

On its website, Lincoln College announced that all of its computer systems were impacted by the attack and that, once the systems were restored, it became clear that the school could not resume normal operations: “Projections showed significant deficiencies, which would require a donation or partnership to sustain Lincoln College beyond the current semester.”

Finally, the institution’s president, David Gerlach, posted a message expressing his feelings about the end of such a long history: “Lincoln College has been serving students around the world for over 157 years. The loss of history, careers and a community of students and alumni is immense.”

Ransomware infections have become a serious threat to academic institutions around the world. According to a report by security firm Emsisoft, during 2021 alone, more than 1,000 schools in America and Europe suffered from encryption malware infections; in the U.S., a total of 88 educational institutions in 62 school districts saw their activities disrupted by these cyberattacks.

In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that educational institutions would become the main target of ransomware operations alongside healthcare facilities. Just a few months later, the FBI warned school districts about a wave of Pysa ransomware attacks.

5 members of Yura, a murder-for-hire operation on the dark web, are arrested. Platforms such as Besa Mafia, Cosa Nostra and Crimebay shut down
https://www.securitynewspaper.com/2022/04/11/5-members-of-yura-a-murder-for-hire-operation-on-the-dark-web-are-arrested-platforms-such-as-besa-mafia-cosa-nostra-and-crimebay-shut-down/
Mon, 11 Apr 2022 17:09:55 +0000

Romanian authorities have confirmed the arrest of the operators of some fraudulent dark web platforms on which the defendants offered the services of fake for-hire murderers. The fake hitmen, operating platforms such as Besa Mafia, Cosa Nostra and Crimebay, will face charges of incitement to murder, organized crime and money laundering.

Agents of the Service to Combat Cybercrime in Romania (DCCO) carried out raids on seven houses in the cities of Gorj and Hunedoara, arresting five alleged operators of the fraudulent sites. Investigators seized 18 mobile phones, 10 laptops, 15 memory cards, 7 bank cards, 13 hard drives, a cryptocurrency wallet and multiple records related to the websites.

This was an operation coordinated by law enforcement in the United States: “Authorities in the U.S. determined that these platforms are operated by five or more people on Romanian territory; we act in a coordinated manner to carry out this operation,” said a statement from the DCCO.

The statement adds that the suspects made profits of up to 500,000 Euros. “Yura,” the hacker identified as a member in charge of this fraudulent operation, was located in Ukraine a couple of months ago with the help of Chris Monteiro, a white-hat hacker who has been attacking dark web platforms for years; Monteiro linked a suspicious IP address to a city in Romania, taking the first steps towards dismantling this cybercriminal operation.

Yura began to attract the attention of law enforcement in Europe in 2017, when the National Crime Agency (NCA) and the Bulgarian Police identified him as the main operator of the illegal platform Crime Bay. Although Monteiro assumes that Yura has already been arrested, he acknowledges that the cybercriminal is skilled and knows very well how to disappear before being found.

Finally, Monteiro estimates that Yura would have earned about $6,539,800 USD for his work at the head of this group, a large discrepancy from the almost 500,000 Euros that the Romanian authorities mentioned.

A member of one of the most dangerous hacking groups has been arrested
https://www.securitynewspaper.com/2022/03/11/a-member-of-one-of-the-most-dangerous-hacking-groups-has-been-arrested/
Fri, 11 Mar 2022 17:10:13 +0000

A court in Ontario, Canada has sentenced Sebastien Vachon-Desjardins to seven years in prison after pleading guilty to participating as an affiliate in the dangerous NetWalker ransomware operation. The defendant reportedly pleaded guilty to five criminal charges, including data theft, extortion, conspiracy to commit fraud and illegal access to protected computer systems.

In addition to the time he must spend in prison, the accused must repay part of the damages caused by his attacks, accept the seizure of his property and serve a period of supervised release. Vachon-Desjardins is believed to have been involved in at least 17 ransomware attacks, generating losses of about $2.8 million USD.

In 2020, Canadian authorities began receiving reports related to NetWalker’s activity, sent by the Federal Bureau of Investigation (FBI). Authorities in the U.S. believed there was a group affiliated with the ransomware operation working from Quebec. Thanks to the collection of IP addresses, online accounts, aliases, email addresses and logs from Apple, Google, Microsoft and Mega.nz, the researchers were able to identify Vachon-Desjardins.

The defendant was arrested in Florida a couple of months ago, when the U.S. Department of Justice (DOJ) released a report claiming that NetWalker’s unit in Canada managed to raise up to $27.5 million USD, targeting organizations such as Northwest Territories Power Corporation, College of Nurses of Ontario and a large local tire store.

Although the defendant claimed that about 1,200 Bitcoin passed through his electronic wallet, investigators have only been able to seize 720 of them from Vachon-Desjardins’ accounts, since the defendant managed to convert part of these assets into cash. At the time of his arrest, Vachon-Desjardins had more than half a million dollars in cash in his possession.

For the authorities, this arrest and sentence are not minor incidents: “The defendant was not an insignificant actor in these and other crimes, as he played a dominant role and helped NetWalker and other affiliates improve their ability to extort money from their victims and launder their illegal profits,” says G. Paul Renwick, the Canadian judge in charge of the case.

Renwick notes that the defendant already had a criminal record on drug charges, having been sentenced to 3 1/2 years in prison in 2015.

Ragnarlocker ransomware encrypts the information of 52 critical infrastructure agencies in the US
https://www.securitynewspaper.com/2022/03/08/ragnarlocker-ransomware-encrypts-the-information-of-52-critical-infrastructure-agencies-in-the-us/
Tue, 08 Mar 2022 21:41:43 +0000

RagnarLocker is a ransomware operation first detected in 2020 and has remained active despite constant changes and measures implemented by governments around the world against such groups.

Since the beginning of 2022, the Federal Bureau of Investigation (FBI) has identified at least 52 ransomware-infected organizations in 10 critical infrastructure sectors, including manufacturing, financial services, energy, information technology and government entities.

RagnarLocker is easily identifiable as it uses the “.RGNR_<ID>” extension, where <ID> is a hash of the computer’s NETBIOS name. Once the encryption process has been completed, the threat actors leave a ransom note with instructions for making the payment and decrypting the affected information. RagnarLocker uses VMProtect, UPX, and custom packing algorithms, and is deployed inside an attacker-controlled custom Windows XP virtual machine at the target’s site.

Ragnar Locker also uses the GetLocaleInfoW Windows API to identify the location of the infected machine. If the potential victim is identified as being of Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Tajik, Russian, Turkmen, Uzbek, Ukrainian, or Georgian origin, the process will be cut short.

The malware then iterates through all running services and terminates those used by managed service providers for remote network administration. The malware will also attempt to delete all shadow copies, preventing victims from recovering the compromised files.

Finally, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders will be left unencrypted, so the affected devices continue to work normally while hundreds of the victim’s files are encrypted in the background.

The FBI considers RagnarLocker to be an active threat and whose activity could be highly damaging to critical U.S. infrastructure, so system administrators should implement some of the following recommendations:

  • Enable offline backups of critical data
  • Do not share critical information from a compromised network
  • Use multi-factor authentication and strong passwords, including for remote access services
  • Keep computers, devices and applications always updated to the latest available version

The Agency also recommends not negotiating with cybercriminal groups, as this can sometimes result in a worst-case scenario for victims.

Errors in the encryption process allow victims of Hive ransomware to recover their information without paying a single dollar to hackers
https://www.securitynewspaper.com/2022/02/21/errors-in-the-encryption-process-allow-victims-of-hive-ransomware-to-recover-their-information-without-paying-a-single-dollar-to-hackers/
Mon, 21 Feb 2022 23:52:36 +0000

A bug in the Hive ransomware encryption algorithm would allow victims to recover their information without having to negotiate with hackers. This is a ransomware-as-a-service (RaaS) operation that resorts to the double extortion method, encrypting information and demanding a ransom in exchange for not leaking this sensitive data.

This operation experienced rapid growth in the first half of 2021, which led the Federal Bureau of Investigation (FBI) to publish an alert detailing the characteristics of the Hive ransomware, its technical details and some recognizable indicators of compromise. A report by the security firm Chainalysis points out that this was one of the 10 most successful ransomware operations of 2021, using all kinds of resources at its disposal.

According to researchers at Kookmin University in South Korea, Hive uses a hybrid encryption scheme, employing its own symmetric encryption to block access to infected files, and a flaw in that scheme made it possible to recover the master key and generate a decryption key independently. The researchers claimed that infected files were successfully recovered using this method.

This is considered the first successful attempt so far to break the Hive ransomware’s encryption, demonstrating a success rate of over 95%; the process is described in the following diagram:

In more detail, the researchers explained that this ransomware variant generates 10 MiB of random data to use as a master key; for each file to be encrypted, it extracts 1 MiB and 1 KiB of data from a segment of the master key and uses these pieces as the keystream.

These fragments of the master key are stored in the name assigned to each affected file, so it is possible to determine the rest of the master key and decrypt the compromised files.

Of all the keys recovered, approximately 72% of the files were decrypted, while the restored master key managed to decrypt approximately 82% of the infected files, which could prove highly beneficial for users still dealing with attacks by this malware variant. It is true that the developers of Hive could correct this problem in future versions of the ransomware, but in the meantime the researchers have made an important finding that impacts its operations.

How scammers are using deep fake to impersonate CEO and directors during zoom calls to empty company bank accounts
https://www.securitynewspaper.com/2022/02/17/how-scammers-are-using-deep-fake-to-impersonate-ceo-and-directors-during-zoom-calls-to-empty-company-bank-accounts/
Thu, 17 Feb 2022 17:40:11 +0000

A security alert issued by the Federal Bureau of Investigation (FBI) signals the detection of a wave of the attack known as business email compromise (BEC), in which threat actors use social engineering, phishing and even artificial intelligence tools such as deepfakes to infiltrate video call sessions on platforms such as Zoom and redirect bank transfers issued by affected organizations.

The Agency believes that the recent focus on videoconferencing platforms is a new attempt by threat actors to abuse the shift towards remote work caused by the pandemic: “Between 2020 and 2021 we detected an increase in BEC complaints related to the use of videoconferencing platforms for malicious purposes,” the researchers note.

Threat actors have devised an attack by combining various malicious techniques focused specifically on video calling platforms, managing to deceive some members of organizations by posing as directors, owners or staff of financial areas for the purpose of collecting confidential financial information.

The FBI detailed some scenarios of this attack variant, including:

  • Employing stolen images and deepfake audio, threat actors could pose as company directors, inviting employees to illegitimate virtual meetings to obtain transfers to hacker-controlled accounts
  • Threat actors can pose as employees to simply intercept sensitive information of the affected company
  • Using the stolen information, hackers can deploy phishing and social engineering campaigns for subsequent attacks

Through its Internet Crime Complaint Center (IC3), the FBI reports that these types of attacks proved very lucrative over the past two years, generating losses of approximately $1.8 billion USD, more than a quarter of the damages caused by all cybercrime variants.

Of the nearly 800,000 complaints received by the IC3, 19,400 relate to BEC attacks, campaigns that primarily affect private organizations, although government agencies are not immune to these attacks.

Ransomware victims have paid over $1.3 billion USD ransoms since 2020 despite FBI recommendations of not paying to hackers
https://www.securitynewspaper.com/2022/02/10/ransomware-victims-have-paid-over-1-3-billion-usd-ransoms-since-2020-despite-fbi-recommendations-of-not-paying-to-hackers/
Thu, 10 Feb 2022 22:07:11 +0000

Ransomware is still one of the most lucrative hacking variants for cybercriminal groups. In its latest report, the firm Chainalysis reports that groups operating encryption malware made profits of up to $1.3 billion USD between 2020 and 2021, numbers that are sure to be surpassed in the coming years.

To be specific, cybercriminals collected $692 million in payments in 2020 and $602 million in 2021, though the numbers could still grow as new reports are filed. The trend is clearly upward, as between 2018 and 2019 ransomware groups accumulated profits of around $190 million USD.

According to Chainalysis, the Conti ransomware variant generated the most revenue in 2021. Operating out of Russia, Conti raised at least $180 million USD from its victims, consolidating itself as the most important ransomware as a service (RaaS) platform today.

Conti has been in the crosshairs of the U.S. government for months; in mid-2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported detecting more than 400 attacks related to this strain of malware, compromising medical services agencies, industrial facilities, and utilities.

This week, the governments of Australia, the United States and the United Kingdom issued an alert about the persistent and dangerous threat that ransomware has become. According to this document, hackers continue to develop advanced attack techniques, including professional business models, and even resort to other practices derived from the infection, such as the sale of confidential information.

In this regard, the administration of President Joe Biden has implemented a series of initiatives to strengthen the cyber defenses of public and private organizations in the U.S., especially after incidents such as the attacks on Colonial Pipeline and Kaseya impacted multiple areas of critical infrastructure.

At the end of 2021, the White House hosted a meeting with representatives of 30 countries that agreed to work together to reduce the number of successful ransomware attacks in 2022, with proposals including stiffer criminal penalties for ransomware operators and better financial intelligence mechanisms to trace payments.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

“Geofence warrant” allows police to obtain location data from Google users near crime scenes and arrest them https://www.securitynewspaper.com/2022/02/08/geofence-warrant-allows-police-to-obtain-location-data-from-google-users-near-crime-scenes-and-arrest-them/ Tue, 08 Feb 2022 17:13:40 +0000 https://www.securitynewspaper.com/?p=24825

The post “Geofence warrant” allows police to obtain location data from Google users near crime scenes and arrest them appeared first on Information Security Newspaper | Hacking News.

In a technique that looks like something out of a science-fiction movie, the Federal Bureau of Investigation (FBI) obtained a court order compelling Google to identify Android devices that were near the Seattle police union building late on August 24, 2020, when demonstrators associated with the Black Lives Matter (BLM) movement attempted to set fire to the building, forcing the evacuation of everyone inside.

According to the report, the investigative agency used a so-called “geofence warrant” to force Google to hand over information about devices running its Android mobile operating system that were in the area at the time of the attack. (In practice such warrants reach any device that reports Location History to Google, whatever its operating system.)

In the warrant application, an officer stated that the incident began shortly before midnight, when two unidentified suspects intentionally damaged the building using homemade explosives: “Based on this information, we believe there is probable cause to seek information in Google’s possession and related to devices located near the scene of the incident.”

The order requires Google to hand over Location History data, including GPS fixes and the records of nearby Wi-Fi access points and Bluetooth beacons that the devices reported to Google, and to identify the devices within scope using the coordinates, date and time window supplied by the FBI.
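The mechanics of answering such a request can be illustrated with a small geofence filter. The following Python example is added here for illustration; it is not the article's code, nor Google's or the FBI's. The record layout, device identifiers, coordinates and time window are all constructed, and the treatment of the accuracy radius is an assumption of this example about how a careful analyst would handle imprecise fixes. It returns which devices had a fix inside the fence during the window and separately flags devices whose reported accuracy circle extends beyond the fence, since those may never have been inside it at all.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class LocationRecord:
    """One Location History fix as a provider might store it (constructed layout)."""
    device_id: str      # pseudonymous device identifier (hypothetical values below)
    ts: datetime        # timezone-aware timestamp of the fix
    lat: float          # WGS-84 latitude in degrees
    lon: float          # WGS-84 longitude in degrees
    accuracy_m: float   # radius (metres) of the circle the device is believed to be in
    source: str         # how the fix was derived: "gps", "wifi" or "bluetooth"


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points on a spherical Earth."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def geofence_matches(records, center_lat, center_lon, radius_m, start, end):
    """Return {device_id: status} for devices with a fix overlapping the fence in [start, end].

    'inside'    - at least one fix whose whole accuracy circle lies within the fence
    'uncertain' - fixes only overlap the fence edge; the device may have been outside
    Devices with no overlapping fix in the window are not returned at all.
    """
    result = {}
    for rec in records:
        if not (start <= rec.ts <= end):
            continue                                   # outside the time window
        d = haversine_m(center_lat, center_lon, rec.lat, rec.lon)
        if d + rec.accuracy_m <= radius_m:
            status = "inside"                          # accuracy circle fully inside fence
        elif d - rec.accuracy_m <= radius_m:
            status = "uncertain"                       # accuracy circle only overlaps fence
        else:
            continue                                   # no overlap with the fence
        if result.get(rec.device_id) != "inside":      # keep the strongest status per device
            result[rec.device_id] = status
    return result


def _t(day: int, hour: int, minute: int) -> datetime:
    """Helper for constructed August 2020 UTC timestamps."""
    return datetime(2020, 8, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample: a 100 m fence around a hypothetical point, 23:45-00:15 UTC.
FENCE_LAT, FENCE_LON, FENCE_RADIUS_M = 47.6200, -122.3500, 100.0
WINDOW_START, WINDOW_END = _t(24, 23, 45), _t(25, 0, 15)

SAMPLE_RECORDS = [
    LocationRecord("dev-A", _t(24, 23, 55), 47.62005, -122.35005, 10.0, "gps"),     # ~7 m away
    LocationRecord("dev-A", _t(25, 0, 10), 47.6300, -122.3500, 10.0, "gps"),        # later, ~1.1 km away
    LocationRecord("dev-B", _t(24, 23, 58), 47.6208, -122.3500, 60.0, "wifi"),      # ~89 m away, +/-60 m
    LocationRecord("dev-C", _t(24, 23, 50), 47.6300, -122.3500, 20.0, "gps"),       # ~1.1 km away
    LocationRecord("dev-D", _t(24, 22, 0), 47.6200, -122.3500, 5.0, "gps"),         # at centre, wrong time
    LocationRecord("dev-E", _t(25, 0, 5), 47.6200, -122.3490, 500.0, "bluetooth"),  # ~75 m away, +/-500 m
]


def demo() -> dict:
    """Apply the fence to the constructed sample and return the per-device statuses."""
    return geofence_matches(SAMPLE_RECORDS, FENCE_LAT, FENCE_LON, FENCE_RADIUS_M,
                            WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for dev, status in sorted(demo().items()):
        print(f"{dev}: {status}")
```

In the sample, dev-C is far from the fence and dev-D is at its centre but outside the time window, so neither is returned. dev-B and dev-E are returned only as uncertain: dev-E's coarse 500 m fix merely overlaps the fence, which is exactly the kind of hit that can sweep a bystander into an investigation if the accuracy radius is ignored.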

For obvious reasons, privacy activists expressed concern, arguing that Google should not hand over these sensitive records to law enforcement without a clearly defined case, since such a request amounts to a dragnet for potential suspects rather than a search for a known one.

Such measures can turn anyone who happened to be near a crime scene into a suspect: if your mobile device appears in the returned data, the authorities can serve you with a subpoena and even seek full access to the information stored on your smartphone.

A Google spokesperson said, “As with any other legal request, we have a rigorous process that is designed to protect the privacy of our users while supporting the important work of law enforcement,” though it has not been confirmed whether the FBI will have access to the desired information.

China launches more cyber attacks than any other country: New FBI report https://www.securitynewspaper.com/2022/02/03/china-launches-more-cyber-attacks-than-any-other-country-new-fbi-report/ Thu, 03 Feb 2022 23:31:35 +0000 https://www.securitynewspaper.com/?p=24817

The post China launches more cyber attacks than any other country: New FBI report appeared first on Information Security Newspaper | Hacking News.

In a recent speech, Federal Bureau of Investigation (FBI) Director Christopher Wray attributed the largest cyberattack campaigns against the United States to the Chinese Communist Party, arguing that for the current regime in Beijing there is no such thing as peacetime in cyberspace.

More than 2,000 of the FBI’s active investigations involve operations attributed to the Chinese government, whose agents have been caught spying on people of interest in the U.S., stealing sensitive information and even breaking into software and systems critical to North America.

Wray claims that the Chinese government has stolen an unprecedented volume of information, causing severe damage to organizations of every kind, and that the bureau now opens new China-related cases at a rate of roughly two per day.

Chinese state-sponsored hackers use a wide range of methods and tools to compromise Western targets, and their targeting follows declared strategic priorities. The industrial plan known as “Made in China 2025” lists ten key sectors in which China intends to lead globally over the coming years, including robotics, clean energy, aerospace and pharmaceutical research; according to Wray, those priorities are pursued even at the cost of intellectual property theft.

In addition to outright cyberwarfare tactics, the Chinese Communist Party relies on its most skilled intelligence officers to obtain critical information that could be used against its adversaries. The Chinese government also invests heavily in spreading its ideological influence and in co-opting key actors abroad.

Faced with this threat, the FBI uses its full intelligence resources to identify and dismantle hacking campaigns orchestrated by the Chinese Communist Party as early as possible. In one recent court-authorized operation, FBI agents removed backdoors (web shells) from compromised Microsoft Exchange servers, closing off access that could have proved disastrous for thousands of public and private organizations.

U.S. agencies also share their findings with the independent research community and security firms so that defenders stay current on the latest threats. In this way, the FBI demonstrates its commitment to cooperating with law enforcement agencies around the world and works to ensure that cybercriminals cannot act freely against critical targets.
