Cyber security week in review: February, 10

US, UK sanction Russian criminals linked to Trickbot cyber gang

The US and UK authorities have imposed sanctions against seven Russian nationals believed to be leading members of the Trickbot cybercriminal gang, which is accused of targeting critical infrastructure in both countries, including hospitals and medical facilities.

The sanctioned Russians were named as:

  • Vitaly Kovalev (aka Bently and Ben), a senior figure within the Trickbot Group. He was also charged by the US Department of Justice with conspiracy to commit bank fraud and eight counts of bank fraud

  • Maksim Mikhailov (aka Baget), a developer for the Trickbot Group

  • Valentin Karyagin (aka Globus), who has been involved in the development of ransomware and other malware projects

  • Mikhail Iskritskiy (aka Tropa), who has worked on money-laundering and fraud projects for the Trickbot Group

  • Dmitry Pleshevskiy (aka Iseldor), who worked on injecting malicious code into websites to steal victims’ credentials

  • Ivan Vakhromeyev (aka Mushroom), who has worked for the Trickbot Group as a manager

  • Valery Sedletski (aka Strix), who has worked as an administrator for the Trickbot Group, including managing servers

The sanctions mean that these cyber threat actors have had all their US and UK assets frozen and are banned from travelling to the two countries. US and UK companies are now forbidden from paying ransoms to the group, and financial entities are mandated to freeze any of the group's assets.

Notorious Finnish hacker “Zeekill” arrested in France

Julius “Zeekill” Kivimäki, one of the most wanted cybercriminals in Finland and former Lizard Squad hacker, was arrested by French authorities for his role in a hack of the Finnish psychotherapy center Vastaamo that exposed personal data of thousands of patients. Kivimäki has been charged with eight offenses tied to Vastaamo including hacking, leaking people's private information and falsifying evidence.

Police dismantle Exclu encrypted messaging platform used by criminals

A joint operation carried out by law enforcement authorities from the Netherlands, Belgium and Poland has resulted in the shutdown of the Exclu encrypted messaging service, which had an estimated 3 000 users, including members of organized crime groups. The law enforcement action coordinated by Europol and Eurojust has led to 45 arrests in the Netherlands and Belgium. The suspects included users of the app, as well as administrators and owners of the Exclu service. As part of the operation 79 locations were searched in the Netherlands, Germany and Poland. Two drug laboratories were dismantled and EUR 5.5 million in cash, 300 000 ecstasy tablets, 20 firearms and 200 phones were seized.

Global phishing operation used over 500 apps to steal data from phones

An 11-month joint operation conducted by Hong Kong police and Interpol disrupted a massive phishing campaign that used 563 bogus apps to steal financial and personal information from victims’ smartphones. The operation, dubbed “Operation Magicflame”, targeted a cybercrime group that used SMS phishing to redirect victims to malware-laden apps masquerading as banking, financial institution, media player, dating and camera apps. The campaign targeted people in various countries, mostly Japan and South Korea.

Thousands of VMware ESXi servers hit with the ESXiArgs ransomware

Thousands of unpatched VMware ESXi servers worldwide have been targeted in a massive ransomware wave. The threat actors appear to be exploiting a two-year-old remote code execution vulnerability affecting VMware ESXi to deploy the ESXiArgs ransomware.

Tracked as CVE-2021-21974, the flaw is a heap-based buffer overflow in the OpenSLP service that can be exploited by an unauthenticated attacker for remote code execution on the underlying server. The bug affects ESXi versions 7.x prior to ESXi70U1c-17325551, ESXi versions 6.7.x prior to ESXi670-202102401-SG, and ESXi versions 6.5.x prior to ESXi650-202102101-SG.
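As an added triage example (not from the roundup, CISA or VMware), the following Python classifies ESXi release strings from a host inventory against the three fixed releases named above. It assumes the naming conventions stated in the code comments and runs over a constructed sample inventory; anything it cannot classify is flagged for manual review rather than silently marked safe.

```python
import re

# Earliest fixed release per ESXi train, exactly as named in the roundup.
FIXED = {
    "7.0": 17325551,    # ESXi70U1c-17325551 (build number)
    "6.7": 202102401,   # ESXi670-202102401-SG (patch ID)
    "6.5": 202102101,   # ESXi650-202102101-SG (patch ID)
}

# Assumed naming: 7.0 releases end in a build number, 6.x releases in a
# YYYYMM-plus-sequence patch ID; both only grow within a train.
_RELEASE_RE = re.compile(r"^(ESXi70U\w+|ESXi670|ESXi650)-(\d+)(?:-SG)?$")
_TRAIN = {"ESXi670": "6.7", "ESXi650": "6.5"}  # anything ESXi70U* is 7.0

def parse_release(release):
    """Return (train, number), or None if not in the assumed naming form."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    prefix, number = m.group(1), int(m.group(2))
    return _TRAIN.get(prefix, "7.0"), number

def is_vulnerable(release):
    """True = older than the fix, False = fixed, None = unclassifiable
    (e.g. ESXi 8.x or a differently named 7.0 patch): review by hand."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    train, number = parsed
    return number < FIXED[train]

# Constructed sample inventory (hostname,release); not real hosts.
INVENTORY = """\
esx01.lab.example,ESXi670-202011002
esx02.lab.example,ESXi70U1c-17325551
esx03.lab.example,ESXi650-202102101-SG
esx04.lab.example,ESXi70U1b-17168206
esx05.lab.example,ESXi80U1-20513097
"""

def triage(inventory_text):
    """Map each host to True (patch now), False (fixed) or None (review)."""
    result = {}
    for line in inventory_text.splitlines():
        if line.strip():
            host, release = line.split(",", 1)
            result[host.strip()] = is_vulnerable(release)
    return result
```

A host that is fixed by version can still have the SLP service exposed for other reasons, so treat a False here as "not affected by this CVE", not as a clean bill of health.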

The US Cybersecurity and Infrastructure Security Agency (CISA) has provided a tool that allows recovery of VMware ESXi servers encrypted by the ESXiArgs ransomware. However, it appears that a second ESXiArgs ransomware wave is underway that uses a modified encryption routine which encrypts far more data in large files, making it much harder to recover encrypted VMware ESXi servers.

Reddit says its employees targeted in a phishing campaign

Reddit, a popular social media site, said it suffered a data breach in early February where an attacker gained access to some internal docs, code, as well as some internal dashboards and business systems using an employee’s credentials obtained via a spear-phishing attack. Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information.

The company said it has no evidence that any users’ non-public data has been accessed, or that Reddit’s information has been leaked online.

Emergency patch released for actively exploited GoAnywhere MFT zero-day

Fortra has released an emergency fix, version 7.1.2, to address a zero-day vulnerability in its GoAnywhere MFT secure file transfer software that has been actively exploited by hackers. The zero-day bug resides in the administrative web interface and could be exploited by a remote attacker to achieve remote code execution via a malicious request.

British engineering company Vesuvius discloses a cyberattack

Vesuvius, the UK molten metal flow engineering company, reported it was dealing with a cyber incident that has “involved unauthorised access to our systems.” Following the incident the company shut down the affected systems and launched an investigation into the attack. Vesuvius did not provide any details regarding the nature of the incident, or whether any data was stolen.

Chip equipment maker MKS Instruments hit with ransomware

MKS Instruments Inc., a US-based process control instrumentation company, said it suffered a ransomware attack that impacted some of its business systems, including production-related systems. The company said that the incident occurred on February 3, 2023, and that the investigation into the matter is ongoing. MKS has temporarily suspended operations at certain facilities as it works to contain the incident.

Cyberattack on the largest Canadian bookstore Indigo impacts online orders, electronic payments

Indigo Books & Music, the largest bookstore chain in Canada, has been hit with a cyberattack that has impacted online customer orders. The incident affected the company’s ability to process electronic payments, accept gift cards or deal with returns. No other details of the cybersecurity issue were released. Indigo said it is working with third-party experts to restore the affected systems and determine if customer data has been accessed.

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

A Russia-linked threat actor known as Nodaria (UAC-0056) is using a new infostealer called “Graphiron” to steal data from organizations in Ukraine. Active since at least March 2021, Nodaria is a relatively new cyber-espionage group that is primarily focused on Ukraine, but has been known to target entities in Kyrgyzstan and Georgia.

The group’s new tool, Graphiron, is written in the Go programming language and is meant to collect a wide range of data from infected systems, including system information, credentials, screenshots, SSH keys, and files.

Threat actors target Ukrainian government agencies with Remcos spyware

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that attempt to install the Remcos remote access tool on systems belonging to Ukrainian government bodies, likely for cyber-espionage. The mass phishing campaign observed by CERT-UA has been linked to a threat actor the agency tracks as UAC-0050. According to CERT-UA, previous attacks by the threat actor involved the use of a free remote access tool called RemoteUtilities.

Microsoft says Iranian hackers behind Charlie Hebdo data leak

An Iran-linked government-backed hacker group is said to be responsible for a recent cyber operation against French satirical magazine Charlie Hebdo where attackers stole and leaked customer private data.

As per Microsoft, the Holy Souls cyber operation used several techniques previously observed in attacks by Iranian state-sponsored hackers such as a hacktivist persona claiming credit for the cyberattack, claims of a successful website defacement, leaking of private data online, the use of social media accounts with fake or stolen identities to amplify their operation, impersonation of authoritative sources, and contacting news media outlets.

TA866 targets orgs in the US and Germany with WasabiSeed and Screenshotter malware

A new threat actor tracked as TA866 has been observed targeting organizations in the United States and Germany with the goal of deploying credential-stealing malware. The attack chain also involves reconnaissance tools including malware that takes screenshots of the desktops of infected computers. In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.

TA866’s first campaigns were observed in October 2022 and activity has continued into 2023. The threat actor appears to be financially motivated, but cyber-espionage may also be the goal.
