russian hacker | Breaking Cybersecurity News | The Hacker News

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which make use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said. Midnight Blizzard, formerly known as Nobelium , is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes. The  group , which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has  continued  to rely on  unseen tooling  in its targeted attacks aimed at foreign ministries and diplomatic entities. It's a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area. "These credential attacks us

An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The emails, per the  agency , are sent using compromised accounts and come with a ZIP archive that, in reality, is a  polyglot file  containing a decoy document and a JavaScript file. The JavaScript code is then used to launch an executable that paves for the execution of the  SmokeLoader malware . SmokeLoader, first detected in 2011, is a  loader  whose main objective is to download or load a stealthier or more effective malware onto infected systems. CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers. In a related advisory, Ukraine's cybersecurity authority also revealed details of destructive attacks orch

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine. Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as  Nodaria , which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056. "The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files," the Symantec Threat Hunter Team  said  in a report shared with The Hacker News. Nodaria was  first spotlighted  by CERT-UA in January 2022, calling attention to the adversary's use of  SaintBot and OutSteel malware  in spear-phishing attacks targeting government entities. Also called DEV-0586, TA471, and UNC2589, the hacking crew has been linked to the destructive WhisperGate (aka PAYWIPE ) data wiper attacks targeting Ukrainian entities around the same time.

A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov, 30, was  arrested  in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023. "Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad," the Department of Justice (DoJ)  said . Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds. According to DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and trans

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as  Gamaredon  for its targeted cyber attacks on public authorities and critical information infrastructure in the country. The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a  track record  of  striking   Ukrainian entities  dating as far back as 2013. "UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC  said . "For now, the UAC-0010 group uses  GammaLoad and GammaSteel  spyware in their campaigns." GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands. The goal of t

The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming following a successful phishing attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere  said  in a technical write-up. APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is  known  for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR). Some of the adversarial collective's cyber activities are tracked publicly under the moniker  Nobelium , a threat cluster responsible for the widespread supply chain compromise through SolarWinds software in December 2020. The Google-owned threat intelligence and inciden

The Computer Emergency Response Team of Ukraine (CERT-UA) has  cautioned  of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware. Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism A Very Real Threat.rtf" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap. Follina ( CVE-2022-30190 , CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its Patch Tuesday updates , but not before it was subjected to widespread zero-day exploit activity by numerous threat actors. According to an independent report published by Malwarebytes,  CredoMap  is a variant of the .NET-based credenti

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022. "The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes  said  in a technical report published Tuesday. The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as  Deep Panda . The attack chains, while leveraging different lures over the course of two months, all employed the same malware barring small differences in the source code. The campaign is said to have commenced around February 26, days after Russia's military invasion of Ukraine, with the emails distributing the RAT under the guise of an interac

Yaroslav Vasinskyi , a Ukrainian national, linked to the Russia-based  REvil ransomware group  has been extradited to the U.S. to face charges for his role in carrying out the file-encrypting malware attacks against several companies, including Kaseya last July. The 22-year-old had been previously arrested in Poland in October 2021, prompting the U.S. Justice Department (DoJ) to  file charges  of conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. Ransomware is the digital equivalent of extortion wherein cybercrime actors encrypt victims' data and take it hostage in return for a monetary payment to recover the data, failing which the stolen information is published online or sold to other third-parties. According to the DoJ, in addition to the headline-grabbing attacks on JBS and Kaseya, REvil is said to have propagated its infection to more than 175,000 computers, netting the

In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations. The surprise takedown, which it said was carried out at the request of the U.S. authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organized cybercrime syndicate. "In order to implement the criminal plan, these persons developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet," the FSB  said  in a statement. In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets u

Ukraine's premier law enforcement and counterintelligence agency on Thursday disclosed the real identities of five individuals allegedly involved in digital intrusions attributed to a cyber-espionage group named Gamaredon , linking the members to Russia's Federal Security Service (FSB). Calling the hacker group "an FSB special project, which specifically targeted Ukraine," the Security Service of Ukraine (SSU)  said  the perpetrators "are officers of the 'Crimean' FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014." The names of the five individuals the SSU alleges are part of the covert operation are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych. Since its inception in 2013, the Russia-linked  Gamaredon  group (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) has been re

A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group. Court documents showed that Vladimir Dunaev , 38, along with other members of the transnational, cybercriminal organization, stole money and confidential information from unsuspecting victims, including individuals, financial institutions, school districts, utility companies, government entities, and private businesses. Starting its roots as a banking trojan in 2016, TrickBot has  evolved  into a modular, multi-stage Windows-based crimeware solution capable of pilfering valuable personal and financial information, and even dropping ransomware and post-exploitation toolkits on compromised devices. The malware is also  notorious  for its  resilience , having survived at least two takedowns spearheaded by Microsoft and the U.S. Cyber Command

An "aggressive" financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks. Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group rechristened as FIN12, and previously tracked under the name  UNC1878 , with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific. The designation marks the first time a ransomware affiliate group has been promoted to the status of a distinct threat actor. "FIN12 relies on partners to obtain initial access to victim environments," Mandiant researchers  said . "Not

A nascent information-stealing malware sold and distributed on underground Russian underground forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting  exotic programming languages  to bypass security protections, evade analysis, and hamper reverse engineering efforts. Dubbed " Ficker Stealer ," it's notable for being propagated via Trojanized web links and compromised websites, luring in victims to scam landing pages purportedly offering free downloads of  legitimate paid services  like Spotify Music, YouTube Premium, and other Microsoft Store applications. "Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program." First seen in the wi

Russia-linked state-sponsored threat actor known as Sandworm has been linked to a three-year-long stealthy operation to hack targets by exploiting an IT monitoring tool called Centreon . The intrusion campaign — which breached "several French entities" — is said to have started in late 2017 and lasted until 2020, with the attacks particularly impacting web-hosting providers, said the French information security agency ANSSI in an advisory. "On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet," the agency  said  on Monday. "This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel." The Russian hacker group (also called APT28, TeleBots, Voodoo Bear, or Iron Viking) is said to be behind some of the most devastating cyberattacks in p

Cybersecurity researchers, for the first time, may have found a potential connection between the backdoor used in  the SolarWinds hack  to a previously known malware strain. In new  research  published by Kaspersky researchers today, the cybersecurity firm said it discovered several features that overlap with another backdoor known as  Kazuar , a .NET-based malware first documented by Palo Alto Networks in 2017. Disclosed early last month, the  espionage campaign  was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed "Sunburst." Shared Features Between Sunburst and Kazuar Attribution for the SolarWinds supply-chain compromise has been difficult in part due to little-to-no clues linking the attack infrastructure to previous campaigns or other well-known threat groups. But Kaspersky's latest analysis of th

Cybersecurity researchers today took the wraps off a previously undocumented backdoor and document stealer that has been deployed against specific targets from 2015 to early 2020. Codenamed " Crutch " by ESET researchers, the malware has been attributed to  Turla  (aka Venomous Bear or Snake), a Russia-based advanced hacker group known for its extensive attacks against governments, embassies, and military organizations through various watering hole and spear-phishing campaigns. "These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators," the cybersecurity firm said in an analysis shared with The Hacker News. The backdoor implants were secretly installed on several machines belonging to the Ministry of Foreign Affairs in an unnamed country of the European Union. Besides identifying strong links between a Crutch sample from 2016 and Turla's yet another second-stage backdoor called  Gazer , t