
This page is for anyone trying to find their way in the overwhelming world of open-source intelligence. It's a collection of my favorite OSINT resources, and I hope it helps you find new ways to learn from some amazing people.


Key Findings

  • A network of at least 123 websites operated from within the People’s Republic of China while posing as local news outlets in 30 countries across Europe, Asia, and Latin America, disseminates pro-Beijing disinformation and ad hominem attacks within much larger volumes of commercial press releases. We name this campaign PAPERWALL.
  • PAPERWALL has similarities with HaiEnergy, an influence operation first reported on in 2022 by the cybersecurity company Mandiant. However, we assess PAPERWALL to be a distinct campaign with different operators and unique techniques, tactics and procedures.
  • PAPERWALL draws significant portions of its content from Times Newswire, a newswire service that was previously linked to HaiEnergy. We found evidence that Times Newswire regularly seeds pro-Beijing political content, including ad hominem attacks, by concealing it within large amounts of seemingly benign commercial content.
  • A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing’s critics are routinely removed from these websites some time after they are published.
  • We attribute the PAPERWALL campaign to Shenzhen Haimaiyunxiang Media Co., Ltd., aka Haimai, a PR firm in China, based on digital infrastructure linkages between the firm’s official website and the network.
  • While the campaign’s websites enjoyed negligible exposure to date, there is a heightened risk of inadvertent amplification by the local media and target audiences, as a result of the quick multiplication of these websites and their adaptiveness to local languages and content.
  • These findings confirm the increasingly important role private firms play in the realm of digital influence operations and the propensity of the Chinese government to make use of them.

Why Exposing this Type of Campaign Matters

Beijing is increasing its aggressive activities in the sphere of influence operations (IOs), both online and offline. In the online realm, relevant to the findings in this report, Chinese IOs are shifting their tactics and increasing their volume of activity. For example, in November 2023 Meta – owner of the social media platforms Facebook, Instagram, and WhatsApp – announced the removal of five networks engaging in “coordinated inauthentic behavior” (i.e. influence operations) and targeting foreign audiences. Meta described this as a marked increase in Chinese IO activity, stating that “for comparison, between 2017 and November 2020, we took down two CIB networks from China, and both mainly focused on the Asia-Pacific region. This represents the most notable change in the threat landscape, when compared with the 2020 [US] election cycle.”

Seeding ad hominem attacks on Beijing’s critics can result in particularly harmful consequences for the targeted individuals, especially when, as in PAPERWALL’s case, it happens within much larger amounts of ostensibly benign news or promotional content that lends credibility to and expands the reach of the attacks. The consequences to these individuals can include, but are not limited to, their delegitimization in the country that hosts them; the loss of professional opportunities; and even verbal or physical harassment and intimidation by communities sympathetic to the Chinese government’s agenda.

This report adds to the evidence, reported by other researchers, of the increasingly important role played by private firms in the management of digital IOs on behalf of the Chinese government. For example, an October 2023 blog post by the RAND corporation summarized recent public findings on this issue, and advocated for the disruption of the disinformation-for-hire industry through the use of sanctions or other available legal and policy means.

It should be noted that disinformation-for-hire companies, driven by revenue, not ideology, tend not to be discerning about the motivations of their clients. As major recent press investigations have shown, both their origin and their client base can truly be global. Exposing this actor type, and its tactics, can help understand how governments seek plausible deniability through the hiring of corporate proxies. It can also refocus research on the latter, increasing deterrence by exposing their actions.


We're very familiar with the many projects in which Raspberry Pi hardware is used, from giving old computers a new lease of life through to running the animated displays so beloved by retailers. But cracking BitLocker? We doubt the company will be bragging too much about that particular application.

The technique was documented in a YouTube video over the weekend, which demonstrated how a Raspberry Pi Pico can be used to gain access to a BitLocker-secured device in under a minute, provided you have physical access to the device.

A Lenovo laptop was used in the video, posted by user stacksmashing, although other hardware with the same design is also vulnerable. The technique relies on a discrete Trusted Platform Module (TPM): a separate chip that talks to the CPU over a bus that can be probed. On many modern systems the TPM is implemented in firmware inside the CPU package (a firmware TPM, or fTPM), so there is no external bus to tap and the technique shown does not apply.

However, if you get your hands on a similarly vulnerable device secured with BitLocker, gaining access to the encrypted storage appears embarrassingly simple. The crux of it is that in BitLocker's default TPM-only configuration, the TPM unseals and releases the volume master key (VMK) to the CPU during boot without any user interaction, and the key crosses the bus in the clear. Sniff the bus at the right moment and you have it.

This particular laptop had exposed connector contacts on the board that, with a custom connector, gave access to the signals between the two chips. Stir in a logic analyzer running on the Raspberry Pi Pico and, for less than $10 in components, you can capture the VMK and unlock the drive.

Microsoft has long accepted that such attacks are possible, although it describes them as a "targeted attack with plenty of time; the attacker opens the case, solder, and uses sophisticated hardware or software."

At less than a minute in the example, we'd dispute the "plenty of time" claim, and while the Raspberry Pi Pico is undoubtedly impressive for the price, at less than $10, the hardware spend is neither expensive nor specific.

If your hardware is vulnerable, the mitigation is to stop the TPM from releasing the key on its own: configure a pre-boot PIN (a TPM+PIN protector) or a startup key on USB, so the VMK is only unsealed after the user supplies a second factor and a bus sniffer on an unattended machine captures nothing. Administrators should inventory which volumes are protected by a TPM protector alone, with no PIN or startup key; that is the exposed configuration.

It's enough to send administrators scurrying to their inventory lists to check for hardware they would be forgiven for assuming had been safely encrypted.

As one wag observed: "Congratulations! You found the FBI's backdoor."


Hackers allegedly connected to China’s government are conducting attacks with the long-term goal of causing physical destruction, according to a new advisory from several of the world’s leading cyber agencies.

The Cybersecurity and Infrastructure Security Agency (CISA), NSA and FBI published an advisory alongside the cybersecurity directorates in Australia, New Zealand and the U.K. outlining the tactics of Volt Typhoon — a China-based hacking group that has caused alarm at the senior-most levels of government over the last year.

“The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts,” the advisory said.

The agencies “assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

In one example, Volt Typhoon — which overlaps with BRONZE SILHOUETTE and TAG-87 — stole multiple zipped files that “included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear.”

“This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems,” the agencies said.

The advisory, first reported by CNN, says that several U.S. agencies have seen that Volt Typhoon hackers have been “maintaining access and footholds within some victim IT environments for at least five years.”

Since last summer, U.S. agencies have been on high alert about Volt Typhoon’s actions — which were first discovered through espionage attacks on critical infrastructure organizations in Guam and other parts of the U.S. around military bases.

The New York Times and Washington Post reported last summer that U.S. officials believed the campaign to be tied to preparatory efforts around a potential invasion of Taiwan, where Chinese officials would allegedly seek to slow down the U.S. deployment of forces. President Xi Jinping has allegedly ordered his military to be prepared to invade Taiwan by 2027.

Since the initial report on the group’s actions in Guam, dozens of reports have been released about Volt Typhoon’s efforts and researchers have since uncovered multiple campaigns with the goal of burrowing into U.S. critical infrastructure enough to enable destructive actions.

Last week, the U.S. Justice Department confirmed that it disrupted the “KV Botnet” malware run by Volt Typhoon. FBI Director Christopher Wray said in a statement that Chinese hackers are “targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”

Communications, water, energy and transportation

The lengthy advisory published Wednesday highlights Volt Typhoon’s wide-ranging success in pre-positioning themselves on the IT networks of multiple critical infrastructure organizations — most notably those involved in the communications, energy, transportation, and water and wastewater systems sectors.

The attacks included organizations in the continental and non-continental United States and its territories, including Guam. Some of the victims identified are smaller organizations with limited cybersecurity protections.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the advisory explained.

“The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”

The advisory notes that Canada’s threat exposure is “likely lower than that to U.S. infrastructure” but said any attack on the U.S. would likely affect Canada “due to cross-border integration.” The officials made a similar assessment of Australia and New Zealand critical infrastructure.

Volt Typhoon typically relies on valid accounts and other tools that allow for long-term, undiscovered persistence. The hackers conduct extensive research into their targets and tailor their techniques for each organization they plan to breach.

They also “dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

The hackers track an organization’s security apparatus, user behavior and the actions of IT staff. The agencies said they have seen situations where hackers refrained from using stolen credentials outside of normal working hours to avoid triggering security alerts.

They typically gain initial access by exploiting known and unknown vulnerabilities in public-facing network appliances like routers, firewalls and virtual private networks. From there, they attempt to obtain administrator credentials to pivot into wider access to the network.

“Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets,” the authoring agencies said.

“Volt Typhoon actors have been observed testing access to domain-joined OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised.”

These kinds of attacks enable the group to cause a variety of disruptions, including “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities).”

The agencies have seen in at least one confirmed compromise that the hackers had moved laterally into a control system and were positioned to move into a second if they wanted.

At times, Volt Typhoon hackers will compromise legitimate accounts and conduct almost no activity, suggesting their goal is persistence instead of immediate impact. Some organizations are targeted repeatedly, sometimes over the span of several years. They also delete logs in order to hide their actions.
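The log deletion mentioned above is one of the few behaviours in this tradecraft that leaves a reliable, high-fidelity trace on the host itself. The following is an added detection sketch, not code from the advisory or from any of the authoring agencies. Windows writes Security event 1102 when the Security log is cleared and System event 104 when another log is cleared, and both record the account that did it. The event records below are constructed, flattened samples of the fields you would pull from an EVTX or SIEM export, not real data; the computer names, accounts and addresses are invented for illustration. The correlation is deliberately simple: for every clear event, list the logons (event 4624) of the same account on the same host during the preceding 24 hours, so an analyst sees where the account came from before the trail was cut.

```python
"""Flag event-log clearing and attach the clearing account's recent logons.

Added example for illustration. Event IDs 1102 (Security log cleared) and
104 (System channel, other log cleared) are real Windows identifiers; the
record layout and sample data are constructed, not taken from any victim.
"""
from datetime import datetime, timedelta
from typing import Dict, List

Event = Dict[str, object]

# (channel, event_id) pairs that mean "an event log was cleared"
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}


def ts(value: object) -> datetime:
    return datetime.fromisoformat(str(value))


def find_log_clears(events: List[Event], lookback_hours: int = 24) -> List[Dict[str, object]]:
    """Return one alert per log-clear event, with the clearing account's prior logons."""
    alerts: List[Dict[str, object]] = []
    by_time = sorted(events, key=lambda e: ts(e["time"]))
    for ev in by_time:
        if (ev["channel"], ev["event_id"]) not in LOG_CLEAR_IDS:
            continue
        t_clear = ts(ev["time"])
        account = ev.get("subject_user")  # SubjectUserName on 1102/104
        window_start = t_clear - timedelta(hours=lookback_hours)
        prior_logons = [
            e for e in by_time
            if e["event_id"] == 4624                    # successful logon
            and e["channel"] == "Security"
            and e["computer"] == ev["computer"]
            and e.get("target_user") == account         # TargetUserName on 4624
            and window_start <= ts(e["time"]) < t_clear
        ]
        alerts.append({
            "computer": ev["computer"],
            "time": ev["time"],
            "account": account,
            "cleared": ev["channel"],
            "logon_sources": sorted({str(e["ip"]) for e in prior_logons}),
            "logon_types": sorted({int(e["logon_type"]) for e in prior_logons}),
        })
    return alerts


# Constructed sample records (flattened EVTX fields); names and IPs are invented.
SAMPLE_EVENTS: List[Event] = [
    {"time": "2024-01-15T08:02:11", "computer": "HIST-SRV01", "channel": "Security",
     "event_id": 4624, "target_user": "svc_hist", "ip": "10.20.30.40", "logon_type": 10},
    {"time": "2024-01-15T09:40:57", "computer": "HIST-SRV01", "channel": "Security",
     "event_id": 4624, "target_user": "svc_hist", "ip": "10.20.30.40", "logon_type": 3},
    {"time": "2024-01-15T11:15:03", "computer": "HIST-SRV01", "channel": "Security",
     "event_id": 1102, "subject_user": "svc_hist"},
    # older than the 24 h lookback: should not be attached to the alert
    {"time": "2024-01-14T02:00:00", "computer": "HIST-SRV01", "channel": "Security",
     "event_id": 4624, "target_user": "svc_hist", "ip": "10.20.30.41", "logon_type": 3},
    {"time": "2024-01-15T12:00:00", "computer": "ENG-WS07", "channel": "Security",
     "event_id": 4624, "target_user": "jdoe", "ip": "10.0.0.5", "logon_type": 2},
]

if __name__ == "__main__":
    for alert in find_log_clears(SAMPLE_EVENTS):
        print(alert)
```

An alert whose account was reached by type 10 (remote interactive) or type 3 (network) logons from an address in the VPN or edge-appliance range is exactly the shape the advisory describes: a valid account, used from a compromised appliance, followed by the log being cleared.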

The advisory notes that the group typically used compromised Cisco and NETGEAR end-of-life home routers as part of the KV Botnet to support their operations. The hackers have also been seen exploiting vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.

“They often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities,” the advisory states.

The hackers rarely deploy malware in their attacks, instead using hands-on-keyboard activity to maintain their access.

In one attack on a water utility, the hackers used a VPN with administrator credentials to spend nine months moving laterally throughout the system, eventually obtaining access to a server with information on OT assets.

The access gave them critical information on water treatment plants, water wells, an electrical substation, OT systems, and network security devices.

The agencies urged critical infrastructure organizations to apply a range of mitigations and urgently reach out to CISA or FBI field offices in the event of an attack.

“It is vital that operators of U.K. critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems,” said Paul Chichester, director of Operations at the U.K.’s National Cyber Security Centre.

“Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services. Organizations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”


Some smart folks have found a way to automatically unscramble documents encrypted by the Rhysida ransomware, and used that know-how to produce and release a handy recovery tool for victims.

Rhysida is a newish ransomware gang that has been around since May last year.

The extortion crew targets organizations in education, healthcare, manufacturing, information technology, and government; the crooks' most high-profile attack to date has been against the British Library. The gang is thought to be linked to the Vice Society criminal group, and it's known to lease out malware and infrastructure to affiliates for a cut of the proceeds.

In research [PDF] published February 9, South Korea's Giyoon Kim, Soojin Kang, Seungjun Baek, Kimoon Kim, and Jongsung Kim explained how they uncovered an "implementation vulnerability" in the random number generator used by Rhysida to lock up victims' data.

This flaw "enabled us to regenerate the internal state of the random number generator at the time of infection," and then decrypt the data, "using the regenerated random number generator," the team wrote. The Korea Internet and Security Agency (KISA) is now distributing the free Rhysida ransomware recovery tool which is the first successful decryptor of this particular strain of ransomware.

"We aspire for our work to contribute to mitigating the damage inflicted by the Rhysida ransomware," the boffins, based variously at Kookmin University and KISA, noted in their paper.

Rhysida ransomware uses LibTomCrypt's ChaCha20-based cryptographically secure pseudo-random number generator (CSPRNG) to create encryption keys for each file.

The random number output by the CSPRNG depends on the ransomware's time of execution, a choice the researchers realized drastically limits the possible keys. Specifically, the malware uses the current time of execution as a 32-bit seed for the generator, so the effective key space is the number of plausible seconds in the infection window rather than the 2^256 suggested by the key length. Anyone who can estimate when a file was encrypted can enumerate the candidate seeds, regenerate the keys, and decrypt the file.

Some additional observations: the Rhysida ransomware uses intermittent encryption. It partially encrypts documents rather than entire files, a technique made popular by LockBit and other gangs because it's faster than encrypting everything. This approach means the criminals are less likely to be caught on the network before they've finished messing up a decent number of documents. It also speeds up the restoration process, though the usual caveats apply: don't trust machines that have had intruders' code running on them. Restoring data is one thing, but the PCs will need wiping to be safe.

The Rhysida malware, once on a victim's Windows PC, locates the documents it wishes to scramble, compiles them into a list, and fires up some simultaneous threads to perform that encryption. Each thread picks the next file on its todo pile to process, and uses the CSPRNG to generate a key to encrypt that document using the standard AES-256 algorithm. The key is stored in the scrambled file albeit encrypted using a hardcoded RSA public key. You'll need the private half of that RSA key pair to recover the file's AES key and unscramble the data.

However, as a result of this research, each file's mtime – its last modification time – can be used to determine the order in which files were processed and the time at which each thread ran. That yields the seed, and from the seed the file's AES key, with no need for the RSA private key at all.
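To make the key-space collapse concrete, here is an added toy reconstruction of the weakness; it is not the researchers' or KISA's code. Two stand-ins are assumptions made for illustration: a counter-mode HMAC-SHA256 generator takes the place of LibTomCrypt's ChaCha20 PRNG, and a plain XOR keystream takes the place of AES-256 with intermittent encryption. What is faithful to the description above is the flaw itself: the per-file key is a deterministic function of a 32-bit timestamp seed, so recovery is a search over the seconds around the file's mtime, checked against a known file header, instead of a 2^256 key search.

```python
"""Toy model of the Rhysida time-seed weakness (added example, not the decryptor).

Assumptions for illustration: HMAC-SHA256 in counter mode stands in for the
ChaCha20-based PRNG, and XOR with that stream stands in for AES-256. The file
magic used as the known-plaintext check (%PDF) is a constructed sample.
"""
import hashlib
import hmac
import struct
from typing import Optional

KEY_LEN = 32  # 256-bit per-file key


def stream(key_material: bytes, nbytes: int) -> bytes:
    """Deterministic byte stream from key material (stand-in PRNG / keystream)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key_material, struct.pack("<Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def derive_file_key(seed32: int) -> bytes:
    """The flaw: the per-file key depends only on a 32-bit time-of-execution seed."""
    return stream(struct.pack("<I", seed32 & 0xFFFFFFFF), KEY_LEN)


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_file(plaintext: bytes, exec_time: int) -> bytes:
    """What the malware does: seed from execution time, derive key, encrypt."""
    key = derive_file_key(exec_time)
    return xor_bytes(plaintext, stream(key, len(plaintext)))


def decrypt_file(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, stream(key, len(ciphertext)))


def recover_seed(ciphertext: bytes, mtime: int, known_prefix: bytes,
                 window: int = 300) -> Optional[int]:
    """Brute-force the seed in [mtime - window, mtime + window].

    The file's modification time is a close proxy for when the encrypting
    thread ran. Each candidate seed is accepted only if its key decrypts the
    known file header correctly; a few hundred trials replace a 2**256 search.
    """
    for seed in range(mtime - window, mtime + window + 1):
        key = derive_file_key(seed)
        if decrypt_file(ciphertext[:len(known_prefix)], key) == known_prefix:
            return seed
    return None


def recover_file(ciphertext: bytes, mtime: int, known_prefix: bytes,
                 window: int = 300) -> Optional[bytes]:
    """Full recovery: find the seed, regenerate the key, decrypt the file."""
    seed = recover_seed(ciphertext, mtime, known_prefix, window)
    if seed is None:
        return None
    return decrypt_file(ciphertext, derive_file_key(seed))


if __name__ == "__main__":
    # Constructed sample: a fake PDF encrypted at a fixed instant; the file's
    # mtime lags the encrypting thread's start by a few seconds.
    doc = b"%PDF-1.7\n% constructed sample document body\n"
    t_exec = 1707400000
    ct = encrypt_file(doc, t_exec)
    print("recovered seed:", recover_seed(ct, t_exec + 3, b"%PDF"))
    print("plaintext restored:", recover_file(ct, t_exec + 3, b"%PDF") == doc)
```

The real decryptor has to reconstruct the thread interleaving to map mtimes to seeds and handle the intermittent block layout; the search-and-verify loop is the same idea. The lesson for defenders reading malware, and for anyone writing crypto, is unchanged: a generator seeded from a 32-bit timestamp gives 32 bits of security, whatever the key length says.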

The researchers explained that these discoveries allowed them to unlock victims' files "despite the prevailing belief that ransomware renders data irretrievable without paying the ransom."

In November, the US government issued a security advisory that included extensive technical details to help orgs not become the next Rhysida victim.


The pro-Ukrainian hacker group Blackjack is claiming that it breached a Moscow internet provider to seek revenge for a Russian cyberattack on Ukraine’s largest telecom company, Kyivstar.

The attack on M9com was carried out in cooperation with Ukraine’s security forces (SBU), said a source in Ukraine’s law enforcement agency who requested anonymity because he is not authorized to speak publicly about the incident.

There isn't much information available about the attack, and the SBU's role in the operation. Hackers said Monday on their Telegram channel that they will reveal more details soon. So far, the only confirmation of the incident they have provided includes screenshots of the allegedly hacked systems of the internet provider.

The group also published some of the data obtained during the hack on a darknet site accessible via the Tor browser.

The time frame of the attack on M9com is unclear, but as of the time of writing, the allegedly hacked website is up and running. There has been no mention of the operator’s shutdown in the Russian media or on its official website. The company has not replied to requests for comment.

This is not the first time Ukrainian civilian hackers have allegedly cooperated with security services to attack Russian organizations. In an incident publicized in October, two groups of pro-Ukrainian hackers and the SBU claimed to have breached Russia's largest private bank, Alfa-Bank.

The disclosure of the M9com hack closely resembles how information was shared in the Alfa-Bank incident: First, pro-Ukrainian hackers claimed they acquired troves of data, released a portion of it, and then a source within Ukraine's security service confirmed the SBU's involvement in the operation without providing additional details.

Earlier this week, attackers involved in the Alfa-Bank hack released all the data of 30 million bank customers, which they reportedly obtained during the operation.

Alfa-Bank denied reports of a data leak and called the published data, which includes phone and banking card numbers, “a compilation from various sources.”

Russian cybersecurity expert Oleg Shakirov discovered that some of his acquaintances were included in the data breach. He verified that the leak included authentic Alfa-Bank card numbers, with most of the cards having the last digit replaced with 0. Additionally, in some instances, the leak displayed incorrect expiration dates. Shakirov also noted that the compromised data included accurate contact information and dates of birth.

Earlier this week, Ukraine’s military intelligence agency (GUR) claimed to have seized 100 gigabytes of classified data worth around $1.5 billion from a Russian military equipment manufacturer.

This company produces Orlan reconnaissance drones, electronic warfare systems, and other equipment used by the Russian military during the war in Ukraine.

GUR stated that they were able to gain access to this information with the help of “patriotic representatives of civil society and the media community,” but didn’t elaborate on what they meant.

Such public claims about the hacks from both Ukraine and Russia have become more common recently, but in most cases, they are hard to independently verify.


In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla. We first described the operations of Tortilla ransomware in a blog post in November 2021.

Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware. During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.

The generic Avast Babuk decryptor was already used as the de facto industry standard Babuk decryptor by many affected users and it made perfect sense to be updated with the keys Talos recovered from the Tortilla decryptor.

This way, the users can access programs such as NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.


SonicWall says it has observed thousands of daily attempts to exploit an Apache OFBiz zero-day for nearly a fortnight.

The near-maximum severity zero-day vuln in OFBiz, an open source ERP system with what researchers described as a surprisingly wide install base, was first disclosed on December 26. Since then, attackers have gone for it with large numbers of exploitation attempts.

The numbers have remained consistent since the turn of the new year, SonicWall confirmed to The Register today.

If you use the Apache Software Foundation framework, which includes business process automation apps and other enterprise-friendly functions, you should upgrade to OFBiz version 18.12.11 immediately to patch both this and a second, equally serious hole.

Tracked as CVE-2023-51467, the 9.8-rated vulnerability is an authentication bypass. A successful exploit lets an attacker skip authentication and go on to execute arbitrary code remotely, with access to whatever sensitive information the system holds.

The threat researchers said they found the flaw while investigating the root cause of the other flaw, a separate, equally severe authentication bypass RCE vulnerability tracked as CVE-2023-49070.

Apache's patch for the '070 bug involved removing the code for the XML-RPC API, which was no longer maintained, but further analysis from SonicWall revealed the root cause to be in the login functionality.

Failing to patch the root cause of CVE-2023-49070 meant the authentication bypass vulnerability, currently under widespread exploitation, still remained in OFBiz.

Apache OFBiz is believed to have a large number of users, with SonicWall noting Atlassian's Jira alone is relied upon by more than 120,000 companies. Atlassian customer support, however, has since said Jira's implementation isn't vulnerable.

"We have contacted Prodsec, looking at the code in Jira DC, Jira Cloud, Confluence DC, and Confluence Cloud to confirm that we are not using the vulnerable framework. Jira only uses a fork of Apache's OfBiz Entity Engine module, which does not include the affected areas of code. Additionally, Confluence does not use the Entity Engine module at all."

SonicWall researchers developed two test cases that showed how exploitation of the issue was possible.

The blog post by Hasib Vhora, senior threat researcher at SonicWall, goes into the finer details about the two test cases, but the main takeaway is that the authentication bypass is caused by unexpected behavior when the requirePasswordChange parameter of the login function is set to "Y" in the URI.
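One thing a defender can do with that detail, while the upgrade is being rolled out, is sweep web-server logs for the request shape. The following is an added example, not SonicWall's or Apache's code. The only fact it takes from the writeup above is the trigger: requirePasswordChange=Y supplied in the request URI to the login handler. Everything else is heuristic, and the sample log lines, addresses and paths are constructed for illustration. Note the caveat: a legitimate OFBiz password-change round trip can also carry this parameter, so hits are triage leads, not verdicts; credentials in the query string alongside the flag, or empty credential values, are what make a hit worth a closer look.

```python
"""Sweep combined-format access logs for the CVE-2023-51467 request shape.

Added example for illustration. The parameter name comes from the public
description of the bug; the log lines, paths and IPs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: ip ident user [time] "METHOD URI PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    uri: str
    status: int
    reasons: List[str]


def analyse_uri(uri: str) -> List[str]:
    """Return the reasons a request URI looks like the bypass, or [] if clean."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    params = {k.lower(): v for k, v in query.items()}
    reasons: List[str] = []
    if any(v.strip().upper() == "Y" for v in params.get("requirepasswordchange", [])):
        reasons.append("requirePasswordChange=Y in URI")
        # Credentials riding in the query string next to the flag is the exploit
        # shape; a normal password-change flow posts them in the request body.
        if "username" in params or "password" in params:
            reasons.append("credentials supplied in query string")
        cred_values = params.get("username", []) + params.get("password", [])
        if any(v.strip() == "" for v in cred_values):
            reasons.append("empty credential value")
    return reasons


def scan(lines: List[str]) -> List[Hit]:
    """Parse each log line and keep the ones whose URI trips the heuristic."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = analyse_uri(m["uri"])
        if reasons:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["uri"], int(m["status"]), reasons))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2024:10:15:01 +0000] '
    '"GET /webtools/control/main?USERNAME&PASSWORD=x&requirePasswordChange=Y HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Jan/2024:10:16:44 +0000] "POST /webtools/control/login HTTP/1.1" 200 2048',
    '192.0.2.5 - - [02/Jan/2024:10:17:02 +0000] '
    '"GET /webtools/control/main?requirePasswordChange=y&USERNAME=&PASSWORD= HTTP/1.1" 200 731',
    '192.0.2.10 - - [02/Jan/2024:10:18:30 +0000] "GET /catalog/control/main HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.ip, hit.ts, hit.uri, "->", "; ".join(hit.reasons))
```

A 200 on a hit is the line to chase first: on an unpatched 18.12.10 or earlier it means the request got past the login check. Because the page only records the parameter, not the follow-on payload, pair this with a review of what the same source did next.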

Vhora commended the response of the Apache OFBiz team, fixing the problem swiftly. The two test cases developed by SonicWall have been used against the patched version (18.12.11) and are no longer successful.

"We appreciate the prompt response and remediation by the Apache OFBiz team," Vhora said. "They demonstrated extreme care for the security of their customers and were a pleasure to work with."


Flight information display screens at Beirut’s international airport were hacked over the weekend to display politically motivated messages, and the incident also temporarily affected baggage inspection, local media reported.

The hackers replaced the plane departure and arrival data on the screens of Beirut-Rafic Al Hariri International Airport with a statement accusing the Iran-backed, Lebanon-based militant group Hezbollah of dragging Lebanon into the war with Israel.

“You bear your responsibility and its consequences, Hezbollah,” part of the message said.

Airport authorities told local media that the attack briefly disrupted the passenger baggage inspection system but did not impact the flight schedule. Lebanese media reported that hackers also sent messages to some passengers on behalf of Middle East Airlines, which the company said were fake.

Tensions between Lebanon and Israel have recently escalated, with forces exchanging fire almost every day. On Monday, an Israeli strike on Lebanon reportedly killed a senior commander in Hezbollah's elite forces. Israeli officials said earlier that they prefer to restore security in the area without going to war with Hezbollah, but that they are ready to do so if necessary.

Two domestic hacker groups are believed to be behind the airport hack: a little-known gang calling itself The One Who Spoke; and a Christian group, Soldiers of God, known for its campaigns against the LGBTQ+ community in Lebanon. The second group denied its involvement.

Local media Lebanon24 reported, citing sources involved in the investigation of the incident, that the attack could have been carried out by “external parties” who used the names of Lebanese hacker groups to cover their tracks or stir up tension. Local hackers may lack the technologies and capabilities needed to execute such an attack, according to the report.

Another anonymous security source, speaking to a Lebanese TV channel, implicated Israel as a potential culprit behind the attack.

Lebanon's minister of public works and transportation, Ali Hamieh, said during a press conference on Monday that approximately 70% of the hacked airport screens had resumed normal operation. The airport was disconnected from the internet “in order to limit the damage,” he added.

The country’s security services are investigating the hack. “The answer will be within days to determine whether the breach is internal or external,” Hamieh said.


An official at the Bangladesh Election Commission has claimed that a cyberattack “from Ukraine and Germany” caused an election information app to crash as voters went to the polls on Sunday.

There has not been an allegation that the incident affected votes in the country, where incumbent Prime Minister Sheikh Hasina secured her fourth straight term in office after a record low turnout, as reported by BBC News.

Hasina, who has held power since 2009, is currently the longest-serving female head of government in the world. Her government has faced criticism from the international community, including the United Nations, amid allegations of human rights abuses and extrajudicial killings.

“Her long reign in power has been marked by arrests of opposition leaders, crackdowns on free speech and suppression of dissent,” as Reuters reported.

The country’s main opposition, the Bangladesh Nationalist Party (BNP), boycotted the general election on the grounds that the vote would be rigged. BBC News reported that while official figures for Sunday’s vote put turnout at around 40%, critics have claimed even that figure may be inflated. Bangladesh has about 120 million eligible voters.

Mohammed Jahangir Alam, the Election Commission’s official secretary, told journalists on Sunday that the election app had been “slowed down from Ukraine and Germany,” without specifying the nature of the cyberattack. “Our team has been working round the clock to fix the issue. Although the app is functioning slowly, it’s still working,” said Alam.

The app, Smart Election Management BD, was not essential for voting. It provided “historical and current data on electoral candidates and associate parties” alongside updates on how many votes had been cast.

Although not formally confirmed, the incident as described by Alam may have been a distributed denial of service (DDoS) attack — an unsophisticated type of cyber nuisance that works by flooding targeted network resources with junk requests, making them unreachable.

The nature of the attack was not disclosed. If it was an application-layer flood of HTTP requests, however, the source IP addresses would be genuine: every such request rides on a completed TCP connection, so the sender cannot spoof its address the way it can in a volumetric UDP or SYN flood. Traffic that really arrived from German and Ukrainian address space would therefore point to compromised machines in those countries, not to where the attacker sits.

Cloudflare, which has historically included Germany and Ukraine among the largest sources of DDoS traffic — although both accounted for far less traffic than China and the United States — said this “usually indicates the presence of botnets operating from within the country's borders.”

Allegations of foreign interference

Prior to the election, both of the main political parties have made claims and counter-claims about foreign states attempting to influence the vote.

Thousands of BNP activists have been arrested following rallies that turned violent, something which the party alleged was instigated by government provocateurs. Arrest warrants are outstanding for many of the party’s senior figures, some of whom live in exile.

The BNP accused Russian foreign ministry spokeswoman Maria Zakharova of interference after she claimed that the party’s rallies were being sponsored by the U.S. government in a bid to secure Bangladesh’s support for the U.S. Indo-Pacific strategy.

The chief commissioner at the Bangladesh Election Commission has also alleged that “Western nations, including the U.S., are trying to influence the course and results of the general elections in Bangladesh.”

Following Sunday’s vote, Andrei Shutoff, a Russian election observer, reportedly warned: “In case the U.S.A. is not satisfied with the results of the people’s vote, attempts to further destabilize the situation in Bangladesh along the lines of the Arab Spring are likely.”

37
2

During the wave of attacks on Albanian organizations earlier in December, Iran-linked hackers used wiper malware that researchers are calling No-Justice.

The attacks, attributed to the Iranian threat actor Homeland Justice, targeted the Albanian parliament, two local telecom companies (ONE Albania and Eagle Mobile), and Albania’s flag air carrier (Air Albania). The hackers claimed to have stolen data from the targeted systems, but this claim has not been confirmed yet.

Researchers at the Israel-based cybersecurity firm ClearSky identified two main tools used in this campaign: No-Justice, which can crash the targeted Windows operating system “in a way that it cannot be rebooted,” and a PowerShell script designed “to copy and propagate the wiper to other machines in the organizational network before its activation.”

No-Justice carried a valid digital signature to appear legitimate and required administrator privileges to wipe the data from the victim’s computer, researchers said. A valid signature helps the binary past users and some allow-listing controls, but the privilege requirement means the wiper only does damage where the attackers already held elevated access.

The hackers likely used publicly available tools for the attack, including Plink, the command-line connection tool from the PuTTY suite; RevSocks, a reverse SOCKS proxy employed for data exfiltration, command and control, or maintaining persistent access in a compromised network; and the Windows 2000 resource kit, which can be used for reconnaissance and persistent remote access.

The extent of the damage is still not clear. Earlier in December, local media reported that during the attack on the parliament, hackers attempted to interfere with the infrastructure and delete data but were unsuccessful.

ClearSky estimates that Homeland Justice’s operations may threaten other countries.

The latest attacks on Albania were a possible retaliation for its government sheltering members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, in the Albanian county of Durrës — the hackers named their campaign “Destroy Durres Military Camp.”

According to ClearSky’s report, the attack on the Albanian parliament followed the publication of an image showing Albanian parliament members together with Mariam Rajavi, president of MEK.

Homeland Justice launched its first campaign against Albania last July, targeting the country’s e-government systems right before MEK’s planned conference. The conference was canceled following the attack.

In September, Albania reported that hackers linked to Iran's government targeted computer systems used by the national police to track individuals entering and leaving the country. The attack prompted authorities to shut down computer control systems at border crossings and airports.

Researchers described Homeland Justice as an “Iranian psychological operation group.” It is likely state-sponsored.

38
13

Even as the New Year approached and the world celebrated the festive Christmas season, the cybercriminal community did not pause their activities. Instead, they marked the holiday season in their unique way. On Christmas Eve, Resecurity observed multiple actors on the Dark Web releasing substantial data dumps. These were the result of data breaches and network intrusions to a variety of companies and government agencies. Numerous leaks disseminated in the underground cyber world were tagged with 'Free Leaksmas,' indicating that these significant leaks were shared freely among various cybercriminals as a form of mutual gratitude.

Ironically, this display of generosity among cybercriminals is far from a cause for celebration for victims globally. It will inevitably result in them facing a host of adverse effects, such as account takeovers (ATO), business email compromises (BEC), identity theft, and financial fraud. Significantly, the data breaches weren't confined to the United States; they extended globally, impacting individuals in a wide range of countries including France, Peru, Vietnam, Italy, Russia, Mexico, the Philippines, Switzerland, Australia, India, South Africa, and even mixed international sources. This widespread geographical distribution highlights the extensive global reach and severe impact of these cybercriminal activities.

A significant event during the 'Leaksmas' in the Dark Web involved the release of a large dataset from Movistar, a leading telecommunications provider in Peru. This dataset contained over 22 million records, including customers' phone numbers and DNI (Documento Nacional de Identidad) numbers. The DNI, being the sole identity card recognized by the Peruvian Government for all civil, commercial, administrative, and judicial activities, makes its exposure on the Dark Web a serious threat, potentially leading to widespread identity theft and fraud. This incident underscores the critical need for robust Digital Identity Protection programs, particularly in Latin America, where there is an escalating trend of cyber-attacks resulting in major data breaches and significant damages.

On Christmas, a government agency in Chile experienced a security breach.

In another incident targeting the Asia-Pacific region, cybercriminals released a substantial leak involving one of the major credit services in the Philippines. The perpetrators disclosed over 15.77 GB of data in this breach.

The "Leaksmas" event continued with another significant breach, this time involving a French company. Approximately 1.5 million records from this company were shared freely on the Dark Web.

Cybercriminals also "gifted" a leak involving 1.4 million records, associated with a project that was later acquired by Klarna, a Swedish fintech company. Interestingly, rumors of a potential data breach had been circulating since 2022, and several users had received notifications regarding it. However, the complete data dump had not been freely available on the Dark Web until this event.

Returning to the Asia-Pacific region, another significant leak that was freely shared on the Dark Web involved a Vietnam-based fashion store. This breach exposed over 2.5 million victim records. Such a database is a valuable asset for spammers and illegal affiliate marketing specialists, offering them the potential to generate substantial profits during the winter holiday season.

An additional noteworthy leak involved a hacked online military gear shop based in Italy. While the database contained only 2,000 records, the nature of the audience – individuals interested in military gear – makes it particularly attractive to foreign cyber actors, especially those with a focus on defense-related information.

The perpetrators also targeted India, a country known for its vast economy and rapid pace of digitization.

On Christmas, a relatively new leak appeared involving a sushi restaurant chain in Russia, comprising 164,052 records. This dataset was notable for not having been previously seen on the Dark Web, making it potentially of particular interest to certain actors.

There was a significant leak involving over 2 million records of banking customers from Mexico. It's highly probable that these records were obtained directly from a breached financial institution, a lending provider, or a telemarketing operator that specializes in generating leads for the financial industry. Interestingly, this particular dataset had been previously offered for sale but became freely available during this event. Our assessment suggests that this data might have originated from an older breach, possibly dating back to 2021-2022. Despite its age, the information remains relevant in 2024, as it's unlikely that all the affected individuals would have updated their personal information since the breach.

Another significant incident involved a massive data leak from ESSEMTEC.

In addition to these individual leaks, the perpetrators also released larger compilations of data, consisting of multiple separate data breaches. Some of these were extensive packages, known as combo-lists, containing millions of records that included emails and passwords.

"All I want for Christmas is the destruction of the government."

The most prominent figures in the data leaking activity on the Dark Web during the Christmas period were undoubtedly the actors from SiegedSec. They gained particular notoriety for previously releasing exfiltrated data from the Idaho National Labs.

The group SiegedSec has made public claims about successfully hacking into unspecified government resources. Before this, they had celebrated a successful attack on Shufersal, Israel's largest supermarket chain, which they referred to as a “Christmas Gift” in support of Palestine. They also targeted Bezeq and Cellcom, two of Israel's leading telecommunications companies. It's worth noting that some groups have claimed to end their associations with SiegedSec over its stance, but the authenticity of these claims has not been fully verified.

In their Christmas message, SiegedSec mentioned the exfiltration of citizen data, suggesting that we can anticipate more unexpected actions from them in the upcoming year.

cont...

39
13

The Google-owned cybersecurity firm Mandiant said it is looking into an incident where its X account was taken over by someone sharing links to a cryptocurrency platform.

On Wednesday afternoon around 3:30 pm EST, Mandiant’s account on the social media platform tweeted out links to a company called Phantom, which offers customers a wallet for cryptocurrency.

The account appeared to have been deleted for several minutes before returning with Mandiant logos but its username changed to “@phantomsolw.”

As of 5:30 p.m. EST, the account has retweeted dozens of messages sent out by Phantom.

“We are aware of the incident impacting the Mandiant X account and are working to resolve the issue,” a Mandiant spokesperson told Recorded Future News.

Representatives for Phantom did not respond to requests for comment. The company’s wallet is widely regarded and available on the app stores for both Google and Apple.

Mandiant was purchased by Google in 2022 for $5.3 billion and incorporated into Google Cloud.

In recent months, concerns have grown over X’s ability to protect high-profile accounts from takeovers. Since being purchased by Tesla CEO Elon Musk, the social media site has cut hundreds of security employees, exposing it to a wave of spam accounts.

On Tuesday, a Canadian senator had their Twitter account taken over to spread a scam.

Last month, two researchers discovered vulnerabilities in Twitter that were not addressed for weeks by the social media site’s team.

Chaofan Shou, a Ph.D. student at the University of California - Berkeley, told Recorded Future News that the company never replied to his email about the issue. In a post on the platform, he said the bugs would allow anyone to take over an account.

“Both vulnerabilities are obvious and easy to find for folks working in security,” he said on December 13.

“The exploit I disclosed is built up on two vulnerabilities. One discovered by @rabbit_2333 and one discovered by me. Twitter has acknowledged neither of them.”

40
129

The owner of an apartment in Veliky Novgorod in Russia has been arrested for discrediting the country’s armed forces after a neighbor alerted the police to the message ‘Slava Ukraini’ scrolling across their LED curtains.

When police went to the scene, they saw the garland which the owner had hung in celebration of the New Year and a “slogan glorifying the Armed Forces of Ukraine,” as a spokesperson for the Ministry of Internal Affairs told state-owned news agency TASS.

The apartment owner said the garland was supposed to display a “Happy New Year” greeting, TASS reported.

Several other people in Russia described a similar experience on the AlexGyver web forum, linked to a DIY blog popular in the country. They said at the stroke of midnight on New Year’s Eve, their LED curtains also began to show the “Glory to Ukraine” message in Ukrainian.

It is not clear whether any of these other posters were also arrested. The man in Veliky Novgorod will have to defend his case in court, according to TASS. Police have seized the curtain itself.

An independent investigation into the cause of the message by the AlexGyver forum users found that affected curtains all used the same open-source firmware code.

The original code appears to have originated in Ukraine before someone created a fork translated into Russian. According to the Telegram channel for AlexGyver, the code had been added to the original project on October 18, and then in December the people or person running the fork copied and pasted that update into their own version.

“Everyone who downloaded and updated the firmware in December received a gift,” the Telegram channel wrote. The message was “really encrypted, hidden from the ‘reader’ of the code, and is displayed on the first day of the year exclusively for residents of Russia by [geographic region].”

Oleg Shakirov, an independent Russian cyber policy researcher, compared on social media the LED incident to other examples of open-source software manipulation within the context of protesting the invasion of Ukraine.

These included an intentional change to the JavaScript library node-ipc that checked whether the host machine’s IP address was located in Russia or Belarus and, if it was, overwrote files on the device with a heart symbol, as reported by The Register.

Beyond the consequences for the arrested man, the LED prank is unlikely to be remembered as one of the more significant cyber actions of the war between Russia and Ukraine, although it highlights the potential vulnerabilities caused by software dependencies.
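The dependency lesson above can be made concrete. The following Python snippet is an added example, not code from the AlexGyver project or from any firmware mentioned here: it checks a downloaded artifact against a SHA-256 digest pinned in a lockfile before accepting it, and refuses artifacts for which no pin exists, so an upstream change pasted in without review fails the check instead of being flashed. The artifact bytes, lockfile entries and project name are constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts. REVIEWED_BUILD stands for the fork's code as last read
# by the maintainer; UPDATED_BUILD stands for the same file after an upstream
# change was pasted in without anyone reading it.
REVIEWED_BUILD = b'void loop() { showGreeting("Happy New Year"); }\n'
UPDATED_BUILD = REVIEWED_BUILD + b"// merged from upstream, not reviewed\n" + b"\x00" * 32

# Constructed lockfile: name -> pinned digest. Only the digest is trusted;
# "source" is a note for humans. The project name is hypothetical.
LOCKFILE = {
    "led-curtain-firmware": {
        "source": "example-fork/led-curtain (hypothetical name)",
        "sha256": sha256_hex(REVIEWED_BUILD),
    },
}


def verify_artifact(name, data, lockfile):
    """Return "ok", "digest-mismatch" or "unpinned" for one downloaded artifact."""
    entry = lockfile.get(name)
    if not entry or not entry.get("sha256"):
        return "unpinned"  # nothing to compare against: never accept silently
    if hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        return "ok"
    return "digest-mismatch"


def verify_update_set(artifacts, lockfile):
    """Check a whole download batch; accept only if every artifact is "ok"."""
    report = {name: verify_artifact(name, data, lockfile) for name, data in artifacts.items()}
    accept = bool(report) and all(status == "ok" for status in report.values())
    return accept, report


def pin_after_review(name, data, lockfile, source="reviewed by hand"):
    """The only path by which a new digest enters the lockfile: after a human read the change."""
    lockfile[name] = {"source": source, "sha256": sha256_hex(data)}
    return lockfile[name]["sha256"]


if __name__ == "__main__":
    print(verify_update_set({"led-curtain-firmware": REVIEWED_BUILD}, LOCKFILE))
    print(verify_update_set({"led-curtain-firmware": UPDATED_BUILD}, LOCKFILE))
```

The check does not tell you whether the new code is malicious; it only guarantees that nothing reaches the device that a maintainer has not looked at and re-pinned, which is exactly the step the forked firmware's December update skipped.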

Last month, an investigation by Radio Free Europe reported that Russia's intelligence services might have been obtaining video footage from thousands of Ukrainian surveillance cameras equipped with a Russian software program known as Trassir.

On Tuesday, Ukraine’s security officers said they took down two online surveillance cameras that were allegedly hacked by Russia to spy on air defense forces and critical infrastructure in Ukraine’s capital, Kyiv.

Numerous supply chain attacks have been observed during the course of the conflict, with Google’s Mandiant unit last year warning that hackers had been targeting Ukrainian government networks using fake Windows installers.

In March of last year, Rosaviatsia — responsible for regulating civil aviation in Russia — reportedly had to switch to pen and paper after a supply-chain attack that collapsed its entire network and destroyed more than a year’s worth of emails. The agency denied the reports.

41
9

Crypto platform Orbit Chain said it is working with the Korean National Police Agency and Korea Internet & Security Agency (KISA) to address a cyberattack that led to the theft of more than $81 million worth of cryptocurrency.

On the night of New Year’s Eve, Orbit Chain confirmed that it began to see unauthorized transactions on its platform involving several cryptocurrencies, including the U.S.-dollar-pegged stablecoins USDC and USDT as well as ETH and others.

Orbit Chain’s platform supports communication between different blockchain networks. The company hired blockchain security company ChainLight to lead the investigation.

Other blockchain research companies, including CertiK and PeckShield, pegged the losses at around $81.5 million, with $30 million taken in USDT and $10 million in USDC.

“Orbit Chain team has developed a system for investigation support and cause analysis with the Korean National Police Agency and KISA (Korea Internet & Security Agency), enabling a more proactive and comprehensive investigation approach. Furthermore, we are also discussing close cooperation with domestic and foreign law enforcement agencies,” they said in a notice on Tuesday.

“In order to resolve this issue, the Orbit Chain team will utilize all available methods to track down the hackers and recover the funds. We sincerely request that all members of the Orbit Chain community and the Web3 ecosystem help spread this information as widely as possible.”

They asked other global cryptocurrency exchanges to freeze the stolen assets and warned customers to be wary of scams related to potential repayment of lost funds.

The company noted that it has tried to communicate with the attackers, sending them multiple messages on Monday. It is unclear if the hackers have responded, and the company did not respond to requests for comment about their communications with those behind the incident.

Orbit Chain, which is based in South Korea, added that it is looking into the possibility that the attack was launched by hackers based in North Korea — whose government has been implicated in dozens of the largest crypto thefts over the last three years.

PeckShield noted that including the funds stolen from Orbit Chain, nearly $100 million was taken from crypto platforms in December 2023.

U.S. officials say North Korean hackers have stolen over $2 billion worth of cryptocurrency to help fund the North Korean government’s activities — including its weapons of mass destruction and ballistic missile programs.

42
16

Ukraine’s security officers said they took down two online surveillance cameras that were allegedly hacked by Russia to spy on air defense forces and critical infrastructure in Ukraine’s capital, Kyiv.

The cameras were installed on residential buildings in Kyiv and were initially used by residents to monitor the surrounding area and parking lot. After hacking them, the Russian intelligence services supposedly gained remote access to the cameras, changed their viewing angles, and connected them to YouTube to stream sensitive footage.

According to Ukraine’s security service, SBU, this footage likely helped Russians direct drones and missiles toward Kyiv during a large-scale missile strike against Ukraine on Tuesday. During the attack, Russia fired almost 100 drones and missiles, primarily targeting Kyiv and Kharkiv, Ukraine’s second-largest city. At least five people were killed, and 129 were injured.

Since Russia invaded Ukraine in February 2022, the SBU said it has blocked about 10,000 digital security cameras that Moscow might have used to prepare for missile strikes on Ukraine.

According to the investigation by Radio Free Europe, Russia's intelligence services might have been getting video footage from thousands of Ukrainian surveillance cameras equipped with a Russian software program known as Trassir. This surveillance system can capture the movements of people and vehicles and is capable of recognizing faces and license plates.

The journalists found that the footage from those cameras went directly to servers in Moscow and could likely be accessed by Russia’s security services. Ukraine started to abandon Russian software only after the start of the invasion.

Online footage, including photos and videos, could be a valuable source of information for both Ukrainian and Russian intelligence agencies.

Ukrainian laws prohibit citizens from sharing photos or videos of residential buildings or critical infrastructure objects hit by Russians during missile strikes, as it helps the enemy forces to “correct” their targeting. The penalty for this offense is a potential prison term of up to 12 years.

The SBU called on the owners of street surveillance cameras to stop online broadcasts from their devices and to report any detected streams from such cameras on YouTube.

43
36
submitted 5 months ago* (last edited 5 months ago) by c0mmando@links.hackliberty.org to c/netsec@links.hackliberty.org

A voice over internet protocol (VoIP) service provider charged with sending billions of illegal robocalls was issued a $10 million penalty and is banned from supporting certain telemarketing practices as part of a settlement, the Federal Trade Commission (FTC) and Department of Justice (DOJ) announced Tuesday.

XCast Labs was accused of allowing the robocalls to flow through its network and ignoring multiple warnings — beginning in January 2020 — to stop the practice. The behavior violates the FTC’s Telemarketing Sales Rule, which mandates telemarketers disclose who they are, bars misrepresentations and blocks calls to consumers listed on the federal Do Not Call (DNC) registry.

Tuesday’s court order, issued through the U.S. District Court for the Central District of California, also imposed the $10 million fine, which has been put on hold because XCast Labs can’t pay it. The company is also required to take steps to comply with telemarketing laws, including setting up additional screening of customers and transmissions to better police illegal robocalls.

Some of the robocalls that XCast Labs was accused of facilitating involved scams from companies pretending to be government agencies, according to the May complaint. For example, some of the calls claimed to be from the Social Security Administration and warned that utility services like heat and water would be cut off unless payments were made, the complaint said. Other calls told consumers to act quickly to reverse made up credit card charges.

The robocalls featured prerecorded marketing messages, many of which were sent to DNC-registered phone numbers, the complaint said.

The illegal calls began in at least January 2018, according to the complaint, which said some of the calls marketed goods and services with a “history of deceptive sales practices,” including extended warranties for cars.

Even calls that did not fraudulently purport to be from the government did not “truthfully identify” the seller, the DOJ press release said. Instead, those calls included “false or misleading statements to induce purchases or were transmitted with ‘spoofed’ caller ID information.”

XCast kept extensive records of its transmissions, including the exact date and time of a call, the phone numbers involved and exact durations of the calls. The FTC said records produced for just three of XCast Labs’ customers showed almost two billion of the robocalls were sent to numbers included on the DNC Registry.

The FTC warned other robocallers to take notice.

“XCast was warned several times that illegal robocallers were using its services and did nothing,” Director Samuel Levine of the FTC’s Bureau of Consumer Protection said in a prepared statement. “Companies that turn a blind eye to illegal robocalling should expect to hear from the FTC.”

44
24

Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed.

A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary.

Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future. They're called info stealers because once they're running on some poor sap's computer, they go to work finding sensitive information – such as remote desktop credentials, website cookies, and cryptowallets - on the local host and leaking them to remote servers run by miscreants.

Eggheads at CloudSEK say they found the root of the exploit to be in the undocumented Google OAuth endpoint "MultiLogin."

The exploit revolves around stealing victims' session tokens. That is to say, malware first infects a person's PC – typically via a malicious spam or a dodgy download, etc – and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.

Session cookies ideally expire frequently, something that can limit their usefulness in account takeover attacks. However, recent cases such as Okta's in October, which involved the theft of HAR files that often contain session cookies, have demonstrated that session hijackings are entirely practical and can lead to major security incidents.

Those session tokens are then exfiltrated to the malware's operators, who use them to enter and hijack the accounts. It turns out that these tokens can still be used to log in even if the user realizes they have been compromised and changes their Google password. Users should log out of all sessions entirely, which invalidates the outstanding tokens, to prevent further exploitation.

MultiLogin is responsible for synchronizing Google accounts across different services. It accepts a vector of account IDs and auth-login tokens to manage simultaneous sessions or switch between user profiles.

Reverse engineering the info-stealer malware revealed that the account IDs and auth-login tokens from logged-in Google accounts are taken from the token_service table of WebData in Chrome.

This table contains two columns crucial to the exploit's functionality: service (containing a GAIA ID) and encrypted_token. The latter is decrypted using a key stored in Chrome's Local State file, which resides in the User Data directory; on Windows that key is itself protected with DPAPI under the logged-in user's profile, so the malware must already be running in that user's context to recover it.

The stolen token:GAIA ID pairs can then be used together with MultiLogin to continually regenerate Google service cookies even after passwords have been reset, and those can be used to log in.
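The defensive principle behind "log out entirely" is that a credential derived from a password must die with that password. The following Python example is added here to illustrate that principle in a generic session store; it is not Google's implementation, not code from CloudSEK, and it does not model MultiLogin itself. The vulnerable class leaves every session token usable after a password change, which is the behaviour described above; the hardened class ties each token to a password generation, so a change revokes all of them at once, and it also offers an explicit sign-out-everywhere. Passwords and names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time


def hash_password(password, salt):
    # PBKDF2 keeps the example dependency-free; argon2/scrypt/bcrypt are the usual choices.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableAccount:
    """Sessions live until they expire; a password change never touches them.

    This is the failure mode in the text: whoever holds a stolen token keeps
    access after the victim resets the password.
    """

    def __init__(self, password, session_ttl=3600):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.session_ttl = session_ttl
        self.sessions = {}  # token -> expiry time (epoch seconds)

    def _check(self, password):
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def login(self, password, now=None):
        now = time.time() if now is None else now
        if not self._check(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = now + self.session_ttl
        return token

    def session_is_valid(self, token, now=None):
        now = time.time() if now is None else now
        expiry = self.sessions.get(token)
        return expiry is not None and expiry > now

    def change_password(self, old, new):
        if not self._check(old):
            return False
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new, self.salt)
        return True  # self.sessions is deliberately left untouched


class HardenedAccount(VulnerableAccount):
    """Every token records the password generation it was minted under.

    Changing the password bumps the generation, so every outstanding token
    fails validation at once; sign_out_everywhere() drops them explicitly.
    """

    def __init__(self, password, session_ttl=3600):
        super().__init__(password, session_ttl)
        self.generation = 0
        self.sessions = {}  # token -> (expiry, generation)

    def login(self, password, now=None):
        now = time.time() if now is None else now
        if not self._check(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (now + self.session_ttl, self.generation)
        return token

    def session_is_valid(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        return entry is not None and entry[0] > now and entry[1] == self.generation

    def change_password(self, old, new):
        if not super().change_password(old, new):
            return False
        self.generation += 1  # invalidates every token minted so far
        return True

    def sign_out_everywhere(self):
        self.sessions.clear()


def stolen_token_survives_reset(account_cls):
    """Replay the incident: a token is stolen, the victim changes the password, the thief retries."""
    acct = account_cls("correct horse battery staple")
    stolen = acct.login("correct horse battery staple")  # what the stealer exfiltrates
    assert acct.change_password("correct horse battery staple", "new-passphrase-2024")
    return acct.session_is_valid(stolen)


if __name__ == "__main__":
    print("vulnerable: token still valid after reset ->", stolen_token_survives_reset(VulnerableAccount))
    print("hardened:   token still valid after reset ->", stolen_token_survives_reset(HardenedAccount))
```

MultiLogin sits one layer lower than this toy (it mints fresh service cookies from a longer-lived token), but the rule a practitioner should take from the story is the same: a password reset has to revoke every credential derived from the old one, and "sign out of all sessions" is the manual form of that revocation.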

Pavan Karthick M, threat intelligence researcher at CloudSEK, reckons the discovery provides evidence of cybercriminals' high degree of sophistication. In Lumma's case, each token:GAIA ID pair is encrypted by the malware, masking the finer details of the mechanism.

In a more recent update, however, Lumma introduced SOCKS proxies to bypass Google's IP-based restrictions on token regeneration. In doing so, the malware's developers now expose some details of the requests and responses, potentially undoing some of their earlier efforts to conceal the functionality's inner workings.

The encryption of the traffic between the malware's C2 and MultiLogin also lessens the chances of standard security measures detecting the malicious activity, Karthick said, since encrypted traffic is more likely to be overlooked.

"The tactical decision to encrypt the exploit's key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats," he added. "It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves."

45
19

Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That’s exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and the discovery of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of the attack. Now, for the first time, we're ready to tell you all about it. This is the story of the most sophisticated attack chain and spyware ever discovered by Kaspersky.

In this presentation, we will share:

  • how we managed to discover and capture all stages of a zero-click attack on iOS, despite the attackers’ efforts to hide and protect it,
  • a comprehensive analysis of the entire attack chain, which exploited five vulnerabilities, including four zero-days,
  • the capabilities of the malware that transforms your phone into the ultimate surveillance tool,
  • and the links to previously known malware we were able to find.

46
32

Kaspersky's Global Research and Analysis Team (GReAT) has exposed a previously unknown "feature" in Apple iPhones that allowed malware to bypass hardware-based memory protection.

Addressed as CVE-2023-38606, which was patched in July 2023, the issue affected iPhones running iOS versions up to 16.6, according to the cybersecurity outfit this week.

Kaspersky reckons the hardware feature may have been intended for testing or debugging. Yeah, hopefully that. Certainly, the GReAT gang couldn't find any public documentation on it, which meant the attack vector proved tricky to detect and analyze using the team's usual tools when miscreants came to exploit the hole.

According to Kaspersky, "attackers leveraged this hardware feature to bypass hardware-based security protections and manipulate the contents of protected memory regions."

Researchers had to reverse-engineer the device to track down the vulnerability exploited. Particular attention was paid to Memory-Mapped IO (MMIO) addresses used for communication between the CPU and other devices. The problem was that the attackers used unknown MMIO addresses to bypass hardware-based kernel protection. Therefore, the team had to pick through the hardware, firmware, and kernel images to work out what was going on.

"This is no ordinary vulnerability," said Boris Larin, Principal Security Researcher at Kaspersky's GReAT.

"Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures. What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features allowing to bypass these protections."

The vulnerability played a critical role in the "Operation Triangulation" campaign earlier this year, which allowed miscreants to gain access to targeted devices, deploy spyware, and snoop user data. Kaspersky informed Apple about the exploitation of the hardware feature, which was swiftly mitigated.

However, as Larin observed, all the hardware protections in the world won't help if somebody leaves in an undocumented something that allows those protections to be bypassed. 'Security through obscurity' just doesn't cut it anymore.

47
28

Researchers have discovered a new cyber operation against Ukrainian and Polish organizations, attributing it to the Russian state-controlled hacker group known as Fancy Bear.

During the attacks in December, Russian hackers sent phishing emails to their victims with malicious attachments. Once opened, these attachments infected targeted devices with the novel Masepie malware, according to a report from Ukraine’s computer emergency response team (CERT-UA).

The malware, written in Python, can upload files and execute commands, researchers said. In the latest campaign, the hackers used it to deliver the data-stealing malware Steelhook, which harvests data from web browsers, and the Oceanmap backdoor, which uses the IMAP email protocol as its command-and-control channel.

After the initial compromise, the hackers also bring in open-source tooling such as Impacket, including its smbexec module, to perform reconnaissance and move laterally across the network. These tools are staples of penetration testing, which is exactly why their presence on a host that has no business running them is worth alerting on.

Researchers said that the hackers' goal in this campaign was not to infect just one computer but to expand the attack to the entire network of the organization.
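One cheap way to catch this kind of lateral movement is to watch the Windows System log for Event ID 7045 ("a service was installed in the system") and score the service's ImagePath. The Python hunt below is an added example, not code from CERT-UA or from Impacket; its indicator strings are taken from the default values in Impacket's smbexec.py as published (output redirected to a loopback share path ending in __output through a %TEMP%\execute.bat batch file, and, in older releases, a service named BTOBTO). An operator can change all of those, so matches are leads rather than proof. The event records are constructed for the example.

```python
import re

# Indicator strings from the defaults in Impacket's smbexec.py (assumption:
# an operator may have edited them, so treat hits as leads, not proof).
SMBEXEC_INDICATORS = {
    "output_via_loopback_share": re.compile(r"\\\\127\.0\.0\.1\\\S*\\__output", re.I),
    "temp_batch_file": re.compile(r"%TEMP%\\execute\.bat", re.I),
    "echo_redirect_to_share": re.compile(r"echo .*\^> *\\\\127\.0\.0\.1\\", re.I),
    "comspec_quiet_exec": re.compile(r"%COMSPEC% /Q /c", re.I),
}
LEGACY_SERVICE_NAMES = {"btobto"}  # older Impacket builds; newer ones randomise the name


def score_service_install(event):
    """Return the list of indicator names a single 7045 event matches."""
    if event.get("EventID") != 7045:
        return []
    image_path = event.get("ImagePath", "")
    hits = [name for name, rx in SMBEXEC_INDICATORS.items() if rx.search(image_path)]
    if event.get("ServiceName", "").lower() in LEGACY_SERVICE_NAMES:
        hits.append("legacy_service_name")
    return hits


def hunt_smbexec(events, min_hits=2):
    """Report (service name, matched indicators) for events with at least min_hits indicators."""
    findings = []
    for ev in events:
        hits = score_service_install(ev)
        if len(hits) >= min_hits:
            findings.append((ev["ServiceName"], hits))
    return findings


# Constructed System-log records (only the fields the hunt needs).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "BTOBTO", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"
                  r" & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "xkQpWzLa", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\ADMIN$\__output 2^>^&1 > %TEMP%\execute.bat"
                  r" & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "Sysmon64", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 7045, "ServiceName": "BackupJob", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /Q /c C:\Tools\backup.bat"},
    {"EventID": 4697, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo x ^> \\127.0.0.1\C$\__output"},
]

if __name__ == "__main__":
    for name, hits in hunt_smbexec(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(hits)}")
```

The second sample shows why the scoring leans on the ImagePath rather than the service name: renaming the service costs the operator nothing, while the echo-to-loopback-share construction is what makes smbexec work. A single indicator such as a quiet %COMSPEC% launch is too common to alert on by itself, hence the two-hit floor.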

In Ukraine, the group’s victims included unnamed government agencies. Poland’s cyber agency hasn’t responded to a request for comment.

In 2023 alone, Fancy Bear, also known as APT28, targeted Ukrainian energy facilities, government agencies, and the military. France also accused the hackers of spying on French universities, businesses and think tanks.

The group is linked to Russia’s military intelligence agency (GRU) and primarily attacks government, energy, transportation and nongovernmental organizations in the U.S., Europe, and the Middle East.

The hackers commonly exploit publicly available vulnerabilities such as Microsoft Outlook flaws or a popular file archiver utility for Windows called WinRAR.

Earlier in December, the Polish cybersecurity agency said that Fancy Bear exploited the Microsoft Outlook vulnerability to gain access to mailboxes containing “high-value information.”

48
2

When AlphV/BlackCat's website went dark this month, it was like Chrimbo came early for cybersecurity defenders, some of whom seemingly believed law enforcement had busted one of the most menacing cyber criminal crews.

The excitement lasted just five days, though, and its website is now back online, albeit in worse shape than before. New victims are already being posted to the site. Regardless, many are skeptical of the ransomware group's explanation that a "hardware fault" was to blame, and rumors that police infiltrated the ring are still wafting throughout the industry.

Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement. Rarer still is a takedown where one gets a detailed look at the methods that were used in these infiltrations.

Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have broken into an array of ransomware groups and their affiliates. The full number remains a secret.

Before the authorities got their hands on Hive at the start of this year, Group-IB's researchers were inside as early as 2021, tricking their affiliates into accepting them, learning how they operated, and ultimately gathering the kind of information usually reserved for insiders only.

In 2023 alone, the serial intruders have infiltrated affiliates from Qilin and farnetwork, and over the past few years there have been many more to add to that list, though the details of which have scarcely been made public.

Group-IB's threat intelligence team spoke to The Register about how they're able to consistently break into cybercriminals' ranks and the vast work that goes into each operation.

Four-step foundation

The initial infiltration, Group-IB says, can be broken down into four key stages all connected by the common theme of gathering as much information about the ransomware-as-a-service (RaaS) group as possible.

"First, the team is gathering intel about a specific RaaS of interest. Certain RaaS programs, such as Qilin and Hive, are very private and close, hence it's important to learn about it as much as you can before you engage with the threat actor.

"Consequently, threat intelligence specialists start looking for RaaS programs' terms and conditions for affiliates, entry prerequisites, etc. Any valuable information we could use during the interview stage.

"Then the team starts obtaining contact information for the ransomware manager associated with the targeted RaaS program and attempts to establish communication with them. The most intricate phase is the interview typically facilitated through encrypted messengers."

All of this sets up the researchers for the later stages of the intrusion, and having a deep understanding of how the criminals operate proves especially useful during the interview if the target group has a particularly stringent vetting process, though this isn't always the case.

Some groups will spend time assessing each candidate for their RaaS program, including their technical expertise and grasp of specific terms, while others will simply grant access to an affiliate program seemingly with little to no thought.

It's generally understood, by the good guys and the bad, that the cybercrime underworld is teeming with researchers trying to unearth secrets from ransomware groups and as a result, it's becoming a vastly more difficult feat to infiltrate them.

The interview

Getting to the interview stage is the next step in the intrusion and where the quality of the research into the group will determine the success of the operation.

Questions will typically revolve around the candidate's prior experience with attacking organizations, which is where the preparation shines. RaaS managers will quiz potential affiliates on the ransomware landscape generally, and how other groups operate, discussing unconventional tactics, techniques, and procedures, the researchers say.

They'll also ask about the candidate's own experience in attacking organizations – light work for researchers whose job it is to analyze exactly how attacks unfold day in, day out. It's a case of taking an incident they examined recently and reciting it to pass themselves off as a genuine bad guy.

Just like any other employer, RaaS groups will also do their due diligence as regards a candidate's character, as well as their capability. Group-IB says it's important to apply for affiliate positions through conversations on cybercrime forums, using accounts that have been developed for years, given they operate in a landscape where infiltration attempts are rife.

Using mature accounts that appear to be genuine members of, and active participants in, the cybercrime community is vital in dampening suspicions of foul play. The team isn't willing to discuss with us the specifics of how to make an account seem genuine, through fear of jeopardizing future intrusion attempts. We're told they're being as genuine as can be, but will naturally be holding some details back.

It requires a great deal of leg work just to make sure the intruders appear genuine online, in the digital realm, but doing so in the actual interview, without giving oneself away, is another challenge entirely.

Communication here is crucial. Unlike Brad Pitt's Basterds in Tarantino's masterpiece of a Nazi tavern scene, the researchers understand that native speakers can flush out a foreigner with ease. One slip of the tongue or misused turn of phrase can make the difference in the operation's success. A diverse team is a successful one.

"The most challenging part is to establish trust without arousing suspicion," the researchers say.

One of the less straightforward methods RaaS managers use is to evaluate the candidate's use of language. They'll specifically look at the nuances in their communication, such as idioms, that could suggest they're not native speakers from whichever country they claim to be.

Group-IB's threat intelligence unit is blessed with proficient speakers in Chinese, English, Arabic, Russian, Turkish, Hindi, Dutch, French, Spanish, Thai, and "many other languages" to help them bypass this filter.

Predictably, a candidate will also be expected to demonstrate their technical understanding of how to carry out an attack, including their knowledge of the different tools they use.

Access granted, and the timer begins

Passing the interview stage is the biggest hurdle to surmount and once that's done and a base level of trust is earned, the real intel-gathering can begin.

During previous infiltrations, the Group-IB team has published various revelations about the world's top ransomware gangs. With Hive, it was able to identify the exact number of attacks as well as make an educated assumption about the number of companies that paid their ransom demands to keep their data confidential.

The farnetwork case revealed the group's payment structure and policy around initial intrusions into victims' networks. The Qilin operation also revealed a lucrative payment structure, as well as an inside look at how affiliates build their custom ransomware payload using the group's builder.

However, there is a limit on what can be achieved before the lack of criminality will be spotted and the researchers are rumbled. If it ever got to the point where they had to "prove themselves" to keep a degree of trust, by carrying out an attack or any other illegal act, the researchers are staunch in their position that the operation would end there.

"It's important to emphasize that as a threat intelligence analyst, you should strictly refrain from any illegal methods," they say.

"Your primary objective is to obtain as much information about the victim to mitigate further damage. For example, during the interview with farnetwork, we were provided a set of compromised credentials. We established the victims, found the source of the breach, and sent the notification to the affected company.

"It is essential to operate within the confines of the law. If security researchers engage in unlawful activities to catch a 'big fish,' they become indistinguishable from cybercriminals themselves."

Value of the operation

When illegality is out of the question, these operations have an inherently limited shelf life. Researchers who can't ever fully earn the trust of criminals by becoming one of them will never secure the long-term access to a RaaS group that's required to understand how it operates on a deep level. Which raises the question: What use is such an endeavor? Is it worth the outlay of resources?

Group-IB says it absolutely is. As demonstrated during previous encounters, insiders can help victims manage their incidents by alerting them to what the attacker has stolen, even if the attack itself can't at that point be reversed. These infiltrations also provide defenders with information that can help inform a wide range of investigative activities down the line and support industry-wide mitigation efforts.

"Such information helps understand the specific capabilities of gangs' builders, how malicious actors make payments to group owners, what manuals RaaS owners provide to affiliates, and track malicious infrastructure," its threat intel team says.

"These insights not only aid cybercrime investigations but also enhance our incident response capabilities as we are able to analyze new malware samples, gather Indicators of Compromise, and valuable information for threat attribution. This ultimately helps us to better understand how to protect our customers against the threat of ransomware."

However, as Group-IB mentioned earlier, none of this would be possible without a team – "you simply cannot do it alone," they say. Being able to rely on a bank of intelligence, years of combined experience, and, in the case of the interview, multilingual colleagues is crucial to target any RaaS affiliate.

And they really do go after anyone, they say – any group of interest to their customers and that the industry needs to understand more deeply is a target for the team's infiltrators.

Thanks to extensive preparation and an experienced team, in most cases, they're successful on the first attempt. Long may it continue.

49
4

Billions of people around the world are expected to go to the polls in 2024 in what will be the most consequential election year in recent memory. Although many in the U.S. will be focused on what is expected to be a messy presidential contest at home, voters in the European Union, India, Russia and dozens of other countries will cast their ballots in parliamentary races, constitutional referendums, and presidential elections.

Cybersecurity researchers and government officials are already warning that countries are cooking up influence operations in an effort to sway voters. Disinformation operations and hacking attempts on election infrastructure could also threaten to sow discord and undermine confidence in elections.

Although the U.S. intelligence community said this week that they had no evidence that the 2022 midterm elections were targeted by a “whole-of-government influence campaign” like the one seen in 2016, they declared that Russia and China attempted to influence voters in more subtle ways. Researchers from Recorded Future, the publisher of The Record, also wrote last week that China, Russia, Iran, domestic violent extremists, and hacktivist groups will likely take advantage of the evolving geopolitical threat landscape — namely Russia’s war against Ukraine, Israel’s ongoing conflict with Hamas, and China’s increasing assertiveness over Taiwan — to aggressively target the U.S. election.

“While advanced influence actors will very likely conduct pre-planned strategic influence operations, they will very likely opportunistically leverage official announcements, events, and public statements by prominent U.S. political figures, media personalities, celebrities, and U.S.-based organizations operating at the nexus of controversial political topics in tactical influence operations in pursuit of their objectives,” the report said.

Some officials and social media executives have warned that it could be even more challenging to secure elections in 2024 than it was in 2016. Michigan Secretary of State Jocelyn Benson, for example, said last month that artificial intelligence can make it easier for threat actors to disseminate disinformation on a scale never seen before.

50
2

Europol joined law enforcement agencies from 17 countries in warning 443 online sellers that the payment card data of their customers had been compromised.

In a press release on Friday, the agency said the two-month operation was led by Greece and supported by cybersecurity firms Group-IB and Sansec — two companies with experience monitoring digital skimming attacks.

In skimming attacks, hackers embed tools or malware in e-commerce sites that let them siphon credit card information from online stores during the checkout process. The tactic has long been a problem for popular internet sellers.
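Because a digital skimmer is usually delivered either as an extra external script tag pointing at an attacker-controlled host or as inline JavaScript appended to the checkout page, a store operator can catch many of them by periodically inventorying the scripts the checkout page loads and comparing that inventory against a known-good baseline. The following is an added example of such a check, written for this page and not taken from the article or from Europol, Group-IB or Sansec. The checkout HTML, the allowed script hosts and the injected script are all constructed sample data.

```python
"""Inventory a checkout page's scripts and flag anything outside a baseline.

Added example, not from the article or the firms it names. The idea: a
skimmer shows up as (a) a <script src=...> whose host is not one the shop
expects, or (b) an inline <script> body not seen on the known-good page.
All hostnames and HTML below are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately loads scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payments.example"}

# Inline script bodies present on the known-good baseline page (constructed),
# stored as SHA-256 digests so the baseline can be kept outside the page itself.
BASELINE_INLINE = ["window.checkoutConfig = {currency: 'EUR'};"]


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


BASELINE_INLINE_HASHES = {sha256_text(s) for s in BASELINE_INLINE}

CLEAN_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://js.payments.example/v1.js"></script>
<script>window.checkoutConfig = {currency: 'EUR'};</script>
</head><body><form id="payment">...</form></body></html>"""

# Constructed "compromised" variant: one foreign script tag plus one inline
# script not in the baseline, appended just before </body>.
INJECTED = ('<script src="//static-cdn.example-analytics.test/jquery.min.js"></script>'
            "<script>/* injected, not in baseline */document.addEventListener('submit',hook);</script>")
COMPROMISED_CHECKOUT_HTML = CLEAN_CHECKOUT_HTML.replace("</body>", INJECTED + "</body>")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= attributes
        self.inline = []        # bodies of <script> elements without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_checkout_page(html, allowed_hosts, baseline_inline_hashes, page_host):
    """Return (kind, detail) tuples for every script that deviates from the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname      # handles absolute and //protocol-relative URLs
        if host is None:                    # relative path: served by the page's own host
            host = page_host
        if host.lower() not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        digest = sha256_text(body)
        if digest not in baseline_inline_hashes:
            findings.append(("unknown-inline-script", digest[:16]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_page(COMPROMISED_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS,
                                            BASELINE_INLINE_HASHES, "shop.example"):
        print(f"{kind}: {detail}")
```

The baseline has to be refreshed whenever the checkout page legitimately changes, and this check does not cover a skimmer hidden inside an already-allowed first-party or third-party script file; for that, hashing the fetched script bodies (or enforcing Subresource Integrity on them) is the complementary control.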

With the help of several incident response teams and the European Union Agency for Cybersecurity (ENISA), hundreds of unnamed websites were notified that they were being used by hackers for digital skimming attacks.

“Digital skimming attacks can go undetected for a long time. Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet,” Europol said.

“Customers are usually not aware that their payment details have been compromised until the criminals have already used them to carry out an unauthorized transaction. Generally, it is difficult for customers to find the point of compromise.”

All of the law enforcement agencies worked with the online stores, providing technical assistance to help them remove the tools and protect customers.

The countries involved in the effort included the United States, United Kingdom, Germany, Colombia, Spain, the Netherlands and more.

The payment fraud industry has shown signs of recovery following Russian law enforcement's crackdown on domestic cybercriminals and the Russian invasion of Ukraine in 2022, according to an annual payment fraud report from Recorded Future, which owns The Record.

Researchers found 119 million cards posted for sale on dark web carding shops, with an estimated $9.4 billion in preventable fraud losses for card issuers and $35 billion in potential chargeback fees for merchants and acquirers in 2023.

In 2022, e-skimmers led to 45.6 million compromised payment card records posted for sale on dark web platforms, according to last year's report.

The type of stores embedded with e-skimmers in 2023 included restaurants — which accounted for 18.5% of all victim companies — automotive parts sellers, clothing stores, and more.

The U.S. had the most cards available with more than 50 million on the dark web. No other region or country tracked had more than 2.5 million.

“Looking ahead to 2024, fraudsters are expected to refine their tactics, continuing to compromise cards using both old and new methods. Stolen payment cards from North American and European financial institutions led in volume throughout 2023 and are likely to persist in 2024.

“The report concludes that in 2024, fraudsters will likely combine sophisticated technical solutions, nuanced workflows, and social engineering tactics to bypass rules-based fraud detection.”

Netsec


netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.
