Microsoft intensifies its war against offensive security sellers. This time Microsoft has struck Sourgum. Sourgum has been actively engaged in selling cyberweapons such as DevilsTongue malware. These weapons were used to target more than 100 victims worldwide including journalists, politicians, academics, embassy workers, etc. The victims of these attacks were located in Spain, United Kingdom, Israel, and other countries. However, more than half of all victims were located in Palestine.
According to the information provided by Citizen Lab, Sourgum is based in Israel and the list of its customers includes government agencies worldwide. Together with Citizen Lab, Microsoft has been working on releasing protection against this malware in its Windows products. The company has patched previously unknown vulnerabilities including CVE-2021-31979 and CVE-2021-33771. The vulnerabilities in question are described as Windows Kernel privilege escalation security flaws.
The State Department has announced a special offer whereby individuals who provide any information about state-backed hackers can earn up to $10 million. The measure has been taken by the Department as an element of its permanent fight against the malicious actors attacking the objects of critical infrastructure in the USA through ransomware attacks and other forms of cybercrime. For the last few years, ransomware groups have been actively targeting hospitals, local governments, manufacturers, pipelines, and other objects.
According to DHS, more than $350 million were paid to malicious groups as ransom in 2020. The huge reward is the initiative of the Biden Administration that has taken the course on fighting against ransomware groups and to this end, the multi-agency task force has been created. The key role of this task force is to push public agencies and the objects of critical infrastructure to have stronger security measures in place to address cyber threats.
Ukrainian authorities have shut down one of the largest underground cryptomining operations in the country’s history. 3,800 gaming consoles were stringed together to perform malicious activities. The malicious parties acted as auditors for endless strings of blockchain ledgers that, generally, was not prohibited, however, they were stealing electricity that constituted the violation of the national law in Ukraine. Every month this group of malicious actors was stealing electricity worth from $186,200 to $259,300.
The cryptominer farm was located in Vinnytsia, in the warehouse that had been formerly owned by JSC Vinnytsiaoblenerho. In its statement, the company denied any involvement in these malicious operations. According to the Security Service of Ukraine, the cryptomining operations were causing regular outages and power surges in the area. Apart from the game consoles, authorities also seized 50 processors, 500 graphic cards, phones, and other devices.
REvil group is blamed for attacks against Travelex, Kaseya, and large meat supplier JBS. It has recently dropped offline giving rise to serious speculations. The resources associated with the REvil group like data leak and payment dark web sites became unreachable on 13 July. Although ransomware groups tend to disappear suddenly to return under a new brand, in this case, there is the possibility that the involvement of law enforcement agencies took place.
The REvil group used to generate huge criminal revenues and, thus, the risk of its return is very high. The active actions taken by the police are not likely to bring visible results since the REvil group’s affiliates can easily jump between different ransomware services or decide to work with multiple ransomware-as-a-service simultaneously. The group’s disappearance may be also caused by the political pressure associated with the growing tensions between the USA and Russia.
The threat group likely based in Romania has been discovered by security researchers representing the company Bitdefender. The group has been targeting Linux-based machines having weak SSH credentials for deploying Monero mining malware. However, the toolbox utilized by the company allows it to commit other kinds of attacks. The toolkit of these threat actors includes traditional tools like zmap and masscan as well as SSH bruteforcer written in Golang, the previously unreported tool.
Bulletproof hosting is actively used by some of these bad actors while others actively use hosting in locations where law enforcement agencies face serious troubles in fighting against these malicious activities. The threat actors discovered by Bitdefender researchers have been actively using Discord since it involuntarily provides support for malware distribution. The Bitdefender researchers connected the threat group also to several DDoS botnets.
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.