Pro-Russian Hacktivist Group XakNet Has Ties to Kremlin, Coordinates Efforts With Killnet
RansomHouse group may have breached AMD, Former Uber security chief must face wire fraud charges related to breach, Hacking group has infected wide range of routers with new malware, much more
Don’t miss my latest CSO column, which examines Microsoft’s latest report on cyber activity in Ukraine and the lessons learned from the war.
Researchers at Mandiant say that XakNet, a pro-Russian “hacktivist” group that targeted Ukraine and its allies, may be tied to the Kremlin. U.S. officials say the group has been active since March, claiming credit for several cyber incidents targeting Ukraine, including the defacement of a news ticker during a live March broadcast on Ukraine 24 TV, which falsely reported that President Volodymyr Zelensky surrendered to the Russians, and the defacement of a Ukrainian bank website.
Mandiant says that Russian intelligence operatives were likely behind a recent breach of an unnamed organization, resulting in data theft. Information stolen in that breach wound up in the hands of XakNet. Mandiant believes XakNet and a similar group, known as Killnet, have directly coordinated some of their activity, although it’s unclear whether Russian authorities back Killnet. (Jack Gillum / Bloomberg)
Chipmaker AMD said it is investigating a potential data breach after a relatively new cybercrime operation, RansomHouse, claims to have extorted data from the U.S. chipmaker.
RansomHouse, which claimed responsibility for a cyberattack on Shoprite, Africa’s largest retailer, claims to have breached AMD on January 5 to steal 450GB of data. The group claimed to be targeting companies with weak security and claimed it was able to compromise AMD due to the use of weak passwords throughout the organization. (Carly Page / TechCrunch)
According to four digital investigators, the collapse in cryptocurrency markets has wiped out millions of dollars in funds stolen by North Korean hackers, threatening a key source of funding for the sanctions-stricken country and its weapons programs.
According to Chainalysis, old, unlaundered North Korean crypto holdings they monitor, which include funds stolen in 49 hacks from 2017 to 2021, have decreased in value from $170 million to $65 million since the beginning of the year. Nick Carlsen, an analyst with TRM Labs, another U.S.-based blockchain analysis firm, says one of North Korea’s cryptocurrency caches from a 2021 heist, which had been worth tens of millions of dollars, has lost 80% to 85% of its value in the last few weeks and is now worth less than $10 million. (Josh Smith / Reuters)
U.S. District Judge William Orrick in San Francisco said former Uber Technologies Inc. security chief Joseph Sullivan must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed the personal information of 57 million passengers and drivers.
The Justice Department accuses Sullivan of arranging to pay money to two hackers in exchange for their silence while trying to conceal the hacking from passengers, drivers, and the U.S. Federal Trade Commission. Orrick rejected Sullivan's claim that prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers would not flee and would continue paying service fees. (Jonathan Stempel / Reuters)
Researchers at Mandiant say that a Chinese influence operation known as Dragonbridge unsuccessfully tried to mobilize U.S. protests against Lynas Rare Earths, an Australian rare earth mining company planning an expansion in Texas, in order to defend Beijing’s dominance in the market.
The company is planning a new facility in Texas and has a $120 million contract with the U.S. Department of Defense. The activity dates to at least 2019 and shows increasing sophistication in its attempts to micro-target receptive authentic audiences. The campaign also promoted content criticizing President Joe Biden’s March 31 invocation of the Defense Production Act to increase domestic mining of critical minerals as a matter of national defense. (AJ Vicens / Cyberscoop)
In a public service announcement published on its Internet Crime Complaint Center (IC3), the Federal Bureau of Investigation (FBI) warns of increasing complaints that cybercriminals are using Americans' stolen Personally Identifiable Information (PII) and deepfakes to apply for remote work positions.
The announcement says the deepfakes used to apply for positions in online interviews include convincingly altered videos or images. The targeted remote jobs include positions in the tech field that would allow the malicious actors to gain access to company and customer confidential information after being hired. (Sergiu Gatlan / Bleeping Computer)
The California Department of Justice’s 2022 Firearms Dashboard Portal went live with publicly accessible files that include identifying information for those who have concealed carry permits.
The leaked information includes the person’s full name, race, home address, date of birth, and date their permit was issued. The data also shows the type of permit issued, indicating if the permit holder is a member of law enforcement or a judge. 2,891 people in Los Angeles County with standard licenses also had their information compromised by the leak, though the database also appears to include some duplicate entries. (Stephen Gutowski / The Reload)
Researchers from Lumen Technologies' Black Lotus Labs say that an unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware they call ZuoRAT that takes complete control of connected devices running Windows, macOS, and Linux.
They say they've identified at least 80 targets infected by the stealthy malware, which has compromised routers made by Cisco, Netgear, Asus, and DrayTek. The remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate. (Dan Goodin / Ars Technica)
UK ready-to-make food company Apetito, which also owns Wiltshire Farm Foods, was hit by a cyberattack resembling a ransomware attack, causing problems with deliveries at both firms.
The company apologized for the delays and said it could not contact customers personally because it does not have access to their telephone numbers. (BBC News)
Researchers at Kaspersky Lab say that entities in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware.
The company first detected the activity in mid-October 2021 and attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors. Although the final goals of the campaign remain unknown, the attackers are believed to be interested in long-term intelligence gathering. (Ravie Lakshmanan / The Hacker News)
According to Sekoia analysts, the Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity.
The Raccoon Stealer operation shut down in March 2022 when its operators announced that one of the lead developers was killed during Russia’s invasion of Ukraine. The remaining team promised to come back with a second version. (Bill Toulas / Bleeping Computer)
The hacker behind the attack on the Horizon blockchain bridge has seemingly declined the protocol’s $1 million bounty offer on the $100 million in cryptocurrency they stole by starting to launder the funds through TornadoCash.
The stolen assets are being laundered across multiple transactions at a rate of 100 ETH roughly every 6 minutes. At the time of writing, over $50 million worth of ETH has already been routed through TornadoCash, signifying a refusal of Harmony’s terms. (Jordan Lyanchev / CryptoPotato)
Researchers at Cyble discovered over 900,000 misconfigured Kubernetes clusters exposed on the internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks.
Cyble conducted an exercise to locate exposed Kubernetes instances across the internet, using scanning tools and search queries similar to those employed by malicious actors. The results show over 900,000 exposed Kubernetes servers, with 65% of them (585,000) located in the United States, 14% in China, and 9% in Germany, while the Netherlands and Ireland accounted for 6% each. (Bill Toulas / Bleeping Computer)
Cyber pirates are prowling ship controls, and hackers have hit major port logistics operations several times already this year. For example, in February 2019, a large container ship sailing for New York identified a cyber intrusion on board that did not ultimately control the vessel’s movement but startled the US Coast Guard.
Jawaharlal Nehru Port Trust, India’s busiest container port, suffered a ransomware attack in February. A targeted attack on Expeditors International of Washington Inc., a sizeable freight-forwarding company, crippled its systems for about three weeks and led to $60 million in expenses. Blume Global Inc., a supply-chain tech company based in Pleasanton, California, said in early May that a cyber incident temporarily made its asset-management platform inaccessible. Rear Admiral Wayne Arguin, the Coast Guard’s assistant commandant for prevention policy, said shipping faces cyber risks similar to those in other industries, but the stakes are much higher. (Brendan Murray / Bloomberg)
Palo Alto Networks Unit 42 researchers disclosed details of a new security flaw called FabricScape affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster.
FabricScape could be exploited on containers that are configured to have runtime access. It has been remediated as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0. Although there is no evidence that the vulnerability has been exploited in real-world attacks, organizations must take immediate action to determine if their environments are susceptible and implement the patches. (Ravie Lakshmanan / The Hacker News)
Related: Palo Alto Networks
Cyolo, an Israeli startup building technology for zero-trust networking, announced a new $60 million Series B venture funding investment.
National Grid Partners led the round with the full support of existing investors Glilot Capital Partners, Flint Capital, Differential Ventures, and Merlin Ventures. (Ryan Naraine / Security Week)
Paris-based Stoïk, a provider of SMB-focused cybersecurity and cyber insurance products, has raised €11 million (around $11.6 million) in a Series A venture round.
Andreessen Horowitz led the round with the participation of existing investors Alven and Anthemis Group and angel investors, including former AXA CEO Henri De Castries and wefox CEO Julian Teicke.