Popular Content

Showing content with the highest reputation on 06/18/23 in all areas

  1. Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks.

     "The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition, artifacts from the group's campaigns contain messaging and imagery related to this organization."

     Diicot (née Mexals) was first documented by Bitdefender in July 2021, uncovering the actor's use of a Go-based SSH brute-forcer tool called Diicot Brute to breach Linux hosts as part of a cryptojacking campaign. Then earlier this April, Akamai disclosed what it described as a "resurgence" of the 2021 activity that's believed to have started around October 2022, netting the actor about $10,000 in illicit profits.

     "The attackers use a long chain of payloads before eventually dropping a Monero cryptominer," Akamai researcher Stiv Kupchik said at the time. "New capabilities include usage of a Secure Shell Protocol (SSH) worm module, increased reporting, better payload obfuscation, and a new LAN spreader module."

     The latest analysis from Cado Security shows that the group is also deploying an off-the-shelf botnet referred to as Cayosin, a malware family that shares characteristics with Qbot and Mirai. The development is a sign that the threat actor now possesses the ability to mount DDoS attacks. Other activities carried out by the group include doxxing of rival hacking groups and its reliance on Discord for command-and-control and data exfiltration.

     "Deployment of this agent was targeted at routers running the Linux-based embedded devices operating system, OpenWrt," the cybersecurity company said. "The use of Cayosin demonstrates Diicot's willingness to conduct a variety of attacks (not just cryptojacking) depending on the type of targets they encounter."

     Diicot's compromise chains have remained largely consistent, leveraging the custom SSH brute-forcing utility to gain a foothold and drop additional malware such as the Mirai variant and the crypto miner. Some of the other tools used by the actor are as follows:

     - Chrome - An internet scanner based on Zmap that can write the results of the operation to a text file ("bios.txt").
     - Update - An executable that fetches and executes the SSH brute-forcer and Chrome if they don't exist in the system.
     - History - A shell script that's designed to run Update.

     The SSH brute-forcer tool (aka aliases), for its part, parses the text file output of Chrome to break into each of the identified IP addresses, and if successful, establishes remote connection to the IP address. This is then followed by running a series of commands to profile the infected host and using it to either deploy a cryptominer or make it act as a spreader if the machine's CPU has less than four cores.

     To mitigate such attacks, organizations are recommended to implement SSH hardening and firewall rules to limit SSH access to specific IP addresses.

     "This campaign specifically targets SSH servers exposed to the internet with password authentication enabled," Cado Security said. "The username/password list they use is relatively limited and includes default and easily-guessed credential pairs."

     Source: https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html
    2 points
  2. 🤣 The same synscan made by bios in 2001. In 22 years, none of them has made anything else. The same tools rewritten, with kisses, frills and junk added in bash.
    1 point
  3. I don't really understand what's going on in this world, crap like this has been done for decades...
    1 point
  4. The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa.

     Ruslan Magomedovich Astamirov, 20, of Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month.

     "Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware," the DoJ said.

     Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to deploy the ransomware and communicate with the victims. Law enforcement agencies said they were able to trace a chunk of an unnamed victim's ransom payment to a virtual currency address operated by Astamirov.

     The defendant, if convicted, faces a maximum penalty of 20 years in prison on the first charge and a maximum penalty of five years in prison on the second charge.

     Astamirov is the third individual to be prosecuted in the U.S. in connection with LockBit after Mikhail Vasiliev, who is currently awaiting extradition to the U.S., and Mikhail Pavlovich Matveev, who was indicted last month for his participation in LockBit, Babuk, and Hive ransomware. Matveev remains at large.

     In a recent interview with The Record, Matveev said he was not surprised by the Federal Bureau of Investigation's (FBI) decision to include his name in the Cyber Most Wanted list and that the "news about me will be forgotten very soon." Matveev, who said he is self-taught, also admitted to his role as an affiliate for the now-defunct Hive operation, and professed his desire to "take IT in Russia to the next level."

     The DoJ statement also comes a day after cybersecurity authorities from Australia, Canada, France, Germany, New Zealand, the U.K., and the U.S. released a joint advisory warning of LockBit ransomware.

     LockBit functions under the ransomware-as-a-service (RaaS) model, in which the core team recruits affiliates to carry out the attacks against corporate networks on their behalf in return for a cut of the ill-gotten proceeds. The affiliates are known to employ double extortion techniques by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites in an attempt to pressurize the targets into paying ransoms.

     The group is estimated to have launched nearly 1,700 attacks since emerging on the scene in late 2019, although the exact number is believed to be higher since the dark web data leak site only reveals the names and leaked data of victims who refuse to pay ransoms.

     Source: https://thehackernews.com/2023/06/20-year-old-russian-lockbit-ransomware.html
    1 point