By Waqas
The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022. 
This is a post from HackRead.com Read the original post: Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

Like the original Mirai botnet, V3G4 infects IoT devices by exploiting default data login credentials such as usernames and passwords.

The IT security researchers at Palo Alto Networks’ Unit 42 have identified a new variant of the infamous Mirai malware, which was responsible for several large-scale DDoS attacks (Distributed Denial of Service attacks) on Dyn DNS in October 2016.

Dubbed V3G4 by researchers, it is a type of malware that specifically targets Internet of Things (IoT) devices. Like the original Mirai botnet, V3G4 infects IoT devices by exploiting default data login credentials such as usernames and passwords.

In the campaign tracked by Unit 42, one of the prime targets of the V3G4 malware has been exposed IP cameras. The malware uses the exposed servers and devices to create a powerful botnet, which can be used to launch DDoS attacks or perform other malicious activities, such as stealing data or installing additional malware.

According to Unit 42’s report, researchers observed the V3G4 malware leveraging several vulnerabilities to spread its infection from July to December of 2022. These vulnerabilities include the following:

CVE-2019-15107

Webmin Command Injection Vulnerability

CVE-2012-4869

FreePBX Elastix Remote Command Execution Vulnerability

CVE-2020-8515

DrayTek Vigor Remote Command Execution Vulnerability

CVE-2020-15415

DrayTek Vigor Remote Command Injection Vulnerability

CVE-2022-36267

Airspan AirSpot Remote Command Execution Vulnerability

CVE-2022-26134

Atlassian Confluence Remote Code Execution Vulnerability

CVE-2022-4257

C-Data Web Management System Command Injection Vulnerability

CVE-2017-5173

Geutebruck IP Cameras Remote Command Execution Vulnerability

CVE-2014-9727

FRITZ!Box Webcam Remote Command Execution Vulnerability

Gitorious Remote Command Execution Vulnerability

Mitel AWC Remote Command Execution Vulnerability

Spree Commerce Arbitrary Command Execution Vulnerability

FLIR Thermal Camera Remote Command Execution Vulnerability

Source: Unit 42

Researchers also noted that within the botnet client, there is a stop list of process names that it endeavours to eliminate by cross-checking the names of currently running processes on the targeted host. These process names are associated with other botnet malware families and have previously identified different variants of Mirai.

V3G4’s stop list.

This should not come as a surprise, as there have been several Mirai variants that have surfaced over the years. Some of them included MooBot, Demonbot, OMG, and several others.

> The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution. 
> 
> Palo Alto Networks – Unit 42

To protect against V3G4 and other IoT malware, it is important to follow best practices for securing IoT devices. This includes changing default usernames and passwords, keeping software up to date with the latest security patches, and disabling unnecessary services and protocols. Network segmentation can also help to contain the spread of malware if a device is infected.

1.  Cloudflare thwarts the largest DDoS attack
2.  EV Charging Stations at Risk of DoS Attacks
3.  Tor Network Hit By a Series of DDoS Attacks
4.  Tiny Mantis DDoS attacks powerful than Mirai
5.  New malware targeting IoT devices, Android TV

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

**COMMERCE, Mich.****,** **Feb. 15, 2023** **/PRNewswire/ --** Nuspire, a leading managed security services provider (MSSP), today announced the release of its Q4 and Year in Review 2022 Threat Report. The quarterly report provides a comprehensive analysis of the threat landscape, parsing malware, botnet and exploit data as well as breaking down the tactics, techniques and procedures (TTPs) favored by cybercriminals.

Nuspire's latest report validates the presumption that 2022 yielded the most threat activity in history. While Q4 saw dips across all three sectors Nuspire monitors, including malware, botnets and exploits, the net sum for the year shows a marked increase, especially in the case of exploits, which nearly doubled.

"We saw some normal ebbs in threat activity over the year, but the surges were stunning, delivering a volume of attacks we've never seen before," said J.R. Cunningham, Chief Security Officer at Nuspire. "While many of the methods focused on securing quick wins, like phishing and exploiting unpatched vulnerabilities, we also saw a rise in more coordinated threat group attacks on large organizations and critical infrastructure. Expect 2023 to have more of this activity, as well as adversaries' increased attention toward attacking consumer IoT devices."

Notable findings from Nuspire's quarterly report include:

*   Exploit activity grew by 105% in Q4 2022, with total 2022 exploits nearly doubling over 2021. Brute forcing was the most popular tactic, increasing by nearly 400% over Q3 2022.
*   Malware jumped nearly 35% in Q4, with its year-over-year increase reaching 6.85%. Nuspire attributes this relatively smaller increase to the positive effects of Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files. 
*   Botnets jumped by 30% in 2022, with banking trojan Torpig Mebroot comprising more than 40% of all botnet activity throughout the year.   

"If 2022 showed us anything, it's that threat actors are not only increasingly adept at finding ways to circumnavigate established cybersecurity defenses, but also, they bring a level of agility that lets them quickly course correct when a vector loses viability," said Craig Robinson, Research VP for Security Services at IDC. "We've seen the emergence of new security technologies aimed at thwarting a more creative and sophisticated adversary population, but no specific technology can replace the value of targeted threat intelligence to understand what's out there, how they're doing it and what you can do to protect yourself."

Access Nuspire's Q4 and Year in Review 2022 Threat Report to view the data and learn key mitigation strategies for protecting your organization's environment.

**About Nuspire** 

_Nuspire is a managed security services provider (MSSP), offering managed security services (MSS), managed detection and response (MDR), endpoint detection and response (EDR) that supports best in breed EDR solutions, and cybersecurity consulting services (CSC) that includes incident readiness and response, threat modeling, digital forensics, technology optimization, posture assessments and more. Our self-service, technology-agnostic platform, myNuspire, allows greater visibility into your entire security program. Powered by the self-healing always on Nuspire Cyber X Platform (CXP), myNuspire will help CISOs alleviate the pain associated with tech sprawl, provide intelligence driven recommendations, solve for alert fatigue and help their clients become more secure over time. Our deep bench of cybersecurity experts, award-winning threat intelligence and three 24×7 security operations centers (SOCs) detect, respond, and remediate advanced cyber threats. Our client base spans thousands of enterprises from midsized to large enterprises that span across multiple industries and geographic footprints. For more information, visit_ www.nuspire.com _and follow us at on LinkedIn @Nuspire._

SOURCE Nuspire

Report Reveals Record-Breaking Year for Cyber Threats

By Waqas
Sophisticated hackers can now breach vulnerable networks and devices at the controller level of critical infrastructure, causing physical damage to crucial assets.
This is a post from HackRead.com Read the original post: Controller-level flaws can let hackers physically damage moving bridges

By exploiting these flaws, hackers can access anything from sensors responsible for gauging temperature, pressure, liquid, air, and gas levels, as well as analyzers used to determine chemical compositions.

Forescout’s Vedere Labs has released a new research report that delves into the topic of deep lateral movement. According to researchers, this is the first comprehensive investigation of how hackers can laterally move between devices at the Purdue Level 1, or L1 (also known as the controller level) of **OT networks** (Operational Technology).

This means “sophisticated hackers” can now breach vulnerable networks and devices at the controller level of critical infrastructure, managing to cause **physical damage** to crucial assets, such as movable bridges.

Their research indicated the presence of a lot of network crawlspace, such as links running between security zones at deep system levels. Asset owners are generally unaware of this space. Hence, there’s a need to close this gap in L1 devices as the segments these are present in require a “corresponding perimeter security profile,” noted Vedere Labs.

**Proof-of-Concept**

The PoC for this research was developed using two vulnerabilities that weren’t previously disclosed. These vulnerabilities (**CVE-2022-45788** and **CVE-2022-45789**) allow authentication bypass and remote code execution on Schneider Electric Modicon PLCs (programmable logic controllers).

This was concerning because these are one of the world’s most famous PLCs and are widely used to construct critical infrastructures, including wastewater/water management, mining, energy, and manufacturing sectors.

Forescout discovered that around 1,000 PLCs had been exposed. Of these exposed PLCs, 33% were found in France, 17% in Spain, 15% in Italy, and 6% in the USA. Many of these devices were connected to solar parks, hydropower plants, and airports.

**How Deeply Can Lateral Movement Affect System Security?**

Through deep lateral movement, hackers can get deeper access to ICTs (industrial control systems) and cross all those security perimeters they previously couldn’t. So, they can carry out advanced granular and stealthy exploitations of the ICTs, while successfully overriding safety and functional restrictions.

Hackers can access anything from sensors responsible for gauging temperature, pressure, liquid, air, and gas levels, as well as analyzers used to determine chemical compositions.

They can even target actuators that are used to move machines. At the lowest level of deep lateral movement, adversaries can evade built-in safety functional limitations and cause service disruptions/damage or even threaten lives.

Forescout’s head of security research, Daniel Dos Santos, stated that “mitigating the risks of deep lateral movement requires a careful balance of network monitoring to detect adversaries as early as possible, gaining visibility into often overlooked security perimeters at the lower Purdue levels, and hardening the most interconnected and exposed devices accordingly.”

Forescout’s technical research is available **here** (PDF), while their blog post can be accessed **here**.

1.  **Encoding Physical DNA and Malware Infection**
2.  **IoT botnet of heaters can cause power outages**
3.  **The Most Commonly Hacked Smart Home Tech**
4.  **Using laser on Alexa, Google Home to unlock doors**
5.  **Unlocking doors with Industrial Control Systems flaw**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Controller-level flaws can let hackers physically damage moving bridges

By Waqas
A new record has been set for the largest reported HTTP DDoS attack, exceeding the previous record of 46 million requests per second (rps) in June 2022.
This is a post from HackRead.com Read the original post: Cloudflare thwarts largest reported HTTP DDoS attack

Cloudflare stated that it had managed to mitigate multiple “hyper-volumetric” DDoS attacks that originated from more than 30,000 IP addresses.

According to a recent blog post by Cloudflare, a vendor specializing in **DDoS attack** mitigation, its customers were targeted by a series of volumetric DDoS (Distributed Denial of Service) attacks over the past weekend.

These DDoS attacks were intended to overwhelm their websites with a high volume of HTTP requests, but what’s worse, **Cloudflare** revealed that this was the largest reported HTTP DDoS attack on record.

Cloudflare further stated that it had to mitigate multiple “hyper-volumetric” DDoS attacks that originated from more than 30,000 IP addresses. This is part of a growing trend in DDoS attacks, which not only continue to increase in size but also originate from IP addresses within cloud-computing ecosystems.

“The majority of attacks peaked in the ballpark of 50–70 million requests per second (rps) with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previously reported record of 46 million rps in June 2022,” Cloudflare wrote in its **blog post** published Monday 13th, February 2023.

“Some of the attacked websites included a popular gaming provider, cryptocurrency companies, hosting providers and cloud computing platforms. The attacks originated from numerous cloud providers, and we have been working with them to crack down on the botnet.”

Cloudflare has also warned about the rising number of HTTP DDoS attacks. According to the company, such attacks increased by 79% year-over-year in Q4 of 2022.

While volumetric attacks are not as common as application-layer and protocol attacks, the firm warned that they still pose a significant threat to websites and networks.

With **DDoS-for-hire services** becoming increasingly available, it is easier than ever for threat actors to launch such attacks. Cloudflare noted that the larger and longer the attack, the more the threat actor is likely to charge.

Therefore, it is essential for organizations to take measures to protect themselves from these types of attacks, including implementing DDoS mitigation services and monitoring their networks for unusual traffic patterns.

**Difference between a DDoS attack and a volumetric DDoS attack**

A DDoS attack, as we know it, is a type of cyber attack in which multiple **compromised Internet of Things (IoT) devices** including security cameras, websites, computers, etc. are used to flood a targeted system or network with traffic, overwhelming its capacity and causing it to become inaccessible to legitimate users.

On the other hand, a volumetric DDoS attack is a specific type of DDoS attack that focuses on overwhelming the target system or network with a vast amount of malicious internet traffic. This can include floods of packets, requests, or data that exceed the capacity of the target to handle, effectively clogging or blocking its network connections and rendering it inaccessible.

Simply put: all volumetric DDoS attacks are DDoS attacks, but not all DDoS attacks are volumetric. Volumetric attacks are characterized by their extreme scale and are often difficult to mitigate, as they necessitate significant network capacity to handle the incoming traffic.

Other types of DDoS attacks may **focus on specific vulnerabilities** or weaknesses in the target’s infrastructure, such as application-level attacks or DNS amplification attacks.

1.  **The Threat of Growing Ransom DDoS Attacks**
2.  **Akamai Mitigated Record-Breaking DDoS Attack**
3.  **Imperva mitigated massive ransom DDoS attacks**
4.  **Google Fends Off Largest Ever Layer 7 DDoS Attack**
5.  **Cloudflare Thwarts Largest Ever HTTPS DDoS Attack**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Cloudflare thwarts largest reported HTTP DDoS attack

Web infrastructure company Cloudflare on Monday disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS).
"The majority of attacks peaked in the ballpark of 50-70 million requests per second (RPS) with the largest exceeding 71 million," the company said, calling it a "hyper-volumetric" DDoS attack.
It's also

Web infrastructure company Cloudflare on Monday disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS).

"The majority of attacks peaked in the ballpark of 50-70 million requests per second (RPS) with the largest exceeding 71 million," the company said, calling it a "hyper-volumetric" DDoS attack.

It's also the largest HTTP DDoS attack reported to date, more than 35% higher than the previous 46 million RPS DDoS attack that Google Cloud mitigated in June 2022.

Cloudflare said the attacks singled out websites secured by its platform and they emanated from a botnet comprising more than 30,000 IP addresses that belonged to "numerous" cloud providers.

Targeted websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms.

HTTP attacks of this kind are designed to send a tsunami of HTTP requests toward a target website, typically in order of magnitude higher than what the website can handle, with the goal of rendering it inaccessible.

"Given a sufficiently high amount of requests, the website's server will not be able to process all of the attack requests along with the legitimate user requests," Cloudflare said.

"Users will experience this as website-load delays, timeouts, and eventually not being able to connect to their desired websites at all."

The development comes as the size, sophistication, and frequency of DDoS attacks are on the rise, with the company recording a 79% spike in HTTP DDoS attacks year-over-year in the final quarter of 2022.

What's more, the number of volumetric attacks lasting more than three hours surged by 87% when compared to the previous three-month period.

Some of the major attacked industry verticals during the time period include aviation, education, gaming, hospitality, and telecom. Georgia, Belize, and San Marino emerged as some of the top countries targeted by HTTP DDoS attacks in Q4 2022.

Network-layer DDoS attacks, on the other hand, singled out China, Lithuania, Finland, Singapore, Taiwan, Belgium, Costa Rica, the U.A.E, South Korea, and Turkey.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Massive HTTP DDoS Attack Hits Record High of 71 Million Requests/Second

By Habiba Rashid
The Trickbot botnet was dismantled in 2019, but its use by ransomware gangs evolved over the years.
This is a post from HackRead.com Read the original post: Trickbot Hacking Group Jointly Sanctioned By the US and Britain

The US and Britain have sanctioned seven members of the notorious Trickbot gang, which, according to authorities, is based in Russia.

The Trickbot ransomware bot **was dismantled** by cybersecurity companies in 2022, but somehow it managed to re-emerge. Now, the United States and the United Kingdom have come together for historic joint cyber sanctions against seven members of the notorious Russian hacking group known as **Trickbot**, officials announced on Friday.

These sanctions are the first for the UK, with officials stating that it was just the first wave of new, coordinated action against cyber criminals.

Malicious emails used in one of the Trickbot attacks

“The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime,” U.S. Secretary of State Antony Blinken said in a statement on February 9th, 2023.

It is worth noting that, despite Trickbot’s absence in the past couple of years, the individuals behind it remain active and coordinate other attacks. According to experts, Trickbot’s operations were taken over by another ransomware gang known as **Conti**. The group was first identified in the latter half of December 2019 using TrickBot to drop its payload.

U.S. and British authorities have accused Trickbot and Conti of being associated with Russian intelligence services. Not only that, but the **leak of Conti gang chats** also revealed its soft corner for Russia. Additionally, Conti declared its support for Russia soon after the country sent its troops to Ukraine on February 28th,2022.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centres, launching a wave of ransomware attacks against hospitals across the United States,” read the **announcement** by the U.S. Department of the Treasury. 

Along with other major ransomware attacks **orchestrated by the Trickbot gang**, the press release gives details, including their names, involvement with the Trickbot gang, and online monikers, regarding the seven individuals designated by the U.S. 

1.  **Emotet reemerged with botnet via Trickbot**
2.  **TrickBot crashes devices to evade analysis**
3.  **BLM movement exploited to spread Trickbot**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Trickbot Hacking Group Jointly Sanctioned By the US and Britain

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

**The Tools and Initiatives**

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

**The Impact and Breaches**

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

**So, What's Happening Now, and Why Have Things Subsided?**

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

What Happened to #OpRussia?

The US Treasury Department linked the notorious cybercrime gang to Russian Intelligence Services because cyberattacks that disrupted hospitals and other critical infrastructure align with Russian state interests.

The US and the UK have issued joint sanctions against alleged members of the TrickBot cybercrime gang for their role in cyberattacks against critical infrastructure.

Trickbot, as a malware, began life as a lowly banking Trojan before its authors started adding modules for other forms of malicious activity. It thus evolved into a multifaceted cyber-Swiss Army knife, often used as a first- or second-stage implant that, once ensconced on a victim machine, fetches ransomware or other payloads. The group ultimately grew into to acting as a ransomware affiliate for Conti and other groups. 

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," according to an announcement from the US Treasury Department. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

The announcement, intriguingly, ties the seven sanctioned people to Russian Intelligence Services, since the 2020 attacks "aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the US government and US companies." Trickbot has previously been widely considered to be a financially motivated cybercrime gang, Russian-speaking but not Russia-sponsored.

The sanctioned individuals are:

*   Vitaly Kovalev, aka Bentley or Ben
*   Maksim Mikhailov, aka Baget
*   Valentin Karyagin, aka Globus
*   Mikhail Iskritskiy, aka Tropa
*   Dmitry Pleshevskiy, aka Iseldor
*   Ivan Vakhromeyev, aka Mushroom
*   Valery Sedletski, aka Strix

The sanctions mean that the government can seize any assets that they may have in the US or UK, and it prevents US- and UK-based organizations and individuals from doing business with them. All seven perps remain at large, presumably under the comforting protection of the Russian state, which continues to look the other way when it comes to cybercriminals residing within its borders.

"These sanctions are a welcome sight although they may be academic," Timothy Morris, chief security adviser at Tanium, tells Dark Reading. "What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdiction cooperation."

As for the gang itself, a law-enforcement takedown in 2020 saw its activity slowly "wither," according to a report last year from Intel 471, with the malware's operators instead turning to the Emotet botnet to continue its incursions into businesses.

"We've not seen any Trickbot activity since the Feb. 2022 blog post," Michael DeBolt, chief intelligence officer at Intel 471, said in an emailed statement. "It is highly likely that Trickbot won't be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project."

Trickbot Members Sanctioned for Pandemic-Era Ransomware Hits

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.
The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.

The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix).

"Current members of the TrickBot group are associated with Russian Intelligence Services," the U.S. Treasury Department noted. "The TrickBot group's preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services."

TrickBot, which is attributed to a threat actor named ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking trojan and evolved into a highly modular malware framework capable of distributing additional payloads. The group most recently shifted focus to attack Ukraine.

The infamous malware-as-a-service (MaaS) platform, up until its formal closure early last year, served as a prominent vehicle for countless Ryuk and Conti ransomware attacks, with the latter eventually taking over control of the TrickBot criminal enterprise prior to its own shutdown in mid-2022.

Over the years, Wizard Spider has expanded its custom tooling with a set of sophisticated malware such as Diavol, BazarBackdoor, Anchor, and BumbleBee, while simultaneously targeting multiple countries and industries, including academia, energy, financial services, and governments.

"While Wizard Spider's operations have significantly reduced following the demise of Conti in June 2022, these sanctions will likely cause disruption to the adversary's operations while they look for ways to circumvent the sanctions," Adam Meyers, head of intelligence at CrowdStrike, said in a statement.

"Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name."

Per the Treasury Department, the sanctioned persons are said to be involved in the development of ransomware and other malware projects as well as money laundering and injecting malicious code into websites to steal victims' credentials.

Kovalev has also been charged with conspiracy to commit bank fraud in connection with a series of intrusions into victim bank accounts held at U.S.-based financial institutions with the goal of transferring those funds to other accounts under their control.

The attacks, which occurred in 2009 and 2010 and predate Kovalev's tryst with Dyre and TrickBot, are said to have led to unauthorized transfers amounting to nearly $1 million, out of which at least $720,000 was transferred overseas.

What's more, Kovalev is also said to have worked closely on Gameover ZeuS, a peer-to-peer botnet that was temporarily dismantled in 2014. Vyacheslav Igorevich Penchukov, one of the operators of the Zeus malware, was arrested by Swiss authorities in November 2022.

U.K. intelligence officials further assessed that the organized crime group has "extensive links" to another Russia-based outfit known as Evil Corp, which was also sanctioned by the U.S. in December 2019.

The announcement is the latest salvo in an ongoing battle to disrupt ransomware gangs and the broader crimeware ecosystem, and comes close on the heels of the takedown of Hive infrastructure last month.

The efforts are also complicated as Russia has long offered a safe haven for criminal groups, enabling them to carry out attacks without facing any repercussions as long as the assaults don't single out domestic targets or its allies.

The sanctions "give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions," Don Smith, vice president of threat research at Secureworks, said

According to data from NCC Group, ransomware attacks witnessed a 5% decline in 2022, dropping from 2,667 the previous year to 2,531, even as victims are increasingly refusing to pay up, leading to a slump in illicit revenues.

"This decline in attack volume and value is probably in part due to an increasingly hardline, collaborative response from governments and law enforcement, and of course the global impact of the war in Ukraine," Matt Hull, global head of threat intelligence at NCC Group, said.

Despite the dip, ransomware actors are also turning out to be "effective innovators" who are "willing to find any opportunity and technique to extort money from their victims with data leaks and DDoS being added to their arsenal to mask more sophisticated attacks," the company added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

**TEMPE, Ariz.** **and** **PRAGUE****,** **Feb. 9, 2023** **/PRNewswire/ --** Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people's contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report.

"At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn't order. It's human nature to react to urgency, fear and try to regain control of issues, and that's where cybercriminals succeed," said Jakub Kroustek, Avast Malware Research Director. "When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it's hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology."

**Growth in refund and invoice fraud, and tech support scams**

The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people's bank accounts or crypto wallets, and ask for a payment for their services.

"We recommend people ignore such pop-up messages and close the window with the escape key, or if that's not possible, restart their computer," advises Kroustek. "Also, never give remote access to your computer to somebody you don't know."

The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn't make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person's money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.

"To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be," said Kroustek.

**Information stealing adware, remote access trojans and bots**

Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a "handling fee" using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.

Avast researchers saw a significant increase of 437% in the global spread of the Arkei information stealer, which is known for stealing data from browsers' autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.

Avast telemetry also shows that the global spread of LimeRAT tripled in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim's computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload's execution. The Qakbot information stealer botnet has also evolved further and started using "HTML smuggling" to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.

**Zero-day exploits in the wild**  
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a 'get Remote Code Execution' (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update. In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report. The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report

**About Avast:** 

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

SOURCE Avast Software, Inc.

Tag

#botnet