The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplifies DDoS attacks today. This is a dangerous warning that the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.

The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplifies DDoS attacks today. This is a dangerous warning that the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.

While data breaches and ransomware are still considered among the more significant concern for businesses, the threats sometimes come from a direction we weren’t expecting. Cybercriminals use botnets for various malicious purposes, most significantly for DDoS attacks against targets. The most important change is now the bot armies are increasingly made of IoT devices.

As the total installed base of IoT devices worldwide is expected to reach 30.9 billion by 2025, the IoT botnet threat and its overall power continue to expand.

Attackers seized the opportunity to create large botnets, to large complex DDoS attacks to disable or knock offline a target website. Although the IoT botnets can steal confidential data, as seen in the instance of the Torri botnet, most of the botnets have been used for DDoS attacks.

This is a dangerous warning for an online business to ensure they have effective anti-DDoS protection and bot takeover prevention.

**High-Level Anatomy of IoT DDoS Attack**

So, what is a botnet? – A botnet is a group of infected computers under the control of attackers used to perform various scams and cyber-attacks. Here, the attackers use malware to take control of vulnerable IoT devices to block legitimate users from accessing internet services by executing DDoS attacks.

A simple principle governs a DDoS attack: it takes down websites offline by consuming more resources or occupying all available bandwidth. Attackers with more hijacked IoT devices can consume more resources and launch a more damaging attack. The three main goals of attackers include:

*   *   To cause consumption of limited resources
    *   To cause destructive changes to network devices
    *   To change or destroy configuration information

**Why Are IoT Devices Easy Prey for Botnet Malware?**

The increased proliferation of IoT devices has become an attractive target for attackers. Further, most IoT devices include serious security issues like weak passwords, open access to management systems, default administrative credentials, or weak security configurations. As millions of IoT devices and their numbers continue to increase, they are not constantly updated to patch against security vulnerabilities.

Botnet attacks seize the opportunity of IoT vulnerabilities to take control of the devices and lead to disruptions in online services. They’re most placed on networks that are not monitored for the attack, making it easy for attackers to access them. Further, in most cases, the network where they reside offers a high-speed connection that enables a large amount of DDoS attack traffic.

**Major IoT Botnet DDoS Attack Trends**

IoT botnet DDoS attacks are not new; Mirai was the most prevalent and has continued to target IoT devices since 2016. Mirai made its debut on September 20, 2016, with a DDoS attack against cybersecurity expert Krebs’s blog. The next notable IoT botnet DDoS attack was in October 2016 against Dyn, a major DNS (Domain Name Service). The Mirai botnet assaulted the victim with one terabit traffic per second, which made a new record in a DDoS attack.

According to the ENISA threat landscape report, in 2019, the Mirai variants increased by 57%. The Verizon data breach investigations report recorded 103 699 botnet incidents primarily targeting professional, financial, and information services industry verticals.

A new variant of Mirai called Mozi accounted for the most observed flooded traffic in late 2019 through 2020. The Mirai and its variant continue to pose a threat in 2021; they broadened their attack with its significant new capabilities.

Attackers use multiple botnets based on Mirai and Mozi botnets like Echobot, BotenaGo, Moonet, and Loli to target devices. According to Sam’s report on the IoT security landscape, more than 1 billion IoT security attacks took place in 2021, nearly 62 million of which were IoT-related DDoS attacks.

**How Can You Protect Against IoT Botnet DDoS Attacks Today?**

As the botnet landscape expands and highly sophisticated threats become inevitable, enterprises must move beyond legacy security solutions.

The first step to addressing these ongoing security challenges is moving to comprehensive risk-based security solutions. In addition, advanced, automated endpoint detection and protection solutions must offer complete visibility into IoT devices and their security state.

As always, prevention steps should be implemented to stay protected from such attacks:

*   Monitor incoming and outgoing traffic on your network for malicious activities with a web application firewall. Next-gen WAF like Indusface AppTrana can block bad bots from specific IPs while ensuring a smooth transfer of legitimate bot traffics.
*   Monitor login attempts and create a lookout for spikes
*   Keep IoT devices on protected networks
*   Perform continuous security testing on IoT devices

**The Closure**

DDoS attacks are the standard intent of an IoT botnet. DDoS may be an unavoidable part of the new reality, but you don’t need to take it as the new norm. Architect robust security solutions to properly secure your businesses.

IoT Botnets Fuels DDoS Attacks – Are You Prepared?

New research shows how deep learning models trained for network intrusion detection can be bypassed

New research shows how deep learning models trained for network intrusion detection can be bypassed

Recent years have seen a growing interest in the use of machine learning and deep learning in cybersecurity, especially in network intrusion detection and prevention.

However, according to a study by researchers at the Citadel, a military college in South Carolina, US, deep learning models trained for network intrusion detection can be bypassed through adversarial attacks, specially crafted data that fools neural networks to change their behavior.

**DNS amplification attacks**

The study (PDF) focuses on DNS amplification, a kind of denial-of-service attack in which the attacker spoofs the victim’s IP address and sends multiple name lookup requests to a DNS server.

The server will then send all the responses to the victim. Since a DNS request is much smaller than the response, it results in an amplification attack where the victim is flooded with bogus traffic.

**RELATED** Adversarial attacks against machine learning systems – everything you need to know

“We decided to study deep learning in DNS amplification due to the increasing popularity of machine learning-based intrusion detection systems,” Jared Mathews, the lead author of the paper, told _The Daily Swig_.

“DNS amplification is one of the more popular and destructive forms of DoS attacks so we wanted to explore the viability and resilience of a deep learning model trained on this type of network traffic.”

**Attacking the model**

To test the resilience of network intrusion detection systems, the researchers created a machine learning model to detect DNS amplification traffic.

They trained a deep neural network on the open source KDD DDoS dataset. The model achieved above 98% accuracy in detecting malignant data packets.

Architecture of machine learning model for DNS amplification attacks

To test the resilience of the ML-based network intrusion detection system, the authors pitted it against Elastic-Net Attack on Deep Neural Networks (EAD) and TextAttack, two popular adversarial attack techniques.

“We chose TextAttack and Elastic-Net Attack due to their proven results in both natural language processing and image processing respectively,” Mathews said.

Read more of the latest information security research news

Although the attack algorithms were not initially intended to be applied to network packets, the researchers were able to adapt them for the purpose. They used the algorithms to generate DNS amplification packets that passed as benign traffic when processed by the target NIDS system.

Both attack techniques proved to be effective, significantly reducing the network intrusion detection system’s accuracy, and causing large amounts of both false positives and false negatives.

“While both attacks could easily generate adversarial examples with the DNS Amplification data we used, TextAttack was more suited for minimally perturbing the datatypes in the packet features,” Mathews said.

The researchers have not yet tested the attack on off-the-shelf intrusion detection systems, but plan to do so and report the findings in the future.

  
Structure of adversarial attack against ML-based network intrusion detection system

**Complexities of using ML in cybersecurity**

The researchers conclude that it is relatively easy to deceive a machine learning network intrusion detection systems with adversarial attacks, and it is possible to take adversarial algorithms that were initially meant for another application and adapt them to network classifiers.

“The biggest takeaway would be that using deep learning in network security is not a simple solution, and as a standalone NIDS, they are quite fragile,” Mathews said.

“For a classifier used to detect attacks on critical networks, there should be extensive testing. Using these DL models in conjunction with a rules-based NIDS as a secondary detector can prove to be very effective as well.”

The team is in the process of expanding their findings to other kinds of attacks, including IoT DDoS traffic.

**READ MORE** Zyxel firewall vulnerabilities left business networks open to abuse

Adversarial attacks can cause DNS amplification, fool network defense systems, machine learning study finds

Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.

Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.

“\[A.I.G.\] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.

The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.

****Unique Business Model****

This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.

“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.

A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.

Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.

****Anatomy of a Threat Group****

Researchers took a deep dive into how A.I.G. operates, communicates and manages its operations, as well observed the specific cybercriminal services it offers.

DDoS seems to be the group specialty, with Atlas providing solid proof of execution to customers for as little as 20 euros per victim, researchers said. The group also offers a popular data-leak services that focuses on anything that might be valuable to potential buyers, Gihon said.

A.I.G. has published leaked databases from all over the world for sale, with a starting price from 15 euros, researchers said. The group targeted various sectors in the breaches, including education, finance, government entities, manufacturing and technology, they said.

A.I.G. also has premium services that demand more skill and demonstrate the group’s sophistication, researchers said. One of these products is hacked panels and initial access to organizations, with prices for these services starting from about $1,000.

The group also offers “VIP services” that claim ties to people in law-enforcement positions across Europe that can give customers access to sensitive information about specific individuals, researchers said.

****Multi-Channel Communication****

Telegram is the communication platform of choice for A.I.G., with the group operating three different Telegram channels with thousands of subscribers, researchers said. One is a database marketplace for selling leaked databases, and another is a commercial channel that also includes announcements and updates from the group, they said.

Atlas also operates a unique Telegram channel in which Mr. Eagle and the group’s administrators publish the contracts that the group offers to those hired to perform attacks. This allows subscribers to sign up depending on what they can offer and helps the group recruit various cybercriminals, such as red teamers, social engineers and malware developers, researchers said.

Atlas sells its services primarily on an e-commerce store on the site Sellix.io, a forum that offers payment with cryptocurrency and acts as a broker, providing the privacy-conscious group with an extra layer of anonymity, Gihon said.

“Observing the behavior of the group in general and the leader in particular, it seems that operation security (OpSec) is a top priority,” he wrote.

****The (Mr.) Eagle Has Landed****

Indeed, the group’s leader is an enigmatic figure who appears to run a tight ship in terms of his overall maturity and professionalism, exhibiting logical and meticulous decision-making and behavior that leaves “no room for errors,” Gihon wrote.

“Mr.Eagle tends to have very strict rules in the management of the group, including banning and throwing \[out\] scammers and other threat actors that try to advertise their products,” he wrote. “It seems that Mr.Eagle maintains very high reliability among the group.”

This type of leadership apparently comes in handy when delegating tasks to general administrators, of which A.I.G. appears to have at least four—dubbed El Rojo, Mr.Shawji, S41T4M4 and Coffee, researchers said. The administrators carry out day-to-day advertising tasks as well as management of group operations and communication channels, researchers said.\\

The hired contractors, or “mercenaries,” who carry out the nefarious activities of the group are the lowest rung of the A.I.G. structural ladder. This part of the group is a revolving door of cybercriminals who are hired to work only on a particular campaign based on their skillset, researchers said.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

By Deeba Ahmed
The pro-Ukraine groups thought they were fighting back against Russia with a new DDoS app, but it turns…
This is a post from HackRead.com Read the original post: App Meant to Hit Russia with DDoS Attack Infected Android Phones of Ukraine Activists

****The pro-Ukraine groups thought they were fighting back against Russia with a new DDoS app, but it turns out the app itself is malware that has been infecting their devices, Google has confirmed.****

Google Threat Analysis Group (TAG) has published its findings on the activities of an Advanced Persistent Threat (APT) group Turla, aka Venomous Bear, Krypton, Uroburos, and Waterbug, against Ukrainian targets.

This APT group is affiliated with the Federal Security Service, Russia, and according to TAG security engineer Billy Leonard, it is deploying Android malware disguised as a DDoS attack tool.

It is worth noting that Turla is the same group that was found to control malware via Instagram posts of the popular American singer and dancer Britney Spears back in June 2017.

**Ukrainians Trapped with Fake DDoS Tools**

As per Google Tag’s report, Turla’s fake DDoS app is hosted on a spoofed version of the Ukrainian Azov Regiment (the country’s far-right inventory unit) identified as cyberazovcom.

Leonard explained that this is the first time they have seen Turla distributing Android malware. The fake apps weren’t delivered via the Google Play Store but on the spoofed domain, which the attackers controlled. They also used third-party messaging services to promote the domain.

However, according to Lab52, this is not the first time the Turla APT group has been caught spreading Android malware. In its report published in April 2022, the company stated that the Turla group has been distributing Android malware capable of tracking GPS location and spying on victims.

At the moment, Turla is focusing on targeting pro-Ukrainian activists, primarily those who enlisted to volunteer for the IT army to launch DDoS attacks against Russian IT infrastructure.

Screenshot of the fake website controlled by Tusla hackers to spread the malicious Android app disguised as the DDoS app (Image: Google’s TAG)

**Scam Details**

According to Google TAG’s blog post, the malicious Cyber Azov app is being distributed among Pro-Ukrainian activists and organizations to launch DDoS attacks against Russian sites from their smartphones quickly.

> “The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the ‘DoS’ consists only of a single GET request to the target website, not enough to be effective.”
> 
> Billy Leonard – Google TAG

The final malicious payload is unclear, and Leonard noted that the number of installs is also relatively low. The fake app was detected in March 2022, after which TAG security researchers warned Ukrainian activities to remain cautious while downloading DDoS tools from unverified platforms.

In conclusion, be very careful about who you trust online. Russian hackers are highly sophisticated not only in developing and malware but in social engineering aimed at targeting their victims.

1.  Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider
2.  Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices
3.  Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks
4.  Russia’s Yandex hit by largest DDoS attack involving 200,000 hacked devices
5.  Google takes down sites with ties to hack-for-hire groups in UAE, Russia, India

App Meant to Hit Russia with DDoS Attack Infected Android Phones of Ukraine Activists

The rapidly growing Atlas Intelligence Group relies on cyber-mercenaries to carry out its missions.

A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a somewhat different — and potentially trend-setting — cybercrime model.

Researchers from Cyberint who were the first to spot the group described the threat actor as selling a variety of services via its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks via RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing rapidly since then.

What makes the threat actor different from the myriad others with similar offerings is the fact that the operators themselves appear to be entirely outsourcing the actual hacking activities to independent cyber-mercenaries who have no direct connection to the operation. For instance, when a client purchases AIG's DDoS, data theft, or malicious spam services, the group advertises for and hires independent contractors to execute the actual tasks. That's unlike most threat groups. which recruit and maintain the same team of hackers for different campaigns.

**A Model for OpSec**

AIG's model appears designed to ensure a high level of operations security for its leaders by keeping them segregated from those doing the criminal hacking activity, according to Cyberint.

"AIG is the first group I've seen that is using this business model," says Shmuel Gihon, security researcher with Cyberint. "Every team has its leaders, and every team has key members. But here it's different: we have one leader that controls everything and everyone."

AIG's business model appears designed to take advantage of the growing number of hacker-for-hire groups that have begun surfacing all over the world in recent years. The groups, many of which operate out of India, Russia, or the United Arab Emirates, specialize in breaking into target networks, stealing data, and carrying out a variety of other malicious activities on behalf of the clients who hire them. One example of such a group is Russia-based "Void Balaur," a cyber-mercenary group that researchers at Trend Micro and others have linked to attacks on thousands of organizations and individuals for several years.

Gihon says Cyberint's analysis of AIG's activities shows it is being run by a secretive individual using the handle "Mr. Eagle." This individual appears responsible for initiating all AIG campaigns and plans. Cyberint has so far been able to identify at least four other individuals that are operating under this leader, and who are responsible for tasks such as advertising the group's services, communicating with customers, and operating its Telegram channels.

"What makes them different is the fact that they are very good \[at\] making themselves anonymous and approaching this operation as entrepreneurs and not as technical people," Gihon says. The group's behavior suggests the core members — or at least its leader — were red teamers or malicious hackers that have decided to lead rather than operate.

"They have been around in the darknet and in the cybercrime industry for a while and observed how things are operating," he added.

**Telegram Communications**

Cyberint said it has observed the group use three different Telegram channels, with thousands of subscribers between them, for its operations.

One of the channels is a marketplace for leaked databases. The databases appear to belong to organizations in different sectors such as government, finance, manufacturing, and technology, from around the world. The collection of databases on sale via the Telegram channel suggests that AIG isn't focusing on any specific region or sector. Rather, the group appears to be targeting organizations that it thinks might be valuable for potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other information likely of interest to distributors of malicious spam, spear-phishing groups, and hacktivists.

"AIG claims that these databases are exclusive, so the assumption is that they obtained it \[via\] their contractors," Gihon says. Given the low price, it is unlikely that AIG obtained them from a third-party and is reselling them, he says.

AIG has a second Telegram channel that it uses to publish ads for various hacking services that it might be looking for, and where hackers have an opportunity to bid for contracts. The channel serves as the threat group's source for finding malware developers, social engineers, red teamers, and other cyber-mercenaries.

AIG's third Telegram channel, which serves as its communication channel, is where the group posts announcements, lists of intended targets, and other information. The threat actor also maintains an e-commerce store where people can purchase AIG's services and stolen databases using cryptocurrency.

Gihon says AIG's business model gives it a level of flexibility that other threat groups do not have.

"The leader is not bound to any one of the members because they are all contractors," he says. "So, while other groups have their ups and downs given the fact that they are the same group of people most of the time, Mr. Eagle has the privilege to hire the best of the best anytime," he says. "This could make this team very lethal in the end game."

'AIG' Threat Group Launches With Unique Business Model

The LAPSUS$ group emerged with a big splash at the end of 2021, targeting companies, including Okta, with a "reckless and disruptive" approach to hacking.

The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.  

However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.

A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.

"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.

**Chaos, Lack of Logic Part of the Plan**

"You could absolutely call LAPSUS$ 'a little punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."

She explains that perhaps due to the group’s decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can’t operate from the "we're not an interesting target" point of view with actors like LAPSUS$.

Tills adds that it’s always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.

"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$’s brief and boisterous career."

As noted in the report, extortion groups are likely to target cloud environments, which often contain sensitive, valuable information that extortion groups seek.

"They are also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspect behavior."

As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.

"After that, robust practices like multifactor and passwordless authentication are critical," she explains. "Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."

She adds that while initial access was typically achieved through social engineering, legacy vulnerabilities are invaluable to threat actors when seeking to elevate their privileges and move laterally through systems to gain access to the most sensitive information they can find.

**LAPSUS$ Members Likely Still Active**

Just because LAPSUS$ has been quiet for months does not mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.

"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471’s Shared Services.

He explains that even though LAPSUS$ group members have been arrested, he believes the group’s communication channels will stay operational and that many businesses will be targeted by threat actors once affiliated with the group.

"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."

**Money as the Main Motivator**

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.

"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time." 

He points out LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness to social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.

Ellis says while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.

He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.

"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."

Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists

Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites.
Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and

Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites.

Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB).

"This is the first known instance of Turla distributing Android-related malware," TAG researcher Billy Leonard said. "The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services."

It's worth noting that the onslaught of cyberattacks in the immediate aftermath of Russia's unprovoked invasion of Ukraine prompted the latter to form an IT Army to stage counter-DDoS attacks against Russian websites. The goal of the Turla operation, it appears, is to use this volunteer-run effort to their own advantage.

The decoy app was hosted on a domain masquerading as the Azov Regiment, a unit of the National Guard of Ukraine, calling on people from around the world to fight "Russia's aggression" by initiating a denial-of-service attack on the web servers belonging to "Russian websites to overwhelm their resources."

Google TAG said the actors drew inspiration from another Android app distributed through a website named "stopwar\[.\]pro" that's also designed to conduct DoS attacks by continually sending requests to the target websites.

That said, the actual number of times the malicious Cyber Azov app was installed is minuscule, posing no major impact on Android users.

Additionally, the Sandworm group (aka Voodoo Bear) has been connected to a separate set of malicious activities leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to send links pointing to Microsoft Office documents hosted on compromised websites targeting media entities in Ukraine.

UAC-0098, a threat actor that CERT-UA last month warned of distributing tax-themed documents carrying a Follina exploit, has also been assessed to be a former initial access broker with ties to the Conti group in charge of disseminating the IcedID banking trojan.

Other kinds of cyber activity include credential phishing attacks mounted by an adversary referred to as COLDRIVER (aka Callisto) aimed at government and defense officials, politicians, NGOs and think tanks, and journalists.

These involve sending emails either directly, including the phishing domain or containing links to documents hosted on Google Drive and Microsoft OneDrive that, in turn, feature links to an attacker-controlled website designed to steal passwords.

The latest developments are yet another indication of how Russian threat actors are exhibiting continued signs of increasing sophistication in their attempts to target in ways that highlight their evolving techniques.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Tricked Ukrainians with Fake "DoS Android Apps to Target Russia"

A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device.

** PSIRT Advisories**

**FortiDDoS - Use of hardcoded key for the JWT token**

**Summary**

A use of hard-coded cryptographic key vulnerability \[CWE-321\] in FortiDDoS API may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device.

**Affected Products**

FortiDDoS version 5.5.0 through 5.5.1  
FortiDDoS version 5.4.0 through 5.4.2  
FortiDDoS version 5.3.0 through 5.3.1  
FortiDDoS version 5.2.0  
FortiDDoS version 5.1.0

**Solutions**

Please upgrade to upcoming FortoDDoS 5.6.0 or above.

**Acknowledgement**

Fortinet is pleased to thank Victor Pasman for bringing this issue to our attention under responsible disclosure.

CVE-2022-29060: Fortiguard

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Tag

#ddos