Sunday, January 21, 2024

Cryptojacking in Ukraine


The act of exploiting someone else's computer, without authorization, to mine cryptocurrencies is called "cryptojacking".

The Ukrainian National Police and Europol have announced the arrest of an individual believed to be involved in a $2 million cryptojacking operation. The operation started in 2021.


The hacker created more than ONE MILLION virtual computers to mine cryptocurrency.


“By stealing cloud resources to mine cryptocurrencies, the criminals can avoid paying for the necessary servers and power, the cost of which typically outweighs the profits. The compromised account holders are left with huge cloud bills,” Europol notes.


https://www.securityweek.com/hacker-accused-of-running-2-million-cryptocurrency-mining-scheme-arrested-in-ukraine/?is=5a5d7ed30c1b46eb1c21fcf1e6c51b4c49dc532ddd4c930a7f4472ce34fe37c3


"As part of the operation, which started in 2021, the miscreant targeted the servers of one of the largest ecommerce companies, hacking more than 1,500 user accounts in automated password brute-forcing attacks, the Ukrainian authorities announced.


The attacker then gained management access and infected the service with cryptocurrency mining malware."


"Threat actors are known to target cloud servers for cryptojacking due to the high computing power these environments provide."


"In October, Palo Alto Networks revealed that, for two years, a threat actor had been harvesting IAM credentials from public GitHub repositories within minutes of exposure, using them to set up AWS Elastic Compute (EC2) instances for illicit crypto-mining."
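The Ukrainian case above began with automated password brute-forcing against more than 1,500 accounts, and the miners were only deployed once an account had been taken over. The earliest point to catch such an operation is therefore in the authentication logs. The detector below is an added example written for this post, not code from the original article or from any of the reports it cites. It assumes a simple, constructed log format (`<ISO timestamp> auth <fail|success> user=<name> src=<ip>`) and flags, per source address and 10-minute window, both classic single-account brute force and password spraying across many accounts, calling out any account that then logged in successfully from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format for this example (constructed, not from any real system):
# "<ISO timestamp> auth <fail|success> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>fail|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW_SECONDS = 600   # fixed 10-minute buckets per source address
FAIL_THRESHOLD = 5     # failures per source per window before we alert
SPRAY_ACCOUNTS = 4     # this many distinct accounts in one window = spraying

EPOCH = datetime(1970, 1, 1)

# Constructed sample log lines (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = """\
2024-01-20T10:00:01 auth fail user=alice src=198.51.100.7
2024-01-20T10:00:02 auth fail user=bob src=198.51.100.7
2024-01-20T10:00:03 auth fail user=carol src=198.51.100.7
2024-01-20T10:00:04 auth fail user=dave src=198.51.100.7
2024-01-20T10:00:05 auth fail user=erin src=198.51.100.7
2024-01-20T10:00:06 auth success user=erin src=198.51.100.7
2024-01-20T10:05:00 auth fail user=alice src=203.0.113.9
2024-01-20T10:05:30 auth success user=alice src=203.0.113.9
2024-01-20T11:00:01 auth fail user=admin src=192.0.2.44
2024-01-20T11:00:02 auth fail user=admin src=192.0.2.44
2024-01-20T11:00:03 auth fail user=admin src=192.0.2.44
2024-01-20T11:00:04 auth fail user=admin src=192.0.2.44
2024-01-20T11:00:05 auth fail user=admin src=192.0.2.44
2024-01-20T11:00:06 auth fail user=admin src=192.0.2.44
"""


def parse(lines):
    """Turn raw log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not crash the detector
        ts = datetime.fromisoformat(m["ts"])
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def bucket_of(ts):
    """Index of the fixed window the timestamp falls in (timezone-independent arithmetic)."""
    return int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS


def detect(lines):
    """Return one alert per (source, window) whose failures exceed the threshold."""
    events = parse(lines)
    fails = defaultdict(list)      # (src, bucket) -> [(ts, user), ...]
    successes = defaultdict(set)   # (src, bucket) -> users that logged in

    for ts, result, user, src in events:
        key = (src, bucket_of(ts))
        if result == "fail":
            fails[key].append((ts, user))
        else:
            successes[key].add(user)

    alerts = []
    for (src, bucket), entries in sorted(fails.items()):
        if len(entries) < FAIL_THRESHOLD:
            continue
        users = {u for _, u in entries}
        kind = "password_spray" if len(users) >= SPRAY_ACCOUNTS else "brute_force"
        # A success for an attacked account from the same source in the same
        # window is the strongest signal: the guessing may have worked.
        hit = sorted(users & successes[(src, bucket)])
        alerts.append({
            "src": src,
            "kind": kind,
            "failures": len(entries),
            "accounts": len(users),
            "succeeded": hit,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above the detector produces two alerts: a brute-force alert for `192.0.2.44` hammering `admin`, and a password-spray alert for `198.51.100.7` that also lists `erin` as an account that logged in successfully right after the spray. The fixed-window bucketing is deliberately simple; a production rule would use a sliding window and would add lockout or MFA enforcement as the response, but the two signals (many failures from one source, followed by a success) are the same ones that would have revealed the account takeovers behind the operation described here.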

Monday, January 15, 2024

Hack of Danish Energy Companies


There are still many people in companies who are not aware of cybersecurity risks and who underestimate cyber threats. They wake up only after they see their company in the hacking news on the internet, while considering whether or not to pay the ransom requested by the hacker groups.

So be aware before you see your company in the hacking news the next day. Be aware that it is not a joke. Be aware that cyber threats are real. Do not hesitate to spend enough budget on cyber security. Otherwise you will have to spend much more than that on hackers after you have been hit by a ransomware attack.


It is known that Ukrainian critical infrastructure has been under attack for more than 10 years (allegedly by Russian-affiliated hacker groups). But Ukraine is not the only victim.


Nearly two dozen Danish energy companies were hacked through a firewall bug in May 2023, as stated in a Forescout report published this week (A Critical Analysis of Recent Energy Sector Attacks in Denmark and Ukraine).


You can read the Forescout report at the link below:

https://www.forescout.com/resources/clearing-the-fog-of-war/?is=5a5d7ed30c1b46eb1c21fcf1e6c51b4c49dc532ddd4c930a7f4472ce34fe37c3


https://therecord.media/denmark-attacks-forescout-analysis-zyxel?is=5a5d7ed30c1b46eb1c21fcf1e6c51b4c49dc532ddd4c930a7f4472ce34fe37c3


"What happened in Denmark can also happen to you, cybersecurity researchers are warning in a new report that examines attacks against the country’s energy sector last year."


"The takeaway is that 'critical infrastructure organizations across Europe should remain alert to attacks on unpatched network infrastructure devices.'"


"...Nearly two dozen companies were affected, and the intrusions usually involved the abuse of products from the Taiwan-based manufacturer Zyxel,..."


"...The problem for administrators, Forescout said, is the 'common lack of detection and hardening capabilities around native OT scripting functionality.'"

Monday, January 8, 2024

Justice over IP (JoIP)?


If you use Justice over IP (JoIP), then you have to be much more careful. Judicial systems have not been a primary target for most hackers most of the time, but this does not mean that they are not vulnerable and will never be hacked. If you are in the IP world, then you need to take measures against the bad guys. Otherwise you might find yourself or your company on the front pages of the internet media the next day.

As the well-known saying goes, "Justice delayed, justice denied," a new version of this saying may emerge if judicial systems are not adequately protected: "Justice hacked, case files exposed."


Well, this concern became a reality in Australia towards the end of 2023 when the court system of Victoria (CSV), Australia, fell victim to a suspected ransomware attack in which audiovisual recordings of court hearings may have been accessed. "From legal proceedings to potential YouTube fodder."


https://bit.ly/3tQy5KL


"The court system of Victoria, Australia, was subject to a suspected ransomware attack in which audiovisual recordings of court hearings may have been accessed."


"The incident began on December 8 and attackers may have accessed hearings between November 1 and December 21, with a small number of recordings generated before this range also potentially compromised."


"Concerns exist over the potential leaking of information from particularly sensitive cases heard during the last two months of 2023."


"Speaking to ABC News, security expert Robert Potter said the attack is likely the work of the Russia-based Qilin ransomware group."


"If the incident is playing out as Potter says, it means the court recordings may be leaked online if CSV refuses to meet the attacker's demands."


"Like many countries, Australia officially advises against organizations paying ransoms. The country is also part of the International Counter Ransomware Initiative (CRI), which is working toward a joint pledge to refuse ransom payments at the government level."

Tuesday, January 2, 2024

FBI vs. BlackCat

Ransomware attacks keep increasing. What local or international authorities can do against these attacks is quite limited. The authorities mostly intervene after a ransomware attack has occurred, and by then it is usually too late for the organization that got hit.

So be aware that it is YOU who can prevent ransomware attacks and it must be YOU who takes action against the ransomware gangs. DO take action before you get hit. Allocate enough budget for cyber security before it's too late.


Well, it seems that the cat-and-mouse game between local or international authorities and ransomware gangs won't come to an end in the near future. (You can guess who is the cat and who is the mouse in this game.)


Close to the end of last year (2023), the FBI seized the website of a ransomware gang known as BlackCat or AlphV and obtained some decryption keys. The cat seems to have nine lives, though: the gang partly denied this and claimed that they are still almost fully operational.


https://bit.ly/48Fq0av


"The FBI created a decryption tool for the ransomware used by the gang known as BlackCat and/or AlphV, as part of a wider disruption campaign against the extortionists.


The existence of the decryptor was revealed in a Tuesday announcement by the United States Department of Justice that reports the FBI has offered the tool to over 500 orgs and believes $68 million of ransom payments were avoided as a result."


"...The Feds said they were able to access 946 public-private key pairs for Tor-hidden sites the BlackCat gang used to communicate with victims and host its blog,..."


"In other words, it sounds as though the Feds were not only able to seize and shut down the ransomware-as-a-service crew's dark-web presence, agents also obtained enough internal info to provide decryption assistance to victims..."


"The FBI operation was carried out in partnership with the plod in the UK and Australia, and Europol. Their probe into AlphV is ongoing and authorities have advised a reward may be offered to those who offer further information about the crew."


"The gang, believed to be Russian, today boasted it had "unseized" its main dark-web site by pointing it at a web server the miscreants control, rather than an FBI one. The crew used its restored blog to name new alleged victims of its ransomware."


"The FBI's claim of offering a decryptor to more than 500 victims has also been watered down by the group. According to the criminals, the number sits more at the 400 mark while still leaving 3,000 without a decryptor key."