US Seizes Domains Used by SolarWinds Hackers in Cyber Espionage Attacks
Days after Microsoft, Secureworks, and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice Tuesday said it intervened to take control of two command-and-control and malware distribution domains used in the campaign.
The two domains in question — theyardservice com and worldhomeoutlet com — were used to communicate and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks. The wide-scale campaign, which was detected on May 25, leveraged a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails to approximately 3,000 email accounts at more than 150 different organizations.
While BoomBox is a downloader to obtain a later-stage payload from an actor-controlled Dropbox account, VaporRage is a shellcode loader used to download, decode, and execute an arbitrary payload fully in-memory. EnvyScout, on the other hand, is a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk and is delivered in the form of a malicious HTML attachment to spear-phishing emails.
Source — https://thehackernews.com/2021/06/us-seizes-domains-used-by-solarwinds.html
Pay Attention: These Unsubscribe Emails Only Lead to Further Spam
Scammers send out fake ‘unsubscribe’ spam emails to validate legitimate email addresses for future phishing and spam campaigns.
Spammers have been sending emails that merely inquire if the user wants to unsubscribe or subscribe for a long time. These emails don’t specify what the user is unsubscribing or subscribing to, and spammers are using them to see if the recipient’s email address is real and vulnerable to phishing scams and other nefarious activity.
If the user clicks on the embedded subscribe/unsubscribe links, the mail client will generate a new email that will be forwarded to a large number of different email addresses controlled by the spammer.
After sending the mail, users expect to be unsubscribed from future communications but they are, however, confirming for the spammers that their email address is real and under surveillance.
BleepingComputer created a new email account for testing purposes, which they never used on any website or service. This test also revealed that spammers are utilizing these subscribe/unsubscribe emails to fine-tune their mailing lists and confirm email addresses that are vulnerable to phishing and frauds.
It was also stated that these attacks aren’t restricted to spam emails; nothing stops scammers from using phishing or social engineering against the target email, which is sometimes more hazardous and difficult to detect and stop.
Source — https://www.ehackingnews.com/2021/06/pay-attention-these-unsubscribe-emails.html
Russian Hacker Jailed for Running a Darkweb Market Place that Sells Stolen Credit card Details
The Russian citizen Kirill Victorovich Firsov has been sentenced to jail by the Southern District Court of California, and Firsov has been sentenced to 2.5 years in prison.
According to the report, Firsov has been running a Dark web market, that provides all kinds of services to different cybercriminals. On March 7 in New York Firsov got arrested, and after that, he continues to be held in custody by the security authorities. Here, the US department stated that all the data that has been collected by Kirill Viktorovich Firsov is used for all criminal purposes.
To know all the key details of Firsov, the FBI purchased some accounts from the website. And on March 4, 2020, the FBI has acquired 1100 gamer accounts, after that on March 5, 2020, the FBI acquired the personal information of over 3,600 US citizens.
After purchasing different accounts, the FBI came to know that there are many victims that belong from the US and Europe.
Source — https://gbhackers.com/russian-hacker-jailed-for-running-a-darkweb-market-place/
US seizes 2 domains used by APT29 in a recent phishing campaign
The US Department of Justice and the Federal Bureau of Investigation have seized two domains used by the Russia-linked APT29 group in spear-phishing attacks that targeted government agencies, think tanks, consultants, and NGOs.
Russia-linked SVR group along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
«On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development .» reported the DoJ. «This malicious activity was the subject of a May 27 Microsoft security alert, titled »New sophisticated email-based attack from Nobelium,« and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory».
Upon a recipient clicking on a link included in the messages, the victim was directed to download malware from a sub-domain of theyardservice com. Once gained an initial foothold, the attackers then downloaded the Cobalt Strike tool to achieve in the target system and deploy additional tools or malicious payloads.
Source — https://securityaffairs.co/wordpress/118495/apt/doj-seized-apt29-domains.html
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT