I considered delaying writing this post to gather more facts regarding the situation. On day 1, nothing but speculation and suppositions were available. Today, some of the facts appear, allowing me to make a comprehensive analysis of the case.

Ukrainian Mobile Operator Kyivstar Hacked by Russians

Early on December 12, Kyivstar services stopped working. As the company operates not only in the cell carrier segment, but also provides home Internet and connectivity services for businesses, these were down as well. The “national roaming” option, that allows switching between operators with certain limitations, was unresponsive, meaning that the network structure is severely disrupted.

At around 12:00, the first official comments from the company appeared. They claimed a cyberattack disrupting their services, and told about a rather long recovery process ahead. Further statements specified that the estimated time of major services recovery is not earlier than on December 13.

Until the evening of the same day, the details were lean. Some analysts tried to make conclusions, though they were at best blurred. Certain sources of information also supposed that Kyivstar suffered outages due to the DDoS attack, but that was likely just a confusion due to the simultaneous launch of a DDoS attack on one of Ukrainian banks. Meanwhile, the company succeeded with recovering part of its services, particularly the home Internet service to the end of the day.

On the morning of December 13, 2023, some facts and even more rumors began to surface. Among the latter, the brightest was the responsibility claim from a previously unknown Solntsepek threat actor. The gang published their statement along with the screenshots of what they claim to be insight into the hacked network. Nonetheless, I heavily doubt credibility of both claims and screenshots, since no one heard of the group before, and no identifiable details are present on those pictures.

Unpredicted outcomes

As Kyivstar is the biggest cellular operator in Ukraine, the outage caused obvious troubles for over 24 million users. Considering the population of the country is around 40 million in total, the outage touched every second citizen to a certain extent. That obviously uncovered how hard people are dependent on technology nowadays, but some of the issues caused by the Kyivstar hack were not that clear.

For instance, the air raid alarms – a heavily needed thing in a belligerent country – were reliant on the Kyivstar’s cell network. As a result, numerous cities across the country did not hear air raid alarms, and even online air raid maps were not able to work properly. That is especially unfortunate as rocket and UAV strikes happen on a daily basis.

What is less unfortunate for Ukraine though is that Russian troops who reside in the occupied areas of Kherson and Zaporizhzhia regions experienced cell coverage issues as well. Since invaders used stolen SIM cards of Ukrainian operators, their phones stopped working once the attack happened. Pay day for stolen SIM-cards, one may say.

Kyivstar Hack – Who is Responsible?

Well, all symptoms aside, let’s think of what exactly happened and figure out who is responsible for the hack. The character of destruction and the way the recovery goes supposes that hackers managed to establish persistence in the majority of infrastructural elements of the corporate network. Further, they destroyed all they could reach. That was not just a “DROP DATABASE”, as someone supposed before – in that case the recovery would not take that much time. Moreover, Kyivstar themselves claim that they are forced into recovering the network “piece by piece”.

The executor is, most likely, one of Russian APT groups. Sure enough, there is no confirmation, but there is no one to hack Ukrainian companies for pure vandalism except for Russians. Even though I doubt the claims of a no-name hack group, the nationality of hackers is almost certain.

Another edge of responsibility lies on the Kyivstar itself. Having such a large number of users creates significant responsibility, not only in the matter of service availability, but also data safety. Addresses, passport info, phone numbers, emails – all this was successfully leaked. Bad luck for a country in peacetime, culpable negligence for a country at war.

If the screenshots shared by the Solntsepek group are real, things can be much worse. An analyst under the nickname of Sean Townsend shares his thoughts regarding what the pics say. Spoiler – things may be extremely bad, and the security was non-existent at all.

Update 12/13 (21:00 GMT)

Olexandr Komarov, CEO of Kyivstar, uncovered some of the details regarding the beginning of the hack. The initial access was gained through a compromised account of an employee.

Are Other Companies in Danger?

What is the conclusion from such a situation? This is what all Ukrainian companies should be ready to counteract. And not only Ukrainian – Russian hackers are now naught on limitations in attacks on countries “rival” to Russia. Since hackers aim only for vandalism and do not try to monetize their job, the effects may be rapid and irreversible. A sturdy, well-engineered security system should be mandatory for all companies.

The post Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked appeared first on Gridinsoft Blog.

Microsoft discovered a phishing campaign conducted by a Threat Actor named Storm-0978. The targets were government and defense entities in Europe and North America. The Threat Actor used lures related to the Ukraine World Congress and exploited the vulnerability known as CVE-2023-36884.

Who is Storm-0978?

The cybercriminal group known as Storm-0978, based in Russia, is infamous for engaging in various illegal activities. These activities include conducting ransomware and extortion operations, targeted campaigns to collect credentials, developing and distributing the RomCom backdoor, and deploying the Underground Ransomware.

Underground ransomware is associated with Industrial Spy Ransomware, detected in the wild in May 2022. Microsoft identified a recent campaign in June 2023 that exploited CVE-2023-36884 to distribute a RomCom-like backdoor. This was done by a group known as Storm-0978, who use a phishing site masquerading as legitimate software to infect users. The impersonated products include Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass, and Signal. Users unwittingly download and execute files that result in the infection of the RomCom backdoor by visiting these phishing sites.

CVE-2023-36884 Exploitation

Storm-0978 conducted a phishing campaign in June 2023, using a fake OneDrive loader to deliver a backdoor similar to RomCom. The phishing emails targeted defense and government entities in Europe and North America, with lures related to the Ukrainian World Congress, and led to exploitation via CVE-2023-36884 vulnerability.

During a phishing attempt, Microsoft detected that Storm-0978 used an exploit to target CVE-2023-36884.

BlackBerry documented the attacks on guests for the upcoming NATO Summit on July 8, but the use of the zero-day in the attacks was unknown at the time.

The attackers used the RomCom variant for espionage, and Underground Ransomware was deployed for ransomware operations. The campaign indicates that Storm-0978 is a highly sophisticated group that seems to be also targeting multiple organizations in the future.

How do you avoid vulnerability?

Organizations should adopt all possible mitigation strategies until a patch is released. The vulnerability has been used in targeted attacks, and news of its existence will doubtlessly lead other attackers to attempt to replicate the exploit.

Microsoft offers performing the registry trick in order to prevent exploitation. In Regedit, go by the following path and find there FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\

There, create REG_DWORD values with data 1 with the names of exploitable applications:

Though, patching the breach in such a way is not always enough. Hackers know about the offered fix and can find a way to revert it or exploit the breach by circumventing any registry blocks. For that reason, I also recommend having proactive and reactive security measures.

• Activate cloud-delivered protection in your antivirus software to defend against constantly changing attacker methods. Cloud-based machine learning can detect and block most new and unknown threats.
• Back up your data and store those backups offline or on a separate network for added protection. Backups are the ransomware attacks’ kryptonite, as they can do nothing if you just recover everything back.
• Wherever possible and practical, enable automatic software updates on all connected devices, including your computer and mobile phone.
• To stay safe online, it’s crucial to always verify the authenticity of links and email attachments before opening them, especially if they’re from an untrusted source.
• Use CDR solutions. CDR, or Content Disarm and Reconstruction, is the name of a content management system that aims particularly at document security. It removes active content from the document, making it impossible to exploit.

Patch CVE-2023-36884

Microsoft still needs to release a patch for CVE-2023-36884. This section will be updated as more information becomes available. However, even after a patch is found, it pays to be cautious, watch your every move on the Internet, and always follow the Zero Trust rule.

The post Microsoft CVE-2023-36884 Vulnerability Exploited in the Wild appeared first on Gridinsoft Blog.

As a reminder, we previously reported on the divergence of hacker groups, some siding with Russia and others with Ukraine. Additionally, Microsoft accused Russia of cyberattacks against Ukraine’s allies.

Recent media coverage also highlighted the arrest of two members of the DoppelPaymer Group by law enforcement in Germany and Ukraine.

The report details that the attackers, employing spear phishing and bait emails, capitalized on the Russian invasion of Ukraine. The hackers crafted spear-phishing emails with news topics related to Ukraine, appearing as legitimate media content.

The campaign demonstrated a high level of readiness by hackers who quickly turned news content into bait for recipients. The spear-phishing emails contained news topics related to Ukraine, with topics and content reflecting legitimate media sources.

Recipients were compelled to open the malicious messages, exploiting old vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to compromise unpatched servers—requiring no user interaction with malicious attachments.

The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta controlled infrastructure.

If the compromise succeeded, the attackers deployed malicious scripts redirecting incoming messages to an email address under their control. These scripts were also employed to locate and pilfer victims’ address books, session cookies, and other data stored in the Roundcube database.

Researchers suggest that the infrastructure used in these attacks has been active since around November 2021, with APT28‘s activities focused on “gathering military intelligence.”

We have identified BlueDelta activity, most likely targeted at the regional Ukrainian prosecutor’s office and the [unnamed] central executive body of the country, and also found intelligence activities associated with other Ukrainian state structures and organizations, including those involved in the modernization and repair of infrastructure for the Ukrainian military aviation.

This collaboration between Recorded Future and CERT-UA emphasizes the crucial role of partnerships between organizations and governments in ensuring collective defense against strategic threats—particularly in the context of Russia’s ongoing conflict with Ukraine.

The post APT28 Attacked Ukrainian and Polish Organizations appeared first on Gridinsoft Blog.

• The effectiveness of destructive malware
• The attribution of cyber activity in wartime
• The distinction between nation-state, hacktivism, and offensive cybercriminal activity
• Cyber warfare and its impact on defense pacts
• The ability of cyber operations to engage in tactical warfare and necessary training

The impact on global cyberspace is already visible in some areas.

Wipers comeback

Wiper is a malware that disrupts the operation of target systems as it can delete or corrupt important files, though its use is relatively rare. However, wiper malware has become much more widespread over the past year, not just in Eastern Europe. For example, at the beginning of the Russian-Ukrainian war, the number of cyber attacks on Ukraine by malicious actors affiliated with Russia increased dramatically. Before the full-scale ground invasion, pro-Russian hackers used three wipers – HermeticWiper, HermeticWizard, and HermeticRansom – and a little later, in April, hackers used Industroyer. This is an updated version of the same malware used in a similar attack in 2016. Thus, at least nine wipers have been deployed in Ukraine in less than a year. They were developed by Russian secret services and use different wiping and evasion mechanisms.

Multi-pronged Cyberattacks

Let’s look at the vector of cyberattacks in the Russian-Ukrainian war. Same as any other attack within the war course, they can be divided into two types – strategical and tactical. The first type of cyber attack is aimed at causing widespread damage and disrupting the daily lives of civilians. In turn, the second type of attack is more targeted, coordinated with real combat operations, and aimed at achieving tactical goals. Such goals may include:

• Disabling or disrupting critical military infrastructure systems
• Hacking into and infiltrating military organizations’ networks
• Launching a disinformation campaign
• Cyber espionage

Strategical attacks

A few hours before the ground invasion of Ukraine, hackers launched a cyber attack on Viasat. This attack aimed to interfere with satellite communications, which provide services to both military and civilian organizations in Ukraine. In this attack, hackers used a wiper called AcidRain, designed to destroy modems and routers and disable Internet access for tens of thousands of systems.

In addition, even before the full-scale invasion, Ukrainian government agencies, such as Diia, and some banks were subjected to cyberattacks. The purpose of these attacks was to cause the Ukrainian population to distrust the government. Another curious incident took place on November 3, 2022. At that time, a certain “Joker DNR” hacked into the Instagram page of Valery Zaluzhny, the commander-in-chief of the AFU, installing a photo of the Russian dictator on his profile photo. Later, an image appeared on the page with the caption, “So, I confirm that Joker DNR infiltrated DELTA“. However, Ukrainians ridiculed the incident rather than taking it seriously. This is far from the only case of hacking into Ukrainians’ social networks. Since the start of the full-scale Russian-Ukrainian war, Ukrainian users have periodically received phishing emails asking them to click a link.

Tactical cyberattacks

Any tactical, high-precision cyber attack requires careful preparation and planning. Prerequisites include accessing target networks and creating customizable tools for different attack stages. One example of a coordinated tactical attack occurred on March 1. That day, Russian missiles struck the Kyiv TV tower, causing television broadcasts in the city to stop. Next, hackers orchestrated a cyber attack to amplify the effect.

Adaptive cyberattacks

According to the available data, the Russians were not preparing for a lengthy campaign—the abrupt change in the characterization of cyber attacks in April evidence this. They shift from fairly precise attacks with clear tactical objectives to less elaborate ones. Similar to the change of tactics on the battlefield, where Russian troops were rebuffed with dignity and decided to fight civilians, the hackers also changed their vector – they tried to harm Ukrainian civilians. The use of multiple new tools and wipers was replaced by detected capabilities using already-known attack tools and tactics, such as Caddywiper and FoxBlade.

The head of Britain’s intelligence, cybersecurity, and security agency called Ukraine’s response “the most effective defensive cyber activity in history. This is not surprising, as part of Ukraine’s success is because it has been repeatedly subjected to cyber attacks since 2014. The impact of the Indistroyer2 attack on the energy sector in March 2022 is evidence of this because compared to the first deployment of Industroyer in 2016, the effect in March was negligible. In addition, Ukraine has received significant external assistance to repair the damage caused by these cyberattacks. For example, foreign governments and private companies helped Ukraine quickly move its IT infrastructure to the cloud. As a result, data centers were physically removed from combat zones and received additional layers of protection from service providers.

Shift in the focus

Since September, data show a gradual but significant decrease in cyber-attacks against Ukrainian targets. Instead, the number of attacks on NATO members has increased significantly. Moreover, while the number is negligible in some countries, in others, the number of attacks has increased by almost half:

• U.S. by 6 percent
• United Kingdom by 11%
• Poland by 31%
• Denmark by 31%
• Estonia by 57%.

This suggests that Russia and related groups have shifted their attention from Ukraine to NATO countries that support Ukraine.

The New Era of Hacktivism

A new era of hacktivism began with the creation and leadership of the “IT Army of Ukraine,” composed of volunteer IT specialists. Whereas hacktivism used to be characterized by free cooperation between individuals in ad hoc interactions, new-era hacktivist groups have significantly increased their organization and control and now conduct military-like operations. The new mode of operation includes recruitment and training, intelligence and target allocation, tool sharing, etc. Nevertheless, anti-Russian hacktivist activity continued throughout the year, affecting infrastructure, financial, and government organizations. Since September 2022, the number of attacks on organizations in Russia has increased significantly, especially in the government and military sectors.

Not all hacktivists are good

Unfortunately, not all hacktivists have good intentions. For example, while groups such as Team OneFist rigorously enforce the rules of war and take steps to avoid potential damage to hospitals and civilians, the pro-Russian group Killnet carried out targeted DDoS attacks on critical infrastructure in the United States. Predictably, their primary targets were not military installations but U.S. medical organizations, hospitals, and airports. In addition, most new hacktivist groups have a clear and consistent political ideology tied to government narratives.

As a result, pro-Russian hacktivists have shifted their focus from Ukrainian targets to NATO member states and other Western allies. For example, another Russian-linked hacktivist group, NoName057(16), attacked the Czech presidential election. In addition, the hacktivist group From Russia with Love (FRwL), also known as Z-Team, deployed Somnia ransomware against Ukrainian targets. In turn, the CryWiper malware was deployed against municipalities and courts in Russia.

Hacking Russia was off-limits before Russian-Ukrainian War

Some cybercrime organizations have been forced to join the nationwide effort and curtail their criminal activities. Attacks on Russian enterprises, once considered impregnable by many cybercriminal organizations, are now on the rise. Russia is struggling with hacking attacks caused by the government and its criminal activities. In addition, other countries have also stepped up their spying activities in Russia to attack Russian state defense institutions. For example, Cloud Atlas constantly attacks Russian and Belarusian organizations.

War impact to other regions and domains

Against the backdrop of the Russian-Ukrainian war, wiper activity began to spread to other countries. For example, Iranian-linked groups have attacked facilities in Albania, and the Azov ransomware has spread worldwide. However, Azov is more of a destructive wiper than a ransomware program because it does not provide for decrypting and restoring encrypted data. Various state actors have also taken advantage of the war to advance their interests. For example, several campaigns by different APT groups have used the ongoing battle between Russia and Ukraine to intensify their activities. The Russian-Ukrainian war has dramatically affected cyber tactics in many areas. Undoubtedly, as long as the war continues, its events will affect other regions and locations.

The post One Year of Russian-Ukrainian War in Cybersecurity appeared first on Gridinsoft Blog.

CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal.

Unknown attackers compromise WordPress sites and inject malicious JavaScript code into the HTML structure. The script is base64 encoded to avoid detection like in this picture.

The code is executed on the visitor’s computer and generates a huge number of requests in order to stop the websites from working. Cyberattacks occur without the knowledge of the owners of compromised sites and create subtle performance disruptions for users.

By the way, we talked about the State Department Offers $1 million for Info on Russian Hackers.

CERT-UA works closely with the National Bank of Ukraine to implement protective measures against DDoS campaigns and numerous previous cyberattacks. In their report, the CERT-UA team provided instructions for removing malicious JavaScript code and added a threat detection tool to scan sites for hacking.

In addition, it is important to keep the content management systems (Content Management Systems, CMS) of the site up to date, update plugins and restrict access to site management.

We also note that it seems that the Chinese comrades do not support Russian hackers: we wrote that Chinese Mustang Panda Cyberspies Attack Russian Officials.

The post Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites appeared first on Gridinsoft Blog.

Bleeping Computer says that there has been a serious split in the hacker community.

For example, the administrator of the database and trading platform RaidForums openly stated that he was imposing his own sanctions and blocking access for users from Russia. He made his position clear, saying that he opposes the Kremlin’s actions.

Another RaidForums participant posted an even harsher message as a warning to the “Russians”. He also posted on the forum a database with e-mail addresses and hashed passwords and the fsb.ru domain. Although the authenticity of this information has not yet been verified, the same user previously hosted similar databases for US .mil domains.

Let me remind you that we also said that Anonymous hackers declared war on the Russian government.

At the same time, extortionist groups also took up the opposite sides of the conflict. For example, members of one of the most aggressive hacker groups, Conti, declared “the full support of the Russian government” and threatened to retaliate with cyberattacks against anyone who attacks Russia, promising to use all their resources “to strike back at the enemy’s critical infrastructures.”

A little later, the hackers changed the statement, noting that in doing so they “do not ally with any government, and condemn the ongoing war”.

Another far less well-known hack group, CoomingProject, has also said it will support the Russian government if cyberattacks are directed against the country.

Interesting statistics about the “political position” of various hacker groups are also collected by journalists from The Record. According to them, two more groups have publicly declared their position.

UNC1151, allegedly based in Minsk, supports Russia. This hack group is considered to be Belarusian “government hackers” and is allegedly already working on hacking the emails of Ukrainian military personnel.

The Red Bandits also took the side of Russia. Back on February 22, the group announced on Twitter:

We also said that the FBI and NSA release a statement about attacks by Russian hackers.

The post Hacker groups split up: some of them support Russia, others Ukraine appeared first on Gridinsoft Blog.

In fact, the detected threat is a classic wiper, that is, malware designed to deliberately destroy data on an infected host.

WhisperGate wiper

Such malware is usually used either to mask other attacks and remove important evidence of a hack, or to perform sabotage in order to inflict maximum damage on the victim and prevent it from performing its usual activities, as was the case with the Shamoon, NotPetya or Bad Rabbit attacks.

According to the company, the attacks began on January 13, and the affected systems belonged to several Ukrainian state institutions, as well as non-profit organizations and information technology companies. Similarly to cases of NotPetya and BadRabbit wipers, the new malware also comes with a component that overwrites the MBR and prevents infected systems from booting.

The researchers have not yet been able to determine the vector of malware distribution, and therefore it is unclear whether the attack affected anyone else besides Ukrainian targets.

WhisperGate replaces the usual boot screen with a ransom note, which researchers say contains an amount, a bitcoin address, and a Tox ID to contact the attackers. So far, no payments have been made to the wallet of criminals.

However, experts note that it is useless to pay: even if the victims manage to restore the MBR, the malware deliberately damages files with certain extensions, overwriting their contents with a fixed number of bytes 0xCC, bringing the total file size to 1 MB. The affected extensions are listed below.

3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP file

Microsoft experts have said that so far, they have not been able to link these attacks to any specific hack group, and they are currently tracking the attackers under the ID DEV-0586.

Attacks on Ukrainian sites

At the end of last week, we already wrote that many Ukrainian sites suffered from cyberattacks and were defaced.

As the Ukrainian authorities have now said, Russian hackers are responsible for this attack:

The ministry says that the purpose of this attack is “not only to intimidate the public,” but also “to destabilize the situation in Ukraine by shutting down the public sector and undermining confidence in the government on the part of Ukrainians.”

I also recall that I reported that Russian-speaking hackers attacked the government infrastructure of Poland.

The post Microsoft discovered the WhisperGate wiper attacking Ukrainian users appeared first on Gridinsoft Blog.

The Record notes that all resources have been deleted and their contents replaced with a statement published in Russian, Ukrainian and Polish.

The fact of the attack was officially confirmed by the country’s authorities by posting relevant messages on official websites, as well as on Facebook and Twitter. All affected resources have been temporarily down and some sites are still down, reporting that they are under maintenance.

Officials say they are investigating the attack and so far everything points to Russian hackers.

According to security researcher Gary Warner, the distortions appear to have been aimed at creating divisions between various ethnic groups, especially between native Ukrainians and the Polish minority.

Information security journalist Kim Zetter writes that sources in the Ukrainian government told her that a vulnerability in CMS October was used for the attack, which was used by all affected resources.

Later, this information was confirmed in the Ukrainian CERT.

Let me remind you that we recently wrote that Russian-speaking hackers attacked the government infrastructure of Poland, and also that the FBI and NSA release a statement about attacks by Russian hackers.

The post Most likely russian hackers defaced Ukrainian government websites appeared first on Gridinsoft Blog.

Law enforcement officers report that the group included five citizens of Ukraine (residents of Kyiv and Kharkiv), and all of them had a higher technical education. The group’s activity lasted at least two years, and during this time the hackers managed to break into the accounts of several hundred people.

The goal of the Phoenix hack group was to gain remote access to user accounts of mobile devices, and then monetize this access by hacking e-wallets and bank accounts, as well as by selling victims’ personal information to third parties.

To gain access to other people’s accounts, hackers used phishing resources – copies of Apple, Samsung, and so on. If the victim downloaded an application from such a fake site, they had to provide the attackers with their credentials. Then the attackers copied the information stored on the broken phone.

Also, hackers offered their services of remote hacking of mobile phones at prices ranging from $100 to $200. In addition, the group was also involved in unlocking stolen or lost Apple devices. Subsequently, such gadgets were sold in a network of stores controlled by criminals in Kyiv and Kharkiv.

As a result, law enforcement officers conducted five searches at each place of detention, seizing computer equipment, mobile phones that were being prepared for sale, specialized software and equipment.

The attackers were charged under Article 361 of the Criminal Code of Ukraine (illegal interference in the operation of electronic computers (computers), systems and computer networks).

Let me remind you that we reported that the Cyber police of Ukraine arrested persons linked with the Clop ransomware and that the Ukrainian cyber police arrested the author of uPanel phishing kit.

The post Ukrainian law enforcement officers arrested members of the hacker group Phoenix appeared first on Gridinsoft Blog.

One of the addresses violating the rights of TRC Ukraine pointed to 127.0.0.1, that is, the anti-pirates found prohibited content in their own systems.

Journalists note that under the DMCA (Digital Millennium Copyright Act) Google processes requests to remove approximately five million URLs every week, and in total, the search giant has already removed more than 5 billion links.

But in efforts to combat piracy, companies often make mistakes and “shoot themselves in the foot”, for example, recently the service Toomics asked Google to remove dangerous URLs of its own website from the results.

A similar situation has now occurred with the request of the Ukrainian anti-piracy company Vindex. The link violating the copyright of TRK Ukraine to broadcast football matches pointed to 127.0.0.1:6878/ace/manifest.m3u. That is, the pirated playlist file was found on Vindex’s own computer.

The publication writes that this file can be a playlist for the Ace Stream P2P platform, which is often used for pirated content.

TorrentFreak writes that Vindex should set up its bots properly. The fact is that the company previously had vague reputation: from all links that Vindex demanded from Google to be removed, a little more than 10% were removed.

Let me remind you that I also talked about the fact that Ukrainian law enforcement discovered a mining farm consisting of thousands of PlayStation 4 consoles.

The post Ukrainian fighters against pirates asked Google to block 127.0.0.1 appeared first on Gridinsoft Blog.