The Good | TrickBot Developer was imprisoned for five years.
Vladimir Dunaev, a Russian national and the creator and distributor of the infamous TrickBot malware, was sentenced to 5 years and 4 months in prison this week. The DoJ claims that TrickBot lost tens of millions of dollars and used ransomware to attack hospitals, schools, and businesses in the United States.
TrickBot began as a specialized banking trojan but over time developed into an intricate malware framework, focusing on business environments and incorporating features like network profiling, mass data collection, and side-by-side exploits. TrickBot was thought to be used by both crimeware actors and APTs at its peak.
Back in 2021, Dunaev was detained in South Korea before being extradited to the United States. In November 2023, he was finally put on trial after entering a guilty plea to conspiracy to commit identity theft, computer fraud, and wire fraud as well as bank fraud. The DoJ claims that Dunaev developed tools for credential harvesting and data mining as well as programs to get around AV software.
He is the second member of the gang responsible for TrickBot’s jail sentence; Alla Witte, a Latvian woman, was given two years and eight months in June of last year. U.S. authorities have indicted and sanctioned a number of other people.
The Negative: Google Search Risks for Researchers
In light of growing abuse by various threat actors of Google Ads, a service that places paid advertisements above organic search results, security researchers are raising concerns about Google Search.
Researchers observed in one report this week that Chinese-speaking Googlers were receiving Remote Administration Trojans (RATs ) through malicious advertisements displayed at the top of search results for messaging apps like Telegram, which are blocked in China.
According to KrebsOnSecurity, closer to home When using Google to conduct software searches, S and other English-speaking users were targeted. In one recent instance, links to the malicious freecad- us [. ] were returned when searches for the ( legitimate ) FreeCAD graphic design program. Above the actual freecad is the org domain. website for org. Corel Draw, GitHub Desktop, RoboForm, and TeamViewer are a few examples of well-known software that have been found to return malicious paid advertisements.
Tom Hegel of SentinelLabs claims that in order to avoid Google’s detection, the threat actors behind the malicious schemes mix legitimate software with serving malware. Hegel was quoted by Krebs as saying,” In the malicious ad campaigns we’ve seen, they would wait until the domains gain legitimacy on the search engines, then flip the page [to serve malware ] for about one day before flipping back.”
Additionally, malicious websites use scripts to identify visitors and decide whether to serve malware based on factors like location, browser, and language. As a result, websites are able to ignore users from other countries while focusing on, say, American users. According to an earlier investigation into this type of malvertising, many of these websites are used to deliver trojans and infostealers like IcedID, Formbook, and others.
Google responded by stating that it had removed the ads that the report had brought to its attention, but researchers are still worried that Google is unable to fully control the issue. When clicking sponsored links that are returned in Google searches, users are advised to use caution.
Russian APT invades Microsoft and HP Networks in an ugly manner.
This week, Microsoft and Hewlett Packard Enterprise both disclosed that they had each been the target of Russian state-sponsored intrusions by APT 29, also known as Midnight Blizzard, The Dukes, Nobelium, and NobleBaron. The supply chain attack on SolarWinds in 2021 was attributed to the same threat actor.
On January 12th, Microsoft disclosed that APT29, also known as Midnight Blizzard, had access to emails for corporate leadership, cyber security personnel, and legal personnel.
Hewlett-Packard discloses on January 24 that they were hacked by APT29.
— on January 24, 2024, underground ( @vxunderground )
Microsoft claimed in a statement made public on Thursday that it had found evidence of an attack across multiple states on January 12, 2024. The threat actor compromised a vulnerable account by using password spray attacks. They then created numerous OAuth applications and targeted Microsoft corporate email accounts using this initial access.
Other than to point out that the attackers concealed the attack’s origin by using residential proxies, the company has not provided many additional details about the nature of the compromise. The method involves directing traffic using numerous IP addresses that are also used by authorized users. It is challenging for non-behavioral solutions to identify malicious traffic due to the high change over rate of IP addresses.
Meanwhile, HP claimed that Midnight Blizzard, a suspected nation-state actor, had gained unauthorized access to the company’s cloud-based email environment in an SEC filing from last Friday.
According to the filing, the business thinks the activity was caused by an intrusion that started at least in May 2023 and involved the exfiltration of several SharePoint files. Further information regarding the compromise is still unknown, but it was further stated that it had “determined that such activity did not materially impact the Company.”
Five-year prison sentence for the developer of a Trojan horseCommon Cybersecurity Threats
(Opens in a new browser tab)Google Chrome
(Opens in a new browser tab)How to get rid of people-finder websites ‘ information
Week 5 of” The Good, the Bad, and the Ugly in Cybersecurity