We have collected the most important news from the world of cybersecurity for the week.
- 11 Trickbot hackers have been sanctioned by the US and the UK.
- A Google service was used to attack cryptocurrency owners.
- A company linked to the British military was hacked via a Windows 7 computer.
- Graphic designers were attacked by hidden miners.
Trickbot hackers hit by US and UK sanctions
The US and UK authorities have imposed sanctions on 11 Russian citizens involved in cybercriminal operations using Trickbot ransomware, OFAC reported.
In addition to the seven previously named defendants, the list now includes the group's administrators, managers, developers and programmers.
All UK and US entities are prohibited from conducting financial transactions with these individuals, including ransom payments.
According to the US Department of the Treasury, the Trickbot hackers have ties to Russian intelligence agencies. Their attacks targeted government agencies and critical infrastructure enterprises around the world, including American hospitals.
At the same time, the US Department of Justice filed charges against nine individuals associated with Trickbot and the Conti ransomware.
Google’s service was used to attack cryptocurrency owners
Check Point researchers report that cybercriminals are abusing Google’s legitimate Looker Studio tool to carry out phishing attacks against cryptocurrency holders.
A cyberattack involving Google #LookerStudio is making the rounds ⚠️
Here’s how hackers are using it to create fake crypto pages and how the attack occurs: https://t.co/Lzzoan7gkb
— Check Point Software (@CheckPointSW) September 7, 2023
Looker Studio is designed for building custom reports from third-party data sources. Because the service’s domain has a good reputation, attackers embed the URLs of report pages they created in phishing emails, which lets the links pass email security checks.
The emails are sent in Google’s name and use the company’s letterhead, notifying the user that they have allegedly won ~0.75 BTC (over $19,300 at the time of writing).
The link inside the email redirects the victim to a phishing page where they are asked to enter their crypto wallet login details. Everything entered there goes directly to the attackers.
The researchers informed Google of these abuses on August 22, but it is not known if the company has taken any action.
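As an added example (not code from Check Point, Google or ForkLog) of why a clean domain reputation is not enough against this lure, the following triage helper flags links to user-authored Looker Studio reports together with the crypto-prize wording, run over a constructed sample message. The Looker Studio host names are real; the sample message, sender and report id are assumptions.

```python
import re
from urllib.parse import urlparse

# Google-owned hosts whose page *content* is authored by arbitrary users.
# A link to them passes domain-reputation checks, so the host alone says
# nothing about safety: the report it points to can redirect anywhere.
USER_CONTENT_HOSTS = {"lookerstudio.google.com", "datastudio.google.com"}

# Lure wording used in the campaign: a notice that the recipient "won" BTC,
# plus requests for wallet credentials.
LURE_PATTERNS = [
    re.compile(r"\bwon\b.*?\b\d+(\.\d+)?\s*BTC\b", re.I | re.S),
    re.compile(r"\b(wallet|seed phrase|private key)\b", re.I),
]
URL_RE = re.compile(r"https?://[^\s<>'\"]+")

def host_matches(host, allowed):
    """Exact host or proper subdomain only. A plain substring test would also
    accept look-alikes such as lookerstudio.google.com.evil.test (constructed)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowed)

def extract_urls(text):
    # Drop punctuation that commonly trails a URL in running text.
    return [u.rstrip(".,);:") for u in URL_RE.findall(text)]

def triage_email(body):
    """Return (verdict, reasons). 'review' means the message needs a human or a
    URL-detonation step even though every host in it has a clean reputation."""
    reasons = []
    hosted = [u for u in extract_urls(body)
              if host_matches(urlparse(u).hostname or "", USER_CONTENT_HOSTS)]
    if hosted:
        reasons.append("link to user-authored Google content: " + hosted[0])
    if any(p.search(body) for p in LURE_PATTERNS):
        reasons.append("crypto lure wording present")
    if len(reasons) == 2:
        return "review", reasons
    return ("low" if reasons else "clean"), reasons

# Constructed sample resembling the mailing described in the text.
SAMPLE = """From: Google <no-reply@google.com>
Congratulations! You have won 0.75 BTC. Open your report to claim:
https://lookerstudio.google.com/reporting/CONSTRUCTED-REPORT-ID.
"""

if __name__ == "__main__":
    print(triage_email(SAMPLE))
```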
British military-linked company hacked via Windows 7 computer
The LockBit hacker group has published gigabytes of confidential data belonging to the British company Zaun, which specializes in building protective structures for correctional facilities, military bases and public utilities. The supplier confirmed the leak.
The intrusion came through a computer running Windows 7 that hosted software for manufacturing equipment. Extended support for this operating system ended in 2020.
The cyberattack took place on August 5-6. Zaun managed to prevent encryption of its systems, but the attackers still stole 10 GB of unclassified information, including some emails, orders, blueprints and project files.
The incident is being investigated.
Graphic designers attacked by hidden miners
Cisco Talos specialists report that cybercriminals are using the legitimate Windows packaging tool Advanced Installer to infect graphic designers’ computers with cryptocurrency miners.
We are actively tracking a new campaign in which adversaries are targeting graphic designers and other users of 3-D modeling software with #cryptocurrency mining malware. (As you may have guessed, it’s because these users have large GPUs) https://t.co/bala5vWMXY pic.twitter.com/iQnAbMeNAB
— Cisco Talos Intelligence Group (@TalosSecurity) September 7, 2023
The malware resides inside the installers of popular 3D modeling and graphic design software such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro.
The choice of applications is deliberate: designers, animators and video editors are more likely to use computers with powerful GPUs, which makes cryptojacking more profitable.
The campaign has been running since at least November 2021. Most of the victims are in France and Switzerland, and infections have also been recorded in the United States, Canada, Germany, Algeria and Singapore.
North Korean hackers breached several Russian defense and government organizations
According to Microsoft researchers, DPRK hacker groups have breached several Russian government and defense organizations since the beginning of 2023 in order to collect intelligence.
The report does not name the specific organizations affected, but does give an idea of when some of the attacks took place.
According to the researchers, in March alone three separate groups breached a Russian aerospace research institute, compromised a device belonging to a Russian university, and sent phishing emails to diplomatic government agencies.
Phishing “Gosuslugi” channel found in Telegram
Scammers have created a closed Telegram channel bearing the logo of the Russian state services portal Gosuslugi that promises various “benefits” of up to 100,000 rubles, RIA Novosti reports.
A user who applies for a payout is redirected to a bot that reports an error and offers another link to follow.
That link leads to a phishing page through which the attackers try to take over the victim’s account or obtain other data from their phone.