Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media
Also: NXP China attack, Australia can't deliver on ransom payment ban (yet), and Justin Sun's very bad month
Infosec in Brief Cybercriminals working out of Russia go to great lengths to conceal their real identities, and you won't ever find the state trying to unmask them either – as long as they keep supplying the attacks on Axis nations. It's the reason why we found it so amusing that of all the ways the identity of an organized cybercrime gang leader could be revealed, it was Russian state media that may have recently outed someone of note.
Moscow-based Gazeta.ru has named a man it alleges to be the leader of pro-Russia DDoS merchants Killnet, known as "Killmilk," in an expose following earlier claims that he started targeting the Russian Federation.
Known for spearheading major attacks on targets like US government agencies, the European Parliament, and a bunch of hospitals, Killmilk has rarely done any media work but when he has, he wore a balaclava in a continued bid to evade identification.
Gazeta.ru claims to have confirmed its findings with other so-called hacktivists and sources within Russian law enforcement. The outlet alleges the person they named has been convicted of drug dealing in the past, and is claimed to have launched attacks on Russian state infrastructure and private sector organizations.
Killmilk also apparently has critics in the cybercrime underworld, with many "colleagues" considering challenging Killmilk's authority within the Killnet group, but backing down because of the individual's tendencies to retaliate.
"A lot of people are tired of Killmilk," hacktivist NET-WORKER told the publication. "Behind the scenes, a significant portion of pro-Russian groups oppose him. But they are afraid to 'have a bite' with him in public. First of all, they are afraid of de-anonymization – Killmilk likes to reveal the identities of its competitors or blackmail them with this information."
Qakbot all but dead and buried following FBI takedown
As we've seen with botnets like Emotet, coordinated law enforcement takedowns aren't always permanently effective, but the FBI's shuttering of Qakbot in August appears to be having the desired effect.
Huntress released its SMB security report this week showing that attempted Qakbot exploits have roughly halved since the takedown.
Current attempts are thought to be essentially neutered, the company said, although attempts still remain. By the end of next quarter, it's expected to be gone for good… off the map completely.
The report [PDF] is rich in insights and is well worth a look. Other highlights note that most attacks (56 percent) use no malware at all and instead use living-off-the-land methods – using legitimate tools like remote monitoring applications to blend in with normal network traffic. Attackers establish stealthy persistence with this method that can open up organizations to various follow-on attacks, such as data theft or having that remote access sold to a ransomware group.
The most often abused tool was ConnectWise, followed by AnyDesk, NetSupport, and TeamViewer. While not all of these are strictly remote management tools, Huntress said its grouping aligned with CISA's simpler categorization of these and similar tools.
It also noted that while LockBit was still the ransomware strain behind 25 percent of all attacks, it was eclipsed by unknown or defunct strains, which accounted for 60 percent of all ransomware incidents in Q3 2023.
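As an added example (not code from the Huntress report or from Huntress), a small Python check that runs over process-creation events and flags the RMM tools named above when a tool is not on the organisation's approved list, or when an approved tool is launched from a user-writable path; the log lines, the executable-name mapping and the approved set are constructed assumptions for illustration.

```python
"""Flag RMM tool executions that do not match an organisation's policy.

Added example; the log lines, executable-name mapping and approved-tool
policy below are constructed, not taken from any real environment.
"""
import csv
import io

# Executable names assumed for the RMM tools named in the report (assumption,
# not an exhaustive inventory of each vendor's binaries).
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "client32.exe": "NetSupport",
    "teamviewer.exe": "TeamViewer",
}

# Path fragments that indicate a user-writable location on Windows.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed process-creation events: host, user, image path, parent image.
SAMPLE_LOG = r"""host,user,image,parent_image
WS01,CORP\alice,C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe,C:\Windows\System32\services.exe
WS02,CORP\bob,C:\Users\bob\AppData\Local\Temp\AnyDesk.exe,C:\Windows\explorer.exe
WS03,CORP\carol,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe
WS04,CORP\dave,C:\Users\dave\Downloads\client32.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WS05,CORP\eve,C:\Users\eve\Downloads\ScreenConnect.ClientService.exe,C:\Windows\explorer.exe
"""


def find_suspicious_rmm(log_text, approved_tools):
    """Return one dict per RMM execution that violates policy, in log order.

    A hit is either a tool that is not approved at all, or an approved tool
    started from a user-writable directory (a legitimate agent is normally
    installed under Program Files by an installer, not dropped into Temp).
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"]
        tool = RMM_BINARIES.get(image.rsplit("\\", 1)[-1].lower())
        if not tool:
            continue  # not an RMM binary we track
        if tool not in approved_tools:
            reason = "tool not approved"
        elif any(frag in image.lower() for frag in USER_WRITABLE):
            reason = "approved tool run from user-writable path"
        else:
            continue  # approved tool in an expected location
        hits.append({"host": row["host"], "user": row["user"],
                     "tool": tool, "image": image, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rmm(SAMPLE_LOG, {"ConnectWise ScreenConnect"}):
        print(f"{hit['host']} {hit['user']}: {hit['tool']} ({hit['reason']})")
```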
Australia backs down on ransomware payment ban
A year after saying it was looking at ways to ban ransomware payments, the Australian government backtracked on this proposal, saying "it is clearly not the right time at this moment to ban ransoms" as it launched its 2023-2030 Australian Cyber Security Strategy [PDF].
While Home Affairs Minister Clare O'Neil's preference was to ban them, this proposal is now being pushed back two years while the country aims to implement the infrastructure required to impose a ban. This would include equipping its law enforcement agencies with the right resources to enforce it, and setting up support systems for victims, per the Australian Financial Review.
In the meantime, among the government's many plans to tackle cybercrime is to implement a no-fault, no-liability reporting service that will mandate ransomware incident reporting across the country. This is so Australia can "build an improved picture of the ransomware threat so that [it] can develop appropriate responses."
The official line is to not pay ransoms, and that hasn't changed. Many have complained of a lack of support in how to deal with ransom demands, though, the government said, so it's going to build a ransomware playbook for victims to follow.
"This playbook will provide clear guidance to businesses and citizens on how to prepare for, deal with, and bounce back from ransom demands."
It's also funneling $26.2 million AUD into support for Pacific Island nations suffering serious cybersecurity incidents in a program called Cyber Rapid Assistance for Pacific Incidents and Disasters, or RAPID.
China-based attackers stole chip designs from NXP after lurking in network for 2 years, claims report
Dutch daily paper NRC reported on Friday that $52 billion market cap NXP Semiconductor had inadvertently played host to Chimera, a group of China-state-linked attackers, for over two years, potentially as part of a bigger state spying program to nick Western semiconductor tech. According to the report, the group can be "recognized" by the password they use to encrypt the loot:
NRC's report noted that the chipmaker's data had been exfiltrated using the ChimeRAR tool, a modified version of the zip software. After initial infiltration using reused credentials in 2017, the outlet reported that the miscreants hung around for years, patiently waiting for the motherlode and checking for data only a few times a month, which they snuck out using encrypted files uploaded to OneDrive, Dropbox, and Google cloud. The group targeted chip designs and more, said the report. NXP, which spun out of Philips in 2006, makes the secure elements in iPhone chippery used for Apple Pay, as well as the MiFARE chips used in transportation access systems including the UK's TfL, the Netherlands' OV-chipkaart, Canada's Presto and Moscow's Metro.
Semiconductor designer NXP, the second biggest chip player in Europe after fellow ex-Philips stablemate ASML, told NRC (translated from the Dutch): "As stated in our 2019 annual report, we discovered that some of our IT systems appeared to be compromised. After a thorough investigation, we determined that this did not result in material damage to our business operations. At NXP we take data security very seriously. We have learned from this experience and are prioritizing improving the protection of our IT systems to ward off cyber threats."
Justin Sun's bad month got much worse this week
After having his Poloniex exchange attacked and drained of circa $120 million earlier this month, two additional crypto projects linked to the investor have been attacked this week with losses estimated to be in the region of a further $130 million.
The HTX exchange was drained of $30 million worth of assets, CNBC reported, while Heco Chain was ransacked for $84.5 million, most of it in stablecoins (cryptocurrencies tied to fiat currencies).
Also succumbing to an attack this week was crypto investment house Kronos Research, leading to a total loss of $26 million in crypto assets, it said.
The incident involved an unidentified (for now) third party accessing its API keys. Despite the sizeable theft, the company said the losses wouldn't materially impact the company or its partners, and that internal funds would cover them.
"We're prioritizing our resources to resume servicing the exchanges and token projects we provide liquidity for," it said via X. "This is the first time since 2018 we've halted trading, and we are confident we will bounce back stronger than ever." ®