hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates
News FYI
13 NFTs stolen, $3 million lost
A Twitter user calling himself larrylawliet (@iloveponzi) reported the loss of his NFT collection and asked for help.
larrylawliet granted access to his NFT collection to what he believed was a decentralized application (dApp) that would help him sell his NFT pictures. It turned out not to be a dApp at all, but the personal cryptocurrency wallet of scammers, who drained his entire collection. The attackers stole seven NFTs from larrylawliet: one from the Bored Ape Yacht Club, five from the Mutant Ape Yacht Club and one Doodle.
Ransomware developer releases decryption keys for Egregor, Sekhmet, and Maze
Master decryption keys for the Maze, Egregor, and Sekhmet ransomware were published on the BleepingComputer forum. The keys were posted by a user under the pseudonym Topleak, who claims to be the developer of all three malware families.
The post contains a link to download a 7zip file with four archives containing the Maze, Egregor, and Sekhmet decryption keys, as well as the source code of the M0yv malware used by the operators. Each archive contains a public encryption key and the private decryption key associated with a particular “ad” (affiliate) or ransomware partner.
According to Topleak, the leak was planned and is not related to the recent law enforcement operations that led to the seizure of servers and arrests of ransomware affiliates. Topleak stated that none of his team members will ever return to ransomware and that the source code of the malware has been destroyed.
Hackers distribute malware disguised as a Windows 11 installer
Attackers have begun distributing fake Windows 11 upgrade installers to Windows 10 users, tricking them into downloading and running the RedLine infostealer. The timing coincides with Microsoft’s announcement of a large-scale rollout of Windows 11: the attackers were well prepared for this event and were waiting for the right moment to launch their operation.
RedLine is currently the most common malware for stealing passwords, browser cookies, credit card data, and crypto wallets. When the user clicks the Download Now button, a 1.5 MB ZIP archive called Windows11InstallationAssistant.zip is served directly from the Discord CDN. When the victim runs the executable from the extracted folder, it launches a PowerShell script with an encoded argument. A cmd.exe process is then started with a 21-second pause, after which a .jpg file is downloaded from a remote web server. That file is not an image: it contains a DLL whose bytes are stored in reverse order.
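The byte-reversed DLL in the final stage is simple to detect once you know to look for it. The following Python is an added example, not code from hexway or from the campaign described: it checks whether a fetched “.jpg” really starts like a JPEG, then tests both the file and its reversed bytes for a PE header. The sample DLL header it builds is constructed and non-functional; only the header fields are real PE layout.

```python
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics flag marking a DLL image
JPEG_MAGIC = b"\xff\xd8\xff"   # what a genuine .jpg file begins with


def parse_pe(data: bytes):
    """Return basic header facts if data is laid out as a PE image, else None."""
    # DOS header: 'MZ' magic, then e_lfanew at 0x3C pointing at the PE signature
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]          # COFF offset 0
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0] # COFF offset 18
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def classify_payload(data: bytes) -> str:
    """Label a fetched file: jpeg, pe, reversed-pe (stored back to front) or unknown."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if parse_pe(data):
        return "pe"
    if parse_pe(data[::-1]):        # the trick described above: DLL stored byte-reversed
        return "reversed-pe"
    return "unknown"


def build_fake_dll() -> bytes:
    """Constructed sample: a minimal, non-functional PE header with the DLL flag set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, IMAGE_FILE_DLL)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 32  # zero padding stands in for sections


if __name__ == "__main__":
    sample = build_fake_dll()
    cases = [("fake.jpg (reversed DLL)", sample[::-1]),
             ("real.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)]
    for name, blob in cases:
        print(f"{name}: {classify_payload(blob)}")
```

Running the file on a real download from the chain above would, per the description, print reversed-pe for the “.jpg” stage.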
Conti brought in “several elite developers and managers” of TrickBot, turning the operation into its subsidiary
In mid-February, it became known that TrickBot malware operators had organized phishing attacks on customers of 60 large organizations. TrickBot operators impersonate well-known brands in these attacks, including Bank of America, Wells Fargo, Microsoft, Amazon, PayPal, American Express, Robinhood, and Blockchain.com. It also became known that after four years of malicious activity, the TrickBot group has decided to end its criminal operation, since its main participants have come under the leadership of Conti.
The Ryuk group initially partnered with TrickBot, but Ryuk was soon replaced by the Conti operators, who have used the malware over the past year to gain access to corporate networks.
Anonymous declares cyberwar on Russia
Hackers gained control of the equipment of an agrohub in the Moscow region and tried to spoil thousands of tons of frozen products. The attackers changed the key parameters responsible for maintaining the temperature from -24 °C to +30 °C in order to spoil 40,000 tons of frozen meat and fish products.
Anonymous also attacked Russian information resources. Hacktivists published messages with appeals on the websites of TASS, Kommersant, Fontanka, RBC, Forbes, Izvestia, Znak.com, BURO 24/7, Mel, E1, “Such things”, as well as the Belarusian resource Onliner.by.
The hacker group NB65, associated with Anonymous, claimed that the Roscosmos Mission Control Center (MCC) had been hacked and that communication with the satellites was allegedly lost as a result. The head of Roscosmos, Dmitry Rogozin, said that the control channels for the orbital constellation of satellites and the Russian segment of the International Space Station are reliably protected: there has been no loss of control over Russian satellites, and all control centers are operating normally.