, 4 June 2021

Plus, a Russian hacking group poses as USAID and cybercriminals face their peers in a shadow court system

According to the United Nations Security Council’s Panel of Experts on Libya, military drones used in a March 2020 skirmish between the Libyan government and a breakaway military faction operated in a “highly effective” autonomous mode whereby they hunted enemy soldiers on their own. “The lethal autonomous weapons systems were programmed to attack targets without requiring data connectivity between the operator and the munition: in effect, a true ‘fire, forget and find’ capability,” wrote the UN in a report obtained by New Scientist magazine. In another passage, the report describes the drones as having “hunted down” soldiers from the breakaway military faction. The drones in question are Kargu-2 quadcopters produced by Turkish military tech company STM. They are fitted with explosive charges that detonate on impact in kamikaze-style attacks. Learn more at The Daily Star. 

White House suspects Russian ransomware group in JBS attack

At a press briefing on Air Force One, Principal Deputy Press Secretary Karine Jean-Pierre commented that JBS, the world’s largest beef producer, reported that it had been the victim of a ransomware attack. “JBS notified the administration that the ransom demand came from a criminal organization likely based in Russia,” Jean-Pierre said, adding that the FBI and CISA were investigating the incident and that “the White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.” 

Russian hacking group poses as USAID

Microsoft told NPR that it discovered a breach last week that involved hackers posing as members of the United States Agency for International Development (USAID). The attack affected about 150 organizations and may have resulted in up to 3,000 compromised accounts. Microsoft believes the Russian group Cozy Bear (AKA Apt29 and Nobelium) is behind the attack, based on the targets – human rights groups and think tanks – and the techniques used. The breach began when the group infiltrated email marketing company Constant Contact, which has USAID as a client. Cozy Bear then compromised USAID’s contact list, launching a spear-phishing campaign that aimed to install malware on its victims’ systems.

DoJ seizes Cozy Bear domains used in USAID attack

Further to the above story, the U.S. Department of Justice announced this week that it seized two internet domains that were used in the USAID spear-phishing attacks. The DoJ wrote in a press release that the malware hiding in the initial spear-phishing emails was programmed to reach out to one of two domains – “theyardservice” or “worldhomeoutlet” – to retrieve the Colbalt Strike tool, a remote access tool that allows hackers to manipulate other systems. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia.

DarkSide faces shadow court system on dark web

Ransomware group DarkSide, which was responsible for last month’s Colonial Pipeline attack, is having trouble paying debts owed to its criminal affiliates and so has set up its own court-like system for settling complaints. Plaintiffs are asked to report their grievances on DarkSide’s dark web criminal forum, and admins then settle the claims in a “hackers’ courtroom,” making cryptocurrency payments to owed affiliates from a DarkSide account they control. “Cybercrime has matured so much,” one researcher told TheatPost, “there is a strange ‘People’s Court’ to dispute claims and wrongdoings in the underground syndicate.” 

This week’s ‘must-read’ on The Avast Blog

Everything comes back in style if you wait long enough, but safe internet practices are always in fashion. Emma McGowan breaks down the best (and worst) fashion trends from “Y2K” from bucket hats to Finstas.