Apple recently yielded to government pressure and removed several virtual private network (VPN) apps from the Russian App Store. The action affected 25 mobile VPN service providers, including ProtonVPN, NordVPN, Red Shield VPN, and Le VPN, as reported by MediaZona. Le VPN expressed dissatisfaction, citing non-compliance with Article 15.1 of the Federal Law dated July 27, 2006 (No. 149-fz), which requires official notice from the watchdog before app removal. Meanwhile, Red Shield VPN accused Apple of prioritizing revenue over principles, actively supporting an authoritarian regime.
Russian Government Faces APT Threat: CloudSorcerer Emerges
Reports reveal that the Russian government is at risk of cyberattacks from a group known as CloudSorcerer. This sophisticated APT (Advanced Persistent Threat) leverages cloud services for command-and-control (C2) operations and data exfiltration. Kaspersky, a Russian security vendor, describes CloudSorcerer as a stealthy cyber espionage tool that exploits cloud infrastructure from Microsoft Graph, Yandex Cloud, and Dropbox.
The malware’s C2 servers operate via APIs using authentication tokens, with GitHub serving as the initial C2 server. While analysts haven’t pinpointed the attackers’ infiltration method, the use of C-based portable executables, backdoors, and shellcode injection aligns with the tradecraft seen in CloudWizard attacks.
Dark Web Malware Log Exposes Child Abuse Material Consumers
A recent discovery on the dark web sheds light on child abuse crimes. An information-stealing malware log revealed details of over 3,300 consumers of child sexual abuse material (CSAM). Approximately 4.2% of these users had credentials for multiple CSAM sources, indicating a higher likelihood of criminal behaviour.
Countries like Brazil, India, and the United States have the highest counts of users with access to known CSAM sources. The exposed information could be crucial in convicting those involved in these heinous activities.
Recorded Future confirmed: “Approximately 3,300 unique users were found with accounts on known CSAM sources; a notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behaviour.” Analysis of the details revealed that countries like Brazil, India and the United States have the highest counts of users with credentials to known child sexual abuse material sources.
Cactus Ransomware Group Targets Businesses, Exfiltrates and Discloses Data
The Cactus ransomware group has launched attacks against several businesses, resulting in varying degrees of damage:
Daystar: The attack led to the exfiltration of 125GB of data, now fully disclosed on the black market. Daystar, a U.S.-based business, boasts an estimated revenue of $120.3 million.
Fbttransport: This California transportation company, with over 200 employees and $70.8 million in revenue, suffered the exfiltration of 180GB of data, also exposed on the dark web.
Millimages: Known for production, distribution, animation, and merchandising, Millimages faced an attack that exposed 147GB of data. The French company’s estimated revenue stands at $12.6 million.
Windows and Linux Systems Under Risk of New Ransomware-as-a-Service
Eldorado, a cross-platform ransomware-as-a-service (RaaS), has set its sights on both Windows and Linux systems. Its Golang-based architecture ensures adaptability, while encryption techniques like ChaCha20 and RSA-OAEP make it formidable. Meanwhile, CloudSorcerer, an advanced persistent threat (APT) group, operates stealthily in the cloud; by leveraging services like Microsoft Graph and GitHub, it poses a significant risk to the Russian government. As these threats escalate, vigilance and robust security measures remain crucial for organizations and individuals.
Researchers Nikolay Kichatov and Sharmine Low explained, “The Eldorado ransomware uses Golang for cross-platform capabilities, employing ChaCha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption. It can encrypt files on shared networks using the Server Message Block (SMB) protocol.”