Massive IP-address blocking in Turkmenistan, Telegram hacker activity, and other cybersecurity developments

We round up the week’s most important cybersecurity news.

  • Turkmenistan has blocked nearly one-third of global IP addresses.
  • Telegram has seen a doubling of the market for criminal cyber services.
  • Toyota Motor Corporation reported a leak tied to an access key that had been on GitHub for five years.
  • The Minecraft server was the target of the largest botnet DDoS attack.

The market for criminal cyber services on Telegram has doubled

In Q2 2022, Positive Technologies experts noted a record number of hacker-themed posts — more than 27,000, 2.5 times higher than the same period last year.

Experts attribute this rise to a mass migration of cybercriminals from forums to messaging apps:

“This happened after the 2020-2021 discovery of a range of critically dangerous vulnerabilities in dark-web forum engines and their subsequent breaches.”

The majority of analyzed posts focus on:

  • trading user data and fraudulent operations — 52%;
  • cybercriminal services — 29%;
  • malware distribution — 15%.

Among malware, the most in-demand were remote-access tools (30%) and stealer programs (16%). The latter can cost from $10 to $3,500.

The price of a ready-made RAT depends on the type of malware, its features and the usage period. Obfuscation tools cost from $20 to $100, botnets or guides to building one — up to $750. The price of a miner ranges from $10 to $1,000.

66% of posts on cybercrime services discuss cashing out, including cryptocurrency withdrawals. DDoS attacks were the second most popular — 16%. About 9% of posts are offers to hack resources, including theft of email accounts and social media pages.

Posts about hacking social media accounts such as VKontakte, Telegram, WhatsApp, Viber and other networks account for 72% of all posts about hacking resources. Compromising a VKontakte account costs from $10 to $50. Hacking a messaging app starts at $350.

The majority of credential-related posts relate to selling accounts for streaming platforms, social networks, Bitcoin exchanges and brokerage firms.

The study also notes the popularity on Telegram of services for SMS spam (54%) and mass email campaigns (32%). Prices are usually calculated based on the duration of the campaign or the number of messages. The average price is around 50 rubles per email address per hour of spam, or per 1,000 messages.

Turkmenistan blocks more than 1.2 billion IPv4 (32-bit) addresses, about a third of the global total

The Turkmen authorities have blocked more than 1.2 billion IPv4 (32-bit) addresses, roughly a third of the global address space, local media report.

Journalists obtained a copy of the state cybersecurity programme for 2022–2025, which envisages creating an autonomous national digital network by isolating Turkmenistan’s internet sector.

Additionally, the government plans to train specialists, hold public briefings with citizens and run cybersecurity competitions.

Currently Turkmenistan blocks access to Facebook, Twitter, VKontakte, YouTube and other Western news sites as well as local independent outlets.

In 2022 the country ranked last in the world for internet speed — 0.7 Mbps.

Moreover, VPN services are blocked, and citizens are fined for using them.

The Minecraft server was hit by the largest botnet DDoS attack

Cloudflare, the network services provider, stopped a DDoS attack on the Minecraft Wynncraft server launched by the Mirai botnet.

The attack lasted about two minutes and consisted of UDP and TCP packets as attackers tried to overwhelm the server to prevent hundreds of thousands of players from logging in. Peak throughput reached 2.5 Tbps.

[Figure: attack traffic chart. Data: Cloudflare.]

Experts called the incident record-breaking in terms of bit rate.

Wynncraft is the largest MMORPG server for Minecraft; it entered the Guinness World Records in 2017.

Toyota Motor Corporation warns customers of possible personal data exposure

The Toyota Motor Corporation warned customers about a potential personal data leak.

The company acknowledged that a key used to access a server containing data from the official T-Connect app had been publicly available on GitHub for five years. The app links a smartphone with the vehicle’s infotainment system for calls, music, navigation, notifications, driving data, engine status and fuel consumption.

Between December 2017 and September 2022, third parties could have accessed email addresses of 296,019 Toyota customers. The company has since made the repository private and rotated the access key.

According to the company, the leak did not involve customer names, credit card details or phone numbers, as these were not stored in the compromised database.

The breach was attributed to an unnamed external contractor.

Italian police blocked 545 pirate Telegram channels

Italian authorities carried out a large-scale crackdown on free distribution of licensed content on Telegram, according to local media.

Police blocked 545 channels aimed at Italian audiences with a combined audience of 430,000 people.

Search warrants were executed against eight suspected administrators in Lombardy, Piedmont, Veneto, Emilia-Romagna and Campania. They were charged with piracy.

Since 2019 authorities have monitored Telegram channels linked to pirate content, identifying at least 6,500 users involved in illegal distribution of films, TV shows, newspapers and magazines.

BidenCash card data published for free: 1.2 million cards

The operators of the BidenCash darknet site published a dump containing data on 1,221,551 bank cards from around the world, allowing anyone to download it, as noted by Cyble.

The cards’ validity periods range from 2023 to 2026. Most belong to users in the United States. The dump also affects banking clients in India, Brazil, the United Kingdom, Mexico, Turkey, Spain, Italy, Australia and China.

[Figure: breakdown of the dump by country. Data: Cyble.]

For most cards the following data fields are available:

  • Card number;
  • Expiry date;
  • CVV number;
  • Cardholder name;
  • Bank name;
  • Card type, status and class;
  • Owner’s address (state and postal code);
  • Email address;
  • Social security number;
  • Phone number.

Cyble suspects hackers gained access to the cards via web skimmers — malicious scripts embedded in online shops.

Although the dump is largely repackaged and drawn from other breaches, such as the All World Cards marketplace, D3Lab researchers confirmed the authenticity of about 30% of the data from several Italian banks.

As a result, roughly 350,000 cards circulated by criminals may still be valid. Italian card issuers have already blocked half of them after detecting fraudulent activity. The loot’s value to hackers may thus be around 10% of the leak.

Polonium hackers used seven backdoors against Israeli organisations

Security researchers ESET have uncovered previously unknown malware used by the Lebanese hacking group Polonium against Israeli IT, legal, communications, marketing and insurance organisations. The group’s campaigns remain active at the time of writing.

Polonium activity was first documented by Microsoft Threat Intelligence in June 2022, linking the hackers to Iran’s Ministry of Intelligence and Security.

According to available data, Polonium engages solely in cyber-espionage and does not deploy data-wipers, ransomware or other tools that destroy files.

Since September 2021 the hackers have used at least seven custom backdoors, including four previously undocumented ones: TechnoCreep, FlipCreep, MegaCreep and PapaCreep.

[Figure: overview of Polonium backdoors. Data: ESET.]

Some of them use legitimate cloud services OneDrive, Dropbox and Mega as command-and-control (C2) servers. Others rely on standard TCP connections to remote C2 servers or receive commands from files hosted on FTP servers.

The backdoors can log keystrokes, take screenshots and webcam photos, exfiltrate files from the host, install additional malware and execute commands on the infected device.

The PapaCreep malware is modular and can split command execution into small, independent components, making it harder to detect.

ESET did not determine how Polonium gains initial access to networks, but Microsoft had previously noted the group’s use of known VPN service vulnerabilities to breach them.


What to read this weekend?

We invite you to revisit a piece on trends in the decline of online freedom.
