One of the World’s Biggest Hacker Forums Dismantled in Global Law Enforcement Operation
Read also: Ukraine thwarts a Sandworm cyberattack against an energy provider, Microsoft disrupts the ZLoader botnet, and more.
Police seize domains of RaidForums hacker forum, admin arrested
Three domains belonging to RaidForums, one of the world’s biggest hacker forums, were seized as part of an international police operation called “Operation Tourniquet” carried out by law enforcement agencies from the US, UK, Sweden, Portugal, and Romania. The three confiscated domains were "raidforums[.]com," "Rf[.]ws," and "Raid[.]lol."
RaidForums was a well-known cybercriminal marketplace that offered for sale stolen personal and financial data obtained from data breaches. The website had been operating since 2015 and had more than 500,000 registered users.
The US Department of Justice unsealed charges against the alleged founder and chief administrator of RaidForums, Diogo Santos Coelho (aka “Omnipotent”). Coelho was apprehended in the UK on January 31, 2022, at the request of the US authorities and remains in custody pending the resolution of his extradition proceedings.
Russia-linked hackers targeted Ukraine’s energy infrastructure with Industroyer2, CaddyWiper malware
The Computer Emergency Response Team of Ukraine (CERT-UA) announced that it had disrupted a cyberattack against an unnamed Ukrainian energy provider orchestrated by Sandworm, an advanced persistent threat actor believed to be a unit of Russia’s military intelligence service that specializes in cyber-espionage and cyber warfare.
The attack combined the Industroyer2 ICS malware, the CaddyWiper data-wiping malware and other malicious tools, with which the adversary attempted to take down several components of the victim’s infrastructure: high-voltage electrical substations, Windows-based computing systems (including servers and industrial control systems), Linux-based server equipment, and active network equipment.
According to officials, the attackers breached the victim’s network “no later than February 22.” The destructive actions against the energy provider were scheduled to take place on April 8, 2022, but the attack was interrupted before its final stage started.
Microsoft dismantles the ZLoader cyber criminal botnet
Microsoft in collaboration with a number of telecommunications providers and cybersecurity firms took legal and technical steps to sinkhole 65 domains that cyber criminals behind the ZLoader botnet used to control and communicate with the infected devices.
The ZLoader botnet comprises computing devices in businesses, hospitals, schools, and homes worldwide and is controlled by a global internet-based organized crime gang that operates it as malware-as-a-service, a delivery platform used to distribute ransomware including Ryuk.
As part of the same operation, Microsoft also took control of 319 backup domains generated by a domain generation algorithm (DGA) embedded in the ZLoader malware, which infected devices fall back to when the primary command-and-control domains become unreachable.
Senior EU officials targeted with Israeli NSO’s spyware
At least five senior officials at the European Commission were reportedly targeted with spyware developed by the Israeli technology firm NSO Group.
According to Reuters, one of the targeted individuals was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019.
The attack came to light in November last year after Apple sent messages to thousands of iPhone owners warning them that they were targeted by state-sponsored hackers.
Reuters did not specify who used the commercial surveillance tool against the EU officials, or what information was obtained following the breach.
US security agencies: State-sponsored hackers developed custom tools to gain full access to industrial control systems
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning that state-sponsored threat actors have developed custom-made tools that allow them to gain full system access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
According to the agencies, ICS/SCADA devices at risk of being compromised include Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
The agencies are urging critical infrastructure organizations, especially those in the energy sector, to implement proactive mitigations, including isolating ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limiting any communications entering or leaving ICS/SCADA perimeters to an explicitly allowed set.
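One practical way to check whether the "limit communications crossing the OT perimeter" recommendation actually holds is to write the intended perimeter policy down as an explicit allow-list and audit observed flow records against it. The script below is an added example for this digest, not code from the advisory or from ImmuniWeb; the subnets, the Modbus/TCP and OPC UA ports, and the flow-record format are assumptions, and the sample records are constructed.

```python
"""Audit observed network flows against an explicit OT perimeter allow-list."""
import ipaddress
from dataclasses import dataclass

# Assumed, illustrative address plan (not from the advisory); adapt to the real site.
CORPORATE = ipaddress.ip_network("10.0.0.0/16")
ENGINEERING = ipaddress.ip_network("10.20.1.0/24")     # engineering workstations in the OT DMZ
OT_CONTROL = ipaddress.ip_network("192.168.100.0/24")  # PLCs and OPC UA servers


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    note: str


# Only these conversations may cross the OT perimeter; anything else is denied by default.
ALLOW_RULES = [
    Rule(ENGINEERING, OT_CONTROL, "tcp", 502, "Modbus/TCP to PLCs from engineering hosts"),
    Rule(ENGINEERING, OT_CONTROL, "tcp", 4840, "OPC UA to OPC UA servers from engineering hosts"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason): 'allow', 'deny', or 'in-zone' for traffic not crossing the perimeter."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_ot, dst_ot = src in OT_CONTROL, dst in OT_CONTROL
    if src_ot == dst_ot:
        # Either entirely inside the OT zone or not touching it at all.
        return ("in-zone", "does not cross the OT perimeter")
    if src_ot and dst.is_global:
        return ("deny", "OT device initiating a connection to the internet")
    if src in CORPORATE and dst_ot:
        return ("deny", "corporate host reaching the OT zone directly")
    for rule in ALLOW_RULES:
        if (src in rule.src and dst in rule.dst
                and flow.proto == rule.proto and flow.dport == rule.dport):
            return ("allow", rule.note)
    return ("deny", "not on the OT perimeter allow-list (default deny)")


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,proto,dport' record (assumed export format)."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines) -> list[tuple[Flow, str]]:
    """Return (flow, reason) for every record the perimeter policy would deny."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


# Constructed sample records, not real telemetry.
SAMPLE_FLOWS = """\
# src,dst,proto,dport
10.20.1.15,192.168.100.10,tcp,502
10.20.1.15,192.168.100.20,tcp,4840
10.0.5.23,192.168.100.10,tcp,502
10.20.1.15,192.168.100.10,tcp,22
192.168.100.10,8.8.8.8,udp,53
192.168.100.10,192.168.100.11,tcp,502
""".splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against a real flow export (NetFlow, firewall logs) the same way; every DENY line is either a perimeter rule that is missing on the firewall or a host that should not be talking across the boundary at all, and the OT-to-internet and corporate-to-OT cases are called out separately because they are exactly the paths the advisory wants closed.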