The 2026 Industrial Control Systems (ICS) Cybersecurity Conference takes place October 6-8, 2026, at the W Nashville.
The post SecurityWeek ICS Cybersecurity Conference Heads to Nashville for Special 25-Year Anniversary Edition appeared first on SecurityWeek.
Read more of this story at Slashdot.
Authorities on Thursday disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.
The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.
“The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement.
Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.
Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police.
The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown.
Proofpoint, which also participated in the disruption, described Evil Corp as one of the most prominent cybercrime groups in operation and the “grandfather” of a threat type that compromises websites and uses TDS to redirect users to malware.
Following the takedown, the FBI issued a public service announcement warning about cybercriminals using TDS to break into victim networks for ransomware or other financial scams.
Cybercriminals redirect traffic from sites to bypass firewalls, obscure their activity, identify potential victims and send them to phishing pages to steal credentials, initiate financial scams, access networks, deliver other malware, and sell access to other cybercriminals, officials said.
The law enforcement action was part of Operation Endgame, a multinational effort targeting cybercrime since 2024, and more narrowly for the FBI part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.
The post Authorities disrupt Evil Corp’s SocGholish botnet appeared first on CyberScoop.
Authorities arrested and unsealed charges against a Canadian man accused of running Kimwolf, one of the most far-reaching DDoS botnets on record, the Justice Department said Thursday.
Jacob Butler was arrested Wednesday in Ottawa, Canada, and awaits extradition to the United States where he is charged with aiding and abetting computer intrusions and, if convicted, faces up to 10 years in prison.
Investigators said the 23-year-old, also known as “Dort,” was a principal administrator of Kimwolf, a variant of the record-setting Aisuru DDoS botnet that spread like wildfire and eventually took over more than 2 million Android TV devices after its operators figured out how to abuse residential-proxy networks for local control.
Authorities in March seized infrastructure powering the Kimwolf, Aisuru, JackSkid and Mossad botnets, which hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively.
Kimwolf, which operated as a DDoS-for-hire service for other cybercriminals, initiated more than 25,000 attacks, resulting in network outages, disruptions and financial losses exceeding millions of dollars, officials said. Officials also said they found evidence linking Kimwolf to DDoS attacks targeting Department of Defense Information Network IP addresses.
“Kimwolf and the botnets associated with this operation have supported persistent corporate intrusion efforts and been used by a wide range of serious threat actors,” Zach Edwards, staff threat researcher at Infoblox, told CyberScoop.
Authorities searched Butler’s residence during the globally coordinated operation, but did not arrest him until Wednesday, roughly two months later. Officials filed a criminal complaint against Butler in the U.S. District Court for the District of Alaska in April, and unsealed the complaint following his arrest.
A special agent with the Defense Criminal Investigative Service confirmed Butler’s identity and involvement in the Kimwolf botnet after Butler used the same IP address to access multiple email accounts he controlled and Discord accounts linked to Kimwolf.
“I have observed significant operational security lapses on Butler’s part resulting in patterns of overlapping IP usage among a Google account in Butler’s true name, other Google accounts that I believe to be controlled by Butler due to use of the same machine cookies, and Discord accounts which have been used in support of the KimWolf operation,” the special agent said in an affidavit.
“The Discord accounts show patterns of overlapping IP usage with the KimWolf backend server. These IP addresses appear to be proxy or VPN IPs which were likely used by Butler in an unsuccessful attempt to evade law enforcement scrutiny. However, like many cybercriminals, Butler did not use proxy or VPN IP addresses exclusively,” the special agent added.
Authorities described the botnet takedowns in March in nearly conclusive terms at the time, yet court records indicate the Kimwolf botnet is back in operation.
“While today’s announcement is encouraging to see, there are still hundreds of millions of insecure IoT and network devices connected to sensitive government, corporate and home networks, and these remain a priority target for threat actors looking to build the next version of Kimwolf,” Edwards said.
“Until we find solutions to this underlying problem,” he added, “we’ll unfortunately continue to play Whac-A-Mole with botnet operators year after year.”
You can read the affidavit supporting the criminal complaint against Butler below.
The post Alleged leader of Kimwolf, a sweeping botnet for cybercriminals, arrested in Canada appeared first on CyberScoop.
Using a vulnerability in the portal, hackers accessed names, addresses, email addresses, and phone numbers.
The post Skoda Data Breach Hits Online Shop Customers appeared first on SecurityWeek.
Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”
The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.
“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.
“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”
The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.
They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.
But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.
“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”
One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.
Another operator, Sure, said it has taken preventative measures to defend against misuse.
“Sure acknowledges that digital services can be misused, which is why we take a number of
steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”
019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.
“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”
Updated 4/24/26: to include quote from Alistair Beak.
The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.
Cookeville Regional Medical Center was targeted last year by the Rhysida ransomware group, which stole 500GB of data.
The post Data Breach at Tennessee Hospital Affects 337,000 appeared first on SecurityWeek.
Iranian government hackers are launching disruptive cyberattacks on American energy and water infrastructure, U.S. government agencies “urgently” warned Tuesday.
The hackers are taking aim at devices and systems that control industrial processes, and have harmed victims in the last month following the onset of U.S.-Israel strikes against Iran, according to the joint alert from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and Cyber Command.
“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the alert states. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.”
U.S. government agencies have warned before about Iranian hackers going after similar targets with those similar methods. The first such warning came after an Iranian government-linked group took credit for attacking a Pennsylvania water facility in late 2023.
Since March of this year, however, the agencies said they have seen new victims emerge from an advanced persistent threat group tied to Iran.
“The authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the alert reads. “These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”
The earlier campaign compromised at least 75 devices, the alert states.
The latest disruptions include “maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” according to the agencies’ warning.
After the U.S.-Israel conflict with Iran began, Tehran-connected hackers claimed victims including major medtech company Stryker, local governments and more.
The FBI warned last month that Iranian hackers were deploying malware over the Telegram app, although that campaign also predated the current Iran conflict.
The post Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn appeared first on CyberScoop.
By Troy Wojewoda During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the client’s […]
The post The Curious Case of the Comburglar appeared first on Black Hills Information Security, Inc..
Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.
On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.
FINTRAC found that Cryptomus failed to submit suspicious transaction reports in cases where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion.
“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” said Sarah Paquet, director and CEO at the regulatory agency.
In December 2024, KrebsOnSecurity covered research by blockchain analyst and investigator Richard Sanders, who’d spent several months signing up for various cybercrime services, and then tracking where their customer funds go from there. The 122 services targeted in Sanders’s research all used Cryptomus, and included some of the more prominent businesses advertising on the cybercrime forums, such as:
-abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
-sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
-anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
-anonymous SMS services, including anonsim[.]net and smsboss[.]pro.
Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus. The image from this website has been machine translated from Russian.
Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.
“These platforms were built for Russian speakers, and they each advertised the ability to anonymously swap one form of cryptocurrency for another,” the December 2024 story noted. “They also allowed the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.”
Reached for comment on FINTRAC’s action, Sanders told KrebsOnSecurity he was surprised it took them so long.
“I have no idea why they don’t just sanction them or prosecute them,” Sanders said. “I’m not let down with the fine amount but it’s also just going to be the cost of doing business to them.”
The $173 million fine is a significant sum for FINTRAC, which imposed 23 such penalties last year totaling less than $26 million. But Sanders says FINTRAC still has much work to do in pursuing other shadowy money service businesses (MSBs) that are registered in Canada but are likely money laundering fronts for entities based in Russia and Iran.
In an investigation published in July 2024, CTV National News and the Investigative Journalism Foundation (IJF) documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.
Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But the news outlets found none of the MSBs or currency dealers were paying for services at that co-working space.
The reporters also found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence any of these companies had ever arranged for any business services at that address.
This blog will be referencing the ICS/OT Backdoors & Breaches expansion deck created by BHIS and Dragos. We will be reviewing the ICS-focused Initial Compromise cards that are used to simulate a cyber incident and suggest potential mitigations to what is presented.
The post ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches appeared first on Black Hills Information Security, Inc..
Troy Wojewoda // In honor of Shark Week1, I decided to write this blog to demonstrate various techniques I’ve found useful when analyzing network traffic with Wireshark, as well as […]
The post Welcome to Shark Week: A Guide for Getting Started with Wireshark and TShark appeared first on Black Hills Information Security, Inc..
Have you heard of Backdoors & Breaches, or even have a deck of your own, and yet… still don’t know how to use it? We created an incident response card […]
The post How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity appeared first on Black Hills Information Security, Inc..
Sally Vandeven // OR How to Pentest with AD Explorer! Mark Russinovich’s Sysinternals tools (Microsoft) are nothing new. They have been a favorite among system administrators for many, many years. […]
The post Domain Goodness – How I Learned to LOVE AD Explorer appeared first on Black Hills Information Security, Inc..
Login