At a glance.
- Law enforcement disrupts pro-Russian hacker group.
- Malware campaign targets end-of-life SonicWall devices.
- Former US Army soldier pleads guilty to hacking and extorting telcos.
Law enforcement disrupts pro-Russian hacker group.
An international law enforcement operation has disrupted the pro-Russian hacker group NoName057(16). The group is a loose collective of criminals and hacktivists known for launching DDoS attacks against Ukraine and its allies. The operation, which was coordinated by Europol and Eurojust, involved over a dozen European countries, as well as Canada and the US.
Europol stated, "The actions led to the disruption of an attack-infrastructure consisting of over one hundred computer systems worldwide, while a major part of the group's central server infrastructure was taken offline. Germany issued six warrants for the arrest of offenders living in the Russian Federation. Two of these persons are accused of being the main instigators responsible for the activities of 'NoName057(16)'. In total, national authorities have issued seven arrest warrants, which are directed, inter alia, against six Russian nationals for their involvement in the NoName057(16) criminal activities. All of the suspects are listed as internationally wanted, and in some cases, their identities are published in media."
Malware campaign targets end-of-life SonicWall devices.
Google's Threat Intelligence Group (GTIG) has published a report on an ongoing malware campaign targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. The threat actor is using credentials and one-time password seeds stolen during previous attacks, and installing a newly observed rootkit dubbed "OVERSTEP." Google states, "[O]ur analysis shows this malware modifies the appliance's boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. GTIG assesses with moderate confidence that UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically targeted SonicWall SMA appliances." The goal of the operation appears to be data theft, extortion, and possibly ransomware deployment.
Google recommends that "all organizations with SMA appliances perform analysis to determine if they have been compromised," noting that "[o]rganizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities."
Former US Army soldier pleads guilty to hacking and extorting telcos.
A former US Army soldier has pleaded guilty to hacking and attempting to extort at least ten telecom companies. Cameron John Wagenius, 21, was arrested in Texas last December and was accused of working with co-conspirators to steal data from telcos and threatening to publish the data unless the victims paid a ransom. The US Justice Department states, "After data was stolen, the conspirators extorted the victim organizations both privately and in public forums. The extortion attempts included threats to post the stolen data on cybercrime forums such as BreachForums and XSS.is. The conspirators offered to sell stolen data for thousands of dollars via posts on these forums. They successfully sold at least some of this stolen data and also used stolen data to perpetuate other frauds, including SIM-swapping."
Wagenius carried out this activity between April 2023 and December 2024, while he was on active duty with the US Army.