Ukrainian Cyber Alliance hacked the infrastructure of the Trigona ransomware group

Carding 4 Carders

Hackers claimed that they hacked the servers of the extortion group Trigona and completely wiped them after stealing all available information.

According to the hackers, the Trigona infrastructure was compromised using a publicly available exploit for the critical vulnerability CVE-2023-22515, affecting Confluence Data Center and Server. This issue can be exploited remotely for privilege escalation.

A representative of the hacking group, known by the nickname herm1t, said that the Trigona Confluence server was hacked about a week ago, after which the attackers gained a foothold in the system and quietly studied the ransomware infrastructure.

The Bleeping Computer publication writes that after herm1t published screenshots of the group's internal documents on social networks, Trigona operators panicked, changed their password and disabled the infrastructure available from the outside.

However, the hacktivists managed to retain access and gradually extract information from the Trigona administration panels, the group's blog and the data leak site, as well as internal tools (Rocket.Chat servers, Jira, and Confluence). Herm1t told reporters that data from the development environment, cryptocurrency hot wallets, source code, databases and three backups containing hundreds of gigabytes of documents allegedly stolen by the ransomware operators were also taken.

It is not yet known whether the stolen information contains decryption keys, but herm1t said that they will be published if they are found.

After collecting all the available data, the hackers completely wiped and defaced the Trigona sites, and also published the key to the administration panel. "Welcome to the world you created for others," the hackers wrote on the defaced site.

The Trigona ransomware was first detected in October 2022. At the time it was reported that the malware operators accept payments only in the Monero cryptocurrency, and that Trigona encrypts all files on victims' devices except for files in certain folders (including Windows and Program Files). The attackers also claimed that before encryption they steal confidential documents, which are then published on their "leak site" on the darknet.

Although some researchers linked Trigona with the Russian-speaking extortion group BlackCat (ALPHV), Trend Micro analysts noted that all the similarities found "are only indirect" and allowed that the ALPHV group collaborated with Trigona operators but did not participate in the development or operation of the malware.

As cybersecurity experts now point out, it will most likely not be difficult for Trigona operators to close the old leak site and bring up new servers and hosting elsewhere.

• Source: https://twitter.com/vx_herm1t/status/1714442927168966865