URL: https://www.theregister.com/2023/02/23/russian_nlbrute_hacking_malware/

CYBER-CRIME




SUSPECTED RUSSIAN NLBRUTE MALWARE BOSS EXTRADITED TO US
DARIY PANKOV ACCUSED OF INFILTRATING SYSTEMS, SELLING TOOL AND PASSWORDS TO
OTHER MISCREANTS

Jeff Burt
Thu 23 Feb 2023 // 23:30 UTC




A Russian national accused of developing the NLBrute brute-force hacking tool
has made his first court appearance this week in Florida over accusations he
used the tool to spawn a criminal empire.

Dariy Pankov, also known as "dpxaker," created the NLBrute malware that cracked
the Windows credentials of improperly secured Remote Desktop Protocol (RDP)
systems through the brute-force technique of throwing massive numbers of
password guesses at them, according to the US Department of Justice. He was
arrested in the country of Georgia four months ago and extradited to the US
recently.
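The technique described above, a high volume of password guesses against exposed RDP, leaves a distinctive trace in the target's Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (Event ID 4624) from the same source. The following detector is an added example written for this page; it is not code from the article, from NLBrute, or from any vendor named here. The event IDs and logon type are real Windows conventions, but the flattened one-line `key=value` log format, the sample lines, the addresses and the usernames are all constructed for the example.

```python
"""Flag RDP brute-force bursts in flattened Windows Security log lines.

Added example for illustration; not code from the article or from NLBrute.
Assumptions (constructed for this example):
  * each event is one line: "<ISO timestamp> EventID=<n> LogonType=<n> User=<u> Source=<ip>"
  * Event ID 4625 = failed logon, 4624 = successful logon (real Windows IDs)
  * LogonType 10 = RemoteInteractive, i.e. an RDP session (real Windows value)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: one noisy RDP source that eventually succeeds,
# one slow RDP source under the threshold, and one console (LogonType 2) source
# that fails often but is not RDP and so must not be reported here.
SAMPLE_LOG = """\
2023-02-20T10:00:01 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2023-02-20T10:00:02 EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2023-02-20T10:00:02 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2023-02-20T10:00:03 EventID=4625 LogonType=10 User=backup Source=203.0.113.7
2023-02-20T10:00:04 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2023-02-20T10:00:05 EventID=4624 LogonType=10 User=administrator Source=203.0.113.7
2023-02-20T10:01:00 EventID=4625 LogonType=10 User=jsmith Source=198.51.100.9
2023-02-20T10:05:00 EventID=4625 LogonType=10 User=jsmith Source=198.51.100.9
2023-02-20T10:02:00 EventID=4625 LogonType=2 User=jsmith Source=192.0.2.5
2023-02-20T10:02:01 EventID=4625 LogonType=2 User=jsmith Source=192.0.2.5
2023-02-20T10:02:02 EventID=4625 LogonType=2 User=jsmith Source=192.0.2.5
2023-02-20T10:02:03 EventID=4625 LogonType=2 User=jsmith Source=192.0.2.5
2023-02-20T10:02:04 EventID=4625 LogonType=2 User=jsmith Source=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"User=(?P<user>\S+)\s+Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed flattened format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or foreign lines in a real log stream
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "src": m["src"],
        })
    # Collected logs routinely arrive out of order; the sliding window needs time order.
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1),
                          rdp_logon_type=10):
    """Return {source: finding} for sources with >= threshold RDP failures inside `window`.

    A later successful RDP logon from a flagged source is recorded as
    'success_after_burst', the case that most urgently needs a responder.
    """
    recent_failures = defaultdict(deque)  # source -> timestamps within the window
    users_tried = defaultdict(set)        # source -> distinct usernames guessed
    findings = {}
    for ev in events:
        if ev["logon_type"] != rdp_logon_type:
            continue  # console, network and service logons are out of scope here
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent_failures[src]
            q.append(ev["ts"])
            users_tried[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in findings:
                findings[src] = {
                    "first_seen": q[0],
                    "last_seen": ev["ts"],
                    "failures_in_window": len(q),
                    "distinct_users": len(users_tried[src]),
                    "success_after_burst": False,
                }
        elif ev["event_id"] == 4624 and src in findings:
            findings[src]["success_after_burst"] = True
            findings[src]["compromised_user"] = ev["user"]
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, f)
```

Running the block reports only 203.0.113.7: five failures across three usernames inside four seconds, followed by a successful logon as `administrator`. The slow source stays under the threshold because its two failures are four minutes apart, and the console source is excluded by logon type. In a real deployment the threshold and window would be tuned per environment, and the same logic applies to any sorted feed of 4624/4625 events, not just the constructed format parsed here.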

Between 2016 and 2019, Pankov allegedly made hundreds of thousands of dollars by
selling NLBrute to other miscreants and by allowing some to resell the tool. He
also, the documents claim, had a sideline selling stolen login credentials on a
dark web marketplace for criminals to use in further attacks.



In total, Pankov put the credentials of more than 35,000 compromised systems
from around the world up for sale, generating more than $350,000 in ill-gotten
gain for himself, according to the US Attorney's Office for the Middle District
of Florida.




Pankov faces conspiracy, access device fraud, and computer fraud charges, which
prosecutors said could land him in jail for up to 47 years. US authorities also
plan to seize $358,437 that they have linked to Pankov's offenses. He is being
held at Pinellas County Jail near Tampa until his trial.


In the indictment, handed up in April 2019, Pankov is accused of creating
NLBrute in 2016 and of beginning to work with unnamed people to sell the tool on
the dark web for $250 in Bitcoin. He began advertising the tool in June 2016
and two months later told a conspirator that he had the login credentials to
3,000 computers in the US, UK, France, Italy, and Australia and could get more,
the Feds say.

In November 2016, on an online hacking forum, Pankov said he had developed
NLBrute and allowed a conspirator to sell it, according to the indictment. From
then until 2018 he allegedly ran his operations, including selling the
credentials to compromised systems, for $1,000 or more. Two unnamed US law
firms in Florida were cited as being among the victims.

NLBrute was making a name for itself during that time, when brute-force attacks
were on the rise. In 2017, researchers at Sophos reported that NLBrute was a
key tool in ransomware attacks that year which used Microsoft's RDP as a way
into vulnerable systems.



NLBrute has also been linked to ransomware groups like REvil and Netwalker.

In 2018, The Register covered a report by McAfee about the growth of so-called
"RDP shops" on the dark web selling access to compromised systems for as
little as $10 each, with the miscreants using NLBrute and other brute-force
tools like Hydra and RDP Forcer to gain access.

Analysts with cybersecurity firm CloudSEK said in 2021 that they had found a
dark web forum advertising an NLBrute tool based on NLBrute version 1.2, so it
looks like use of the malware won't be ending soon. ®
