Ragnar Locker, Trigona ransomware go down
An international police operation involving Europol and law enforcement authorities from the US, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia took down the Ragnar Locker ransomware gang's Tor negotiation and data leak sites, which are now displaying a seizure message. Europol has confirmed the takedown but declined to comment further, citing an ongoing action targeting the Ragnar Locker ransomware operation.
Additionally, a group of pro-Ukraine hacktivists known as the Ukrainian Cyber Alliance commandeered the data leak site of the Trigona ransomware operation, exfiltrated its data and wiped the servers. The group said it used a privilege escalation vulnerability (CVE-2023-22515) in Atlassian Confluence, a flaw reported to have been exploited by at least one threat actor (Storm-0062) since September 2023.
The activists said they exfiltrated the information from Trigona’s administration and victim panels, their blog and data leak site, as well as the developer environment, cryptocurrency hot wallets, the source code and database records.
Currently, it’s unclear if the exfiltrated data contains any decryption keys.
E-Root cybercrime marketplace admin extradited to the US
A Moldovan national, Sandu Diaconu, was extradited from the UK to the United States where he was charged with multiple offenses related to his administration of the E-Root marketplace that sold access to hacked computers worldwide. If convicted, he could face up to 20 years in prison.
E-Root, dismantled in 2020, operated across a widely distributed network and allowed customers to search for compromised credentials, such as RDP and SSH access, by criteria such as price, geographic location, internet service provider, and operating system. It also used the Perfect Money payment system to help hide buyers’ payments and offered an illicit cryptocurrency exchange service for converting Bitcoin to Perfect Money and vice versa. The authorities estimate that more than 350,000 compromised credentials were listed for sale on E-Root.
Indian authorities bust tech support scammers
India’s Central Bureau of Investigation (CBI) raided call centers in 76 locations across the country involved in tech support and cryptocurrency scams. The illegal call centers raided by CBI were set up to impersonate Microsoft and Amazon customer support. They targeted over 2,000 customers across Amazon and Microsoft primarily based in the US, but also in Canada, Germany, Australia, Spain, and the UK.
As part of the operation, dubbed ‘Operation Chakra-II’, 32 mobile phones, 48 laptops / hard disks, images of two servers, 33 SIM cards, and pen drives were confiscated and numerous bank accounts were frozen. CBI also seized a dump of 15 email accounts.
Recently patched Citrix NetScaler bug has been under exploitation since August 2023
A Citrix NetScaler RCE vulnerability addressed earlier this month has been exploited as a zero-day since August 2023, security researchers said.
Tracked as CVE-2023-4966, the bug is a buffer overflow issue that allows a remote attacker to execute arbitrary code on the target system by sending specially crafted data. It’s worth noting that successful exploitation of the vulnerability requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
According to Mandiant Consulting CTO Charles Carmakal, simply applying the patch is not enough; organizations should also terminate all active sessions.
Signal denies rumors of a zero-day bug
Signal has denied reports of a zero-day vulnerability in its encrypted messaging app that have been circulating online over the weekend. The company said it conducted a thorough investigation and found no evidence that the rumored zero-day vulnerability is real.
The number of compromised Cisco IOS XE devices reaches almost 42,000
The Censys search platform said it found 41,983 Cisco IOS XE devices compromised via a new zero-day vulnerability affecting IOS XE software.
Previously, LeakIX reported about 30,000 infected Cisco devices, including routers, switches and VPN solutions, with the majority of them located in the US, followed by the Philippines, Chile and Mexico.
The flaw, tracked as CVE-2023-20198, resides in the web UI feature and can be exploited by a remote, unauthenticated attacker via a specially crafted HTTP request sent to the affected device. The attacker can then create an account with privilege level 15 access. The vulnerability affects all IOS XE versions.
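The two things a defender would check first after reading the item above are whether the web UI (the HTTP/HTTPS server feature) is enabled on a device and whether any local account holds privilege level 15 without the operator having created it. The script below is an added example, not Cisco's or Censys' tooling: it audits a running-config excerpt for both conditions. The config text, the account names and the KNOWN_ADMINS allowlist are constructed for the example.

```python
"""Audit an IOS XE running-config excerpt for the two conditions the item
above ties to CVE-2023-20198: the web UI (HTTP/HTTPS server) being enabled,
and local accounts at privilege level 15 that the operator did not create.
Added example; the config text and account names are constructed."""
import re
from typing import Dict, List, Set

# Constructed sample running-config; no real device or indicator values.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Accounts the operator expects to hold privilege 15 (assumed allowlist).
KNOWN_ADMINS: Set[str] = {"netadmin"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def web_ui_enabled(config: str) -> Dict[str, bool]:
    """Report whether 'ip http server' / 'ip http secure-server' are active.
    A later 'no ip http ...' line turns the corresponding transport off."""
    status = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            status["http"] = True
        elif line == "ip http secure-server":
            status["https"] = True
        elif line == "no ip http server":
            status["http"] = False
        elif line == "no ip http secure-server":
            status["https"] = False
    return status


def privilege15_accounts(config: str) -> List[str]:
    """Return every local username configured with privilege 15."""
    found = []
    for raw in config.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if m and int(m.group(2)) == 15:
            found.append(m.group(1))
    return found


def unexpected_admins(config: str, known: Set[str] = KNOWN_ADMINS) -> List[str]:
    """Privilege 15 accounts that are not on the operator's allowlist."""
    return [u for u in privilege15_accounts(config) if u not in known]


def findings(config: str) -> List[str]:
    """Human-readable list of things to act on for this config."""
    out = []
    status = web_ui_enabled(config)
    if status["http"] or status["https"]:
        out.append("web UI is enabled (ip http server / ip http secure-server); "
                   "disable it or restrict access to it")
    for user in unexpected_admins(config):
        out.append(f"unexpected privilege 15 account: {user}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIG):
        print(line)
```

Feed it the output of `show running-config` from each device and diff the privilege 15 list against the accounts your change records say should exist; an account you cannot account for is worth treating as an incident rather than a cleanup item.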
Russian and Chinese nation-state actors target recently patched WinRAR zero-day
Several nation-state actors associated with Russia and China (Sandworm, APT28 and APT40) have been abusing a high-severity flaw in the WinRAR file archiver utility as part of their operations, Google’s Threat Analysis Group (TAG) said.
Tracked as CVE-2023-38831, the flaw could be exploited by a remote attacker using a specially crafted archive with executable malicious files designed to spoof a file extension to look like .jpeg or .txt.
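The archive-level tell described above, an executable whose name is dressed up with a decoy extension such as .jpg or .txt, is something a mail gateway or triage script can look for in entry names alone, without extracting anything. The scanner below is an added example (not TAG's or RARLAB's code): it lists a ZIP archive's entries and flags executables carrying a decoy extension, plus the related oddity of whitespace at the end of a path component. The archive it scans is built in memory from placeholder bytes.

```python
"""Scan a ZIP archive's entry names for the extension-spoofing pattern the
item above describes: an executable whose name is dressed up with a decoy
extension such as .jpg or .txt, plus the related oddity of whitespace at the
end of a path component. Added example; the archive is constructed in memory."""
import io
import re
import zipfile
from typing import List, Tuple

EXEC_EXTS = {".exe", ".cmd", ".bat", ".scr", ".ps1", ".vbs", ".js", ".com", ".pif", ".dll"}
# A decoy extension sitting just before the real (executable) extension,
# with optional whitespace in between, e.g. "holiday.jpg.scr" or "holiday.jpg .cmd".
DECOY_RE = re.compile(r"\.(jpe?g|png|gif|txt|pdf|docx?)\s*$", re.IGNORECASE)


def _split_ext(base: str) -> Tuple[str, str]:
    """Return (stem, ext) with ext lower-cased; ext is '' when there is no dot."""
    dot = base.rfind(".")
    if dot <= 0:
        return base, ""
    return base[:dot], base[dot:].lower()


def scan_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for suspicious entries.
    Only names are inspected; nothing is extracted."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            if any(comp != comp.rstrip() for comp in parts[:-1]):
                findings.append((name, "directory name ends with whitespace"))
            if info.is_dir():
                continue
            stem, ext = _split_ext(parts[-1])
            if stem != stem.rstrip():
                findings.append((name, "whitespace before the final extension"))
            if ext in EXEC_EXTS:
                m = DECOY_RE.search(stem)
                if m:
                    findings.append(
                        (name, f"executable named with decoy .{m.group(1).lower()} extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive; entry contents are placeholder bytes, not code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed placeholder text")
        zf.writestr("holiday.jpg.scr", b"constructed placeholder bytes")
        zf.writestr("tmp /notes.txt", b"constructed placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_archive(build_sample_zip()):
        print(f"{entry!r}: {reason}")
```

Name-based checks like this are cheap and catch the lure as it arrives; they complement, rather than replace, updating WinRAR to a fixed version on every endpoint.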
Additionally, Microsoft reported that two North Korean threat actors it tracks as Diamond Sleet (aka Zinc) and Onyx Sleet (Plutonium) have been observed exploiting a remote code execution vulnerability (CVE-2023-42793) affecting the JetBrains TeamCity build management and continuous integration server.
The Diamond Sleet attacks exploited the flaw to deploy the Forest Tiger backdoor to establish persistent access to the target system, while Onyx Sleet created a new user account on the compromised system with administrator-level access.
US seizes 17 domains used by North Korean IT workers to defraud businesses worldwide
The US authorities announced the takedown of 17 website domains used by North Korean overseas IT workers in a scheme to allegedly defraud businesses in the US and across the globe, evade sanctions and fund the development of North Korea's weapons program. According to the US Department of Justice, North Korean IT workers collected nearly $1.5 million of revenue through the fraud schemes. The DoJ said the criminal proceeds were seized in October 2022 and January 2023.
Iranian OilRig APT targets governments in the Middle East in eight-month-long espionage campaign
Symantec’s threat hunter team released a report detailing a new cyber espionage campaign by an Iran-linked threat actor known as OilRig, APT34 or Crambus, that lasted eight months. During the campaign, which targeted a government in the Middle East, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that monitored incoming mail on an Exchange Server for the attackers’ commands, executed them, and surreptitiously forwarded the results to the intruders.
Telecom providers in Ukraine targeted with destructive attacks
At least 11 telecommunications services providers in Ukraine have been hit with destructive attacks between May 11, 2023, and September 27, 2023, CERT-UA said. The agency has attributed these campaigns to Sandworm (UAC-0165), a threat actor believed to be one of Russia's military cyber units. The attackers planted a backdoor in the form of a PAM module, tracked as POEMGATE, on compromised machines. In some cases, the hackers installed a variant of the Poseidon remote access tool (RAT), or the Weevely backdoor (if the target company provides hosting services).
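A backdoor delivered as a PAM module, as in the POEMGATE case above, has to be referenced from a PAM stack file to get loaded, so the stack files under /etc/pam.d are a natural place to start looking. The script below is an added example, not CERT-UA's tooling or the malware's code: it parses the PAM rule syntax (including bracketed controls and @include lines) and reports any module not on a baseline of distro-shipped modules. The file contents, the baseline, and the names pam_example_hook.so and pam_placeholder.so are constructed for the example and are not real module names or indicators.

```python
"""Parse PAM stack files (the /etc/pam.d/* syntax) and report modules that are
not on a baseline, as a first pass for spotting a foreign PAM module such as
the one the item above describes. Added example; the file contents and the
names pam_example_hook.so / pam_placeholder.so are constructed, not real
module names or indicators."""
import os
import re
from typing import Dict, List, Set

# Modules commonly shipped by the distro's PAM packages (assumed baseline;
# tune it to what the package manager actually owns on the host).
BASELINE_MODULES: Set[str] = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_faildelay.so",
    "pam_nologin.so", "pam_limits.so", "pam_systemd.so", "pam_motd.so", "pam_mail.so",
    "pam_umask.so", "pam_lastlog.so", "pam_loginuid.so", "pam_keyinit.so",
}

# type  control  module [args]; control may be bracketed, e.g. [success=1 default=ignore]
LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text: str) -> List[Dict[str, str]]:
    """Return one dict per rule; '@include' lines become entries of type 'include'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            rules.append({"type": "include", "control": "", "module": line.split()[1], "args": ""})
            continue
        m = LINE_RE.match(line)
        if m:
            rules.append({k: (v or "") for k, v in m.groupdict().items()})
    return rules


def unknown_modules(files: Dict[str, str],
                    baseline: Set[str] = BASELINE_MODULES) -> Dict[str, List[str]]:
    """Map each PAM file name to the module basenames it loads that are not in the baseline."""
    report: Dict[str, List[str]] = {}
    for fname, text in files.items():
        odd: List[str] = []
        for rule in parse_pam(text):
            if rule["type"] == "include":
                continue
            mod = os.path.basename(rule["module"])  # modules may be given as full paths
            if mod not in baseline and mod not in odd:
                odd.append(mod)
        if odd:
            report[fname] = odd
    return report


# Constructed sample stacks standing in for /etc/pam.d/common-auth and /etc/pam.d/sshd.
SAMPLE_PAM_FILES = {
    "common-auth": """\
# constructed sample
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_example_hook.so   # hypothetical extra module
""",
    "sshd": """\
@include common-auth
account required  pam_nologin.so
session required  pam_limits.so
auth    sufficient /usr/local/lib/security/pam_placeholder.so   # hypothetical path
""",
}


if __name__ == "__main__":
    for fname, mods in unknown_modules(SAMPLE_PAM_FILES).items():
        print(f"{fname}: {', '.join(mods)}")
```

On a real host, read the files from /etc/pam.d and build the baseline from what the package manager reports as owned (for example `dpkg -S` or `rpm -qf` on each module path); a module on disk that no package owns, or a rule line that changed outside a package upgrade, is the thing to escalate.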
CISA shares bugs, misconfigs and weaknesses linked to ransomware campaigns
The US Cybersecurity and Infrastructure Security Agency (CISA) announced an update to its known exploited vulnerabilities (KEV) catalog, which will now list information about which vulnerabilities are commonly associated with ransomware campaigns. The agency has also developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns.
Separately, CISA, NSA, the FBI, and MS-ISAC issued an advisory on commonly used phishing techniques. The advisory also offers recommendations on how to mitigate phishing attacks.
Additionally, NSA published a repository named Elitewolf which contains various ICS/SCADA/OT-focused signatures and analytics to help defenders identify and detect potentially malicious cyber activity in their OT environments.
ESET releases report on cybercrime in Latin America
ESET has released an analytical report highlighting the threat landscape in Latin America (LATAM). The report examines various documented campaigns targeting exclusively the LATAM region between 2019 and 2023.
Hackers can now hide malicious code in Web3 smart contracts
Hackers devised a novel way to embed malicious code in Binance Smart Chain (BSC) smart contracts to steal partial payments from blockchain contracts. Dubbed “EtherHiding,” the attack involves compromising WordPress websites by implanting code that retrieves partial payloads from blockchain contracts, subsequently deploying these payloads within BSC smart contracts. These smart contracts effectively function as clandestine, anonymous hosting platforms for malicious code.
AI algorithm intercepts MitM attacks on military robots
Researchers from Charles Sturt University (Australia) and the University of South Australia (UniSA) developed a novel algorithm that can block a Man-in-the-Middle (MitM) attack on an unmanned military robot in a matter of seconds. The new algorithm has been tested on a replica of a US Army combat ground vehicle and was shown to be 99% successful at preventing a malicious attack, with a false positive rate of less than 2%.
Casio reveals a data breach
Japanese electronics giant Casio said that hackers broke into its ClassPad server and stole a database with personal information belonging to customers in 149 countries.
The company said that the attackers were able to gain access to the database because “some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management.”
The compromised information includes customer names, email addresses, country/region of residence, purchasing information (order details, payment method, license code, etc.), and service usage information (log data, nicknames, etc.).