27 September 2024

Cyber Security Week in Review: September 27, 2024


The US imposes sanctions targeting Russia’s money laundering operations

The US authorities imposed sanctions targeting Russian money laundering operations connected to cybercriminal activities, including ransomware and major data breaches. Key individuals like Sergey Sergeevich Ivanov and Timur Shakhmametov are accused of facilitating illegal cryptocurrency exchanges, including PM2BTC and Cryptex, which laundered hundreds of millions of dollars. These exchanges allegedly processed over $1.15 billion in illicit transactions, with a significant portion tied to criminal activity, such as ransomware payments and darknet markets.

Ivanov and Shakhmametov also supported carding websites like Rescator and Joker’s Stash, which sold stolen payment card data from US institutions. The US Secret Service seized domains associated with the cryptocurrency money laundering exchange “Cryptex.net.” According to court records, Cryptex.net and Cryptex.one were linked to the administration and operation of Cryptex, which offers complete anonymity to its users by allowing them to register for accounts without meeting know-your-customer (KYC) requirements. Like UAPS and PM2BTC, Cryptex advertised itself directly to cybercriminals.

Law enforcement op disrupts global botnet linked to Chinese state-sponsored hackers

A court-authorized law enforcement operation disrupted a massive botnet dubbed ‘Raptor Train’ comprising over 200,000 infected network devices across the United States and beyond. The botnet was controlled by state-sponsored hackers from the People’s Republic of China (PRC), tracked by threat intelligence teams as “Flax Typhoon.” The group operates through the Beijing-based company Integrity Technology Group.

Russian hackers intensify attacks on Ukraine in H1 2024

Russian cyberattacks against Ukraine have significantly escalated in the first half of 2024, according to an analytical report released by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP). Phishing campaigns and malicious software remain the primary tools used by Russian hackers to infiltrate Ukrainian military, governmental, and critical infrastructure systems. Hackers are also exploiting vulnerabilities to steal intelligence and assess the outcomes of military operations, using cyber elements to gather feedback on kinetic strikes. Aside from espionage, Russian hacker groups have ramped up efforts to disrupt civilian infrastructure, the report noted. The CERT-UA team (Cyber Emergency Response Team of Ukraine) reported a 19% increase in cyber incidents during the first half of 2024, with a notable 40% rise in malware distribution and a 90% increase in infections.

According to ESET’s new report, Gamaredon (also known as Armageddon) remains the most active Russia-backed hacking group targeting Ukraine. Active since at least 2013, thought to be operating from Crimea, and linked to Russia’s Federal Security Service (FSB), Gamaredon has enhanced its cyberespionage capabilities. While it mainly targets Ukrainian government institutions, the group has expanded its focus since Russia's 2022 invasion of Ukraine, attempting to attack NATO allies such as Bulgaria, Latvia, Lithuania, and Poland. Researchers from ESET suggest that Gamaredon is collaborating with another group called InvisiMole.

OCCRP’s report reveals how Russia recruits Europeans for espionage and sabotage amid its invasion of Ukraine

A joint investigation involving journalists from Delfi, OCCRP, Paper Trail Media, ZDF, and Der Standard sheds light on Russia's efforts to recruit Europeans to commit acts of sabotage in their home countries via social media.

In recent years, Russia has increasingly leveraged social media platforms like Telegram to recruit Europeans for sabotage operations in their home countries. This trend has escalated as Russia's intelligence and security resources are stretched thin due to the ongoing war in Ukraine. Security experts and intelligence officials report a sharp rise in sabotage attempts across Europe, including in Estonia, Germany, and Poland, where citizens have been arrested or convicted for espionage and attacks linked to the Kremlin. Russian actors have used social media to target and recruit individuals, highlighting a growing threat to European security.

Ukraine officially banned the use of the Telegram messaging app by government officials, military personnel, and critical infrastructure workers. The decision stems from concerns about the app's potential exploitation by Russia for intelligence and cyberattacks.

Earlier this week, Telegram updated its privacy policy, which now states that the platform will share users' phone numbers and IP addresses with law enforcement agencies, but only under certain conditions. The update clarifies that Telegram will comply with legal requests when users are found to be in violation of the platform's rules. Specifically, the company will respond to valid court orders confirming that a user is a suspect in a criminal case that breaches Telegram’s Terms of Service.

China-linked Salt Typhoon hackers reportedly infiltrate US ISPs

A recently identified Chinese government-backed hacker group, known as ‘Salt Typhoon,’ has reportedly infiltrated several US Internet service providers (ISPs) in an effort to steal sensitive information, according to a Wall Street Journal report. Sources familiar with the investigation revealed that the group has been active for months, potentially accessing routers that manage critical traffic for US ISPs. The attackers are suspected of targeting core network infrastructure, specifically routers, to gain access to confidential data.

New phishing campaign exploits LoL World Championship theme to spread malware

Security researchers have discovered a new phishing campaign targeting excitement around the League of Legends (LoL) World Championship. The campaign involves malicious ads on social media that offer a fake download of the already free game. Clicking these ads directs users to a lookalike download page using typosquatting techniques. Victims are then led to a Bitbucket repository containing a malicious archive. This archive includes a dropper for the Lumma Stealer info-stealing malware designed to steal sensitive data like passwords, credit card information, cryptocurrency wallets, and browser session cookies.

New RomCom variant spotted in espionage campaigns

A new variant of the RomCom Remote Access Trojan (RAT) family, dubbed SnipBot, has emerged equipped with new capabilities. Spreading since last December, the most recent variant uses valid code-signing certificates to evade detection, enabling attackers to execute commands and download additional malicious files in a multistage attack. SnipBot is based on the RomCom 3.0 framework but incorporates techniques from RomCom 4.0, effectively making it version 5.0 of RomCom.

Another report from Unit 42 details two new malware strains dubbed KLogEXE and FPSpy attributed to a North Korean threat actor known as Kimsuky, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.

North American transportation and logistics firms hit with a new phishing campaign

Transportation and logistics companies across North America have become the focus of a sophisticated phishing campaign, delivering a variety of information stealers and remote access trojans (RATs). According to security researchers at Proofpoint, the attackers are leveraging compromised legitimate email accounts to insert malicious content into existing email conversations.

Proofpoint said it has identified at least 15 breached email accounts used to carry out these attacks. The accounts belong to transportation and shipping companies, which makes the phishing messages appear even more legitimate. However, it remains unclear how the attackers initially gained access to these email accounts or who is orchestrating the campaign.

India-based SloppyLemming targets critical sectors in Pakistan

A threat actor, allegedly operating out of India, has been conducting cyberattacks on energy, defense, government, telecommunications, and technology sectors in Pakistan using various cloud services. The group, tracked as SloppyLemming, has been linked to Outrider Tiger, a threat actor with suspected ties to India. SloppyLemming is primarily interested in targeting Pakistani law enforcement agencies, with a particular focus on entities connected to Pakistan's only nuclear power facility. The group has been observed extensively using credential harvesting to gain unauthorized access to email accounts in organizations that hold intelligence value.

Iranian APT UNC1860 targets Middle Eastern networks

Google-owned cybersecurity firm Mandiant has shed some light on the operations of UNC1860, an Iranian threat actor believed to serve as an initial access provider to high-profile targets in the Middle East. UNC1860 acts as an entry point for other threat actors such as APT34, which is suspected of collaborating with the group. Once UNC1860 establishes a foothold, typically by deploying web shells on compromised servers, it uses an array of stealthy utilities and implants that enable the threat actors to dig into the victim’s network.

SilentSelfie espionage campaign targets Kurdish minority

A watering hole attack targeting the Kurdish minority has compromised up to 25 websites, harvesting sensitive information for over a year and a half, according to French cybersecurity firm Sekoia. The campaign, named ‘SilentSelfie,’ began in December 2022 and involves four variants of an information-stealing framework. These variants range from basic tools that track users' locations to more advanced ones capable of recording images via the selfie camera and tricking users into installing malicious Android applications (APKs).

Storm-0501 cybercrime group expands to hybrid cloud environments

Microsoft has observed the financially motivated threat actor Storm-0501 launching a sophisticated, multi-staged attack targeting hybrid cloud environments in the United States. The group exploited weak credentials and over-privileged accounts to perform lateral movement from on-premises to cloud environments. Their actions led to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. Storm-0501 targeted various sectors, including government, manufacturing, transportation, and law enforcement. The threat actor used commodity and open-source tools to conduct ransomware operations, mirroring tactics seen in previous attacks by groups like Octo Tempest and Manatee Tempest.

Suspected Chinese APT exploits GeoServer flaw to target Taiwan and APAC govts

Cybersecurity company Trend Micro said it uncovered a series of cyber intrusions attributed to Earth Baxia, a suspected China-based threat actor that has been targeting government organizations in Taiwan, as well as other countries across the Asia-Pacific (APAC) region, including the Philippines, South Korea, Vietnam, and Thailand.

The campaign exploits a recently patched critical vulnerability (CVE-2024-36401) in OSGeo's GeoServer GeoTools software. CVE-2024-36401 is a remote code execution vulnerability that allows attackers to download or copy malicious components to compromised systems.

Apache HugeGraph-Server, Ivanti bugs exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) added a number of high-severity flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the vulnerabilities are being exploited in the wild.

The bugs are CVE-2024-27348, an Apache HugeGraph-Server RCE vulnerability, and CVE-2024-8963, a path traversal issue in Ivanti CSA that allows remote, unauthenticated attackers to bypass administrative controls and access restricted functionality. Attackers are chaining CVE-2024-8963 with another vulnerability, CVE-2024-8190, a command injection bug, to gain elevated access.

Another Ivanti bug exploited in the wild is CVE-2024-7593, a high-risk authentication bypass vulnerability in Ivanti Virtual Traffic Manager that allows a remote attacker to compromise the target system. The issue stems from an incorrect implementation of the authentication algorithm and lets a remote attacker bypass authentication on the admin panel. Virtual Traffic Manager versions 22.2 - 22.7R1 are said to be impacted.

DCRat targets users with HTML Smuggling

Netskope researchers have shared a technical analysis of a new DCRat (Dark Crystal RAT) campaign targeting Russian-speaking users. DCRat has been available as malware-as-a-service (MaaS) since 2018. Written in C#, it has typical RAT functions, such as executing commands, stealing credentials, logging keystrokes, and exfiltrating files. Historically, DCRat has been delivered via compromised websites, password-protected archives, and phishing emails with malicious attachments. The most recent campaign employs HTML smuggling, a novel delivery technique for this malware. HTML smuggling embeds or retrieves the payload through obfuscated HTML and reassembles it in the browser, so the file never crosses the network as a file and evades gateway-level security controls.
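HTML smuggling of the kind described above leaves a recognisable footprint in the page source, because the browser has to decode the payload, wrap it in a Blob and trigger a download. The scanner below is an added example for defenders, not Netskope's tooling or code from the DCRat campaign; the indicator names, the three-stage model and both HTML samples are constructed here.

```python
import re

# Indicators of HTML smuggling tradecraft (publicly documented): an encoded
# payload string is reassembled in the browser with the Blob API and handed
# to the user as a "download", so no file crosses the proxy or mail gateway.
INDICATORS = {
    "blob_ctor":        re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url":       re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob":     re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "base64_decode":    re.compile(r"\batob\s*\(", re.I),
    "download_attr":    re.compile(r"\.download\s*=|\sdownload\s*=\s*['\"]", re.I),
    "synthetic_click":  re.compile(r"\.click\s*\(\s*\)", re.I),
    "long_b64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# Stages a smuggling page has to complete; one hit per stage suffices, so the
# rule does not depend on which API the author picked within a stage.
STAGES = {
    "assemble": {"blob_ctor", "ms_save_blob"},
    "deliver":  {"object_url", "download_attr", "ms_save_blob"},
    "payload":  {"base64_decode", "long_b64_literal"},
}

def scan_html(html: str) -> dict:
    """Return the matched indicators, the stages they cover and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    stages_hit = {stage for stage, names in STAGES.items() if names & set(hits)}
    if stages_hit == set(STAGES):
        verdict = "likely_html_smuggling"
    elif {"assemble", "deliver"} <= stages_hit:
        # Blob-to-download with no visible payload: it may be fetched at run
        # time or split across strings, so flag for review rather than block.
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "stages": sorted(stages_hit)}

# Constructed samples, not taken from any real campaign. The "payload" is a
# dummy run of 'A' characters standing in for an encoded archive.
BENIGN_HTML = """<html><body><a href="/docs/report.pdf" download="report.pdf">Report</a>
<script>document.getElementById('x').addEventListener('click', () => console.log('hi'));</script>
</body></html>"""

SMUGGLING_HTML = """<html><body><script>
var d = '""" + "A" * 240 + """';
var b = new Blob([Uint8Array.from(atob(d), c => c.charCodeAt(0))], {type: 'application/octet-stream'});
var a = document.createElement('a'); a.href = URL.createObjectURL(b);
a.download = 'invoice.zip'; document.body.appendChild(a); a.click();
</script></body></html>"""
```

A plain `download` attribute on its own is scored benign, which keeps ordinary file links from tripping the rule; obfuscated scripts that split API names across strings need a JavaScript-aware scanner rather than regexes.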

British police arrest a suspect linked to the recent UK railway hack

A man has been arrested in connection with a hack that displayed Islamophobic messages to passengers attempting to connect to public Wi-Fi at UK railway stations. The British Transport Police (BTP) reported that the suspect is an employee of Global Reach Technology, a company providing Wi-Fi services to Network Rail. He is accused of abusing his access to Network Rail's Wi-Fi systems. The arrest was made on suspicion of offences under the Computer Misuse Act 1990 and the Malicious Communications Act 1988.

Ukrainian police take down a phishing gang that stole over $240,000 from victims

A criminal group in Odesa, Ukraine, is set to face trial for stealing over one million hryvnias (~$243,000) using phishing schemes. Between July and November 2023, the group created a phishing website mimicking a popular online marketplace in Ukraine. They posed as buyers and tricked sellers into providing personal and banking information by offering free delivery through a fraudulent website. Using the stolen data, they accessed victims' bank accounts and pilfered funds. The police identified 21 victims and, during searches in Odesa and Kyiv, seized computers, phones, SIM cards, bank cards, and cash tied to the scheme.
