Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12821

Checks for new stories every ~15 minutes

2024-12-03 17:21:26 bleepingcomputer CYBERCRIME Germany Shuts Down Major Online Crime Marketplace, Arrests Admin
German authorities dismantled "Crimenetwork," the largest online criminal marketplace in Germany, and arrested its administrator. The crackdown involved the Public Prosecutor's Office in Frankfurt, the Central Office for Combating Cybercrime, and the Federal Criminal Police Office. Crimenetwork had been active since 2012, with over 100 registered sellers and 100,000 users primarily from German-speaking countries. The platform facilitated illegal activities including the sale of drugs, stolen data, forged documents, and other criminal services, with payments made in Bitcoin and Monero. Transactions from 2018 to 2024 on Crimenetwork amounted to approximately €93 million ($98 million), with the site earning at least $5 million from these transactions. The arrested administrator, known as "Techmin," allegedly managed the site's technical operations for several years and is now facing multiple charges. German authorities secured extensive user and transaction data, suggesting potential future arrests as investigations continue. This seizure is part of a series of recent actions by German officials targeting cybercrime infrastructure, including cryptocurrency services and DDoS review platforms.
2024-12-03 16:05:33 bleepingcomputer DATA BREACH FTC Imposes Ban on Data Brokers Selling Sensitive Location Info
The FTC has banned data brokers Mobilewalla and Gravy Analytics from selling Americans' sensitive location data, meaning location records that reveal visits to places such as churches, healthcare facilities, military installations, and schools. These companies, including Venntel, a Gravy Analytics subsidiary, offered products that let customers track and identify individuals from historical location data. Mobilewalla alone amassed over 2 billion unique advertising identifiers within a 2.5-year span and retained data from millions of devices. The FTC's proposed settlement also bars Mobilewalla from collecting consumer data through online ad auctions unless it is actually bidding in those auctions. Both companies must delete all stored historical location data and any products built from it. The enforcement action follows similar FTC actions against other data brokers, including Kochava, InMarket Media, and Outlogic, over comparable misuse of location data.
2024-12-03 15:29:57 bleepingcomputer CYBERCRIME International Police Operation Shuts Down Encrypted Crime Network
An international police operation, "Operation Passionflower," dismantled MATRIX, an encrypted chat service used by criminals. Police from France, the Netherlands, Italy, Lithuania, Spain, and Germany took part, coordinated by Europol and Eurojust. Investigators found the service on the phone of a suspect in the 2021 murder of journalist Peter R. de Vries and went on to intercept more than 2.3 million messages in 33 languages. The service, not to be confused with the legitimate open-source Matrix messaging protocol, was sold on dedicated devices costing between $1,350 and $1,700 and offered encrypted video calls and anonymous internet browsing. In raids across several countries, law enforcement seized 40 servers, arrested five suspects, and confiscated 970 encrypted phones, around €145,000 in cash, €500,000 in cryptocurrency, and four vehicles. The takedown is the latest sign of international law enforcement's growing ability to infiltrate and dismantle encrypted criminal communication networks. Dutch authorities are offering MATRIX users who were not involved in illegal activity a way to exclude themselves from the ongoing investigations.
2024-12-03 12:53:23 thehackernews CYBERCRIME Cisco Alerts on Active Exploitation of Old WebVPN Flaw
Cisco has updated its advisory for CVE-2014-2120, a ten-year-old vulnerability in the WebVPN login page of its Adaptive Security Appliance (ASA) software, to warn that it is being exploited in the wild. The flaw stems from insufficient input validation on the login page and allows cross-site scripting (XSS): an unauthenticated, remote attacker who persuades a user to open a crafted link can run attacker-controlled script in that user's browser in the context of the VPN portal. Recent exploitation attempts have been attributed to the AndroxGh0st threat actors and linked to the spread of the Mozi botnet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2014-2120 to its Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to remediate it by December 3, 2024. Cisco strongly recommends that ASA customers upgrade to a fixed software release.
2024-12-03 11:47:32 theregister NATION STATE ACTIVITY UK Faces Escalating Cyber Threats; NCSC Urges Enhanced Resilience
The UK's National Cyber Security Centre (NCSC) has identified a threefold increase in national cyber emergencies over the past year, with 12 incidents reaching maximum severity. Overall, 430 cybersecurity incidents required NCSC's Incident Management team's intervention from September 2023 to August 2024, marking a 16% year-over-year increase. Among these, 89 were classified as nationally significant, including six that exploited two significant zero-day vulnerabilities in Palo Alto and Cisco systems. The report detailed a significant prevalence of ransomware attacks, accounting for 317 out of 347 incidents involving data exfiltration and extortion. NCSC's new CEO, Richard Horne, emphasized the growing gap between the cyber threats and the UK's current defense capabilities, announcing a need for accelerated improvements in national cybersecurity resilience. The annual review highlighted an increased focus on China as a major cyber threat, alongside ongoing concerns about Russian cyber activities intensifying in the context of geopolitical tensions. NCSC continues to advocate for widespread adoption of their cybersecurity frameworks and certifications to strengthen defenses, amidst a rapid increase in complex and volumetric cyberattacks.
2024-12-03 10:21:35 thehackernews MALWARE NachoVPN Exploits Reveal Critical Flaws in Top VPN Services
Researchers at AmberWolf disclosed flaws in the Palo Alto Networks GlobalProtect and SonicWall NetExtender VPN clients that allow remote code execution. An attacker who gets a client to connect to a rogue VPN server can push malicious configuration and updates to Windows and macOS endpoints. The researchers released NachoVPN, an open-source proof-of-concept rogue VPN server, to demonstrate how these weaknesses can be chained to gain elevated access: installing a malicious root certificate, delivering counterfeit updates signed with a stolen certificate, steering the GlobalProtect app to leak VPN credentials, and executing code with SYSTEM privileges through the NetExtender client. Users are urged to install the latest client patches. Separately, researchers at Bishop Fox published an analysis of SonicWall firewall firmware aimed at improving vulnerability research and assessing the current security posture of those devices.
2024-12-03 09:56:07 thehackernews CYBERCRIME North Korean Hackers Phish with Russian Emails for Data Theft
The North Korean hacker group Kimsuky has been sending phishing emails from Russian email addresses to steal credentials. Its campaigns initially used email services in Japan and Korea; from mid-September onwards they switched to Russian domains such as mail.ru and inbox.ru. The emails impersonate financial institutions and internet portals, such as Naver's MYBOX cloud storage, and create urgency by claiming that malicious files have been found in the recipient's account and need immediate action. The messages are sent through compromised email servers, such as one belonging to Evangelia University, using a PHP-based mailer, so they appear to come from legitimate, trusted senders and pass through filters that would block mail from unknown infrastructure. Genians assessed that the goal is credential theft, which enables account hijacking and follow-on attacks. US agencies previously warned that Kimsuky abuses domains with improperly configured DMARC policies, which lets spoofed messages be delivered, to conceal its phishing attempts.
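The DMARC weakness mentioned above is worth being able to check for your own domains. The following is an added example, not code from the original article or from Genians: a small parser and grader for DMARC TXT records that flags the configurations attackers rely on (p=none, partial pct, a missing p tag, no reporting address). The sample records are constructed, and no live DNS lookup is performed; the record for a real domain lives at the name returned by dmarc_query_name and can be resolved with any DNS library.

```python
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def dmarc_query_name(domain: str) -> str:
    """DMARC policy is published as a TXT record at _dmarc.<domain>.
    Resolve it with e.g. dnspython: dns.resolver.resolve(name, "TXT")."""
    return f"_dmarc.{domain.strip('.').lower()}"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Tag names are case-insensitive;
    values keep their case (rua= URIs, for instance)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return a list of weaknesses; an empty list means the record is enforcing."""
    if not record:
        return ["no DMARC record: receivers apply no DMARC policy to spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1: receivers ignore it"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 6.6.3: with rua= present receivers fall back to p=none,
        # otherwise they skip DMARC processing entirely.
        findings.append("missing or invalid p= tag: treated as p=none at best")
    elif policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    pct = tags.get("pct")
    if pct is not None and (not pct.isdigit() or int(pct) < 100):
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains can be spoofed despite the enforcing org policy")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so abuse goes unnoticed")
    return findings


def is_enforcing(record: Optional[str]) -> bool:
    """True only when receivers will quarantine or reject all failing mail."""
    if not record:
        return False
    tags = parse_dmarc(record)
    pct = tags.get("pct", "100")
    return (tags.get("v", "").upper() == "DMARC1"
            and tags.get("p", "").lower() in ("quarantine", "reject")
            and pct.isdigit() and int(pct) >= 100)


# Constructed sample records (hypothetical domains, not real lookups).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "strong.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",
    "absent.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict = "enforcing" if is_enforcing(record) else "WEAK"
        print(f"{dmarc_query_name(domain)}: {verdict}")
        for finding in assess_dmarc(record):
            print(f"  - {finding}")
```

A domain is only protected against the impersonation described above when p is quarantine or reject, pct is 100 (the default when omitted), and SPF or DKIM alignment is actually configured for the senders; the grader checks the record, not the alignment.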
2024-12-03 07:34:39 theregister CYBERCRIME Russian Court Sentences Hydra Dark Web Leader to Life in Prison
Stanislav Moiseev, the leader of the Hydra online drugs marketplace, has received a life sentence from a Russian court, along with a fine of four million rubles. Fifteen co-conspirators were sentenced to between eight and 23 years and faced collective fines totaling 16 million rubles. The guilty verdicts handed down by the Moscow Regional Court were for charges related to the production and sale of psychotropic drugs and substances. Evidence leading to their prosecution included nearly a ton of seized drugs during raids in Russia and Belarus, alongside valuable assets like cars and houses. Hydra, operational since 2015 and primarily used as a drug market, was taken down in 2022 by international police after seizing its servers. According to prosecutors, Hydra processed transactions worth approximately one billion rubles ($9,300,000) annually. Aside from the major sentences, it emerged that Hydra members also encouraged internet users to commit terrorist acts for monetary rewards, targeting Russian state power. Dmitry Olegovich Pavlov, identified as Hydra’s IT admin by US authorities, was notably absent from the sentencing but has been in custody since 2022.
2024-12-03 05:28:21 thehackernews MALWARE Horns&Hooves Campaign Utilizes JavaScript to Deliver RATs
A malware campaign tracked as Horns&Hooves has been targeting individuals and businesses, primarily in Russia, since March 2023, infecting more than 1,000 victims with NetSupport RAT and BurnsRAT. The lure emails impersonate legitimate businesses and carry ZIP archives, disguised as requests or bids, that contain JScript scripts. The attackers have revised the script repeatedly, at one point padding it with code from legitimate JavaScript libraries so that it looks benign, and observed versions download and execute further components using built-in Windows tools. Once a RAT is installed, the operators deploy additional stealers such as Rhadamanthys and Meduza to deepen their access. The campaign is attributed to TA569, an access broker linked to other major malware deployments and, potentially, ransomware operations. The outcome of an infection therefore ranges from data theft to operational disruption and possible ransomware deployment, depending on how the compromised systems are subsequently exploited.
2024-12-03 03:01:53 theregister DATA BREACH Massive Data Breach Impacts Global Firms Due to MOVEit Vulnerability
Hundreds of thousands of employee records from major corporations including Xerox, Nokia, Koch, Bank of America, and Morgan Stanley have been leaked online. The records trace back to the 2023 mass exploitation of Progress Software's MOVEit Transfer by the Russia-linked Cl0p ransomware group. An actor calling themselves "Nam3L3ss" has begun publishing the stolen data company by company, with per-company record counts given for each firm; in total more than 760,000 records have been exposed. The leaked data includes names, phone numbers, email addresses, job titles, and in some cases employee badge details. Atlas Privacy, a firm specializing in data breach response, confirmed the data is authentic and warned that it is well suited to social engineering attacks against the affected companies. None of the affected companies had commented publicly as of the latest updates.
2024-12-03 01:35:57 theregister MISCELLANEOUS AWS Launches Expensive Cloud Security Incident Response Service
AWS has introduced a cloud security incident response service with a minimum price of $7,000 per month. Announced at AWS's re:Invent conference, the service combines automation with human expertise to protect AWS accounts. It analyzes findings from Amazon GuardDuty and third-party threat intelligence through AWS Security Hub, and uses AI and machine learning to single out the critical incidents that need immediate action. A centralized console is used to configure alerts, share data with AWS, and coordinate remediation. Customers get 24/7 access to the AWS Customer Incident Response Team (CIRT) during an intrusion, along with self-service investigation tools. The service is currently available in 12 AWS regions across the US, Asia Pacific, Canada, and Europe. Its pricing, which scales with the customer's AWS spend, has drawn criticism from users and industry observers.
2024-12-02 21:11:58 bleepingcomputer DDOS South Korean CEO Arrested for Embedding DDoS in Satellite Receivers
South Korean authorities arrested a CEO and five employees of a company that manufactured satellite receivers with built-in DDoS attack capability. At the request of a buyer, dating back to November 2018, the company shipped about 240,000 receivers between January 2019 and September 2024; 98,000 of them left the factory with the DDoS module pre-installed, and the rest received it later through firmware updates. The receivers enrolled their purchasers' devices in DDoS attacks without their knowledge, and affected users may have noticed degraded device performance. The scheme went undetected until intelligence from Interpol in July prompted a local investigation. The operators of the buying company are still at large, and international efforts to capture and prosecute them are ongoing. Korean law enforcement has seized 61 billion KRW in assets from the manufacturer as part of its wider crackdown on cyber-enabled crime.
2024-12-02 19:40:55 bleepingcomputer CYBERCRIME Russia Imprisons Hydra Dark Web Market Leaders for Life
Russian authorities have sentenced Stanislav Moiseyev, the leader of Hydra Market, to life imprisonment along with a 4 million ruble fine. Hydra Market, a dark web platform, was involved in significant drug trafficking and money laundering, reporting $1.35 billion in turnover in 2020. Alongside Moiseyev, over a dozen accomplices received varying prison terms ranging from 8 to 23 years, with total fines amounting to 16 million rubles. Law enforcement seized nearly a ton of narcotics and dismantled drug production labs across Russia and Belarus, utilized by the criminal group. The darknet platform was dismantled in April 2022 when German and U.S. authorities seized its servers and 543 bitcoins valued over $51 million. U.S. OFAC has also sanctioned Hydra Market and identified over 100 cryptocurrency addresses used in Hydra's illicit transactions. This action is part of a broader crackdown on Russian dark web operations, including arrests related to ransomware and malware affiliations.
2024-12-02 18:09:54 bleepingcomputer MALWARE BootKitty Exploits Linux Systems Using LogoFAIL UEFI Flaw
The new 'Bootkitty' Linux UEFI bootkit, first reported by ESET, exploits the LogoFAIL firmware vulnerability tracked as CVE-2023-40238 on devices running affected firmware, according to firmware security firm Binarly. LogoFAIL lets a specially crafted image file placed in the EFI System Partition execute code during boot, before the operating system loads, and so bypass Secure Boot. Bootkitty, which appears to be still under development and targets specific Ubuntu versions, is not yet a widespread threat. It hides shellcode in BMP logo files that injects a rogue certificate into the Machine Owner Key list (MokList), so that its own bootloader passes Secure Boot verification. Bootkitty currently affects certain Lenovo, Acer, HP, and Fujitsu devices with compatible firmware, with Lenovo models most exposed. Binarly stresses that the risk persists because many devices remain unpatched against LogoFAIL more than a year after its disclosure. Recommended mitigations include limiting physical access to devices, enabling Secure Boot, setting a UEFI/BIOS password, disabling boot from external media, and installing firmware updates only from official OEM sources.
2024-12-02 17:29:19 bleepingcomputer CYBERCRIME Novel Phishing Tactic Uses Corrupted Word Documents to Bypass Security
A new phishing campaign sends deliberately corrupted Word documents as email attachments and relies on Microsoft Word's file recovery feature to open them. The emails pose as messages from payroll or human resources departments about employee benefits and bonuses. The attachments are damaged just enough that Word offers to repair them; once recovered, the document asks the recipient to scan a QR code, which leads to a phishing site imitating a Microsoft login page and steals the user's credentials. Because the files are corrupt, most security software fails to parse them and therefore never inspects their content; samples uploaded to VirusTotal were flagged by almost no antivirus engines. The usual advice applies: treat attachments from unknown senders with suspicion, and verify unexpected HR or payroll messages with your network administrators before acting on them.
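The evasion described above comes down to a parsing mismatch: a strict zip reader rejects the file, while Word's repair logic salvages the document parts it can still find. The following is an added example, not code from the original article: it builds a minimal constructed .docx in memory, corrupts it in one assumed way (dropping the central directory and end-of-central-directory record, so every local file entry is still present), shows that Python's strict zipfile parser rejects it, and then recovers the document body by walking the local file headers the way a repair routine would. The combination "looks like a docx, fails strict parsing, but is recoverable" is the signal a mail gateway can use to send such attachments for closer inspection instead of passing them through unscanned.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"  # signature + 26 bytes of fixed fields
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30
DOCUMENT_PART = "word/document.xml"


def build_sample_docx(body_text: str) -> bytes:
    """Constructed sample: the two parts Word needs to treat a zip as a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   f'<Override PartName="/{DOCUMENT_PART}" ContentType="application/vnd.'
                   'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
        z.writestr(DOCUMENT_PART,
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   f'<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>')
    return buf.getvalue()


def strip_central_directory(data: bytes) -> bytes:
    """Assumed corruption: cut the file at the central directory offset recorded in the
    end-of-central-directory record, so the central directory and EOCD vanish but every
    local file entry (header + compressed data) stays intact."""
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack("<I", data[eocd + 16:eocd + 20])[0]
    return data[:cd_offset]


def strict_zip_ok(data: bytes) -> bool:
    """What most scanners do: trust the central directory, give up if it is missing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def salvage_entries(data: bytes) -> dict:
    """Recovery scan: walk local file headers, ignoring the central directory entirely.
    Returns {name: content} for entries whose size and CRC check out."""
    entries = {}
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + LOCAL_HEADER_LEN <= len(data):
        (_sig, _ver, flags, method, _time, _date, crc, csize, usize,
         name_len, extra_len) = struct.unpack(LOCAL_HEADER_FMT, data[pos:pos + LOCAL_HEADER_LEN])
        name = data[pos + LOCAL_HEADER_LEN:pos + LOCAL_HEADER_LEN + name_len].decode("utf-8", "replace")
        start = pos + LOCAL_HEADER_LEN + name_len + extra_len
        content = None
        if not flags & 0x08:  # entries with a data descriptor carry no sizes here; skip them
            raw = data[start:start + csize]
            try:
                if method == 0:
                    content = raw
                elif method == 8:
                    content = zlib.decompress(raw, -15)  # raw deflate, no zlib header
            except zlib.error:
                content = None
        if content is not None and len(content) == usize and zlib.crc32(content) == crc:
            entries[name] = content
        pos = data.find(LOCAL_HEADER_SIG, start + csize)
    return entries


def triage_attachment(data: bytes) -> dict:
    """Flag files that a strict parser rejects but Word could still repair."""
    looks_like_docx = data.startswith(LOCAL_HEADER_SIG) and DOCUMENT_PART.encode() in data
    parses = strict_zip_ok(data)
    salvaged = salvage_entries(data) if looks_like_docx and not parses else {}
    recoverable = DOCUMENT_PART in salvaged
    return {
        "looks_like_docx": looks_like_docx,
        "strict_parse_ok": parses,
        "recoverable": recoverable,
        "suspicious": looks_like_docx and not parses and recoverable,
    }


if __name__ == "__main__":
    good = build_sample_docx("Scan the QR code to view your bonus")
    bad = strip_central_directory(good)
    print("intact:   ", triage_attachment(good))
    print("corrupted:", triage_attachment(bad))
    print(salvage_entries(bad)[DOCUMENT_PART].decode())
```

The triage step deliberately does the recovery itself rather than trusting the verdict of a parser that bailed out: a sandbox or static scanner that only ever sees "not a zip" has no content to match against, which is exactly the gap this campaign exploits. Real repair logic in Word handles more damage patterns than the single one assumed here, so treat this as the shape of the check, not an exhaustive detector.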