Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11638

Checks for new stories every ~15 minutes

2023-10-20 09:07:59 thehackernews CYBERCRIME New Information Stealer ExelaStealer Emerges As Low-Cost Cybercrime Tool
A new information stealer named ExelaStealer is the latest entrant in the malware landscape, designed to capture sensitive data from compromised Windows systems. ExelaStealer is an open-source infostealer with paid customizations available. It has capabilities to siphon passwords, Discord tokens, credit cards, cookies and session data, keystrokes, screenshots, and clipboard content. The malware is offered for sale via cybercrime forums and a dedicated Telegram channel. It costs $20 a month, $45 for three months, or $120 for a lifetime license, making it an affordable tool for entry-level hackers. The malware is currently only compiled and packaged on a Windows-based system using a builder Python script. Evidence suggests that it is being distributed via an executable that masquerades as a PDF document. Against the backdrop of rising cybercrime, U.S. cybersecurity and intelligence agencies recently released a joint advisory outlining the phishing techniques used by malicious actors to obtain login credentials and deploy malware.
2023-10-20 05:17:34 thehackernews NATION STATE ACTIVITY US Seizes North Korean IT Scammers' Domains Linked to Global Defrauding Scheme
The US Department of Justice (DoJ) has announced the seizure of 17 website domains used by North Korean IT workers in a scheme to defraud international businesses, evade sanctions, and fund North Korea's missile program. The DoJ reported that around $1.5 million revenue was confiscated from the scammers between October 2022 and January 2023. According to court documents, these dispatched workers live primarily in China and Russia and deceive foreign companies, including those in the US, into hiring them using fake identities—generating illicit revenues of millions of dollars per year. Authorities have consistently warned about North Korea's reliance on highly-skilled IT workers, who use aliases and front companies to secure jobs in tech and virtual currency sectors. A significant portion of their wages goes back to the sanctioned North Korean state. The seized website domains were falsely presented as legitimate, US-based IT firms. In reality, the accused were working for China-based Yanbian Silverstar Network Technology and Russia-based Volasys Silver Star—both previously sanctioned by the Department of the Treasury. The FBI issued an advisory revealing how these IT workers cheated during coding tests and threatened to release proprietary source codes if not paid adequately. Authorities urged businesses to be cautious when hiring and granting access to their IT systems.
2023-10-20 01:12:41 bleepingcomputer CYBERCRIME Over 40,000 Cisco IOS XE Devices Compromised by Zero-Day Exploit
Over 40,000 Cisco devices operating on the IOS XE system have been compromised due to a recently discovered severe vulnerability called CVE-2023-20198. There is currently no patch or workaround for this issue, and Cisco has recommended disabling the HTTP Server feature on all internet-facing systems. Initial estimates of affected devices were at approximately 10,000, with figures growing as further internet scans were conducted. Research teams have located thousands of infected hosts across the United States, the Philippines, and Chile. The compromised devices were found primarily in telecommunication providers such as Comcast, Verizon, Cox Communications, Frontier, AT&T, and Spirit, along with various medical centers, universities, sheriff’s offices, school districts, convenience stores, banks, hospitals, and government entities. A malicious implant used in the attacks does not persist after device reboot, but maintains active high-privilege accounts providing full administrator access to the device. Cisco is actively investigating the issue and will offer additional details and a possible fix in due course.
2023-10-19 22:44:52 bleepingcomputer CYBERCRIME Operator of Cybercrime Marketplace E-Root Extradited to U.S., Faces 20-Year Sentence
Sandu Diaconu, operator of the E-Root marketplace, has been extradited to the U.S. and is facing a maximum imprisonment sentence of 20 years for selling access to hacked computers. Diaconu was arrested in the U.K. in May 2021 as he attempted to leave the country after authorities had seized E-Root's domains in late 2020. The charges include wire fraud, money laundering, computer fraud, and access device fraud. Along with imprisonment, U.S. law enforcement authorities are suing for the forfeiture of Diaconu's criminal proceeds; the exact amount is yet to be determined. E-Root market was an illegal online marketplace selling access to over 350,000 breached computers worldwide in exchange for cryptocurrency; it was structured for resilience and identity protection of its users. The marketplace also operated a cryptocurrency exchange service, converting between Bitcoin and Perfect Money. Evidence obtained during the investigation linked access purchased from E-Root to numerous cybercrimes, including ransomware attacks and identity tax fraud schemes. Diaconu has not pleaded guilty to the charges and is presumed innocent until proven guilty.
2023-10-19 21:43:35 bleepingcomputer MALWARE BlackCat Ransomware Incorporates Munchkin Linux VM for Stealthier Attacks
The BlackCat ransomware (also known as ALPHV) has begun to use a new tool dubbed "Munchkin", which leverages virtual machines to deploy encryptors on network devices in a stealthy manner. Cybersecurity firm Palo Alto Networks' Unit 42 discovered that Munchkin is a customized Alpine OS Linux distribution delivered as an ISO file and run via the VirtualBox software on compromised devices. Munchkin contains scripts and utilities that facilitate network spreading, password dumping, and the execution of the BlackCat 'Sphynx' payload and programs on network computers. It can change the root password, known only to the attackers, execute a malware binary called 'controller', and start loading attack scripts. Munchkin provides an attractive proposition for cybercriminals intending to affiliate with ransomware-as-a-service (RaaS) schemes due to its stealth and its ability to bypass security solutions. The usage of virtual machines helps to maintain a low digital footprint and isolate activities from the host operating system, posing challenges for detection and analysis by security software. The ransomware affiliates are cautioned to erase Munchkin virtual machines and ISOs to prevent the leakage of access tokens. BlackCat, which surfaced in late 2021 as a sophisticated ransomware operation, has introduced advanced functionalities like intermittent encryption, a data leak API, and upgrades to its data exfiltration tool, affecting numerous high-profile victims.
2023-10-19 20:22:05 bleepingcomputer DATA BREACH Microsoft Extends Purview Audit Log Retention Following Major Security Breach
The Storm-0558 hacking group, linked to China, breached several Microsoft Exchange and Microsoft 365 corporate and government accounts in July 2021, leading Microsoft to extend the retention of Purview Audit logs. Affected organizations included multiple government departments in the U.S. and Western Europe, leading to the theft of 60,000 emails from officials in East Asia, the Pacific, and Europe. The hackers exploited a consumer signing key acquired from a compromised Microsoft engineer's account to gain unauthorized access to Exchange Online and Azure Active Directory accounts. In response to the breaches, Microsoft is rolling out an extension of default retention to 180 days (up from 90 days) for logs generated by Standard licensed Audit customers, aiming to minimize risk by providing increased access to historical audit data. Microsoft has also expanded access to cloud logging data free of charge following pressure from the Cybersecurity and Infrastructure Security Agency (CISA), to aid network defenders in identifying similar attacks in the future. From December 2023, Standard licensed Purview Audit customers will also have access to additional logs for various applications previously only available to Premium accounts. The revised logging data policy will assist in more effectively detecting and responding to cybersecurity threats and breach incidents.
2023-10-19 19:51:11 theregister DATA BREACH Casio Suffers Major Data Breach, Impacting Customers in 149 Countries
Japanese electronics giant Casio announced that its ClassPad server was breached, exposing personal information of customers in 149 countries. The breach was discovered on October 11th when an employee identified a database failure while working in the development environment. An estimated 91,921 items belonging to Japanese customers and 35,049 items belonging to customers in 148 other countries were accessed by the intruders. Data included names, email addresses, country of residence, order details, payment methods, and service usage information. Casio clarified that its system does not store customer credit card information, therefore this was not accessible during the breach. The company is currently working with third-party security firms and has reported the incident to relevant authorities including Japan's Personal Information Protection Commission and the PrivacyMark certification organization. Immediate corrective measures have been undertaken with external access to all databases in the development environment being blocked. Casio has pledged to update its count if more customers are found to have been impacted by the breach, and will also reach out to all potentially affected customers.
2023-10-19 18:19:00 bleepingcomputer MALWARE Google Ads Campaign Uses Fake KeePass Site and Punycode to Distribute Malware
A Google Ads campaign has been found pushing a fake KeePass download website that uses Punycode to appear as the official KeePass domain and distribute malware. Sponsored ads that appear above search results on Google can be manipulated by threat actors to show the legitimate domain for KeePass, making the threat hard to spot for even the most diligent and security-conscious users. The process involves a series of system-profiling redirections that filter out bot traffic and arrive at the fake KeePass website using a Punycode URL. Malwarebytes, which discovered this campaign, suggested that the use of Punycode in combination with Google Ads abuse is a new and disturbing trend in cybercrime. On the fake site, users who click on download links receive a digitally-signed MSI installer that includes a PowerShell script linked with the FakeBat malware loader. While Google removed the initial Punycode advertisement found by Malwarebytes, further ads in the same malware campaign are evident. The final malware payload delivered in the campaign is currently unknown, but previous connections have been made with infostealers like Redline, Ursnif, and Rhadamanthys. BleepingComputer identified impersonations of other popular software in this malware campaign, including WinSCP and PyCharm Professional.
2023-10-19 17:27:30 bleepingcomputer CYBERCRIME India's CBI Launches Nationwide Crackdown on Tech Support and Cryptocurrency Scams
India's Central Bureau of Investigation (CBI) conducted raids on 76 locations, aiming to crack down on the operations behind tech support scams and cryptocurrency fraud. This campaign is part of a worldwide cooperative effort named Operation Chakra-II that involved international law enforcement agencies and tech giants like Microsoft and Amazon. CBI confiscated multiple electronic devices, including mobile phones, laptops and SIM cards, and froze numerous bank accounts linked with the fraudulent operations. Emails connected to 15 accounts were seized, providing valuable insights into the scam operations. Two tech support scam ring operations were discovered as an outcome of Operation Chakra-II. These illegal operations had been impersonating customer support agents from Microsoft and Amazon for nearly five years, primarily scamming customers from the U.S., Canada, Germany, Australia, Spain, and the U.K. The fraud rings used numerous international payment channels to facilitate the transfer of funds illegally obtained from foreign victims. FBI reports place tech support scams among the top five reported crime types from 2018 through 2022, causing over $800 million in losses to more than 32,000 victims in the U.S. in the past year. A cryptocurrency fraud operation connected with a sham crypto-mining operation was also discovered during Operation Chakra-II. This scam targeted Indian nationals and led to losses of approximately $12 million. The CBI plans to share details about identified victims, shell companies, money mules and proceeds of crime with the international law enforcement agencies to comprehensively dismantle these cybercrime networks. The collaborative efforts with law enforcement agencies in fighting Tech Support Fraud have so far resulted in over 30 call center raids and more than 100 arrests, according to Amy Hogan-Burney, the General Manager of Microsoft's Digital Crimes Unit.
2023-10-19 16:41:12 bleepingcomputer NATION STATE ACTIVITY MuddyWater Hackers Linked to Iran Breach Middle Eastern Government Network for 8 months
Iranian hacker group MuddyWater (also known as APT34 or OilRig), reportedly connected to Iran's Ministry of Intelligence and Security (MOIS), breached at least 12 computers within a Middle Eastern government network and retained access for eight months, from February to September 2023. The attackers were able to steal passwords and data, and installed the PowerExchange PowerShell backdoor, which they controlled via Microsoft Exchange. Symantec, a part of Broadcom, documented the attacks: the initial introduction of a PowerShell script occurred in early February, followed by compromises of more machines in the network using a masqueraded version of Plink for RDP access. The main phase of the attack began in June, when the hackers deployed multiple malicious tools including Mimikatz for credential scraping and TrojanDirps for gathering information. By August, the hackers performed Nessus scans for Log4j vulnerabilities, and by September more machines were compromised and Wireshark commands were executed to capture network and USB traffic packets. According to Symantec, the hackers were not only active on 12 computers in the victim's network but had also deployed backdoors and keyloggers on dozens more, demonstrating broad-spectrum capabilities across reconnaissance, lateral movement, and data exfiltration or harvesting. Despite MuddyWater experiencing a major setback in 2019, when its toolset was leaked, the sustained and extensive attacks suggest that the group is as active as ever.
2023-10-19 16:35:45 theregister NATION STATE ACTIVITY International Law Enforcement Agencies Take Down RagnarLocker Ransomware Group
Law enforcement agencies, including Europol, the FBI, and Germany's BKA, took control of the RagnarLocker ransomware group's leak site in a synchronised global takedown. This follows dedicated efforts by these agencies in recent years to shut down ransomware groups that have reached unprecedented success levels. RagnarLocker, notoriously averse to negotiations and known for bullying critical infrastructure organisations, is particularly notorious for discouraging victims from reaching out to local law enforcement. In January this year, the FBI was successful in targeting the Hive group, providing decryption keys to more than 300 victims and potentially saving an estimated $130 million in ransom fees. The specifics surrounding the latest crackdown on RagnarLocker are not available; Europol stated that it forms part of ongoing actions against this ransomware group, with further details anticipated. Founded in late 2019 or early 2020, the RagnarLocker group has predominantly targeted critical infrastructure, conducting operations in manufacturing, energy, finance, government, and IT. Despite previously being considered amongst the most dangerous ransomware groups, RagnarLocker saw reduced activity in 2023 and was excluded from Microsoft's latest Digital Defense Report.
2023-10-19 16:04:42 theregister DATA BREACH Biotech Firm 23andMe Faces Second Major Data Breach with 4.1 Million Records Leaked
A cybercriminal using the alias "Golem" has reportedly leaked 4.1 million records from 23andMe, primarily consisting of UK user profiles. This incident follows an earlier leak in October where Golem exposed 1 million records of individuals with Ashkenazi Jewish DNA markers. Many of the leaked records in this recent batch also reportedly contain more Ashkenazi DNA samples. While German users were also affected, the cybercriminal claimed that the batch only included one-third of users of German origin. Golem alleged that the breached data includes samples from hundreds of families, including prominent names like the Rothschilds and Rockefellers, which 23andMe has not confirmed. 23andMe believes the security breach occurred due to a credential stuffing attack. The accounts involved in the leak all opted into the DNA Relatives feature, a service by 23andMe that matches users sharing a portion of their DNA. Only some users had their accounts accessed directly, with others having their information exposed because it was shared with a DNA relative whose account was compromised. The data leak has led to a series of class action lawsuits against 23andMe, including five in California, where the company is based. The lawsuits allege 23andMe failed to adequately safeguard user data and detect unauthorized intrusions.
2023-10-19 14:42:49 bleepingcomputer CYBERCRIME International Law Enforcement Seizes Ragnar Locker Ransomware's Dark Web Sites
International law enforcement, including agencies from the US, Europe, Germany, France, Italy, Japan, Spain, the Netherlands, and Latvia, seized Tor negotiation and data leak sites run by the Ragnar Locker ransomware group. The seizure was confirmed by a Europol spokesperson, who stated that a press release would be provided to further document the action against the long-standing cyber criminal operation. Running since the end of 2019, Ragnar Locker is one of the longest-running ransomware operations and has targeted multiple high-profile entities. The group uses a double-extortion technique, breaching corporate networks, extracting data, and encrypting files. The stolen and encrypted data is then used as leverage to pressure victims into paying a ransom. Unlike the typical Ransomware-as-a-Service model, Ragnar Locker's operation is described as semi-private, not actively recruiting affiliates but working with outside pentesters to breach networks. The operation is also known for conducting pure data theft attacks, rather than deploying encryptors, using its data leak site to further extort its victims. Recent activities suggest that a new ransomware operation, DarkAngels, is using the Ragnar Locker ESXi encryptor in its attacks, although the connection between the two operations is yet to be confirmed.
2023-10-19 14:06:48 theregister CYBERCRIME Ex-Navy IT Manager Sentenced for Selling Personal Data on Dark Web
Former US Navy IT manager Marquis Hooper will serve a five and a half year prison sentence for illegally accessing and selling more than 9,000 personal records on the dark web. Hooper and his wife Natasha Chalk, a former Navy reservist, together generated about $160,000 in Bitcoin from the sale of the data. Hooper misrepresented himself to a company running a database, claiming he needed access for background checks. Once access was denied after suspicious activities, Hooper tried to open a new account, offering payment to a co-conspirator to do so under the guise of the Navy's need for background check information. Creating fake documents, Hooper tried to convince the company that the secondary account would be used legitimately; however, this was unsuccessful. Hooper faces much less than his maximum sentence, considering his lack of criminal history and willingness to take responsibility. His wife Natasha Chalk is due to be sentenced on November 20, facing the same maximum sentence as Hooper.
2023-10-19 13:50:47 thehackernews CYBERCRIME Sophisticated MATA Framework Targets Eastern European Oil and Gas Companies
An updated version of the backdoor framework called MATA has been used in cyber espionage operations against more than a dozen Eastern European oil and gas companies and defense firms from August 2022 to May 2023. The attackers used spear-phishing emails, with the targeted victims infected with Windows executable malware by downloading files through an internet browser. The cyberattacks involved the memory corruption vulnerability CVE-2021-26411 in Internet Explorer, previously exploited by the Lazarus Group in 2021. The revamped MATA framework, initially attributed to North Korean state-sponsored actors, was involved in a series of attacks across multiple sectors in countries including Poland, Germany, Turkey, Korea, Japan, and India since April 2018. The majority of the malicious Microsoft Word documents featured a Korean font, suggesting the attackers may be familiar with Korean or working in a Korean environment. Russian cybersecurity company Positive Technologies, referring to the operators as Dark River, noted that the MataDoor backdoor has a complex system of network transports and flexible communication options. The attackers used stealer malware to capture clipboard content, record keystrokes, take screenshots, and siphon passwords, along with a USB propagation module to infiltrate air-gapped networks. Kaspersky discovered a new MATA variant, labelled MATA generation 5, which uses a wide range of commands enabling it to proxy across various protocols in the victim's environment.