Cyber Threat Report | December 2024

December has been another active month in the world of cybersecurity, with cybercriminals deploying increasingly sophisticated tactics, while defenders and law enforcement ramp up their efforts to tackle these threats. 

In this report, we explore some of the most pressing cybercrime developments.

Cybercrime News:

  • A China-linked cyber attack compromised a U.S. organization’s data, exploiting a persistent access vulnerability in Exchange Servers.
  • The resurgence of the BadBox botnet, which now affects over 192,000 devices globally, including high-end smart TVs and smartphones.
  • A cyber attack that influenced Romania’s presidential election, revealing Russian interference through cyber attacks and social media manipulation.

Cybersecurity Justice News:

  • Europol’s dismantling of one of the largest illegal IPTV streaming networks, resulting in 11 arrests and the seizure of €250 million in damages.
  • The U.S. sanctioning a Chinese cybersecurity firm and one of its employees for exploiting a vulnerability to compromise thousands of firewalls, including those protecting U.S. critical infrastructure.
  • The United Nations General Assembly’s adoption of the Convention against Cybercrime, despite opposition, marking a significant step forward in global efforts to combat cybercrime.

These updates highlight critical actions taken in the fight against cybercrime and the ongoing evolution of international cybersecurity law.

Cybercrime Breaking News

Researchers from Symantec reported that a large U.S. organization with a significant presence in China was targeted in a cyber attack earlier this year, likely carried out by a China-based threat actor using tools previously associated with Chinese attackers. The attackers gained persistent access to the network, compromising multiple computers and harvesting emails from Exchange Servers while exfiltrating targeted data between April and August 2024.

According to a Microsoft and Lumen Technologies’ Black Lotus Labs report, Russian state-sponsored hackers, known as Secret Blizzard, hijacked the servers of the Pakistani cyber-espionage group Storm-0156 to target government, military, and defense organizations in India and Afghanistan over the past two years. The strategy, previously employed in other campaigns, enables the group to conduct espionage while complicating attribution and utilizing compromised infrastructure from other threat actors.

Romania’s constitutional court has annulled the first round of the country’s presidential election after declassified intelligence revealed Russian interference influenced the result, including a coordinated social media campaign and cyber attacks. The court’s decision, which struck down the surprising victory of a far-right candidate, means the entire electoral process will be repeated, raising concerns over foreign influence on democratic elections.

A new social engineering campaign has exploited Microsoft Teams to deploy DarkGate malware after an attacker impersonated a client and gained remote access to a victim’s system, ultimately delivering multiple malicious payloads. The campaign involved phishing emails, followed by the attacker instructing the victim to install AnyDesk for remote access, which was then used to execute DarkGate and other malicious scripts.

Germany’s cybersecurity agency disrupted a malware operation known as BadBox, which infected at least 30,000 internet-connected devices sold across the country, including digital photo frames and streaming devices. Despite efforts by authorities to block communication between infected devices and the hackers’ control servers, BadBox remains a significant threat, as evidenced by a recent surge in infections, with over 160,000 unique IPs registered in a 24-hour period. The BadBox botnet, which now affects over 192,000 Android-based devices globally, has expanded to compromise high-end smart TVs and smartphones, making detection challenging and enabling malicious activities like ad fraud and account abuse.

  • UK telecoms giant BT Group confirmed an attempted cyber attack on its conferencing platform after the Black Basta ransomware group claimed to have stolen corporate data, though the incident was quickly contained and did not affect other services.
  • Software organization Cleo has urged customers to immediately apply a new patch after researchers discovered that the previously patched vulnerability in its file-sharing products, Cleo Harmony, VLTrader, and LexiCom, was still being exploited by cybercriminals.
  • Juniper Networks has warned that their Session Smart Routers are vulnerable to Mirai malware infections if users fail to change the default passwords, leading to DDoS attacks. The company advises affected customers to immediately set strong, unique passwords and monitor for suspicious network activity, noting that infected devices should be reimaged to stop the threat.
  • Blue Yonder, a Panasonic-owned software company, confirmed that several of its impacted customers had restored their systems following a ransomware attack, while the Termite gang, claiming responsibility, boasted of stealing 680 GB of data. 
  • Japan Airlines has resumed operations after a cyber attack caused delays to more than 40 flights, temporarily disrupting systems for ticket sales, baggage management, and its mobile app, but without impacting flight safety or customer data.
  • Krispy Kreme has disclosed a cyber attack that disrupted its online systems, causing issues with online orders in parts of the U.S. since late November, though physical stores remain unaffected.

A database belonging to data broker SL Data Services, left online without password protection, exposed over 600,000 sensitive files, including full names, addresses, phone numbers, criminal history, and vehicle records. The exposure was discovered by a cybersecurity researcher; it is unknown how long the database was exposed or whether anyone else accessed it.

The Cybersecurity and Infrastructure Security Agency (CISA) released a 5-page advisory urging senior government officials and politicians to use end-to-end encrypted apps and assume all communications are at risk, following a breach by Chinese hackers that compromised the phone data, messages, and calls of about 150 officials. The Salt Typhoon breach allowed hackers to access private communications, prompting the advisory to guide both Apple and Android users on securing their devices.

CISA has issued a binding directive requiring federal agencies to secure their Microsoft cloud systems following several recent cyber incidents. The directive mandates agencies to implement secure configuration baselines and assessment tools to address vulnerabilities, after misconfigurations were exploited in major breaches by Russian and Chinese hackers.

Cyberwar between Russia and Ukraine: Updates

Reports disclosed how Russian state-backed hacker group Gamaredon, also known as BlueAlpha, has been using Cloudflare Tunnels to conceal its staging infrastructure for deploying GammaDrop malware in an ongoing cyber-espionage campaign targeting Ukrainian entities. The technique, which evades traditional network detection, is part of a broader spear-phishing effort aimed at stealing credentials and maintaining persistent access to compromised networks.

According to a Microsoft report, Kremlin-backed hackers, known as Secret Blizzard, have repurposed tools from Russian cybercriminals to target Ukrainian military devices, deploying custom malware for espionage. By embedding themselves in other threat actors’ operations, the hackers aim to diversify their attack methods and complicate attribution.

A large-scale cyber attack, believed to be carried out by Russian hackers, has disrupted Ukraine’s state registers, halting essential services such as marriage registrations and real estate transactions. 

Cybersecurity Justice

The United Nations General Assembly has adopted the Convention against Cybercrime, a landmark treaty aimed at improving international cooperation to combat cybercrime, despite opposition from tech companies and human rights activists who warn of potential abuses. The treaty, which will open for signature in 2025, addresses issues such as online child abuse, fraud, and money laundering, while also emphasizing the protection of human rights in the digital sphere.

A major Russian money laundering network, linked to drug traffickers, ransomware gangs, and Kremlin operatives, has been uncovered through an investigation into extorted cryptocurrency, with over 80 arrests made in the UK-led Operation Destabilise. This sprawling system, involving Russian businesses Smart and TGR Group, facilitated sanctions evasion by laundering funds through cryptocurrencies and property, prompting international sanctions against key players.

International law enforcement, coordinated by Europol, shut down 27 popular platforms used for distributed denial-of-service (DDoS) attacks, identifying over 300 users and arresting three administrators in France and Germany. The operation, which involved 15 countries, was timed to pre-empt the peak period for DDoS attacks, which falls right before the holiday season.

Europol announced the shutdown of Manson Market, a clearnet marketplace involved in large-scale online fraud, following an operation led by German authorities. The operation resulted in the seizure of over 50 servers, more than 200 terabytes of digital evidence, and the arrest of two key suspects, with over €63,000 in cash and crypto assets confiscated.

Europol announced that French and Dutch law enforcement have dismantled the encrypted messaging service MATRIX, which was used by criminals for international drug trafficking, arms dealing, and money laundering. The operation led to the seizure of cash, cryptocurrencies, and mobile devices, as well as the arrest of three suspects, with over 2.3 million intercepted messages now supporting ongoing investigations.

Europol supported Belgian and Dutch authorities in arresting eight suspects involved in a large-scale “phone phishing” gang that targeted victims across Europe, using phishing and vishing tactics to steal financial data. The operation resulted in the seizure of cash, luxury items, and electronic devices, with the stolen funds used to fund lavish lifestyles.

German police have arrested the suspected administrator of the country’s largest criminal marketplace, Crimenetwork, which facilitated the trade of illegal goods like drugs, stolen data, and forged documents. The operation seized luxury vehicles and digital assets worth approximately €1 million, and the shutdown of the platform, which had over 100,000 users, is expected to lead to more arrests as police analyze the collected data.

Three individuals were arrested for operating the Rydox cybercriminal marketplace, which sold stolen personal information, access devices, and fraud tools, generating over $230,000 in revenue since its creation. The platform, which facilitated over 7,600 illegal sales primarily targeting U.S. residents, was shut down; the suspects were arrested in Kosovo and Albania, with extradition requests filed for the Kosovo nationals.

The U.S. sanctioned the Chinese cybersecurity firm Sichuan Silence Information Technology and one of its employees for compromising thousands of firewalls worldwide, including those protecting U.S. critical infrastructure. The employee, accused of exploiting a zero-day vulnerability (CVE-2020-12271) to install malware on 81,000 firewalls, has been charged with conspiracy to commit computer fraud and wire fraud. The U.S. Federal Bureau of Investigation (FBI) has offered a $10 million reward for information leading to his arrest.

Russian state-run news agencies claimed that the Russian court has sentenced the suspected founder of the dismantled darknet marketplace Hydra to a historic life sentence for drug trafficking and organized crime. Fifteen accomplices also received lengthy sentences, with the court ordering confiscation of their assets and vehicles, while the verdict remains subject to appeal.

A 19-year-old has been charged for his involvement in phishing attacks targeting telecommunications companies and a financial institution, making him the sixth alleged member of the Scattered Spider hacking group to face federal charges. The group, responsible for major cyber attacks on companies like MGM Resorts and Caesars Entertainment, caused over $4 million in losses through social engineering tactics between October 2023 and May 2024.

The U.S. unsealed a criminal complaint against a dual Russian-Israeli national, accusing him of being a software developer for the LockBit ransomware group from 2019 to February 2024. Currently detained in Israel, he faces 40 counts, including computer damage and extortion, with U.S. authorities linking him to a moniker used on a darknet forum and evidence establishing his role in developing critical code for the LockBit operation.

A Romanian affiliate of the NetWalker ransomware operation was sentenced to 20 years in prison after pleading guilty to charges related to cyber attacks and earning up to $21.5 million from ransomware activities. As part of his plea deal, he agreed to forfeit the earnings, including a luxury resort in Bali, and will also pay $15 million in fines and penalties.

Russian authorities have charged a notorious cybercriminal, known as Wazawaka, for creating malware used by various ransomware groups to blackmail organizations. Speaking to a security researcher, Wazawaka, linked to ransomware groups like Babuk, Conti, and LockBit, is said to have confirmed the charges, stating he paid fines and had cryptocurrency seized. He is currently out on bail and awaiting further legal proceedings.

Russia’s Federal Security Service (FSB) claimed to have dismantled the Milton Group, a global scam network said to be linked to a former Georgian defense minister, which allegedly defrauded over 100,000 people and earned $1 million daily through fake investment schemes.

Fourteen North Korean nationals have been indicted for a scam that allowed them to fraudulently obtain U.S. employment using stolen identities, earning at least $88 million over six years. The indictment charges them with wire fraud, money laundering, and identity theft, with the proceeds allegedly funneled back to Pyongyang and used to support North Korean interests.

A Northern California federal judge ruled that NSO Group is liable for the spyware hacks targeting 1,400 WhatsApp user devices, violating the Computer Fraud and Abuse Act and California’s data access laws. The ruling could lead to significant damages for the Israeli company, whose Pegasus spyware has been used to target activists, journalists, and government officials worldwide.

Italy’s data protection authority fined OpenAI €15 million for violating the GDPR by processing personal data without proper legal grounds and failing to notify authorities of a March 2023 data breach. In addition to the fine, OpenAI is required to launch a six-month public campaign to inform users about the data collection practices of ChatGPT and their rights under the GDPR.

The Dutch Data Protection Authority fined Netflix €4.75 million for failing to adequately inform customers about how it used their personal data between 2018 and 2020, violating the GDPR. Although Netflix has since updated its privacy statement, the DPA determined the company had not provided clear enough information regarding data usage, sharing with third parties, and data retention.

Nebraska’s Attorney General filed a lawsuit against Change Healthcare and its parent company UnitedHealth, accusing them of violating state laws and exposing sensitive healthcare data, after the February ransomware attack on Change Healthcare.

FinTech Updates

DMM Bitcoin, a popular Japanese cryptocurrency platform, is shutting down after hackers stole over $308 million worth of Bitcoin in May. The FBI attributed the heist to North Korea’s TraderTraitor group, also known as Lazarus, who compromised a Japan-based wallet software firm before targeting DMM. The cryptocurrency platform is transferring customer accounts and assets to SBI VC Trade, continuing its investigation while restricting withdrawals and purchases.

A data breach has exposed 5 million unique credit and debit card details, with over 44 million screenshots and 5 terabytes of sensitive data leaked on an unsecured Amazon S3 bucket. The breach, which could put shoppers at risk of fraud, identity theft, and financial scams, remains under investigation by AWS and the responsible party has yet to be identified.

A South Korean law enforcement operation, dubbed Operation Midas, has dismantled a large-scale fraud network that extorted $6.3 million from victims through fake online trading platforms designed to steal money. The fraudulent platforms, which mimicked legitimate brokerage firms, used screen capture functions to spy on users and refused to return investments after pushing them to deposit money through various online channels.

A Brazilian citizen has been charged in the United States for extorting $3.2 million in Bitcoin after breaching a company’s network and stealing data from about 300,000 customers. The defendant allegedly demanded the payment in exchange for not releasing the stolen information, and also offered to “consult” on a security flaw for an additional Bitcoin payment.

Cybersecurity News Across The Globe

  • Costa Rica’s state-owned energy company RECOPE was hit by a ransomware attack, prompting a shift to manual operations and the involvement of US experts to address the issue.
  • Japanese media company Kadokawa is said to have paid a nearly $3 million ransom to the Russia-linked BlackSuit ransomware group, according to evidence from emails sent to executives and an investigation by Kyodo News, which uncovered a $2.98 million cryptocurrency transaction in June, the same month the attack occurred.
  • Telecom Namibia confirmed that hackers from the Hunters International group leaked customer data on the dark web after the company refused to negotiate a ransom following a cyber attack.

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

As always – be vigilant, stay alert, and think twice.