Cyber Threat Report | July 2024

July brought a series of impactful events that shaped the global cybersecurity landscape, including what’s being called the “worst cyber event in history” and the emergence of the world’s largest collection of stolen passwords.

In this edition of AMATAS’s Cyber Threat Report, uncover the following critical incidents:

  • The reason behind the worldwide Microsoft Windows system crash that disrupted critical services.
  • IBM’s report highlights the highest-ever cost of data breaches.
  • The world’s largest collection of stolen passwords, surfacing on a notorious crime marketplace.

In other news, explore:

  • Operation Morpheus, which took down IP addresses hosting illegal versions of the Cobalt Strike software.
  • France’s large-scale malware cleanup effort ahead of the Olympics.
  • The UK’s National Crime Agency dismantling a major distributed denial-of-service (DDoS)-for-hire service.

Stay informed with our latest newsletter on these evolving cybersecurity threats and more.

Cybercrime Breaking News

On July 19, CrowdStrike’s release of a content update for its Falcon platform caused Microsoft Windows systems to crash worldwide due to a bug in the update validation tool. The issue, which affected systems running sensor version 7.11 and above, was quickly reverted, but not before it disrupted critical services globally, including aviation, healthcare, and emergency services. Microsoft estimates that the global IT outage disabled approximately 8.5 million computers worldwide, and the incident is currently being dubbed the “worst cyber event in history”. In response, the Subcommittee on Cybersecurity and Infrastructure Protection requested a hearing to address the outage’s impact and discuss necessary improvements in cybersecurity measures.

IBM’s “Cost of a Data Breach Report 2024” disclosed:

  • the global average cost of a data breach increased by 10% in 2024, reaching $4.88M, the highest level ever recorded.
  • one in three breaches involved shadow data, highlighting the growing challenge of managing and protecting increasing volumes of data.
  • organizations that extensively used security AI and automation in prevention saved an average of $2.22 million compared to those that did not.

The world’s largest collection of stolen passwords, nearly 10 billion in total, has been uploaded to a notorious crime marketplace by a hacker named ‘ObamaCare’, according to researchers. 

Researchers have identified a Chinese cybercrime syndicate, dubbed Vigorish Viper, behind a network of illegal online gambling sites advertised at European sporting events. This syndicate, allegedly linked to human trafficking and cyber fraud in Southeast Asia, provides a technology suite for mobile betting applications, described as “a full cybercrime supply chain”. The report highlights the syndicate’s role in the $1.7 trillion illegal gambling economy and its exploitation of human trafficking victims in forced labor camps.

Researchers have linked a North Korean hacking group, known as Andariel (or APT45), to cyber operations targeting critical infrastructure (e.g. nuclear facilities) and to financially motivated cyber operations, including ransomware development. A recent investigation revealed that Andariel, said to be connected to North Korea’s Reconnaissance General Bureau, has expanded its activities from government espionage to ransomware attacks on hospitals, banks, and South Korean defense firms. A reward of up to $10 million has been offered for information on a member of the group.

Researchers identified that the APT group Void Banshee is exploiting a zero-day vulnerability in Internet Explorer to deploy the Atlantida info-stealer. The vulnerability, CVE-2024-38112, affects various versions of Internet Explorer and Windows, and is used in a multi-stage attack involving malicious URL files disguised as book PDFs. 

Researchers disclose that the FIN7 hacking group is now trying to sell its security evasion tool, AvNeutralizer, on darknet forums to other criminal organizations. Initially used by Black Basta, this tool helps hackers bypass threat detection systems and is now employed by various ransomware groups.

Bassett Furniture Industries, one of the largest furniture companies in the U.S., has halted its manufacturing facilities due to a ransomware attack that encrypted data files and disrupted operations.

Israeli cybersecurity firm Wiz has declined a $23 billion takeover offer from Alphabet, Google’s parent company, in what could have been its “largest-ever acquisition”. 

Cyberwar between Russia and Ukraine: Updates

The U.S. Department of Justice seized two internet domains and searched nearly 1,000 social media accounts allegedly used by Russian threat actors to spread pro-Kremlin disinformation using AI-generated profiles. The Justice Department revealed that the bot farm, developed by Russia’s RT News Network and operated by the Federal Security Service, was “used to promote messages in support of Russian government objectives”. 

Spanish police arrested three suspected members of the pro-Russian hacker group NoName057(16), known for DDoS attacks against public institutions and strategic sectors in Spain and other NATO countries supporting Ukraine.

Several major Russian banks experienced DDoS attacks that caused outages in their online services and mobile apps, with Ukraine claiming responsibility.

The pro-Ukrainian hacker group Cyber Anarchy Squad has claimed responsibility for hacking Russian information security firm Avanpost, encrypting over 400 virtual machines and physical workstations, destroying more than 60 terabytes of data, and leaking 390 gigabytes of sensitive information.

Cybersecurity Justice

An international law enforcement coalition, led by the UK’s National Crime Agency (NCA), has targeted 690 IP addresses across 27 countries hosting illegal instances of the Cobalt Strike software, a penetration testing tool, in Operation Morpheus. Originally developed to simulate network breaches, Cobalt Strike’s unlicensed versions have been widely abused by cybercriminals and state-sponsored hackers for ransomware attacks and network infiltration.

Supported by Europol, France initiated a large-scale “disinfection operation” to remove the malware known as PlugX, used for cyber espionage, from thousands of computer systems just ahead of the Olympics.

Operation Jackal III, an Interpol-led global law enforcement operation targeting West African organized crime, resulted in 300 arrests and $3 million in seized assets, including cryptocurrencies and luxury items. The three-month operation, which spanned 21 countries, targeted online financial fraud and the notorious Black Axe gang, blocking over 720 bank accounts and dismantling several criminal networks.

The UK’s NCA, in collaboration with the Police Service of Northern Ireland, infiltrated and disabled DigitalStress, a major DDoS-for-hire service responsible for tens of thousands of attacks weekly. An individual suspected of running the site was arrested, and the NCA replaced the site’s domain with a warning that user data had been collected by law enforcement. 

Two foreign nationals have pleaded guilty in a U.S. court for their roles in the LockBit ransomware group, which extorted millions from victims worldwide. The alleged cybercriminals now face sentences of up to 25 and up to 45 years in prison:

  • One of the perpetrators is said to have extorted $1.9 million from 12 victims. 
  • The other is believed to have caused at least $500,000 in damage and losses to victims. 

A 17-year-old from Walsall, UK, has been arrested in connection with the ransomware attack that disrupted MGM Resorts last year. The arrest was part of a global investigation into a major cybercriminal group, coordinated by the West Midlands Police, the UK’s National Crime Agency, and the FBI. 

The U.S. has sanctioned two key members of the Russian hacktivist group, Cyber Army of Russia Reborn (CARR), for their alleged cyber operations against U.S. critical infrastructure. One is accused of leading the group, while the other (said to be its “primary hacker”) is linked to compromising a U.S. energy company and creating training materials on how to compromise supervisory control and data acquisition (SCADA) systems, used in industrial operations.

An Australian Army private and their spouse were arrested in Brisbane for allegedly attempting to access and pass Australian national security information to Russia. The couple face charges of preparing for an espionage offense, which could result in up to 15 years in prison if convicted.

The Ukrainian police have arrested cybercriminals accused of stealing approximately $145,000 from major industrial companies by infecting employees’ computers with malware to access financial systems and redirect funds.

Meta has removed 63,000 Instagram accounts linked to the Nigerian cybercrime group Yahoo Boys, which were involved in sextortion scams targeting adult men in the U.S.

A U.S. District Court judge dismissed most of the Securities and Exchange Commission’s (SEC) lawsuit against SolarWinds, which accused the company of defrauding investors by concealing its security vulnerabilities related to the Russia-linked Sunburst cyberattack.

Verizon-owned TracFone will pay a $16 million civil penalty to settle an FCC investigation into its alleged failure to safeguard consumer data, resulting in three data breaches over two years.

FinTech Updates

An international effort, called Operation Spincaster, involving cryptocurrency experts and law enforcement from six countries, has successfully shut down networks responsible for over $1 billion in losses through “approval phishing” scams. The operation, “designed to disrupt and prevent scams through public-private collaboration”, included collaboration with 17 crypto exchanges and 12 public agencies. Key activities involved identifying compromised wallets and tracing stolen funds, ultimately addressing more than $162 million in losses.

Researchers disclose how a Middle Eastern financial institution endured a record-breaking six-day DDoS attack earlier this year, which featured multiple waves totaling about 100 hours and peaked at 14.7 million requests per second (RPS). The attack, which researchers attributed to the pro-Palestinian hacktivist group SN_BLACKMETA, averaged 4.5 million RPS and had a low ratio of legitimate to malicious requests.

Cryptocurrency company Tether froze over $29 million in stablecoins said to be connected to the Cambodian online marketplace Huione Guarantee. Researchers believe the marketplace has facilitated cybercriminal operations in Southeast Asia, including pig butchering scams.

A hacker, known as “Tank”, was sentenced to nine years of imprisonment and ordered to pay $73 million for his involvement in operating the Zeus banking malware and the IcedID infostealer. The cybercriminal, who had been on the FBI’s Most Wanted list for over a decade and was arrested in Switzerland in 2022, pleaded guilty to charges related to conspiracy to commit racketeering and wire fraud.

Patelco Credit Union, one of the largest credit unions on the West Coast with over $9 billion in assets, was targeted by a ransomware attack.

$230 million worth of cryptocurrency was stolen from Indian cryptocurrency platform WazirX during a cyberattack.

Cybercriminals are exploiting the popular Hamster Kombat game, targeting players with threats like Android malware through unofficial Telegram channels, fake app stores delivering ads, and GitHub repositories distributing Lumma Stealer malware disguised as game automation tools. 

Cybersecurity News Across The Globe

  • LockBit ransomware gang claimed to have perpetrated a cyberattack against Croatia’s largest hospital, KBC Zagreb, accessing sensitive data and forcing a one-day IT shutdown, with over 100 specialists working to restore systems.
  • The Iranian state hacking group MuddyWater has launched a new campaign targeting Israeli and other Middle Eastern organizations with a custom backdoor that researchers have named BugSleep, used to execute commands and transfer files.
  • Cybercriminals in Iraq have been deploying malicious Python packages on the PyPI repository to steal user data. These packages contain scripts that exfiltrate sensitive information to a Telegram chatbot linked to various criminal activities, including financial theft and social media manipulation.
  • APT41, a China-based hacking group, has been targeting organizations in global shipping, logistics, media, entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. since 2023. 
  • The Chinese hacking group GhostEmperor, known for its sophisticated supply-chain attacks against telecommunications and government entities in Southeast Asia, has resurfaced. Recent findings by cybersecurity researchers reveal that GhostEmperor used advanced evasion techniques and a variant of the Demodex rootkit. 
  • China-linked hacking group Daggerfly has updated its toolset. Researchers report that Daggerfly introduced new versions of its MgBot malware and a Macma macOS backdoor, deploying them in recent attacks on organizations in Taiwan and a high-profile international NGO in China. 
  • At least five Macau government websites, including those of the security service and police force, were taken offline due to a DDoS attack.

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

As always – be vigilant, stay alert, and think twice.
