March was certainly an eventful month for cybersecurity professionals and legislation-makers across the world.
- The customer data of around 73 million AT&T customers leaked on the dark web.
- Nation-state hackers continued to actively target Southeast Asian institutions, Hong Kong businesses, and U.S. and UK government organizations.
- Two versions of XZ Utils have been infected, while a new, sophisticated Phishing-as-a-Service (PhaaS) platform is on the rise.
On a more positive note, Nemesis, the darknet marketplace website, was taken down.
- Both the creator of the E-Root Marketplace and a LockBit ransomware affiliate were sentenced.
- CISA released the Secure Software Development Attestation Form.
Read on for the latest updates in the cybersecurity space: recently exploited vulnerabilities (including in AI), ongoing breaches, and the sentencing of nation-state actors!
Cybercrime Breaking News
Data of 73 million current and former AT&T customers was published on the dark web. In an official statement, the company stated that the “data appears to be from 2019 or earlier and does not contain personal financial information or call history”. Cybersecurity investigators are currently looking into the leak.
A nation-state hacker believed to be connected to the government of China is said to be exploiting two vulnerabilities (the F5 BIG-IP Configuration Utility authentication bypass, CVE-2023-46747, and ConnectWise ScreenConnect, CVE-2024-1709) to target Southeast Asian institutions, Hong Kong businesses, and U.S. and UK government organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) took two of its systems offline after detecting activity that may have been exploiting an Ivanti vulnerability in products used by the agency.
A UN report examines cyber activities (between 2017 and 2023) perpetrated by North Korean “cyberthreat actors subordinate to the Reconnaissance General Bureau (RGB), including Kimsuky, the Lazarus Group, Andariel and BlueNoroff”. The report identified key trends: the actors continued to target the global defense sector, attacked the supply chain, and disseminated malicious mobile apps and phishing emails (written with AI). The UN is also investigating about 58 attacks believed to have been conducted by North Korean hackers, which have raked in over $3 billion in six years.
Fujitsu discovered malware on ‘multiple’ employee computers. The IT giant is currently investigating how the malware targeted its systems and whether data breaches have occurred.
IBM X-Force disclosed an active phishing campaign that uses fake documents imitating official government and non-governmental organizations in Europe, the South Caucasus, Central Asia, and North and South America. The campaign is believed to be run by ITG05, a Russian state-sponsored group.
Cybersecurity researchers:
- disclosed how an active campaign has been using fake Python infrastructure to target the software supply chain. The victims may include the Top.gg GitHub organization, its community of over 170K users, and individual developers;
- warned about two versions of XZ Utils – a data compression library – which have been infected with a strain of malicious code that allows unauthorized remote access, as noted by Red Hat;
- revealed a brand new Phishing-as-a-Service (PhaaS) platform – darcula – that contains sophisticated branded phishing campaigns. It has so far been used by over 20,000 domains to target organizations in over a hundred countries.
Cyberwar between Russia and Ukraine: Updates
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Russian entities and individuals, from the financial and technology sectors, who helped other individuals evade US sanctions. In the words of Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, “Russia is increasingly turning to alternative payment mechanisms to circumvent U.S. sanctions and continue to fund its war against Ukraine.”
Cybersecurity and AI
Researchers warned about a vulnerability in Ray, an open-source AI framework for developing and deploying large-scale Python applications, used by companies like Uber, Amazon, and OpenAI. The flaw is said to have been actively exploited over the last seven months and could let attackers take over the system’s computing power and leak sensitive data. The vulnerability currently has no patch.
An ex-Google employee has been charged by the Department of Justice for his alleged role in trying to steal “proprietary information related to artificial intelligence (AI) technology” from Google while secretly working for China-based technology companies.
Cybersecurity Justice
German police have taken down Nemesis, the darknet marketplace website. Authorities confiscated the marketplace’s servers and seized user data and around €94,000 ($102,000) in cryptocurrency assets.
A LockBit ransomware affiliate was sentenced by a Canadian court to four years of imprisonment and ordered to pay $860,000 in restitution to his victims, after pleading guilty to eight charges (including cyber extortion and weapons possession).
The US Department of Justice:
- unsealed an indictment charging seven alleged members of a China nation-state hacking group that, over the last 14 years, spied on US and foreign officials;
- sentenced an individual to over three years in federal prison for developing, publishing, and conspiring with others to manage the E-Root Marketplace – websites that sold compromised computer credentials;
- filed a complaint against Apple for monopolizing the market by “violating federal antitrust law”, alleging that the company has used “a strategy that relies on exclusionary, anticompetitive conduct that hurts both consumers and developers”. According to the Department of Justice, “Apple knowingly and deliberately degrades quality, privacy, and security for its users”.
Ukrainian police have arrested three members of a suspected gang believed to be behind the hijacking of 100 million email and Instagram accounts belonging to users from all around the world. The suspects used brute force, trying different username and password combinations to gain access.
An individual pleaded guilty to his involvement in a Business Email Compromise (BEC) scheme. His role allegedly involved conspiracy to commit wire fraud and money laundering.
FinTech Updates
Blockchain researchers believe the Lazarus Group has resorted to old tactics to launder money – using the Tornado Cash mixer. The researchers have observed that in March, the North Korean hackers attempted to launder $23 million, which is believed to be part of the $112.5 million stolen in November from HTX cryptocurrency exchange.
A cyberattack hit the blockchain-based game Munchables, and security firms believe around $62 million in cryptocurrency was stolen. In an official statement, the platform said it reached out to the hacker (who turned out to be a Munchables developer), who promised to return the stolen amount “without any conditions”.
Prisma Finance was targeted by a cyberattack that stole about $11.6 million from the DeFi platform. The perpetrator turned out to be a “white hacker”, who reached out to the platform on forums to say that the attack was carried out for research purposes and promised to return the funds.
Paysign, a financial services provider, investigated a data breach, after a hacker put up for sale 1.2 million records, said to belong to the firm’s customers.
Working alongside the cryptocurrency company Tether, the U.S. Attorney seized about $1.4 million in Tether (USDT) cryptocurrency as suspected fraud proceeds from a tech support scam. This was the first time the US recovered the currency from an unhosted virtual currency wallet.
The operator of a darknet cryptocurrency “mixer” was convicted for his alleged part in laundering $400M in cryptocurrency. He is said to have run Bitcoin Fog between 2011 and 2021.
Nigeria’s Economic and Financial Crimes Commission (EFCC) requested that the cryptocurrency exchange platform Binance provide it with information on all Nigerian users of the platform. The court order follows the detention of two Binance employees, who are yet to be charged. These measures have been taken as the nation tries to tighten its grip on crypto exchanges and, more specifically, curb speculation against its currency, the naira.
Cybersecurity News Across The Globe
- Switzerland’s National Cyber Security Centre (NCSC) shared a follow-up report on the cyberattack on Xplain, an IT service provider that supports the country’s Federal Administration. The cyberattack took place in June 2023 and was carried out by the Play ransomware group. The hackers are said to have published 1.3 million files on the darknet, 65,000 of which were relevant to the Federal Administration.
- MediaWorks, a New Zealand-based company, notified roughly 403,000 individuals, whose personal data may have been breached due to a cyber attack. The targeted database is said to have been of participants in a 2016 online competition.
- VNDirect, a Vietnamese securities broker, was targeted by a cyberattack. Some of the platform’s services are back online, but local media reported that investors still couldn’t log back in.
- A cyber espionage campaign has been targeting the Indian government and energy sector by spreading an open-source information stealer malware, HackBrowserData. Aiming to gain access to sensitive information, the perpetrators have sometimes been using Slack as command-and-control (C2).
Want to find out more about the Internet of Threats?
Our latest article tackles some of the most common IoT device vulnerabilities and what you could do to stay protected against them.
AMATAS NEWS
Join the upcoming AMATAS webinar “Rebound and Recover: The Critical 48 Hours Post-Cyber Attack” to get the essential knowledge, strategies, and actions to navigate the aftermath of a cyber attack.
The session looks into the pivotal first 48 hours following a cyber breach, a crucial period that can significantly influence the long-term impact on an organization’s operations, reputation, and financial stability. The speaker, Boris Goncharov, is the Chief Strategy Officer of AMATAS. Devoting over 18 years to his professional journey, he has earned recognition as a strategic thinker in information security.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.