Cyber Threat Report | November 2024

November brought a flurry of activity in the cybersecurity space, with attackers pushing the boundaries of sophistication and defenders responding with decisive action. 

From high-profile espionage campaigns to major ransomware disruptions, this month underscored the evolving complexity of cyber threats and the critical importance of vigilance.

Here’s a glimpse of what’s inside AMATAS’s November Threat Report:

Cybercrime News

  • State-sponsored group Salt Typhoon has launched sophisticated attacks on global telecom providers, using tools like the GhostSpider backdoor. Find out how these breaches are raising international concerns.
  • A ransomware campaign on Blue Yonder has disrupted supply chains for major retailers, leaving companies scrambling to recover.
  • A malicious Python package, “fabrice,” has stealthily compromised thousands of developers’ AWS credentials – what does this mean for the security of open-source ecosystems?

Cybersecurity Justice

  • Europol and law enforcement have dismantled one of the largest illegal IPTV streaming networks, uncovering ties to money laundering and cybercrime.
  • INTERPOL’s Operation Serengeti has taken down a global marketplace for stolen credit card data.
  • Regulators have fined Geico and Travelers millions for lax cybersecurity practices – learn how their data breaches enabled cyber criminals to exploit sensitive customer information.

Read on for the full details on how these developments shape the future of cybersecurity.

Cybercrime Breaking News

The Chinese state-sponsored group Salt Typhoon, also known as Earth Estries, has launched cyber attacks against both Southeast Asian and U.S. telecommunications firms, employing sophisticated tools like the GhostSpider backdoor.

  • Since 2023, the Salt Typhoon group has compromised over 20 organizations globally across telecom, technology, and government sectors, targeting sensitive call records and private communications, particularly of individuals in political and governmental roles. 
  • Recent breaches of U.S. providers, including AT&T, Verizon, and Lumen Technologies, granted the hackers access to customer data and, in some cases, the ability to intercept unencrypted communications, raising serious national security concerns and prompting ongoing investigations by U.S. authorities. 
  • In other news, T-Mobile recently detected attempted intrusions originating from a compromised wireline provider’s network, which it noted may be connected to Salt Typhoon.

A ransomware attack on Blue Yonder, a supply chain technology provider for over 3,000 companies, has disrupted operations for major retailers like Starbucks, BIC, and Morrisons. The attack impacted systems managing inventory, transport, and employee schedules, forcing companies to implement manual workarounds while Blue Yonder works with external cybersecurity firms to restore services. 

A malicious Python package named “fabrice,” typosquatting the popular “fabric” SSH library, has been downloaded over 37,000 times since 2021, silently exfiltrating developers’ Amazon Web Services (AWS) credentials. Researchers urge developers to verify the source of their dependencies and implement defense-in-depth measures, such as MFA and access restrictions, to mitigate risks from such supply chain attacks.
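The “fabrice” case is a typosquat: a package name one character away from the library developers meant to install. As an added illustration (not the researchers’ tooling or anything from the original report), the script below audits a requirements file against an allowlist of packages a team actually uses and flags any name that is not on the list but sits within a small edit distance of one that is. The allowlist and the sample requirements content are constructed for the example; in practice the allowlist would come from the team’s approved-dependency inventory, and the check would run in CI alongside hash pinning.

```python
"""Flag possibly typosquatted dependency names in a requirements file.

Hypothetical defensive check: compares each requirement against an
allowlist of known-good packages and reports names that are absent from
the list but closely resemble an entry (e.g. "fabrice" vs "fabric").
"""
import re

# Constructed allowlist: packages the project is known to depend on.
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "paramiko", "numpy"}

# Constructed sample requirements.txt content for the demonstration.
SAMPLE_REQUIREMENTS = """\
fabric==3.2.2
fabrice==0.2.1
boto3>=1.34
# a comment line
numpy
requets==2.31.0
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, collapse runs of -_. to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Extract normalized project names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_suspects(names, known=KNOWN_PACKAGES, max_distance=2):
    """Return (name, lookalike, distance) for every name that is not on the
    allowlist yet lies within max_distance edits of an allowlisted package."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for name in names:
        if name in known_norm:
            continue
        best = min(((edit_distance(name, k), k) for k in known_norm), default=None)
        if best is not None and best[0] <= max_distance:
            findings.append((name, best[1], best[0]))
    return findings


def audit(text: str = SAMPLE_REQUIREMENTS):
    """Parse the requirements text and return the list of suspect entries."""
    return find_suspects(parse_requirements(text))


if __name__ == "__main__":
    for name, lookalike, dist in audit():
        print(f"SUSPECT: {name!r} resembles {lookalike!r} (edit distance {dist})")
```

Run against the constructed input, the audit reports “fabrice” (one edit from “fabric”) and “requets” (one edit from “requests”) while passing the genuine entries. The distance threshold is deliberately small; a larger one catches more variants but also produces more noise, so a reviewed allowlist matters more than the threshold itself.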

More than 2,000 Palo Alto Networks devices have been compromised through the exploitation of two recently patched vulnerabilities, including an authentication bypass (CVE-2024-0012) granting administrative privileges. Most infections have been reported in the U.S. and India, with Palo Alto Networks urging organizations to patch affected systems immediately and monitor for indicators of compromise.

The FBI and Australian authorities published a joint advisory about the BianLian group, which is said to be based in Russia and to have multiple Russia-based affiliates. The report warns that the group has shifted its efforts from ransomware attacks to exclusive data exfiltration and extortion since January 2024, targeting critical infrastructure and healthcare sectors. 

  • Victims of BianLian include charities like Save the Children and healthcare organizations such as Boston Children’s Health Physicians and a Canadian clinic currently experiencing operational delays. 
  • The group exploits vulnerabilities (some researchers believe these include ProxyShell) and leverages stolen credentials to breach systems, demanding payment to avoid leaking sensitive data.

IBM X-Force researchers disclose how cybercriminal group Hive0145 has been targeting victims in Spain, Germany, and Ukraine with Strela Stealer malware, using phishing emails that increasingly rely on stolen messages from legitimate entities. The malware, active since 2022, is said to be designed to extract credentials from Microsoft and Mozilla email clients, with attacks escalating as the group refines its infection techniques.

The hacking group MirrorFace, which is believed to be China-linked, has expanded its operations to target a European Union diplomatic organization, using a Japan-themed lure (a link to a ZIP file called “The EXPO Exhibition in Japan in 2025.zip”) to deliver malware. Researchers disclosed that despite this new geographic focus, the group remains primarily concentrated on Japanese entities, including political organizations and research institutes, while deploying sophisticated backdoors like ANEL and HiddenFace.

The ransomware group Akira leaked data from 35 victims in a single day, marking a record for their darknet site, which publishes stolen information when extortion attempts fail. Since emerging in March 2023, the group has conducted around 250 attacks, amassing $42 million and drawing attention for its rapid growth and apparent expertise in ransomware operations.

The South Asian threat group Mysterious Elephant, also known as APT-K-47, is targeting Pakistani entities in an espionage campaign using upgraded versions of the Asyncshell payload, likely delivered through phishing emails.

Cisco notified a limited number of customers after discovering that, in an October cyber attack, non-public files were inadvertently exposed on its DevHub platform due to a configuration error and subsequently downloaded. The company emphasized that no systems were breached and is continuing to assess the incident while offering support to affected customers.

Cybercriminals are exploiting DocuSign’s APIs to send convincing fake invoices through legitimate accounts, effectively bypassing traditional security measures and deceiving recipients with authentic-looking documents.

Schneider Electric is investigating unauthorized access to its internal project execution tracking platform following claims of a ransomware attack.

International Game Technology (IGT) experienced significant operational disruptions due to a cyber attack, forcing some systems offline as the company works to restore functionality and assess potential financial impacts.

Bitdefender released a decryptor for ShrinkLocker, a ransomware cybercriminals use to exploit Microsoft BitLocker, encrypt entire drives, and demand ransoms. The strain has been targeting industries worldwide since May 2024.

Cyberwar between Russia and Ukraine: Updates

Cybersecurity researchers disclose that Russia’s Social Design Agency (SDA) is conducting “Operation Undercut,” a covert influence campaign targeting Ukraine, Europe, and the U.S., using AI-enhanced videos and fake news sites to erode Western support for Ukraine. It is said that the campaign seeks to discredit Ukraine’s leadership, question Western aid, and exploit geopolitical tensions, including the Israel-Gaza conflict and the 2024 U.S. elections, to deepen societal divisions.

Cybersecurity and AI

AI company iLearningEngines disclosed a cyber attack that resulted in the theft of a $250,000 wire payment and the deletion of email messages, with the breach expected to impact short-term operations but not annual financial results.

Cybersecurity Justice

Microsoft, in collaboration with LF Projects, has seized 240 websites linked to the Egyptian phishing-as-a-service operation “ONNX,” which sold DIY phishing kits enabling cybercriminals to bypass security measures and target Microsoft 365 users. The disruption, part of a broader legal effort, aims to protect customers and industries, particularly financial services, from threats such as financial fraud, data theft, and ransomware.

Interpol’s Operation Synergia II led to the dismantling of over 22,000 malicious IP addresses and 59 servers linked to phishing, ransomware, and information stealers, alongside 41 arrests and 43 device seizures. The operation, involving 95 member countries and cybersecurity firms, disrupted global cybercrime infrastructures.

Europol, alongside European law enforcement agencies, dismantled one of the largest illegal IPTV streaming networks, arresting 11 individuals and seizing 29 servers used to distribute pirated content to over 22 million users worldwide. The operation uncovered additional crimes, including money laundering and cybercrime, with the network reportedly earning €250 million monthly while causing €10 billion in annual damages to legitimate streaming services.

Operation Serengeti, a joint effort by Interpol and Afripol, led to the arrest of 1,006 suspected cybercriminals across 19 African countries, dismantling over 134,000 malicious infrastructures linked to nearly $190 million in global financial losses. The operation, which identified more than 35,000 victims, targeted crimes such as ransomware, business email compromise, and online scams, highlighting the growing threat of organized cybercrime in the region.

German authorities shut down Dstat.cc, a distributed denial-of-service (DDoS)-for-hire platform, and arrested two men allegedly behind its operation, seizing related infrastructure. The takedown is part of “Operation PowerOff,” a global initiative targeting DDoS-for-hire services that enable cyber attacks by individuals with minimal technical skills.

Five alleged members of the Scattered Spider cybercrime group have been charged with conducting phishing campaigns that stole employee credentials, accessed sensitive data, and took $11 million in cryptocurrency from at least 29 victims. Linked to the high-profile ransomware attack on MGM Resorts, the group targeted employees with fake login pages, enabling data breaches and financial theft across industries.

New York regulators fined Geico and Travelers more than $11 million for data breaches in 2020 that exposed driver’s license numbers of approximately 120,000 residents, enabling hackers to file fraudulent unemployment claims. The companies have agreed to improve cybersecurity measures following the violations, with Geico paying $9.75 million and Travelers $1.55 million.

Meta has removed over 2 million accounts linked to pig butchering scams targeting victims through messaging apps and dating platforms, persuading them to invest in fake cryptocurrency schemes. The company continues to collaborate with law enforcement and industry partners to combat these transnational scams, which often rely on forced labor and exploit unsuspecting users globally.

Google has launched a regularly updated online fraud advisory to raise awareness about evolving scams, highlighting trends such as impersonation campaigns, cryptocurrency scams, app clones, cloaked landing pages, and exploitation of major events.

The Canadian government has ordered TikTok to dissolve its operations in the country following a national security review, citing risks linked to the platform’s activities but stopping short of banning the app outright.

An alleged administrator of the Phobos ransomware-as-a-service operation was extradited from South Korea and is in U.S. custody. The ransomware operation is accused of facilitating over $16 million in ransom payments from more than 1,000 global victims, including schools, healthcare providers, and government contractors. Phobos was sold to affiliates on the dark web, who targeted smaller organizations using “spray and pray” techniques, demanding ransoms. The indictment highlights that payments ranged from $2,300 to $300,000, with some victims refusing to pay, as the operation maintained a lower profile compared to more notorious ransomware groups.

A Nigerian national was sentenced to 10 years in U.S. federal prison for orchestrating a business email compromise (BEC) scheme that stole nearly $20 million from over 400 victims, primarily through fraudulent real estate transactions. The scheme used phishing emails to gain access to accounts and redirected payments to attacker-controlled accounts, leaving 231 victims unable to recover their funds.

A U.S. citizen was sentenced to four years in prison and fined $250,000 for conspiring to act as an unregistered agent for China, sharing sensitive information with its Ministry of State Security. The individual, employed at major U.S. telecom and IT companies, is said to have cooperated with Chinese intelligence since 2012, providing information of interest to the Chinese government.

Two individuals have been charged with operating 247TVStream, an illegal sports streaming service that generated over $7 million in revenue by relaying content from legitimate accounts to subscribers. The Justice Department estimates the platform caused more than $100 million in losses to copyright owners, with each defendant facing up to 28 years in prison if convicted.

FinTech Updates

The Department of Justice has shut down PopeyeTools, a major online marketplace for stolen credit cards and cybercrime tools, seizing its domains and $283,000 in cryptocurrency. Three alleged administrators face charges of fraud and trafficking access devices, with the platform linked to the sale of data from over 227,000 individuals since 2016.

Indian police have arrested a suspect in connection with the $230 million hack of WazirX, alleging the individual created a fake account later used in the breach to drain the exchange’s “hot” wallet.

The operator of the cryptocurrency mixer Helix was sentenced to three years in prison and ordered to forfeit over $400 million in assets for facilitating over $300 million in bitcoin laundering, primarily for darknet drug markets. Helix, active from 2014 to 2017, enabled cybercriminals to obscure transaction origins through mixing services, linking it to illegal activities on platforms like the Grams darknet search engine.

A woman (dubbed “The Crocodile of Wall Street”) was sentenced to 18 months in prison for assisting her husband in laundering over 25,000 bitcoin stolen in the 2016 Bitfinex hack, valued at $71 million at the time and now worth over $10 billion.

A Chinese national has pleaded guilty to laundering over $73 million stolen through cryptocurrency “pig-butchering” scams, which deceive victims into making fraudulent investments. The scheme involved 74 shell companies and extensive international money-laundering operations, with the defendant facing up to 20 years in prison.

North Korean hackers are allegedly targeting cryptocurrency businesses with a macOS-focused malware campaign called “Hidden Risk,” using phishing emails with fake crypto news headlines to deliver malicious applications disguised as PDF files. Cybersecurity researchers linked this campaign to the BlueNoroff group, known for sophisticated attacks on the crypto sector, aiming to steal funds and deploy multi-stage malware.

FinTech company Finastra is investigating a potential data breach involving its internal file transfer platform, with a dark web actor claiming to have exfiltrated data, though customer operations and services remain unaffected.

Cybersecurity News Across The Globe

  • A suspected DDoS attack on Hyp’s CreditGuard disrupted credit card readers across Israeli supermarkets and gas stations for about an hour, blocking communication between terminals and payment systems. The attack was quickly mitigated, and no data or payments were compromised, with services returning to normal shortly after.
  • A German court has ruled that Facebook users affected by the 2021 data breach can claim €100 in compensation for GDPR violations, even without evidence of financial harm or misuse of their data.

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.

As always – be vigilant, stay alert, and think twice.