In October, the cyber landscape once again proved its volatility, with an uptick in sophisticated cyber campaigns and strong responses from the cybersecurity community.
Here’s a sneak peek at what you’ll find in AMATAS’s October Threat Report:
- Russian SVR hackers escalated spear-phishing attacks targeting government sectors, while Iranian actors launched year-long brute-force campaigns on critical infrastructure across healthcare, government, and energy.
- EMERALDWHALE exploited exposed Git configurations worldwide, compromising thousands of cloud service credentials.
- An alarming CUPS vulnerability surfaced, putting over 58,000 devices at risk of severe DDoS attacks.
On the justice front:
- A key Evil Corp member was charged by U.S. authorities, coinciding with arrests across Europe, including an alleged LockBit developer in France.
- Dutch and FBI authorities took down two major malware services – Redline and Meta – crippling cybercrime activities on the dark web.
- A significant blow to cybercrime networks saw INTERPOL arrest eight individuals in Côte d’Ivoire involved in scams defrauding victims of millions.
Stay tuned for the details and insights on how these developments shape the cybersecurity landscape.
Cybercrime Breaking News
The nonprofit digital library Internet Archive recently suffered a series of cyber attacks, including a distributed denial-of-service (DDoS) attack that impacted its 31 million users and a defacement, with a hacker claiming ongoing access and urging stronger security. The organization has since restored key services while working on heightened protections.
Microsoft’s cybersecurity team reported that Russian SVR hackers, known as “Midnight Blizzard,” targeted thousands of government workers with spear-phishing emails containing Remote Desktop Protocol (RDP) files, allowing access to compromised devices and potentially sensitive resources.
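The spear-phishing item above turns on the contents of an RDP connection file: a plain-text list of `key:type:value` settings that can point a victim's client at an unfamiliar host and hand that host the local drives, clipboard and smart cards. The inspector below is an added example and not code from the report or from Microsoft; it assumes a constructed allowlist of the organisation's own terminal servers (`KNOWN_RDP_HOSTS`) and two constructed sample files, and it flags an attachment when the target is outside the allowlist and any local-resource redirection is enabled.

```python
"""Inspect .rdp attachments for an unknown target plus local-resource redirection.

Added example (not part of the AMATAS report). An .rdp file is a text file of
`key:type:value` lines; the keys used here (full address, redirectdrives,
redirectclipboard, drivestoredirect, ...) are standard RDP file settings.
KNOWN_RDP_HOSTS and the two sample files are constructed for this demo.
"""

# Integer-typed settings that hand a local resource to the remote side when non-zero.
REDIRECT_FLAGS = (
    "redirectdrives",
    "redirectclipboard",
    "redirectsmartcards",
    "redirectprinters",
    "redirectcomports",
    "redirectposdevices",
)
# String-typed settings that list drives/devices to redirect (non-empty means enabled).
REDIRECT_STRINGS = ("drivestoredirect", "devicestoredirect")

# Constructed allowlist: hosts users are legitimately expected to reach over RDP.
KNOWN_RDP_HOSTS = {"ts01.corp.example", "ts02.corp.example"}


def parse_rdp(text):
    """Parse an .rdp file into {key: (type, value)}; type is normally 's', 'i' or 'b'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue  # not a key:type:value line; ignore
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def target_host(settings):
    """Return the lower-cased hostname from `full address`, without a trailing :port."""
    _, addr = settings.get("full address", ("s", ""))
    host = addr.strip()
    if host.startswith("["):  # bracketed IPv6 literal
        return host[1:host.find("]")].lower()
    if host.count(":") == 1:  # hostname:port
        host = host.split(":", 1)[0]
    return host.lower()


def assess_rdp(text, known_hosts=KNOWN_RDP_HOSTS):
    """Return the target host, the enabled redirections and a block verdict."""
    settings = parse_rdp(text)
    host = target_host(settings)
    redirections = []
    for key in REDIRECT_FLAGS:
        _, value = settings.get(key, ("i", "0"))
        if value not in ("", "0"):
            redirections.append(key)
    for key in REDIRECT_STRINGS:
        _, value = settings.get(key, ("s", ""))
        if value:
            redirections.append(key)
    unknown_target = bool(host) and host not in known_hosts
    return {
        "target": host,
        "redirections": redirections,
        "unknown_target": unknown_target,
        # Block only when an unknown host would receive local resources.
        "block": unknown_target and bool(redirections),
    }


# Constructed sample: unknown host, drives and clipboard redirected.
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.example.invalid:3389
redirectdrives:i:1
redirectclipboard:i:1
drivestoredirect:s:*
authentication level:i:0
"""

# Constructed sample: a normal connection to an allowlisted terminal server.
BENIGN_RDP = """screen mode id:i:2
full address:s:ts01.corp.example
redirectclipboard:i:1
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(name, assess_rdp(body))
```

The verdict deliberately requires both conditions: clipboard redirection to a known internal terminal server is everyday use, while any redirection to a host the organisation does not operate is what the mail gateway should hold for review.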
The EMERALDWHALE campaign has exploited exposed Git configurations globally, leading to the theft of over 15,000 cloud service credentials.
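The EMERALDWHALE item concerns `.git/config` files left inside a web server's document root, where a remote URL of the form `https://user:token@host/...` leaks a cloud or repository credential to anyone who can fetch the file. The audit below is an added example, not code from the report or from any vendor; it assumes a constructed web root and a placeholder token, walks the given directories for `.git` directories, and reports remotes whose URL embeds a credential without echoing the secret itself.

```python
"""Audit web document roots for served .git directories and credentialed remote URLs.

Added example (not part of the AMATAS report). The sample repository layout,
the host git.example.invalid and the token EXAMPLE_TOKEN are constructed for
the demo; in production, pass the real document roots to audit().
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# An http(s) URL whose userinfo part carries a user:secret pair.
_CRED_URL = re.compile(r"^https?://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)


def parse_git_config(text):
    """Minimal parser for git's INI-like config: {section name: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # e.g. 'remote "origin"'
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_git_dirs(root):
    """Return the path of every .git directory below root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            hits.append(os.path.join(dirpath, ".git"))
            dirnames.remove(".git")  # no need to descend into repo metadata
    return hits


def credentialed_remotes(git_dir):
    """Return (remote name, host) pairs whose URL embeds a credential.

    Only the host is reported so the secret never lands in the audit output.
    """
    path = os.path.join(git_dir, "config")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        sections = parse_git_config(fh.read())
    findings = []
    for name, entries in sections.items():
        if not name.startswith("remote "):
            continue
        url = entries.get("url", "")
        if _CRED_URL.match(url):
            remote = name[len("remote "):].strip().strip('"')
            findings.append((remote, urlsplit(url).hostname))
    return findings


def audit(roots):
    """Return one finding per .git directory found under the given roots."""
    report = []
    for root in roots:
        for git_dir in find_git_dirs(root):
            report.append({
                "git_dir": git_dir,
                "credentialed_remotes": credentialed_remotes(git_dir),
            })
    return report


def demo():
    """Build a constructed web root containing a leaked .git/config and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, "site", ".git")
        os.makedirs(git_dir)
        with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as fh:
            fh.write(
                "[core]\n\trepositoryformatversion = 0\n"
                '[remote "origin"]\n'
                "\turl = https://deploy:EXAMPLE_TOKEN@git.example.invalid/acme/site.git\n"
                "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
                '[remote "mirror"]\n'
                "\turl = https://git.example.invalid/acme/site.git\n"
            )
        return audit([tmp])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding with an empty `credentialed_remotes` list is still worth acting on: a served `.git` directory exposes source and history even when no token is present. The two remediations are denying requests for `/.git` at the web server and keeping tokens out of remote URLs in favour of a credential helper.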
Australian, Canadian, and U.S. cybersecurity agencies warned of year-long brute-force attacks by Iranian cyber actors targeting critical infrastructure sectors like healthcare, government, and energy.
APT34 (also tracked as Earth Simnavaz or OilRig), a threat group believed to be linked to Iran, has intensified its cyberespionage in the Gulf, targeting critical infrastructure and government agencies with advanced malware, notably by exploiting Microsoft Exchange vulnerabilities, to establish long-term access for further attacks.
Cybersecurity researchers have identified new tools used by the GoldenJackal hacking group to target government and diplomatic entities in Europe, the Middle East, and South Asia, mainly via air-gapped systems (computer networks physically isolated from unsecured networks).
Researchers identified a vulnerability in the Common UNIX Printing System (CUPS) that could allow attackers to launch powerful DDoS attacks, potentially affecting over 58,000 publicly accessible devices.
American Water Works confirmed that a recent cyber attack did not impact any of its water facilities, though customer account access remains temporarily offline.
Hackers recently impersonated Royal Mail to distribute Prince ransomware to a limited number of U.S. and U.K. targets.
Home security giant ADT revealed that a hacker accessed encrypted internal employee data by compromising a third-party business partner’s system. ADT is currently cooperating with federal law enforcement in response.
Hackers have stolen data on over 5,000 individuals from insurance giant Globe Life’s subsidiary and are extorting the company.
The RansomHub gang claimed responsibility for a cyber attack on Mexican airport operator Grupo Aeroportuario del Centro Norte, impacting its IT systems and requiring backup operations to continue.
Free, the second largest telecom in France, confirmed a cyber attack compromised customer data, prompting a criminal complaint and cybersecurity agency notification.
Game Freak, the developer of Pokémon, confirmed a cyber attack earlier this year that resulted in a data breach.
Casio revealed it suffered a ransomware attack on October 5, affecting employee, customer, and partner information, and disrupting several internal systems.
Cyberwar between Russia and Ukraine: Updates
A report published by Amazon Web Services (AWS) found Kremlin-linked hackers from APT29 targeted Ukrainian state and military agencies in a phishing campaign aimed at stealing credentials, using fake emails that mimicked Amazon and Microsoft to compromise devices.
Russian state broadcaster VGTRK suffered a cyber attack, temporarily disrupting broadcasts and reportedly erasing data from company servers. A Ukrainian government source said that the attack was carried out by a Kyiv hacker.
According to a new report from Ukraine’s computer emergency response team (CERT-UA), hackers are using MeduzaStealer malware, spread through Telegram, to target draft-eligible men in Ukraine by posing as a support bot for a government app.
Russian operation UNC5812 uses a fake Telegram channel to deliver malware targeting the Ukrainian military, undermining Ukraine’s mobilization efforts.
Ukrainian police arrested a hacker who allegedly provided VPN access to restricted Russian sites, potentially compromising user data to Russian intelligence.
Cybersecurity and AI
OpenAI reported it disrupted over 20 malicious campaigns by state actors misusing its technology for cyber threats, including an Iranian group linked to U.S. infrastructure attacks.
Cybersecurity Justice
Western authorities have identified a key member of the Evil Corp cybercrime group, who is also an affiliate of the LockBit ransomware gang, and charged him with ransomware attacks on U.S. businesses. This action coincided with arrests across Europe, including a suspected LockBit developer in France and alleged money launderers in the UK. A paper was published by the United Kingdom’s National Crime Agency, the FBI, and the Australian Federal Police, detailing his supposed role in the Evil Corp gang alongside a former Russian intelligence official.
Dutch and FBI authorities hacked the servers of Redline and Meta infostealers, disrupting two major malware services used to steal and sell personal information on the dark web. The U.S. also charged a Russian national with developing the Redline infostealer, identified partly due to security mistakes linking his hacker alias to personal information.
Two Sudanese brothers were charged in the U.S. for allegedly operating Anonymous Sudan, responsible for cyber attacks on critical infrastructure and government agencies.
Microsoft and the DOJ disrupted the infrastructure of the Russian hacking group COLDRIVER, which has been targeting NGOs and think tanks with spear-phishing attacks.
Four members of the REvil ransomware gang were sentenced to over four years in a Russian penal colony on hacking and money laundering charges.
A Ukrainian national pleaded guilty in U.S. federal court to operating the Raccoon Infostealer malware, a service that stole sensitive data from victims and was offered to cybercriminals for a monthly fee. As part of the plea, the defendant agreed to pay nearly $1 million in restitution and forfeiture.
An international operation led by INTERPOL resulted in the arrest of eight cybercriminals in Côte d’Ivoire involved in phishing scams targeting Swiss citizens, with reported financial losses over $1.4 million. The fraudsters deceived victims with QR codes linked to fake payment websites and impersonated customer service agents to gain their trust.
A global INTERPOL-led operation against illegal gambling during the UEFA 2024 European Championship led to over 5,100 arrests, the shutdown of thousands of websites, and the recovery of $59 million, exposing links to trafficking and money laundering.
The Irish Data Protection Commission fined LinkedIn €310 million for using personal data to conduct behavioral analysis and targeted advertising without adequate transparency and compliance.
An Alabama man was arrested for allegedly taking over the SEC’s X (formerly Twitter) account, facing charges of aggravated identity theft and access device fraud.
Brazilian authorities arrested a hacker suspected of orchestrating cyber attacks on entities like the FBI and Airbus in “Operation Data Breach.”
Two suspected administrators of the dark web marketplace Bohemia were arrested by Dutch and Irish police, with over €8 million in virtual assets seized. The marketplace, active since 2021, was primarily involved in the sale of drugs and illicit digital services.
Hong Kong police arrested 27 people linked to romance scams using deepfake face-swapping technology to defraud victims of $46 million.
Russia’s Federal Security Service (FSB) detained a man accused of DDoS attacks that disrupted electronic voting infrastructure during regional elections.
FinTech Updates
Crypto platform Radiant Capital lost over $50 million in a breach involving compromised developer accounts through sophisticated malware injections.
MoneyGram confirmed that customer information was stolen during a September 2024 cyber attack, which left customers unable to send funds for about a week. The company reported that unauthorized access to customer data occurred between September 20 and 22, though it has not disclosed the exact nature of the attack.
Peru’s Interbank disclosed a data breach affecting up to 3 million customers after dark web listings offered stolen personal and financial information for sale.
The U.S. Department of Justice charged 18 individuals and entities with cryptocurrency market manipulation, including false trading activities and a “pump and dump” scheme, seizing over $25 million in assets.
A Nigerian court dropped all charges against a Binance executive, detained since February on money laundering charges, allowing him to seek medical treatment abroad.
Cybersecurity News Across The Globe
- Italian police arrested four people and are investigating dozens more in a conspiracy linking officials to illegal dossiers created by hacking government databases, with business figures, politicians, and the Prime Minister among those targeted. Authorities allege a private intelligence firm, Equalize, accessed sensitive databases to build dossiers sold for blackmail, with the probe indicating mafia and possibly foreign intelligence involvement.
- Cyprus’ critical infrastructure faced cyberattacks from pro-Palestine hacker groups, causing temporary disruptions to banks, airports, and government websites.
- Russia and Turkey have blocked access to Discord, citing the platform’s refusal to cooperate with local authorities.
- Australia’s new Cyber Security Bill mandates that companies report any ransomware payments, aiming to reduce damages and improve national cybersecurity amid rising attacks.
- Cambodia arrested and charged a freelance journalist, who was known for investigating cyber scams and human trafficking, for his alleged “incitement to disturb social security.”
- Japan’s ruling Liberal Democratic Party was hit by a DDoS attack disrupting its website just as the election campaign period began, prompting a government-led investigation and response.
- North Korean hacker group APT45 (also known as Andariel and Stonefly), linked to the government’s intelligence agency, attempted intrusions on three U.S. companies in August, one month after the DOJ issued an arrest warrant for one of its members.
- North Korean threat group Jumpy Pisces has collaborated with the Play ransomware network in a shift toward broader ransomware involvement.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.