In September, the cyber landscape continued to evolve, presenting alarming incidents alongside encouraging responses.
Here’s a sneak peek at what you’ll find in AMATAS’s September Threat Report:
- A Mandiant report reveals how IT workers compromised Fortune 100 companies, generating revenue for the DPRK and conducting cyber intrusions.
- Kawasaki Motors Europe demonstrates resilience after a cyberattack, restoring over 90% of server functionality within a week.
- UNC1860, an Iranian cyber operation, is identified as a sophisticated threat to telecommunications and government systems in the Middle East.
On the justice side, discover:
- Europol dismantles Ghost, a platform used for cybercrime coordination, resulting in 51 arrests across nine countries.
- The Justice Department charges a Chinese national for spear phishing U.S. aviation agencies (including NASA) in a significant cybersecurity breach.
- The U.S. Department of Justice seized 32 domains linked to a pro-Russian operation aiming to influence U.S. politics.
Cybercrime Breaking News
A Mandiant report described how IT workers, posing as non-North Korean nationals to gain employment in various industries, generated revenue for the Democratic People’s Republic of Korea (DPRK) and funded its weapons programs, while also leveraging their privileged access to conduct malicious cyber intrusions. The report revealed that numerous Fortune 100 companies have unknowingly hired these North Korean IT workers, who often gain elevated access to modify code and administer network systems, posing significant risks of further cyberattacks.
Chinese state-backed hackers, identified by Microsoft as Salt Typhoon (also known as FamousSparrow and GhostEmperor), breached several U.S. internet service providers in a cyber espionage campaign to access sensitive information, with investigators probing potential access to Cisco routers.
A Mandiant report disclosed how an Iranian cyber operation known as UNC1860 has established itself as a sophisticated initial access broker, gaining persistent entry into telecommunications and government systems across the Middle East. The operation, said to be likely linked to Iran’s Ministry of Intelligence and Security (MOIS), utilizes specialized tools and passive backdoors to support other Iranian hacking efforts, including potential involvement in disruptive operations targeting Israel and Albania.
Research discloses how Iraqi government networks have been targeted by a sophisticated cyberattack campaign allegedly linked to the Iranian state-sponsored threat group OilRig, also known as APT34. The attack, which targeted entities like the Prime Minister’s Office, involved the use of custom malware called Veaty and Spearal, utilizing DNS tunneling and compromised email accounts for command-and-control operations.
Russian actors have shifted their disinformation efforts to target Vice President Kamala Harris, releasing fake videos that have gained millions of views to harm her campaign. According to a Microsoft report, the Russian groups used social media platforms like X and Telegram, along with fake news sites, to spread these fabricated videos, including one falsely depicting Harris involved in a hit-and-run accident.
Sweden’s domestic intelligence agency revealed that hackers working for the Iranian government carried out a cyberattack last year to create division in the country after a far-right politician burned a Quran. The hackers targeted a Swedish SMS service and sent about 15,000 messages urging people to take revenge against those involved in the incident.
Researchers disclose that the Marko Polo cybercrime group has compromised tens of thousands of devices worldwide through cryptocurrency and gaming-related scams, primarily targeting online gaming personalities, cryptocurrency influencers, and technology professionals.
The cybercriminal group DragonForce has been targeting global industries like manufacturing, real estate, and transportation using modified versions of the LockBit and Conti ransomware. Researchers found that DragonForce employs advanced tactics, including double extortion and customizable ransomware, to carry out their attacks effectively.
Cybercriminals are targeting North American transportation companies with a campaign that delivers various strains of info-stealing malware through compromised email accounts, using malicious links and attachments to gain access to sensitive information.
The world’s third-largest cybersecurity company, Fortinet, reported a security incident in which a hacker accessed a limited number of customer files on a third-party cloud-based shared file drive.
Kawasaki Motors Europe recovered from a cyberattack claimed by the Ransomhub group, with over 90% of server functionality restored within a week. The attack prompted precautionary server isolation and cleansing, but the company has resumed normal operations for dealers and suppliers.
Agence France-Presse (AFP) announced that hackers targeted its IT systems, disrupting some services for clients.
North Korean hackers are using LinkedIn to target cryptocurrency users by posing as recruiters from legitimate decentralized exchanges, deploying the RustDoor malware to infiltrate networks and steal information.
CISA has ordered federal agencies to upgrade or remove Ivanti’s end-of-life Cloud Service Appliance (CSA) 4.6 by October 4, after a vulnerability (CVE-2024-8190) was exploited in multiple attacks. Ivanti confirmed the breaches and urged customers to upgrade to CSA 5.0, which is not affected by this vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that a vulnerability (CVE-2024-40766) in SonicWall devices is being actively exploited, urging immediate patching to prevent potential ransomware attacks.
Cyberwar between Russia and Ukraine: Updates
The U.S. government unsealed an indictment against individuals involved in Russian military intelligence, accusing them of using WhisperGate malware to target Ukrainian government systems and critical infrastructure before the 2022 invasion. A reward of up to $10 million is offered for information that could aid in prosecuting those responsible for these destructive cyberattacks.
Pro-Ukraine hackers claimed responsibility for a cyberattack on Russia’s digital signature certification agency, disrupting its services and defacing its websites with a message stating that proceeds from the sale of compromised data would support the Ukrainian armed forces.
Cybersecurity Justice
Europol announced the takedown of Ghost, an encrypted communication platform used by criminal organizations, with the Australian Federal Police arresting its alleged mastermind. The global operation spanned nine countries and targeted criminals using Ghost for drug trafficking, money laundering, and coordinating violent crimes, with 51 arrests made so far.
The U.S. Department of Justice announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger, aimed at spreading Russian government narratives and influencing the 2024 U.S. Presidential Election. The operation, directed by Russian companies and state actors, covertly promoted disinformation to reduce international support for Ukraine and bolster pro-Russian policies.
The Justice Department has indicted a Chinese national for spear phishing U.S. aviation agencies, including NASA, in an attempt to steal proprietary software and code related to aerospace engineering. The individual allegedly impersonated U.S.-based researchers and engineers over several years, targeting government agencies, research universities, and aerospace companies.
The FBI recently dismantled a China-linked botnet called Flax Typhoon, which infected hundreds of thousands of devices worldwide in an operation to exfiltrate data from organizations.
Europol announced that an international phishing operation, which victimized 483,000 people primarily in Spanish-speaking countries, was dismantled, resulting in 17 arrests across Spain and Latin America. The phishing-as-a-service platform, iServer, was run by an Argentinian national and used by over 2,000 criminals to unlock stolen phones.
The U.S. Department of Treasury has imposed sanctions on five executives and one entity linked to the Intellexa Consortium for their alleged involvement in the development and distribution of the Predator spyware.
The Singapore Police Force arrested five Chinese nationals and one Singaporean man for their alleged involvement in a global cybercrime syndicate. The operation, involving 160 law enforcement officers, resulted in the seizure of electronic devices, cash, and cryptocurrency valued at over USD 850,000.
The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) for a security lapse in March 2019, when the company disclosed that it had mistakenly stored users’ passwords in plaintext, violating multiple articles of the EU’s General Data Protection Regulation. The DPC criticized Meta for not promptly notifying them of the breach, failing to document the incident, and lacking adequate technical measures to protect user passwords, although Meta stated there was no evidence of internal abuse of the exposed passwords.
AT&T has agreed to pay $13 million to settle an FCC investigation into a January 2023 data breach where hackers accessed customer information through a vendor’s cloud environment. As part of the settlement, AT&T will strengthen its data governance practices and improve supply chain security to prevent future breaches.
The Federal Trade Commission (FTC) will fine security camera company Verkada $2.95 million for poor security practices that led to a data breach and for violating the CAN-SPAM Act by sending over 30 million unsolicited emails.
Two individuals were indicted for managing a Russian dark web marketplace known for selling stolen credit card data and offering cybercrime courses. If convicted, they face up to 20 years in federal prison, with their vehicles subject to forfeiture as part of the charges.
U.S. federal prosecutors have unsealed charges against three Iranian nationals linked to the Islamic Revolutionary Guard Corps (IRGC) for hacking U.S. officials and media members as part of a conspiracy to undermine the U.S. electoral process.
The U.S. State Department is offering a $1 million reward for information leading to the arrest of a Russian hacker, charged with multiple cyber crimes, including wire fraud and identity theft. The hacker is accused of conspiring to traffic stolen payment card information from U.S. businesses between 2014 and 2016.
In a major policy shift, Telegram has announced it will share users’ IP addresses and phone numbers with authorities in response to valid legal requests to combat criminal activity on the platform.
The U.S. Department of Commerce has proposed a ban on the import or sale of connected vehicles using software and hardware from foreign adversaries, particularly China and Russia, to safeguard national security and protect against potential cyber threats.
FinTech Updates
German law enforcement has shut down 47 cryptocurrency exchange services, utilized by ransomware gangs and other cybercriminals for money laundering. These unregulated platforms, which allowed users to exchange cryptocurrencies anonymously without registration or identity verification, were designed to obscure the origins of funds and were identified as critical components of the cybercrime industry.
U.S. and Dutch law enforcement took coordinated actions against several cryptocurrency exchanges linked to Russian cybercrime, including sanctions and website seizures. The operation targets exchanges accused of facilitating money laundering and ransomware activities.
Twelve individuals involved in a series of armed cryptocurrency robberies have been sentenced, including a Florida man who received 47 years in prison for leading violent home invasions. The group initially engaged in SIM-swapping to steal cryptocurrency, but later escalated to physical robberies, resulting in over $3.5 million stolen from victims.
The FBI arrested two individuals accused of stealing over $230 million in cryptocurrency from a victim and laundering the proceeds through various exchanges and mixing services. The indictment alleges that they gained unauthorized access to cryptocurrency accounts and transferred funds to wallets they controlled (using VPNs and other tools to conceal their identities) while spending the stolen funds on luxury items and vacations.
Binance warned users about “Clipper” malware, a global malware campaign that alters cryptocurrency withdrawal addresses, leading to significant financial losses.
Singaporean crypto platform BingX reported that over $44 million was stolen in a cyberattack that prompted an emergency shutdown and temporary suspension of withdrawals after abnormal network access was detected in their hot wallet.
Hackers stole over $27 million worth of Ethereum from the Penpie DeFi protocol, leading the platform to shut down withdrawals and deposits. Penpie has filed reports with both the FBI and Singapore police, while also reaching out to the hacker, offering a bounty payment for the return of the funds.
MoneyGram announced that a recent cybersecurity incident caused network outages, affecting users attempting to send money.
Slim CD, a payment-processing company, reported that a mid-June data breach potentially affected nearly 1.7 million individuals, exposing sensitive information such as names, addresses, and credit card details.
Indodax, Indonesia’s largest cryptocurrency exchange, temporarily halted operations and pledged to reimburse users following a theft of $22 million, citing a security issue on its platform.
Cybersecurity News Across The Globe
- A teenager was arrested by the National Crime Agency (NCA) in connection with a cyberattack on Transport for London (TfL), which confirmed that the data of around 5,000 customers was accessed during the incident.
- Polish security services dismantled a cyber sabotage group linked to Russia and Belarus that targeted local government agencies and state companies, intending to disrupt critical infrastructure. The group was allegedly involved in cyberattacks, including an operation that compromised Poland’s anti-doping agency, POLADA, leaking sensitive athlete data.
- Several well-known French retailers, including Boulanger and Cultura, confirmed that hackers stole customer data in a recent cyberattack.
- Japanese media giant Kadokawa is still investigating a June ransomware attack after the BlackSuit gang reportedly leaked new stolen data earlier this week on the dark web.
- The U.S. Treasury Department sanctioned a Cambodian tycoon and his conglomerate for allegedly trafficking people into forced labor at online scam centers.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.