Cyber security week in review: April 7, 2023

Microsoft, Fortra, and Health-ISAC take legal action to disrupt cracked versions of Cobalt Strike

Microsoft’s Digital Crimes Unit (DCU), together with cybersecurity software company Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), announced they are taking legal action to disrupt the use of cracked copies of Cobalt Strike, Fortra’s legitimate and popular post-exploitation tool for adversary simulation, which cybercriminals abuse to distribute malware, including ransomware.

Microsoft says that the crackdown on illegal legacy copies of Cobalt Strike will significantly hinder the monetization of these tools and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics.

On March 31, the US District Court for the Eastern District of New York issued a court order allowing Microsoft and Fortra to seize the domain names and take down the IP addresses of servers hosting cracked versions of Cobalt Strike.

Using “detection, analysis, telemetry, and reverse engineering,” Microsoft and partners have tracked infrastructure worldwide, including in China, the United States and Russia, and they have observed nation-state groups in Russia, China, Vietnam and Iran using cracked copies of Cobalt Strike.

Stolen credentials shop Genesis Market disrupted, 119 suspects arrested in “Operation Cookie Monster”

Several domain names linked to Genesis Market, one of the most significant cyber fraud platforms, were seized as a result of an international law enforcement operation. Named “Operation Cookie Monster,” it involved the FBI, Europol, and law enforcement agencies from the UK, Poland, Canada, Norway, Spain and Sweden.

The underground market specialized in the sale of login credentials and authentication cookies; its main commodity was digital identities. As part of the operation, law enforcement agents arrested 119 suspects (users who sold and bought data on Genesis), conducted 208 property searches and 97 knock-and-talk measures. The platform’s administrators are still on the loose.

Users can check if their data was traded on Genesis here and here.

New dark web marketplace STYX focused on financial fraud

Security researchers spotted a new dark web marketplace called “STYX,” which focuses primarily on financial fraud, money laundering, and identity theft. Some of its offerings include cash-out services, data dumps, SIM cards, DDoS, 2FA/SMS bypass, fake and stolen ID documents, and banking malware. The marketplace opened sometime around January 19, 2023, but earlier mentions of its launch were noted by Resecurity analysts on the Dark Web in early 2022. More detailed analysis of the platform is available here.

Spain’s police arrest “dangerous” hacker Alcasec accused of multiple high-profile hacks

Spanish authorities arrested José Luis Huertas (aka Alcasec), a 19-year-old hacker regarded as one of the most dangerous hackers in the country and a “serious threat to national security.”

Huertas is allegedly responsible for multiple high-profile cyberattacks against government agencies, including the country's tax administration and judiciary service. The teen is also believed to be behind a search engine called Udyat (“the Eye of Horus”) that allows threat actors to obtain personal and sensitive data. In his YouTube videos Alcasec boasted that the platform contained data on 90% of Spain's population.

German police shut down criminal DDoS-for-Hire service FlyHosting

German authorities seized servers of FlyHosting, a dark web service catering to cybercriminals and threat actors operating DDoS-for-Hire services. The police issued eight search warrants on March 30, and identified five individuals aged 16-24 suspected of operating “an internet service” since mid-2021.

Europe, North America, and Australia most impacted in 3CX supply chain hack

Organizations in Europe, North America, and Australia account for the highest percentage of victims impacted by the high-profile 3CX supply chain attack that came to light last week.

According to Fortinet's data, Italy is the country with the highest percentage of victims (16.26%), followed by Germany (13.79%), Austria (11.88%), the United States (11.41%), South Africa (6.69%), Australia (6.21%), Switzerland (5.36%), the Netherlands (4.04%), Canada (3.95%), and the United Kingdom (2.92%). In terms of regional data, Europe is at the top with 60%, followed by North America with 16%.

Hackers exploit flaws in Cacti, Realtek to deploy Moobot and ShellBot malware

Various threat actors are exploiting vulnerabilities in Cacti servers and Realtek devices to infect the unpatched systems with Moobot (Perlbot) and ShellBot malware used for DDoS attacks.

The warning comes from researchers at Fortinet’s FortiGuard Labs who observed the attacks exploiting CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) in January and March 2023.

Due to the severity of the above-mentioned flaws, the cybersecurity firm recommends that users apply the relevant patches and updates as soon as possible to protect their systems from attacks.

Z2U data leak exposes 600K highly sensitive customer records

Z2U, a Chinese online gaming marketplace where users can trade and sell in-game items, game currency and gaming accounts, has leaked over 600,000 highly sensitive customer records, including images of individuals holding their credit card or passport.

According to vpnMentor researcher Jeremiah Fowler, who discovered Z2U’s non-password protected database, it appears that customers were selling much more than game-related accounts and services on the site. While analyzing the database, Fowler found seller ads for social media accounts, streaming services, Windows operating system and antivirus software licenses, as well as records of sale for malware.

ChatGPT linked to alleged leak of Samsung’s corporate data

Samsung Electronics workers reportedly leaked confidential corporate data on at least three occasions while interacting with ChatGPT, the AI-powered chatbot developed by US AI research and deployment company OpenAI.

The first two leaks occurred when Samsung employees entered sensitive information, such as semiconductor equipment measurement data and source code, into ChatGPT, thus making it part of the AI’s learning database, accessible not only to Samsung but to anyone using the chatbot.

The third leak happened when a Samsung employee sent ChatGPT an excerpt from a corporate meeting and asked it to create meeting minutes.

Samsung has taken measures to prevent further leaks, including warning employees about the information they provide to ChatGPT and limiting the capacity of each entry to 1024 bytes per question.

Italy temporarily blocks ChatGPT over security concerns

Italy’s data protection authority temporarily banned OpenAI’s ChatGPT chatbot and launched a probe over the AI tool's suspected breach of privacy laws. The watchdog alleges that ChatGPT has been illegally collecting user data and failing to protect minors. The regulator claims there's no “legal basis” for OpenAI's mass collection and storage of data for training ChatGPT's model and that the app is not always processing the information correctly.

The Italian watchdog gave OpenAI 20 days to address the data protection issues or pay a fine of €20 million or up to 4% of annual revenues.

Western Digital says data stolen in “network security incident”

Data storage devices maker Western Digital Corp suffered a network security breach that affected some of its systems and the company’s business operations. The company said unidentified hackers gained access to some of its internal systems on March 26. It’s unclear who was behind the attack. The incident does not appear to have yet been claimed by any major ransomware group.

Google shares details on Archipelago, a subset of North Korean APT43 hacking group

Google’s Threat Analysis Group (TAG) released a report detailing cyber activities of a North Korean state-backed threat actor it tracks as Archipelago that has been targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the United States since at least 2012.

The TAG team believes Archipelago is a subset of another North Korea-linked cyber-espionage group, APT43, which, according to a recent Mandiant report, is a moderately sophisticated threat actor that uses cybercrime to fund its espionage efforts. In past public reports some of this group's operations have been referred to as Kimsuky and Thallium.

Archipelago’s attack chains involve the use of phishing emails with malicious links that, when clicked, redirect the recipient to a fake login prompt designed to steal credentials.
