4 October 2024

Cyber Security Week in Review: October 4, 2024


Cyber Security Week in Review: October 4, 2024

US authorities disrupt FSB-linked ColdRiver hackers’ operations

A US court has seized 107 domain names used by the hacking group ColdRiver (also known as UNC4057, Star Blizzard and Callisto) for cyberattacks worldwide, including in the US. The lawsuit was filed by Microsoft and the US Department of Justice (DoJ). 66 domains were seized by Microsoft and 41 by the DoJ.

Investigations revealed that ColdRiver launched phishing attacks targeting Russian, Belarusian, and Western NGOs, politicians, human rights activists, independent journalists, and charitable organizations. The group is allegedly linked to the Federal Security Service (FSB) of Russia. In December, the UK and its Five Eyes allies tied ColdRiver to the FSB.

The hackers targeted a broad range of victims, including US-based companies and current/former employees of US intelligence, defense, and state departments, as well as defense contractors.

In December, the US State Department sanctioned two ColdRiver members, one of whom is an FSB officer, and the DoJ indicted them for their roles in a global hacking campaign. A $10 million reward is now offered for information on other ColdRiver members.

Joint police effort leads to more arrests, sanctions against Lockbit, EvilCorp members

In a new series of actions targeting LockBit ransomware actors and the group’s infrastructure, police arrested four suspects and seized servers critical for LockBit’s infrastructure.

According to Europol, a suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities apprehended two individuals for supporting the activity of a LockBit affiliate.

The Spanish police seized nine servers, part of the ransomware’s infrastructure, and arrested an administrator of a bulletproof hosting service used by the ransomware group. In addition, Australia, the United Kingdom and the United States implemented sanctions against an actor whom the UK’s National Crime Agency had identified as a prolific affiliate of LockBit and strongly linked to the Evil Corp cybercrime syndicate. The UK authorities sanctioned fifteen other Russian citizens for their involvement in Evil Corp’s criminal activities, while the US also sanctioned six citizens and Australia sanctioned two. Additionally, the US authorities have charged Aleksandr Ryzhenkov, a LockBit affiliate, with using BitPaymer ransomware to target American organizations.

The US accuses three IRGC-linked Iranians of ‘hack-and-leak’ campaigns

The DoJ indicted three Iranian nationals accused of orchestrating a ‘hack and leak’ scheme targeting both the Trump and Biden campaigns as part of an effort to influence the upcoming 2024 US presidential election. The three individuals identified as Masoud Jalili (36), Seyyed Ali Aghamiri (34), and Yaser Balaghi (37) are believed to have been working on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), which the US designated as a foreign terrorist organization in 2019.

The hacking campaign was not limited to the presidential candidates but also targeted current and former senior government officials, think tank personnel, journalists, activists, and lobbyists, the DoJ said. The group’s hacking activities reportedly began in 2019 and have continued through this year.

This week, the US and UK authorities issued a warning about ongoing cyber threats from actors working on behalf of the IRGC. The threat actors are leveraging social engineering techniques, such as spear-phishing, to gain access to the online accounts of individuals involved in Middle Eastern affairs, international politics, and human rights advocacy.

Critical Ivanti EPM RCE flaw and recently patched Zimbra bug exploited in the wild

Threat actors are exploiting a critical vulnerability in Ivanti's Endpoint Manager (EPM), tracked as CVE-2024-29824. The issue is an SQL Injection flaw that allows attackers to remotely execute arbitrary SQL queries on vulnerable appliances. Ivanti confirmed that a limited number of customers have been affected. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its catalog of exploited vulnerabilities.

Meanwhile, CVE-2024-45519, a recently patched vulnerability in Synacor's Zimbra Collaboration platform, is also being targeted. First detected by Proofpoint on September 28, 2024, attackers are exploiting this flaw to execute malicious commands through Zimbra's postjournal service.

DrayTek routers are plagued by critical flaws

DrayTek has issued security updates for several router models to fix 14 vulnerabilities, including a critical remote code execution flaw (CVE-2024-41592). Discovered by Forescout Research’s Vedere Labs, the flaws impact both current and end-of-life models, with DrayTek releasing patches for both due to the severity. Researchers identified around 785,000 potentially vulnerable DrayTek routers, with over 704,500 exposing their web interfaces to the internet. At present, there are no reports of exploitation, however, the full technical details have been withheld to give users time to apply the updates.

Rackspace hit with ScienceLogic zero-day attack

Cloud hosting provider Rackspace has confirmed that it suffered a security breach after threat actors exploited a zero-day vulnerability in the ScienceLogic IT operations platform. The breach, which took place on September 24, 2024, occurred when cybercriminals targeted a zero-day remote code execution vulnerability in a utility bundled with ScienceLogic's application (SL1), which Rackspace uses for internal system monitoring and customer dashboards. The flaw allowed the attackers to gain unauthorized access to Rackspace's internal monitoring web servers, which hosted critical performance monitoring tools. Currently, there are no additional details regarding the exploited vulnerability.

North Korea’s Andariel hackers caught targeting US firms

Symantec’s Threat Hunter Team has discovered new evidence of North Korea's Andariel group (aka Stonefly, APT45, Silent Chollima, Onyx Sleet) launching financially motivated cyberattacks against organizations in the US. In several of the detected intrusions, Stonefly used its custom malware, Backdoor.Preft (also known as Dtrack or Valefor), and a backdoor dubbed Nukebot not previously associated with Stonefly. Nukebot, which can execute commands, take screenshots, and transfer files, was likely obtained by Stonefly after its source code was leaked.

In a separate report, Securonix researchers take a deep dive into an ongoing campaign they track as “Shrouded Sleep,” attributed to APT37 (aka Reaper or Group123), a threat actor allegedly working on behalf of North Korea’s Ministry of State Security. The campaign involves VeilShell, a stealthy PowerShell-based malware delivered using a series of advanced evasion techniques and targeting victims in Southeast Asia.

Also, the North Korean state-backed hacker group Kimsuky (aka APT43) has been observed targeting German defense contractor Diehl Defense, which manufactures the IRIS-T air defense missile system. The attack was aimed at infecting the computers of Diehl employees with spyware.

New China-aligned threat actor CeranaKeeper steals data from Southeast Asian entities

A previously unknown threat actor named CeranaKeeper has been observed carrying out a series of data exfiltration attacks targeting governmental institutions in Southeast Asia. CeranaKeeper, which has been active since 2022, is linked to campaigns in Thailand, Myanmar, the Philippines, Japan, and Taiwan, aligning its activities with Chinese state-sponsored groups.

CeranaKeeper is notable for its evolving backdoor techniques, which allow it to evade detection and facilitate extensive data theft. One of the group's tactics involves the abuse of legitimate cloud and file-sharing services, including Dropbox and OneDrive, to create custom backdoors and data extraction tools.

FIN7 hackers are using AI to infect victims with info-stealers

The notorious Russian-linked APT hacking group FIN7 has launched a series of fake AI-powered ‘deepnude generator’ websites to infect users with information-stealing malware. Active since 2013, FIN7 is known for financial fraud and cybercrime, and it has ties to ransomware groups like DarkSide, BlackMatter, and BlackCat. According to Silent Push, FIN7 is using two malware-laden honeypot methods: one that requires a direct download and another with a more elaborate “free trial” process. In addition, FIN7 is running a malvertising campaign leveraging NetSupport RAT, targeting popular brands like SAP Concur, Microsoft, and FINVIZ with pop-up lures leading to .MSIX malware.

More than 140,000 phishing websites linked to Sniper Dz' PhaaS platform

More than 140,000 phishing websites have been discovered linked to a phishing-as-a-service (PhaaS) platform known as ‘Sniper Dz.’ Sniper Dz offers a free-of-charge model for would-be phishers, allowing cybercriminals to easily launch phishing campaigns. However, Sniper Dz also collects the victim credentials stolen through these campaigns, apparently to offset the costs of running the service.

Cybercriminals hack 5% of Adobe Commerce and Magento stores in CosmicSting attack

Nearly 5% of all Adobe Commerce and Magento stores have fallen victim to a malicious campaign dubbed ‘CosmicSting,’ according to a new report from Dutch cybersecurity firm Sansec. Among the victims are well-known brands such as Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway. The widespread attack, targeting thousands of e-commerce platforms, has compromised sensitive customer data and infected checkout pages with payment skimming malware. Sansec identified seven distinct hacker groups that have been exploiting the CosmicSting XML External Entity injection vulnerability (CVE-2024-34102) to infiltrate 4,275 online stores since June 2024.

Cloudflare thwarts a massive DDoS attack peaking at 3.8Tbps

Cloudflare said it blocked the largest publicly disclosed DDoS attack peaking at 3.8Tbps. The month-long DDoS attack campaign unleashed over 100 hyper-volumetric attacks, overwhelming network infrastructures across various industries, including financial services, internet providers, and telecommunications. The attack targeted both bandwidth saturation and resource exhaustion of in-line applications and devices, predominantly using UDP on a fixed port. The traffic originated globally, with major sources from Vietnam, Russia, Brazil, Spain, and the US. The attackers leveraged compromised devices such as MikroTik routers, DVRs, web servers, and ASUS home routers to coordinate high packet-rate and high bitrate attacks.

FakeUpdate malware campaign is targeting France

Researchers at Gen Threat Labs have warned of a new FakeUpdate malware campaign targeting France that involves the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates.

Perfctl malware targets Linux systems

A piece of malware called ‘perfctl’ has been stealthily targeting Linux servers and workstations for over three years, largely evading detection by utilizing rootkits and sophisticated evasion techniques. Its primary goal is cryptomining, specifically mining Monero. According to Aqua Nautilus, threat actors behind perfctl exploit server vulnerabilities, such as misconfigurations and exposed secrets, including publicly accessible credential files and unprotected login interfaces, to gain unauthorized access to Linux systems.

JPCERT/CC shares tips on detecting ransomware attacks via Windows event logs

The Japan Computer Emergency Response Center (JPCERT/CC) has issued an advisory detailing methods to detect ransomware attacks early through entries in Windows Event Logs (Application, Security, System, and Setup logs).
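The item above only says that the JPCERT/CC advisory works from Windows Event Log entries. As an added illustration of what such detection logic looks like in practice (this is editor-written example code, not the advisory's own rule set or any JPCERT/CC tooling), the script below scans a handful of constructed event records for two classes of signal a defender commonly watches for in the System and Security logs: single high-signal events (audit log cleared, event ID 1102; System log cleared, 104; new service installed, 7045; scheduled task created, 4698) and a burst of services terminating unexpectedly (several 7034 events within a short window). The choice of event IDs and thresholds is the editor's assumption, as are the sample records.

```python
"""Scan Windows event-log records for early ransomware indicators.

Editor-added example. The rules are an editor-chosen set of well-known
Service Control Manager / Eventlog event IDs, NOT the list from the
JPCERT/CC advisory, and the records below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (log name, event ID) -> description. Editor's assumptions.
SINGLE_EVENT_RULES = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System log cleared",
    ("System", 7045): "New service installed",
    ("Security", 4698): "Scheduled task created",
}

# (log name, event ID) -> (description, count, window). Fires when `count`
# matching events land inside `window`. Thresholds are assumptions.
BURST_RULES = {
    ("System", 7034): ("Multiple services terminated unexpectedly",
                       3, timedelta(minutes=5)),
}

# Constructed sample records (ISO-8601 timestamps, sortable as strings).
SAMPLE_EVENTS = [
    {"time": "2024-10-01T09:00:00", "log": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"time": "2024-10-01T09:01:00", "log": "System", "event_id": 7034,
     "message": "The Volume Shadow Copy service terminated unexpectedly."},
    {"time": "2024-10-01T09:01:30", "log": "System", "event_id": 7034,
     "message": "The SQL Server service terminated unexpectedly."},
    {"time": "2024-10-01T09:02:10", "log": "System", "event_id": 7034,
     "message": "The Windows Backup service terminated unexpectedly."},
    {"time": "2024-10-01T09:03:00", "log": "Security", "event_id": 4624,
     "message": "An account was successfully logged on."},
    {"time": "2024-10-01T09:05:00", "log": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"time": "2024-10-01T09:06:00", "log": "Application", "event_id": 1000,
     "message": "Faulting application name: notepad.exe"},
]


def scan(events):
    """Return a list of alert dicts, in time order, for the given records."""
    alerts = []
    recent = defaultdict(list)  # burst key -> timestamps inside the window

    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["log"], ev["event_id"])
        ts = datetime.fromisoformat(ev["time"])

        if key in SINGLE_EVENT_RULES:
            alerts.append({"time": ev["time"], "log": ev["log"],
                           "event_id": ev["event_id"],
                           "reason": SINGLE_EVENT_RULES[key]})

        if key in BURST_RULES:
            reason, count, window = BURST_RULES[key]
            seen = recent[key]
            seen.append(ts)
            # Slide the window: forget timestamps older than `window`.
            while seen and ts - seen[0] > window:
                seen.pop(0)
            if len(seen) >= count:
                alerts.append({"time": ev["time"], "log": ev["log"],
                               "event_id": ev["event_id"],
                               "reason": f"{reason} ({len(seen)} in "
                                         f"{int(window.total_seconds())}s)"})
                seen.clear()  # one alert per burst, not one per extra event

    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["log"]}/{a["event_id"]}: {a["reason"]}')
```

On the constructed records this yields two alerts: the third 7034 at 09:02:10 trips the burst rule, and the 1102 at 09:05:00 trips the single-event rule; the 7036, 4624 and 1000 records are ignored. In a real deployment the records would come from an EVTX export or a SIEM query rather than an inline list, and the thresholds would be tuned against the environment's normal service-restart rate.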

In parallel, security agencies from Australia, the US, UK, Canada, and New Zealand released a joint comprehensive advisory detailing the tactics threat actors use to target Microsoft Active Directory (AD) environments.

The Counter Ransomware Initiative (CRI) issued guidance for organizations experiencing a ransomware attack and partner organizations supporting them.

UK national charged in multimillion-dollar hack-to-trade scheme targeting American firms

US authorities have charged a British national, Robert B. Westbrook, with orchestrating a sophisticated hacking scheme that targeted five US companies, enabling him to illicitly trade on the stock market. Westbrook allegedly stole confidential corporate earnings reports and used this insider information to make more than $3.75 million in illegal profits before official announcements were made public.

On the same note, the US government has indicted Benjamin Paley, a 75-year-old co-owner of GEN8 Services, for his role in an international conspiracy to sell counterfeit license keys for networking devices. Along with co-conspirators Wade Huber and David Rosenblatt, Paley allegedly participated in a scheme from 2014 to 2022 to traffic forged software keys for Brocade switches.

In another case, Evan Frederick Light, a hacker from Indiana, has pleaded guilty to conspiracy to commit wire fraud and money laundering after stealing over $37 million in cryptocurrency from nearly 600 victims. Light infiltrated the computer servers of an investment firm to steal customer information, which he then used to siphon digital assets from the firm's clients. To conceal his identity and launder the stolen funds, Light funneled them through crypto mixers and gambling websites. He pleaded guilty on September 30 and faces up to 20 years in prison for each charge.

In a rare move, Russian authorities have apprehended 96 individuals linked to the Cryptex cryptocurrency exchange, the UAPS anonymous money transfer system, and 33 other illegal payment systems.

Last but not least, eight people have been arrested as part of an international crackdown on cybercrime, focused on combating cyber-enabled crimes in West Africa. The scam, which caused over $1.4 million in losses, involved fraudsters posing as buyers on small advertising websites. They used QR codes to lead victims to fake payment platforms, where victims entered personal details. The criminals also impersonated customer service agents over the phone to further deceive the victims.
