Threat Intelligence RoundUp: June
July 01, 2024
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. Police arrest Conti and LockBit ransomware crypter specialist – Bleeping Computer
The Dutch police and the Ukraine cyber police revealed this week that they arrested a man in April, 2024, who worked with both Conti and LockBit ransomware gangs. The man, whose name has not yet been revealed, made ransomware payloads fully undetectable, and sold his skills to both groups. He also directly participated in at least one ransomware attack himself. Full article here.
2. Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks – Dark Reading
With increased geopolitical tensions around the globe and constant connectedness of devices, industrial control system (ICS) experts Rockwell Automation emphasized Cybersecurity and Infrastructure Security Agency’s (CISA) previous warning about water supplies, telecommunications companies, power plants, and more sensitive, daily life services coming under digital attack. Russia, Iran, and China are all leading malicious campaigns to disrupt daily services and stoke fear among civilian populations. Read more.
3. CISA warns of criminals impersonating its employees in phone calls – Bleeping Computer
The Cybersecurity and Infrastructure Security Agency (CISA) publicly warned that threat actors are impersonating CISA employees for financial gain. Actors are calling people and asking for cryptocurrency, gift cards, cash, and other financial resources. CISA provided a hotline for individuals to call, and report attempted impersonation and scam phone calls. This is the second such campaign in a year. Article here.
4. ONNX phishing service targets Microsoft 365 accounts at financial firms – Bleeping Computer
A new Phishing-as-a-service (PhaaS) platform, ONNX Store, is using Microsoft 365 accounts to target employees of the financial sector using malicious QR codes in PDF attachments. The operation uses Telegram bots and can bypass multi-factor authentication (MFA). The main threat is the bots posing as an HR employee, offering “raises” or salary discussion to employees of credit unions, banks, and other financial firms. Read article.
5. Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware – The Hacker News
Governments and critical infrastructure around the globe were heavily targeted between 2021 and 2023 by gangs such as ChamelGang (CamoFei), and a ransomware variant known as CatB. The goal of these attacks, conducted by both Chinese and North Korean actors who have a suspected overlap, was espionage. ChamelGang also uses Cobalt Strike in its operations. Full article here.
6. Microsoft Uncovers ‘Moonstone Sleet’ — New North Korean Hacker Group – The Hacker News
“Moonstone Sleet” recently debuted as one of the newest North Korean hacker groups. Thus far, the group has been observed using fake companies to lure possible job applicants as targets, and then deploys trojans and in some instances, a new custom ransomware. Microsoft states that the new collective also has overlap with Lazarus group, in some instances. However, it has its own unique tactics, techniques, and procedures (TTPs) which occur on completely different infrastructure than Lazarus Group. Code reuse from the Comebacker malware also targets security researchers. Full article.
7. BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder? – The Hacker News
Only two weeks after an international law enforcement operation took the onion website and Telegram channel for BreachForums offline, one of the domains – breachforums[.]st – returned to operation with a user named “ShinyHunters” operating it. This time, however, users are required to establish a user account before viewing the site’s content. Read more.
8. Empire Market owners charged for enabling $430M in dark web transactions – Bleeping Computer
Continuing the global trend of cracking down on online criminal marketplaces and actors, actors “Dopenugget”, real name Thomas Pavey, and “Sydney/Zero Angel”, real name Raheim Hamilton, were charged by the US Department of Justice. While it is suspected they began their activity on AlphaBay, the men eventually went on to facilitate transactions for stolen credit card numbers, narcotics purchases, and other criminal underground material on Empire Market with a value of approximately $430 million dollars. Read here.
9. New V3B phishing kit targets customers of 54 European banks – Bleeping Computer
A new “V3B” phishing kit is on Telegram, used to target financial institutions in the Netherlands, Austria and Germany, Finland, Italy, and several other European countries. The kit runs between $130 – $450 a month and has customization options. The Telegram channel selling it has approximately 1,250 members as of the time of this writing and is expected to grow due to ease of use and availability. Read more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
