Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
The Dutch police and the Ukrainian cyber police revealed this week that they arrested a man in April 2024 who worked with both the Conti and LockBit ransomware gangs. The man, whose name has not yet been released, specialized in making ransomware payloads fully undetectable by antivirus products and sold that service to both groups. He also directly participated in at least one ransomware attack himself. Full article here.
With increased geopolitical tensions around the globe and the constant connectedness of devices, industrial control system (ICS) vendor Rockwell Automation reiterated the Cybersecurity and Infrastructure Security Agency's (CISA) earlier warning that water supplies, telecommunications companies, power plants, and other services that daily life depends on are coming under digital attack. Russia, Iran, and China are all running malicious campaigns aimed at disrupting daily services and stoking fear among civilian populations. Read more.
The Cybersecurity and Infrastructure Security Agency (CISA) publicly warned that threat actors are impersonating CISA employees for financial gain. The actors call people and ask for cryptocurrency, gift cards, cash, and other forms of payment. CISA provided a hotline for individuals to call and report attempted impersonation and scam phone calls; note that CISA staff will never ask for payment of any kind. This is the second such campaign in a year. Article here.
A new phishing-as-a-service (PhaaS) platform, ONNX Store, is targeting the Microsoft 365 accounts of financial-sector employees using malicious QR codes embedded in PDF attachments. The operation is run through Telegram bots and can bypass multi-factor authentication (MFA), since the victim completes the login, MFA prompt included, on the attacker's page. The lure is a message posing as an HR employee, offering "raises" or a salary discussion to employees of credit unions, banks, and other financial firms. Read article.
Governments and critical infrastructure around the globe were heavily targeted between 2021 and 2023 by ChamelGang (also tracked as CamoFei), which deployed a ransomware variant known as CatB. The goal of these attacks, attributed to Chinese and North Korean actors with a suspected overlap between them, was espionage, with the ransomware serving as cover. ChamelGang also uses Cobalt Strike in its operations. Full article here.
"Moonstone Sleet" recently debuted as one of the newest North Korean hacker groups. Thus far, the group has been observed using fake companies to lure job applicants as targets, then deploying trojans and, in some instances, a new custom ransomware. Microsoft states that the new collective overlaps with Lazarus Group in some instances. However, it has its own unique tactics, techniques, and procedures (TTPs) and operates on completely different infrastructure from Lazarus Group. Microsoft also observed reuse of code from Comebacker, malware Lazarus Group previously used against security researchers. Full article.
Only two weeks after an international law enforcement operation took the onion site and Telegram channel for BreachForums offline, one of the domains, breachforums[.]st, returned to operation, run by a user named "ShinyHunters". This time, however, users are required to register an account before viewing the site's content. Read more.
Continuing the global trend of cracking down on online criminal marketplaces and their operators, the US Department of Justice charged Thomas Pavey ("Dopenugget") and Raheim Hamilton ("Sydney" / "Zero Angel"). While they are suspected to have begun their activity on AlphaBay, the men went on to facilitate transactions for stolen credit card numbers, narcotics purchases, and other criminal underground goods on Empire Market with a total value of approximately $430 million. Read here.
A new "V3B" phishing kit is being sold on Telegram and used to target financial institutions in the Netherlands, Austria, Germany, Finland, Italy, and several other European countries. The kit costs between $130 and $450 a month and offers customization options. The Telegram channel selling it had approximately 1,250 members as of this writing and is expected to grow because of the kit's ease of use and availability. Read more.