The landscape of ransomware attacks has shifted dramatically, with cybercriminals increasingly using AI to automate, accelerate, and scale their operations. These attacks now target sectors like healthcare, manufacturing, and critical infrastructure, exploiting their reliance on uptime and historical underinvestment in cybersecurity. The rise in ransomware attacks—up 67% in 2023—has expanded attack surfaces, making businesses of all sizes vulnerable. Small to medium enterprises are particularly at risk, as many lack adequate cybersecurity resources
AI, while leveraged by attackers, also offers a robust countermeasure for defenders. It enables organizations to automate detection, flag anomalies in administrative activities, and track malware proliferation through advanced techniques like hash-based monitoring. Generative AI tools, such as copilots, can guide IT teams in assessing vulnerabilities, crafting recovery strategies, and implementing tailored protection policies. These innovations reduce manual errors and enhance rapid response to ransomware incidents
Ransomware tactics are evolving, with a growing focus on data theft over traditional encryption methods. Stolen intellectual property, financial records, or customer data provides leverage in negotiations and inflicts lasting reputational damage on victims. Furthermore, attackers are exploiting dual-use tools like remote access software and file-sharing utilities, which blend into legitimate activity. Detecting such misuse requires behavioral analysis and proactive exposure management rather than traditional signature-based defenses
To mitigate these threats, businesses must adopt comprehensive cyber resilience strategies. These include maintaining a 3-2-1 backup model, integrating AI capabilities for automated responses, and regularly rehearsing recovery plans. Such preparation ensures faster containment and recovery, ultimately reducing the operational and financial impact of ransomware incidents
The article discusses the increasing financial impact of cybercrime on businesses, with attacks like ransomware and DDoS causing significant losses. Average costs for DDoS attacks have risen to $6,000 per minute, while ransomware payouts have skyrocketed, with a record-breaking $75 million ransom paid in 2024. Third-party vendor breaches and industry-specific vulnerabilities are also contributing to escalating costs.
Companies are facing growing pressure to address these threats, yet many are struggling with cybersecurity talent shortages and burnout. Despite paying ransoms, recovery costs continue to rise, and cyber insurance often doesn’t cover all expenses. Investing in preventive measures and continuous monitoring is critical to mitigate risks.
For more detailed insights, check the full article here.
Cybersecurity professionals are increasingly prepared to moonlight as cybercriminals in a bid to top up their salaries, according to new research from the Chartered Institute of Information Security (CIISec).
The institute enlisted the help of a former police officer and covert operative to analyze dark web forum job adverts from June to December 2023.
What he found was a surprising number of what seemed to be cybersecurity professionals at various stages of their career prepared to sell their skills for nefarious ends.
“After years of working in the cybersecurity and law enforcement fields, it becomes relatively easy to spot cybercriminals from professionals moonlighting from other industries,” he explained.
“These adverts might allude to current legitimate professional roles, or be written in the same way as someone advertising their services on platforms like LinkedIn. In an industry that is already struggling to stop adversaries, it’s worrying to see that bright, capable people have been enticed to the criminal side.”
The study revealed three types of professional touting for business on underground sites:
Experienced IT and cybersecurity professionals, including pen testers, AI prompt engineers and web developers. Some claimed to work for a “global software agency” while others stated they needed a “second job”
New starters in cybersecurity looking for both work and training. Professional hacking groups also advertise for young talent, with some offering on-the-job training in areas such as OSINT and social media hacking
Professionals from industries outside cybersecurity/IT, including PR, content creation and even one out-of-work voice actor advertising for work on phishing campaigns
CIISec warned that, in many cases, salaries do not reflect the long hours and high-stress environments that many security professionals find themselves in. CIISec CEO, Amanda Finch, cited Gartner research revealing that 25% of security leaders will leave the industry by 2025 due to work-related stress.
“Our analysis shows that highly skilled individuals are turning to cybercrime. And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge,” she argued.
“Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”
Finch called on the industry to increase salaries and improve working conditions, or risk as many as 10% of the workforce leaving a profession already experiencing persistent skills shortages.
The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.
The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward offer of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.
This additional reward aims to target affiliated and initial access brokers involved and that facilitated the attacks of the group.
On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.
On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.
On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.
The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, Austria and Europol.
“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Guttingen.” reads the message published by law enforcement on the seized websites.
“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.
The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation, it amassed hundreds of millions of dollars in ransom payments.
The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.
“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”
According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.
People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion.
2024 is shaping up to be a record-breaking year for data breaches, according to Experian. Despite 2023 being labeled as a ‘successful’ year for malicious actors, the upcoming months may bring forth developments that could further disrupt the cybersecurity landscape.
Supply chain vulnerabilities amplified
There’s no question third-party data breaches have made headlines. With increased data collection, storage, and movement, there are plenty of partners down the supply chain that could be targeted. We predict attacks on systems four, five or six degrees from the source as vendors outsource data and technology solutions who outsource to another expert and so on.
Digital transformation is expanding threat surfaces. SaaS platforms and public cloud infrastructures, are pushing the perimeter out into the internet itself—putting users at greater risk.
When trying to achieve a goal, it’s said that taking small steps can lead to big results. Hackers could apply that same rule. Instead of making drastic moves and trying to reap instant reward such as with ransomware, bad actors may manipulate or alter the tiniest bits of data to stay under the radar such as changing a currency rate or adjusting the coordinates for transportation, which can have a major impact.
It’s widely known who the major players are globally that sponsor attacks and a new country in South Asia may join the international stage with their large population of engineers and programmers. While reportedly having been in the game focusing cyberattacks regionally due to political tensions, this country may broaden their sights in the future.
Plutonium, terbium, silicon wafers — these rare earth materials that are the building blocks for today’s hardware are rapidly becoming the most sought-after resources on the planet. Any disruption to an strained supply chain could send the industry (and the economy that relies on these materials) spinning.
This presents an intriguing opportunity for threat actors seeking mass disruption or nations looking to corner markets.
“Cybercriminals are continually working smarter, not harder,” said Michael Bruemmer, VP, Global Data Breach Resolution at Experian. “They are leveraging new technologies like artificial intelligence and applying their talents in different ways to be more strategic and stay a step ahead. Organizations should not ignore even the slightest security abnormalities and be more aware of what global interests may make them a target.”
Winning from the inside
Like drug cartels, cybergangs are forming sophisticated organizations as joining like-minded actors can be incredibly advantageous. This spans globally with countries potentially helping each other to advance common goals and interests. We’ll see more hackers for trade, crews looking to expand their monopolies, and cyberwarfare alliances.
In 2024, enterprising threat actors may target more publicly traded companies to gain insights to cheat the stock market or plan their attacks and sell their stash before value nosedives. Rather than breach an organization and play in the underground with stolen data, threat actors could leverage data extraction and their talents in plain sight as everyday investors.
“Today, perpetrators can come from anywhere in the world and bring with them robust resources and expertise,” added Jim Steven, Head of Crisis and Data Response Services at Experian Global Data Breach Resolution in the United Kingdom. “There are many global crime syndicates and nation-backed operations, so companies need to invest in sophisticated prevention and response methods to protect themselves.”
Written and directed by Kilian Lieb and Max Rainer, Cyberbunker is a Netflix documentary about a group of hackers that enabled the proliferation of dark web forums where illegal materials were bought and sold.
Cyberbunker: The Criminal Underworld
The documentary begins with a special police unit performing a raid in what looks like a military bunker. We are then shown a thin individual with glasses and long, gray hair: Herman Johan Xennt.
The (now) 64-year-old Dutchman, who is currently serving a prison sentence in Germany, is a bunker aficionado, having been fascinated with them since he visited a WWII bunker in Arnhem when he was a kid.
Understanding the possibilities of computer technology and the internet, he first opened a profitable computer store in the early 90s. In 1995, with the money earned from this business, he was able to buy a former NATO bunker in the southern part of the Netherlands, which ended up being the location of the first Cyberbunker – a company that provides internet and web hosting services to questionable operations.
In 2002, a fire broke in the bunker and revealed the existence of an MDMA lab. Xennt claimes that he knew nothing about the lab and that he was simply subletting part of the bunker to another group. For many years after, the company’s servers were located above ground, in Amsterdam. In 2013, Xennt found and purchased a 5-level underground Cold War-era bunker in Traben-Trarbach, a small town in the South of Germany.
But the town’s mayor soon grew suspicious of the activities going on in the bunker and decided to contact the authorities, which started telephone surveillance in 2015. The group communicated in codes, though, which made crime identification impossible. In 2017, the authories began monitoring the network node to identify illegal data traffic.
This led to the discovery of evidence of criminal activity: Cyberbunker provided hosting for dark web marketplaces, a forum for exchanging illegal drugs, counterfeit money and fake identification, and more.
The undercover operation provided crucial information to the police, helping them to plan and execute a successful raid. Xennt and his criminal colleagues were arrested, and over 280 servers hosting websites for up to 200 customers were shut down.
The idea of “freedom of the internet”
Cyberbunker was know among cybercriminals as a “bulletproof hoster”, which meant that the servers hosting the content stayed online no matter what (i.e., even if the authorities requested sites’ removal). It also guaranteed privacy, which was very convenient for anyone who wanted to host questionable or illegal content.
Cyberbunker advertised that it would host everything except child pornography and terrorism-related content, but the group later claimed that they didn’t really know what the clients were using their servers for.
The group was driven by the idea of “freedom of the internet” and, during the interviews with all the members of the group (including Xennt), we can see that they have a twisted idea of what it should be.
They went so far as to declare the Republic of Cyberbunker, with its “administration” and hierarchy, and perpetuated the delusion that what they were doing was good.
Does it strike the right chord?
The documentary is suitable for a wide audience and does not burden the spectator with technical details. Instead, it has a movie-like format that’s captivating and easy to follow.
The timeline of the events is well presented and clear, complemented with historical data about the main “character” – Xennt – and original private and police footage.
The authors tried to create a tense and scary atmosphere, though the characters at times act bizarrely and seem out of touch with reality that, on occasion, you might almost feel sorry for them. It’s hard to believe these individuals thought they were untouchable and that, even after getting arrested, they were still convinced they were making the world a better place.
An specialist in Russian cybersecurity who was sought by the United States has been arrested by officials in Kazakhstan, according to his employer, who made the announcement on Wednesday. At the same time, authorities in Moscow said that they will also pursue his extradition.
According to a statement released by the business, Nikita Kislitsin, an employee of the Russian cybersecurity firm F.A.C.C.T., was arrested on June 22. The Kazakh authorities are now reviewing an extradition request from the United States of America. Nikita Kislitsin was arrested in 2012 and accused of selling the usernames and passwords of American clients of the social networking firm Formspring. The facts of the arrest and the motivation for it are not clear; nonetheless, the case against Kislitsin was filed. After Group-IB left Russia earlier this year, the spinoff business that was established there and was branded as F.A.C.C.T. had Kislitsin working as the head of network security for both companies.
According to a statement released by Group-IB on Telegram, the arrest of Kislitsin is not connected to his employment there in any way. The F.A.C.C.T. said that the allegations brought against Kislitsin originated from his time “as a journalist and independent researcher,” but they could not disclose any other information. Kislitsin served as the editor-in-chief of the Russian publication “Hacker,” which is primarily concerned with information security and hacking at one point in his career.
In a separate proceeding that took place on Wednesday, a Moscow court issued a warrant for Kislitsin’s arrest on allegations that are associated with the unlawful access of confidential computer information. Russia has indicated that it would demand his extradition from Kazakhstan as well.
Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals.
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.
Microsoft Digital Crimes Unit (DCU) announced that has collaborated with Fortra, the company that develops and maintains the tool, and Health Information Sharing and Analysis Center (Health-ISAC) to curb the abuse of Cobalt Strike by cybercriminals.
The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike (“refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool”) so they can no longer be used by cybercriminals.
Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is used to conduct multiple malicious activities, including escalating privileges, lateral movements, and deploying additional malicious payloads.
“More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware.” reads the court order. “Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft’s Window operating system, Defendants are able to execute a series of actions involving abuse of Microsoft’s copyrighted declaring code.”
Example of an attack flow by threat actor DEV-0243.
Microsoft observed more than 68 ransomware attacks, involving the use of cracked copies of Cobalt Strike, against healthcare organizations in more than 19 countries around the world.
The attacks caused huge financial damages to the attacked hospitals in recovery and repair costs, plus interruptions to critical patient care services.
Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.
“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done.” concludes the report.
In November 2022, Google Cloud researchers announced the discovery of 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions.
Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries
Europol has dismantled a gang linked to a $40 million CEO scam. Find out more about how this international criminal syndicate was uncovered and who was involved.
The email scam gang behind France’s largest-ever CEO scam has been dismantled after a coordinated police operation across multiple countries was successful in arresting six people in France and two in Israel.
The Europe-wide operation to track down the Franco-Israeli criminal organization involved the Croatian National Police, the Croatian Anti Money Laundering Office, the French National Police, the French Gendarmerie, the Hungarian Budapest Metropolitan Police, the Israel Police, the Portuguese Judicial Police, and the Spanish National Police.
In early December 2021, one of the gang members, now arrested as a suspect, impersonated the CEO of a metallurgy company in northeastern France and tricked the accountant into making an urgent and confidential transfer of €500,000 ($530,000) which was subsequently spotted and blocked.
In late December 2021, according to Europol’s press release, Sefri-Cime, a real-estate developer, fell victim to the same group after its members impersonated lawyers working for a well-known French accounting firm. According to Europol, they persuaded the Chief Financial Officer (CFO) to transfer almost €38 million ($40 million) altogether.
The criminal network, consisting of French and Israeli nationals, used a pre-existing money laundering scheme that laundered the funds via European countries, China, and then Israel. An investigation that followed revealed the money mules working for the gang in Croatia, Portugal, and Hungary.
The police were able to seize electronic equipment and vehicles, €3 million from Portuguese bank accounts, €1.1 million from Hungarian bank accounts, €600,000 from Croatian bank accounts, €EUR 400,000 from Spanish bank accounts and €350,000 in virtual currencies.
The operation continued for five days between January 2022 and 2023 in France and Israel, leading to eight house searches and eight arrests, including the alleged Israeli gang leader, according to Europol.
As part of the criminal case against a former student of the University of Puerto Rico (UPR), a judge in Puerto Rico sentenced him to serve 13 months in federal prison.
The former student, Iván Santell-Velázquez (aka Slay3r_r00t) was accused of hacking over a dozen of the university’s female classmates’ email and Snapchat accounts.
On July 13, Ivan pled guilty to being a cyberstalker, admitting that he had targeted over 100 students in his online campaign. He also engaged in other schemes to steal information such as using spoofing and phishing.
He has been accused of harassing women and in some cases, he has published pictures that he has stolen from them in their nudist states between 2019 and 2021.
Apart from hacking student email accounts, he also managed to get access to multiple university email accounts by spoofing and phishing attempts through which he gathered personal information.
Students Data Stolen
The appellant, Iván Santell-Velázquez targeted 15 female students in total at the University of Puerto Rico. A victim of cyberstalking may experience a significant amount of emotional distress as a result of it.
“The prosecution of cyber criminals is a top priority in the Justice Department. Cybercrimes not only cause financial losses to corporate victims but also result in financial and psychological harm to vulnerable victims, oftentimes children or the elderly. This conduct will not be tolerated.”
“This case also demonstrates the importance of safeguarding personal information and passwords, and the care we must take when responding to suspicious e-mails and text messages.”
As a result of his illicit crimes, Iván Santell-Velázquez was sentenced to 13 months of rigorous imprisonment along with 2 years of supervised release for cyberstalking by Silvia Carreño Coll, the U.S. District Court Judge.
In recent weeks, cybercrime and data breaches have become unavoidable topics in Australia. Many citizens have been forced to confront – for the first time – the reality of living in a disrupted digital world, where our personal data has become the most valuable commodity.
Of course, as tech leaders, this is a topic that keeps us awake at night. No part of our economy has proven immune from the impacts of cybercrime and data breaches.. Government agencies at all levels, large organisations, critical infrastructure providers, small-to-medium enterprises, families and individuals have all been targets.
Our customers sleep soundly at night in the knowledge there will be no unauthorised access to their physical digital infrastructure located in our data centres.
The $33 billion question
However, it’s not just CISOs who should be worried, particularly when considering this key question: What is the true cost to our economy of cybercrime?
The cost extends far beyond the financial. Aside from the financial costs there are the non-financial costs to individual companies that are victims of these attacks. This includes reputational damage, remedial distraction, service interruptions and process breakdowns. Cybercrime also poses a major threat to consumer trust, innovation, and growth across the digital economy.
In other words, security risk management is fast becoming every business leader’s problem – not just for CISOs and CSOs.
The four pillars of security risk management
At NEXTDC, we’ve been talking for some time about the importance of an integrated approach to security risk management around digital infrastructure. The conversation so far has been focused on how there must be a ‘mesh’ or integrated approach to physical and cyber security. These are the first two pillars of robust security risk management and, , they have converged to the point where you can’t have one without the other.
However, there are two additional pillars to security risk management. These are less well-known but are no less important – people and processes, and supply chain and business continuity. And responsibility for those extends far beyond the technology department.
The remainder of this article will focus on the people and processes pillar. A subsequent blog will address supply chains and business continuity.
What does converged security mean from a people and process perspective?
Most of us are familiar with the terms converged or integrated security risk management, but what does that really mean from a people and process perspective? For most organisations, it comes down to what it is you’re trying to protect against. In general, that will fall into one of two categories: accidental or deliberate (malicious) human actions.
While it’s usually the malicious actors who get the most airtime (put your hand up if you immediately visualise a shadowy figure in a hoodie hunched over a laptop when you hear the word ‘hacker’!) – the evidence suggests we should be far more worried about accidental actions.
Malicious actors are everywhere, constantly active and becoming increasingly sophisticated, but human error is still the greatest cause of data breaches. Robust physical environments – supported by cutting edge technology, education to create awareness amongst people and the right processes to support them – are still the most important component of holistic security strategy.
Build a ‘ready for anything’ security mesh
As pressure continues to mount around data protection and sovereignty, an enhanced security posture is best achieved by partnering strategically with a trusted provider. A supply chain partner who will take on not only the heavy lifting that gets you to your ideal state, faster and safely, but also without significant capital investment in infrastructure, personnel and meeting compliance.
Your provider’s security risk management must be completely aligned with yours, so ensure you ask the right questions during the evaluation process. Make sure you dig deep into factors such as:
Security awareness programs, policies and procedures for staff and suppliers (including personnel screening, both pre-employment and also right throughout tenure)
Compliance with the certification programs and standards relevant to your organisation and industry
Internal and external audit procedures.
Your customers, regulators, investors and partners are depending on you to get security risk management right and the consequences of falling short in this area can be very expensive and long lasting.
Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, researcher warns.
Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is advertised on underground criminal forums. The powerful malware is offered for sale at $5,000, with $200 payments per new updates.
The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.
“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot‘s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction.” wrote Scheferman.
Black Lotus is written in assembly and C and is only 80kb in size, the malicious code can be configured to avoid infecting systems in countries in the CIS region.
The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities.
The threat is very stealth, it can achieve persistence at the UEFI level with Ring 0 agent protection.
Black Lotus supports a full set of backdoor capabilities, it could be also used to potential target IT and OT environments.
Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.
Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.
Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.
Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.
Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
Refund fraud services increased by almost 150% from 2019 – 2021
Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.
“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”
Additional steps include:
Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.
Han Bing allegedly felt undervalued after his security warnings were ignored, and decided to prove his point by trashing four financial servers.
An indignant IT admin, seemingly aiming to prove the lax security his employer had hitherto ignored, proceeded to delete a bunch of vital financial databases, and has subsequently been given seven years in prison as a result. It’s what’s known in the IT trade as ‘cutting your nose off to spite your face,’ or inadvisably hulking out on a server you’re known to have access to and have already complained about.
Han Bing, a database administrator for Lianjia, a Chinese real estate brokerage, previously known as Homelink, was allegedly one of only five people in the security team with access to the company’s financial system databases. So when someone logged in with root access to Lianjia’s financial system and deleted the lot(opens in new tab) (via Bleeping Computer(opens in new tab)), the company already had a handful of suspects.
Four of the five handed over their laptops and passwords immediately, while Bing refused to hand over his password, claiming that it held private information. He agreed to access the device for the company’s investigators while he was present, and no incriminating evidence was found on his machine.
The company, however, claimed the attack could be done simply by connecting to the server in a way that would leave no residual trace on the client laptop.
Subsequent electronic forensic analysis of the company’s server logs, alongside the use of CCTV footage, linked records held on the server with the host name of Bing’s MacBook, “Yggdrasil,” as well as certain MAC and IP addresses linked on his computer.
Yeah, Yggdrasil. The tree of life. The roots of which can be seen sprawling across the sky in Valheim, and as that big f-off plant glowing away in Elden Ring. Everything in 2022 always seems to lead back to Elden Ring. This whole case is probably in the game somewhere as lore.
With all the evidence in hand, the Beijing Tongda Fazheng Forensic Identification Centre concluded none of the other potential suspects could be linked to the attack on June 4, 2018, and Han Bing was found guilty of damaging computer information and sentenced to seven years in prison.
Initially that feels a bit harsh on the guy, but he did basically destroy four different servers, salting the earth so nothing could be recovered, and grinding the company’s operation to a halt. It then had to pay some $30,000 as amends for the fact that Lianjia employees were left without pay for an extended amount of time.
Which is also pretty harsh.
Bing’s colleagues have suggested that the reasoning behind his deletion of company records was down to the fact he discovered the security of the financial system was compromised, and his concerns were ignored.
He worked with another database admin to bring the issues to his seniors in the organisation but was apparently dismissed. It’s alleged this led to Bing arguing with other colleagues, and after his office was relocated it is suggested that he no longer felt valued by the company, was “passive and sluggish, often late and early, and there is also the phenomenon of absenteeism.” That’s according to the Edge machine translation, so make of that what you will.
Maybe Bing thought he was going to be rewarded for highlighting the problems more obviously, or maybe he was just a grumpy, vengeful admin by the end of it. Either way going to prison for seven years was most definitely not what he was aiming to get out of this.
The FBI on Monday warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks.
In a white notice from the FBI’s Internet Crime Complaint Center (IC3), the law enforcement agency said it has identified “an increasing number” of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.
The FBI specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”
“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the alert said.
“Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.”
The FBI noted that medical device hardware is often used for more than 30 years at some healthcare facilities, giving cybercriminals and state actors ample time to discover and exploit bugs.
Many legacy devices used by hospitals and clinics contain outdated software because they do not get manufacturer support for patches or updates, the FBI said, adding that many devices are not designed with security in mind.
The white notice then quotes several reports from cybersecurity firms that highlighted the magnitude of the problem, most notably that about 53% of all connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities.
One report found an average of 6.2 vulnerabilities per medical device and reported that more than 40% of medical devices are at the end-of-life stage, offering little to no security patches or upgrades.
Last year, German healthcare giant B. Braun updated several faulty IV pumps after McAfee discovered vulnerabilities allowing attackers to change doses.
Healthcare organizations continue to face a barrage of ransomware incidents and cyberattacks. Cybersecurity firm Proofpoint released a report last week that found 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months.
More than 20% of those attacked saw an increase in mortality rates and over half said the attacks caused longer patient stays, delays in procedures and overall decreases in the quality of care.
Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.
Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.
Threat actors are tapping the multi-feature nature of messaging apps—in particularly their content-creation and program-sharing components—as a foundation for info-stealing, according to new research from Intel 471.
Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.
“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.
Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.
Storing Exfiltrated Data
Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.
Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.
Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers– including Google Chrome, Chromium, Opera, Slimjet and Vivaldi–and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.
Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.
Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.
Blitzed Grabber and two other stealers observed using messaging apps for data storage–—Mercurial Grabber and 44Caliber–also target credentials for the Minecraft and Roblox gaming platforms, researchers added.
“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.
Editor’s Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. “I had no success really,” said its founder, who goes by the online moniker smelly_vx.
But over the last couple of years, the site’s popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as “the largest collection of malware source code, samples, and papers on the internet,” with about 35 million samples overall.
vx-undergound operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site’s goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.
Dmitry Smilyanets: I would like to start from the very beginning — please introduce yourself.
smelly_vx: Hi. I am “smelly__vx“. I am the creator of vx-underground and the guy who runs/maintains a good portion of vx-underground’s website and the vx-underground Twitter account.
I am in my early 30s. I have a wife. I have a dog. I don’t think I can say anything else which is interesting or important.
DS: Tell me about the site’s background — how did it start, how did you build it into what it is today?
VX: About vx-underground — it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.
I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, “Well, if you miss it so much, why don’t you make your own?” I thought this was a good idea — why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a “lone wolf” for nearly a decade at this point — I was a “nobody.” However, I decided this shouldn’t be a restraining factor so I bought some random bullshit hosting, purchased the domain name ‘vx-underground’ and got to work.
I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.
Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling, deny my hosting.
Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.
Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.
All of this happened very quickly, this ‘story’ encapsulates what happened between August 2019 and December 2019.
DS: What are your mission and goals?
VX: I don’t know. vx-underground is a library, our goal is basically to… collect malware samples, papers, and code? It exists and that is it. The closest thing to a ‘goal’ we have is simple: “more papers, more samples, more code.” It is as simple as that.
DS: Are you financially motivated? How do you monetize your work? Is it lucrative?
VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the ‘game.’ In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.
Malicious schemas linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected.
Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).
As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than1k malicious entries is provided at the end of the article.
The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.
A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown above referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.
The content of the malicious websites – clones of the official stores – are based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts related to the static CMS can be found on a GitHub repository from criminals. In detail, criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates would allow the reuse of code for different online stores. Then, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:
Name (first and last)
Complete address (street, zip-code, city, and country)
Mobile phone
Email
Password
Credit card information (number, date, and CVV); and
Details about the order and tracking code of the package.
Cryptocurrency scammers love social media—especially Meta’s platforms. The Federal Trade Commission says hundreds of millions of dollars were scammed from U.S. consumers in 2021 (and that’s just the scams the FTC knows about).
And the problem’s growing incredibly fast—with no hint of a fix in sight. Meta claims to be “tackling” it, but we’ve probably all experienced scam reports to Facebook and Instagram being ignored or closed with no action. But why expect anything different? Meta makes money from all the scam ads and “engagement.”
Of course, some sayall cryptocurrencies, NFTs and DeFi are scams. In today’s SB Blogwatch, we couldn’t possibly comment.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nothingverse.
“A large majority … involve cryptocurrency” A growing number of U.S. consumers are getting scammed on social media. … That number has also increased 18 times … the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed. … Facebook and Instagram were where most of these social media scams took place. … More than half (54%) of the investment scams in 2021 began with social media platforms, where scammers would promote bogus investment opportunities or connect with people directly to encourage them to invest. … A large majority of the investment scams now involve cryptocurrency.
“Bogus investment sites” Cryptocurrency is an easy target because while it’s surging in popularity, there’s still a lot of confusion about how it works. … One type of crypto scam reported to the agency involves someone bragging about their own success to drive people to bogus investment sites. … “We put significant resources towards tackling this kind of fraud and abuse,” said a spokesperson for … Meta. “We also go beyond suspending and deleting accounts, Pages, and ads. We take legal action against those responsible when we can and always encourage people to report this behavior when they see it.”
“Urgent need for money” Social media is also increasingly where scammers go to con us. More than one in four people who reported losing money to fraud in 2021 said it started on social media with an ad, a post, or a message. … For scammers, there’s a lot to like about social media. It’s a low-cost way to reach billions of people. [It] is a tool for scammers in investment scams, particularly those involving bogus cryptocurrency investments — an area that has seen a massive surge. … People send money, often cryptocurrency, on promises of huge returns, but end up empty handed. … If you get a message from a friend about an opportunity or an urgent need for money, call them. Their account may have been hacked – especially if they ask you to pay by cryptocurrency, gift card, or wire transfer. … To learn more about how to spot, avoid, and report scams—and how to recover money if you’ve paid a scammer—visit ftc.gov/scams.
Who would fall for such scams?King_TJ hates to admit it:
“Facebook is complicit” Hate to admit it, but I fell for one of these scams on Facebook myself. It was probably about a year ago. I ran across a “seller” in one of the ads that scrolled by on my feed. … There were plenty of comments posted ranging from other people interested in one, to claims they got one and liked it. … After a little while … the tracking info showed the package as delivered, but I never received anything at all. … When I started digging around more on Facebook after that, I realized the scammers … were actually running dozens of ads for various products, giving out web URLs that were almost identical except with one letter changed in their name. Reported the original ad … to Facebook, but … got no response. … That’s when it struck me that Facebook is complicit in all of this, in the sense they make a lot of ad revenue off of these scams. … It’s more profitable for them to turn a blind eye and simply take one down when a user complains about it specifically.
Facebook is complicit? Carrie Goldberg—@cagoldberglaw—puts it more bluntly:
Platforms love scams because user engagement is so high from all the accounts they create, posts, and messaging; not to mention the panicked use by victims.
Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists
Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
A Google blog has revealed how the sophisticated software was used to attack iPhone users.
The software used a vulnerability in iMessages to hack into iPhones without the user’s knowledge.
The Pegasus spyware, developed by Israel’s NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.
Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spywares previously thought to be accessible to only a handful of nations.
The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.
Apart from India, Apple has also sued the Israeli firm after having patched its security exploit. The company was also banned in the United States after the details of the spyware were revealed. Let’s take a look at how this advanced snooping technology discretely worked on iPhones.
According to the Project Zero blog, a sample of the ForcedEntry exploit was worked upon by the team and Apple’s Security Engineering and Architecture (SEAR) group. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.
Pegasus is a spyware (Trojan/Script) that can be installed remotely on devices running on Apple ‘ s iOS & Google ‘ s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to ” vetted governments ” for ” lawful interception ” , which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is availed for other purposes. Pegasus is a modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in to encrypted audio and text files on your device that makes all the data on your device up for grabs.