The rise of artificial intelligence (AI) has introduced new risks in software supply chains, particularly through open-source repositories like Hugging Face and GitHub. Cybercriminals, such as the NullBulge group, have begun targeting these repositories to poison data sets used for AI model training. These poisoned data sets can introduce misinformation or malicious code into AI systems, causing widespread disruption in AI-driven software and forcing companies to retrain models from scratch.
With AI systems relying heavily on vast open-source data sets, attackers have found it easier to infiltrate AI development pipelines. Compromised data sets can result in severe disruptions across AI supply chains, especially for businesses refining open-source models with proprietary data. As AI adoption grows, the challenge of maintaining data integrity, compliance, and security in open-source components becomes crucial for safeguarding AI advancements.
Open-source data sets are vital to AI development, as only large enterprises can afford to train models from scratch. However, these data sets, like LAION 5B, pose risks due to their size, making it difficult to ensure data quality and compliance. Cybercriminals exploit this by poisoning data sets, introducing malicious information that can compromise AI models. This ripple effect forces costly retraining efforts. The popularity of generative AI has further attracted attackers, heightening the risks across the entire AI supply chain.
The article emphasizes the importance of integrating security into all stages of AI development and usage, given the rise of AI-targeted cybercrime. Businesses must ensure traceability and explainability for AI outputs, keeping humans involved in the process. AI shouldn’t be seen solely as a cost-cutting tool, but rather as a technology that needs robust security measures. AI-powered security solutions can help analysts manage threats more effectively but should complement, not replace, human expertise.
The article discusses the increasing financial impact of cybercrime on businesses, with attacks like ransomware and DDoS causing significant losses. Average costs for DDoS attacks have risen to $6,000 per minute, while ransomware payouts have skyrocketed, with a record-breaking $75 million ransom paid in 2024. Third-party vendor breaches and industry-specific vulnerabilities are also contributing to escalating costs.
Companies are facing growing pressure to address these threats, yet many are struggling with cybersecurity talent shortages and burnout. Despite paying ransoms, recovery costs continue to rise, and cyber insurance often doesn’t cover all expenses. Investing in preventive measures and continuous monitoring is critical to mitigate risks.
During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams, coinciding with a surge in retail and online transactions. Middle Eastern enterprises, facing this heightened risk, are urged to bolster consumer protection and reinforce their brand security.
Notably, in the Kingdom of Saudi Arabia (KSA), consumer spending topped regional charts, exceeding $16 billion. This spike in e-commerce activity has, unfortunately, drawn the attention of cybercriminals who exploit these platforms to execute scams, leading to substantial financial repercussions for both consumers and businesses. The estimated total financial impact of these activities ranges between $70 and $100 million, accounting for frauds perpetrated against expatriates, residents, and foreign visitors.
Due to continued efforts in brand protection for many clients in the Middle East, Resecurity has effectively blocked over 320 fraudulent resources that were impersonating key logistics providers and e-government services. Cybercriminals are aggressively exploiting platforms such as Sadad, Musaned, Ajeer, Ejar, and well-known logistics services to deceive internet users and draw them into different scams. It is strongly advised to refrain from sharing personal and payment information on questionable sites or with individuals posing as bank or government employees.
The malicious actors utilize cloud-based hosting services like Softr, Netlify, and Vercel, which offer pre-defined templates, to create websites using AI. This method allows them to scale their operations efficiently, saving time and effort while rapidly generating new fraudulent sites at an unprecedented rate.
In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.
Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.
Ransomware remains primary cyberthreat for SMBs
The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go access to SMBs they’ve already cracked.
“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.
“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.
While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.
BEC attacks grow in sophistication
Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.
In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.
Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.
These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.
In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.
Cybersecurity professionals are increasingly prepared to moonlight as cybercriminals in a bid to top up their salaries, according to new research from the Chartered Institute of Information Security (CIISec).
The institute enlisted the help of a former police officer and covert operative to analyze dark web forum job adverts from June to December 2023.
What he found was a surprising number of what seemed to be cybersecurity professionals at various stages of their career prepared to sell their skills for nefarious ends.
“After years of working in the cybersecurity and law enforcement fields, it becomes relatively easy to spot cybercriminals from professionals moonlighting from other industries,” he explained.
“These adverts might allude to current legitimate professional roles, or be written in the same way as someone advertising their services on platforms like LinkedIn. In an industry that is already struggling to stop adversaries, it’s worrying to see that bright, capable people have been enticed to the criminal side.”
The study revealed three types of professional touting for business on underground sites:
Experienced IT and cybersecurity professionals, including pen testers, AI prompt engineers and web developers. Some claimed to work for a “global software agency” while others stated they needed a “second job”
New starters in cybersecurity looking for both work and training. Professional hacking groups also advertise for young talent, with some offering on-the-job training in areas such as OSINT and social media hacking
Professionals from industries outside cybersecurity/IT, including PR, content creation and even one out-of-work voice actor advertising for work on phishing campaigns
CIISec warned that, in many cases, salaries do not reflect the long hours and high-stress environments that many security professionals find themselves in. CIISec CEO, Amanda Finch, cited Gartner research revealing that 25% of security leaders will leave the industry by 2025 due to work-related stress.
“Our analysis shows that highly skilled individuals are turning to cybercrime. And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge,” she argued.
“Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”
Finch called on the industry to increase salaries and improve working conditions, or risk as many as 10% of the workforce leaving a profession already experiencing persistent skills shortages.
The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.
The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.
This additional reward targets the affiliates and initial access brokers that facilitated the group’s attacks.
On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.
On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.
On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.
The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Australia, Spain, Austria and Europol.
“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.” reads the message published by law enforcement on the seized websites.
“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.
The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation and amassed hundreds of millions of dollars in ransom payments.
The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.
“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”
According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.
People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion.
As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.
Cybercriminals exploit as-a-Service tools
As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.
The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:
Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
Botnets (39% of investigated threats) enrol users in wider networks of infected devices, which attackers then leverage in larger-scale attacks on other targets.
Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.
Phishing threats escalate in business communications
Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.
As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between the 1st September and the 31st December 2023.
But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.
In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.
Multi-function malware on the rise
Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.
For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.
“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an uphill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”
2024 is shaping up to be a record-breaking year for data breaches, according to Experian. Despite 2023 being labeled as a “successful” year for malicious actors, the upcoming months may bring forth developments that could further disrupt the cybersecurity landscape.
Supply chain vulnerabilities amplified
There’s no question third-party data breaches have made headlines. With increased data collection, storage, and movement, there are plenty of partners down the supply chain that could be targeted. We predict attacks on systems four, five or six degrees from the source as vendors outsource data and technology solutions to another expert, who outsources to another, and so on.
Digital transformation is expanding threat surfaces. SaaS platforms and public cloud infrastructures are pushing the perimeter out into the internet itself—putting users at greater risk.
When trying to achieve a goal, it’s said that taking small steps can lead to big results. Hackers could apply that same rule. Instead of making drastic moves and trying to reap instant reward such as with ransomware, bad actors may manipulate or alter the tiniest bits of data to stay under the radar, such as changing a currency rate or adjusting the coordinates for transportation, which can have a major impact.
It’s widely known who the major players are globally that sponsor attacks, and a new country in South Asia may join the international stage with its large population of engineers and programmers. While reportedly having focused its cyberattacks regionally due to political tensions, this country may broaden its sights in the future.
Plutonium, terbium, silicon wafers — these rare earth materials that are the building blocks for today’s hardware are rapidly becoming the most sought-after resources on the planet. Any disruption to an already strained supply chain could send the industry (and the economy that relies on these materials) spinning.
This presents an intriguing opportunity for threat actors seeking mass disruption or nations looking to corner markets.
“Cybercriminals are continually working smarter, not harder,” said Michael Bruemmer, VP, Global Data Breach Resolution at Experian. “They are leveraging new technologies like artificial intelligence and applying their talents in different ways to be more strategic and stay a step ahead. Organizations should not ignore even the slightest security abnormalities and be more aware of what global interests may make them a target.”
Winning from the inside
Like drug cartels, cybergangs are forming sophisticated organizations as joining like-minded actors can be incredibly advantageous. This spans globally with countries potentially helping each other to advance common goals and interests. We’ll see more hackers for trade, crews looking to expand their monopolies, and cyberwarfare alliances.
In 2024, enterprising threat actors may target more publicly traded companies to gain insights to cheat the stock market or plan their attacks and sell their stash before value nosedives. Rather than breach an organization and play in the underground with stolen data, threat actors could leverage data extraction and their talents in plain sight as everyday investors.
“Today, perpetrators can come from anywhere in the world and bring with them robust resources and expertise,” added Jim Steven, Head of Crisis and Data Response Services at Experian Global Data Breach Resolution in the United Kingdom. “There are many global crime syndicates and nation-backed operations, so companies need to invest in sophisticated prevention and response methods to protect themselves.”
Written and directed by Kilian Lieb and Max Rainer, Cyberbunker is a Netflix documentary about a group of hackers that enabled the proliferation of dark web forums where illegal materials were bought and sold.
Cyberbunker: The Criminal Underworld
The documentary begins with a special police unit performing a raid in what looks like a military bunker. We are then shown a thin individual with glasses and long, gray hair: Herman Johan Xennt.
The (now) 64-year-old Dutchman, who is currently serving a prison sentence in Germany, is a bunker aficionado, having been fascinated with them since he visited a WWII bunker in Arnhem when he was a kid.
Understanding the possibilities of computer technology and the internet, he first opened a profitable computer store in the early 90s. In 1995, with the money earned from this business, he was able to buy a former NATO bunker in the southern part of the Netherlands, which ended up being the location of the first Cyberbunker — a company that provides internet and web hosting services to questionable operations.
In 2002, a fire broke out in the bunker and revealed the existence of an MDMA lab. Xennt claims that he knew nothing about the lab and that he was simply subletting part of the bunker to another group. For many years after, the company’s servers were located above ground, in Amsterdam. In 2013, Xennt found and purchased a 5-level underground Cold War-era bunker in Traben-Trarbach, a small town in the South of Germany.
But the town’s mayor soon grew suspicious of the activities going on in the bunker and decided to contact the authorities, which started telephone surveillance in 2015. The group communicated in codes, though, which made crime identification impossible. In 2017, the authorities began monitoring the network node to identify illegal data traffic.
This led to the discovery of evidence of criminal activity: Cyberbunker provided hosting for dark web marketplaces, a forum for exchanging illegal drugs, counterfeit money and fake identification, and more.
The undercover operation provided crucial information to the police, helping them to plan and execute a successful raid. Xennt and his criminal colleagues were arrested, and over 280 servers hosting websites for up to 200 customers were shut down.
The idea of “freedom of the internet”
Cyberbunker was known among cybercriminals as a “bulletproof hoster”, which meant that the servers hosting the content stayed online no matter what (i.e., even if the authorities requested sites’ removal). It also guaranteed privacy, which was very convenient for anyone who wanted to host questionable or illegal content.
Cyberbunker advertised that it would host everything except child pornography and terrorism-related content, but the group later claimed that they didn’t really know what the clients were using their servers for.
The group was driven by the idea of “freedom of the internet” and, during the interviews with all the members of the group (including Xennt), we can see that they have a twisted idea of what it should be.
They went so far as to declare the Republic of Cyberbunker, with its “administration” and hierarchy, and perpetuated the delusion that what they were doing was good.
Does it strike the right chord?
The documentary is suitable for a wide audience and does not burden the spectator with technical details. Instead, it has a movie-like format that’s captivating and easy to follow.
The timeline of the events is well presented and clear, complemented with historical data about the main “character” — Xennt — and original private and police footage.
The authors tried to create a tense and scary atmosphere, though the characters at times act so bizarrely and seem so out of touch with reality that, on occasion, you might almost feel sorry for them. It’s hard to believe these individuals thought they were untouchable and that, even after getting arrested, they were still convinced they were making the world a better place.
Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.
Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.
COBALT STRIKE 4.9 FEATURES
The latest release, version 4.9, introduces several significant features and improvements:
User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.
CRACKED VERSIONS IN THE WILD
Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the toolâs popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.
THE CRACKDOWN
Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.
WHY COBALT STRIKE?
Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.
THE USERS
Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.
REMEDIATION EFFORTS
To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).
The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.
Analysis of chatter in criminal underground message exchanges, however, reveals that the pieces exist for multi-layered, widespread attacks in the coming years. And given that the automotive industry’s customary development cycles are long, waiting for the more sophisticated cyberattacks on connected cars to appear is not a practical option.
What should the world’s automotive OEMs and suppliers do now to prepare for the inevitable transition from today’s manual, car-modding hacks to tomorrow’s user impersonation, account thefts and other possible attacks?
How connectivity is changing car crime
As our vehicles become more connected to the outside world, the attack surface available to cybercriminals is rapidly increasing, and new “smart” features on the current generation of vehicles worldwide open the door for new threats.
Our new “smartphones on wheels”—always connected to the internet, utilizing many apps and services, collecting tremendous amounts of data from multiple sensors, receiving over-the-air software updates, etc.—stand to be attacked in similar ways to how our computers and handheld devices already are today.
Automotive companies need to think now about those potential future threats. A car that an OEM is planning today will likely reach the market in three to five years. It will need to be already secured against the cyberthreat landscape that might be in existence by then. If the car hits the market without the required cybersecurity capabilities, the job of securing it will become significantly more difficult.
The likelihood of substantially more frequent, devious, and harmful attacks is portended by the complex attacks on connected cars that we have seen devised by industry researchers. Fortunately, the attacks to this point largely have been limited to these theoretical exercises in the automotive industry. Car modding — e.g., unlocking a vehicle’s features or manipulating mileage — is as far as real-world implementation has gotten.
Connectivity limits some of the typical options that are available to criminals specializing in car crime. The trackability of contemporary vehicles makes reselling stolen cars significantly more challenging, and even if a criminal can manage to take a vehicle offline, the associated loss of features renders the car less valuable to potential buyers.
Still, as connectivity across and beyond vehicles grows more pervasive and complicated, so will the threat. How are attacks on tomorrow's connected cars likely to evolve?
Emerging fronts for next-generation attacks
Because the online features of connected cars are managed via user accounts, attackers may seek access to those accounts to attain control over the vehicle. Takeover of these car-user accounts looms as the emerging front for attack for would-be car cybercriminals and even criminal organizations, creating ripe possibilities for user impersonation and the buying and selling of the accounts.
Stealing online accounts and selling them to rogue collaborators who can act on that knowledge tee up a range of future possible attacks for tomorrow's automotive cybercriminals:
Selling car user accounts
Impersonating users via phishing, keyloggers or other malware
Remote unlocking, starting and controlling connected cars
Opening cars and looting for valuables or committing other one-off crimes
Stealing cars and selling for parts
Locating cars to pinpoint owners' residential addresses and to identify when owners are not home
The crime triangle takes shape
Connected car cybercrime is still in its infancy, but criminal organizations in some nations are beginning to recognize the opportunity to exploit vehicle connectivity. Surveying today's underground message forums quickly reveals that the pieces could quickly fall into place for more sophisticated automotive cyberattacks in the years ahead. Discussions on underground crime forums around data that could be leaked and the software tools needed or available to enable attacks are already intensifying.
A post from a publicly searchable auto-modders forum about a vehicle's multi-displacement system (MDS) for adjusting engine performance is symbolic of the current activity and possibilities.
Another, in which a user on a criminal underground forum offers a data dump from a car manufacturer, points to the threats that are likely coming to the industry.
Though they still seem to be limited to ordinary stolen data, compromises and network accesses are for sale in the underground. The crime triangle (as defined by crime analysts) for sophisticated automotive cyberattacks is solidifying:
Target: The connected cars that serious criminals will seek to exploit in the years ahead are becoming more and more prevalent in the global marketplace.
Desire: Criminal organizations will find ample market incentive to monetize stolen car accounts.
Opportunity: Hackers are steeped in inventive methods to hijack people's accounts via phishing, infostealing, keylogging, etc.
Penetrating and exploiting connected cars
The ways of seizing access to the data of connected-car users are numerous: introducing malicious in-vehicle infotainment (IVI) apps, exploiting unsecure IVI apps and network connections, taking advantage of unsecure browsers to steal private data, and more.
Also, there's a risk of exploitation of personally identifiable information (PII) and vehicle telemetric data (on a car's condition, for example) stored in smart cockpits, to inform extremely personalized and convincing phishing emails.
Here's one method by which it could happen:
An attacker identifies vulnerabilities that can be exploited in a browser.
The attacker creates a professional, attractive webpage to offer hard-to-resist promotions to unsuspecting users (fast-food coupons, discounts on vehicle maintenance for the user's specific model and year, insider stock information, etc.)
The user is lured into visiting the malicious webpage, which bypasses the browser's security mechanisms
The attacker installs backdoors in the vehicle IVI system, without the user's knowledge or permission, to obtain various forms of sensitive data (driving history, conversations recorded by manufacturer-installed microphones, videos recorded by built-in cameras, contact lists, text messages, etc.)
The possible crimes enabled by such a process are wide ranging. By creating a fraudulent scheme to steal the user's identity, for example, the attacker would be able to open accounts on the user's behalf or even trick an OEM service team into approving verification requests, at which point the attacker could remotely open the vehicle's doors and allow a collaborator to steal the car.
Furthermore, the attackers could use the backdoors that they installed to infiltrate the vehicle's central gateway via the IVI system by sending malicious messages to electronic control units (ECUs). A driver could not only lose control of the car's IVI system and its geolocation and audio and video data, but also the ability to control speed, steering and other safety-critical functions of the vehicle, as well as the range of vital data stored in its digital clusters.
Positioning today for tomorrow's threat landscape
Until now there might have been reluctance among OEMs to invest in averting cyberattacks, which haven't yet materialized in the real world. But a 2023 Gartner Research report, "Automotive Insight: Vehicle Cybersecurity Ecosystem Creates Partnership Opportunities," is among the industry research documenting a shift in priorities.
Driven by factors such as the significant risk of brand and financial damage from cyberattacks via updatable vehicle functions controlled by software, as well as emerging international regulatory pressures such as the United Nations (UN) regulation 155 (R155) and ISO/SAE 21434, OEMs have begun to emphasize cybersecurity.
And today, they are actively evaluating and, in some cases, even implementing a few powerful capabilities:
Security for IVI privacy and identity
Detection of IVI app vulnerabilities
Monitoring of IVI app performance
Protection of car companion apps
Detection of malicious URLs
24/7 surveillance of personal data
Investing in cybersecurity in the design stage, versus after breaches, will ultimately prove less expensive and more effective in terms of avoiding or mitigating serious crimes involving money, vehicle and identity theft from compromised personal data by the world's most savvy and ambitious business criminals.
Kimsuky is an advanced persistent threat (APT) group that originates in North Korea and has a lengthy history of launching targeted attacks all around the globe. According to what is currently known about the group, it has been mainly tasked with conducting information gathering and espionage on behalf of the North Korean government since at least 2012. Over the years, Kimsuky's targets have been spread across several nations in North America, Asia, and Europe. In its most recent efforts, the group has continued its strategy of worldwide targeting, centered on a variety of contemporary geopolitical concerns. The most recent Kimsuky campaigns, for instance, have been centered on nuclear agendas between China and North Korea; these agendas are pertinent to the continuing confrontation between Russia and Ukraine. In 2018, the group was seen deploying a malware family known as BabyShark, and the most recent observations show that the group has developed the malware with an enhanced capacity for reconnaissance. Experts refer to this component of BabyShark as ReconShark.
During a recent campaign, Kimsuky targeted the employees of the Korea Risk Group (KRG), an information and analysis organization that specializes in subjects that have both direct and indirect effects on the Democratic People's Republic of Korea (DPRK). Kimsuky continues to employ carefully designed phishing emails for the purpose of deploying ReconShark. Notably, the spear-phishing emails are created with a degree of design quality customized for specific persons, which increases the likelihood that the target will open the email. This involves using correct formatting, language, and visual cues so that the content seems authentic to readers who are not paying close attention. Both the targeted emails, which include links to download malicious documents, and the malicious documents themselves exploit the names of genuine people whose expertise is relevant to the subject matter of the lure, such as political scientists.
Kimsuky's malicious emails include a link that, when clicked, directs the recipient to a file that requires a password to open. Most recently, the group started hosting the infected document for download on Microsoft OneDrive, a cloud storage service. Exfiltrating information about the infected platform is the primary function of ReconShark. This includes information about running processes, information about the battery attached to the device, and information about endpoint threat detection measures that have been deployed.
As in earlier iterations of BabyShark, ReconShark relies on Windows Management Instrumentation (WMI) to query information on processes and batteries. ReconShark does more than just steal information; it also distributes additional payloads in a multi-stage process. These payloads may be built as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. The detection mechanism processes that are active on compromised computers are taken into consideration when ReconShark chooses which payloads to send out.
In order to avoid detection by static analysis, some ReconShark strings are encoded using a fairly simple encryption. Typically, the instructions or scripts contained in these strings are for downloading and/or running payloads. All of the infrastructure spotted as part of this campaign is housed on a shared hosting server provided by NameCheap. LiteSpeed Web Server (LSWS) was often used by operators of the Kimsuky malware to manage the malicious functionality. The continual attacks by Kimsuky and their use of the new reconnaissance tool ReconShark provide insight into the ever-changing nature of the North Korean threat environment. Organizations and individuals need to be aware of the tactics, techniques, and procedures (TTPs) used by North Korean state-sponsored advanced persistent threats (APTs) and take the required steps to defend themselves against attacks of this kind.
Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals.
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named "Beacon" on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.
Microsoft's Digital Crimes Unit (DCU) announced that it has collaborated with Fortra, the company that develops and maintains the tool, and the Health Information Sharing and Analysis Center (Health-ISAC) to curb the abuse of Cobalt Strike by cybercriminals.
The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike ("refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool") so they can no longer be used by cybercriminals.
Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is used to conduct multiple malicious activities, including escalating privileges, lateral movements, and deploying additional malicious payloads.
"More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim's machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware." reads the court order. "Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft's Windows operating system, Defendants are able to execute a series of actions involving abuse of Microsoft's copyrighted declaring code."
Example of an attack flow by threat actor DEV-0243.
Microsoft observed more than 68 ransomware attacks, involving the use of cracked copies of Cobalt Strike, against healthcare organizations in more than 19 countries around the world.
The attacks caused huge financial damages to the attacked hospitals in recovery and repair costs, plus interruptions to critical patient care services.
Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.
"Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol's European Cybercrime Centre (EC3) on this case. While this action will impact the criminals' immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done." concludes the report.
In November 2022, Google Cloud researchers announced the discovery of 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions.
Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries.
Europol has dismantled a gang linked to a $40 million CEO scam. Find out more about how this international criminal syndicate was uncovered and who was involved.
The email scam gang behind France's largest-ever CEO scam has been dismantled after a coordinated police operation across multiple countries was successful in arresting six people in France and two in Israel.
The Europe-wide operation to track down the Franco-Israeli criminal organization involved the Croatian National Police, the Croatian Anti Money Laundering Office, the French National Police, the French Gendarmerie, the Hungarian Budapest Metropolitan Police, the Israel Police, the Portuguese Judicial Police, and the Spanish National Police.
In early December 2021, one of the gang members, now arrested as a suspect, impersonated the CEO of a metallurgy company in northeastern France and tricked the accountant into making an urgent and confidential transfer of €500,000 ($530,000), which was subsequently spotted and blocked.
In late December 2021, according to Europol's press release, Sefri-Cime, a real-estate developer, fell victim to the same group after its members impersonated lawyers working for a well-known French accounting firm. According to Europol, they persuaded the Chief Financial Officer (CFO) to transfer almost €38 million ($40 million) altogether.
The criminal network, consisting of French and Israeli nationals, used a pre-existing money laundering scheme that laundered the funds via European countries, China, and then Israel. An investigation that followed revealed the money mules working for the gang in Croatia, Portugal, and Hungary.
The police were able to seize electronic equipment and vehicles, €3 million from Portuguese bank accounts, €1.1 million from Hungarian bank accounts, €600,000 from Croatian bank accounts, €400,000 from Spanish bank accounts and €350,000 in virtual currencies.
The operation continued for five days between January 2022 and 2023 in France and Israel, leading to eight house searches and eight arrests, including the alleged Israeli gang leader, according to Europol.
11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.
The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks.
"DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to target higher transaction processing to overwhelm a target. Those with responsibility for network health and internet service uptime should be taking note of this trend," explained Corero CTO, Ashley Stephenson.
Legal responsibility
Corero also predicts that 2023 will see more breaches being reported, because of the increasing trend for transparency in data protection regulations. Regulations such as the UK Government's Telecoms Security Bill will compel organizations to disclose more cyber-incidents publicly.
We are also likely to see the legal responsibility for bad corporate behaviour when dealing with breaches being linked to individual executives. Examples such as Joe Sullivan, the former head of security at Uber, who was recently found guilty of hiding a 2016 breach, could set a precedent for linking data protection decisions to the personal legal accountability of senior executives.
Evading DDoS defenses
Attackers will continue to make their mark in 2023 by trying to develop new ways to evade legacy DDoS defenses. We saw Carpet Bomb attacks rearing their head in 2022 by leveraging the aggregate power of multiple small attacks, designed specifically to circumvent legacy detect-and-redirect DDoS protections or neutralize "black hole" sacrifice-the-victim mitigation tactics. This kind of cunning will be on display as DDoS attackers look for new ways of wreaking havoc across the internet and attempt to outsmart existing thinking around DDoS protection.
In 2023, the cyberwarfare that we have witnessed with the conflict in Ukraine will undoubtedly continue. DDoS will continue to be a key weapon in the Ukrainian and other conflicts both to paralyse key services and to drive political propaganda objectives. DDoS attack numbers rose significantly after the Russian invasion in February and DDoS continues to be used as an asymmetric weapon in the ongoing struggle.
Earlier this year, in other incidents related to the conflict, DDoS attackers attempted to disrupt the Eurovision song contest in an attempt to frustrate the victory of the Ukrainian contestants. Similarly, when Elon Musk showed support for Ukraine by providing Starlink satellite broadband services, DDoS attackers tried to take the satellite systems offline and deny Ukraine much needed internet services.
"Throughout 2022 we observed DDoS attacks becoming increasingly sophisticated while at the same time the DDoS attack surface is expanding. With the number of recorded attacks on the rise and significant shifts in attackers' motives and goals, 2023 will require organizations to ensure they have robust DDoS defense in place," said Lionel Chmilewsky, CEO at Corero Network Security.
As part of the criminal case against a former student of the University of Puerto Rico (UPR), a judge in Puerto Rico sentenced him to serve 13 months in federal prison.
The former student, Iván Santell-Velázquez (aka Slay3r_r00t), was accused of hacking the email and Snapchat accounts of over a dozen of the university's female students.
On July 13, Iván pled guilty to cyberstalking, admitting that he had targeted over 100 students in his online campaign. He also engaged in other schemes to steal information, such as spoofing and phishing.
He was accused of harassing women and, in some cases, of publishing nude pictures that he had stolen from them between 2019 and 2021.
Apart from hacking student email accounts, he also managed to gain access to multiple university email accounts through spoofing and phishing attempts, through which he gathered personal information.
Students Data Stolen
The defendant, Iván Santell-Velázquez, targeted 15 female students in total at the University of Puerto Rico. A victim of cyberstalking may experience a significant amount of emotional distress as a result of it.
"The prosecution of cyber criminals is a top priority in the Justice Department. Cybercrimes not only cause financial losses to corporate victims but also result in financial and psychological harm to vulnerable victims, oftentimes children or the elderly. This conduct will not be tolerated."
"This case also demonstrates the importance of safeguarding personal information and passwords, and the care we must take when responding to suspicious e-mails and text messages."
As a result of his crimes, Iván Santell-Velázquez was sentenced to 13 months of imprisonment along with 2 years of supervised release for cyberstalking by Silvia Carreño Coll, the U.S. District Court Judge.
Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, researcher warns.
Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is advertised on underground criminal forums. The powerful malware is offered for sale at $5,000, with $200 payments per new updates.
The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.
"Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made (e.g. Trickbot's #Trickboot module), this represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction." wrote Scheferman.
Black Lotus is written in assembly and C and is only 80 KB in size; the malicious code can be configured to avoid infecting systems in countries in the CIS region.
The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, and it is able to load unsigned drivers used to perform a broad range of malicious activities.
The threat is very stealthy; it can achieve persistence at the UEFI level with Ring 0 agent protection.
Black Lotus supports a full set of backdoor capabilities, and it could also potentially be used to target IT and OT environments.
Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.
Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.
Cybercrime's continued shift to a service-driven economy has enabled several new professionalized hacking services, with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea's latest threat report, which researched rising trends across a multitude of hacking forums.
Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.
Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
Refund fraud services increased by almost 150% from 2019 to 2021
Netacea's report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.
"As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy, and refund fraud is no exception," said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. "As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take."
Additional steps include:
Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer's account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.
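One way a carrier could implement the one-time-password step recommended above, as an added example (not Netacea's, a retailer's or any carrier's code): the carrier derives a short code per parcel with an HMAC keyed by a secret only it holds, gives the code to the recipient, and the courier enters it at the door. Because a successful verification is recorded, a later "it never arrived" claim can be checked against that record rather than a disputable signature. The secret, order ids, timestamps and the six-digit length are constructed assumptions.

```python
"""Added example: HMAC-derived one-time delivery codes with replay, expiry and
guessing protection. Secret, order ids and timestamps are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

CODE_DIGITS = 6                         # assumed code length
CODE_VALIDITY_SECONDS = 3 * 24 * 3600   # assumed delivery window
MAX_ATTEMPTS = 5                        # lock the parcel after this many bad codes


@dataclass
class DeliveryLedger:
    """Carrier-side state: which parcels were confirmed and how many bad codes were tried."""
    confirmed: set = field(default_factory=set)
    bad_attempts: dict = field(default_factory=dict)


def issue_delivery_code(secret: bytes, order_id: str, issued_at: int) -> str:
    """Derive a numeric code bound to the order and its issue time.

    The carrier only has to store (order_id, issued_at); the code itself can be
    recomputed at verification time, so there is no table of plaintext codes to leak.
    """
    msg = f"{order_id}|{issued_at}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): pick 4 bytes at a
    # digest-dependent offset, mask the sign bit, reduce to the wanted digits.
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_delivery_code(secret: bytes, order_id: str, issued_at: int,
                         presented: str, now: int, ledger: DeliveryLedger) -> tuple[bool, str]:
    """Check a code entered by the courier; returns (accepted, reason).

    Order of checks: a code that was already used cannot confirm a second delivery,
    a locked parcel is never accepted, an expired code is rejected before any
    comparison, and the comparison itself is constant-time.
    """
    if order_id in ledger.confirmed:
        return False, "already_used"
    if ledger.bad_attempts.get(order_id, 0) >= MAX_ATTEMPTS:
        return False, "locked"
    if now - issued_at > CODE_VALIDITY_SECONDS:
        return False, "expired"
    expected = issue_delivery_code(secret, order_id, issued_at)
    if not hmac.compare_digest(expected, presented):
        ledger.bad_attempts[order_id] = ledger.bad_attempts.get(order_id, 0) + 1
        return False, "mismatch"
    ledger.confirmed.add(order_id)      # the record a later refund claim is checked against
    return True, "ok"


def demo() -> list:
    """Walk through a normal delivery, a replay and a guessing attempt on constructed data."""
    secret = b"constructed-carrier-secret"   # would come from the carrier's key store
    issued_at = 1_700_000_000                # constructed timestamp
    ledger = DeliveryLedger()
    results = []

    good = issue_delivery_code(secret, "ORD-1001", issued_at)
    results.append(verify_delivery_code(secret, "ORD-1001", issued_at, good, issued_at + 3600, ledger))
    results.append(verify_delivery_code(secret, "ORD-1001", issued_at, good, issued_at + 3600, ledger))

    # Wrong code on another parcel: the attempt counter eventually locks it.
    real = issue_delivery_code(secret, "ORD-1002", issued_at)
    wrong = f"{(int(real) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS + 1):
        results.append(verify_delivery_code(secret, "ORD-1002", issued_at, wrong, issued_at + 60, ledger))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The code is only as good as the channel it travels over: it must reach the recipient (app notification or SMS) and not be printed on the parcel label, and the courier's device should send the entered code to the carrier for verification rather than hold the secret itself.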
Han Bing allegedly felt undervalued after his security warnings were ignored, and decided to prove his point by trashing four financial servers.
An indignant IT admin, seemingly aiming to prove the lax security his employer had hitherto ignored, proceeded to delete a bunch of vital financial databases, and has subsequently been given seven years in prison as a result. It’s what’s known in the IT trade as ‘cutting your nose off to spite your face,’ or inadvisably hulking out on a server you’re known to have access to and have already complained about.
Han Bing, a database administrator for Lianjia, a Chinese real estate brokerage previously known as Homelink, was allegedly one of only five people in the security team with access to the company's financial system databases. So when someone logged in with root access to Lianjia's financial system and deleted the lot (via Bleeping Computer), the company already had a handful of suspects.
Four of the five handed over their laptops and passwords immediately, while Bing refused to hand over his password, claiming that it held private information. He agreed to access the device for the company's investigators while he was present, and no incriminating evidence was found on his machine.
The company, however, claimed the attack could be done simply by connecting to the server in a way that would leave no residual trace on the client laptop.
Subsequent electronic forensic analysis of the company’s server logs, alongside the use of CCTV footage, linked records held on the server with the host name of Bing’s MacBook, “Yggdrasil,” as well as certain MAC and IP addresses linked on his computer.
Yeah, Yggdrasil. The tree of life. The roots of which can be seen sprawling across the sky in Valheim, and as that big f-off plant glowing away in Elden Ring. Everything in 2022 always seems to lead back to Elden Ring. This whole case is probably in the game somewhere as lore.
With all the evidence in hand, the Beijing Tongda Fazheng Forensic Identification Centre concluded none of the other potential suspects could be linked to the attack on June 4, 2018, and Han Bing was found guilty of damaging computer information and sentenced to seven years in prison.
Initially that feels a bit harsh on the guy, but he did basically destroy four different servers, salting the earth so nothing could be recovered, and grinding the company’s operation to a halt. It then had to pay some $30,000 as amends for the fact that Lianjia employees were left without pay for an extended amount of time.
Which is also pretty harsh.
Bing’s colleagues have suggested that the reasoning behind his deletion of company records was down to the fact he discovered the security of the financial system was compromised, and his concerns were ignored.
He worked with another database admin to bring the issues to his seniors in the organisation but was apparently dismissed. It’s alleged this led to Bing arguing with other colleagues, and after his office was relocated it is suggested that he no longer felt valued by the company, was “passive and sluggish, often late and early, and there is also the phenomenon of absenteeism.” That’s according to the Edge machine translation, so make of that what you will.
Maybe Bing thought he was going to be rewarded for highlighting the problems more obviously, or maybe he was just a grumpy, vengeful admin by the end of it. Either way going to prison for seven years was most definitely not what he was aiming to get out of this.