Cyclops Blink and Hydra are taken down
Law enforcement operations seize control of the botnet and the dark web marketplace
German authorities have taken down Hydra, the world’s largest Russian-language darknet marketplace, which has facilitated an estimated $5 billion in illicit transactions since setting up shop in December 2015. Investigators seized servers and other infrastructure used by the operators’ sprawling, billion-dollar enterprise, along with a stash of about $25 million in bitcoin.
Hydra specialized in same-day ‘dead drop’ services, in which drug vendors hide packages in public places using anonymous couriers and then tell customers the pick-up location. Law enforcement told the BBC that the operation to take down Hydra “began with a tip-off which pointed to the possibility that the website infrastructure might be hosted in Germany.”
The hosting provider in question turned out to offer bullet-proof hosting, the kind of service that ignores legal requests for customer information. The news comes during a turbulent time for darknet markets, with the most prominent sites closing down in recent months, either voluntarily or as a result of police activity.
In related news, the U.S. government acted to take down Cyclops Blink, an advanced modular botnet attributed to the Russia-based Sandworm group. Cyclops Blink is said to be the successor to VPNFilter, a botnet that was abandoned after it was exposed in May 2018 and subsequently targeted by a U.S. government operation to disrupt its command-and-control servers.
The developments highlight how global law enforcement agencies have intensified their efforts in recent months to tackle these illegal platforms.
What’s trending in security?
🔝 At least six different Russia-aligned actors launched no fewer than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country. One of the groups actively engaged in pro-Russian cyber-attacks is UAC-0056, which is also known as SaintBear and has been linked to an intrusion set that utilizes a malware framework called Elephant. [The Hacker News / Bitdefender]
☢️ Ukraine’s computer emergency response team (CERT-UA), in collaboration with researchers from ESET and Microsoft, repelled a cyberattack on an unnamed energy company that would have disconnected several high-voltage substations from a section of the country’s electrical grid on April 8.
The attack, attributed to Russia’s Sandworm group, involved the use of a new, more customized version of Industroyer, a sophisticated malware which was first used by the threat actor in 2016 to cause power outages in Ukraine. Details on how the intruders made their way into the company’s systems are not known yet.
In addition, the latest attack also featured destructive disk-wiping tools for the energy company’s Windows, Linux, and Solaris operating system environments. While the initial entry vector remains unclear, Industroyer is designed to allow attackers to gain remote control of switches and circuit breakers in high-voltage substations and to manipulate them in such a way as to trigger disruptions. The analysis also shows that the hackers were planning on covering their tracks after the attack. [The Hacker News / Ars Technica / SSSCIP]
🏭 U.S. intelligence agencies warned of specialized malware developed with the intent to disrupt industrial processes. The toolset, called PIPEDREAM by Dragos and INCONTROLLER by Mandiant, enables threat actors to scan for, compromise, and launch potentially catastrophic attacks against critical systems in industrial settings. It does not capitalize on unknown flaws; even so, its capability has been described as “exceptionally rare and dangerous” and as posing a critical risk to organizations that use the targeted equipment. [The Hacker News]
🐝 Starting in March, at least three cybercrime groups were observed delivering a new, sophisticated malware loader called Bumblebee that researchers said could represent “a notable shift in the cybercriminal threat landscape.” Used to download and execute additional payloads, the malware appears to be a replacement for another loader called BazaLoader (aka BazarLoader) that’s used to facilitate follow-on attacks. The emergence of Bumblebee dovetails with the disappearance of BazaLoader since February 2022. [The Hacker News / NCC Group]
🚨 Apple, in late March, patched two actively exploited vulnerabilities in macOS Monterey but in a break from its usual practice has left users of older supported versions of its desktop operating system including Big Sur and Catalina unprotected. “Apple is providing a false sense of security by providing inconsistent security updates—and not patching every highly critical (or even every zero-day) vulnerability—for two widely used macOS versions comprising an estimated 35–40% of all Macs in use today,” the researchers said. [Intego]
🔍 Munich-based spyware company FinFisher, which develops FinSpy, declared insolvency last month, amid an ongoing investigation into its business dealings. It’s worth noting that the company’s offices were raided in October 2020 over allegations of illegally exporting the software abroad without the required authorization. [The Record / Bloomberg]
📶 Ukraine disclosed it neutralized an attack on Ukrtelecom, the country’s leading ISP and fixed-line telecommunications company. The Security Service of Ukraine also disclosed that it disrupted five “enemy” bot farms that “tried to inspire panic among Ukrainian citizens and destabilize the socio-political situation in various regions” and spread “distorted news” related to the invasion. [Forbes / SSU]
⚠️ Threat actors are getting faster at exploiting zero-day vulnerabilities, with the average time to known exploitation (TTKE) down from 42 days in 2020 to just 12 days in 2021, a 71% decrease. The findings correlate with a report from Google’s Threat Analysis Group (TAG), which found a “large uptick of in-the-wild 0-day attacks” in 2021. [Rapid7 / Google]
🚀 Threat actors are continuing to exploit the Log4j flaw, aka Log4Shell, that came to light in December 2021 to target VMware Horizon servers to deploy cryptocurrency miners such as JavaX miner, Jin, z0Miner, and XMRig variants as well as backdoors for maintaining persistent access on compromised systems. While there have not been many major publicly known compromises resulting from the Log4Shell flaw in the three months since it was disclosed, the ubiquitous nature of the library means that attackers are likely to continue weaponizing the bug for years to come. [Sophos]
❗ Malicious actors are abusing sensitive user information obtained through fake legal requests to Apple, Twitter, Google’s parent company Alphabet, Discord, Meta, and Snap to harass women and sexually extort minors. “The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse,” the report said.
The findings come following a report that hackers are compromising U.S. police and government email accounts to send Emergency Data Requests to ISPs, telecoms, social networks, while “claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.” [Bloomberg / Krebs on Security]
📧 The U.S. Federal Bureau of Investigation (FBI) and its international law enforcement partners announced the arrests of 65 alleged cybercrime gang members specializing in business email compromise schemes targeting over 500 U.S. victims. The coordinated operation, called “Eagle Sweep,” lasted for three months, starting in September 2021, and led to arrests in the United States, Nigeria, South Africa, Cambodia, and Canada. [FBI]
❌ A new remote access trojan (RAT) has made its appearance on the darknet markets, offering a pathway to conduct DDoS attacks, disable UAC, and deploy ransomware. Called Borat RAT, it comes with the standard set of RAT features, enabling threat actors to gain full remote control of a victim’s system, including mouse and keyboard control, file access, and access to network resources. [Cyble]
⚙️ A speed test of different ransomware strains has shown LockBit to be the fastest file encrypting malware, locking over 100,000 files in a median time of just five minutes and 50 seconds, followed by Baby, Avaddon, Ryuk, REvil, and BlackMatter. [Splunk]
🛡️ Researchers disclosed a number of critical vulnerabilities in Microsoft Defender for IoT, two of which could be exploited to achieve remote code execution. Microsoft addressed the issues with its December 2021 Patch Tuesday updates. [SentinelOne]
💲 An Android banking Trojan called SharkBot that first surfaced last October has continued to circulate in the wild through the trusted Google Play mobile app store under the cover of antivirus apps. The malware makes use of a technique called Automatic Transfer Systems (ATS) to initiate money transfers from bank accounts belonging to owners of SharkBot-infected Android devices, with the commands issued remotely by the operators. [The Hacker News]
🔒 The leak of the Conti ransomware cartel’s source code and thousands of chat messages, after the group pledged support for the Russian government over its invasion of Ukraine, has been nothing short of a “watershed moment,” a treasure trove that has offered unparalleled insight into the inner workings of the extortionists’ criminal business and how its development operations mirror corporate tech.
“These groups are set up to conduct crimes as if they were a legitimate business,” Intel 471 researchers noted. “Ransomware-as-a-service groups operate like corporate entities, with payroll, revenue goals and salary bonuses worked into their operations.”
What’s more, the cache reveals that the Conti Team’s activities fall in line with national interests. Secureworks, which is tracking the threat actor under the name Gold Ulrick, said the average Conti ransomware group member earns a salary of $1,800 per month, exceeding the average Russian salary of approximately $540 per month.
In a related development, eSentire’s Threat Research Unit (TRU) disclosed details about a new Conti affiliate it had been tracking since August 2021, with the group notable for using Cobalt Strike to facilitate the ransomware deployment.
The revelations come as a hacking group known as NB65 has been targeting Russian organizations with ransomware attacks using Conti’s leaked source code to create their own ransomware variant. [Intel 471 / Secureworks / eSentire / Bleeping Computer]
🚫 Law enforcement agencies have seized control of RaidForums, a popular website where hackers have advertised data stolen from high-profile companies. The marketplace is said to have had 530,000 members since its inception in 2015. The takedown, while expected to be a temporary blow, is a warning to other hacker marketplaces that they could be next, even as criminal actors are expected to migrate to other communities or underground forums in the dark web. [The Hacker News]
🤖 Microsoft, in collaboration with other cybersecurity firms, disrupted the ZLoader botnet following several months of investigation into the malware’s attack infrastructure. The investigation also tied the ZLoader botnet directly to Denis Malikov, who lives in Simferopol on the Crimean Peninsula, as one of the creators of a component that the botnet uses to distribute ransomware. But despite the dismantling, the threat actors are expected to make efforts to revive the operation. [The Hacker News]
⚡ The Russian threat actor known as Gamaredon (aka Shuckworm or Armageddon) has been linked to a new cyber espionage campaign against organizations in Ukraine to deliver a backdoor known as Pterodo. [Symantec]
💬 A new WhatsApp phishing campaign impersonating WhatsApp’s voice message notifications has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses. [Armorblox]
⬆️ 2021 marked an explosion in the exploitation of zero-days in the wild. 80 cases of zero-days exploited in the wild were detected, 18 more than 2020 and 2019 combined. China tops the list with eight zero-days used in cyberattacks in 2021, with financially motivated actors increasingly deploying zero-day exploits. “While zero-day exploitation is expanding, malicious actors also continue to leverage known vulnerabilities, often soon after they have been disclosed,” the researchers said. [Mandiant / The Hacker News / WIRED / MIT Technology Review]
💵 Cybercriminals are increasingly gravitating toward the Web 3.0 space, with users of the emerging technologies falling victim to a variety of social engineering attacks aimed at tricking them into giving up their wallet’s seed phrases, granting access to or modifying the contents of their cryptocurrency wallet, and illicitly transferring funds, as well as crafting malicious smart contracts. [Cisco Talos]
⛔ African banks are increasingly targeted by malware distribution campaigns that employ HTML smuggling tricks and typosquatted domains to drop remote access trojans (RATs) such as Remcos, which comes with capabilities to run remote commands, download and upload files, take screenshots, capture keystrokes, and record the user’s webcam and microphone. [HP Wolf Security]
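As an added illustration of the HTML smuggling technique mentioned above (example code written for this digest, not from HP Wolf Security’s report): the pattern is a long base64 string embedded in an HTML attachment, decoded by script in the browser into a Blob and handed to the user as a file download, so no binary ever crosses the mail gateway. The heuristic scanner below flags that decode-then-download combination and peeks at the decoded payload’s magic bytes. The two HTML documents, the indicator lists and the scoring thresholds are constructed assumptions for the example, not samples from the campaign.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Sinks that hand a script-built Blob to the browser as a file download.
DOWNLOAD_SINKS = [
    r"navigator\.msSaveOrOpenBlob",
    r"URL\.createObjectURL",
    r"\.download\s*=",
    r"<a[^>]+\bdownload\b",
]
# Client-side decoding of the embedded payload.
DECODERS = [r"\batob\s*\(", r"Uint8Array", r"charCodeAt"]
# A long unbroken base64 run is where the smuggled file lives.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Magic bytes of containers commonly dropped this way: zip, PE executable, OLE2 (legacy Office).
SUSPICIOUS_MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole"}


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def sniff_payload(b64: str):
    """Decode a base64 run and return the container type if its magic is suspicious."""
    try:
        raw = base64.b64decode(b64[: len(b64) - len(b64) % 4], validate=True)
    except binascii.Error:
        return None
    for magic, name in SUSPICIOUS_MAGIC.items():
        if raw.startswith(magic):
            return name
    return None


def scan_html(html: str) -> Verdict:
    """Score an HTML document for the decode-then-download pattern of HTML smuggling."""
    score, reasons = 0, []
    if not re.search(r"<script\b", html, re.I):
        return Verdict(False, 0, ["no script"])  # nothing can assemble a file client-side
    sinks = [p for p in DOWNLOAD_SINKS if re.search(p, html)]
    decoders = [p for p in DECODERS if re.search(p, html)]
    blobs = BASE64_BLOB.findall(html)
    if sinks:
        score += 2
        reasons.append(f"download sink matched: {sinks[0]}")
    if decoders:
        score += 1
        reasons.append("client-side decoding of embedded data")
    if blobs:
        score += 2
        reasons.append(f"embedded base64 run of {len(blobs[0])} chars")
        kind = sniff_payload(blobs[0])
        if kind:
            score += 3
            reasons.append(f"decoded payload starts like a {kind} file")
    # An inline base64 image on a page with script scores 2; smuggling scores 5 or more.
    return Verdict(score >= 4, score, reasons)


# Constructed samples (not real captures). The "payload" is a zip header plus padding.
SMUGGLED = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()
MALICIOUS_SAMPLE = f"""<html><body><p>Your invoice is ready.</p>
<script>
  var data = "{SMUGGLED}";
  var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  if (window.navigator.msSaveOrOpenBlob) {{
    window.navigator.msSaveOrOpenBlob(blob, "invoice.zip");
  }} else {{
    var a = document.createElement("a");
    a.href = window.URL.createObjectURL(blob);
    a.download = "invoice.zip";
    a.click();
  }}
</script></body></html>"""

# Benign page: an inline base64 PNG plus harmless script, which must not trip the detector.
PNG_DATA = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200).decode()
BENIGN_SAMPLE = f"""<html><body>
<img src="data:image/png;base64,{PNG_DATA}">
<script>document.getElementById("x");</script>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = scan_html(doc)
        print(name, v.suspicious, v.score, v.reasons)
```

The scoring deliberately requires more than one indicator: a base64 data URI alone is everyday web content, and a `download` attribute alone is a legitimate way to serve files, but script that decodes a long base64 run and feeds it to a download sink is the smuggling signature. Real attachments also split or obfuscate the base64 string, so a production version would normalize string concatenation before applying the blob regex.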
📱 A new study found that the Graphics Processing Unit (GPU) in some Android smartphones could be used to eavesdrop on a user’s credentials while the user types them on the smartphone’s on-screen keyboard. [University of Pittsburgh]
🔻 Three months after authentication platform Okta was breached by hacking group Lapsus$, the company wrapped up its internal investigation after finding that the impact was less serious than initially assumed. While prior reports indicated that the maximum period of unauthorized access was no more than five days, the recent forensic report found that the access period was actually just 25 minutes. And where the previous impact assessment capped the maximum number of organizations affected at 366, the new report found that only two Okta customers’ authentication systems had been accessed. [The Hacker News]
🇨🇳 The number of Chinese espionage groups in the threat landscape dropped from at least 244 separate Chinese actor sets, tracked over the last five years, to 36 active groups, pointing to “more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors,” as the actors evolve their operations to closely align with national-level priorities around economic development and national defense.
What’s more, of the 733 new malware families tracked in 2021, the most common categories were backdoors (31%), downloaders (13%), droppers (13%), ransomware (7%), launchers (5%), and credential stealers (5%). [Mandiant]
↘️ Researchers disclosed a security vulnerability discovered in Samsung’s Android devices (CVE-2022-22292) running Android versions 9, 10, 11, and 12 that could be potentially exploited by a rogue app to gain elevated privileges to factory reset phones, make phone calls, install and uninstall apps at will. The issue was addressed by Samsung in February 2022. [Kryptowire]
🗄️ The past weeks in data breaches, leaks, and ransomware: American Dental Association, Austin Peay State University, Cashio, Christie Business Holdings Company, Deutsche Windtechnik, Elephant Money, Emma Sleep Company, Ermenegildo Zegna, Florida International University, GHT Coeur Grand Est. Hospitals and Health Care, Inverse Finance, Nordex, North Carolina A&T University, Omnicom, Onleihe, Parker Hannifin, Partnership HealthPlan of California, Ronin Network, Snap-on, Shutterfly, SuperCare Health, The Works, and the government of Costa Rica.