7 teens arrested in LAPSUS$ bust
The arrests cap off weeks of frenzied hacking activity by the criminal cartel
Law enforcement officials in the City of London said they arrested seven people between the ages of 16 and 21 for suspected connections to the notorious LAPSUS$ extortion gang, which has drawn attention for its headline-grabbing attacks on some of the world’s largest companies.
“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O’Sullivan said in a statement. “Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.”
The bust came mere hours after Bloomberg published a report about a 16-year-old boy living at his mother’s house near Oxford, England, who is suspected of being the LAPSUS$ mastermind. It’s not clear whether the minor is among those arrested.
The development comes as Microsoft and Okta this week confirmed they were breached by the hacking crew, granting it access to their internal systems and stealing sensitive data in the process.
LAPSUS$, a relative newcomer to the scene, has been on a hacking spree of late, targeting a series of high-profile corporations including Impresa, NVIDIA, Samsung, Mercado Libre, Vodafone, and Ubisoft. Unlike typical ransomware gangs, the group neither deploys ransomware nor encrypts files or data; instead it exfiltrates data and uses the threat of publication to extort the target.
Microsoft said LAPSUS$ is responsible for a “large-scale social engineering and extortion campaign,” and engages in a “unique blend of tradecraft,” adding it’s “also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.” The group is said to operate on its own, without ties to other cybercriminal/ransomware syndicates or nation-state sponsorship.
It’s too early to say what impact the crackdown will have on the group. While the arrests may leave the future of LAPSUS$ uncertain, it’s certainly possible that other threat actors could emulate its approach.
At the same time, the law enforcement action may not necessarily put a stop to the group’s operations, given that it is believed to be based in South America. Its members may go underground to let the attention die down and reorganize under a different brand to continue from where they left off.
What’s trending in security?
⛔ Two Pyongyang-backed hacking crews exploited a now-patched zero-day flaw (CVE-2022-0609) in the Chrome browser to target over 335 people at U.S.-based organizations spanning the news media, IT, cryptocurrency, and fintech industries. “North Korea has taken a page out of China’s cyber playbook to reorganize and consolidate its threat groups within the government - making them ‘extremely mobile now that they’ve consolidated,’” Mandiant said. [The Hacker News]
❌ Yet another data wiper targeting Ukrainian organizations was identified, making it the third piece of destructive malware found since Russia began its invasion of the country. Dubbed CaddyWiper, the wiper targeted “a few dozen systems in a limited number of organizations” and appears to have been compiled on March 14, the same day it was deployed and executed. The malware has not been attributed to a known threat actor. [The Hacker News]
⚠️ Software supply chain security fears escalated again with what’s being described as the “deliberate sabotage” of the popular NPM library node-ipc by its own developer, with code that “targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji.”
Brandon Nozaki Miller aka RIAEvangelist, the developer of the open-source networking tool, sabotaged its functionality to wipe files on systems that use the library and are geolocated in Russia or Belarus, as a protest against the invasion of Ukraine. The wiper component was later removed, only for the package to pull in another dependency called “peacenotwar” that displayed war-related messaging on developers’ desktops.
The deliberate act, part of an emerging trend dubbed protestware, has once again brought the focus back to the security issues tied to code dependencies and the larger software supply chain. The Open Source Initiative called the “weaponization of open source” an act of cyber vandalism that “outweigh[s] any possible benefit.” [The Hacker News / Open Source Initiative]
🛡️ Apple released updates to iOS, macOS, tvOS, watchOS, and Safari web browser to address a number of security issues, including a flaw in the Mail app that could leak a user’s IP address when downloading remote content. [Apple]
💵 Maksim Berezan, an Estonian man, has been sentenced to 66 months in federal prison for participating in at least 13 ransomware attacks that caused more than $53 million in losses. “Berezan was an active member of an exclusive online forum designed for Russian-speaking cybercriminals to gather safely and exchange their criminal knowledge, tools, and services,” the U.S. Justice Department (DoJ) said. “From 2009 through 2015, Berezan not only furthered the criminal aims of the forum, but he also worked closely with forum members and other cybercriminals for purposes of obtaining and exploiting stolen financial account information.” [DoJ / Krebs on Security]
🛰️ The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned of “possible threats” to U.S. and international satellite communication (SATCOM) networks in the wake of a cyber attack on the Viasat KA-SAT network, used extensively by the Ukrainian military, around the time the Russian army invaded Ukraine on February 24. “Successful intrusions into SATCOM networks could create risk in SATCOM network providers' customer environments,” the agencies said. [CISA]
🚨 Google removed an app with over 100,000 downloads from its Play Store after security researchers warned that it was harvesting the Facebook credentials of smartphone users. Called “Craftsart Cartoon Photo Tools,” the app was found to embed the Android trojan known as Facestealer. The development also comes as an Android banking trojan named Aberebot has staged a return as Escobar, with the capability to steal sensitive information such as login credentials using phishing overlays. [Pradeo / Cyble]
🪟 The operators of the BitRAT backdoor have launched a new campaign targeting users who try to activate pirated versions of Windows operating systems for free through unofficial license activators. The criminals behind the campaign distribute the payloads in the guise of Windows 10 Pro license activators and push them on webhards, online storage services popular in South Korea. [ASEC / Bitdefender]
🌩️ Thousands of mobile apps – some of which have been downloaded tens of millions of times – are exposing sensitive data through open cloud-hosted databases due to misconfigured cloud implementations. Of all the Firebase-backed applications uploaded to VirusTotal, 2,113 apps were left with their databases open, leaving user data unprotected and easily accessible for threat actors to exploit. Exposed information includes chat messages in popular gaming apps, personal family photos, token IDs on a healthcare application, data from cryptocurrency exchange platforms, and more. [Check Point / Dark Reading]
🗯️ Trojanized WhatsApp apps, i.e., unofficial modifications of the messaging application including GBWhatsApp, OBWhatsApp, and WhatsApp Plus that were distributed through rogue websites, were found to spread a new Android trojan in January 2022 called Android.Spy.4498 that “steals the contents of other apps’ notifications, […] download apps and offer users to install them, and can also display various dialog boxes.” [Dr.Web]
👻 Threat actors are targeting poorly secured Microsoft SQL and MySQL database servers with weak account credentials to deploy the Gh0stCringe (aka CirenegRAT) remote access trojan on the compromised hosts. “Gh0stCringe RAT is a RAT malware that connects to the C&C server and performs various malicious behaviors by receiving commands from the attacker,” the researchers said. [ASEC]
🦝 The information stealer known as Raccoon Stealer, which is capable of stealing passwords, cookies, and data from browser plugins as well as downloading arbitrary payloads, has been found abusing the Telegram messaging app for command-and-control communications. The most prominent payloads it delivered were clipboard crypto stealers and WhiteBlackCrypt ransomware. On a related note, the malware’s operators have announced that they are suspending work after claiming that one of its developers died in Russia’s invasion of Ukraine. [Avast / Bleeping Computer]
🌷 Google has blown the lid off Exotic Lily, a full-time cybercriminal initial-access group that uses phishing to infiltrate organizations’ networks for further malicious activity. The group is believed to have links to the high-profile ransomware crews Conti and Diavol, working as an initial access broker (IAB) for a Russia-linked cybercriminal gang called Wizard Spider (aka FIN12), a threat actor known for operating the TrickBot, BazarBackdoor, and Anchor malware.
The “resourceful” group mirrors tactics and techniques associated with APT-style targeted attacks. Exotic Lily is part of the emerging crop of initial access brokers, which refer to groups that specialize in compromising organizations and then sell that access to other threat actors for financial gain.
In a rather unusual move, the adversary sets up fake personas and new domains that spoof legitimate companies, then sends proposal-themed lures and establishes communications with people inside the organization to build credibility before eventually sending malware-laden documents via file-sharing services and gaining access to the network without being detected. [The Hacker News]
🤖 The modular botnet known as Cyclops Blink, linked to Sandworm – the Russian advanced persistent threat (APT) behind the NotPetya wiper attacks – has been observed striking ASUS routers. The attacks currently appear focused on building out infrastructure; the expansion in device targeting is seen as a bid to cast a wide net and indiscriminately spread the infection, enlisting the routers into a large botnet for mounting further attacks on high-value targets.
“The purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,” the researchers said. “But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.” [The Hacker News]
⚡ A large-scale phishing operation using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, has been found to share infrastructure with that linked to the Wizard Spider group. That said, the overlap may not indicate an operation by the Russian cybercrime group; it may instead reflect multiple actors reusing the same network infrastructure.
“A large cache of valid credentials for Naver is potentially very valuable: it can provide access to the personal Naver accounts of a wide variety of victims while also providing access to several other enterprise logins as a result of password reuse,” the researchers said. [Prevailion]
🏢 An unknown and likely advanced threat actor has been spotted using distinctive, novel methods to backdoor French entities in the construction, real estate, and government sectors. The ultimate motives behind the campaign have not been ascertained so far, but one particularly significant aspect of the attack chain is how it uses legitimate tools to deploy the backdoor.
The attack starts with a well-known technique – emails containing a macro-enabled Microsoft Word document masquerading as information relating to the EU GDPR regulations – and ends up with an attempt to install a backdoor known as Serpent on target systems.
What happens in between the infection sequence, though, is what makes these attacks stand out. This includes the use of the Chocolatey Windows package manager as a first-stage payload as well as leveraging PowerShell and Python scripts steganographically hidden in seemingly harmless images. The campaign marks the first known case where Chocolatey has been abused in the wild by a threat actor. [The Hacker News]
💲 The U.S. Federal Bureau of Investigation (FBI) is warning that attackers are targeting U.S. critical infrastructure with the AvosLocker ransomware-as-a-service (RaaS). AvosLocker is known to practice what’s called triple extortion, in which the operators mount distributed denial-of-service (DDoS) attacks to put pressure on victims during negotiations, in addition to exfiltrating, encrypting, and leaking their data. “AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets,” the FBI’s Internet Crime Complaint Center (IC3) reported.
The development comes as “franchise” deals and new partnerships have emerged in the Ransomware-as-a-Service (RaaS) industry, with cybercriminal groups increasingly licensing ransomware strains and using them under their own brand names. [IC3]
⚔️ Malicious actors are targeting other hackers with clipboard-stealing malware (dubbed "ClipBanker") disguised as cracked versions of BitRAT and Quasar RAT, with the goal of siphoning money from cryptocurrency wallets. [ASEC]
❓ Microsoft Compiled HTML Help (CHM) files are being weaponized to deliver the Vidar infostealer malware to target machines as part of a new phishing attack. In a related email-based campaign mounted by a threat actor tracked as FIN7 (aka Carbanak), malicious Microsoft Excel add-in files (XLL) have been used to distribute the JSSLoader remote access trojan. [Trustwave / Morphisec]
🌐 Researchers have discovered that thousands of JavaScript websites are vulnerable to what’s called prototype pollution, which “allows attackers to modify, or ‘pollute,’ a prototype, which is a built-in property of a JavaScript object. An attacker who manages to alter a JavaScript object prototype can execute a variety of malicious actions,” including cross-site scripting (XSS), cookie manipulation, and URL manipulation. [JHU]
🏛️ Chinese cybersecurity company Qihoo 360 alleged that a hacking group backed by the U.S. National Security Agency (NSA), which it calls APT-C-40, has been behind a long-running campaign aimed at leading companies, governments, research institutes, and infrastructure over the past decade. “The group has stolen massive amounts of critical data, and the potential risk it poses is immeasurable,” the research noted. [South China Morning Post]
🗄️ The last two weeks in data breaches, leaks, and ransomware: Denso, ELTA, Fantasm Finance, Hubspot, JDC Healthcare Management, Miratorg Agribusiness Holding, Morgan Stanley, Paraluni, Rosneft, Scottish Association for Mental Health, South Denver Cardiology Associates, Transneft, TransUnion, and Viasat.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!