At a glance.
- Law enforcement shutters BreachForums.
- Turla uses new backdoors against a European ministry of foreign affairs.
- Social engineering campaign spreads Black Basta ransomware.
Law enforcement shutters BreachForums.
The US Federal Bureau of Investigation (FBI) has seized the BreachForums website and Telegram channel, BleepingComputer reports. The website displays a seizure notice stating, "This website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing this site's backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us."
The Bureau has also posted a form on its IC3 portal for individuals to share information on BreachForums and its members. The form states, "From June 2023 until May 2024, BreachForums (hosted at breachforums[.]st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services. Previously, a separate version of BreachForums (hosted at breached[.]vc/.to/.co and run by pompompurin) operated a similar hacking forum from March 2022 until March 2023."
BleepingComputer notes that data stolen from a Europol information-sharing portal was leaked on BreachForums last week.
Turla uses new backdoors against a European ministry of foreign affairs.
ESET has published a report on two newly discovered backdoors dubbed "LunarWeb" and "LunarMail" that were used by the Russian threat actor Turla to compromise a European ministry of foreign affairs and three of its diplomatic institutions in the Middle East. ESET notes, "To hide its C&C communications, LunarWeb impersonates legitimate-looking traffic, spoofing HTTP headers with genuine domains and commonly used attributes. It can also receive commands hidden in images."
The researchers add, "We don’t know exactly how initial access was gained in any of the compromises. However, recovered installation-related components and attacker activity suggest possible spearphishing and abuse of misconfigured network and application monitoring software Zabbix. Potential Zabbix abuse is suggested by a LunarWeb installation component imitating Zabbix logs, and a recovered backdoor command used to get the Zabbix agent configuration. Additionally, evidence of spearphishing includes a Word document installing a LunarMail backdoor via a malicious macro."
Social engineering campaign spreads Black Basta ransomware.
ReliaQuest describes a major social engineering campaign that's distributing the Black Basta ransomware. The researchers explain, "In customer incidents, ReliaQuest observed the attack beginning with a threat actor signing up a specific user’s email for newsletters, mailing lists, and other spam sources, resulting in the user receiving thousands of unwanted emails. The affected users then receive calls from the threat actor, impersonating legitimate IT staff, who persuasively guide the user to download remote access software such as Quick Assist—natively present in Windows 11—or AnyDesk, thus gaining initial access."
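As an added defender-side example (not from ReliaQuest or the original briefing), the following Python correlates the two stages of the chain described above: a burst of mail to one recipient, followed shortly by that user launching Quick Assist or AnyDesk. The log field layouts, thresholds and sample records are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-access tools named in the campaign description (matched case-insensitively).
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}

# Constructed sample mail-gateway records: (delivery time, recipient).
# alice receives 1200 messages in 20 minutes; bob receives one.
MAIL_LOG = [(datetime(2024, 5, 14, 9, 0) + timedelta(seconds=i), "alice@example.com")
            for i in range(1200)]
MAIL_LOG.append((datetime(2024, 5, 14, 9, 5), "bob@example.com"))

# Constructed endpoint events: (time, user, process image name).
PROC_LOG = [
    (datetime(2024, 5, 14, 9, 40), "alice@example.com", "QuickAssist.exe"),
    (datetime(2024, 5, 14, 9, 41), "bob@example.com", "anydesk.exe"),
]

def find_bomb_victims(mail_log, threshold=500, window=timedelta(hours=1)):
    """Return {recipient: burst start} for recipients who received more than
    `threshold` messages inside any sliding `window` (the email-bombing stage)."""
    by_user = defaultdict(list)
    for ts, rcpt in mail_log:
        by_user[rcpt].append(ts)
    victims = {}
    for rcpt, times in by_user.items():
        times.sort()
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:   # slide the window start forward
                left += 1
            if right - left + 1 > threshold:
                victims[rcpt] = times[left]
                break
    return victims

def correlate(mail_log, proc_log, follow=timedelta(hours=4)):
    """Alert when an email-bombed user launches a remote-access tool within
    `follow` of the burst start (the vishing / Quick Assist stage)."""
    victims = find_bomb_victims(mail_log)
    alerts = []
    for ts, user, proc in proc_log:
        if proc.lower() in REMOTE_TOOLS and user in victims:
            if timedelta(0) <= ts - victims[user] <= follow:
                alerts.append((user, proc, ts))
    return alerts

if __name__ == "__main__":
    for user, proc, ts in correlate(MAIL_LOG, PROC_LOG):
        print(f"ALERT {ts:%H:%M} {user} launched {proc} after email bombing")
```

Bob's AnyDesk launch is not flagged because he received no mail burst, which is the point of correlating the stages rather than alerting on remote-tool execution alone.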