At a glance.
- Alleged administrator of top cybercrime forum arrested.
- Suspected Chinese cyberespionage campaign targets hypervisors.
- US cracks down on North Korean IT worker fraud.
- Mitel patches critical flaw.
Alleged administrator of top cybercrime forum arrested.
Ukrainian police have arrested the suspected administrator of the Russian-language cybercrime forum XSS[.]is, the Record reports. The individual was arrested in Kyiv earlier this month with the assistance of Europol and French authorities. XSS[.]is has been operational since 2013, offering a wide range of criminal services.
Europol said in a statement, "The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity. Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions. He is also believed to have run thesecure.biz, a private messaging service tailored to the needs of the cybercriminal underground. Through these services, the suspect is thought to have made over EUR 7 million in advertising and facilitation fees. Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years."
Suspected Chinese cyberespionage campaign targets hypervisors.
Sygnia has published a report on a cyberespionage actor dubbed "Fire Ant" that's targeting VMware ESXi, vCenter, and network appliances for "initial access, lateral movement, and long-term persistence." Sygnia observed the threat actor using the following approach:
- "vCenter Initial Compromise: They exploited CVE-2023-34048 to achieve unauthenticated remote code execution on vCenter, gaining control over the virtualization management layer.
- "Lateral Movement to ESXi hosts and Persistence: From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts. They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots.
- "Guest VM Access and Exploitation: With control over the hypervisor, the attacker interacted directly with guest virtual machines. They manipulated VMX processes and used CVE-2023-20867 to execute commands via PowerCLI without in-guest credentials, tampered with security tools, and extracted credentials from memory snapshots, including domain controllers."
While Sygnia refrains from conclusive attribution, the researchers note that the TTPs "strongly align" with previous activity by the China-nexus threat actor UNC3886. Singapore's OT-ISAC warned this week that UNC3886 was exploiting zero-days in Fortinet, VMware, and Juniper products in order to infiltrate the country's critical infrastructure. Sygnia told the Record that the campaign observed by Singapore "definitely correlate[s]" with Sygnia's research on Fire Ant.
US cracks down on North Korean IT worker fraud.
The US Treasury Department has sanctioned a North Korean company and three North Korean individuals for their alleged roles in supporting Pyongyang's fraudulent IT worker schemes, BleepingComputer reports. Treasury says the sanctioned firm, Korea Sobaeksu Trading Company, "is a DPRK-based trading company that operates as a front company for the U.S.-designated Munitions Industry Department, which oversees the DPRK’s nuclear program and is involved in the development of ballistic missiles."
The US Justice Department also sentenced a 50-year-old Arizona woman to eight years in prison for helping North Korean IT workers obtain remote positions at over 300 US companies, generating more than $17 million in revenue. The DOJ says Christina Marie Chapman "operated a 'laptop farm' where she received and hosted computers from the US companies in her home, so that the companies would believe the workers were in the United States."
The FBI issued guidance on Wednesday to help companies avoid falling for these schemes.
Mitel patches critical flaw.
Mitel has issued a patch for a critical authentication bypass flaw affecting its MiVoice MX-ONE enterprise communications platform, SecurityWeek reports. The vulnerability, which was assigned a CVSS score of 9.4, could "allow an attacker to gain unauthorized access to user or admin accounts in the system." Users are urged to apply patches as soon as possible. Mitel has also outlined mitigations for users who are unable to patch immediately.
