Top stories.
- Researchers blame Iranian government for LA transit authority hack.
- Thousands of domains are impersonating FIFA ahead of the World Cup.
- Dutch police dismantle a botnet.
Researchers blame Iranian government for LA transit authority hack.
Iranian government hackers were likely behind a March cyberattack that disrupted parts of the Los Angeles County Metropolitan Transportation Authority (LACMTA), SecurityWeek reports. The attack was claimed by a threat actor dubbed "Ababil of Minab," which purports to be an independent, pro-Iranian hacktivist group. Israeli cybersecurity firm Gambit Security published a report this week, however, tying the threat actor to Iran's Ministry of Intelligence and Security (MOIS). The researchers also blame this group for data-wiping attacks against the South Florida Regional Transportation Authority, Maryland-based connected-vehicle software company Agnik, and a Saudi Arabian construction company focused on critical infrastructure.
Gambit says Ababil of Minab used command-and-control infrastructure that was previously observed in attacks by Black Shadow, a threat actor attributed by Israel's National Cyber Directorate to Iran's MOIS.
Thousands of domains are impersonating FIFA ahead of the World Cup.
Group-IB has identified more than 4,300 malicious domains impersonating FIFA's online presence ahead of the World Cup next month, the Record reports. The researchers are tracking six distinct fraud campaigns run by four separate threat actors, involving "credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting and casino sites, and infostealer-driven credential theft."
One of the campaigns tracked by Group-IB is run by a Chinese-speaking threat actor dubbed "GHOST STADIUM" that's using at least 300 identical clones of FIFA's website to steal credentials and payment details. The researchers state, "GHOST STADIUM has built a pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow and multi-language support in 11 languages. A conservative estimate based on the campaign’s observable infrastructure places the potential financial losses from premium ticket fraud alone (accounting for ~25% of 300+ phishing domains) at between $71 million and $474 million — and the total campaign losses across all tiers could reach into the billions."
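The lookalike-domain triage that a campaign of this kind calls for, as an added example that is not Group-IB's or the article's own code: it folds visually confusable characters, then flags a candidate that becomes the brand once folded (homoglyph), embeds the brand in a longer name or a subdomain (keyword), or sits within a small edit distance of it (typosquat). The brand label, the fifa.com allowlist, the small confusables table and the candidate domains are all assumptions constructed for the illustration, not observed indicators.

```python
"""Triage candidate domains against a brand name.

Added illustration for the FIFA impersonation story; not Group-IB's tooling.
The candidate domains below are constructed, not observed indicators, and
fifa.com is assumed here to be the one legitimate domain.
"""
import unicodedata
from difflib import SequenceMatcher

BRAND = "fifa"                 # must be unchanged by fold() below
ALLOWLIST = {"fifa.com"}       # assumption for the example
SIMILARITY_THRESHOLD = 0.8

# Characters that read as a Latin letter in common fonts. A small sample,
# not the full Unicode confusables table.
CONFUSABLES = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "l": "i",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
}
# Two-character pairs that read as one letter.
PAIRS = {"vv": "w", "rn": "m"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so Unicode look-alikes can be compared.
    Domains that already contain non-ASCII text are returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def fold(label: str) -> str:
    """Lowercase a label and fold visually confusable characters."""
    label = unicodedata.normalize("NFKC", label.lower())
    for pair, letter in PAIRS.items():
        label = label.replace(pair, letter)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify(domain: str, brand: str = BRAND) -> str:
    """Return one of: legitimate, homoglyph, keyword, typosquat, unrelated."""
    domain = to_unicode(domain).lower().rstrip(".")
    if domain in ALLOWLIST:
        return "legitimate"
    labels = domain.split(".")
    # Second-level label; a real tool would consult the public-suffix list
    # so that names such as brand.co.uk are split correctly.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    host_part = ".".join(labels[:-1]) if len(labels) >= 2 else domain
    if fold(sld) == brand:
        return "homoglyph"      # f1fa, Cyrillic-i fifa: the brand once folded
    if brand in fold(host_part):
        return "keyword"        # fifa-tickets..., fifa.com.<anything>.net
    if SequenceMatcher(None, fold(sld), brand).ratio() >= SIMILARITY_THRESHOLD:
        return "typosquat"      # one-character slips such as fifia
    return "unrelated"


def triage(domains):
    """Map each suspicious candidate to its category; legitimate ones are dropped."""
    findings = {}
    for domain in domains:
        category = classify(domain)
        if category != "legitimate":
            findings[domain] = category
    return findings


if __name__ == "__main__":
    # Constructed candidates for the demo; none is a real observed indicator.
    candidates = [
        "fifa.com",
        "f1fa.net",
        "f\u0456fa.com",          # Cyrillic i in place of Latin i
        "fifa-tickets2026.com",
        "fifa.com.secure-login.net",
        "fifia.com",
        "example.org",
    ]
    for domain, category in triage(candidates).items():
        print(f"{category:10s} {domain}")
```

Domain heuristics are a first filter, not a verdict: a clone with a valid certificate and a faithful SSO flow looks legitimate to a user once they have landed on it, so a hit here should feed takedown requests and blocklists rather than replace them. The similarity threshold and the confusables table are tuning points; widen them and the "typosquat" bucket fills with unrelated short names.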
Dutch police dismantle a botnet.
Dutch authorities have dismantled a botnet composed of 17 million infected devices, the Register reports. The Dutch National Cyber Security Centre stated, "The investigation revealed that the botnet consisted of at least 17 million infected devices and that the 200 servers used to host the infrastructure were located in the Netherlands. The police then seized multiple botnet servers from a hosting provider for investigation. The botnet was taken offline by the provider because it was being used for criminal purposes."
The police didn't name the botnet, but BleepingComputer cites local media reports as saying it was tied to the Asocks residential proxy service.