At a glance.
- The takedown of Genesis Market.
- Preventing abuse of the Cobalt Strike pentesting tool.
- Update on the 3CX incident.
- Western Digital discloses cyberattack.
- Threat actor movements observed and reported over the week.
- Latest trends and reports.
- Developments in the cyber phases of Russia's hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Cybersecurity's latest business developments.
- Research developments this week.
The takedown of Genesis Market.
Genesis Market, a popular online cybercriminal shop, was seized by the FBI in a takedown on Tuesday. The criminal operation, Bleeping Computer reports, has been linked to millions of cyber incidents across the world, with over 80 million stolen credentials and fingerprints present on the site. CNN reports that Operation Cookie Monster was broad in scope, with many international law enforcement agencies participating. It followed a series of law enforcement operations involving coordinated arrests and raids.
Europol reported Wednesday that Tuesday’s seizure of the Genesis Market criminal marketplace was a combined operation involving 17 countries. 119 people were arrested, 208 properties were searched, and a reported 97 “knock and talk measures” took place. This combined effort was spearheaded by the US Federal Bureau of Investigation (FBI) and the Dutch National Police (Politie). A Wednesday US Department of Justice (DoJ) press release discloses that law enforcement seized 11 domain names that supported the Genesis Market infrastructure. For more on Operation Cookie Monster, see CyberWire Pro, and for more on the Genesis Market arrests, check out our coverage here.
Preventing abuse of the Cobalt Strike pentesting tool.
Microsoft’s Digital Crimes Unit (DCU), in collaboration with cybersecurity company Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), is taking legal and technical measures to disrupt illicit versions of Cobalt Strike and abused Microsoft software. Microsoft says the cracked software has been used in more than 68 ransomware attacks targeting healthcare institutions around the world, which “have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments.” For more on Cobalt Strike, see CyberWire Pro.
Update on the 3CX incident.
The 3CXDesktopApp attacks increasingly look like the work of North Korea’s Lazarus Group, the Record reports. CrowdStrike initially disclosed “suspected nation-state involvement” by the Lazarus Group (or “Labyrinth Chollima,” as CrowdStrike tracks it). The outlet reports that Sophos on Friday also linked some evidence from the attacks to Lazarus, reporting that a shellcode loader used in the attacks had previously been seen only in Lazarus Group operations. Computing reports that the attack was likely intended, ultimately, to deploy information-stealing malware, with a particular focus on browsing history. Given the likely attackers, espionage makes sense as an ultimate goal. Computing also notes that it’s not yet publicly known how the attacker entered 3CX’s systems, or whether they still have access. Fortinet released threat research on Thursday detailing the supply chain attack, which has been assigned the designation CVE-2023-29059. Fortinet notes that the primary targets have been organizations in Europe and North America, and it provides indicators of compromise.
Western Digital discloses cyberattack.
California-based data storage provider Western Digital has disclosed a breach in which an unauthorized third party gained access to its systems, the Register reports. Computing reports that the company has shut down its My Cloud consumer cloud and backup service while it investigates the incident. The company hasn’t disclosed the nature of the attack, and the investigation is still in its early stages. Western Digital said in a statement that it detected an incident on March 26th, initiated its incident response plans, and began taking steps to remediate the issue. For more on the effects of the attack against Western Digital, see CyberWire Pro.