By the CyberWire staff
At a glance.
- Law enforcement shutters BreachForums.
- Europol investigates breach of information-sharing portal.
- Black Basta ransomware targets critical infrastructure entities.
- Wichita ransomware attack resulted in data theft.
- Turla uses new backdoors against a European ministry of foreign affairs.
- FCC describes robocall threat actor.
- Malicious GitHub repositories impersonate popular applications.
- Firstmac Limited discloses data breach.
- Phorpiex botnet distributes LockBit ransomware.
Law enforcement shutters BreachForums.
The US Federal Bureau of Investigation (FBI) has seized the BreachForums website and Telegram channel, BleepingComputer reports. The website displays a seizure notice stating, "This website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing this site's backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us."
The Bureau has also posted a form on its IC3 portal for individuals to share information on BreachForums and its members. The form states, "From June 2023 until May 2024, BreachForums (hosted at breachforums[.]st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services. Previously, a separate version of BreachForums (hosted at breached[.]vc/.to/.co and run by pompompurin) operated a similar hacking forum from March 2022 until March 2023."
BleepingComputer notes that data stolen from a Europol information-sharing portal was leaked on BreachForums last week.
Europol investigates breach of information-sharing portal.
Europol is investigating a breach of its Platform for Experts knowledge-sharing portal, BleepingComputer reports. Europol stated, "Europol is aware of the incident and is assessing the situation. Initial actions have already been taken. The incident concerns a Europol Platform for Experts (EPE) closed user group. No operational information is processed on this EPE application. No core systems of Europol are affected and therefore, no operational data from Europol has been compromised."
The cybercriminal threat actor IntelBroker claims to have stolen documents containing classified data, including "information on alliance employees, FOUO source code, PDFs, and documents for recon and guidelines." Europol hasn't disclosed what type of information was breached.
Black Basta ransomware targets critical infrastructure entities.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory on the Black Basta ransomware-as-a-service operation, stating that Black Basta affiliates have breached more than five hundred organizations since the ransomware surfaced in April 2022. The advisory notes that the threat actors "have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector." The agencies add, "Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions."
CNN cites sources as saying a Black Basta affiliate was responsible for the attack against the Ascension healthcare network last week.
ReliaQuest describes a major social engineering campaign that's distributing the Black Basta ransomware. The researchers explain, "In customer incidents, ReliaQuest observed the attack beginning with a threat actor signing up a specific user’s email for newsletters, mailing lists, and other spam sources, resulting in the user receiving thousands of unwanted emails. The affected users then receive calls from the threat actor, impersonating legitimate IT staff, who persuasively guide the user to download remote access software such as Quick Assist—natively present in Windows 11—or AnyDesk, thus gaining initial access."
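The email-bombing stage ReliaQuest describes is visible in mail gateway logs well before the follow-up phone call: one mailbox suddenly receives a flood of messages from many unrelated list senders. The script below is an added example, not code from ReliaQuest or from the CyberWire report; it assumes a simplified, constructed log line format (`timestamp to=… from=… subject=…`) and example thresholds (50 messages from 20 or more distinct senders within 10 minutes) that a team would tune to its own baseline. It builds its own sample log inline so it runs offline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified gateway log format (constructed for this example, not a vendor format):
#   2024-05-13T09:00:01Z to=alice@example.com from=news@list1.example subject="..."
LINE_RE = re.compile(r'^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<from>\S+) ')


def parse_line(line):
    """Parse one log line into (timestamp, recipient, sender); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("to").lower(), m.group("from").lower()


def find_email_bombing(lines, window_minutes=10, min_messages=50, min_senders=20):
    """Return {recipient: peak_messages_in_window} for mailboxes that look email-bombed.

    A burst is flagged only when it is both high-volume and comes from many distinct
    senders, which separates a subscription bomb from a single noisy list or thread.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort()
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # recipient -> deque of (ts, sender) inside the window
    flagged = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_senders = {s for _, s in q}
        if len(q) >= min_messages and len(distinct_senders) >= min_senders:
            flagged[rcpt] = max(flagged.get(rcpt, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample: alice gets 60 confirmations from 30 lists in 5 minutes; bob gets normal mail."""
    base = datetime(2024, 5, 13, 9, 0, 0)
    lines = []
    for i in range(60):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f'{ts:%Y-%m-%dT%H:%M:%SZ} to=alice@example.com '
                     f'from=news@list{i % 30}.example subject="Confirm your subscription"')
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f'{ts:%Y-%m-%dT%H:%M:%SZ} to=bob@example.com '
                     f'from=colleague{i}@example.com subject="Q2 report"')
    return lines


if __name__ == "__main__":
    for rcpt, peak in find_email_bombing(build_sample_log()).items():
        print(f"possible email bombing: {rcpt} ({peak} messages in window)")
```

A hit on a mailbox is a cue for the help desk to warn that user that any unsolicited "IT support" call offering to fix the mail flood is the next step of the same intrusion, and to confirm that remote-assistance tools such as Quick Assist and AnyDesk are only launched through sanctioned channels.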
Wichita ransomware attack resulted in data theft.
The city of Wichita, Kansas has disclosed that the ransomware attack it sustained earlier this month led to the theft of personal and financial information. The city stated, "As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information."
The city added, "We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world." SecurityWeek reports that the LockBit ransomware gang has claimed responsibility for the attack.
Turla uses new backdoors against a European ministry of foreign affairs.
ESET has published a report on two newly discovered backdoors dubbed "LunarWeb" and "LunarMail" that were used by the Russian threat actor Turla to compromise a European ministry of foreign affairs and three of its diplomatic institutions in the Middle East. ESET notes, "To hide its C&C communications, LunarWeb impersonates legitimate-looking traffic, spoofing HTTP headers with genuine domains and commonly used attributes. It can also receive commands hidden in images."
The researchers add, "We don’t know exactly how initial access was gained in any of the compromises. However, recovered installation-related components and attacker activity suggest possible spearphishing and abuse of misconfigured network and application monitoring software Zabbix. Potential Zabbix abuse is suggested by a LunarWeb installation component imitating Zabbix logs, and a recovered backdoor command used to get the Zabbix agent configuration. Additionally, evidence of spearphishing includes a Word document installing a LunarMail backdoor via a malicious macro."
FCC describes robocall threat actor.
The US Federal Communications Commission (FCC) describes a threat actor dubbed "Royal Tiger" that's launching widespread robocall campaigns impersonating governments, banks, and utility companies in order to defraud consumers, BleepingComputer reports. The group has members in India, the United Kingdom, the United Arab Emirates, and the United States, and uses front companies with "convoluted corporate structures" to conceal its activities.
The FCC stated, "The companies located in the United States are: PZ Telecommunication LLC, Illum Telecommunication Limited, and One Eye LLC, all of which are led by an individual named 'Prince Jashvantlal Anand' and his associate 'Kaushal Bhavsar'....In addition to these U.S. entities, Anand is associated with companies in the United Kingdom and India, and appears to maintain residences in the United Arab Emirates and India. Anand has used the alias 'Frank Murphy' in furtherance of Royal Tiger’s schemes. Bhavsar appears to maintain a residence in India and, according to FCC records, previously maintained a presence in Delaware through One Eye LLC."
US Justice Department charges five individuals for alleged participation in North Korean employment fraud scheme.
The US Justice Department has charged five individuals for their alleged involvement in fraudulent activities designed to fund the North Korean government. The individuals are accused of stealing US citizens' identities in order to secure jobs for North Korean IT workers at US companies. The Justice Department says the scheme generated $6.8 million for the North Korean government from more than 300 American companies.
One of the defendants is a US citizen named Christina Chapman who was arrested in Arizona on Wednesday. Another defendant, Ukrainian national Oleksandr Didenko, was arrested in Poland. The other three individuals are North Korean citizens. The US State Department says the three North Koreans "are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs." With the alleged assistance of Chapman, the three individuals used more than sixty US citizen identities to "obtain work as remote software and applications developers with companies in a range of sectors and industries." Chapman allegedly "received and hosted laptop computers issued to the IT workers by U.S. employers to make it appear that the overseas workers were located in the United States and assisted the workers in connecting remotely to the U.S. companies’ IT networks on a daily basis."
The State Department also announced a $5 million reward "for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea (Democratic People’s Republic of Korea, DPRK), including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support weapons of mass destruction (WMD) proliferation."
Malicious GitHub repositories impersonate popular applications.
Recorded Future's Insikt Group describes a cybercriminal campaign that used malicious GitHub repositories to impersonate legitimate applications, including 1Password, Bartender 5, and Pixelmator Pro. The repositories were designed to deliver several different strains of malware, including Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo. The malware variants shared a common command-and-control infrastructure. The researchers note, "This shared C2 setup hints at a highly organized group with substantial resources and the ability to launch sustained cyberattacks across different operating systems and devices." Recorded Future believes the operation is run by a Russian-speaking criminal group based in former Soviet countries.
Phorpiex botnet distributes LockBit ransomware.
Proofpoint warns that the Phorpiex botnet has been sending millions of phishing messages distributing the LockBit Black ransomware since April 24th. The emails come from the alias "Jenny Green" with the email address "jenny@gsd[.]com." The phishing messages are brief, simply telling users to open the attached document as soon as possible.
Proofpoint explains, "The emails targeted organizations in multiple verticals across the globe and appeared to be opportunistic versus specifically targeted. While the attack chain for this campaign was not necessarily complex in comparison to what has been observed on the cybercrime landscape so far in 2024, the high-volume nature of the messages and use of ransomware as a first-stage payload is notable....The attack chain requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file. The .exe binary will initiate a network callout to Phorpiex botnet infrastructure. If successful, the LockBit Black sample is downloaded and detonated on the end user’s system where it exhibits data theft behavior and seizes the system, encrypting files and terminating services."
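The attack chain Proofpoint describes starts with a ZIP attachment that wraps an executable, which is a pattern a mail gateway can block before any user sees the lure. The code below is an added example, not code from Proofpoint or from the CyberWire report: it parses a raw message, unpacks any ZIP attachment in memory, and flags members that either carry an executable extension or start with the PE `MZ` signature under a harmless-looking name. The sample message, the `gsd.example` sender domain and the fake `MZ` stub are constructed placeholders for this example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that Windows will run directly when a user double-clicks them.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1")
MZ_MAGIC = b"MZ"        # PE/DOS header signature
ZIP_MAGIC = b"PK\x03\x04"


def inspect_zip(data):
    """Return [(member_name, reason)] for suspicious members inside ZIP bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            reason = None
            if name.lower().endswith(EXEC_EXTENSIONS):
                reason = "executable extension"
            else:
                with zf.open(info) as fh:   # read only the first two bytes, never the whole member
                    if fh.read(2) == MZ_MAGIC:
                        reason = "PE header (MZ) under a non-executable name"
            if reason:
                findings.append((name, reason))
    return findings


def inspect_message(raw_bytes):
    """Parse a raw RFC 5322 message and list attachment findings as 'attachment!member: reason'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") or payload[:4] == ZIP_MAGIC:
            for member, reason in inspect_zip(payload):
                findings.append(f"{fname}!{member}: {reason}")
        elif payload[:2] == MZ_MAGIC:
            findings.append(f"{fname}: bare PE attachment")
    return findings


def build_sample_message():
    """Constructed sample modelled on the campaign: terse lure, ZIP holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", MZ_MAGIC + b"\x00" * 62)   # fake PE stub, constructed
        zf.writestr("readme.txt", b"please open the document")
    msg = EmailMessage()
    msg["From"] = "Jenny Green <jenny@gsd.example>"   # placeholder domain, not the real sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "your document"
    msg.set_content("Please open the attached document as soon as possible.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("quarantine:", finding)
```

Because the gateway only reads the first two bytes of each archive member, the check stays cheap and does not expand a large or nested archive; a finding is a reason to quarantine the message, and the callout to the botnet infrastructure that follows execution never has a chance to happen.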
Firstmac Limited discloses data breach.
Firstmac Limited, Australia's largest non-bank lender, has disclosed a breach affecting customers' names, home addresses, email addresses, phone numbers, dates of birth, external bank account information, and driver’s license numbers, SecurityAffairs reports. Firstmac notes that the leaked bank account information can't be used to initiate transactions, but customers should still be on the lookout for suspicious activity. SecurityAffairs notes that the criminal extortion group Embargo last week posted 500 GB of data allegedly stolen from Firstmac.
Patch news.
Apple has issued patches for fifteen vulnerabilities affecting iOS, including a memory corruption flaw (CVE-2024-23296) in RTKit that may have been exploited in the wild, SecurityWeek reports. Apple explained, "An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections."
Apple also released security updates for iPadOS, macOS Sonoma, macOS Ventura, and macOS Monterey.