The CyberWire Daily Podcast 9.19.24
Ep 2154 | 9.19.24

Derailing the Raptor Train botnet.

Transcript

The US government disrupts China’s Raptor Train botnet. A phishing campaign abuses GitHub repositories to distribute malware. Ransomware group Vanilla Tempest targets U.S. healthcare providers. Hackers demand $6 million for stolen airport data. The FCC opens applications for a $200 million cybersecurity grant program. GreyNoise Intelligence tracks mysterious online “Noise Storms”. Scammers threaten Walmart shoppers with arrest. CISA adds five critical items to its known exploited vulnerabilities list. Craigslist founder will donate $100 million to strengthen US cybersecurity. Our guest today is Victoria Samson, Chief Director at Secure World Foundation, talking about space security and stability. Cybercriminals fall prey to the very infostealers they rely on.

Today is Thursday September 19th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The US government disrupts China’s Raptor Train botnet. 

The U.S. government announced the disruption of a massive botnet, “Raptor Train,” created by Chinese state-sponsored hackers, linked to the APT group Flax Typhoon. This botnet, active for four years, compromised 260,000 devices globally, including routers and IP cameras, through various vulnerabilities. At its peak in June 2023, it had over 60,000 active devices, powered by a customized version of the Mirai malware, which enabled DDoS attacks and malware delivery.

The FBI, along with international partners, took control of the botnet’s infrastructure, issuing commands to disable the malware on compromised devices. The hackers attempted to thwart this operation with a DDoS attack, but it failed to stop the takedown. Authorities ensured that legitimate device functions weren’t impacted during the operation. The botnet targeted critical sectors in the U.S. and Taiwan, including government and military. The takedown follows similar actions against other Chinese-linked botnets earlier in the year.

A phishing campaign abuses GitHub repositories to distribute malware.

A phishing campaign is abusing GitHub repositories to distribute malware by exploiting legitimate GitHub notifications. Attackers open false issues on open-source projects, claiming a “security vulnerability” and directing users to a malicious site, “github-scanner[.]com.” This site mimics GitHub but tricks users into installing Windows malware.

Users receive emails from legitimate GitHub servers, making the scam appear more credible. The phishing emails urge recipients to visit the malicious domain, where a fake CAPTCHA prompts them to run malware via a copied command.

The malware, a trojan called ‘l6E.exe,’ is designed to evade detection and maintain persistence on infected systems. It contacts suspicious domains for further activity, many of which are now offline. GitHub users are warned to avoid following links from suspicious “vulnerability” alerts.
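The campaign described above works because the notification itself is genuine; only the issue body is hostile. The following is an added example (not part of the original briefing or of any GitHub tooling) of a triage check a maintainer or mail filter could run over an issue body: it refangs defanged indicators, lists linked hosts that are not GitHub, and flags a “vulnerability” lure only when it is paired with an off-GitHub link or a “run this” instruction. The allowlist, lure phrases and sample bodies are constructed assumptions; the domain is the one named in the story.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine GitHub notification is expected to link to (assumed allowlist).
TRUSTED_HOSTS = {"github.com", "www.github.com"}
# Lure wording used by the campaign plus generic phrases a fake report might reuse.
LURE_PHRASES = ("security vulnerability", "security issue", "vulnerability in your repo")
# Wording that asks the reader to paste and run something, as the fake CAPTCHA page does.
COMMAND_HINTS = ("win+r", "powershell", "copy and paste", "run the following")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging (hxxp://, github-scanner[.]com) so URLs can be parsed."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def external_hosts(body: str) -> list[str]:
    """Return every linked host that is not GitHub itself."""
    hosts = set()
    for url in URL_RE.findall(refang(body)):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in TRUSTED_HOSTS and not host.endswith(".github.com"):
            hosts.add(host)
    return sorted(hosts)


def assess_issue_notification(body: str) -> dict:
    """Flag a body that pairs a vulnerability lure with an off-GitHub link or a run-this command."""
    low = refang(body).lower()
    lure = any(p in low for p in LURE_PHRASES)
    command_hint = any(h in low for h in COMMAND_HINTS)
    hosts = external_hosts(body)
    return {
        "lure": lure,
        "command_hint": command_hint,
        "external_hosts": hosts,
        # A real advisory may use the same words, so the lure alone is never enough.
        "suspicious": lure and (bool(hosts) or command_hint),
    }


# Constructed sample issue bodies (not real notifications).
MALICIOUS = ("Security Vulnerability detected in your repository! Verify your project at "
             "hxxps://github-scanner[.]com/verify and run the following fix.")
BENIGN = "Bug: parser crashes on empty config. Repro: https://github.com/example/repo/issues/12"
ADVISORY = ("Heads up: a security vulnerability in a dependency, see "
            "https://github.com/advisories/GHSA-placeholder")
```

The advisory sample shows why the lure phrase alone must not trigger: a legitimate report uses the same words but links only to GitHub.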

Ransomware group Vanilla Tempest targets U.S. healthcare providers.

Ransomware group Vanilla Tempest is targeting U.S. healthcare providers using the INC ransomware service, according to Microsoft. The group gained initial access through a Gootloader infection, passed from threat actor Storm-0494, allowing lateral movement and ransomware deployment. They used tools like the Supper backdoor, AnyDesk for remote access, and MEGASync for data exfiltration. In some cases, Vanilla Tempest may have skipped encryption, opting instead for extortion using stolen data.

Active since 2021, Vanilla Tempest has attacked various sectors, including education and healthcare, using different ransomware like BlackCat and Quantum Locker. Their shift to INC ransomware, which supports double/triple extortion, signals a focus on faster payouts. Microsoft also noted similarities between Vanilla Tempest (also known as Vice Society) and Rhysida, suggesting possible connections between the groups.

Hackers demand $6 million for stolen airport data. 

Hackers behind the cyberattack on Seattle-Tacoma International Airport are demanding 100 bitcoins (around $6 million) in ransom for stolen data. The attack, attributed to the ransomware gang Rhysida, disrupted Sea-Tac’s systems in August. Rhysida has posted eight files on its darknet site and claims to have over 3 terabytes of data. The Port of Seattle, which operates the airport, refuses to pay the ransom and is reviewing the stolen data. Some of the leaked information includes personal details such as passport scans and tax forms. The Port is offering credit monitoring to affected individuals and continues its investigation. Despite the disruptions, which included handwritten boarding passes and delayed luggage, most systems have been restored. Port officials are working to strengthen cybersecurity and are urging federal agencies to improve the sharing of cyber threat information.

The FCC opens applications for a $200 million cybersecurity grant program. 

The U.S. Federal Communications Commission (FCC) has opened applications for its $200 million Schools and Libraries Cybersecurity Pilot Program, part of the “Learn Without Limits” initiative. The three-year program aims to help K-12 schools and libraries cover the costs of cybersecurity services and equipment. It will use general universal service funds to enhance cybersecurity without undermining the success of the E-Rate program, which promotes digital equity.

Schools and libraries can apply until November 1, 2024, by providing basic information about their cybersecurity needs. Selected participants will later submit more detailed plans. FCC Chairwoman Jessica Rosenworcel emphasized the growing cyber threats targeting these institutions and hopes the program will identify effective tools to safeguard their broadband networks. The program will also collect data to explore broader use of universal service funds for cybersecurity.

GreyNoise Intelligence tracks mysterious online “Noise Storms”. 

Since January 2020, GreyNoise Intelligence has tracked mysterious “Noise Storms” — massive waves of spoofed traffic that challenge cybersecurity experts. These sophisticated attacks use advanced techniques like TTL spoofing and OS emulation, complicating detection and blocking efforts. While millions of spoofed IPs target providers like Cogent and Lumen, AWS is notably avoided, suggesting a strategic actor. Though the traffic appears to originate from Brazil, links to Chinese platforms like QQ and WeChat suggest deliberate obfuscation.

Despite years of analysis, experts remain uncertain about the true intent behind these events, which may involve covert communication, DDoS attacks, or misconfigurations. Recent storms feature the ASCII string “LOVE” in ICMP packets, further deepening the mystery. GreyNoise urges security leaders to use adaptive tools and actionable intelligence to address such evolving threats and stay proactive in a rapidly shifting cybersecurity landscape. And if you have any insights on these noise storms, GreyNoise would love to hear from you. 

Scammers threaten Walmart shoppers with arrest. 

A recent scam targets Walmart customers by embedding fake customer service numbers into shared shopping lists on the Walmart website. Victims are tricked into calling a fraudulent call center, where scammers claim their accounts were involved in illegal activity and threaten arrest unless money is transferred to a Bitcoin wallet. The scam escalates with demands for personal and financial information. Walmart has been informed of the scam, and users are urged to avoid clicking on suspicious ads and be cautious when engaging with unfamiliar customer service numbers.

CISA adds five critical items to its known exploited vulnerabilities list. 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about five critical vulnerabilities in widely used software, urging organizations to apply patches or discontinue affected products by October 9, 2024. Key vulnerabilities include flaws in Apache HugeGraph-Server, Microsoft SQL Server Reporting Services, Windows Task Scheduler, Oracle JDeveloper, and Oracle WebLogic Server, all of which could allow remote attackers to execute arbitrary code or escalate privileges. Immediate action is recommended to mitigate these serious security risks.

Craigslist founder will donate $100 million to strengthen US cybersecurity. 

Craig Newmark, founder of Craigslist, plans to donate $100 million to strengthen U.S. cybersecurity, targeting infrastructure protection and public education on basic cybersecurity measures like password management and software updates. Newmark believes the U.S. is vulnerable to foreign cyberattacks, especially on critical infrastructure, and aims to support those defending it. Part of his donation will fund initiatives like training cybersecurity volunteers and supporting child internet safety. This pledge is part of his broader philanthropic efforts to give away most of his wealth, which has surpassed $400 million since 2015.

We’ve got a guest from our sister podcast T-Minus Space Daily today. Host Maria Varmazis speaks with Victoria Samson, Chief Director, Space Security and Stability for Secure World Foundation. We’ll be right back.

Welcome back. You can learn more about space sustainability in our show notes. Please check out T-Minus Space Daily wherever you get your podcasts.  

Cybercriminals fall prey to the very infostealers they rely on. 

And finally, cybercriminals might want to rethink downloading cracked software, as they’re unknowingly exposing themselves to researchers and law enforcement through infostealer malware. Joseph Cox at 404 Media looks at a recent case where researchers at Hudson Rock uncovered key information on Mujtaba and Mohsin Raza, two fugitives from the FBI’s Most Wanted list, using data harvested by infostealers. These malware infections, likely caused by running cracked versions of popular software, capture everything from passwords to browsing histories and even screenshots. The Razas allegedly ran an illegal business selling fake IDs, and the malware logs revealed credentials linked to their operations. Ironically, the criminals are victims of their own trade, falling prey to the very malware they rely on to exploit others. Researchers are leveraging this data flood to unmask identities, proving that sometimes, even hackers can’t escape their own tactics. Hudson Rock also identified other associates involved, further expanding the case. It’s clear: when criminals play with malware, they risk exposing themselves just as much as their targets!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Programming notes: 

Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.