The CyberWire Daily Podcast 10.4.24
Ep 2163 | 10.4.24

Caught red-handed.

Transcript

Interpol arrests eight in an international cybercrime crackdown. A MedusaLocker variant targets financial organizations. Cloudflare mitigates a record DDoS attempt. Insights from the Counter Ransomware Initiative summit. FIN7 uses deepnudes as a lure for malware. Researchers discovered critical vulnerabilities in DrayTek routers. CISA issues urgent alerts for products from Synacor and Ivanti. A former election official gets nine years in prison for a voting system data breach. Microsoft and the DOJ seize domains used by Russia’s ColdRiver hacking group. On our Industry Voices segment, we are joined by Eric Olden, Founder and CEO of Strata Identity, to learn how the modern enterprise can orchestrate the 7 A's of identity security to achieve zero trust. Harvard students demonstrate glasses that can see through your privacy.

Today is Friday, October 4th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Interpol arrests eight in an international cybercrime crackdown. 

Interpol announced the arrest of eight suspected cybercriminals in Côte d’Ivoire as part of an international operation targeting cybercrime. The group was involved in large-scale phishing scams that defrauded Swiss citizens of over $1.4 million. They used QR codes to direct victims to fake websites, where they collected sensitive information like login details and card numbers. The investigation, part of Interpol’s ongoing Contender 2.0 operation, led to the arrest of the main suspect, who confessed to making over $1.9 million from the scheme. Five additional suspects were caught at the same location, conducting similar activities. Contender 2.0 targets various cybercrimes, including business email compromise (BEC) and romance scams in West Africa. In a related case, a dual Nigerian-U.K. citizen was sentenced to seven years in U.S. prison for defrauding a North Carolina university and attempting to steal millions from Texas entities through BEC schemes.

A MedusaLocker variant targets financial organizations. 

Cisco Talos has observed a financially motivated threat actor using the “BabyLockerKZ” ransomware variant, a version of MedusaLocker, to target global organizations. Active since at least 2022, the group initially focused on European countries but shifted to South America in 2023, doubling the number of victims to about 200 IPs compromised monthly. By early 2024, attack volumes had decreased. The group uses publicly available tools like HRSword and Advanced Port Scanner to disable security measures and map internal networks. They also deploy custom tools like “Checker” to automate credential management and streamline lateral movement. The attackers store tools in common system folders and are believed to be working as an initial access broker or an affiliate of a ransomware cartel. Cisco assesses the group as financially motivated with medium confidence.

Cloudflare mitigates a record DDoS attempt. 

Cloudflare successfully mitigated a massive distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and 2.14 billion packets per second (PPS), surpassing the previous records from 2021. The attack, part of a month-long campaign starting in September 2024, involved over 100 volumetric DDoS attacks, many exceeding 3 Tbps, and primarily originated from Vietnam, Russia, Brazil, Spain, and the U.S. The attackers used a botnet of hijacked devices, including Asus routers, exploiting a critical vulnerability. Cloudflare’s advanced traffic analysis and global server network effectively mitigated the attack, ensuring minimal disruption for customers across industries like finance and telecommunications. 

Speaking of DDoS, a vulnerability in the Common Unix Printing System (CUPS), identified as CVE-2024-47176, can be exploited for distributed denial-of-service (DDoS) attacks with a 600x amplification factor, according to Akamai researchers. The flaw, found in the cups-browsed daemon, allows attackers to send a single malicious UDP packet, tricking CUPS servers into generating large IPP/HTTP requests that overwhelm both the server and the target. Around 58,000 vulnerable servers could be exploited for DDoS attacks. Admins are urged to patch systems or disable the cups-browsed service.
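The cups-browsed exposure described above comes down to one question for a defender: is that daemon's UDP/631 listener reachable from anything other than loopback? The following audit script is an added example, not code from the episode, Akamai or the CUPS project. It parses the text of `ss -ulnp` so the logic can be exercised on constructed sample lines (the SAMPLE_* values are made up, not captured from a real host); with `--live` it reads the current host's listeners instead. The mitigation commands it prints assume a systemd host.

```shell
#!/bin/sh
# Added example, not part of the CyberWire episode: a read-only audit for
# the cups-browsed exposure behind CVE-2024-47176. cups-browsed listens on
# UDP/631 for printer announcements, which is the path the amplification
# abuses, so the defensive check is whether that listener is bound to a
# wildcard or non-loopback address.
#
# Parsing is done over the text of `ss -ulnp` so the function can be run on
# constructed sample lines; pass "$(ss -ulnp)" on a real host.

# Returns 0 (true) when the listener table shows cups-browsed bound to
# UDP port 631 on a wildcard or non-loopback address.
cups_browsed_exposed() {
    printf '%s\n' "$1" | awk '
        # Column 4 of ss -ulnp is Local Address:Port, column 6 the process.
        /cups-browsed/ && $4 ~ /:631$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Commands that remove the exposure when patching is not immediately
# possible (systemd hosts); printed rather than run so the audit stays
# read-only.
cups_browsed_mitigation() {
    printf '%s\n' \
        "systemctl stop cups-browsed" \
        "systemctl disable cups-browsed"
}

# Constructed sample listener lines (not captured from a real host).
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))'
SAMPLE_LOOPBACK='UNCONN 0 0 127.0.0.1:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))'
SAMPLE_OTHER='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=900,fd=12))'

# With --live the script audits the current host; otherwise it runs on the
# constructed exposed sample so it can be executed anywhere.
if [ "${1:-}" = "--live" ]; then
    LISTENERS="$(ss -ulnp 2>/dev/null)"
else
    LISTENERS="$SAMPLE_EXPOSED"
fi

if cups_browsed_exposed "$LISTENERS"; then
    echo "cups-browsed is reachable on UDP/631; apply the vendor patch or run:"
    cups_browsed_mitigation | sed 's/^/  /'
else
    echo "cups-browsed is not exposed on UDP/631."
fi
```

Run it as `sh cups_audit.sh --live` on a host you administer; without the flag it only evaluates the built-in sample. Binding cups-browsed to loopback is treated as not exposed because the amplification needs the UDP packet to arrive from the network, which is the same reasoning behind the "patch or disable" advice above.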

Insights from the Counter Ransomware Initiative summit. 

Earlier this week at the Counter Ransomware Initiative summit, global leaders discussed new strategies to combat ransomware gangs, which are known for quickly regrouping after takedowns. Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology, emphasized the need for more frequent and broader disruption operations, focusing on dismantling ransomware infrastructure and financial exchanges involved in money laundering. The summit, now involving 68 countries, also highlighted new initiatives such as a counter-ransomware fund led by USAID, enhanced guidance for ransomware victims, and a Canadian advisory panel to foster information sharing.

A key focus of the summit was the intersection of artificial intelligence and cyber defense, with presentations from government agencies and leading AI companies. Laura Galante, Director of the Cyber Threat Intelligence Integration Center, shared that ransomware attacks surged in recent years, but disruption efforts have made it harder for groups like ALPHV/Black Cat to reconstitute. The initiative welcomed 10 new member nations, including Argentina and Hungary.

FIN7 uses deepnudes as a lure for malware. 

The FIN7 hacking group has launched a network of fake AI-powered deepnude generator sites to infect users with malware. Known for cybercrime and financial fraud since 2013, FIN7 has ties to ransomware groups like DarkSide and BlackCat. Their latest operation involves websites claiming to create fake nude images using AI. Visitors are tricked into downloading malware like Lumma Stealer and Redline Stealer instead of the promised images. The sites, promoted through black hat SEO, appear legitimate but distribute malicious software that steals browser credentials, cryptocurrency wallets, and other data. The most recent round of FIN7’s fake deepnude sites has been taken down, but users who downloaded files are likely infected. FIN7 also runs parallel campaigns, distributing malware like NetSupport RAT through spoofed websites mimicking popular brands and apps like Zoom, Fortnite, and PuTTY.

Researchers discovered critical vulnerabilities in DrayTek routers. 

Forescout researchers discovered 14 vulnerabilities in DrayTek routers, including two critical flaws (CVE-2024-41592 and CVE-2024-41585). These vulnerabilities could allow attackers to take control of devices, leading to risks like cyber espionage, data theft, ransomware, and DoS attacks. Over 704,000 DrayTek routers in 168 countries are exposed online, with 75% used in commercial settings, posing significant business risks. The FBI recently dismantled a botnet exploiting DrayTek vulnerabilities, and DrayTek has since released security updates. However, no active attacks exploiting these flaws have been reported yet.

CISA issues urgent alerts for products from Synacor and Ivanti. 

CISA has issued an urgent alert regarding the active exploitation of critical vulnerabilities in Synacor’s Zimbra Collaboration (CVE-2024-45519) and Ivanti’s Endpoint Manager (EPM) (CVE-2024-29824). The Zimbra flaw allows unauthenticated remote command execution, while the Ivanti vulnerability enables SQL injection, allowing attackers to execute arbitrary code on the Core server. Although no ransomware attacks have been linked to these flaws yet, the risk is significant. CISA advises organizations to apply recommended mitigations immediately.

A former election official gets nine years in prison for a voting system data breach. 

Tina Peters, former Mesa County Colorado clerk, was sentenced to nine years in prison for her role in a significant data breach of voting system information after the 2020 election. Peters was convicted on seven felony counts related to the breach, which was fueled by false claims of election fraud. The stolen data, later posted online, revealed no evidence of fraud or vote tampering. At her sentencing, Judge Matthew Barrett condemned Peters for her actions and lack of remorse, calling her a “charlatan.” Mesa County officials reported over $1.4 million in costs due to Peters’ actions, including legal fees and disruptions to county operations. Gerald Wood, whose identity was used in the breach, expressed his anger at being deceived by Peters, who he said caused damage to election integrity both locally and nationally.

Microsoft and the DOJ seize domains used by Russia’s ColdRiver hacking group. 

Microsoft and the U.S. Department of Justice seized over 100 domains used by the Russian ColdRiver hacking group, linked to Russia’s Federal Security Service (FSB), to target U.S. government employees and nonprofits through spear-phishing attacks. Between January 2023 and August 2024, ColdRiver, also known as Seaborgium or Star Blizzard, attacked U.S. Intelligence, Defense, and Energy personnel, as well as NGOs and journalists, to steal sensitive information. Microsoft and the DOJ dismantled the group’s infrastructure, with Microsoft seizing 66 domains and the DOJ 41. The group has been active since 2017, using social engineering and OSINT for espionage, especially targeting defense and government entities after Russia’s 2022 invasion of Ukraine. The U.S. State Department sanctioned two ColdRiver members and offers rewards for information leading to other operatives.


We’ve got our Industry Voices segment next. Strata Identity’s Founder and CEO Eric Olden joins us to talk about how the modern enterprise can orchestrate the 7 A's of identity security to achieve zero trust. We’ll be right back.

Welcome back. You can find links to Strata Identity’s blog on the 7 A’s of IAM in our show notes. 

Harvard students demonstrate glasses that can see through your privacy. 

And finally, two Harvard students have created smart glasses that do what Big Tech has long avoided: using facial recognition to instantly identify strangers and pull personal information from the web. Their project, called I-XRAY, uses Meta’s Ray-Ban smart glasses, which look like ordinary eyewear. In a demo, the glasses linked to a facial recognition site, finding details like home addresses and phone numbers within minutes. Though the duo claims their aim is to raise awareness of privacy risks, the project highlights the thin line between anonymity and instant doxxing. The glasses startled test subjects, with one person saying, “How do you know my mom’s phone number?” While their code won’t be released, this project shows how easily existing technology can be weaponized for stalking or pranks.

I understand and respect the privacy concerns of this sort of technology, but at the same time, wouldn’t this be a wonderful way to avoid those awkward moments at parties and social events where you cross paths with someone who looks familiar, but you just can’t place their name?

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.