Taking aim at cybercrime.
Smashing cybercrime syndicates. CyberVolk goes global. Tech troubles mostly resolved. A malware web weaved by Salt Typhoon targets global sectors. Love at first exploit. Ransomware attack on Blue Yonder brews trouble. Google faces a UK court battle. Lateral moves and lost data. I sit down with Clemence Poirier, Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich, to discuss cybersecurity attacks in space. And finally, a cybersecurity sales pitch goes rogue.
Today is November 26th, 2024. I’m Maria Varmazis, host of the T-Minus Space Daily podcast, in for Dave Bittner. And this is your CyberWire Intel Briefing.
Bangkok busts SMS Blaster sending 1 million scam texts from a van (Bleeping Computer)
Police bust two Chinese syndicates (Bangkok Post)
Smashing cybercrime syndicates.
Thai authorities dismantled two sophisticated Chinese-operated cybercrime syndicates responsible for extensive fraudulent activities. The first syndicate utilized over 10,000 phone numbers with Bangkok's 02 area code to execute more than 700 million scam calls within three days, promoting fraudulent investment schemes. Investigations revealed connections to three companies linked to Chinese nationals, leading to arrest warrants for 24 suspects, including nine foreigners and 15 Thais, with ten individuals apprehended.
Concurrently, police arrested a 35-year-old Chinese national operating an SMS blaster from a van in Bangkok's Sukhumvit area. Over a three-day period, the device, which could send 100,000 texts per hour to phones within a three-kilometer radius, transmitted nearly one million phishing messages. The fraudulent messages, impersonating Advanced Info Service (AIS), urged recipients to redeem expiring points via a provided link, leading to a phishing site designed to harvest credit card information for unauthorized transactions abroad.
'CyberVolk' hacktivists use ransomware in support of Russian interests (The Record)
CyberVolk goes global.
CyberVolk, a hacktivist group with possible Indian origins, has been active since at least March 2024, targeting state and public entities in nations opposing Russian interests. Initially known as Gloriamist India, the group rebranded to CyberVolk and has claimed responsibility for compromising critical infrastructure in Japan, France, and the U.K. Unlike typical hacktivist groups that primarily conduct distributed denial-of-service (DDoS) attacks, CyberVolk employs ransomware and information-stealing malware. Their ransomware, derived from leaked source code of the pro-Russia group AzzaSec, demands $1,000 in cryptocurrency, with victims instructed to pay within five hours. CyberVolk's adaptability in utilizing various ransomware families, including HexaLocker and Parano, underscores the dynamic nature of affiliations among hacktivist groups.
Microsoft says massive Outlook and Teams outage is mostly resolved (CNN)
Tech troubles mostly resolved.
Yesterday, November 25, 2024, Microsoft 365 services, including Outlook and Teams, experienced a significant outage affecting users globally. Reports indicated difficulties accessing emails, loading calendars, and opening applications like PowerPoint. Microsoft acknowledged the issues, attributing them to a recent change impacting Exchange Online and Teams calendar functionalities. By noon ET, the company reported resolving issues in approximately 98% of affected environments, though some recovery efforts faced delays. Microsoft expressed understanding of the event's significant impact on businesses and committed to providing relief as swiftly as possible.
British hospital group declares ‘major incident’ following cyberattack (The Record)
NHS declares major cyber incident for third time this year (The Register)
Cyberstorm strikes NHS.
On November 26, 2024, Wirral University Teaching Hospital NHS Trust in northwest England declared a "major incident" due to a cyberattack affecting its entire network, including Arrowe Park, Clatterbridge, and Wirral Women and Children's Hospitals. This breach led to the cancellation of all outpatient appointments and a directive for the public to use emergency services only for genuine emergencies. This marks the third significant cyber incident targeting NHS units this year, following previous attacks that disrupted services and compromised patient data. The Trust has implemented business continuity processes and is collaborating with cybersecurity experts to investigate and mitigate the breach.
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions (Trend Micro)
A malware web weaved by Salt Typhoon targets global sectors.
Trend Micro has published a report on a new strain of malware used by the Chinese state-sponsored threat actor Earth Estries (also known as "Salt Typhoon") to target Southeast Asian telecommunications companies. The malware, dubbed "GHOSTSPIDER," is "a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific purposes." The backdoor is used alongside the DEMODEX rootkit for long-term espionage operations.
In addition to telecommunications companies, the group has targeted entities in the technology, consulting, chemical, and transportation sectors, as well as government agencies and NGOs. Trend Micro says the campaign compromised more than twenty organizations across Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the United States, and Vietnam. The researchers note that most of the victims had been compromised for several years.
RomCom exploits Firefox and Windows zero days in the wild
Love at first exploit.
ESET warns that the RomCom threat actor exploited a critical zero-day affecting Mozilla products to install malware. The vulnerability (CVE-2024-9680) was assigned a CVSS score of 9.8, and "allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser." RomCom chained this flaw with a Windows zero-day (CVE-2024-49039) to deliver malware via malicious web pages, with no user interaction required. Both vulnerabilities have since been patched.
RomCom is a Russia-aligned threat actor that conducts espionage alongside cybercrime operations.
Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack (SecurityWeek)
Ransomware attack on Blue Yonder brews trouble.
In an update to a story we are following this week: On November 21, 2024, supply chain management software provider Blue Yonder experienced a ransomware attack that disrupted its managed services hosted environment. This incident affected several major clients, including Starbucks and UK supermarket chains Morrisons and Sainsbury's. Starbucks faced challenges in paying baristas and managing employee schedules, while Morrisons and Sainsbury's encountered disruptions in their supply chains. Blue Yonder has engaged a cybersecurity firm to assist in investigating and restoring impacted services but has not provided a specific timeline for full recovery.
Google hit with £7B claim over search engine dominance (The Register)
Google faces a UK court battle.
Google is facing a £7 billion ($8.8 billion) class-action lawsuit in the UK, alleging that the company abused its dominance in the search engine market. The claim, led by consumer rights advocate Nikki Stopford, asserts that Google's practices—such as requiring Android device manufacturers to pre-install Google Search and Chrome, and paying Apple to make Google the default search engine on Safari—have stifled competition. This lack of competition purportedly led to higher advertising costs, which were then passed on to consumers. The UK's Competition Appeal Tribunal has allowed the case to proceed, marking a significant legal challenge for Google in the UK.
CISA Details Red Team Assessment including TTPs & network defense (GB Hackers)
Lateral moves and lost data.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive report detailing a red team assessment conducted on a critical infrastructure organization. This assessment aimed to evaluate the organization's cybersecurity posture by simulating real-world attack scenarios. Key findings from the report include:
- Initial Access: The red team gained access through spear-phishing emails, highlighting the need for robust email security measures.
- Privilege Escalation: Exploiting misconfigurations, the team escalated privileges, underscoring the importance of proper system configurations.
- Lateral Movement: The team moved laterally across the network using compromised credentials, emphasizing the necessity for strong access controls.
- Data Exfiltration: Sensitive data was exfiltrated without detection, indicating gaps in monitoring and data loss prevention strategies.
CISA recommends organizations implement multi-factor authentication, conduct regular security training, and continuously monitor network activity to mitigate such vulnerabilities. This report serves as a critical resource for organizations aiming to strengthen their cybersecurity defenses.
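Two of the findings above, lateral movement with compromised credentials and exfiltration that nobody noticed, come down to monitoring gaps. The following is an added illustration, not code from the CyberWire briefing or from CISA's report, of the kind of simple detection logic a defender can run over authentication and network logs. The log lines, the user names, the host names, the log format and the alert thresholds (more than three distinct hosts reached with one credential inside 15 minutes; outbound volume above five times a 50 MB baseline) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): authentication events and
# outbound transfers for two users over one morning. Format is an assumption.
SAMPLE_LOGS = """\
2024-11-20T09:00:05 auth user=alice src=ws-03 dst=mail-01 result=success
2024-11-20T09:01:12 auth user=alice src=ws-03 dst=fs-01 result=success
2024-11-20T09:12:01 auth user=svc_backup src=ws-17 dst=fs-01 result=success
2024-11-20T09:13:44 auth user=svc_backup src=ws-17 dst=fs-02 result=success
2024-11-20T09:14:09 auth user=svc_backup src=ws-17 dst=db-01 result=failure
2024-11-20T09:14:30 auth user=svc_backup src=ws-17 dst=db-01 result=success
2024-11-20T09:16:02 auth user=svc_backup src=ws-17 dst=dc-01 result=success
2024-11-20T09:40:00 net user=alice src=ws-03 dst=198.51.100.20 bytes_out=2400000
2024-11-20T09:45:00 net user=svc_backup src=ws-17 dst=203.0.113.7 bytes_out=850000000
2024-11-20T09:50:00 net user=svc_backup src=ws-17 dst=203.0.113.7 bytes_out=910000000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    event.update(dict(KV_RE.findall(rest)))
    return event


def parse_logs(text):
    """Parse every line, dropping the ones that do not parse."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect_lateral_movement(events, window=timedelta(minutes=15), max_hosts=3):
    """Flag a credential that successfully authenticated to more than max_hosts
    distinct hosts inside any sliding window. Returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e.get("result") == "success":
            by_user[e["user"]].append((e["ts"], e["dst"]))
    alerts = {}
    for user, auths in by_user.items():
        auths.sort()  # chronological order so the window scan is simple
        for i, (ts, _) in enumerate(auths):
            hosts = {dst for t, dst in auths[: i + 1] if ts - t <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


def detect_exfiltration(events, baseline_bytes=50_000_000, multiplier=5):
    """Flag a user whose total outbound bytes exceed multiplier x baseline.
    Returns {user: total_bytes} for the users that crossed the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["kind"] == "net":
            totals[e["user"]] += int(e["bytes_out"])
    return {u: b for u, b in totals.items() if b > baseline_bytes * multiplier}


def run(text=SAMPLE_LOGS):
    """Run both detections over the log text and return their alerts."""
    events = parse_logs(text)
    return {
        "lateral": detect_lateral_movement(events),
        "exfil": detect_exfiltration(events),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the constructed sample the service account is flagged by both rules: it reached four hosts within a few minutes and then pushed roughly 1.7 GB out, while the ordinary user trips neither. A real deployment would derive the baseline per user from historical data rather than hard-coding it, but the structure of the checks is the same.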
Today, our guest is Clemence Poirier, Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich. Clemence and I recently spoke about cybersecurity attacks in space. Following the interview, get some tips on how NOT to convince prospective customers to engage your security services. We’ll be right back.
Welcome back. You can find a link to the case study Clemence discussed in our show notes.
Cybersecurity sales pitch gone rogue.
DOJ: Man hacked networks to pitch cybersecurity services (Bleeping Computer)
In a bizarre mix of cybercrime and self-promotion, Kansas City’s Nicholas Kloster faces federal charges for allegedly hacking multiple organizations to pitch his cybersecurity services. The Department of Justice alleges Kloster breached a gym, a nonprofit, and a former employer, leaving behind a trail of audacity and damages. At the gym, Kloster reportedly bypassed security cameras and routers to access systems. He then emailed the owner, offering his services to fix the vulnerabilities he exploited. Not stopping there, he reduced his gym membership fee to $1, deleted his profile, and took a staff name tag—before flaunting the gym’s compromised cameras on social media. Weeks later, he allegedly struck a nonprofit, using a boot disk to bypass authentication, install a VPN, and change account credentials. The breach forced the nonprofit to spend $5,000 on remediation and upgrades. Kloster also reportedly used stolen credit card data from a former employer to buy hacking tools, cementing his status as a rogue "entrepreneur." While his alleged antics sound like a movie plot, Kloster faces up to 15 years in prison. His tale is a stark reminder: real cybersecurity pros don’t exploit systems—they protect them.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.