May 16 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's got more hacks than a Comedy Central Roast
Today's hottest cybersecurity news stories:
Tornado Cash co-founder sentenced to 5 years
400k Linux servers compromised by Ebury botnet
Russia-linked Turla deploys LunarWeb, LunarMail
A Dutch court has delivered a verdict in the case of Alexey Pertsev, co-founder of the infamous Tornado Cash crypto mixer service. Pertsev has been sentenced to 5 years and 4 months in prison for his involvement in money laundering activities.
Background
The 31-year-old Russian national, Pertsev, was apprehended in Amsterdam back in 2022, shortly after the U.S. Treasury Department had sanctioned Tornado Cash. This move came as a response to the service's facilitation of criminal activities, including aiding groups like the Lazarus Group in laundering illicit proceeds.
Court's Ruling
The court's ruling emphasised Tornado Cash's failure to implement adequate measures to prevent its misuse for illegal activities. Despite Pertsev's claim that the service aimed to offer privacy solutions for the crypto community, the court held him accountable for enabling criminal endeavours.
Consequences
Alongside the prison sentence, Pertsev has been ordered to forfeit cryptocurrency assets worth a staggering €1.9 million (~$2.05 million) and a Porsche that was previously seized by authorities.
Debate Ignited
The case has ignited a fierce debate between privacy advocates and regulatory bodies. While some argue for the necessity of anonymity tools like Tornado Cash, others stress the importance of regulating such platforms to prevent exploitation by malicious actors.
Final Thoughts
The court's decision underscores the pressing need for accountability within the cryptocurrency space. It highlights the delicate balance between safeguarding user privacy and ensuring compliance with anti-money laundering regulations.
How do you keep up with the insane pace of AI? Join The Rundown, the world's largest AI newsletter that keeps you up-to-date with everything happening in AI with just a 5-minute read per day.
A malicious botnet named Ebury has wreaked havoc, compromising a staggering 400,000 Linux servers since 2009. Shockingly, over 100,000 servers remained under its control as of late 2023.
Cybersecurity Firm's Report
The findings stem from a report by Slovak cybersecurity firm ESET, which labelled Ebury as one of the most sophisticated server-side malware campaigns primarily focused on financial gains.
Intricate Operations
Security researcher Marc-Etienne M.Léveillé delved deep into the analysis, revealing that Ebury's operators engaged in various monetization activities, including spam dissemination, web traffic redirections, and credential theft.
Development and Prosecution
Ebury's history dates back over a decade, documented as part of Operation Windigo. In 2017, Russian national Maxim Senakh was sentenced to nearly four years in a U.S. prison for his involvement in the botnet's development and management.
Ebury's Arsenal
The malware employs diverse methods for infiltration, ranging from SSH credential theft to exploiting vulnerabilities like CVE-2021-45467 in Control Web Panel.
Stealth Tactics
Ebury's operators employ sophisticated techniques to evade detection, including using fake identities and compromising other perpetrators' infrastructure.
Advanced Features
Ebury acts as both a backdoor and a credential stealer, facilitating the deployment of additional payloads like HelimodSteal and HelimodRedirect, among others.
Enhanced Concealment
Recent versions of Ebury introduce new obfuscation techniques and userland rootkit functionality to better conceal its presence.
Monetization Methods
The compromised servers serve as a hub for various illicit activities, from credit card data theft to cryptocurrency hijacking and spamming.
Global Impact
Ebury's reach extends across 34 countries, targeting over 200 servers and more than 75 networks between February 2022 and May 2023.
Countermeasures
Combatting Ebury requires a multi-pronged approach, including regular security updates, robust authentication measures, and vigilant monitoring for suspicious activities.
An unnamed European Ministry of Foreign Affairs and its three diplomatic outposts in the Middle East fell victim to a sophisticated cyberattack orchestrated by previously undocumented backdoors known as LunarWeb and LunarMail.
Turla Strikes Again
ESET, a cybersecurity firm, linked this activity with medium confidence to Turla, a Russia-aligned cyberespionage group notorious for its advanced tactics and strategic overlaps with past campaigns.
LunarWeb: Silent Saboteur
LunarWeb lurks on servers, camouflaging its command-and-control communications within HTTP(S) traffic. Its modus operandi involves mimicking legitimate requests, rendering detection a formidable challenge.
LunarMail: Stealthy Infiltrator
On the workstation front, LunarMail manifests as an Outlook add-in, utilising email channels for its command-and-control communications. Its clandestine nature facilitates prolonged stealth operations.
Long-standing Threat Actor
Turla, affiliated with Russia's Federal Security Service (FSB), has been a persistent menace since at least 1996, targeting diverse sectors such as government, military, and research.
Intrusion Vectors
While the exact entry point remains elusive, suspicions point towards spear-phishing and potential exploitation of misconfigured Zabbix software, indicative of Turla's multifaceted approach to infiltration.
Intricate Attack Chain
ESET's analysis unravelled a complex attack chain, unveiling LunarLoader and LunarWeb's deployment through ASP.NET web pages and malicious Word documents, respectively.
Operational Insights
LunarWeb conducts reconnaissance and executes commands cleverly embedded within image files, while LunarMail leverages Outlook to maintain stealth and execute malicious actions.
The discovery of LunarWeb and LunarMail underscores the persistent threat posed by Turla, emphasising the critical need for heightened cybersecurity vigilance and robust defence measures.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!