Jul 26 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s all about that bass 🎣
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳
Congrats to CrowdStrike (🙈 better late than never!!), the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨🚨 CrowdStrike Chaos: Exploited by Cybercriminals! 🔥
CrowdStrike faces backlash for a botched update that caused global IT disruptions. Cybercriminals are exploiting this chaos, distributing the Remcos RAT under the guise of a hotfix to Latin American customers. The attack uses a ZIP file named "crowdstrike-hotfix.zip" with a malicious loader and Spanish instructions, targeting vulnerable systems (World Economic Forum).
💥 Massive Windows Crash
A faulty update to CrowdStrike's Falcon platform triggered a Blue Screen of Death, affecting 8.5 million Windows devices globally. Microsoft and CrowdStrike are collaborating on remediation, but the incident highlights the risks of relying on monocultural supply chains (World Economic Forum).
⚠️ Typosquatting Domains and Scams
Threat actors have quickly set up fake CrowdStrike domains, offering fraudulent services for cryptocurrency payments. Users are urged to only communicate through official channels to avoid falling victim to these scams.
📈 Broader Impact and Recovery
While a significant number of affected devices are back online, the incident's scale emphasizes the interconnected nature of today's tech ecosystem. CrowdStrike and Microsoft continue to provide tools and guidance to affected customers.
Stay vigilant and update securely! 🛡️💻✨
Now, on to this week’s hottest cybersecurity news stories:
🍜 N. Korean indicted by U.S. DoJ for ransomware attacks on hospitals 🏥
🍺 German CrowdStrike customers are being targeted by phishing scams 🎣
🗑️ Meta removes 63,000 Nigerian sextortion scam Instagram accounts 🤳
🚨 North Korean Operative Indicted for Ransomware Attacks on U.S. Healthcare 🏥
The U.S. Department of Justice has unsealed an indictment against a North Korean military intelligence operative, Rim Jong Hyok, for ransomware attacks targeting U.S. healthcare facilities. These attacks funnelled payments to support further cyber intrusions into defence, technology, and government entities worldwide.
🕵️‍♂️ Ransomware and Laundering
Rim Jong Hyok and his associates used ransomware to extort hospitals and health care companies in the U.S., laundering the proceeds to fund North Korea's illicit activities. This dangerous activity placed innocent lives at risk, according to FBI deputy director Paul Abbate.
💰 Reward and Arrests
The U.S. Department of State has announced a reward of up to $10 million for information leading to Hyok's location or the identification of others involved. Hyok, part of the Andariel hacking group, has been linked to cyberattacks using the Maui ransomware against organisations in Japan and the U.S.
🌐 Global Reach
Ransom payments were laundered through Hong Kong-based facilitators, converted into Chinese yuan, and withdrawn from ATMs to procure virtual private servers for further cyber operations. Targets included U.S. Air Force bases, NASA-OIG, and defence contractors in South Korea and Taiwan.
💾 Stolen Data and Seized Assets
A notable attack in November 2022 resulted in the exfiltration of over 30 gigabytes of data from a U.S. defence contractor. The U.S. authorities have seized $114,000 in virtual currency from ransomware attacks and related transactions.
🔓 Sophisticated Techniques
Andariel, part of North Korea's Reconnaissance General Bureau, has a track record of attacking businesses and government entities to steal sensitive information. Their methods include exploiting known security flaws, using custom malware, phishing emails, and leveraging native system tools for reconnaissance and data exfiltration.
🔧 Persistent Threat
Microsoft has described Andariel as a persistent threat with an evolving toolkit, capable of bypassing detection and targeting sectors crucial to North Korean intelligence interests. The group's tools include malware like TigerRAT, SmallTiger, LightHand, ValidAlpha, and Dora RAT.
🛡️ Strategic Cyber Operations
Andariel and other North Korean hacking groups, like Lazarus Group and Kimsuky, blur the lines between intelligence gathering and revenue generation through cybercrime. North Korea's strategic adoption of cyber capabilities supports both illicit revenue generation and intelligence operations.
Ever wonder how your cybersecurity measures stack up against your peers?
With Critical Start's Quick Start Risk Assessments, you're just 15 questions away from discovering how your organization’s security compares with industry standards.
It's a quick, free way to find your strengths and get actionable steps to improve your defenses, so you can set yourself apart as a cybersecurity leader.
Why wait? Take the assessment and up your security game in minutes!
Best for: Organizations with 500+ employees.
CrowdStrike has raised an alarm about an unknown threat actor leveraging the recent Falcon Sensor update mishap to distribute malicious installers targeting German customers in a highly targeted spear-phishing campaign.
🎣 Spear-Phishing Attack
On July 24, 2024, CrowdStrike identified a spear-phishing attempt distributing a fake CrowdStrike Crash Reporter installer via a website impersonating a German entity. This site, created on July 20, exploited the aftermath of an update that crashed nearly 9 million Windows devices globally.
📥 Malicious Installer
The fake website uses JavaScript masquerading as jQuery to download and deobfuscate the installer, which features CrowdStrike branding and German localization. The installer is password-protected, suggesting it targets specific entities with insider knowledge. The final payload remains unrecovered.
🕵️‍♂️ Operations Security
The threat actor demonstrated high operational security, registering a subdomain under it[.]com to prevent historical domain analysis and encrypting installer contents to hinder further investigation. These anti-forensic techniques complicate attribution.
📧 Broader Phishing Campaign
This incident coincides with other phishing attacks exploiting the Falcon update issue:
Phishing domain crowdstrike-office365[.]com: Hosting rogue archive files with an MSI loader executing Lumma, a commodity information stealer.
ZIP file "CrowdStrike Falcon.zip": Contains Connecio, a Python-based information stealer collecting system data and web browser information, exfiltrated to SMTP accounts via Pastebin.
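The lookalike domains in this story (and the typosquats mentioned in the CrowdStrike outage item above) are the kind of thing a defender can catch in DNS logs before a user ever reaches the fake installer. The script below is an added example written for this newsletter, not code from CrowdStrike or from any of the reports it summarises. It re-fangs the indicator quoted above (crowdstrike-office365[.]com), flags any queried name that contains the brand string or a near-miss spelling of it, and skips an allowlist. The allowlist contents, the edit-distance threshold of 2, and the DNS log lines are all constructed assumptions for the example.

```python
import re

BRAND = "crowdstrike"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Assumption for this example: the vendor's own domain is the only legitimate root.
ALLOWLIST = {"crowdstrike.com"}

# Indicator quoted in the newsletter, re-fanged so it matches raw log data.
KNOWN_BAD = {refang("crowdstrike-office365[.]com")}

# Constructed sample DNS query log lines; not real traffic.
SAMPLE_LOG = """\
2024-07-22T09:14:03Z client=10.0.4.17 query=falcon.crowdstrike.com type=A
2024-07-22T09:14:09Z client=10.0.4.17 query=crowdstrike-office365.com type=A
2024-07-22T09:15:41Z client=10.0.7.3 query=crowdstrlke-hotfix.com type=A
2024-07-22T09:16:02Z client=10.0.7.3 query=www.example.org type=A
2024-07-22T09:17:55Z client=10.0.2.9 query=crowdstrike.com.support-login.xyz type=A
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough here that a full DP table is unnecessary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Return one of: allowlisted, known-bad, lookalike, clean."""
    d = domain.lower().rstrip(".")
    # Exact allowlisted root or a subdomain of it (falcon.crowdstrike.com).
    if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
        return "allowlisted"
    if d in KNOWN_BAD:
        return "known-bad"
    # Look at every hyphen-separated chunk of every label, so both
    # 'crowdstrlke-hotfix.com' and 'crowdstrike.com.support-login.xyz' are caught.
    for label in d.split("."):
        for chunk in label.split("-"):
            if chunk == BRAND:
                return "lookalike"
            # Only compare chunks of roughly the brand's length to avoid
            # short words accidentally landing within the distance threshold.
            if len(chunk) >= len(BRAND) - 2 and levenshtein(chunk, BRAND) <= 2:
                return "lookalike"
    return "clean"


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (domain, verdict) for every non-clean, non-allowlisted query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict not in ("clean", "allowlisted"):
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10s} {domain}")
```

Run as-is it reports the known indicator, the one-letter typosquat, and the name that buries the real domain inside a longer hostname, while leaving the genuine Falcon subdomain alone. In production you would swap the constructed log for your resolver's query log and replace the naive allowlist with your organisation's actual list of sanctioned vendor domains.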
🛡️ CrowdStrike’s Response
CrowdStrike CEO George Kurtz announced that 97% of affected Windows devices are now operational, apologising for the disruption caused by the outage. "While I can't promise perfection, I can promise a response that is focused, effective, and with a sense of urgency," he said.
Chief security officer Shawn Henry acknowledged the impact: "The confidence we built over the years was lost in hours. We are committed to re-earning your trust."
📊 Traffic Analysis
Bitsight's analysis revealed unusual traffic patterns before and after the outage, suggesting a possible correlation between a traffic spike on July 16 and the outage on July 19. This warrants further investigation to understand the root cause and potential links.
🌐 Stay Vigilant
As cyber threats evolve, it's crucial to remain vigilant. CrowdStrike's ongoing commitment to protecting its users underscores the importance of robust cybersecurity practices and swift responses to emerging threats.
Meta Platforms recently removed around 63,000 Instagram accounts in Nigeria linked to financial sextortion scams. Among these, a coordinated network of 2,500 accounts tied to 20 individuals was identified, primarily targeting adult men in the U.S. with fake accounts. Any accounts attempting to target minors were reported to the National Center for Missing and Exploited Children (NCMEC).
🌐 Additional Actions by Meta
In a separate operation, Meta removed 7,200 assets including 1,300 Facebook accounts, 200 Pages, and 5,700 Groups. These were used to recruit and train new scammers, selling scripts and guides for scamming, and sharing photos for fake accounts. This cluster was linked to the cybercrime group Yahoo Boys, known for sextortion attacks on teenagers in Australia, Canada, and the U.S.
📉 Impact and Measures
Bloomberg reports have highlighted suicides related to sextortion scams, where scammers pose as teenage girls to lure victims into sending explicit photos, which are then used for blackmail. Meta has introduced new methods to identify and prevent sextortion accounts from interacting with teens.
🚔 Global Law Enforcement Operations
INTERPOL's Jackal III operation targeted West African organised crime groups like Black Axe, leading to 300 arrests, identification of over 400 suspects, and the seizure of $3 million in illegal assets. This operation spanned 21 countries and aimed to dismantle syndicates involved in cyber fraud, human trafficking, drug smuggling, and violent crimes.
🔍 Broader Law Enforcement Actions
Recent global efforts to combat cybercrime include:
Vyacheslav Igorevich Penchukov: Sentenced to nine years for his role in the Zeus and IcedID malware operations.
Ukrainian Cyber Police: Arrested two individuals linked to financial theft attacks, causing losses of $145,000.
Spain's La Guardia Civil: Arrested three members of NoName057(16) involved in denial-of-service attacks against public institutions and NATO countries.
U.K. National Crime Agency (NCA): Took down digitalstress[.]su, a DDoS-for-hire service, as part of Operation PowerOFF.
🛡️ Meta’s Commitment
Meta continues to enhance its defences against evolving criminal tactics, aiming to protect its users from the devastating impacts of financial sextortion and other cybercrimes.
That’s all for this week, folks! 🥂
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!