Dec 07 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that can protect you from the cyberstorm, but not from Storm Darragh. UK readers beware! #RedWarning
Patch of the Week!
First things first, folks. Our weekly segment goes by many names: Patch of the Week, Tweak of the Week. Okay, that's it...
Congrats to Veeam, the cybercriminals are no match... for your patch!
Check out this freshly hatched patch:
Veeam has patched a critical flaw (CVE-2024-42448, CVSS 9.9) in its Service Provider Console (VSPC) that could allow remote code execution (RCE) on the VSPC server.
Key Details:
Exploitation requires that a management agent is authorized on the VSPC server, so an attacker first needs to control, or compromise, an authorized agent. That precondition narrows the attack surface, but it does not make the bug unreachable: a compromised tenant or agent host is a realistic starting point.
A second flaw (CVE-2024-42449, CVSS 7.1), exploitable under the same precondition, could leak the NTLM hash of the VSPC server service account and delete files on the VSPC server.
Impacted Versions:
VSPC 8.1.0.21377 and all earlier builds of versions 7 and 8.
Fixed in:
Version 8.1.0.21999
Action Required:
There are no mitigations or workarounds. Update immediately, especially as Veeam products are frequently targeted by ransomware operators who go after backup infrastructure before encrypting an environment.
Stay safe and secure your systems today!
Now, on to this week's hottest cybersecurity news stories:
UK crime agency arrests 84, seizes £20M in Operation Destabilise
Europol takes down the MATRIX invite-only criminal messaging service
Backdoor discovered in Solana's popular Web3.js npm library
The U.K. National Crime Agency (NCA) has led a large international investigation, Operation Destabilise, targeting Russian money laundering networks linked to organized crime across the U.K., the Middle East, Russia, and South America.
Major Wins:
84 arrests connected to the Smart Group and TGR Group, two Russian-speaking money laundering networks.
£20 million ($25.4M) in cash and cryptocurrency seized.
How They Operated:
Based in Moscow's Federation Tower, a known hub for money laundering.
Provided illicit financial services, including:
Laundering funds for sanctioned Russian elites.
Converting cash to cryptocurrency and vice versa.
Facilitating the purchase of property in the U.K. for Russian elites.
U.S. Treasury Steps In:
The U.S. Treasury's OFAC sanctioned five individuals and four entities tied to the TGR Group.
TGR's Role: Helping Russian elites evade sanctions, using cryptocurrency and stablecoins to move wealth in and out of Russia.
Key Player: Ekaterina Zhdanova
Head of the Smart Group.
Previously sanctioned for laundering $2.3 million in proceeds for the Ryuk ransomware group.
Allegedly supported Russian espionage operations and cybercrime syndicates.
Broader Implications:
For the first time, investigators uncovered:
A clear link between Russian elites, crypto-funded cybercriminals, and UK street-level drug gangs.
"Smart and TGR acted as a financial bridge, enabling Russian elites to bypass sanctions and access Western economies," the NCA said.
This operation highlights the role of illicit financial networks in sustaining cybercrime, espionage, and organized crime worldwide.
ย ๐จ Encrypted Messaging Service MATRIX Dismantled in Europol Operation ๐ฑ
Europol has taken down MATRIX, an encrypted messaging platform built specifically for criminal activities. The operation, codenamed Passionflower, was spearheaded by French and Dutch authorities, marking a major victory against organized crime.
๐ The Takedown:
๐ Global Reach: Over 8,000 users across the world paid $1,360โ$1,700 in cryptocurrency for MATRIX-enabled devices.
๐ฑ Authorities intercepted 2.3 million messages in 33 languages, uncovering crimes like drug trafficking, arms smuggling, and money laundering.
๐ฏ Key Arrests:
ย A 52-year-old Lithuanian identified as MATRIXโs owner and manager.
Two others apprehended in Spain, alongside seizures of โฌ145,000 in cash, โฌ500,000 in cryptocurrency, 970 phones, and more.
๐ต๏ธ Inside MATRIX:
๐ Not to be confused with matrix.org (a legit, open-source app).
๐ฑ Offered video calls, anonymous browsing, and secure transaction tracking via customized Google Pixel phones.
๐ Ran on over 40 servers worldwide, primarily in France and Germany, which have now been seized.
๐ The Bigger Picture:
Europol notes a shift in the encrypted crime landscape after the fall of other platforms like Sky ECC, EncroChat, and Ghost. Criminals are now resorting to less-established or custom-built tools, but the takedown proves authorities are keeping up with these evolving technologies.
๐ Key Takeaway:
These actions show law enforcement's growing capability to disrupt criminal tech. While new, fragmented platforms are harder to track, takedowns like these send a clear message: nowhere is safe for digital criminals.
A software supply chain attack has hit the widely used @solana/web3.js npm library, the JavaScript SDK that Solana applications use to talk to the chain. Two compromised releases, versions 1.95.6 and 1.95.7, contained code that steals private keys, putting funds at risk.
The Key Details:
What Happened? Attackers injected malicious code into the library that harvested private keys so that cryptocurrency wallets could be drained. The compromised versions were available on npm for a short window on December 2, 2024 (roughly 3:20 pm to 8:25 pm UTC) and have since been removed.
The Malicious Mechanism: The backdoor added a function named addToQueue that exfiltrated private keys, disguised as Cloudflare request headers, to a server at sol-rpc[.]xyz (now inactive).
The attack is believed to have stemmed from a phishing campaign that compromised the npm credentials of a maintainer with publish access.
Impact: Projects that handle private keys directly in code (e.g., bots and backend services that sign transactions themselves) were most affected.
Non-custodial wallets were not vulnerable, because they never expose the private key to the application during transactions.
Next Steps for Developers:
Update Now: Move to version 1.95.8 or later immediately.
Rotate Keys: If your project ran either compromised version, treat every key it handled as exposed and generate new ones; a patched dependency does not un-leak a key that was already sent out.
Be Cautious: Avoid opening suspicious emails or links, especially from unknown sources.
Broader Context:
More Attacks on Open-Source Ecosystems
Fake Solana Libraries: Another package, solana-systemprogram-utils, rerouted 2% of transactions to attacker-controlled wallets, a low rate chosen to keep the theft from being noticed.
Bogus Crypto Libraries: Fake npm packages such as crypto-keccak and crypto-jsonwebtoken have siphoned credentials and crypto wallet data.
How It Happened
The phishing campaign used a clone of the npm website to steal login credentials and 2FA codes from a maintainer. The attackers transferred $164,100 (674.86 SOL) to their wallet before the compromise was detected.
The Bigger Challenge
Security experts emphasize the fragility of trust in open-source ecosystems. Social engineering attacks often target just a few developers but can have significant financial and operational impacts.
Takeaway:
This attack underscores the importance of vigilance in the software development pipeline. Developers must:
Regularly audit dependencies, including transitive ones pulled in by other packages.
Employ robust account security (e.g., phishing-resistant hardware-based 2FA such as a FIDO2 key, which a cloned login page cannot replay).
Stay informed about potential risks in the open-source community.
Protect your code, your keys, and your wallet.
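As a practical follow-up to the "Next Steps for Developers" and "Takeaway" lists above, here is an added example (not code from the newsletter or from the @solana/web3.js project) that scans an npm lockfile for the two backdoored @solana/web3.js builds and for the look-alike package names mentioned in the article. It walks the nested tree, so a bad copy hidden under another dependency is caught too. The advisory list and the sample lockfile are constructed for this example; point it at your own package-lock.json to get real findings.

```javascript
// Added example: audit an npm lockfile for known-bad packages.
// Advisory list constructed from the article; extend it as needed.
const ADVISORY = {
  // exact versions that were published with the backdoor on 2 Dec 2024
  badVersions: { "@solana/web3.js": new Set(["1.95.6", "1.95.7"]) },
  // look-alike / typosquat names: any version is a finding
  badNames: new Set([
    "solana-systemprogram-utils",
    "crypto-keccak",
    "crypto-jsonwebtoken",
  ]),
};

// Lockfile v2/v3 keys look like "node_modules/@scope/name" or
// "node_modules/a/node_modules/b"; the package name is the part after
// the last "node_modules/".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function check(path, name, version, findings, advisory) {
  if (advisory.badNames.has(name)) {
    findings.push({ path, name, version, reason: "look-alike package name" });
  }
  const bad = advisory.badVersions[name];
  if (bad && bad.has(version)) {
    findings.push({ path, name, version, reason: "compromised version" });
  }
}

// Lockfile v1 nests transitive deps under entry.dependencies instead of
// flattening them into a "packages" map, so it needs a recursive walk.
function walkV1(deps, prefix, findings, advisory) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = prefix + name;
    check(path, name, entry.version, findings, advisory);
    if (entry.dependencies) {
      walkV1(entry.dependencies, path + "/node_modules/", findings, advisory);
    }
  }
}

// Returns every installed package that matches the advisory, with the
// install path so you can tell a direct dependency from a nested one.
function scanLockfile(lock, advisory = ADVISORY) {
  const findings = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // root project entry, not a dependency
      const name = entry.name || packageNameFromKey(key);
      check(key, name, entry.version, findings, advisory);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "node_modules/", findings, advisory);
  }
  return findings;
}

// Constructed sample lockfile (v3): the direct dependency is on the fixed
// release, but another package pins a nested copy of a backdoored build,
// and a typosquat has slipped in as well.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-trading-bot", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/crypto-keccak": { version: "1.0.2" },
  },
};

function formatReport(findings) {
  if (findings.length === 0) return "OK: no advisory matches";
  return findings
    .map((f) => `FLAG ${f.reason}: ${f.name}@${f.version} at ${f.path}`)
    .join("\n");
}

console.log(formatReport(scanLockfile(SAMPLE_LOCK)));
```

The point of scanning the lockfile rather than package.json is that a semver range like "^1.95.0" in package.json tells you nothing about which build was actually installed; only the lock records that. If any finding comes back, follow the article's advice in order: upgrade, then rotate every key the affected process could have seen.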
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!