Scattered Spider mastermind arrested in Spain

Jun 17 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that has cybercriminals on pins and needles… Like the entire English nation during last night’s second half 😬⚽🥅

Today’s hottest cybersecurity news stories:

  • 🕷️ UK-based Scattered Spider hacking group kingpin arrested 👮🏻‍♂️

  • 🕌 Indian govt targeted by Pakistani hackers using DISGOMOJI 👨🏾‍💻

  • ⚠️ Smishing scams up in Pakistan, Grandoreiro reappears in Brazil 💃🏽

Our Spidey-sense is tingling 👀🕸️🕷️


🚨 Cybercrime Bust! Scattered Spider mastermind arrested in Spain 🥘

Key Arrest in Scattered Spider Case! 🕸️ A 22-year-old British man was nabbed in Palma de Mallorca while trying to fly to Italy. This arrest is a joint effort by the FBI and Spanish Police. News broke on June 14, 2024, that this man, known as "Tyler," was linked to high-profile ransomware attacks.

SIM Swapping Scheme 📲

Tyler, a SIM swapper, hijacked phone numbers to intercept messages and seize control of online accounts. He's believed to be Tyler Buchanan from Scotland, aka "tylerb" on Telegram.

Second Arrest in the Group 🚔

Tyler is the second Scattered Spider member arrested, following Noah Michael Urban, who was charged earlier this year for wire fraud and identity theft, stealing $800,000 from multiple victims.

Scattered Spider’s Tactics 🕷️

This group, also known as 0ktapus and UNC3944, uses social engineering to infiltrate organisations. They initially focused on credential theft and SIM swapping, then pivoted to ransomware and extortion. Their methods include phishing for Okta credentials and abusing cloud utilities like Airbyte and Fivetran.

FBI Cracks Down 👮🏻‍♂️

The FBI is preparing charges against hackers from Scattered Spider, linked to over 100 attacks since May 2022.

Stay safe online! 🌐🔒

DISGOMOJI goes Ballistic, Pakistan atrocious 🙃🔮🕺🏻

🚨 Pakistan-Based Hackers Target India! 🕵️‍♂️

Cyber Espionage Campaign Revealed! 🎯 A suspected Pakistan-based threat actor, tracked as UTA0137, has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

DISGOMOJI Malware 🖥️🐛

Cybersecurity firm Volexity discovered that UTA0137 uses DISGOMOJI, a malware written in Golang, to infect Linux systems. This malware is a modified version of Discord-C2, using Discord for command and control (C2) with emojis!

Emoji Commands 🐾📲

DISGOMOJI uses emojis to send and process commands:

🏃‍♂️ – Execute command

📸 – Capture screenshot

👇 – Upload file

👈 – Upload to transfer[.]sh

☝️ – Download file

👉 – Download from oshi[.]at

🔥 – Exfiltrate files

🦊 – Zip Firefox profiles

💀 – Terminate process

🕐 – Command in progress

✅ – Command complete
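As an added example (not the newsletter's or Volexity's code) of how a defender can hunt for this pattern in a Discord channel export: it flags a channel in which one account issues several of the command emoji listed above and a different account answers with the status emoji. It assumes messages are available as (author, content) pairs; the sample channel is constructed for illustration.

```python
from collections import defaultdict

# Emoji-to-command mapping as listed above for DISGOMOJI (operator -> implant).
COMMAND_EMOJI = {
    "🏃‍♂️": "execute command", "📸": "capture screenshot", "👇": "upload file",
    "👈": "upload to transfer.sh", "☝️": "download file", "👉": "download from oshi.at",
    "🔥": "exfiltrate files", "🦊": "zip Firefox profiles", "💀": "terminate process",
}
# Status emoji the implant posts back to the operator.
STATUS_EMOJI = {"🕐": "command in progress", "✅": "command complete"}

def _norm(text: str) -> str:
    """Drop variation selectors, ZWJ and gender signs so '🏃‍♂️'/'🏃' and '☝️'/'☝' compare equal."""
    return "".join(ch for ch in text if ch not in "\ufe0f\u200d\u2640\u2642")

_CMD = {_norm(k): v for k, v in COMMAND_EMOJI.items()}
_STATUS = {_norm(k): v for k, v in STATUS_EMOJI.items()}

def classify(content: str):
    """Return ('command', desc) or ('status', desc) if the message opens with a known emoji, else None."""
    text = _norm(content).lstrip()
    for table, kind in ((_CMD, "command"), (_STATUS, "status")):
        for emoji, desc in table.items():
            if text.startswith(emoji):
                return (kind, desc)
    return None

def analyse_channel(messages, min_commands=2):
    """Flag (operator, implant) pairs: one author sends >= min_commands distinct
    command emoji and a different author answers with status emoji.
    messages is an iterable of (author, content) pairs (assumed export shape)."""
    cmds, statuses = defaultdict(set), defaultdict(set)
    for author, content in messages:
        hit = classify(content)
        if hit:
            (cmds if hit[0] == "command" else statuses)[author].add(hit[1])
    findings = []
    for operator, seen in cmds.items():
        for implant, st in statuses.items():
            if implant != operator and len(seen) >= min_commands:
                findings.append({"operator": operator, "implant": implant,
                                 "commands": sorted(seen), "statuses": sorted(st)})
    return findings

# Constructed sample channel (not a real capture): one operator, one implant, one bystander.
SAMPLE_CHANNEL = [
    ("operator", "🏃‍♂️ id"), ("host-a1b2", "🕐"), ("host-a1b2", "✅ uid=1000(user)"),
    ("operator", "🦊"), ("host-a1b2", "✅ profiles.zip"),
    ("operator", "🔥 /home/user/Documents"), ("alice", "lunch? 🍕"),
]
```

The threshold keeps a single stray 🔥 or ✅ in a normal chat from firing; tune min_commands and the emoji tables to the channel volume you are reviewing.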

Spear-Phishing Attacks 💌🎣

The campaign starts with spear-phishing emails containing a Golang ELF binary in a ZIP file. This binary downloads a lure document and the DISGOMOJI payload.

Advanced Tactics 🛠️

UTA0137 uses tools like Nmap, Chisel, and Ligolo for network scanning and tunnelling. They've also exploited the DirtyPipe flaw (CVE-2022-0847) for privilege escalation.

Social Engineering 🚨🔑

Attackers used Zenity to display fake Firefox update prompts, tricking users into giving up their passwords. DISGOMOJI has evolved, adding persistence, dynamic credential fetching, and analysis evasion.

Ongoing Threat ⚠️

"The attacker successfully managed to infect several victims with DISGOMOJI," Volexity said, noting continuous improvements in the malware’s capabilities. Stay vigilant!

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Smish, smash, I was hacking a bank 💀💀💀

🚨 Smishing Triad Hits Pakistan! 📦

New Target: Pakistan Post 🇵🇰✉️ The Smishing Triad, a notorious cybercrime group, has expanded its reach to Pakistan, targeting mobile carrier customers through iMessage and SMS. Their goal? Steal personal and financial info by posing as Pakistan Post.

Fake Delivery Alerts 🚚📧

Resecurity reports that these Chinese-speaking threat actors use stolen databases from the dark web. They send fake package delivery messages, luring users to update their addresses via malicious links. Once clicked, users are directed to fake websites that steal their financial details.

Scam Expansion 📦💰

Beyond Pakistan Post, the group has also launched scams involving TCS, Leopard, and FedEx, targeting individuals awaiting legitimate packages.

Global Cyber Threats 🌐🔍

Meanwhile, Google has highlighted other global cyber threats:

PINEAPPLE in Brazil 🍍

This group sends tax and finance-themed spam to deploy Astaroth malware. They abuse cloud services like Google Cloud, AWS, and Azure.

UNC5176 and FLUXROOT 🦠🔑

  • UNC5176 targets financial, healthcare, and retail sectors with the URSA backdoor, stealing login credentials.

  • FLUXROOT distributes Grandoreiro banking trojan, using cloud services like Azure and Dropbox.

Red Akodon in Colombia 🇨🇴🐀

Active since April 2024, this actor spreads remote access trojans via phishing emails. Targets include government, health, and education sectors.

Stay vigilant and protect your information! 💻🔐

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
