Jun 17 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that has cybercriminals on pins and needles… Like the entire English nation during last night's second half 😬⚽💥
Today's hottest cybersecurity news stories:
🕷️ UK-based Scattered Spider hacking group kingpin arrested 👮🏻‍♂️
Indian govt targeted by Pakistani hackers using DISGOMOJI 👨🏾‍💻
⚠️ Smishing scams up in Pakistan, Grandoreiro reappears in Brazil
Key Arrest in Scattered Spider Case! 🕸️ A 22-year-old British man was nabbed in Palma de Mallorca while trying to fly to Italy. This arrest is a joint effort by the FBI and Spanish Police. News broke on June 14, 2024, that this man, known as "Tyler," was linked to high-profile ransomware attacks.
SIM Swapping Scheme
Tyler, a SIM swapper, hijacked phone numbers to intercept messages and seize control of online accounts. He's believed to be Tyler Buchanan from Scotland, aka "tylerb" on Telegram.
Second Arrest in the Group
Tyler is the second Scattered Spider member arrested, following Noah Michael Urban, who was charged earlier this year for wire fraud and identity theft, stealing $800,000 from multiple victims.
Scattered Spider's Tactics 🕷️
This group, also known as 0ktapus and UNC3944, uses social engineering to infiltrate organisations. They initially focused on credential theft and SIM swapping, then pivoted to ransomware and extortion. Their methods include phishing for Okta credentials and abusing cloud utilities like Airbyte and Fivetran.
FBI Cracks Down 👮🏻‍♂️
The FBI is preparing charges against hackers from Scattered Spider, linked to over 100 attacks since May 2022.
Stay safe online!
Cyber Espionage Campaign Revealed! A suspected Pakistan-based threat actor, tracked as UTA0137, has been linked to a cyber espionage campaign targeting Indian government entities in 2024.
DISGOMOJI Malware 🖥️
Cybersecurity firm Volexity discovered that UTA0137 uses DISGOMOJI, a malware written in Golang, to infect Linux systems. This malware is a modified version of Discord-C2, using Discord for command and control (C2) with emojis!
Emoji Commands
DISGOMOJI uses emojis to send and process commands:
🏃‍♂️ – Execute command
📸 – Capture screenshot
👇 – Upload file
👈 – Upload to transfer[.]sh
☝️ – Download file
👉 – Download from oshi[.]at
🔥 – Exfiltrate files
🦊 – Zip Firefox profiles
💀 – Terminate process
👀 – Command in progress
✅ – Command complete
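A triage helper for a captured channel export of a DISGOMOJI-style C2 channel, added here as an example (not code from Volexity or from the malware): it maps the emoji listed above to their meaning so an analyst can see which completed commands moved data off the host. It assumes each operator message starts with the command emoji followed by any argument, and that the implant's 👀/✅ status shows up as reactions on that message; the sample messages are constructed.

```python
from collections import Counter

# Emoji -> command meaning, as listed in the Volexity write-up.
COMMANDS = {
    "\U0001F3C3\u200D\u2642\uFE0F": "execute command",      # runner
    "\U0001F4F8": "capture screenshot",                      # camera
    "\U0001F447": "upload file",                             # point down
    "\U0001F448": "upload to transfer.sh",                   # point left
    "\u261D\uFE0F": "download file",                         # point up
    "\U0001F449": "download from oshi.at",                   # point right
    "\U0001F525": "exfiltrate files",                        # fire
    "\U0001F98A": "zip Firefox profiles",                    # fox
    "\U0001F480": "terminate process",                       # skull
}
# Reactions the implant adds to a command message to report status (eyes, check mark).
STATUS = {"\U0001F440": "in progress", "\u2705": "complete"}
# Commands that move data off the host, prioritised in triage.
EXFIL = {"capture screenshot", "upload file", "upload to transfer.sh", "exfiltrate files", "zip Firefox profiles"}

def decode_message(msg):
    """Decode one message: leading emoji = command, rest = argument, reactions = status (assumed layout)."""
    content = msg["content"]
    cmd, arg = "unknown", content
    # Try the multi-codepoint runner emoji before the single-codepoint ones.
    for emoji in sorted(COMMANDS, key=len, reverse=True):
        if content.startswith(emoji):
            cmd, arg = COMMANDS[emoji], content[len(emoji):].strip()
            break
    seen = [STATUS[r] for r in msg.get("reactions", []) if r in STATUS]
    return {"ts": msg["ts"], "command": cmd, "arg": arg,
            "status": seen[-1] if seen else "not acknowledged",
            "exfil": cmd in EXFIL}

def triage(messages):
    """Decoded timeline plus counts of completed commands and completed exfil actions."""
    timeline = [decode_message(m) for m in messages]
    done = [e for e in timeline if e["status"] == "complete"]
    return {"timeline": timeline,
            "completed": dict(Counter(e["command"] for e in done)),
            "exfil_events": sum(e["exfil"] for e in done)}

# Constructed sample channel export (not real traffic); emoji written as escapes.
SAMPLE = [
    {"ts": "2024-06-10T09:01:00Z", "content": "\U0001F3C3\u200D\u2642\uFE0F id; uname -a", "reactions": ["\U0001F440", "\u2705"]},
    {"ts": "2024-06-10T09:02:30Z", "content": "\U0001F4F8", "reactions": ["\u2705"]},
    {"ts": "2024-06-10T09:04:10Z", "content": "\U0001F98A", "reactions": ["\U0001F440", "\u2705"]},
    {"ts": "2024-06-10T09:05:00Z", "content": "\U0001F525", "reactions": ["\U0001F440"]},
    {"ts": "2024-06-10T09:06:00Z", "content": "\U0001F480", "reactions": []},
]
```

Running `triage(SAMPLE)` on the constructed export yields three completed commands, two of which (screenshot, zipped Firefox profiles) are exfil actions, while the file exfiltration is still in progress and the kill command was never acknowledged.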
Spear-Phishing Attacks
The campaign starts with spear-phishing emails containing a Golang ELF binary in a ZIP file. This binary downloads a lure document and the DISGOMOJI payload.
Advanced Tactics 🛠️
UTA0137 uses tools like Nmap, Chisel, and Ligolo for network scanning and tunnelling. They've also exploited the DirtyPipe flaw (CVE-2022-0847) for privilege escalation.
Social Engineering
Attackers used Zenity to display fake Firefox update prompts, tricking users into giving up their passwords. DISGOMOJI has evolved, adding persistence, dynamic credential fetching, and analysis evasion.
Ongoing Threat ⚠️
"The attacker successfully managed to infect several victims with DISGOMOJI," Volexity said, noting continuous improvements in the malware's capabilities. Stay vigilant!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
New Target: Pakistan Post 🇵🇰✉️ The Smishing Triad, a notorious cybercrime group, has expanded its reach to Pakistan, targeting mobile carrier customers through iMessage and SMS. Their goal? Steal personal and financial info by posing as Pakistan Post.
Fake Delivery Alerts
Resecurity reports that these Chinese-speaking threat actors use stolen databases from the dark web. They send fake package delivery messages, luring users to update their addresses via malicious links. Once clicked, users are directed to fake websites that steal their financial details.
Scam Expansion
Beyond Pakistan Post, the group has also launched scams involving TCS, Leopard, and FedEx, targeting individuals awaiting legitimate packages.
Global Cyber Threats
Meanwhile, Google has highlighted other global cyber threats:
PINEAPPLE in Brazil
This group sends tax and finance-themed spam to deploy Astaroth malware. They abuse cloud services like Google Cloud, AWS, and Azure.
UNC5176 and FLUXROOT
UNC5176 targets financial, healthcare, and retail sectors with the URSA backdoor, stealing login credentials.
FLUXROOT distributes Grandoreiro banking trojan, using cloud services like Azure and Dropbox.
Red Akodon in Colombia 🇨🇴
Active since April 2024, this actor spreads remote access trojans via phishing emails. Targets include government, health, and education sectors.
Stay vigilant and protect your information!
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!