The Good | International Law Enforcement Agencies Prosecute Crypto Criminals, Take Down Relaunched Hacking Forum
Last week, law enforcement arrested two brothers accused of stealing $25 million in cryptocurrency from the Ethereum blockchain, and seized the second incarnation of the notorious hacking forum BreachForums.
The Department of Justice has charged Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, with wire fraud and conspiracy to commit money laundering. The brothers allegedly manipulated the blockchain's transaction flow in about 12 seconds and stole $25 million worth of cryptocurrency in what prosecutors describe as a first-of-its-kind attack.
Prosecutors say they did this by tampering with the process by which transactions are validated, gaining access to pending transactions and altering them, and then refusing victims' requests to return the stolen funds. Before the attack, the brothers focused on reconnaissance, learning their victims' identities and trading behaviour. If convicted, each brother faces up to 20 years in prison on each charge.
It has been over a year since BreachForums owner and administrator Conor Brian Fitzpatrick, known as "Pompompurin", was arrested, and this week the FBI took over the forum for a second time. Working with international law enforcement partners, the FBI shut down the second edition of the BreachForums website along with the Telegram channel of Fitzpatrick's successor, Baphomet. Authorities are now examining the site's back-end data and are seeking additional information.
This edition of BreachForums, which ran from June 2023 to May 2024, operated as a clearnet marketplace where cybercriminals could buy and sell illegal contraband such as hacking tools, compromised databases, stolen access devices, and a range of illicit services. Forums and dark markets have waxed and waned many times before; organizations are reminded to keep their defenses up to protect sensitive data.
The Bad | North Korea's APT Kimsuky exploits Facebook Messenger in latest social engineering campaign
Threat actors keep finding new ways to exploit social media for cyberattacks. In a recent series of attacks, the North Korea-linked APT known as Kimsuky used fake Facebook accounts to distribute malware through Messenger. Security researchers noted that the campaign borrowed the identities of real individuals to target North Korean human rights groups and anti-North Korea activists.
Unlike traditional spear-phishing emails, this campaign uses Facebook Messenger to lure victims into opening a "private" document shared by the fake persona. The document is hosted on OneDrive and purports to relate to a trilateral summit involving Japan, South Korea, and the United States. It is an MSC file, a Microsoft Management Console console file and an uncommon delivery format, which suggests Kimsuky chose it to evade detection.
When the victim opens the MSC file, it connects to an attacker-controlled server and displays a decoy document while running background commands for persistence and data collection. The collected data is ultimately exfiltrated to a command and control (C2) server, which also records the victim's IP address, user agent string, and HTTP request timestamp before delivering the payload.
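As an added illustration (not code from the original post or from the researchers who analysed the campaign), here is a small Python triage scanner for .msc console files of the kind described above. An .msc file is an XML document that mmc.exe loads, so a lure can be inspected without opening it: the scanner walks every element, attribute and text node and flags command-line binaries, remote URLs, hidden-window switches and encoded PowerShell. The two sample console files, their element layout and the command string inside them are constructed for this example, and the rule set is a starting point rather than Kimsuky's actual indicators.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an MMC console (.msc) file. An .msc is XML read by
# mmc.exe; the element names follow the MMC console layout, but the scanner
# never relies on them: it walks every element, attribute and text node, so a
# lure that hides its command in an unexpected place is still caught.
# The command string is a made-up lure, not Kimsuky's real payload.
SAMPLE_LURE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Trilateral Summit - Background Brief</String>
        <String ID="2" Refs="1">cmd.exe /c start https://203.0.113.10/brief.docx &amp; powershell -w hidden -enc SQBFAFgA</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# A harmless console for comparison (also constructed).
SAMPLE_BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

# Each rule is (name, regex). A saved console has no business carrying any of these.
RULES = [
    ("lolbin", re.compile(
        r"\b(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin|curl)(\.exe)?\b",
        re.I)),
    ("url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("hidden_window", re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)),
]


def iter_strings(root):
    """Yield (location, text) for every text node and attribute in the document."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()
        for attr, value in elem.attrib.items():
            yield f"{elem.tag}@{attr}", value
        if elem.tail and elem.tail.strip():
            yield f"{elem.tag}(tail)", elem.tail.strip()


def scan_msc(xml_text):
    """Parse an .msc and return one finding per rule hit: (rule, location, matched text)."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "MMC_ConsoleFile":
        findings.append(("not_mmc_console", root.tag, "root element is not MMC_ConsoleFile"))
    for where, text in iter_strings(root):
        for name, pattern in RULES:
            for m in pattern.finditer(text):
                findings.append((name, where, m.group(0)))
    return findings


def is_suspicious(xml_text):
    """True when the console file carries anything a legitimate .msc should not."""
    return bool(scan_msc(xml_text))


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE_MSC), ("benign", SAMPLE_BENIGN_MSC)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for rule, where, hit in scan_msc(sample):
            print(f"  [{rule}] in <{where}>: {hit}")
```

On an endpoint, the complementary telemetry is mmc.exe spawning cmd.exe or powershell.exe, which a console file should never need; an .msc arriving via OneDrive, Messenger or e-mail is worth quarantining before anyone double-clicks it.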
Kimsuky's latest activity follows its campaigns from last year, which included ReconShark, delivered to specific individuals through spear-phishing emails; file reconnaissance and data exfiltration campaigns using the RandomQuery malware; and a social engineering campaign that stole Google and subscription credentials from readers of a popular news service focused on North Korea. North Korea-linked APTs continue to refine their social engineering attacks, which highlights the need for organizations to remain vigilant, collaborate with security partners, and invest in solutions with advanced detection capabilities.
The Ugly | New Lunar Toolset Deployed by FSB-Linked Attackers Targets European Government Agencies
This week, a report surfaced detailing intrusions into several European foreign ministries. The campaign leverages two previously unknown backdoors, both of which have been active since at least 2020.
The researchers named the backdoors "LunarWeb" and "LunarMail" and attribute the campaign with medium confidence to Turla, an APT connected to Russia's Federal Security Service (FSB). Turla (also tracked as Krypton, UNC4210, and Secret Blizzard) targets high-profile organizations, including governments and diplomatic institutions, in Europe, Central Asia, and the Middle East.
Initial infection comes via spear-phishing emails carrying Microsoft Word files whose malicious macro code installs the LunarMail backdoor. The VBA macro achieves persistence on the infected system by creating an Outlook add-in that is loaded each time Outlook starts. The researchers also pointed to the possible exploitation of Zabbix, an open-source network and application monitoring platform, to deploy the LunarWeb payload.
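The Outlook add-in persistence described above can be hunted for in the registry. The Python below is an added example, not code from the report or its authors: it assumes the add-in is registered the way COM add-ins normally are, as a subkey under Software\Microsoft\Office\Outlook\Addins in HKCU or HKLM carrying a LoadBehavior value, and resolves each ProgID through HKCR to the DLL Outlook will actually load. It then flags add-ins that load at startup but point at a user-writable path or at nothing resolvable. The registry locations are real; the sample inventory (names, paths, ProgIDs) is constructed, and the precise way LunarMail registers its add-in is not stated on the page and is an assumption here.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

LOAD_AT_STARTUP = 0x2  # bit in LoadBehavior; the usual value 3 means "connected, load on startup"
# Path fragments an auto-loading Office add-in has no good reason to live under.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


@dataclass
class OutlookAddIn:
    hive: str                   # "HKCU" or "HKLM"
    progid: str                 # subkey name under ...\Outlook\Addins
    load_behavior: int          # LoadBehavior DWORD, 0 if absent
    server_path: Optional[str]  # DLL behind the add-in's CLSID, None if unresolvable


def assess(addin: OutlookAddIn) -> List[str]:
    """Reasons an add-in deserves a closer look; an empty list means nothing notable."""
    reasons = []
    if not addin.load_behavior & LOAD_AT_STARTUP:
        return reasons  # not loaded automatically, so not a persistence foothold
    if addin.server_path is None:
        reasons.append("loads at startup but its COM server could not be resolved from HKCR")
    elif any(marker in addin.server_path.lower() for marker in USER_WRITABLE):
        reasons.append(f"loads at startup from a user-writable path: {addin.server_path}")
    if reasons and addin.hive == "HKCU":
        reasons.append("registered per-user, which a macro running as the victim can write without admin rights")
    return reasons


def triage(addins: List[OutlookAddIn]):
    """Return only the add-ins with findings, as (addin, reasons) pairs."""
    return [(a, assess(a)) for a in addins if assess(a)]


# Constructed inventory standing in for a live registry read (names and paths are made up).
SAMPLE_INVENTORY = [
    OutlookAddIn("HKLM", "Contoso.ArchiveConnector", 3, r"C:\Program Files\Contoso\ArchiveConnector.dll"),
    OutlookAddIn("HKCU", "OutlookSyncHelper.Connect", 3, r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\synchelper.dll"),
    OutlookAddIn("HKCU", "Legacy.Reporting", 0, r"C:\Users\alice\AppData\Local\Legacy\report.dll"),
    OutlookAddIn("HKCU", "Orphaned.AddIn", 3, None),
]


def resolve_server(progid: str) -> Optional[str]:
    """ProgID -> HKCR\<ProgID>\CLSID -> HKCR\CLSID\{...}\InprocServer32 default value (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\CLSID") as k:
            clsid = winreg.QueryValueEx(k, "")[0]
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"CLSID\%s\InprocServer32" % clsid) as k:
            return os.path.expandvars(winreg.QueryValueEx(k, "")[0])
    except OSError:
        return None


def collect_live() -> List[OutlookAddIn]:
    """Enumerate HKCU and HKLM ...\Outlook\Addins on the local machine (Windows only)."""
    import winreg
    found = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            addins = winreg.OpenKey(hive, r"Software\Microsoft\Office\Outlook\Addins")
        except OSError:
            continue
        index = 0
        while True:
            try:
                progid = winreg.EnumKey(addins, index)
            except OSError:
                break  # EnumKey raises when there are no more subkeys
            index += 1
            with winreg.OpenKey(addins, progid) as k:
                try:
                    load_behavior = int(winreg.QueryValueEx(k, "LoadBehavior")[0])
                except OSError:
                    load_behavior = 0
            found.append(OutlookAddIn(hive_name, progid, load_behavior, resolve_server(progid)))
    return found


if __name__ == "__main__":
    inventory = collect_live() if os.name == "nt" else SAMPLE_INVENTORY
    for addin, reasons in triage(inventory):
        print(f"{addin.hive}\\...\\Addins\\{addin.progid}")
        for r in reasons:
            print("   -", r)
```

Run it on a Windows host to read the live registry; elsewhere it falls back to the constructed inventory. 32-bit Office on 64-bit Windows keeps its add-ins under the Wow6432Node branch of HKLM, which this example does not enumerate, and a DLL under Program Files is not automatically benign, so treat the output as a worklist rather than a verdict.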
Once active, the Lunar backdoors communicate directly with the C2 server and allow lateral movement within the network using stolen credentials or a compromised domain controller. They are built for long-term surveillance, data theft, and maintaining control over compromised systems, particularly in high-value sectors. A complete list of IoCs is available in the researchers' report.
Recent research indicates that Russian-backed threat actors currently pose the greatest risk to election infrastructure, with goals that include advancing interests associated with the GRU and retaliating against perceived adversaries. In February, SentinelLabs uncovered a Russian-aligned influence operation network, Doppelgänger, that used disinformation to shape public opinion in Germany. With major elections on the horizon in both the US and EU member states, malicious activity by state-sponsored actors is expected to increase, further complicating an already difficult socio-economic and geopolitical landscape.