The Good | Leaders of crypto investment scam arrested and charged in $73 million money laundering scheme
This week, two alleged "pig butchering" scammers had the tables turned on them and could now face prison time. The Department of Justice has indicted Darren Li, 41, and Yichen Zhang, 38, for leading an international syndicate that laundered more than $73 million through a cryptocurrency investment scam. Li and Zhang have been charged with conspiracy to commit money laundering and six counts of international money laundering, each of which carries a maximum sentence of 20 years in prison if convicted.
In pig butchering scams, criminals build trust with targeted victims through social media, messaging and dating platforms to convince them to invest in fraudulent schemes. Once a victim is hooked, the criminals steal the victim's cryptocurrency and drain funds from the compromised wallet.
According to court documents, Li and Zhang transferred millions in victims' cryptocurrency to U.S. bank accounts associated with shell companies. The funds were then moved through various domestic and international accounts and cryptocurrency platforms to conceal their origins. Communications uncovered during the investigation provided details of this operation, including fees, victim information, and interactions with U.S. financial institutions.
In 2023 alone, the U.S. Secret Service recovered more than $1.1 billion from fraudulent activities, and the IC3 reported that investment fraud losses increased from $3.31 billion in 2022 to $4.57 billion last year. As financial fraud schemes become increasingly common and complex, everyone must learn how to spot predatory behavior online, stay vigilant in protecting their digital assets and identity, verify the legitimacy of any brokerage firm before investing, and report any suspected fraud immediately.
The Bad | New attack campaign sees threat actors exploiting legitimate cloud services to distribute malware
In a new attack campaign, popular cloud storage services such as Google Drive and Dropbox are being abused to deliver malicious payloads. Dubbed "CLOUD#REVERSER," the attack was analyzed by security researchers this week. It uses VBScript and PowerShell to carry out command and control (C2)-like activity within the storage platform, managing file uploads and downloads.
The attack begins with a phishing email containing a ZIP archive that holds an executable disguised as a Microsoft Excel file. This is done by utilizing a hidden Right-to-Left Override (RLO) Unicode character (U+202E) to reverse the order of the characters that follow it in the string. In this case, the actual filename is RFQ-101432620247fl*U+202E*xslx.exe, but the victim who receives the email sees it rendered as RFQ-101432620247flexe.xlsx and opens what they believe to be a legitimate Excel spreadsheet. This isn't a new technique, but it's something we don't see very often in 2024.
When the file is executed, it drops a total of eight payloads, including a decoy Excel (.xlsx) file that is used to continue the deception. From there, a series of additional scripts allow the threat actor to establish persistence on the system, connect to actor-controlled Google Drive and Dropbox accounts, retrieve files from the storage services, and maintain connectivity to the actor's command and control (C2) servers.
These attacks highlight the trend of threat actors abusing SaaS platforms to deliver malicious payloads disguised as legitimate network traffic. By embedding multi-stage downloaders that execute code within widely used cloud platforms, threat actors can maintain a low profile while still ensuring persistent access for data exfiltration.
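The RLO trick above is easy to catch at a mail gateway or in an attachment scanner once you know to look for it. The following added example (not code from the original post or from the researchers who analyzed the campaign) checks filenames for Unicode bidirectional control characters, approximates how the name would be rendered to a user, and compares the displayed extension with the real one. The rendering helper is a deliberate simplification of the Unicode bidi algorithm (it reverses the run after an RLO up to a matching PDF), which is adequate for ASCII filenames like the one in this campaign; the function names are my own.

```python
import unicodedata

# Unicode bidirectional controls that can change the rendered order of text.
# LRE, RLE, PDF, LRO, RLO, then the isolates LRI, RLI, FSI, PDI, then LRM, RLM.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"
    "\u2066\u2067\u2068\u2069"
    "\u200e\u200f"
)
RLO, PDF = "\u202e", "\u202c"  # Right-to-Left Override, Pop Directional Formatting


def find_bidi_controls(name):
    """Return (index, codepoint, Unicode name) for every bidi control in a filename."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def displayed_name(name):
    """Approximate what a file browser shows: the run after an RLO (up to a PDF)
    is drawn right-to-left, i.e. reversed. Simplified bidi handling, ASCII-oriented."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    run, _, rest = tail.partition(PDF)
    return head + run[::-1] + displayed_name(rest)


def _extension(name):
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def real_extension(name):
    """Extension the operating system will actually use: bidi controls are
    invisible to the shell, so strip them and take the text after the last dot."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return _extension(stripped)


def displayed_extension(name):
    """Extension the user believes they are opening."""
    return _extension(displayed_name(name))


def check_filename(name):
    """Return None for a clean name, otherwise a dict describing the deception."""
    controls = find_bidi_controls(name)
    if not controls:
        return None
    shown, real = displayed_extension(name), real_extension(name)
    return {
        "controls": controls,
        "displayed": displayed_name(name),
        "displayed_ext": shown,
        "real_ext": real,
        "mismatch": shown != real,
    }


if __name__ == "__main__":
    # The filename from the CLOUD#REVERSER lure, with the RLO written as an escape,
    # plus a constructed benign name for comparison.
    for sample in ("RFQ-101432620247fl\u202exslx.exe", "quarterly-report.xlsx"):
        print(repr(sample), "->", check_filename(sample))
```

In a real pipeline the useful signal is `mismatch`: a bidi control alone is legitimate in some Arabic or Hebrew filenames, but a displayed extension that differs from the real one, especially when the real one is executable, is almost always a lure and is worth blocking or quarantining.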
Singularity™ Cloud Security
SentinelOne's comprehensive, AI-powered CNAPP, Singularity™ Cloud Security, enables you to improve prioritization, respond faster, and uncover actionable insights.
The Ugly | New China-linked threat actor has repeatedly targeted military and government organizations over the last six years
This week, cybersecurity researchers reported on a series of attacks on countries bordering the South China Sea, revealing previously undocumented details about a threat group dubbed "Unfading Sea Haze." So far, the group has repeatedly targeted eight high-level organizations in critical sectors over the past six years, exploiting poor credential hygiene and unpatched devices and web services in particular.
New APT group “Unfading Sea Haze” attacks military targets in the South China Sea https://t.co/XHNQPc1ccz
— Nicolas Krassas (@Dinosn) May 23, 2024
While Unfading Sea Haze is not currently associated with any known APT groups, it appears to share similar goals, techniques, geopolitical victimology, and tool selection known to be associated with Chinese-speaking threat actors, including the use of Gh0st RAT malware and execution of a tool called SharpJHandler commonly used by China-based APT41.
So far, Unfading Sea Haze has been observed sending spear-phishing emails containing Windows shortcut (LNK) files. Once launched, these files execute commands to retrieve the next-stage payload, a backdoor called "SerialPktdoor", and execute PowerShell scripts to remotely manage files. Unfading Sea Haze attacks are also characterized by the use of Microsoft Build Engine (MSBuild) to execute files filelessly to minimize the risk of detection, and the use of scheduled tasks to load malicious DLLs to establish persistence.
Other tools in the group's arsenal include "Ps2dllLoader", the keylogger "xkeylog", a web browser data stealer, a tool that monitors for the presence of portable devices, and a custom data stealer called "DustyExfilTool". The variety and complexity of the toolkit indicates a certain level of sophistication. The combination of both custom and commercial tools points to a cyberespionage campaign aimed at collecting sensitive information from military and government agencies, the researchers said.
Organizations can use the SentinelOne Singularity platform to mitigate the risks posed by threat groups such as Unfading Sea Haze. Timely security hygiene, such as patch management, strong authentication methods, and secure credential handling, is also highly recommended.