Global – INDIA NEWS (http://www.indiavpn.org)

Hive RAT Creators and $3.5M Cryptojacking Mastermind Arrested in Global Crackdown
http://www.indiavpn.org/2024/04/16/hive-rat-creators-and-3-5m-cryptojacking-mastermind-arrested-in-global-crackdown/
Tue, 16 Apr 2024 08:44:49 +0000

Hackers Arrested

Two individuals have been arrested in Australia and the U.S. in connection with an alleged scheme to develop and distribute a remote access trojan called Hive RAT (previously Firebird).

The U.S. Justice Department (DoJ) said the malware “gave the malware purchasers control over victim computers and enabled them to access victims’ private communications, their login credentials, and other personal information.”

A 24-year-old individual named Edmond Chakhmakhchyan (aka “Corruption”) from Van Nuys in Los Angeles, California, was taken into custody after he was caught selling a license of Hive RAT to an undercover employee of a law enforcement agency.

He has been charged with one count of conspiracy and one count of advertising a device as an interception device, each of which carries a penalty of five years in prison. Chakhmakhchyan pleaded not guilty and was ordered to stand trial on June 4, 2024.

Court documents allege a partnership between the malware’s creator and the defendant under which the latter would post advertisements for the malware on a cybercrime forum called Hack Forums, accept cryptocurrency payments from customers, and offer product support.

Hive RAT comes with capabilities to terminate programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets from victims’ machines without their knowledge or consent.

“Chakhmakhchyan exchanged electronic messages with purchasers and explained to one buyer that the malware ‘allowed the Hive RAT user to access another person’s computer without that person knowing about the access,’” the DoJ said.

The Australian Federal Police (AFP), which announced charges of its own against a citizen for their purported involvement in the creation and sale of Hive RAT, said its investigation into the matter began in 2020.

The unnamed suspect faces 12 charges, including one count of producing data with intent to commit a computer offense, one count of controlling data with intent to commit a computer offense, and 10 counts of supplying data with intent to commit a computer offense. The maximum penalty for each of these offenses is three years imprisonment.

“Remote Access Trojans are one of the most harmful cyber threats in the online environment – once installed onto a device, a RAT can provide criminals with full access to, and control of the device,” AFP Acting Commander Cybercrime Sue Evans said.

“This could include anything from committing crimes anonymously, watching victims through camera devices, wiping hard drives, or stealing banking credentials and other sensitive information.”

Nebraska Man Indicted in Cryptojacking Scheme

The development comes as federal prosecutors in the U.S. indicted Charles O. Parks III (aka “CP3O”), 45, for operating a massive illegal cryptojacking operation, defrauding “two well-known providers of cloud computing services” out of more than $3.5 million in computing resources to mine cryptocurrency worth nearly $1 million.

The indictment charges Parks with wire fraud, money laundering, and engaging in unlawful monetary transactions. He was arrested on April 13, 2024. The wire fraud and money laundering charges carry a maximum sentence of 20 years’ imprisonment. He also faces 10 years’ imprisonment on the unlawful monetary transactions charges.

While the DoJ does not explicitly state which cloud providers were targeted in the fraudulent operation, it noted that the companies are based in the Washington state cities of Seattle and Redmond – the corporate headquarters for Amazon and Microsoft.

“From in or about January 2021 through August 2021, Parks created and used a variety of names, corporate affiliations and email addresses, including emails with domains from corporate entities he operated […] to register numerous accounts with the cloud providers and to gain access to massive amounts of computing processing power and storage that he did not pay for,” the DoJ said.

The illicitly obtained resources were then used to mine cryptocurrencies such as Ether (ETH), Litecoin (LTC) and Monero (XMR), which were laundered through a network of cryptocurrency exchanges, a non-fungible token (NFT) marketplace, an online payment provider, and traditional bank accounts to conceal the digital transaction trail.

The ill-gotten proceeds, prosecutors said, were ultimately converted into dollars, which Parks used to make various extravagant purchases that included a Mercedes Benz luxury car, jewelry, and first-class hotel and travel expenses.

“Parks tricked the providers into approving heightened privileges and benefits, including elevated levels of cloud computing services and deferred billing accommodations, and deflected inquiries from the providers regarding questionable data usage and mounting unpaid subscription balances,” the DoJ said.

LockBit Ransomware’s Darknet Domains Seized in Global Law Enforcement Raid
http://www.indiavpn.org/2024/02/20/lockbit-ransomwares-darknet-domains-seized-in-global-law-enforcement-raid/
Tue, 20 Feb 2024 07:48:11 +0000

Feb 20, 2024 | Newsroom | Dark Web / Cybercrime

LockBit Ransomware

An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns.

While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group’s .onion website displays a seizure banner containing the message “The site is now under the control of law enforcement.”

Authorities from 11 countries (Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the U.K., and the U.S.), alongside Europol, participated in the joint exercise.

Malware research group VX-Underground, in a message posted on X (formerly Twitter), said the websites were taken down by exploiting a critical security flaw impacting PHP (CVE-2023-3824, CVSS score: 9.8) that could result in remote code execution.

Law enforcement agencies also left a note on the affiliate panel, stating they are in possession of the “source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more,” adding it was made possible due to LockBit’s “flawed infrastructure.”

LockBit, which emerged on September 3, 2019, has been one of the most active and notorious ransomware gangs in history, claiming more than 2,000 victims to date. It’s estimated to have extorted at least $91 million from U.S. organizations alone.

According to data shared by cybersecurity firm ReliaQuest, LockBit listed 275 victims on its data leak portal in the fourth quarter of 2023, dwarfing all its competitors.

There is no word as yet of any arrest or sanctions, but the development is a definite blow to LockBit’s near-term operations and arrives two months after the BlackCat ransomware operation was dismantled by the U.S. government.

The coordinated takedown also coincides with the arrest of a 31-year-old Ukrainian national for gaining unauthorized access to Google and online bank accounts of American and Canadian users by deploying malware and selling access to other threat actors on the dark web for financial gain.

Global Coalition and Tech Giants Unite Against Commercial Spyware Abuse
http://www.indiavpn.org/2024/02/07/global-coalition-and-tech-giants-unite-against-commercial-spyware-abuse/
Wed, 07 Feb 2024 12:03:20 +0000

Commercial Spyware Abuse

A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, has signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses.

The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for States, industry, and civil society in relation to the development, facilitation, purchase, and use of such tools.

The declaration stated that “uncontrolled dissemination” of spyware offerings contributes to “unintentional escalation in cyberspace,” noting it poses risks to cyber stability, human rights, national security, and digital security.

“Where these tools are used maliciously, attacks can access victims’ devices, listen to calls, obtain photos and remotely operate a camera and microphone via ‘zero-click’ spyware, meaning no user interaction is needed,” the U.K. government said in a press release.

According to the National Cyber Security Centre (NCSC), thousands of individuals are estimated to have been globally targeted by spyware campaigns every year.

“And as the commercial market for these tools grows, so too will the number and severity of cyber attacks compromising our devices and our digital systems, causing increasingly expensive damage and making it more challenging than ever for our cyber defenses to protect public institutions and services,” Deputy Prime Minister Oliver Dowden said at the U.K.-France Cyber Proliferation conference.

Notably missing from the list of countries that participated in the event is Israel, which is home to a number of private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa (Cytrox), NSO Group, and QuaDream.

Recorded Future News reported that Hungary, Mexico, Spain, and Thailand – which have been linked to spyware abuses in the past – did not sign the pledge.

The multi-stakeholder action coincides with an announcement by the U.S. Department of State to deny visas for individuals that it deems to be involved with the misuse of dangerous spyware technology.

On one hand, spyware such as Chrysaor and Pegasus is licensed to government customers for use in law enforcement and counterterrorism. On the other hand, it has also been routinely abused by oppressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents, and other civil society members.

Such intrusions typically leverage zero-click (or one-click) exploits to surreptitiously deliver the surveillanceware onto the targets’ Google Android and Apple iOS devices with the goal of harvesting sensitive information.

That said, ongoing efforts to combat and contain the spyware ecosystem have been something of a whack-a-mole, underscoring the challenge of fending off recurring and lesser-known players who provide or come up with similar cyber weapons.

This also extends to the fact that CSVs continue to expend effort developing new exploit chains as companies like Apple, Google, and others discover and plug the zero-day vulnerabilities.

“As long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetrating an industry that harms high risk users and society at large,” Google’s Threat Analysis Group (TAG) said.

An extensive report published by TAG this week revealed that the company is tracking roughly 40 commercial spyware companies that sell their products to government agencies, with 11 of them linked to the exploitation of 74 zero-days in Google Chrome (24), Android (20), iOS (16), Windows (6), Adobe (2), and Mozilla Firefox (1).

Unknown state-sponsored actors, for example, exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409) as a zero-day last year to infect victims with spyware developed by Barcelona-based Variston. The flaws were patched by Apple in April and May 2023.

The campaign, discovered in March 2023, delivered a link via SMS and targeted iPhones located in Indonesia running iOS versions 16.3.0 and 16.3.1 with the aim of deploying the BridgeHead spyware implant via the Heliconia exploitation framework. Also weaponized by Variston is a high-severity security shortcoming in Qualcomm chips (CVE-2023-33063) that first came to light in October 2023.

The complete list of zero-day vulnerabilities in Apple iOS and Google Chrome that were discovered in 2023 and have been tied to specific spyware vendors is as follows:

“Private sector firms have been involved in discovering and selling exploits for many years, but the rise of turnkey espionage solutions is a newer phenomena,” the tech giant said.

“CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual’s device.”

INTERPOL Arrests 31 in Global Operation, Identifies 1,900+ Ransomware-Linked IPs
http://www.indiavpn.org/2024/02/02/interpol-arrests-31-in-global-operation-identifies-1900-ransomware-linked-ips/
Fri, 02 Feb 2024 17:30:01 +0000

Feb 02, 2024 | Newsroom | Cyber Crime / Malware

Ransomware-Linked IPs

An INTERPOL-led collaborative operation targeting phishing, banking malware, and ransomware attacks has led to the identification of 1,300 suspicious IP addresses and URLs.

The law enforcement effort, codenamed Synergia, took place between September and November 2023 in an attempt to blunt the “growth, escalation and professionalization of transnational cybercrime.”

Involving 60 law enforcement agencies spanning 55 member countries, the exercise paved the way for the detection of more than 1,300 malicious servers, 70% of which have already been taken down in Europe. Hong Kong and Singapore authorities took down 153 and 86 servers, respectively.

Servers, as well as electronic devices, were confiscated following over 30 house searches. Seventy suspects have been identified to date, and 31 from Europe, South Sudan, and Zimbabwe have been arrested.

Singapore-headquartered Group-IB, which also contributed to the operation, said it identified “more than 500 IP addresses hosting phishing resources and over 1,900 IP addresses associated with ransomware, Trojans, and banking malware operations.”

The rogue infrastructure was hosted in Australia, Canada, Hong Kong, and Singapore, among others, with the resources distributed across more than 200 web hosting providers around the world.

“The results of this operation, achieved through the collective efforts of multiple countries and partners, show our unwavering commitment to safeguarding the digital space,” Bernardo Pillot, assistant director to INTERPOL Cybercrime Directorate, said.

“By dismantling the infrastructure behind phishing, banking malware, and ransomware attacks, we are one step closer to protecting our digital ecosystems and a safer, more secure online experience for all.”

The development arrives more than a month after another six-month-long international police operation dubbed HAECHI-IV resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries.

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs
http://www.indiavpn.org/2024/01/26/microsoft-warns-of-widening-apt29-espionage-attacks-targeting-global-orgs/
Fri, 26 Jan 2024 07:01:12 +0000

Jan 26, 2024 | Newsroom | Threat Intelligence / Cyber Attack

APT29 Espionage Attacks

Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it’s currently beginning to notify them.

The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

“This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe,” the Microsoft Threat Intelligence team said in a new advisory.

The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention.

The latest disclosure indicates that the scale of the campaign may have been bigger than previously thought. The tech giant, however, did not reveal which other entities were singled out.

APT29’s operations involve the use of legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It’s also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection.

“They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers’ trust chain to gain access to downstream customers,” Microsoft noted.

Another notable tactic entails the use of breached user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. This enables threat actors to maintain access to applications, even if they lose access to the initially compromised account, the company pointed out.

These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.

In the incident targeting Microsoft in November 2023, the threat actor used a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.

Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and with Exchange Online via a vast network of IP addresses that are also used by legitimate users.

“Midnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses,” Redmond said, necessitating that organizations take steps to defend against rogue OAuth applications and password spraying.

The Cookie Privacy Monster in Big Global Retail
http://www.indiavpn.org/2024/01/16/the-cookie-privacy-monster-in-big-global-retail/
Tue, 16 Jan 2024 13:17:11 +0000

Jan 16, 2024 | The Hacker News | Data Security / Privacy Compliance

Cookie Privacy

Explore how an advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn’t anything malicious, but with modern web environments being so complex, mistakes can happen, and non-compliance fines can be just an oversight away.

As a child, did you ever get caught with your hand in the cookie jar and earn yourself a telling-off? Well, even if you can still remember being outed as a cookie monster, the punishments for today’s thieving beasts are worse. Millions of dollars worse.

Cookies are an essential part of modern web analytics. A cookie is a small piece of text data that records website visitor preferences along with their behaviors, and its job is to help personalize their browsing experience. Just as you needed parental consent to access the cookie jar all those years ago, your business now needs to obtain user consent before it injects cookies into a user’s browser and then stores or shares information about their browsing habits.

As custodian of the website cookie jar, your business can’t raid it like you did when you were six. You must get permission in both situations, but these days the punishment can be hefty fines from data privacy regulators and expensive lawsuits from users.

A new case study from Reflectiz, a leading website security company, highlights how its advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn’t anything malicious like a web skimming or keylogging attack, but with modern web environments being so complex and companies like this one having hundreds of websites to maintain, mistakes can happen, and non-compliance fines can be just an oversight away.

A Little About Tracking Cookies

Tracking cookies have been around since the early days of the internet. In 1994, Lou Montulli, a programmer employed by the precursor to Netscape, was working on an e-commerce application for MCI, one of its clients, which had requested a virtual shopping cart. He invented cookies as a way of verifying whether users had visited the site before and remembering their preferences.

Stories began to appear in the news around cookies’ potential to invade privacy, but despite public concern, it wasn’t until 2011 that the European Union enacted legislation to ensure that websites obtain users’ explicit consent before using cookies.

Unauthorized Tracking Without Cookie Consent

In this new case study, a global retail client sought to continuously monitor diverse user journeys on their websites, uncovering that 37 domains were injecting cookies without obtaining proper user consent. The retail company’s conventional security tools remained blind to this issue due to constraints imposed by their organizational VPN, limiting visibility. Furthermore, the rogue and misconfigured cookies were injected into iFrame components, creating challenges for standard security controls like WAF to monitor effectively.

The Client’s Problem: Blinded by VPN

Although the retailer’s platform already had other security solutions in place, it was blind to the problem, which was this: on 37 of its websites, cookie tracking was taking place without obtaining explicit consent from visitors. This was happening via iFrames (which are used to embed content from one website inside another) that were obscured by a VPN. This masked their activities and made the cookie consent issue invisible to the other security solutions.

Although this was a damaging oversight, at least the data was not being sent to malicious actors. Instead, Reflectiz discovered that it was going to a legitimate third-party advertising service.

The High Cost of Non-Compliance

For a company with customers in the European Union, GDPR applies, and a violation of its cookie consent rules is classed as a Tier 2 category offense. Under this regulation, businesses that fail to obtain valid cookie consent could be fined up to 4% of their global annual turnover or €20 million ($21.94 million), whichever amount is larger. This is why having the ability to track the behaviors of every asset connected to a website is so important, and why Reflectiz was such a lifesaver in this instance.

The Solution

Reflectiz saw what the other solutions couldn’t. It identified the 37 domains where cookies were being used without consent, discovered where the data was being sent (in this case, a legitimate advertiser), and empowered the retailer to fix the problem before it could escalate.

The Reflectiz platform gives companies in the retail, finance, medical, and other sectors the insights they need to maintain compliance with data protection standards and avoid similar incidents that can result in fines, lawsuits, and reputational damage. It’s remotely executed so there’s virtually no performance impact, and the intuitive interface means that employee onboarding is swift.

Key Takeaways

  • Consent Oversight: The platform failed to detect and inform users about certain cookies injected without proper consent, lacking a consent box on the website.
  • VPN Secrecy Unveiled: Reflectiz’s monitoring exposed 37 domains injecting cookies without user approval, traced back to a location initially hidden by an Organizational VPN.
  • Third-Party Data Compromise: Compromised data reached an external domain through unauthorized cookie injections triggered by a specific user journey.
  • Unnoticed iFrame Tracking: Unmonitored iFrame activity contributed to privacy violations by tracking user data without consent.
  • Misconfigured Cookie Threat: A misconfigured cookie facilitated the privacy breach, posing a significant threat to user privacy.
  • Communication Breakdown Lesson: Improved inter-departmental communication, especially between security and marketing, is crucial to prevent issues related to third-party code implementation.
  • Continuous Monitoring Crucial: The case highlights the critical need for continuous monitoring and vigilance in the ever-evolving landscape of online privacy to uphold user trust and comply with data protection regulations.

3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals
http://www.indiavpn.org/2023/12/24/3500-arrested-in-global-operation-haechi-iv-targeting-financial-criminals/
Sun, 24 Dec 2023 13:03:42 +0000

Dec 20, 2023 | Newsroom | Financial Crime / Cyber Threat

Financial Criminals

A six-month-long international police operation codenamed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries.

The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.

In addition, authorities froze associated bank and virtual asset service provider (VASP) accounts in an effort to shut off access to criminal proceeds. In total, authorities blocked 82,112 suspicious bank accounts, confiscating $199 million in hard currency and $101 million in virtual assets.

“Cooperation between Filipino and Korean authorities led to the arrest in Manila of a high-profile online gambling criminal after a two-year manhunt by Korea’s National Police Agency,” Interpol, an international police organization, said.

Investment fraud, business email compromise, and e-commerce fraud accounted for 75% of the cases, the agency added, stating it detected a new scam in South Korea that involved the sale of non-fungible tokens (NFTs) with promises of huge returns, only for the operators to stage a rug pull and abruptly abandon the project.

Another novel trend concerned the use of artificial intelligence (AI) and deepfake technology to elevate the authenticity of scams, enabling criminals to impersonate people known to the targets, as well as deceive, defraud, harass, and extort victims through impersonation scams, online sexual blackmail, and investment fraud.

HAECHI-IV comes more than a year after HAECHI-III, which led to the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering.

“The seizure of $300 million represents a staggering sum and clearly illustrates the incentive behind today’s explosive growth of transnational organized crime,” Interpol’s Stephen Kavanagh said. “This vast accumulation of unlawful wealth is a serious threat to global security and weakens the economic stability of nations worldwide.”

German Authorities Dismantle Dark Web Hub ‘Kingdom Market’ in Global Operation
http://www.indiavpn.org/2023/12/24/german-authorities-dismantle-dark-web-hub-kingdom-market-in-global-operation/
Sun, 24 Dec 2023 03:20:35 +0000

Dec 21, 2023 | Newsroom | Dark Web / Cybercrime

Dark Web Hub Kingdom Market

German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to “tens of thousands of users.”

The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.

Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.

As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.

Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.

“The operators of ‘Kingdom Market’ are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics,” the BKA said, adding an investigation into the seized server infrastructure is ongoing.

In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.

The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware’s dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had “unseized” it.
