SAN MATEO, CA, April 10, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Telegram growing in popularity among cybercriminals, used to set up phishing campaigns
- Growing dark web marketplace STYX deals in financial fraud
- FBI shuts down Genesis Market and arrests 119 in Operation Cookie Monster
- Lazarus Group used 10-year-old Windows flaw in 3CX supply chain hack
- Newly observed Rorschach ransomware features fastest encryption seen
- eFile.com, an IRS-authorized tax filing service, found to be delivering malware
- DDoS attacks have risen astronomically in the last three years
- OpcJacker crypto stealing malware targets victims using fake VPN services
- Newly discovered Money Message ransomware gang targets victims worldwide, demands million-dollar ransoms
Telegram growing in popularity among cybercriminals, used to set up phishing campaigns
Researchers have noted that the popular messaging app Telegram has become increasingly popular among cybercriminals who use it to spread phishing kits and teach other potential fraudsters how to use them. According to researchers at Kaspersky, “to promote their ‘goods,’ phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, ‘What type of personal data do you prefer?'” Security professionals warn that the barrier to entry for successfully carrying out cyber crimes has lowered significantly, with content previously confined to dark web forums now readily available on mainstream platforms. Read more.
Growing dark web marketplace STYX deals in financial fraud
Having launched only this year, STYX, a new dark web marketplace, is growing rapidly. Researchers expect STYX to become a significant cybercrime hub due to the dismantling of Genesis Market by the FBI and international authorities. The marketplace focuses mainly on financial fraud crimes such as “money laundering, identity theft, distributed denial-of-service (DDoS), bypassing two-factor authentication (2FA), fake or stolen IDs and other personal data, renting malware, using cash-out services, email and telephone flooding, identity lookup, and much more.” Read more.
FBI shuts down Genesis Market and arrests 119 in “Operation Cookie Monster”
Genesis Market, an illegal marketplace where people buy and sell stolen credentials associated with banking and social media accounts, has been taken offline by international authorities and the FBI. Codenamed “Operation Cookie Monster,” the sting involved law enforcement across 17 countries, resulting in 208 property searches and 119 arrests. Court documents reveal that the FBI “gained access to Genesis Market’s backend servers twice in December 2020 and May 2022, enabling the agency to access information about 59,000 users of the cybercrime bazaar.” While Genesis Market’s main site has been seized, the site’s .onion mirror is still operational and functioning normally. Read more.
Lazarus Group used 10-year-old Windows flaw in 3CX supply chain hack
North Korea’s Lazarus Group is believed responsible for hacking 3CX Windows and macOS apps. Researchers believe the state-sponsored hacker outfit “used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature.” The hack injected info-stealing malware into the devices of 3CX users on a massive scale. It’s also been discovered that Lazarus installed a backdoor called Gopuram on select devices for cyber espionage. 3CX says that more than 600,000 organizations worldwide use its software. Read more.
Newly observed Rorschach ransomware features fastest encryption seen
Security researchers at Check Point have reported that a new ransomware variant they’re calling “Rorschach” includes “technically new features,” including the fastest encryption in this type of malware. According to Check Point’s findings, “the encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.” A test determined that Rorschach is nearly twice as fast as LockBit, previously believed to be the speediest ransomware. While Rorschach’s creators are unknown, the ransomware is designed to only deploy on devices that are “configured with a language outside the Commonwealth of Independent States.” Read more.
eFile.com, an IRS-authorized tax filing service, found to be delivering malware
BleepingComputer reports that eFile.com, an IRS-authorized website many use to complete their tax returns, has been delivering JavaScript malware. The issue was discovered by Reddit users who began suspecting that the site had been hijacked after it displayed an SSL message that instructed visitors to click a link to update their browser. Hacker gang LockBit claimed to have attacked the site in January 2023, although eFile.com did not respond. Evidence indicates that this compromise was successful and has been allowed to remain intact four months into the new year with the tax filing deadline looming and no statement or comment from eFile.com. The extent of the malware’s spread due to the breach is unknown. Read more.
DDoS attacks have risen astronomically in the last three years
Security vendor Netscout has reported that DDoS attacks have increased by 487% over the last three years. Their findings indicated that the biggest boost took place in the latter half of 2022, bolstered by the increased activity of pro-Russia groups targeting victims believed to be in support of Ukraine. Hacker gang Killnet was responsible for many of these attacks, with Netscout reporting that “the US national security sector experienced a massive 16,815% increase in attacks from Killnet hacktivists.” These attacks rely on botnets of vast numbers of devices infected with malware variants including Mirai, Meris and Dvinis. Read more.
OpcJacker crypto stealing malware targets victims using fake VPN services
A malvertising campaign observed since the second half of last year is spreading OpcJacker, a malware designed to steal crypto. The campaign was spotted by researchers and two others, one spreading NullMixer malware and another, called TACTICAL#OCTOPUS, targeting US users with tax-related lures. While the campaign was initially composed of a network of fraudulent websites advertising mundane products and/or services, researchers have noted that the threat actors have been creating more focused ads that purport to sell VPN services. Thus far, the victims seem to be based in Iran. Read more.
Newly discovered Money Message ransomware gang targets victims worldwide, demands million-dollar ransoms
A new ransomware gang called Money Message has been observed attacking organizations worldwide and demanding million-dollar ransoms. The gang’s extortion website currently lists two victims, one of which is an Asian airline. Researchers say that the methods and malware used by the gang are not advanced or novel, but still effective enough to pose another threat for companies to be wary of. As usual, Money Message threatens to leak stolen data unless their demands are met. Read more.
More cybersecurity news
- Last week’s news
- All cybersecurity news and articles are brought to you by NetworkTigers.