Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw
AMD has launched an investigation after the threat actor IntelBroker announced they were selling sensitive data allegedly belonging to the company.
“We are aware of a cybercriminal organization claiming to be in possession of stolen AMD data,” the chip maker told media outlets. “We are working closely with law enforcement officials and a third-party hosting partner to investigate the claim and the significance of the data.”
Earlier this week IntelBroker announced on the BreachForums cybercrime forum that they were “selling the AMD.com data breach.”
The seller states that the files were stolen in June 2024.
The allegedly stolen data includes information on future products, datasheets, employee and customer databases, property files, firmware, source code, and financial documentation.
The seller claims compromised employee data includes first and last names, job functions, business phone numbers, email addresses, and status.
It’s unclear whether the data is authentic and what its source is.
IntelBroker recently made the headlines after attempting to sell data from Europol and Zscaler.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, AMD)
Researchers at Datadog uncovered a new cryptojacking campaign linked to the attackers behind Spinning YARN campaign.
The threat actors target publicly exposed and unsecured Docker API endpoints for initial access.
The attack begins with the threat actor scanning the internet to find hosts with Docker’s default port 2375 open. After locating a valid host, they perform Docker reconnaissance by querying the Docker host’s version with the docker version command. Following this confirmation, the attacker starts the exploitation phase by attempting to create an Alpine Linux container and using Docker’s Binds parameter to map the host’s root directory (/) to a directory within the container (/mnt). Below is the container-creation request body used in the campaign:
{
  "Image": "alpine",
  "HostConfig": {
    "Binds": ["/:/mnt"]
  }
}
If this step is successful, the attacker gains access to the Docker host’s underlying filesystem through the /mnt directory inside the container, allowing them to escalate their privileges.
In addition to defining the container image and host configuration parameters, the attacker executes a shell command within the container itself to set the root of subsequent processes.
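The two misconfigurations the campaign depends on (an unauthenticated Docker API on TCP and a container that binds the host root into itself) are both visible in configuration, so a defender can audit for them before an attacker does. The following Python is an added example, not code from the article or the Datadog report; the daemon.json and container-create samples are constructed, and a real `docker inspect` output can be passed to `audit_container_config` element by element in the same way.

```python
"""Audit Docker daemon and container configuration for the exposure abused by
the Spinning YARN campaign: an unauthenticated TCP API (port 2375) and
containers that bind the host root ("/") into the container.

Added example, not the article's or the Datadog report's code. Inputs below
are constructed samples.
"""
import json

# Host paths that grant effective root on the host when bind-mounted.
# Any path *under* these is flagged. "/" itself only matches exactly, because
# every absolute path is under "/" and e.g. "/srv/data" is a normal bind.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/boot", "/dev", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")


def _normalize(path):
    path = path.strip()
    return path if path == "/" else path.rstrip("/")


def is_sensitive_host_path(src):
    """True if src is the host root or lies inside one of SENSITIVE_HOST_PATHS."""
    src = _normalize(src)
    if not src.startswith("/"):
        return False            # a named volume, not a host path
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container_config(cfg):
    """Return findings for one container-create request body or one element
    of `docker inspect` output (both carry a "HostConfig" object)."""
    findings = []
    host = cfg.get("HostConfig") or {}
    # Legacy form: "Binds": ["host:container[:opts]"]; the campaign used "/:/mnt".
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if is_sensitive_host_path(src):
            findings.append(f"bind mount exposes host path {src!r} ({bind})")
    # Newer form: "Mounts": [{"Type": "bind", "Source": ..., "Target": ...}]
    for m in host.get("Mounts") or []:
        if m.get("Type") == "bind" and is_sensitive_host_path(m.get("Source", "")):
            findings.append(f"bind mount exposes host path {m['Source']!r} -> {m.get('Target')}")
    if host.get("Privileged"):
        findings.append("container runs privileged")
    if host.get("PidMode") == "host":
        findings.append("container shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("container shares the host network namespace")
    return findings


def audit_daemon_json(text):
    """Flag a daemon.json that exposes the API over TCP without TLS client
    verification ("hosts" and "tlsverify" are real daemon.json keys)."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts") or []
    tcp = [h for h in hosts if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        return [f"Docker API reachable over TCP without tlsverify: {', '.join(tcp)}"]
    return []


# --- constructed samples ---------------------------------------------------
# The create request the article describes: Alpine with "/" bound to /mnt.
CAMPAIGN_CREATE_REQUEST = {
    "Image": "alpine",
    "HostConfig": {"Binds": ["/:/mnt"]},
}

# A benign request: a named volume plus a read-only bind of an app directory.
BENIGN_CREATE_REQUEST = {
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html",
                             "/srv/app/conf:/etc/nginx/conf.d:ro"]},
}

EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                        ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')

if __name__ == "__main__":
    for label, req in (("campaign", CAMPAIGN_CREATE_REQUEST), ("benign", BENIGN_CREATE_REQUEST)):
        print(label, audit_container_config(req) or "clean")
    for label, d in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(d) or "clean")
```

On a live host, `docker inspect $(docker ps -aq)` yields the list these functions expect; a flagged "/" bind on a container nobody deployed deliberately is a strong signal of this kind of intrusion.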
The attackers were observed deploying multiple payloads, including chkstart, which downloads and executes additional malicious payloads, and a lateral movement tool (exeremo) used to propagate the malware via SSH.
The threat actors used a shell script named “vurl” to retrieve the malicious payloads from a server under their control. The script includes another shell script called “b.sh” that, in turn, packs a Base64-encoded binary named “vurl” and is also responsible for fetching and launching a third shell script known as “ar.sh” (or “ai.sh”).
“After the attacker gains initial access and achieves execution via cron, the next stage of the campaign is to fetch and execute a new shell script—b.sh. This script contains a base64-encoded tar archive of a new binary named vurl. The script decodes and extracts this binary to /usr/bin/vurl, overwriting the existing shell script version, before fetching and executing one of two shell scripts—ar.sh or ai.sh.” reads the report published by the researchers.
The attackers use an unusual persistence mechanism: they modify existing systemd services and use the ExecStartPost configuration option to execute malicious commands.
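Because ExecStartPost= lines are rarely edited by hand, a baseline check over unit files catches this persistence cheaply. The following Python is an added example, not code from the article or the Datadog report; the unit-file text is a constructed sample, and the `allowed_post` allow-list and the command patterns it searches for are assumptions, not anything the report publishes.

```python
"""Flag systemd units whose ExecStartPost= runs something unexpected.

Added example, not the article's or the Datadog report's code. Parses unit-file
text (e.g. from /etc/systemd/system or a drop-in) and reports ExecStartPost
directives that are not on an assumed allow-list.
"""
import re

# Assumed indicators of a tampered directive: a shell wrapper, a downloader,
# an encoder, or a program launched from a world-writable temp directory.
SUSPICIOUS = re.compile(r"(/bin/(ba)?sh\b|\bcurl\b|\bwget\b|\bbase64\b|/tmp/|/dev/shm/)")


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order
    (systemd allows several ExecStartPost= lines per unit)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text, allowed_post=()):
    """Return one finding per ExecStartPost= command not in allowed_post."""
    findings = []
    for key, value in parse_unit(text).get("Service", []):
        if key != "ExecStartPost" or value == "":   # empty value just resets the list
            continue
        cmd = value.lstrip("-@:+!")                 # strip systemd executable prefixes
        if cmd in allowed_post:
            continue
        reason = "not in baseline"
        if SUSPICIOUS.search(cmd):
            reason += "; invokes shell/downloader or runs from temp dir"
        findings.append(f"ExecStartPost={value} ({reason})")
    return findings


# Constructed sample: a legitimate-looking unit with a tampered ExecStartPost line.
MODIFIED_UNIT = """\
[Unit]
Description=Example service (constructed sample)

[Service]
ExecStart=/usr/bin/example-daemon --foreground
ExecStartPost=/bin/sh -c /tmp/example-payload.sh
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: the same unit with only its expected post-start hook.
CLEAN_UNIT = """\
[Service]
ExecStart=/usr/bin/example-daemon --foreground
ExecStartPost=/usr/bin/example-notify
"""

if __name__ == "__main__":
    print(audit_unit(MODIFIED_UNIT, allowed_post=("/usr/bin/example-notify",)))
    print(audit_unit(CLEAN_UNIT, allowed_post=("/usr/bin/example-notify",)))
```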
The shell script “ar.sh” serves multiple purposes, including setting up a working directory, installing tools to scan the internet for vulnerable hosts, removing existing cron entries, weakening the system by disabling firewalls, clearing shell history, and preventing new lines from being added to the history file.
The script is ultimately used to fetch the next-stage payload “chkstart.”
Attackers used Golang binaries, such as vurl, to set up remote access and download additional tools from a remote server. The experts observed attackers downloading “m.tar” and an XMRig miner called “top.”
“This update to the Spinning YARN campaign shows a willingness to continue attacking misconfigured Docker hosts for initial access. The threat actor behind this campaign continues to iterate on deployed payloads by porting functionality to Go, which could indicate an attempt to hinder the analysis process, or point to experimentation with multi-architecture builds.” concludes the report.
“Although the likely objective of this campaign is to deploy an XMRig miner to compromised hosts, the attackers also ensured that they maintain access to victim machines via SSH. Maintaining remote code execution to victim hosts could mean that attackers can leverage their access for additional objectives.”
(SecurityAffairs – hacking, Docker)
VMware addressed multiple vCenter Server vulnerabilities that remote attackers can exploit to achieve remote code execution or privilege escalation.
vCenter Server is a centralized management platform developed by VMware for managing virtualized environments.
The vCenter Server contains multiple heap-overflow flaws, tracked as CVE-2024-37079 and CVE-2024-37080 (maximum CVSSv3 base score of 9.8), in the implementation of the DCERPC protocol.
“A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution.” reads the advisory published by the company.
Customers are recommended to install the released security patches; no workarounds are available.
The vulnerabilities were reported by Hao Zheng (@zhz) and Zibo Li (@zbleet) from TianGong Team of Legendsec at Qi’anxin Group.
VMware also addressed multiple local privilege escalation vulnerabilities, tracked as CVE-2024-37081 (maximum CVSSv3 base score of 7.8), in the vCenter Server.
“The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo.” reads the advisory. “An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.”
The issue was reported by Matei “Mal” Badanoiu from Deloitte Romania.
VMware confirmed that it is not aware of attacks in the wild exploiting these issues.
The following table reports impacted products and fixed versions:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter Server | 8.0 | Any | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | 9.8, 9.8, 7.8 | Critical | 8.0 U2d | None | FAQ |
| vCenter Server | 8.0 | Any | CVE-2024-37079, CVE-2024-37080 | 9.8, 9.8 | Critical | 8.0 U1e | None | FAQ |
| vCenter Server | 7.0 | Any | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | 9.8, 9.8, 7.8 | Critical | 7.0 U3r | None | FAQ |
(SecurityAffairs – hacking, VMware)
Meta announced it is delaying the training of its large language models (LLMs) on public content shared by adults on Facebook and Instagram, following a request from the Irish Data Protection Commission (DPC).
“The DPC welcomes the decision by Meta to pause its plans to train its large language model using public content shared by adults on Facebook and Instagram across the EU/EEA. This decision followed intensive engagement between the DPC and Meta.” reads the DPC’s request. “The DPC, in co-operation with its fellow EU data protection authorities, will continue to engage with Meta on this issue.”
Meta added that it is disappointed by the request from the Irish Data Protection Commission (DPC). The social network giant pointed out that this is a step “backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”
“We’re disappointed by the request from the Irish Data Protection Commission (DPC), our lead regulator, on behalf of the European DPAs, to delay training our large language models (LLMs) using public content shared by adults on Facebook and Instagram — particularly since we incorporated regulatory feedback and the European DPAs have been informed since March.” reads the statement from Meta. “This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”
The company explained that its AI, including Llama LLM, is already available in other parts of the world. Meta explained that to provide a better service to its European communities, it needs to train the models on relevant information that reflects the diverse languages, geography and cultural references of the people in Europe. For this reason, the company initially planned to train its large language models using the content that its European users in the EU have publicly stated on its products and services.
Meta intended to implement these changes on June 26, giving users the option to opt out of data usage by submitting a request.
“We are committed to bringing Meta AI, along with the models that power it, to more people around the world, including in Europe. But, put simply, without including local information we’d only be able to offer people a second-rate experience. This means we aren’t able to launch Meta AI in Europe at the moment.”
Meta added that the delay will allow it to address requests from the U.K. Information Commissioner’s Office (ICO) before starting the training.
(SecurityAffairs – hacking, Meta)
Keytronic has confirmed a data breach after a ransomware group leaked personal information allegedly stolen from its systems. The company did not provide any information on the ransomware operation that hit its network; however, the Black Basta ransomware group leaked over 500 gigabytes of data allegedly stolen from the company. Black Basta claims to have stolen ≈530 GB of data, including HR, finance, engineering documents, corporate data, and home users’ data.
The company was forced to halt domestic and Mexico operations for approximately two weeks.
“The cybersecurity incident caused disruptions, and limitation of access, to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems.” reads the FORM 8-K/A filed with SEC. “Since the date of the Original Report, the Company has determined that the threat actor accessed and exfiltrated limited data from the Company’s environment, which includes some personally identifiable information.”
As of the date of the FORM 8-K filing, the company has restored its operations and corporate functions and locked out the unauthorized third party.
Keytronic is notifying potentially affected parties and regulatory agencies.
The company confirmed that it has already incurred $600,000 in expenses related to the cybersecurity incident to date. The bad news is that financial losses are greater due to lost production for approximately two weeks in its domestic and Mexico operations.
(SecurityAffairs – hacking, Keytronic)
Initially, these attacks involved malicious software that encrypts a victim’s data, rendering it inaccessible until a ransom is paid to the attackers.
Today, this tactic has evolved, where ransomware operators in nearly every case first exfiltrate sensitive data and then threaten to publicly expose it if a ransom demand is not paid.
In some cases, attackers are even leveraging the threat of regulatory actions or causing cyber insurance policies to be rendered moot by reporting lapses in security on the part of the victim to regulators and insurers.
In other cases, they may initiate a Denial of Service (DoS) attack to damage the victim’s public image or try to extort third parties like customers or business partners impacted by the data breach. These tactics are used individually or in unison to increase pressure to twist the victim organization’s arm into paying up.
In all cases, the economic impact from ransomware is profound, affecting businesses, governments, and individuals globally. Understanding the economic factors driving ransomware is crucial for developing effective strategies to fight this growing scourge.
RaaS: Mirroring the Legitimate SaaS Models
In mid-2012, the ransomware ecosystem evolved with the introduction of Reveton, the first Ransomware-as-a-Service (RaaS). This revolutionized the cybercrime landscape, making it easier for people with minimal technical skills to commit ransomware attacks. The RaaS model mirrors the legitimate Software-as-a-Service (SaaS) model, where developers create and maintain the tools and lease them to affiliates in exchange for a share of the profits.
The RaaS ecosystem is made up of specialists like developers, affiliates, access brokers and more, each playing a role. Developers author sophisticated ransomware variants and provide regular updates to ensure their efficacy. Affiliates are the actors who distribute the ransomware through phishing emails, exploit kits, or compromised websites, while access brokers sell access to compromised networks. The top-down hierarchical structures, diversified revenue streams, and businesses functions including customer support have transformed RaaS into highly profitable “organizations.”
The Dark Web is a bustling, underground marketplace for malefactors, where ransomware kits, stolen data, and support services are bought and sold. These marketplaces offer a wide range of tools and services, including customer support for cybercriminals, ensuring that even inexperienced attackers can perpetrate successful ransomware campaigns.
Cybercriminal gangs often operate across borders, leveraging a global network to slip through the nets of law enforcement. They use all possible tools, including compromised servers and anonymizing services, for obfuscation, making it hard for authorities to trace and shut down their operations.
Unfortunately Crime Does Pay
Ransomware attacks are widespread because they promise a maximum reward for minimum effort. Ransom demands range from thousands to millions of dollars, and unfortunately, many victims cough up to regain access to their data and systems quickly. High-profile cases, such as the Colonial Pipeline attack, have seen ransom payments in the multimillion-dollar range.
Carrying out a ransomware attack takes minimal initial investment, particularly when using the RaaS model. Affiliates can start with no upfront cost, paying developers a percentage of the ransom payments they collect. This low barrier to entry adds to the proliferation of these attacks.
Moreover, the ROI for ransomware gangs is exceptionally high. The potential payouts from successful attacks dwarf the costs of developing or renting ransomware. This ROI makes ransomware a compelling business model for criminals, so it is soaring in popularity.
The Digital Currency of Crime
Cryptocurrencies play a central role in ransomware economics by offering anonymity and privacy that traditional payment methods cannot match. Bad actors usually demand payment in cryptocurrencies such as Bitcoin or Monero, which are difficult to trace and keep their identities anonymous.
Transactions with crypto are fast and easy, facilitating rapid payment and verification. This speed and simplicity are great for attackers who want to get their hands on the ransom immediately and for victims who wish to restore their operations as soon as possible.
Furthermore, law enforcement faces significant hurdles in tracking and seizing cryptocurrency used for nefarious purposes. The decentralized nature of cryptocurrencies and the use of anonymizing techniques make it extremely difficult to trace transactions and recover money.
While there have been some successful recovery efforts, such as seizing a portion of the Colonial Pipeline ransom, the money is gone for good in most instances.
Counting the Cost for Companies
Entities hit by ransomware attacks have to pay direct costs, including ransoms and expenses related to recovery and remediation. Even if the ransom is not paid, the costs associated with restoring data from backups and strengthening security can be substantial.
The indirect costs of ransomware attacks are often even more damaging. Downtime and lost productivity during the event and recovery period can severely impact business operations. Additionally, reputational damage and loss of customer trust are immeasurable and have long-term financial consequences that impact the company’s bottom line. In fact, the cost to victims from ransomware attacks is estimated to reach $265 billion (USD) annually by 2031.
The increased frequency and volume of attacks has also seen cybersecurity insurance premiums soar and spending on cybersecurity measures skyrocket. Businesses are investing more in employee training, advanced security tools, and incident response planning to mitigate the risk of future attacks.
Limiting the Financial Fallout
Proactive cybersecurity measures are essential for defending against ransomware. Implementing endpoint and anti-ransomware protection, patch management, and access controls can dramatically reduce the risk of a successful attack. Defenses like data backups can help you limit the impact of ransomware, while resilience and procedure testing can help you effectively recover from an attack and reduce operational disruptions. Finally, employee training and awareness programs are vital in preventing ransomware attacks.
On the other hand, cybersecurity frameworks governing cryptocurrencies and fostering international cooperation are crucial for combating ransomware. Better Anti-Money Laundering (AML) and Know-Your-Customer (KYC) regulations can help reduce the anonymity of cryptocurrency transactions, while international collaboration can help catch and prosecute these gangs across borders.
A Complex and Evolving Threat
Ransomware is a complex and evolving threat that isn’t going anywhere soon – it’s simply too profitable for threat actors. However, understanding the tactics of the top ransomware groups and the economic dynamics behind this menace can help businesses develop more effective strategies to fight it.
A multi-pronged approach, including strengthening cyber defenses, improving regulations, and raising awareness, is crucial to mitigating the risk and impact of ransomware.
About the author
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.
(SecurityAffairs – hacking, cybercrime)
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-06-10 to 2024-06-17.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Two men, Thomas Pavey (aka “Dopenugget”) and Raheim Hamilton (aka “Sydney” and “Zero Angel”), have been charged in federal court in Chicago for operating the dark web marketplace “Empire Market” from 2018 to 2020.
According to the indictment, the duo was previously involved in selling counterfeit U.S. currency on AlphaBay before starting Empire Market.
The two men are accused of having facilitated over four million transactions for a total value of more than $430 million, involving illegal goods and services. The authorities charged them with various crimes, including drug trafficking, computer fraud, access device fraud, counterfeiting, and money laundering, which carry a maximum sentence of life in federal prison. Pavey and Hamilton are currently in U.S. law enforcement custody, with arraignments yet to be scheduled.
“THOMAS PAVEY, also known as “Dopenugget,” 38, of Ormond Beach, Fla., and RAHEIM HAMILTON, also known as “Sydney” and “Zero Angel,” 28, of Suffolk, Va., owned and operated Empire Market from 2018 to 2020, during which time they facilitated approximately four million transactions between vendors and buyers valued at more than $430 million, according to a superseding indictment returned Thursday in U.S. District Court in Chicago.” reads the press release published by DoJ. “They began operating Empire Market on Feb. 1, 2018, the indictment states.”
The dark web marketplace Empire Market featured multiple categories of illicit goods such as illegal drugs, counterfeit items, Software & Malware, and credit card numbers, it allowed its users to pay using Bitcoin (BTC), Monero (XMR), and Litecoin (LTC).
The dark web marketplace shut down in 2020, leaving users without time to withdraw funds from their escrow accounts. At the time, some users blamed a prolonged distributed denial-of-service (DDoS) attack, while others suspected an exit scam.
The two operators used cryptocurrency to conceal the nature and identities involved in the illicit transactions and encouraged users to use “tumbling” services, which mix and exchange cryptocurrencies to obscure their origin and connection to the marketplace.
During the investigation, the feds seized cryptocurrency worth $75 million at the time of the seizures, as well as cash and precious metals.
Pavey and Hamilton face charges for five counts:
The two men can face a maximum sentence of life in federal prison.
(SecurityAffairs – hacking, Empire Market)
In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to a China-linked threat actor tracked as ‘Velvet Ant.’
The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.
The investigation revealed that the threat actor had been present in the organization’s on-premises network for about three years, aiming to maintain access for espionage purposes. They achieved persistence by establishing multiple footholds within the company’s environment. One method used was exploiting a legacy F5 BIG-IP appliance exposed to the internet, which served as an internal Command and Control (C&C). When one foothold was discovered and remediated, the threat actor quickly adapted and pivoted to another. This demonstrated their agility and deep understanding of the target’s network infrastructure.
“The compromised organization had two F5 BIG-IP appliances which provided services such as firewall, WAF, load balancing and local traffic management. These appliances were directly exposed to the internet, and both of which were compromised. Both F5 appliances were running an outdated, vulnerable, operating system. The threat actor may have leveraged one of the vulnerabilities to gain remote access to the appliances.” reads the analysis published by Sygnia. “As a result, a backdoor hidden within the F5 appliance can evade detection from traditional log monitoring solutions.”
Once the attackers had compromised the F5 BIG-IP appliances, they gained access to internal file servers and deployed the PlugX RAT. The PlugX RAT was used by multiple Chinese APT groups in cyberespionage campaigns over the years.
Forensic analysis of the F5 appliances revealed that the Velvet Ant group also used the following malware in their attacks:
Forensic analysis of the F5 appliances identified four binaries deployed by the threat actor:
Researchers provided the following recommendations for organizations to mitigate attacks of groups like Velvet Ant:
The report also includes indicators of compromise for the attack analyzed by the researchers.
(SecurityAffairs – hacking, Velvet ANT APT)
The LA County Department of Public Health announced that the personal information of more than 200,000 individuals was compromised in a data breach that occurred between February 19 and February 20, 2024.
Threat actors obtained the log-in credentials of 53 Public Health employees through a phishing campaign.
“Between February 19, 2024, and February 20, 2024, the Los Angeles County Department of Public Health experienced a phishing attack in which a hacker was able to gain log-in credentials of 53 Public Health employees through a phishing email, compromising the personal information of more than 200,000 individuals.” reads the notice of data breach published by DPH.
Upon discovering the phishing attack, Public Health disabled the impacted email accounts and reset and reimaged the users’ devices. The organization also blocked the websites that were the origin of the attack and quarantined all suspicious incoming emails.
Potentially compromised e-mail accounts may have included DPH clients/employees/other individuals’ first and last name, date of birth, diagnosis, prescription, medical record number/patient ID, Medicare/Med-Cal number, health insurance information, Social Security Number, and other financial information.
“Affected individuals may have been impacted differently and not all of the elements listed were present for each individual.” continues the notice.
LA County’s Department of Public Health is notifying impacted individuals by mail.
The department is informing the U.S. Department of Health & Human Services’ Office for Civil Rights and other relevant agencies.
In response, Public Health has implemented numerous enhancements to reduce exposure to similar e-mail attacks in the future.
At the time of this writing, DPH cannot confirm whether any information has been accessed or misused. DPH recommends that impacted individuals review the content and accuracy of their medical records with their medical providers.
The agency is also offering entitled individuals free credit and identity monitoring services.
In April, the Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.
Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.
The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.
“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”
The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.
Social Security Numbers (SSN) or financial information was not compromised.
(SecurityAffairs – hacking, LA County’s Department of Public Health)
Spanish police arrested a 22-year-old British national suspected of being a key member of the cybercrime group known as Scattered Spider (also known as UNC3944 and 0ktapus). The man was arrested in Palma de Mallorca while attempting to fly to Italy; during the arrest, police confiscated a laptop and a mobile phone. The arrest resulted from a joint operation conducted by the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.
“A 22-year-old British man has been arrested in Palma de Mallorca in a joint effort by Spanish police and the FBI on suspicion of being the ringleader of a hacking group which targeted 45 companies and people in the United States.” reported the Murcia Today. “He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds.”
The cybercrime group Scattered Spider is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.
While Murcia Today did not provide info about the arrested man, vx-underground states that the individual was involved in “several other high-profile ransomware attacks performed by Scattered Spider.”
vx-underground also added that the man arrested is a SIM-swapper known by the alias “Tyler.”
June 14th a 22-year-old British man was arrested in Palma de Mallorca, Spain.
Per the official report: the currently unidentified male is alleged to be behind a series of large-enterprise 'hacks' which resulted in the theft of corporate information and allowing an unidentified…
— vx-underground (@vxunderground) June 15, 2024
Previously on Dragon Ball Z, the Spanish media reported a 'hacker' was arrested via the Spanish Police working in conjunction with the United States Federal Bureau of Investigation.
The individual arrested as a 22-year-old male from the United Kingdom. He was not immediately…
— vx-underground (@vxunderground) June 15, 2024
According to the Spanish police, the man once controlled Bitcoins worth $27 million. According to the malware research team, a judge in Los Angeles, California, has issued a warrant for the arrest of the British citizen. Spanish police tracked the suspect to Mallorca after he entered Spain via Barcelona in late May. The investigation is still ongoing. The police have yet to disclose the suspect’s identity.
The popular journalist Brian Krebs reported that sources familiar with the investigation told KrebsOnSecurity the man is a 22-year-old from Dundee, Scotland named Tyler Buchanan.
“Sources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.” states KrebsOnSecurity.
In January 2024, U.S. authorities arrested Noah Michael Urban, a 19-year-old from Palm Coast, Florida, suspected of being a member of the Scattered Spider cybercriminal group. He is accused of stealing at least $800,000 from five victims between August 2022 and March 2023. Urban, known online as “Sosa” and “King Bob,” is linked to the same group that hacked Twilio and other companies in 2022.
Scattered Spider members are part of a broader cybercriminal community called “The Com,” where hackers brag about high-profile cyber thefts, typically initiated through social engineering tactics like phone, email, or SMS scams to gain access to corporate networks.
“One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.”
(SecurityAffairs – hacking, Scattered Spider)
Often, behind these enticing offers are pyramid schemes in which profits are generated by recruiting new participants rather than by delivering any actual service, sometimes causing significant financial losses. Other false offers require an initial investment that never yields a meaningful return, or promise job opportunities with hidden fees. It is into this scenario that illicit practices such as money mules and reshipping scams fit.
Money mules
The term money mules refers to individuals recruited by criminals to transfer illicit money through their own bank accounts in exchange for a commission. Money mules are often unaware that they are committing a crime and believe they are doing regular work. The practice is nonetheless illegal, and it enables money laundering and other criminal activity.
In this regard, the State Police’s latest operation “EMMA 9,” a vast action to combat cyber money laundering coordinated by Europol and conducted in 28 countries, uncovered 2,729 fraudulent transactions, identified 879 money mules and foiled fraud worth more than 6 million euros.
“The phenomenon of money mules certainly represents one of the established and ever-present aspects of online fraud. These individuals constitute the last link in the chain through which criminals monetize the proceeds of crime,” comments the State Police. “In the context of countering Financial Cybercrime, the prevalence of these figures is alarming and is endemic worldwide.”
“Drops for stuff” service
This common practice consists of having high-value products purchased online by criminals received and reshipped by residents (willing or unwilling), so that the goods can be resold on the black market in regions that online merchants refuse to ship to because of their association with credit card fraud (Eastern Europe, North Africa, and Russia). The breach of SWAT, a criminal service that laundered expensive goods purchased with stolen credit cards, exposed its operations, structure, and earnings. The leaked data provided information on operations, finances, and organizational structure, revealing the modus operandi of reshipping scams and the financial strength of the criminals involved.
The service employed more than 1,200 people in the United States who, knowingly or unknowingly, took part in reshipping scams. The structure of this service, also known as “Drops for Stuff,” distinguished “drops,” people who responded to work-from-home job ads to reship packages, from “stuffers,” individuals holding stolen credit card numbers who paid the SWAT service a fee for each drop.
As Brian Krebs explained, most reshipping schemes promised drops a monthly stipend with possible bonuses that were never actually paid. In practice, packages arrived with prepaid shipping labels bought with stolen credit cards. The drops were responsible for inspecting and verifying the contents of the shipments, putting the correct shipping label on each package, and sending it through the appropriate carrier. Once the stolen parcels had been received and successfully reshipped, the traffickers could sell them on the local black market.
“It’s not hard to see how reshipping can be a profitable venture for card fraudsters,” Krebs explains. “For example, a stuffer buys a stolen payment card on the black market for $10 and uses it to purchase over $1,100 worth of goods. After the reshipping service has taken its cut (about $550) and the stuffer has paid for its reshipping label (about $100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He just turned a $10 investment into more than $700.”
What to do to avoid running into these scams
It is critical to be careful when evaluating offers that promise easy earnings. Offers that do not give clear details about products, earning patterns, or company structure may hide pitfalls. Victims of these scams not only lose money but can also be charged with receiving stolen goods or aiding and abetting criminal activity. To avoid problems, beware of job offers that are too tempting or that require you to make money transfers, and check the legitimacy of any company offering unusual reshipping opportunities.
About the author: Salvatore Lombardo (Twitter @Slvlombardo)
An electronics engineer and Clusit member, he has for some time been writing for several online magazines on information security, espousing the principle of conscious education. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
(SecurityAffairs – hacking, money laundering)
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press – Newsletter
Cybercrime
BlackBerry Cylance Data Offered for Sale on Dark Web
City of Cleveland Scrambling to Restore Systems Following Cyberattack
Malware
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Operation Celestial Force employs mobile and desktop malware to target Indian entities
Dissecting SSLoad Malware: A Comprehensive Technical Analysis
DISGOMOJI Malware Used to Target Indian Government
Arid Viper poisons Android apps with AridSpy
Hacking
Bypassing Veeam Authentication CVE-2024-29849
Updates for security issue affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin
Challenges in red teaming AI systems
The mystery of an alleged data broker’s data breach
GPT-4 autonomously hacks zero-day security flaws with 53% success rate
EmailGPT Exposed to Prompt Injection Attacks
Intelligence and Information Warfare
Howling at the Inbox: Sticky Werewolf’s Latest Malicious Aviation Attacks
Two Ukrainians suspected of helping Russia spread propaganda, hack military phones
Insights on Cyber Threats Targeting Users and Enterprises in Brazil
Cybersecurity
Security Alert: CVE-2024-4577 – PHP CGI Argument Injection Vulnerability
What Snowflake isn’t saying about its customer data breaches
Why are hospitals becoming more of a target for ransomware attacks
Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers
THE JUNE 2024 SECURITY UPDATE REVIEW
Update on cyber incident: Clinical impact in south east London – Friday 14 June 2024
(SecurityAffairs – hacking, newsletter)