Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Dubbed “the largest ever operation against botnets,” the international effort is being billed as the opening salvo in an ongoing campaign targeting advanced malware “droppers” or “loaders” like IcedID, Smokeloader and Trickbot.

Operation Endgame targets the cybercrime ecosystem supporting droppers/loaders, slang terms used to describe tiny, custom-made programs designed to surreptitiously install malware onto a target system. Droppers are typically used in the initial stages of a breach, and they allow cybercriminals to bypass security measures and deploy additional harmful programs, including viruses, ransomware, or spyware.

Droppers like IcedID are most often deployed through email attachments, hacked websites, or bundled with legitimate software. For example, cybercriminals have long used paid ads on Google to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is the hidden component bundled with the legitimate software that quietly loads malware onto the user’s system.

Droppers remain such a critical, human-intensive component of nearly all major cybercrime enterprises that the most popular have turned into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities are hoping to disrupt multiple cybercriminal operations simultaneously.

According to a statement from the European police agency Europol, between May 27 and May 29, 2024 authorities arrested four suspects (one in Armenia and three in Ukraine), and disrupted or took down more than 100 Internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, United States and Ukraine. Authorities say they also seized more than 2,000 domain names that supported dropper infrastructure online.

In addition, Europol released information on eight fugitives suspected of involvement in dropper services and who are wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on 30 May 2024.

“It has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,” Europol wrote. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.”

There have been numerous such coordinated malware takedown efforts in the past, and yet often the substantial amount of coordination required between law enforcement agencies and cybersecurity firms involved is not sustained after the initial disruption and/or arrests.

But a new website erected to detail today’s action — operation-endgame.com — makes the case that this time is different, and that more takedowns and arrests are coming. “Operation Endgame does not end today,” the site promises. “New actions will be announced on this website.”

Perhaps in recognition that many of today’s top cybercriminals reside in countries that are effectively beyond the reach of international law enforcement, actions like Operation Endgame seem increasingly focused on mind games — i.e., trolling the hackers.

Writing in this month’s issue of Wired, Matt Burgess makes the case that Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem.

“These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched,” Burgess wrote.

When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader.

The Operation Endgame website also includes a countdown timer, which serves to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online. At least two of the videos include a substantial amount of text written in Russian.

The coordinated takedown comes on the heels of another law enforcement action this week against what the director of the FBI called “likely the world’s largest botnet ever.” On Wednesday U.S. Department of Justice (DOJ) announced the arrest of YunHe Wang, the alleged operator of the ten-year-old online anonymity service 911 S5. The government also seized 911 S5’s domains and online infrastructure, which allegedly turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

A previously undocumented cyber espionage-focused threat actor named LilacSquid has been linked to targeted attacks spanning various sectors in the United States (U.S.), Europe, and Asia as part of a data theft campaign since at least 2021. "The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to

The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to its exploit arsenal. The addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security

Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. "These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization

Security leaders are in a tricky position trying to discern how much new AI-driven cybersecurity tools could actually benefit a security operations center (SOC). The hype about generative AI is still everywhere, but security teams have to live in reality. They face constantly incoming alerts from endpoint security platforms, SIEM tools, and phishing emails reported by internal users. Security

Europol on Thursday said it shut down the infrastructure associated with several malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot as part of a coordinated law enforcement effort codenamed Operation Endgame. "The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and

An international law enforcement operation, called Operation Endgame targeted multiple botnets and their operators.

Between 27 and 29 May 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

The joint actions were carried out by authorities in the Netherlands, Germany, France, Denmark, United States, and the United Kingdom with support from Europol and Eurojust. In addition, with the cooperation of the aforementioned authorities, there have also been police actions in Ukraine, Switzerland, Armenia, Portugal, Romania, Canada, Lithuania and Bulgaria for the arrest or interrogation of suspects, searches or the seizure and downing of servers.

It is the largest operation ever against botnets, crucial in deploying ransomware.

These malicious codes are essential in the attack chain, they act as loaders for additional payloads and some of them are also used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft. 

The operation aimed to disrupt criminal services by arresting key individuals, dismantling infrastructures, and freezing illegal proceeds. Europol states that this operation had a global impact on the dropper ecosystem, which facilitated ransomware and other malicious attacks. Following the operation, eight fugitives linked to these activities will be added to Europe’s Most Wanted list on 30 May 2024. This large-scale operation, led by France, Germany, and the Netherlands, and supported by Eurojust, involved multiple countries and private partners.

“The coordinated actions led to:

• 4 arrests (1 in Armenia and 3 in Ukraine)
• 16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)
• Over 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine 
• Over 2 000 domains under the control of law enforcement

Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.” reads the press release published by EUROPOL. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.

Droppers are used to install other malware into target systems. They serve as the first stage of a malware attack, enabling attackers to deploy harmful programs like viruses, ransomware, or spyware.

Below are the descriptions for the botnets targeted by the operation:

• SystemBC: Facilitates anonymous communication between infected systems and command-and-control servers.
• Bumblebee: Distributed via phishing campaigns or compromised websites, it enables the delivery and execution of further payloads.
• SmokeLoader: Used primarily as a downloader to install additional malicious software.
• IcedID (BokBot): Initially a banking trojan, now used for various cybercrimes, including financial data theft.
• Pikabot: A trojan that provides initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft.

“Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.” concludes the announcement.

However, the criminal activity behind the targeted botnets is still continuing, a malware researcher Rohit Bansal that goes online with the handle “R.” warns of a still active server spreading the SystemBC malware.

Found Another 𝗔𝗰𝘁𝗶𝘃𝗲 #SystemBC #Malware spreading from ON-LINE-DATA server in Netherlands (AS204601).

C2 IP:
cobusabobus[.]cam:4001 / 212.162.153.199

Malware Hash:
0dd1f6c2b9bf477115701a1340d8d9a2

81 Victims Confirmed
Stay vigilant! #threatintel pic.twitter.com/cYUkt3csP1

— R. (@0xrb) May 30, 2024

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Endgame)

The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as "likely the world's largest botnet ever," which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses. The botnet, which has a global footprint spanning more than 190 countries, functioned as a residential proxy service known as 911 S5.

An international law enforcement operation led by the U.S. DoJ disrupted the 911 S5 botnet and led to the arrest of its administrator.

The U.S. Justice Department led an international law enforcement operation that dismantled the 911 S5 proxy botnet. The law enforcement also arrested its administrator, the 35-year-old Chinese national YunHe Wang, in Singapore. The authorities sanctioned Wang and his co-conspirators. Since 2011, Wang and his co-conspirators had been distributing malware through malicious VPN applications, including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. The compromised devices were recruited in the 911 S5 residential proxy service.

“According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide.” reads the press release published by DoJ. “These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.”

According to court documents, the gang bundled the malware with other program files, including pirated versions of licensed software or copyrighted materials. Wang operated approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers.

Wang utilized dedicated servers to deploy and manage applications, control infected devices, operate the 911 S5 service, and offer paying customers access to proxied IP addresses associated with these compromised devices.

“As alleged in the indictment, Wang created malware that compromised millions of residential computers around the world and then sold access to the infected computers to cybercriminals,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking. Cybercriminals should take note. Today’s announcement sends a clear message that the Criminal Division and its law enforcement partners are firm in their resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account.”

The FBI has published information at fbi.gov/911S5 to help identify and remove 911 S5’s VPN applications from your devices or machines.

The FBI shared instructions on how to identify and remove VPN Applications containing the 911 S5 bot.

Cybercriminals used 911 S5 to hide their real IP addresses and locations while committing various crimes, including financial fraud, stalking, bomb threats, illegal exportation of goods, and child exploitation. Since 2014, 911 S5 has allegedly helped cybercriminals bypass financial fraud detection systems, leading to billions of dollars in theft from financial institutions, credit card issuers, and federal lending programs.

During the pandemic, crooks used the botnet to target relief programs, resulting in significant fraud. The U.S. estimates that 560,000 fraudulent unemployment claims, amounting to over $5.9 billion, originated from compromised IP addresses. Additionally, over 47,000 Economic Injury Disaster Loan (EIDL) applications were linked to these IP addresses, causing millions in losses for financial institutions.

The 911 S5 client software, hosted on U.S. servers, allowed cybercriminals outside the U.S. to purchase goods with stolen credit cards and illegally export them, violating U.S. export laws. The software may also contain encryption or features subject to export controls under the Export Administration Regulations (EAR), potentially leading to further legal violations by foreign nationals downloading it without a license.

“The indictment further alleges that from 2018 until July 2022, Wang received approximately $99 million from his sales of the hijacked proxied IP addresses through his 911 S5 operation, either in cryptocurrency or fiat currency.” continues DoJ. “Wang used the illicitly gained proceeds to purchase real property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. The indictment identifies dozens of assets and properties subject to forfeiture, including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains.“

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against Yunhe Wang, and other two Chinese nationals, Jingping Liu and Yanni Zheng, for their role in criminal activities associated with the 911 S5 botnet. Additionally, OFAC sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—due to their ownership or control by Yunhe Wang.

Yunhe Wang faces a maximum penalty of 65 years in prison if convicted on all counts. These charges include conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, 911 S5 botnet)

Identity and access management firm Okta warns of credential stuffing attacks targeting the Customer Identity Cloud (CIC) feature.

Okta warns of credential stuffing attacks targeting its Customer Identity Cloud (CIC) feature since April.

A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.

The identity and access management firm observed suspicious activity that started on April 15. 

The advisory published by the company states that the attacks targeted the endpoints supporting the cross-origin authentication feature, the attacks hit several customers.

“Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks.” reads advisory. “For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers.”

Cross-Origin Resource Sharing (CORS) (opens new window)is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) (opens new window). Use XHR to call a domain that is different than the domain where the script was loaded. Such cross-domain requests would otherwise be forbidden by web browsers as indicated by the same origin security policy (opens new window). CORS defines a standardized (opens new window)way in which the browser and the server can interact to determine whether to allow the cross-origin request.

The company notified the targeted customers that have this feature enabled, it also recommends disabling targeted URLs if they are not in use.

Okta recommends reviewing suspicious activity from April 15 forward, it suggests reviewing the following log events:

• fcoa – Failed cross-origin authentication
• scoa – Successful cross-origin authentication
• pwd_leak – Someone attempted to login with a leaked password

At the end of April, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.

From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.

The latest advisory includes recommendations to mitigate these attacks.

The company also shared recommendations on how to best protect customers from credential-stuffing attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Okta)

Okta is warning that a cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks orchestrated by threat actors. "We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers," the Identity and access management (IAM) services provider said. The

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-13 to 2024-05-29.

News

• Stark Industries Solutions: An Iron Hammer in the Cloud - How Stark Industries Solutions emerged as a significant facilitator of cyberattacks by hosting proxy and VPN services used to conceal and carry out disruptive activities, including massive DDoS attacks targeting Ukraine and Europe, with ties to Russian hacking groups and cybercriminal activities.
• Black Basta ransomware is targeting critical infrastructure sectors - Black Basta ransomware, operated as a Ransomware-as-a-Service, has targeted over 500 organizations globally, significantly impacting 12 critical infrastructure sectors in the U.S., including healthcare, leading to disruptions like ambulance diversions and compromised electronic health records.

Techniques and Write-ups

• Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques - This blog outlines five NTLM relay attack vectors that aren't talked about enough.
• Injecting code into PPL processes without vulnerable drivers on Windows 11 - Discovering and utilizing a syscall, NtSystemDebugControl, to inject code into Protected Process Light (PPL) processes.
• Getting XXE in Web Browsers using ChatGPT - Exploiting XML and XSL functionalities in web browsers to test and demonstrate XXE vulnerabilities.
• Kerbhammer: Detecting Kerberos attacks with Suricata - Detecting Kerberos protocol attacks using the Suricata, highlighting methods to identify abnormal AS-REQ and AS-REP Roasting activities as potential security threats.
• The risk in malicious AI models: Wiz Research discovers critical vulnerability in AI-as-a-Service provider, Replicate - "...In the course of that work, we have discovered critical vulnerabilities that could have led to the leakage of millions of private AI models and apps. "
• Phish Sticks; Hate the Smell, Love the Taste -
• The 'Invisibility Cloak' - Slash-Proc Magic - This blog discusses on utilizing bind mounts to hide processes from the process list, examining how it's done, its forensic detectability.
• Offensive IoT for Red Team Implants (Part 2) - Use your Raspberry Pi Pico as a physical implant device for Red Team operations!
• JS-Tap Mark II: Now with C2 Shenanigans - This blog details updates to JS-Tap. It explains setting up JS-Tap with Gunicorn and nginx to handle more clients and introduces features for automated and repeated JavaScript payload deployment, improving usability.
• QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends) - CVE-2024-27130, an unauthenticated stack overflow bug allowing remote code execution. The team details their investigation and exploitation process, highlighting the NAS device's role in multi-user environments and its security implications.
• New Hires, Lost Keys & Lessons Learned (Passwordless Authentication Series, #3) - Palantir discusses their implementation of FIDO2 authentication via YubiKeys, focusing on the challenges and solutions for new hire onboarding and handling lost or broken authenticators. Nice to see these lessons learned shared amongst the community.
• Exploiting CVE-2024-32002: RCE via git clone - Technical write-up of git CVE-2024-32002. This one is triggered by cloning repositories with specially crafted submodules.
• Introducing BadDNS - Blog on a new tool released by Black Lantern. Used for subdomain takeover detection tool but covers other DNS related issues like zone transfers and NSEC walking as well.
• Foxit PDF “Flawed Design” Exploitation - Tradecraft against the biggest Adobe competitor, FOXIT.

Tools and Exploits

• nmap-did-what - Nmap Dashboard Mini Project. Don't sleep on what you can do with open-source and a little bit of glue!
• no-defender - A slightly more fun way to disable windows defender. (through the WSC api).
• DoubleDrive - A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files.
• RWX_MEMEORY_HUNT_AND_INJECTION_DV - Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region.
• CVE-2024-27804 - POC for CVE-2024-27804.
• graphqlMaker - Finds graphql queries in javascript files.
• mystique-self-injection - An improvement and a different approach to Mockingjay Self-Injection.
• ETWInspector - An Event Tracing for Windows (ETW) tool that allows you to enumerate Manifest & MOF providers, as well as collect events from desired providers.
• OdinLdr - Cobaltstrike UDRL with memory evasion.
• SharpPersistSD - SharpPersistSD is focused on backdooring the remote machine so that persistency or code execution can be established later.
• baddns - Check subdomains for subdomain takeovers and other DNS tomfoolery.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Assumed Breach: The Evolution of Offensive Security Testing - This blog sparked another X/Twitter debate on whether assumed breach is still the "way to go".
• Keylogging in the Windows Kernel with undocumented data structures - Accessing the gafAsyncKeyState structure directly in kernel memory without using system APIs as a keylogger.
• Cloud Threat Landscape - New/cool resource by Wiz. The tools can come in clutch.
• Open Source Security Index - Cool initiative! Thoughts on how they calculate index scores?
• ruff - An extremely fast Python linter and code formatter, written in Rust.
• nimfilt - A collection of modules and scripts to help with analyzing Nim binaries.
• squeegee - A collection of tools using OCR to extract potential usernames from RDP screenshots.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

Check Point released hotfixes for a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively exploited in attacks in the wild.

Check Point released hotfixes to address a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively being exploited in attacks in the wild.

The vulnerability CVE-2024-24919 is a Quantum Gateway information disclosure issue. Threat actors exploited the flaw to gain remote firewall access and breach corporate networks.

The issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances. Impacted versions are R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

Early this week, the security firm warned of a surge in attacks aimed at VPN solutions.

“We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method,” the company said.

“We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers.” reads the initial advisory published by the vendor.

“By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”

The company started investigating the attacks by assembling special teams of Incident Response, Research, Technical Services and Products professionals. The experts found within 24 hours a few potential customers which were attacked.

On May 28, the experts discovered how attackers were targeing its customers and released a fix for Check Point Network Security gateways.

“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled. The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” reads an update to the initial advisory. “Within a few hours of this development, Check Point released an easy to implement solution that prevents attempts to exploit this vulnerability. To stay secure, customers should follow these simple instructions to deploy the provided solution.”

The company also released hotfixes that address the flaw in end-of-life (EOL) versions.

Check Point set up FAQ page to provide information about CVE-2024-24919, such as what customers should do if they suspect unauthorized access attempts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Check Point VPN zero-day)

The U.S. Department of Justice (DOJ) today said they arrested the alleged operator of 911 S5, a ten-year-old online anonymity service that was powered by what the director of the FBI called “likely the world’s largest botnet ever.” The arrest coincided with the seizure of the 911 S5 website and supporting infrastructure, which the government says turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

On May 24, authorities in Singapore arrested the alleged creator and operator of 911 S5, a 35-year-old Chinese national named YunHe Wang. In a statement on his arrest today, the DOJ said 911 S5 enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.

For example, the government estimates that 560,000 fraudulent unemployment insurance claims originated from compromised Internet addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion.

“Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5,” the DOJ wrote. “Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.”

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 S5 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

KrebsOnSecurity first identified Mr. Wang as the proprietor of the popular service in a deep dive on 911 S5 published in July 2022. That story showed that 911 S5 had a history of paying people to install its software by secretly bundling it with other software — including fake security updates for common programs like Flash Player, and “cracked” or pirated commercial software distributed on file-sharing networks.

Ten days later, 911 S5 closed up shop, claiming it had been hacked. But experts soon tracked the reemergence of the proxy network by another name: Cloud Router.

The announcement of Wang’s arrest came less than 24 hours after the U.S. Department of the Treasury sanctioned Wang and two associates, as well as several companies the men allegedly used to launder the nearly $100 million in proceeds from 911 S5 and Cloud Router customers.

Cloud Router’s homepage now features a notice saying the domain has been seized by the U.S. government. In addition, the DOJ says it worked with authorities in Singapore, Thailand and Germany to search residences tied to the defendant, and seized approximately $30 million in assets.

Those assets included a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.

The government says Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison.

Brett Leatherman, deputy assistant director of the FBI’s Cyber Division, said the DOJ is working with the Singaporean government on extraditing Wang to face charges in the United States.

Leatherman encouraged Internet users to visit a new FBI webpage that can help people determine whether their computers may be part of the 911 S5 botnet, which the government says spanned more than 19 million individual computers in at least 190 countries.

Leatherman said 911 S5 and Cloud Router used several “free VPN” brands to lure consumers into installing the proxy service, including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN.

“American citizens who didn’t know that their IP space was being utilized to attack US businesses or defraud the U.S. government, they were unaware,” Leatherman said. “But these kind of operations breed that awareness.”

Cybersecurity researchers have warned of a new malicious Python package that has been discovered in the Python Package Index (PyPI) repository to facilitate cryptocurrency theft as part of a broader campaign. The package in question is pytoileur, which has been downloaded 316 times as of writing. Interestingly, the package author, who goes by the name PhilipsPY, has uploaded a new version of the

Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild. Tracked as CVE-2024-24919 (CVSS score: 7.5), the issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. "The vulnerability potentially allows an attacker to read certain

Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha. The malware is "specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure," French cybersecurity company HarfangLab

The cybercrime forum BreachForums has been resurrected two weeks after a law enforcement operation that seized its infrastructure.

The cybercrime forum BreachForums is online again, recently a US law enforcement operation seized its infrastructure and took down the platform.

#BREAKINGRegistration to BreachForums is now open.. however be extremely cautious!#DarkWeb #Cybersecurity #Cyberattack #Cybercrime #Malware #Privacy #Infosec pic.twitter.com/NKUsGeEGmk

— Dark Web Informer (@DarkWebInformer) May 28, 2024

The platform is now reachable at breachforums[.]st, which was one of the domains used in the past by the cybercrime forum.

The admin, who is using the moniker ShinyHunters, announced the return:

It is unclear if the current administrator is the notorious ShinyHunters hacker who operated from the platform before the law enforcement operation.

Yay. #breachforums pic.twitter.com/Osiv8CA3MI

— Brett Callow (@BrettCallow) May 27, 2024

ShinyHunters claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details.

CyberKnown researchers speculate the Ticketmaster data breach claim has provided BreachForums with the quick attention they need to boost their user numbers and reputation.

Thoughts on the alleged Ticketmaster Data Breach

TLDR: Alert not Alarmed

The Ticketmaster data breach claim has provided BreachForums with the quick attention they need to boost their user numbers and reputation.

The claim has possibly been over-stated to boost… pic.twitter.com/WJsFkBfQbw

— CyberKnow (@Cyberknow20) May 29, 2024

Hackread.com reported that ShinyHunters regained control of domains despite the FBI’s efforts, exposing notable operational setbacks and security lapses. However, we cannot exclude that the site is a honeypot set up by the feds.

From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc) was run by the notorious actor ShinyHunters.

From March 2022 until March 2023, a separate version of BreachForums (hosted at breached.vc/.to/.co) was run by the threat actor Pompompurin. In July 2023, the owner of the BreachForums Conor Brian Fitzpatrick, aka Pompompurin, pleaded guilty to hacking charges.

In March 2023, U.S. law enforcement arrested Pompompurin, the agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices. Fitzpatrick was released on a $300,000 bond signed by his parents.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET. pompompurin always declared that he was ‘not affiliated with RaidForums in any capacity,’

Raidforums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

(SecurityAffairs – hacking, malware)

The U.S. Department of Justice (DoJ) has sentenced a 31-year-old man to 10 years in prison for laundering more than $4.5 million through business email compromise (BEC) schemes and romance scams. Malachi Mullings, 31, of Sandy Springs, Georgia pleaded guilty to the money laundering offenses in January 2023. According to court documents, Mullings is said to have opened 20 bank accounts in the

A recent study by Wing Security found that 63% of businesses may have former employees with access to organizational data, and that automating SaaS Security can help mitigate offboarding risks.  Employee offboarding is typically seen as a routine administrative task, but it can pose substantial security risks, if not handled correctly. Failing to quickly and thoroughly remove access for

A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and

Dutch bank ABN Amro discloses data breach following a ransomware attack hit the third-party services provider AddComm.

Dutch bank ABN Amro disclosed a data breach after third-party services provider AddComm suffered a ransomware attack. AddComm distributes documents and tokens physically and digitally to clients and employees.

The ransomware attack occurred last week and unauthorized parties may have obtained access to data of a limited number of ABN AMRO clients. ABN AMRO is going to contact the impacted clients and notified the Dutch Data Protection Authority and regulators.

At the time of this writing, AddComm has contained the incident, the impacted systems have been restored, and the company has locked out the attackers. AddComm has yet to determine what type of data may have been stolen during the attack. However, the company is investigating the incident with the help of external security experts working for AddComm.

The Dutch bank has stopped using services provided by AddComm.

At the moment, there are no indications that attackers have used the data of ABN AMRO clients. The bank also warns clients to stay alert to phishing messages.

The bank added that its systems have not been affected by the ransomware attack.

“External cybersecurity experts are currently investigating exactly what data has been stolen at AddComm. We are writing to customers whose data may be involved in this attack.” states the bank.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The online criminal bazaar BreachForums has been resurrected merely two weeks after a U.S.-led coordinated law enforcement action dismantled and seized control of its infrastructure. Cybersecurity researchers and dark web trackers Brett Callow, Dark Web Informer, and FalconFeeds revealed the site's online return at breachforums[.]st – one of the dismantled sites – by a user named ShinyHunters,

Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred this month.

Auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred earlier this month.

The website of the auction house was unreachable after the attack.

According to BBC, Christie had problems in selling art and other high-value items worth an estimated $840 million due to a cyberattack. The spring auctions include a Vincent van Gogh painting valued at $35 million and rare wine, among other lots.

Some sales have been delayed due to the cyber attack.

RansomHub claimed responsibility for the attack and added the company to its Tor leak site. The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.

“While utilizing access to Christies network we were able to gain access to their customers sensitive personal information including [BirthPlace MRZFull DocumentNumber BirthDate ExpiryDate FirstName LastName IssueDate IssuingAuthority Sex DocumentCategory DocumentType NationalityName] as well as address, hieght, race and much more sensitive information for at least 500,000 of their private clients from all over the world.” states the group.

The group is threatening to leak the stolen data if the victim will not pay the ransom by Sunday, June 2,024.

The gang said it has attempted to negotiate the payment with the auction house without success. The gang added that after they will post stolen data, Christie will incur heavy fines from GDPR.

“Earlier this month Christie’s experienced a technology security incident. We took swift action to protect our systems, including taking our website offline” “Our investigations determined there was unauthorized access by a third party to parts of Christie’s network.” a company spokesman told BleepingComputer. “They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients.”

The auction house is notifying privacy regulators and law enforcement, it is also going to inform impacted clients.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one’s Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software.

That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today’s Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5.

“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPNs) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” reads the Treasury announcement.

Update, May 29, 12:26 p.m. ET: The U.S. Department of Justice (DOJ) just announced they have arrested Wang in connection with the 911 S5 botnet. The DOJ says 911 S5 customers have stolen billions of dollars from financial institutions, credit card issuers, and federal lending programs.

“911 S5 customers allegedly targeted certain pandemic relief programs,” a DOJ statement on the arrest reads. “For example, the United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion. Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5. Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.”

The sanctions say Jingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency. The government alleges the virtual currencies paid by 911 S5 users were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Liu.

“Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the document continues. “These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats.”

The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm — Spicy Code Company Limited — and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

Ten days after the July 2022 story here on 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business operations.

In the months that followed, however, 911 S5 would resurrect itself under a different name: Cloud Router. That’s according to spur.us, a U.S.-based startup that tracks proxy and VPN services. In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw a connection between the two.

Spur found that Cloud Router was being powered by a new VPN service called PaladinVPN, which made it much more explicit to users that their Internet connections were going to be used to relay traffic for others. At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.

Spur co-founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend. Kilmer said the number of proxies advertised by the service had been trending downwards quite recently before the website suddenly went offline.

Cloud Router’s homepage is currently populated by a message from Cloudflare saying the site’s domain name servers are pointing to a “prohibited IP.”

Researchers released a proof-of-concept (PoC) exploit for remote code execution flaw CVE-2024-23108 in Fortinet SIEM solution.

Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.

In February, cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.

“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” reads the advisory published by Fortinet.

The affected products are:

• FortiSIEM version 7.1.0 through 7.1.1
• FortiSIEM version 7.0.0 through 7.0.2
• FortiSIEM version 6.7.0 through 6.7.8
• FortiSIEM version 6.6.0 through 6.6.3
• FortiSIEM version 6.5.0 through 6.5.2
• FortiSIEM version 6.4.0 through 6.4.2

The CERT-EU also published an advisory for the above vulnerabilities:

“In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flows to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system.” reads the advisory published by CERT-EU. “Updating is recommended as soon as possible.”

This week, Horizon3’s Attack Team also published a technical analysis of the vulnerability.

“While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent. There” reads the analysis.

The researchers noticed that the logs for the phMonitor service, located at /opt/phoenix/logs/phoenix.log, provide detailed records of received messages. Any exploitation attempt of CVE-2024-23108 will generate log entries indicating a failed command with “datastore.py nfs test.” These lines should be used as indicators of compromise to detect exploitation attempts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SIEM)

An Indian national has pleaded guilty in the U.S. over charges of stealing more than $37 million by setting up a website that impersonated the Coinbase cryptocurrency exchange platform. Chirag Tomar, 30, pleaded guilty to wire fraud conspiracy, which carries a maximum sentence of 20 years in prison and a $250,000 fine. He was arrested on December 20, 2023, upon entering the country. "Tomar and

You’re probably familiar with the term “critical assets”. These are the technology assets within your company's IT infrastructure that are essential to the functioning of your organization. If anything happens to these assets, such as application servers, databases, or privileged identities, the ramifications to your security posture can be severe.  But is every technology asset considered

The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. "CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team