Feds find cybercriminal tools used by sextortion group
According to a joint intelligence note from the Joint Regional Intelligence Center and the Central California Intelligence Center seen by CyberScoop, the child sextortion group 764 uses traditional cybercrime techniques in its operations, including SIM swapping, social engineering, and IP grabbing. Much of this comes from a Telegram channel operated by the group 6996, which associates with a broader collective called The Com. This documentation offers resources and tools for committing fraud, grooming minors for self-harm, and forming a cult. Further FBI notes seen by CyberScoop show group 764 operating fake Telegram channels offering suicide prevention support, but ultimately used to doxx and extort victims.
Russian hackers hack hackers
In No Honor Among Thieves News, a new report from Lumen’s Black Lotus Labs details how the Russian cyber-espionage group Turla used the infrastructure of the Pakistan-linked group Storm-0156 to launch its own attacks. Researchers had been observing Storm-0156 operations and found a C2 server on an Indian government network. That server began interacting with three IP addresses known to be linked to Turla. Further research shows Turla has been using the Pakistani group’s infrastructure since 2022, using the servers to deploy various backdoors and other malware. Eventually, Turla became more ambitious, moving laterally into Storm-0156’s workstation and gaining direct access to its data and tooling. Researchers at Microsoft contributing to the report said Turla used this access to target Afghan government agencies. This isn’t a new tactic for Turla. Back in 2019, the NSA put out an advisory that Turla had hijacked infrastructure belonging to the Iran-backed group OilRig to carry out attacks.
Amazon’s post-quantum migration plan
AWS published a blog post with an overview of how it will support post-quantum cryptography (PQC). Some features will be enabled by default for all customers, while others will be up to customers to activate. The company won’t re-encrypt data at rest, which is already encrypted using 256-bit symmetric cryptography; instead, its first PQC rollout will cover negotiating shared symmetric keys with public endpoints. It will also add PQC mitigations when offering the ability to create key pairs that act as a root of trust. AWS has also added PQC to its open-source AWS-LC cryptographic library, which it uses in its TLS implementation. The blog post also contains recommendations for organizations starting their own PQC migration, so look for the details in our show notes.
(AWS)
Chinese group linked to another long-term intrusion
Researchers at Symantec report that a Chinese-linked threat actor carried out a long-term intrusion against an unnamed US organization, operating since at least April 11, 2024. The intrusion relied on DLL side-loading, similar to the larger Crimson Palace espionage campaign Sophos discovered in September. The threat actors used their access for credential theft and targeted access to Exchange servers. While we don’t know the name of the victim, researchers said it previously suffered an attack linked to the China-based group Daggerfly in 2023.
Huge thanks to our sponsor, Vanta

With Vanta Questionnaire Automation, security & compliance teams can complete security reviews up to 5 times faster, giving you time back to focus on running your security & compliance programs.
Over 8,000 global companies like ZoomInfo, SmartRecruiters and Noibu use Vanta to save time on security reviews.
Visit vanta.com to learn more about Questionnaire Automation.
Cisco switches hit with bootloader vulnerability
The flaw impacts over 100 device models across Cisco’s MDS, Nexus, and UCS Fabric Interconnect lines, allowing attackers to bypass the bootloader verification process and load unverified software. The flaw requires no authentication, but it does require physical access to the switches. Cisco released several NX-OS updates to patch the flaw and will roll out the updates for all devices by the end of the month, excluding one discontinued Nexus model. It cautioned that no mitigations for this flaw will be provided in the interim other than preventing physical access to the switches.
WeChat bug used to target Uyghurs
Researchers at Trend Micro discovered a Chinese-linked threat group called Earth Minotaur using the Moonshine exploit kit against WeChat and Chromium-based browsers to install the DarkNimbus backdoor on Android and Windows devices. Researchers described DarkNimbus as “a comprehensive Android surveillance tool.” The attackers used messaging lures tied to government announcements with embedded malicious links to get Moonshine onto devices, disguising “themselves as different characters on chats to increase the success of their social engineering attacks.” Based on the lures used in the messages, these attacks target Tibetan and Uyghur ethnic minorities in China.
Russians put spyware on detainee phone
Russian programmer Kirill Parubets spent two weeks in government custody. Soon after his release, he noticed unusual activity on his phone, including atypical notifications. After he contacted a Russian legal assistance group, Citizen Lab analyzed the device and found that authorities had loaded a “trojanized application,” Cube Call Recorder, onto his phone while he was in custody. Code samples show similarities to the Monokle spyware Lookout Mobile Security documented in 2019. The app can access location data, read and send SMS messages, record the screen, and answer phone calls. Parubets said authorities pressured him to become an informant on Ukrainian aid activity and physically beat him while in custody.
GenAI boosting financial fraud
A new alert from the FBI’s Internet Crime Complaint Center details how threat actors use generative AI tools to commit fraud at larger scale and with more believability. This includes using tools like ChatGPT to assist with language translation for romance or investment scams, enabling faster and more elaborate lures. Image generation tools allow for believable social media profile photos and other supporting evidence in financial fraud schemes. Deepfakes increasingly use short audio-only voice clips, bypassing visual verification checks and video calls. Not surprisingly, the FBI recommended creating a secret word or phrase to verify your identity with friends and family.