Cybersecurity News: RedLine and Meta infostealer takedown, Russian-backed malware, French telecom breach

Global law enforcement gains access to RedLine and Meta infostealer networks

In a multi-agency takedown dubbed Operation Magnus, the Dutch National Police, the FBI, and other international law enforcement agencies gained full access to the operations of the RedLine and Meta infostealers. Authorities report that they obtained the source code, license servers, REST API servers, panels, stealers, and Telegram bots associated with the infostealers. Infostealers are a type of malware designed to steal information stored in browsers, including credentials, sensitive documents, and cryptocurrency wallets. The stolen data is then sold, fueling large-scale data breaches, data theft, ransomware attacks, and cyber espionage. In a release, the agency noted that involved parties are being notified and that legal action is looming.

(Bleeping Computer), (CyberScoop)

Russian-backed malware poses as Ukrainian anti-recruitment tool

Google’s threat intelligence program reports Russian threat group UNC5812 has been delivering Android and Windows malware through a hybrid espionage campaign targeting Ukrainian military recruits, using the fake Telegram persona “Civil Defense.” The group’s Telegram channel and website claim to provide anti-recruitment tools, but instead deploy malware like the Android-focused SUNSPINNER to those who disable Google Play Protect. This campaign not only spreads malware but also uses influence tactics to disrupt support for Ukraine’s mobilization efforts. 

(Security Week), (The Hacker News), (Bleeping Computer) 

Massive breach impacts French telecom giant

France’s second-largest telecom provider, Free, has confirmed it suffered a cyberattack that compromised personal data, though it claims that passwords, banking details, and communications content were unaffected. The breach targeted an internal management tool and led to an attempted sale of customer information on BreachForums, with hackers claiming to possess data for over 19 million customers, including certain International Bank Account Numbers (IBANs). The telecom company is currently in the process of informing those affected, which, according to the threat actors who stole the data, could be nearly a third of France’s population.

(Bleeping Computer), (The Record)

Deepfake attack targets cybersecurity software CEO

No one is immune from deepfake attacks—not even those hired to protect others from cyber threats. Speaking at TechCrunch Disrupt, Wiz CEO Assaf Rappaport shared that his employees were targeted in a deepfake attack just a couple of weeks ago. The attack used voice messages that sounded like Rappaport and attempted to get credentials from employees. But the red flags popped up quickly: the audio was cloned from a public event where Rappaport was speaking, and since he admits to dealing with public speaking anxiety, it didn’t match his usual day-to-day voice. The company says it has traced the origin of the voice but has yet to determine who was behind the attack.

(TechCrunch)

Thanks to today’s episode sponsor, Dropzone AI

Imagine an AI analyst that never sleeps. Dropzone AI autonomously handles every alert, cutting manual analysis by 90%. It’s like adding a new team member, but one that works 24/7. Experience the difference AI can make. Visit dropzone.ai to test drive the future of security operations.

Black Basta leverages Microsoft Teams

ReliaQuest researchers report that Black Basta ransomware affiliates have switched tactics, now using Microsoft Teams to gain initial access to target networks by impersonating IT support. By overwhelming employees with spam emails and then posing as help desk personnel on Teams, the attackers attempt to trick users into downloading remote monitoring tools like AnyDesk. In recent incidents, they have also incorporated malicious QR codes into their communications. The report highlights a significant increase in message volume, with one user receiving around 1,000 emails in just under an hour.

(Security Affairs)
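As an added illustration of the email-bombing stage described in the ReliaQuest report (example code written for this page, not the researchers' tooling), the following detector flags any mailbox that receives an unusual burst of inbound mail inside a sliding one-hour window. The log format, addresses, and the 500-message threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed mail-gateway log (not real data): one mailbox receives
    1,000 messages in 50 minutes, the volume the report describes; another
    sees ordinary traffic. Format is an assumption: '<iso-ts> to=<rcpt> from=<sender>'."""
    base = datetime(2024, 10, 28, 9, 0, 0)
    lines = []
    for i in range(1000):  # flood: one message every 3 seconds
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} to=alice@example.test from=news{i}@bulk.example.test")
    for i in range(30):  # normal: one message every 30 minutes
        ts = base + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()} to=bob@example.test from=colleague@example.test")
    return sorted(lines)


def parse_line(line):
    """Extract (timestamp, recipient) from one log line."""
    ts, to_field, _sender = line.split(" ", 2)
    return datetime.fromisoformat(ts), to_field[len("to="):]


def find_email_bombing(lines, threshold=500, window=timedelta(hours=1)):
    """Return {recipient: (peak_count, window_start)} for every mailbox whose
    inbound message count exceeds `threshold` within any sliding `window`.
    Each per-recipient deque holds only the timestamps inside the current window."""
    recent = defaultdict(deque)
    peaks = {}
    for line in sorted(lines):  # process in time order
        ts, rcpt = parse_line(line)
        q = recent[rcpt]
        q.append(ts)
        while ts - q[0] > window:  # drop messages that fell out of the window
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(rcpt, (0, None))[0]:
            peaks[rcpt] = (len(q), q[0])
    return peaks


if __name__ == "__main__":
    for rcpt, (count, start) in find_email_bombing(build_sample_log()).items():
        print(f"ALERT {rcpt}: {count} messages within one hour starting {start}")
```

A production rule would baseline each mailbox's normal volume rather than use a fixed threshold, and would correlate the alert with a subsequent external Teams chat request to the same user.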

QR scams becoming more popular

Speaking of leveraging malicious QR codes, banks and regulators are warning that QR code phishing scams, also known as quishing, are on the rise. Lenders such as Santander and HSBC, along with the U.S. Federal Trade Commission, have noted that these scams often involve criminals embedding QR codes in PDFs, which evade traditional corporate security filters that typically flag malicious links but overlook images in attachments. Reports of QR code scams in the UK have more than doubled in the past year, and a McAfee survey indicates that over 20% of online scams in the UK may originate from QR codes.

(Financial Times)

REvil ransomware members sentenced

Four members of the REvil ransomware group were sentenced to prison by a Russian court, receiving sentences ranging from 4.5 to 6 years on charges related to the illegal use of payment cards and malware distribution. The crackdown followed Russia’s announcement in January 2022 that it would target REvil under U.S. pressure after a series of cyberattacks. Despite accusations of stealing payment card information from U.S. citizens, the hackers have not faced U.S. charges, and their defense argued that victims did not press charges in Russia, which is why some are questioning why the Russian government sent the hackers to prison rather than leveraging their skills for cyber espionage.

(Security Week)

Texas cyberattacks potentially connected

The personal information of more than 47,000 residents in Wichita County, Texas, was exposed in a ransomware breach in May. It took investigators four months to fully discover what information was compromised and how many people were impacted. The county reported that sensitive data such as Social Security numbers, financial account information, and some medical treatment information was leaked. Interestingly, at the end of May, the Medusa ransomware gang claimed they breached a Wichita rodeo; however, the data they posted seemed to originate from county systems. According to The Record, the county did not respond regarding whether the 1.5 TB of data and the $320,000 ransom from that breach were connected.

(The Record)

Lauren Verno
Lauren Verno, an award-winning journalist, embraces her expertise, transitioning seamlessly into a cyber defender to bring you captivating updates on cybersecurity news.