The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good | Police Seize Infostealer Malware Operations & Charge Suspected Administrator

Executing “Operation Magnus”, Dutch National Police this week joined forces with international law enforcement groups to disrupt the network infrastructure for Redline and Meta infostealer malware. Considered popular tools on platforms like Telegram, Redline and Meta are commonly used by attackers to steal credentials, cookies, and cryptocurrency wallets.

The seizure of both malware platforms was closely followed by U.S. officials announcing criminal charges against Maxim Rudometov, a Russian national suspected to be the developer and administrator behind Redline. Charges include access device fraud, conspiracy to commit computer intrusion, and money laundering for a combined maximum penalty of 35 years in prison. Although news of his arrest is not yet confirmed, these charges mark a significant step towards dismantling Redline’s operations base.

Source: DOJ

Investigations reveal that the infostealers’ impact is widespread, with over 1200 servers around the world linked to the central command servers based in the Netherlands. So far, three servers, two domains used for command and control (C2) operations, and Telegram accounts promoting the malware have all been taken down.

Infostealers like Redline and Meta are capable of extracting sensitive data from infected devices, which are later used for identity theft, fraud schemes, and network breaches. The stolen data is also likely to be sold on dark marketplaces, enabling further attacks, ransomware, or cyber espionage campaigns. After seizing the malware’s servers, bots, and source code, Dutch police are now warning cybercriminals that detailed data such as IP addresses and registration data are under close watch by police forces and that involved parties can expect arrests and legal actions as ongoing investigations reveal more.

The Bad | FBI Cautions Public on Election-Themed Fraud Schemes

With the U.S. general election just days away, the FBI has issued a warning about scams exploiting election activities to dupe the public out of personal information and money. Scammers are impersonating electoral candidates and political groups, for example, using their names, photos, and slogans to ask for donations and sell fake merchandise.

According to the FBI, there are four main types of election-related scams. First, investment pool scams lure victims into putting money towards “guaranteed” campaign funds that promise returns should a candidate win. This scam also encourages targeted victims to recruit others to boost the amount of potential earnings. The second type are fake Political Action Committees (PACs), where fraudsters trick victims into making donations that are pocketed instead of being funneled towards real campaigns.

Fake campaign merchandise is also rife during election time. Victims are enticed to buy campaign-themed items from spoofed websites but never receive the products. Finally, bad actors are distributing fake voter registration alerts via malicious links. These prompt victims to re-register to vote, leading to them entering personally identifiable information (PII) that is later used in identity theft attacks. Outside of these main scams, the FBI also cautions against cryptocurrency ‘pump-and-dump’ schemes that reference prominent political figures to push new tokens.

People can protect the lead-up to their voting experience by treating all unsolicited political communications with skepticism. Avoid sharing personal and financial information and confirm any political party affiliations via the Federal Commission (FEC) website. The FBI also reminds the public that political donations are not to be treated as investments with opportunities for return. Suspected scams can be reported here.

The Ugly | DPRK Actors Expand Attack Methods, Collaborating with Play Ransomware

A hacking group backed by North Korea’s Reconnaissance General Bureau known as Andariel (aka Jumpy Pisces, APT45, or Onyx Sleet) is being linked to the Play ransomware operation, either as an affiliate or initial access broker (IAB). Security researchers this week reported the highly-suspected partnership between the two entities, observing that Andariel accessed networks and facilitated Play ransomware deployments to bypass international sanctions. Andariel has previously been sanctioned in 2019 by the U.S. Treasury for various operations that support North Korean interests, including cyber espionage and data theft and destruction.

Researchers discovered that Andariel compromised a network in May by using a hacked user account to extract registry dumps, credential harvesting through Mimikatz before deploying the Sliver adversary emulation tool and DTrack info-stealing malware across the system. Andariel dug deeper into the network via Remote Desktop Protocol (RDP) sessions, and eventually deploying Play ransomware to encrypt devices.

Attackers copied files associated with Sliver and DTrack to various hosts using the compromised account with the above commands (Source: Unit 42, Palo Alto)

Evidence of the Play ransomware deployment suggests Andariel’s involvement in setting up the breach with the same account that was used for initial access, lateral movement, and privilege escalation. All of these helped to continue Sliver C2 communication until the deployment of Play’s toolset, including PsExec and TokenPlayer, to encrypt devices.

The link between Andariel and Play is the first recorded collaboration between the state-sponsored group and an underground ransomware network. Though the nature of the collaboration between these groups is unknown at the time of this writing, researchers conclude that the development itself is a sign that North Korean threat actors are working on staging more widespread ransomware attacks in the future with the goal of evading sanctions and continuing to generate revenue for the DPRK.