Oct 2023 Cybercrime Update | Disinformation, DDoS and Scams as Gangs Look to Exploit Turmoil

In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. With the conflict between Israel and Hamas dominating the news cycle, we look at how this is currently impacting cybersecurity and provide updates on ransomware and other cybercrime activity to help security leaders stay abreast of the latest developments in this ever-evolving battleground.

Disinformation, DDoS and Scams

Since October 7th, events in Israel and Gaza have dominated the world’s attention, and predictably the tragic events unfolding in the region have not been overlooked by cybercriminals. To date, the majority of cyber activity surrounding these events has fallen into the realm of hacktivism and DDoS operations, salted with a heavy helping of disinformation.

Dubious claims relating to purported cyber attacks, website defacements and intrusions can be found littered across the usual cybercrime forums and Telegram channels.

Cyb3r Drag0nz and defacements
Cyb3r Drag0nz and defacements

Besides hacktivism, the current situation is being leveraged by cybercriminals through social engineering tactics and email-based phishing campaigns. These are designed to deceive recipients with references to topics such as Israel, Palestine, and Gaza in order to perpetrate fraud through schemes such as charity and donation scams.

Phishing email with conflict-specific lure (subject)
Phishing email with conflict-specific lure (subject)

Much like the situation on the ground, the broader shape of how this conflict will play out in cyberspace is still emerging. We expect to provide further reporting in the near future.

New Ransomware Actors Emerge as Others Fall

Elsewhere in the cybercrime world, some notable ransomware operations have emerged since last month’s update. Among these is LostTrust ransomware, an evolution of the SFile and MindWare ransomware families. From early October, the LostTrust blog was listing 53 victims on its leaks site.

LuckBit ransomware is another operation that emerged in October 2023. Threat actors behind LuckBit request payment in terms of equivalency to the Malaysian Ringgit (MYR). Their campaigns have been observed requesting up to 20 Million MYR in BTC (Bitcoin), approximately US $4.2 million. Victims are instructed to contact the attacker only after making the payment. The ransom note contains the relevant contact details including an email address and a TOR-based web site/victim portal.

LuckBit ransom note
LuckBit ransom note

October has also seen the fall of prolific ransomware outfit Trigona, which at its peak was posting around 100 victim organizations per month. Trigona’s ransomware operations were first detected in June 2022. Over the course of its existence, Trigona operators have released payloads targeting both Windows and Linux systems. Their initial delivery methods have varied across campaigns, encompassing spear phishing and the exploitation of known vulnerabilities, such as MSSQL.

On October 17, however, a hacktivist group named Ukrainian Cyber Alliance (UCA) announced an attack on Trigona’s primary blog sites, claiming to have disrupted or wiped out accessible infrastructure.

The UCA, formed in 2014, claims to be driven by the goal of disrupting Russian criminal enterprises, both public and private. It describes itself as a community of Ukrainian cyber activists from various backgrounds that emerged from the FalconsFlame, Trinity, RUH8, and CyberHunta groups as a result of Russian aggression in Ukraine.

The UCA followed the attack by defacing Trigona’s TOR-based blog sites, prominently displaying the title “Trigona is Gone” on the blog pages. Additionally, they made several derogatory references to Trigona in their messages, which are still accessible at the time of writing.

Defaced Trigona blog (TOR)
Defaced Trigona blog (TOR)

Dark Markets and Cybercrime Services

While Cobalt Strike is not the only post exploitation and penetration testing toolkit out there anymore, it is still arguably the most popular, and its adoption by threat actors has been well-documented, as have efforts to curtail its illegitimate and unlicensed use.

This brings us to the recent leak of Cobalt Strike 4.9 (released in September 2023). Copies have been distributed in various forums and markets starting in early October 2023. This was tweeted (X’d) on October 9th, 2023 by @darkcoders_mrx.

Meanwhile, the AV/EDR bypass market, which we highlighted in our September update, continues to flourish and expand this October. High-dollar cybercrime vendors are updating their services to meet the market’s demands for bypass and evasion tools.

XDR Bypass updated on October 15, 2023
XDR Bypass updated on October 15, 2023

Crypting and obfuscation tools, like Rain Protector, have also seen updates. These tools are used by malware authors in an attempt to evade static detection technologies by way of obfuscation.

Crypter sale (Rain Protector)
Crypter sale (Rain Protector)

Within the Initial Access Broker market, vendors are preparing to take advantage of recent wide-spread exploits in order to bulk-up supply of readily-breached environments. Notable among these are the vulnerabilities in Confluence Data Center & Server (CVE-2023-22505 and CVE-2023-22508) and Bamboo Data Center (CVE-2023-22506).

Access for sale via Confluence RCE
Access for sale via Confluence RCE

Wider Trends | Generative AI Services and Offerings for Cybercrime

ChatGPT alternatives are potentially attractive to criminals as they claim to remove restrictions and barriers that the more mainstream LLM models impose in order to inhibit malicious use. Automating attacks though generative AI would provide a serious boost to the productivity of cybercrime operations. Earlier in the year WormGPT generated a lot of headlines, with claims to enable malicious AI capabilities such as:

  • Unrestricted creation of malware and phishing/clone page creation
  • No logging or storage of operator use
  • Remote, bulletproof access

As a result of negative press coverage, the service “officially” closed.

Closure of WormGPT
Closure of WormGPT

Nevertheless, we have observed a number of generative AI services and tools appearing to meet the demand for jailbroken AI, and we continue to track the development of this trend. To date, many of the available tools either lack a true context mechanism or are little more than novelty interfaces with canned responses for specific prompts.

In response to the development of WormGPT and similar models, numerous specialized tools have surfaced with the aim of bypassing limitations on generative AI. These tools, often hosted on platforms like “FlowGPT,” facilitate unrestricted prompt generation across various Large Language Models (LLMs) and the subsequent sharing of these creations.

Out of this come tools like “DarkGPT” and “CodeGPT”. Some of these are novelty at best, but some do generate valid code examples, and given time could lead someone down a road to bad things (or learning how to do them).

Quick code-on-demand via DarkGPT
Quick code-on-demand via DarkGPT

The market for unlocked generative AI services could get interesting in the coming year. More sophisticated fraud and cybercrime operations may see value in incorporating AI to increase the overall mass of their malicious output.

Conclusion

October has and will be dominated by developments around the Israel-Hamas conflict, and we will continue to provide updates as the situation evolves. Additionally, there has been some notable new ransomware operations, as well as the fall of Trigona ransomware. Cybercrime markets continue to thrive with an expansion into more private platforms like Telegram and TOX-only channels. We continue to monitor these developments, along with the emergence of potentially harmful versions of generative AI.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.