The Good | Global Police Sanction Spyware Execs, Seize a Criminal Comms Platform, and Charge Hacker for Attacks on NASA
Cybersecurity efforts this week delivered promising results as global authorities cracked down on criminal operations and malicious technologies.
The U.S. Department of the Treasury sanctioned five executives and an entity tied to the Intellexa Consortium, known for developing the controversial Predator spyware. Commonly used by state-backed actors and governments, the spyware allows its customers to monitor their victims and access sensitive information on smartphones including audio records, photos, geolocations, and messages. These sanctions highlight a strong stance against the misuse of technology to target and intimidate government officials, journalists, tech executives, opposing party members, and other high-value targets.
Across the pond, Europol and law enforcement from nine countries seized a communication platform called “Ghost” used by organized crime groups for money laundering and drug trafficking. Featuring several anonymization capabilities, Ghost supported a global network of criminal customers with three layers of encryption and a self-destruction system meant to dispose of evidence. The collaborative task force made a total of 51 arrests, including the platform’s main operators, dismantled an associated drug lab, and seized weapons and over $1 million in cash.
Finally, Chinese national, Song Wu, has been indicted by the FBI for a years-long spear phishing campaign targeting NASA, U.S. military agencies, and research universities. While employed at a Beijing-based aerospace and defense firm, Wu attempted to steal specialized and proprietary engineering and computational fluid dynamics (CFD) software. Currently, Wu faces 14 counts of wire fraud charges and 14 more for aggravated identity theft. As nations further collaborate and share resources, international law enforcement groups can continue to tackle cybercrime, protect critical infrastructure, and hold threat actors accountable.
The Bad | Threat Actors Disseminate Infostealer Malware in Fake GitHub ‘Scanner’ Campaign
Just last month, GitHub users noticed that password stealing malware was being posted in various projects disguised as fixes. In a more recent campaign, GitHub is again being abused to distribute the info-stealing malware Lumma Stealer that is targeting open source project repositories and those subscribed to them. The attack involves malicious GitHub users filing fake issues on open source repositories where they falsely claim a security vulnerability and urge others to visit a counterfeit domain, “github-scanner[.]com”, under the guise of investigating the vulnerability.
Another component of the campaign is the use of legitimate GitHub email notifications to alert subscribers about issues on projects they have contributed to in the past. These messages, marked as “IMPORTANT!”, appear to come from GitHub’s official email, making the phishing attempt seem credible. Once users visit the fake site, they are prompted to solve a CAPTCHA, after which malicious JavaScript code copies harmful commands to the clipboard. Users are then instructed to run these commands via the Windows Run utility, downloading and executing the malware.
Lumma Stealer is considered an advanced infostealer, capable of pilfering login credentials, browsing history, credit card details, and authentication cookies from infected devices. It can also contact multiple suspicious domains, although many were already offline by the time of the discovery.
This attack highlights a growing abuse of GitHub repos to spread malware, with the platform often being exploited for its open, collaborative nature and widespread use across developers globally. Users are advised to be cautious, avoid clicking suspicious links, and continue reporting these issues to GitHub for investigation.
The Ugly | PRC-Backed Botnet Targets U.S. & Taiwanese Critical Infrastructure Via 200k Infected Devices
In a new report, cybersecurity researchers detail a sophisticated botnet dubbed “Raptor Train” that has been operating since May 2020. Primarily targeting critical infrastructure in the U.S., Taiwan, Vietnam, and Hong Kong, it has infected over 200,000 endpoints worldwide, including small office/home office (SOHO) routers, IoT devices, IP cameras, and network-attached storage (NAS) servers. The botnet is attributed to the Chinese state-sponsored group, Flax Typhoon, aka Ethereal Panda or RedJuliett.
The Raptor Train architecture features three tiers: compromised devices in Tier 1, command-and-control (C2) and payload servers in Tier 2, and centralized management nodes in Tier 3. So far, the botnet has exploited numerous zero-day and n-day vulnerabilities, particularly targeting devices from manufacturers like ASUS, Fujitsu, and Panasonic. Though Raptor Train has yet to launch any DDoS attacks, it has been weaponized to execute reconnaissance and exploitation efforts against the military, government, defense industrial base (DIB), telecommunications, and IT sectors in both the U.S. and Taiwan.
At the time of writing, the FBI, in collaboration with other agencies, has successfully dismantled the botnet following a court-authorized operation. This operation involved seizing Raptor Train’s infrastructure and issuing commands to disable the malware from infected devices. Upon investigation, law enforcement confirmed that Flax Typhoon is linked to the Beijing-based and publicly-traded company Integrity Technology Group, which developed tools allowing attackers to manage and exploit compromised devices.
Today, we announced an #FBI led operation to disrupt a botnet used by China-based hackers known as Flax Typhoon, which infected more than 200,000 consumer devices in the U.S. and worldwide. Read more about this court-authorized operation with our partners: https://t.co/ovOiQNnm2c
— FBI (@FBI) September 18, 2024
While the FBI’s operation has removed the malware from thousands of infected devices, the agency cautions that the Chinese government will continue to target organizations in critical sectors in intelligence-gathering campaigns, whether directly or via proxies. Users are advised to regularly update and reboot their routers and replace outdated devices to minimize vulnerability to botnet infections.