The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good | Criminals Jailed for $88 Million Software Pirating Scheme & Major Caller ID Scammer Platform Seized

In the U.S., three men, Raymond Bradley “Brad” Pearce, Dusti O. Pearce, and Jason M. Hines, have been officially sentenced to prison for orchestrating a massive software pirating and wire fraud scheme involving Avaya’s business telephone system software licenses. The operation, which generated over $88 million in unauthorized sales, involved creating and selling Avaya Direct International (ADI) licenses used to unlock features in the IP Office system.

Brad Pearce, abusing his position as a customer service agent at Avaya and hacking into the accounts of former employees, generated these licenses, while Dusti O. Pearce managed the operation’s finances. Hines, a former Avaya reseller, resold the licenses globally at significantly reduced prices. All three are ordered to pay large restitution fees and face multi-year sentences.

In the U.K., the National Crime Agency (NCA) has successfully taken down Russian Coms, a major caller ID spoofing platform, as part of “Operation Henhouse”. Used by criminals to make over 1.8 million scam calls and targeting victims in 107 countries, the platform is linked to tens of millions in financial losses affecting approximately 170,000 victims in the U.K. alone, with average losses of over £9,400 per victim.

Source: NCA

Russian Coms allowed criminals to pay for six-month contracts to use their services, which included voice-changing, encrypted calls, and spoofing bank phone numbers. Services offered by Russian Coms were promoted via social media platforms like Snapchat, Instagram, and Telegram. Leveraging social engineering scams, criminals were able to gain the trust of their victims before gleaning personal and banking details. Three individuals have been arrested as well and are believed to be the platform’s developers.

The Bad | Cyber Gang Reaps Record-Breaking $75 Million Ransom From Fortune 50 Company

A new security report released this week revealed a record-breaking $75 million ransom paid by a single victim to the Dark Angels ransomware gang earlier this year. The payment surpasses the previous highest known ransom of $40 million paid by insurance giant CNA to Evil Corp. At the time of this writing, the specific company involved has not been disclosed though there are speculations that, pharmaceutical giant Cencora, ranked #10 on the Fortune 50 list, experienced a cyberattack in February 2024 and may have been the victim.

Active since May 2022, Dark Angels specializes in targeting large corporations using an attack strategy referred to as “big game hunting.” This approach focuses on a few high-value targets, aiming for substantial ransom payments rather than numerous smaller ones. After breaching corporate networks, Dark Angels has been observed moving laterally to gain administrative access before making away with sensitive data. Finally, they deploy ransomware, encrypting all devices on the network. Initially, the gange used Windows and VMware ESXi encryptors based on the leaked Babuk ransomware source code but later switched to a Linux encryptor, similar to that used by Ragnar Locker, which was disrupted in 2023.

The group currently operates a data leak site called Dunghill Leaks (nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd[.]onion) and routinely threatens to release stolen data if ransoms are not paid. Unlike most ransomware groups, which outsource attacks to affiliate networks, Dark Angels conducts highly targeted attacks on individual large companies. This method has become a prominent trend among ransomware gangs as financially-motivated outfits aim for bigger payoffs using RaaS models, zero-days on legacy environments, and the emergence of AI-powered attacks.

The Ugly | DPRK Malware Campaign Expands to Target Windows, Linux & MacOS Developers

A threat campaign linked to DPRK-backed actors is back again, this time targeting software developers using updated malware and advanced social engineering tactics. The campaign, dubbed DEV#POPPER, has expanded to Windows, Linux, and macOS systems and works by tricking victims into downloading malicious software from GitHub – all under the guise of a job interview process. Research published this week details how the actors are impersonating interviewers and instructing candidates to download a ZIP file containing a compromised npm module.

Once the module is installed, it executes obfuscated JavaScript, known as BeaverTail, which determines the victim’s operating system and connects to a remote server to exfiltrate data. This attack also includes the ability to download additional payloads, such as a Python backdoor named InvisibleFerret. InvisibleFerret can collect detailed system information, access browser cookies, execute commands, transfer files, and log both keystrokes and clipboard content.

Source: Palo Alto (Unit 42)

The latest samples uncovered show a ramp-up in complexity, including enhanced obfuscation, the use of AnyDesk remote monitoring and management (RMM) software for persistence, and improvements in FTP mechanisms for data exfiltration. According to the researchers, the malware can also steal sensitive information from web browsers like Google Chrome, Opera, and Brave across different operating systems, making the attacks a sophisticated and multi-stage extension of previous DEV#POPPER activity.

Despite international sanctions, North Korean state-backed attackers continue to access the internet using foreign technology and social media platforms. They employ virtual private networks (VPNs), proxies, and antivirus software to evade censorship and surveillance. This suggests that North Korea is becoming more technologically adept and improving its operational security measures, often stemming from their trade relationships with China and Russia.

Leave a Comment

Your email address will not be published. Required fields are marked *