The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good | Dark Marketplace Operators Face Life Sentences for $430 Million in Illicit Transactions

Two operators of Empire Market, a dark marketplace worth over $430 million in illicit profit, were officially charged this week. Running the marketplace from February 2018 to August 2020, Thomas Pavey (aka “Dopenugget”) and Raheim Hamilton (aka “Sydney” and “Zero Angel”) allegedly facilitated over 4 million transactions involving malware, stolen data, hard drugs, and counterfeit money, using cryptocurrencies like Monero, Litecoin, and Bitcoin.

Before going offline in 2020, thousands of users filtered through Empire Market, their illegal transactions obfuscated through a combination of cryptocurrency and tumbling services in order to evade law enforcement. Pavey and Hamilton profited by retaining portions of the cryptocurrency transactions to compensate themselves and their team of moderators. The DoJ indictment revealed that Pavey and Hamilton had been involved in selling counterfeit currency on another dark marketplace called AlphaBay prior to operating Empire Market.

Now, the men face five charges: conspiracy to sell counterfeit currency on AlphaBay, conspiracy to distribute controlled substances via Empire Market, conspiracy to possess unauthorized access devices, conspiracy to sell counterfeit currency on Empire Market, and conspiracy to launder money to conceal proceeds from illegal activities. Conviction on all counts could result in life imprisonment for the two operators, especially due to the severe penalties linked with drug trafficking.

Stolen data that ends up on dark marketplaces can provide unauthorized access leading to cyberattacks, fraudulent activity, data breaches, and more. Having a comprehensive security solution focused on machine-speed threat detection and advanced analytics can help protect digital identities and sensitive user information from being exfiltrated and sold online.

The Bad | Network Security Zero-Day Flaws Targeted by China-Nexus APT for Cyber Espionage Campaigns

A Chinese-linked threat actor tracked as UNC3886 has been exploiting a combination of zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to gain and maintain access to compromised systems. Latest findings from cyber researchers detail how this espionage-focused actor employs multiple persistence mechanisms across network devices, hypervisors, and virtual machines (VMs) to ensure continuous access even if initial compromises are detected and removed.

UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs https://t.co/XkjQA1o3ng

— Nicolas Krassas (@Dinosn) June 20, 2024

UNC3886 is characterized as sophisticated and evasive, leveraging zero-day flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to deploy backdoors and secure deeper access credentials. They have also exploited CVE-2022-42475 in Fortinet FortiGate shortly after its disclosure.

So far, this series of attacks have targeted entities across North America, Southeast Asia, Oceania, Europe, Africa, and parts of Asia, focusing on critical sectors like government, telecommunications, technology, aerospace and defense, and energy. The key tactic here is their use of publicly available rootkits, such as “Reptile” and “Medusa”, to remain undetected. Medusa, deployed via the SEAELF installer, logs user credentials and commands, aiding in lateral movement within networks.

UNC3886 also uses custom backdoors named MOPSLED and RIFLESPINE, to exploit services like GitHub and Google Drive for command and control (C2) operations. The former is an evolution of the Crosswalk malware, communicating over HTTP with a GitHub C2 server, while the latter operates across platforms using Google Drive for file transfer and command execution.

Given the developing nature of the threats, organizations are urged to follow security advisories from Fortinet and VMware to patch the vulnerabilities at hand. Doubling down on establishing deep visibility, persistent monitoring, and real-time analysis can help protect organizations from advanced persistent threats (APTs).

The Ugly | Suspected Ransomware Attack Shuts Down Thousands of Auto Dealerships Across the U.S.

Fifteen thousand car dealerships across the U.S. were taken out of commission this week due to back-to-back cyberattacks on CDK Global, their SaaS (software-as-a-service) platform. Handing CRM, financing, payroll inventory, support, and administrative functions, dealerships rely on CDK Global as a full stack management and operations solution.

The first attack forced CDK Global to take its two data centers offline to prevent further spread of the attack. This caused widespread outages, affecting dealerships’ ability to track and order car parts, conduct sales, offer financing, and carry out vehicle repairs. Many employees reported being unable to work, reverting to manual methods or being sent home. The second additional breach occurred while the company was working to restore systems shut down from the first attack.

The latest status update from CDK at the time of writing confirms that there is no estimated time frame for resolution yet, and that the outage will likely continue for several more days. IT firms working with some affected dealerships note that the cyberattack led CDK to advise them to disconnect the always-on VPN to prevent potential threats from pivoting into dealership networks.

The prolonged disruptions are raising questions as to whether these attacks are the work of ransomware operators who have potentially impacted CDK’s backups. Ransomware attacks typically involve threat actors stealing data and encrypting systems, demanding a ransom for decryption and to avoid public data leaks. If confirmed, the journey towards resolution could take weeks.

Threat actors continue to keep their eye on the automotive industry to exploit its complex supply chain-based operations and its role as a significant economic sector to gain access to the high-value data from millions of clients and employees.

Leave a Comment

Your email address will not be published. Required fields are marked *