The Good | Multimillion Dollar Cryptojacking Scammer Arrested During A Joint Europol Operation
The mastermind behind the illegal scheme has been caught in their native Ukraine after setting up a million virtual servers to mine €1.8 million in stolen cryptocurrency. The 29-year-old man is charged with planning a sophisticated cryptojacking scheme before being apprehended by the Ukrainian National Police with the help of Europol and an unnamed cloud service provider.
When a cloud provider alerted Europol to compromised user accounts in January 2023, the joint investigation got under way. The organization reported that the accused had been using specialized brute force tools to infiltrate 1, 500 accounts while infecting the servers of a well-known e-commerce company with the miner virus since at least 2021. The agency shared this intelligence with Ukrainian authorities, .
The hacker then used the compromised accounts to gain access to the service’s management, setting up more than a million virtual computers to support the cryptojacking scheme. Authorities in Ukraine confirmed that the suspect transferred the illicit funds using TON cryptocurrency wallets.
The illegal use of a victim’s computing resources to mine cryptocurrencies is known as cryptojacking. Attackers frequently gain access to cloud environments by installing miners that use the host’s processing power to mine without permission and using compromised credentials. By abusing free trials or compromising legitimate tenants, the attacker is able to avoid paying the typical fees associated with mining infrastructure.
Maintaining continuous monitoring techniques and regular patch management can help protect systems against external threats because cryptojackers frequently use flaws in cloud platforms for initial compromise. Look for unusual activity, such as irregular spikes in resource usage, and think about implementing role-based access control and zero-trust policies to protect administrative privileges from abuse in order to guard against crypto-centric attacks.
Victims of The Bad | High Profile Plunged Into New Custom COLDRIVER Phishing Malware
The next iteration of a threat actor associated with Russia, COLDRIVER, has been released, delivering its first-ever custom malware coded in Rust to go beyond its typical credential harvesting tradecraft.
PDFs are used as decoy documents by COLDRIVER’s evolution to start the infection sequence in the most recent report on their strategies. The PDFs, which were sent from impersonation accounts, are intended to interact with high-profile targets in the U.K., the United States, other NATO nations, and Russia’s neighbors.
The documents are disguised as op-eds or articles seeking feedback and display encrypted text to the recipient. This is meant to prompt the victim into replying that the document cannot be read, after which the threat actor provides a malicious link to a supposed-decryptor tool called Proton-decrypter.exe
.
The decryption tool, SPICA, is the first custom malware created by COLDRIVER and is actually a backdoor. For command-and-control ( C2 ), SPICA uses JSON over WebSockets. This allows for the execution of commands, cookie theft from web browsers, file uploading and downloading, and file enumeration and exfiltration.
Security researchers point out that because SPICA has only been employed in a small number of targeted attacks, it is currently unknown how many victims have been successfully compromised. All of the victims so far come from important industries like NGOs, defense, academia, think tanks, and energy facilities.
This development comes after two Russian citizens connected to COLDRIVER were recently sanctioned. Since 2015, the threat actors have been active. To develop their spear-phishing attacks, they continue to concentrate on open-source intelligence ( OSINT ) and social engineering abilities. U.S. authorities are offering a$ 10 million reward for information that results in the arrest of COLDRIVER members as of December 2023.
Customers of The Ugly | Citrix Urged to Patch Against Two Exploited Zero-Day Vulnerabilities
Two zero-day vulnerabilities are being actively exploited in the wild, according to a warning issued this week to customers of the Citrix NetScaler ADC and Network Gateway. The first of the two is a code injection flaw that enables authenticated ( low privilege ) remote code execution (RCE ) on the Management Interface. It is tracked as CVE-2023- 6548 and has an overall CVSS score of 5.5. If the appliance is set up as a Gateway, authorization and accounting, or AAA, virtual server, the second flaw, known as CVE-2023-6549 with an 8.2 CVSS score, could be used to launch denial of service ( DoS ) attacks.
According to Citrix’s security notice, users of NetScaler ADC and Network Gateway version 12.1 are urged to upgrade their hardware to a supported version that fixes the problems. Users who are unable to deploy the updates right away are advised to block network traffic to affected instances and remove the management interface’s exposure to the internet to lower the risk of exploitation. Adaptive Authentication managed by Citrix or managed cloud services are unaffected.
Two new Citrix Netscaler zero-day vulnerabilities were exploited in attacks https ://t.co/Q75ll4yjtK in CVE-2023- 6548 &, 6549.
— January 17, 2024, Nicolas Krassas ( @Dinosn )
In light of the significant risk they pose to federal enterprise security, CISA has mandated that U.S. federal agencies secure their systems against both Citrix vulnerabilities. According to the directive, CVE-2023-6548 needs to be patched by January 24 and must be mitigated within three weeks by February7. The CISA advises all organizations, including private companies, to give fixing these listed vulnerabilities top priority even though the directive only applies to federal agencies. Not three months ago,” Citrix Bleed,” another Citrix flaw ( also known as CVE-2023- 4966 ), gained notoriety after being used by infamous LockBit group ransomware affiliates to target high-value tech companies and government organizations around the world.