Security News

Researchers Detail Modus Operandi of ShinyHunters Cyber Crime Group
2021-08-23 06:48

ShinyHunters, a notorious cybercriminal underground group that's been on a data breach spree since last year, has been observed searching companies' GitHub repository source code for vulnerabilities that can be abused to stage larger scale attacks, an analysis of the hackers' modus operandi has revealed. "As Pokémon players hunt and collect "shiny" characters in the game, ShinyHunters collects and resells user data.

Russia tells UN it wants vast expansion of cybercrime offenses, plus network backdoors, online censorship
2021-08-03 20:15

Russia has put forward a draft convention to the United Nations ostensibly to fight cyber-crime. The proposal, titled "United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes," calls for member states to develop domestic laws to punish a far broader set of offenses than current international rules recognize.

HTML smuggling is the latest cybercrime tactic you need to worry about
2021-07-30 10:00

Menlo shared the news along with its discovery of an HTML smuggling campaign it named ISOMorph, which uses the same technique the SolarWinds attackers used in their most recent spearphishing campaign. The ISOMorph attack uses HTML smuggling to drop its first stage on a victim's computer.

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums
2021-07-29 07:51

Two new ransomware-as-a-service programs have appeared on the threat radar this month, with one group professing to be a successor to DarkSide and REvil, the two infamous ransomware syndicates that went off the grid following major attacks on Colonial Pipeline and Kaseya over the past few months. "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit," the operators behind the new BlackMatter group said in their darknet public blog, making promises to not strike organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government sectors.

Dutch Police Arrest Two Hackers Tied to "Fraud Family" Cybercrime Ring
2021-07-28 22:43

Law enforcement authorities in the Netherlands have arrested two individuals who allegedly belong to a Dutch cybercriminal collective and were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what's known as a "Fraud-as-a-Service" operation. Believed to be active since at least 2020, the cybercriminal syndicate has been codenamed "Fraud Family" by cybersecurity firm Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow the fraudsters to interact with the actual phishing site in real time and retrieve the stolen user data.

Trending cybercrimes and the big impact of lesser-known breaches
2021-07-28 04:30

Sontiq released the Mid-Year 2021 Cybercrime Report, which highlights five key trends and the 2021 data breaches that pose the highest level of risk to victims. The report's insights were derived from data generated by Sontiq's call center, Identity Restoration Team, and through BreachIQ data breach analysis.

Dutch Police Arrest Alleged Member of 'Fraud Family' Cybercrime Gang
2021-07-23 14:00

Authorities in the Netherlands have arrested a 24-year-old believed to be a developer of phishing frameworks for a cybercrime ring named "Fraud Family." According to the Dutch National Police, the man worked together with a 15-year-old accomplice to develop and sell phishing panels that allowed cybercriminals to steal banking credentials from unsuspecting users.

BT tries to crack cyber crime, grabs stake in Safe Security
2021-07-23 05:56

BT is looking to cash in on ever-growing global concerns over digital crime, and has confirmed making a multimillion-pound investment in US-based cyber risk management firm Safe Security. As part of the deal, BT plans to combine Safe Security's "SAFE platform" with its own managed security services to provide added protection for its customers in the UK against cyber threats.

Defeating the Organized Cybercrime Ecosystem
2021-07-13 12:30

The recent attack against users of the Kaseya VSA platform is yet another example of the increasingly organized dynamic of cybercrime. These attacks demonstrate the fact that an organized cybercrime network is flourishing under the surface.

Where do all those cybercrime payments go?
2021-07-09 18:57

Presumably conscious of the preceding Colonial Pipeline attack in which a $4.4 million blackmail payoff resulted in a decryptor that, though functional in theory, was worthless in practice because it ran far too slowly, the REvil crew even blithely claimed that their so-called universal decryptor would allow everyone to "Recover from attack [sic] in less than an hour". Account privileges that attackers typically go after include the local SYSTEM account or even Domain Administrator, which puts the attackers on an equal footing with your own sysadmins.