Friday Five 10/28
Some high-profile threat actors ran into legal trouble this past week, but that isn’t stopping ransomware from running rampant. Catch up on all the latest in this week’s Friday Five.
1. FEDS SAY UKRAINIAN MAN RUNNING MALWARE SERVICE AMASSED 50M UNIQUE CREDENTIALS BY DAN GOODIN
A 26-year-old Ukrainian national, who has been accused of operating an info-stealing malware known as Raccoon, was indicted by the Department of Justice this past week. He and others associated with Raccoon reportedly provided customers with the malware itself along with the digital infrastructure and technical support required to operate it, successfully stealing information from over 2,000,000 people. According to the released indictment, more than 50 million unique credentials and forms of identification were taken in the operation, and more may yet be discovered.
2. NOTORIOUS HACKER KNOWN AS 'SPDRMAN' ARRAIGNED FOR ROLE IN REAL DEAL DARK WEB MARKETPLACE BY AJ VICENS
This past week, a threat actor that goes by the handle Spdrman was arraigned on charges related to their involvement in operating a dark web marketplace known as The Real Deal. The indictment, which was unsealed last week, claims the hacker sold access to multiple U.S. government networks, including those belonging to the Postal Service, the National Oceanic and Atmospheric Administration, the Centers for Disease Control, NASA, and the U.S. Navy. Read more about the hacker’s various identities and his other wrongdoings in the full story from CyberScoop.
3. URGENT ALERT WARNS DAIXIN RANSOMWARE GROUP HIT MULTIPLE HEALTHCARE PROVIDERS BY JESSICA DAVIS
According to reports, the Daixin ransomware group has been successfully attacking organizations in the healthcare sector since this past June. This has prompted the release of a joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services that provides organizations with recommendations to prevent such attacks. Top recommendations include ensuring updates have been installed on all operating systems, software, and firmware, using multi-factor authentication “for as many services as possible” but particularly for webmail, and turning “off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for WANs and secure with strong passwords and encryption when enabled.”
4. RANSOMWARE GANGS RAMP UP INDUSTRIAL ATTACKS IN US BY TARA SEALS
According to a recent Q3 analysis, 36% of globally reported ransomware cases against industrial organizations occurred in the United States, more than a 10% increase compared to the previous quarter. While the LockBit gang was reportedly responsible for more than a third of global cases, research also suggests that different threat groups are targeting different sectors. For example:
- Ragnar Locker has been targeting mainly energy.
- Cl0p Leaks has been targeting only water and wastewater.
- Karakurt has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
- LockBit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
- Stormous has only targeted Vietnam.
- Lorenz has only targeted the United States.
- Sparta Blog has only targeted Spain.
- Black Basta and Hive mainly targeted the transportation sector.
5. CHROME EXTENSIONS WITH 1 MILLION INSTALLS HIJACK TARGETS’ BROWSERS BY BILL TOULAS
According to a recent report, in mid-October 2022, roughly 30 variants of a browser extension were made available on the Chrome and Edge web stores that were capable of hijacking targets’ browsers. These extensions reportedly amassed over 1 million installs. A malvertising campaign behind the extensions, known as ‘Dormant Colors,’ redirected users to various pages that side-load malicious scripts that instruct the extension on how to perform search hijacking and on what sites to insert affiliate links. Read the full story from BleepingComputer to see the malicious extension in action and to learn more about how it could lead to worse issues.