Top five Cyber Threat Intel stories of the week: 01/30 to 02/03/2023

James Beal, Hunter Strategy
Published Feb 3, 2023 (5 min read)

Top 5 general threat intelligence stories of the week. All of these come from TLP:WHITE/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: Porsche halts NFT launch, phishing sites fill the void

Overview: Porsche cut its minting of a new NFT collection short after a dismal turnout and backlash from the crypto community, allowing threat actors to fill the void by creating phishing sites that steal digital assets from cryptocurrency wallets. The German automaker launched its first NFT mint last Monday, January 23, 2023, offering a digital replica of the iconic 911 car for 0.911 ETH, valued at about $1,500. However, delays in the rollout of the collection caused frustration in the community, as only about 20% of the promised 7,500 NFTs had been minted after 24 hours and three minting waves. To make matters worse, a flourishing NFT resale market was set up over at OpenSea, where it was cheaper to buy the Porsche collectibles than get the original, which devalued the assets immediately and further infuriated investors and traders. Eventually, on January 24, Porsche announced they would stop the minting process and cut the supply until they figured out how to get the NFT debut right. The actual minting process didn’t stop until January 25 at 6 AM UTC-5, giving scammers plenty of chance to leverage the confusing situation.

Breakdown: The hype cycles continue, with cryptocurrency values bouncing around and NFTs trading as digital assets with equally fluctuating value, so there will always be interest from the criminal side. This serves as a perfect example of how quickly things can go wrong, and of how scammers will take advantage of any opportunity they see coming to compromise a process and steal from people. It is also a great example of criminals using current events as triggers for phishing and other scam campaigns.

2nd: Come to the dark side: hunting IT professionals on the dark web

Overview: Just as any other business, cybercrime needs labor. New team members to participate in cyberattacks and other illegal activities are recruited right where the business is done — on the dark web. We reviewed job ads and resumes that were posted on 155 dark web forums from January 2020 through June 2022 and analyzed those containing information about a long-term engagement or a full-time job. This post covers the peculiarities of this kind of employment, terms, candidate selection criteria, and compensation levels. Further information, along with an analysis of the most popular IT jobs on the dark web, can be found in the full version of the report.

Breakdown: The maturity of the processes and the growth of the market for online criminal activity have created a shortage of skilled IT/InfoSec labor on the "dark side," just as everywhere else. That need for skilled technical labor forces criminal groups to offer competitive or better salaries and benefits to keep qualified staff, just like a normal organization, especially since those employees are also risking their freedom, depending on the country they live in and its laws on what constitutes criminal behavior. It is very interesting to see this level of detail from the criminal side of things compared to everyone on the right side of the law.

3rd: Uncle Sam slaps $10m bounty on Hive while Russia ban-hammers FBI, CIA

Overview: Uncle Sam has put up a $10 million reward for intel on Hive ransomware criminals’ identities and whereabouts, while Russia has blocked the FBI and CIA websites, along with the Rewards for Justice site offering the bounty.…The $10 million bounty is part of the US State Department’s Rewards for Justice program, and in a Thursday tweet the agency sought tips for Hive members “acting under the direction or control of a foreign government.” The notice also referenced the FBI’s Hive website takedown, which the feds announced earlier that day. “If you have information that links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward,” it said.

Breakdown: We received the awesome news, right after it happened, that the Hive network had been taken down from the inside following a seven-month-long covert operation. Now we see a follow-up to that activity: an effort to tie the threat actors back to a country of origin and/or attribute the handles to real-world individuals. We are also seeing a Russian response to this activity, even though no official acknowledgement that Russia was directly involved has been made at this time.

4th: Microsoft: Over 100 threat actors deploy ransomware in attacks

Overview: Microsoft revealed today that its security teams are tracking over 100 threat actors deploying ransomware during attacks. Last year was marked by the end of the Conti cybercrime operation and the rise of new ransomware-as-a-service (RaaS) operations, including Royal, Play, and BlackBasta. Meanwhile, LockBit, Hive, Cuba, BlackCat, and Ragnar ransomware operators have kept breaching and trying to extort a steady stream of victims throughout 2022. Nevertheless, ransomware gangs saw a massive revenue drop of around 40% last year as they were only able to extort roughly $456.8 million from victims throughout 2022, after a record-breaking $765 million in the previous two years, according to blockchain analytics company Chainalysis. However, this significant decline was not driven by fewer attacks but by their victims’ refusal to pay the attackers’ ransom demands.

Breakdown: This is a great general overview of ransomware attacker activity over the past year. That many groups consistently running attacks is really no big surprise given the overall worldwide activity, but it is great to hear that payouts in 2022 dropped by over $300 million from the year before and that many organizations are refusing to pay at all.

5th: KeePass questions vulnerability that allows stealthy password theft

Overview: The development team behind the open-source password management software KeePass is disputing what is being described as a newly discovered vulnerability that allows attackers to stealthily export the entire database in plain text. KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one like LastPass or Bitwarden. To protect these local databases, users can encrypt them with a master password so that malware or a threat actor cannot simply steal the database and automatically gain access to the passwords stored in it.

Breakdown: The LastPass breach is still very fresh in all of our minds, and anyone in security has probably already moved away from that password manager and encouraged everyone they know to do the same. Now we have a dispute over a massive vulnerability in another password manager, with the potential for total compromise. If you or anyone you know is a KeePass user, please stay up to date on this as it evolves; as we saw with LastPass, it may be time to start considering another solution instead.

Contact Us

contact@hunterstrategy.net


James Beal, Hunter Strategy: Cyber Threat Intelligence Engineer, focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.