Internet threat news

The Dark Web is not only the stomping ground of hackers and ransomware operators but several other criminal activities including drug dealing. It was estimated by the United Nations that the Dark Web drug market is now over 315 million USD annually and in 2022 it was estimated that annual sales on this illicit drug market came in at over 470 million USD. To say that using the Dark Web to sell drugs is profitable might be an understatement.

While many of us were enjoying the time spent with family and friends over the festive season, two cryptocurrency platforms were dealing with cyberattacks. In the first incident, BTC.com lost approximately 3 million USD belonging to both customers and the company, following a theft instigated by a cyberattack. In the second incident, crypto platform 3Commas admitted to having their API keys stolen by hackers. For 3Commas this appears to be yet another security incident on top of a list of previously poorly handled incidents, as will be seen later in this article.

Android users now have another cyber security worry to add to the growing pile. According to a report published by Threat Fabric, a malware-as-a-service platform advertised on the Darknet can bind malware to legitimate Android apps. This effectively results in victims infecting themselves and evading any suspicion the infection may cause. The platform dubbed “Zombinder” was discovered been spread via malicious Windows and Android campaigns.

For many security firms, the dangers posed by nation-state threat actors plot the course for the dangers they face from financially motivated threat actors shortly. One such course has been potentially plotted with the discovery that a newly discovered Windows malware that acts like a backdoor is being used by North Korean state-sponsored hackers in a highly targeted campaign to steal files and send them to Google Drive storage. What’s more, is that data can also be stolen from any mobile device connected to the Windows machine.

In much the same way that GitHub has been used by malicious threat actors to distribute malware, it would not be long until Docker Hub would be abused for similar purposes. In a recent report published by Sysdig over 1,600 publicly available Docker Hub images are been used to hide malicious behavior, including cryptocurrency miners, embedded secret keys and other authenticators that can be used as backdoors, DNS hijackers, as well as website redirectors.

According to the Federal Bureau of Investigation (FBI), the Hive gang has successfully extorted over 100 million USD from approximately 1300 victims dating back to July 2021. Unfortunately, those that refuse to pay are likely to experience further ransomware payloads down the line, which is in line with recent Hive tactics and can be seen as an escalation in the famed double extortion tactic prominent in the ransomware space.

Robin Banks, the popular phishing-as-a-service (PaaS) platform amongst the cybercriminal underground, has resurfaced after previously having its backend and frontend rendered useless by Cloudflare. Now the platform has found a new hosting partner based in Russia that boasts distributed-denial-of-service (DDoS) protection for customers. The hosting partner, DDOS-GUARD, has also been linked to hosting QAnon, 8Chan, and Hamas web assets.

A sophisticated threat group designated as Cranefly by security firm Symantec is using new techniques and tools to bolster an already comprehensive threat package. Not only is Cranefly using new techniques to further attack campaigns but also a previously undiscovered malware dropper given the name Geppei by researchers.

Ransomware continues to be one of, if not the primary, threat faced by organizations, particularly large corporations. On October 21, UK car dealer Pendragon released a statement to the press saying,

Security researchers have recently discovered possible links between the relatively new Ransom Cartel and an old foe of many a researcher, Sodinokibi. The latter is also tracked as REvil, a pioneer in how ransomware gangs changed tactics to target large corporations and demand millions in ransom payments.

Based on research conducted by Team Cymru, threat actors distributing the IceID malware are experimenting with different delivery methods to find out which works best against different targets. Since Microsoft blocked Macros by default threat actors and malware developers have been forced to find new delivery methods for their malware and it seems IceID is no exception.

Lazarus Group, North Korea’s elite state-sponsored hacking group, has never been shy from adopting new techniques and tactics. In the past, the group has dabbled with ransomware blurring the lines between what was considered the realm of financially motivated hackers rather than their state-sponsored cousins. Now, according to a new report published by ESET, the group has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack tactic to install Window’s based rootkits.

Security firm, Sentinel Labs, has discovered a new threat group that is intent on targeting telecommunications, internet service providers (ISP), and universities, primarily in Africa and the Middle East. Based on a report published the advanced threat group has been active for two years and focuses on long-term persistence for cyber espionage.

In an article published by Bleeping Computer, the cyber security news platform repealed that video games publisher 2K had their gaming support system hacked to spread malware to gamers. This follows news that Steam users were being targeted by unique Browser-in-the-Browser attacks looking to phish online credentials. Gamers across the globe need to be aware that they are now favored targets for specific financially motivated hackers and known threat actor groups.