The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good

This week, the DoJ, FBI, and Portuguese authorities dismantled WT1SHOP, a prolific cybercrime marketplace known for the sale of over 5.85 million records of personal identifiable information (PII). One of the largest of its kind, the market sold pilfered login credentials for retailers and financial organizations, email and PayPal accounts, as well as identification cards and network credentials.

Across WT1SHOP’s website and four of its domains, a DoJ report noted that approximately 106,273 users and 94 sellers operated in the marketplace as of December 2021. The report also alleges that Moldovan national Nicolai Colesnicov was the operator and administrator of WT1SHOP. If convicted, Colesnicov faces up to 10 years in federal prison on charges of conspiracy and trafficking in unauthorized access devices.

With WT1SHOP offline, law enforcement teams around the world add another cyber takedown to their books. This year has seen a number of successful darknet seizures, including Hydra Market, a notorious, long-running black market for drugs that also offered cryptocurrency mixing and laundering services; RaidForums, a popular cybercrime marketplace for selling high-profile hacked data; and SSNDOB, a series of websites harboring the social security numbers, names and birthdays of approximately 24 million U.S. citizens.

The continued crackdowns on these marketplaces result in a snowball effect: with each successful bust, investigators find additional leads and data on the next target, eventually making strides in disrupting the greater cybercrime infrastructure and economy.

The Bad

While back-to-school garners mixed emotions across students (some parts excitement, some parts dread) and parents (relief), cybercriminals are, unfortunately, feeling opportunistic. CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory earlier this week warning of the continuing rise of ransomware attacks on the education sector. The advisory named K-12 institutions as particularly attractive targets for threat actors, as their systems are seen as a deep trove of sensitive student data.

The FBI, CISA, and the MS-ISAC expect the number of attacks to increase throughout the school year. Just hours prior to the advisory, the Los Angeles Unified School District (LAUSD) disclosed a ransomware attack on its IT systems. LAUSD is the second largest school district in the U.S. and supports more than 640,000 students.

The attack was reported to have affected the district’s server infrastructure, but instruction, transportation, student meals, and safety systems were not interrupted. However, ransomware actors typically exfiltrate files from the targeted environment as well, which allows them to extort their victims later on even after systems are restored.

Over the years, the impact of ransomware attacks on schools has ranged from restricted access to critical networks and data to the theft of PII leading to identity crime and extortion. With educators continuing to digitize their administrative assets, protecting sensitive data will be a continuing challenge that requires a coordinated effort across federal leadership, edu-tech vendors, school boards, managed security service providers (MSSPs), and the students and educators themselves.

The Ugly

Energy providers headquartered in the United States, Canada, and Japan have found themselves in the crosshairs of Lazarus APT Group, a North Korean-linked cybercrime group. Security researchers reported this week on a cyberattack campaign specifically targeting energy companies and speculated that the “main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives.”

During the six-month-long campaign, Lazarus exploited the Log4j vulnerability to compromise internet-facing VMware Horizon servers and then gain entry into the targeted enterprise networks. After gaining its initial foothold, the APT group deployed an HTTP bot called “VSingle” and a backdoor called “YamaBot” to establish long-term persistence. Further analysis revealed that the group used known malware families as well as a custom remote access trojan now dubbed “MagicRAT”.

Attributed by CISA to the North Korean government, Lazarus Group gained notoriety for a string of high-profile attacks, including the Sony hack in 2014 and the WannaCry 2.0 global ransomware attack in 2017. The efforts of the Lazarus hacking group have long supported the DPRK’s espionage-driven cyber objectives. The campaign targeting major global energy providers highlights the group’s capability to coordinate various TTPs (tactics, techniques and procedures) and to use a wide range of existing and new, bespoke malware to achieve its operational goals.

In July, the U.S. government offered a $10 million reward in return for information on DPRK-linked threat groups and their members. Bounties like this are part of an ongoing campaign by the U.S. State Department in search of threat intelligence, particularly concerning malicious activity directed at critical infrastructure and interference with federal elections.