The Good, the Bad and the Ugly in Cybersecurity – Week 50

The Good | US Detains Suspects in $80 Million ‘Pig Butchering’ Cryptocurrency Scam

Investment fraud alone cost victims more than $3 billion last year, with cryptocurrency investment fraud rising by 183%, according to statistics released by the FBI. Good to hear, then, that the Department of Justice has this week charged four individuals, two of whom have been arrested, over a cryptocurrency investment scam that allegedly netted the gang over $80 million.

The indictment accuses Lu Zhang, Justin Walker, Joseph Wong, and Hailong Zhu of operating a complex network of shell companies and bank accounts. These were allegedly used to launder money from victims lured into ‘pig butchering’ scams. The criminals built trust with their victims through messaging apps, dating platforms, and social media, before deceitfully draining their cryptocurrency wallets.

Two of the suspects, Zhang and Walker, appeared in a federal court in Los Angeles to face charges including conspiracy to commit money laundering, with potential sentences of up to 20 years if convicted.

According to the Justice Department, the gang’s activities involved at least 284 transactions and resulted in more than $80 million in victim losses. More than $20 million in stolen funds was directly deposited into bank accounts associated with the suspects.

The law enforcement action underscores the growing threat of online investment scams, particularly those involving cryptocurrencies, and highlights the need for vigilance in the ongoing battle against digital financial crimes.

The Bad | Microsoft Accounts Targeted Through Misuse of OAuth Applications

Threat actors are increasingly targeting Microsoft accounts by abusing OAuth applications for a range of malicious activities, including BEC (Business Email Compromise), phishing, spamming, and cryptocurrency mining, researchers said this week. An investigation uncovered approximately 17,000 malicious multi-tenant OAuth applications created using compromised Microsoft accounts, which were then used to send over 927,000 phishing emails in a campaign running from July to November 2023.

Attackers are focusing on Microsoft user accounts with weak authentication, such as those lacking multi-factor authentication (MFA), and employing phishing or password-spraying tactics to gain control. Once access is secured, they register new OAuth applications and grant them high privileges. Because the application then authenticates with its own credentials rather than the user's password, the attacker keeps persistent access that survives a password reset and attracts little attention.

In one case, the threat actor Microsoft tracks as Storm-1283 used a compromised account to create an OAuth application and deploy virtual machines for cryptocurrency mining, leaving the affected organizations with compute bills ranging from $10,000 to $1.5 million.

In another, an attacker used OAuth applications for phishing campaigns and BEC reconnaissance, signing in to Outlook Web App (OWA) with compromised accounts to search mailboxes for “payment” and “invoice” related information.

Across several instances, attackers were found to have created multi-tenant OAuth apps for persistence, creating new credentials, and sending phishing emails via the Microsoft Graph API.

Admins are urged to require MFA on all accounts and to enforce conditional access policies wherever possible. Beyond the user accounts themselves, the application registrations in the tenant should be audited: review which apps exist, which permissions they request and have been granted, and when credentials were last added to them, and disable or delete any app that is unrecognized or carries privileges it does not need. Accounts and apps exhibiting unusual or risky behavior should be revoked.
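The audit described above can be scripted. The following is an added example, not Microsoft's tooling or code from the original report. It runs offline over the JSON shapes Microsoft Graph returns for GET /applications (appId, displayName, signInAudience, createdDateTime, passwordCredentials, keyCredentials, requiredResourceAccess) and over the Microsoft Graph service principal's appRoles list, which maps permission GUIDs to names; the caller is assumed to have fetched both already. All records below are constructed samples, and the thirty-day window and severity rules are this example's own heuristics, not anything Microsoft prescribes.

```python
"""Triage Entra ID app registrations for the OAuth-abuse pattern described above.
Added example; assumes the Graph /applications and appRoles JSON has been fetched."""
from datetime import datetime, timedelta, timezone

GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# App-only permissions that read or send mail for any mailbox, or rewrite the
# directory: the capabilities the campaigns in the text relied on.
HIGH_RISK_ROLES = {"Mail.Send", "Mail.Read", "Mail.ReadWrite",
                   "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}

# Constructed subset of the Graph service principal's appRoles (id -> value).
GRAPH_APP_ROLES = [
    {"id": "b633e1c5-b582-4048-a93e-9f11b44c7e96", "value": "Mail.Send"},
    {"id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read"},
    {"id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All"},
]

NOW = datetime(2023, 11, 15, tzinfo=timezone.utc)  # fixed so the sample is reproducible


def _app(app_id, name, audience, created, cred_start, role_ids):
    """Build a constructed /applications record with one password credential."""
    return {"appId": app_id, "displayName": name, "signInAudience": audience,
            "createdDateTime": created, "keyCredentials": [],
            "passwordCredentials": [{"keyId": app_id[:4], "startDateTime": cred_start}],
            "requiredResourceAccess": [{"resourceAppId": GRAPH_RESOURCE_APP_ID,
                                        "resourceAccess": [{"id": r, "type": "Role"} for r in role_ids]}]}

# Constructed sample: the first app mirrors the pattern in the text (multi-tenant,
# mail permissions, registered and credentialed days ago).
SAMPLE_APPS = [
    _app("11111111-1111-1111-1111-111111111111", "Sync Helper", "AzureADMultipleOrgs",
         "2023-11-12T08:14:00Z", "2023-11-13T09:00:00Z",
         ["b633e1c5-b582-4048-a93e-9f11b44c7e96", "810c84a8-4a9e-49e6-bf7d-12d183f40d01"]),
    _app("22222222-2222-2222-2222-222222222222", "HR Portal", "AzureADMyOrg",
         "2022-03-01T10:00:00Z", "2022-03-01T10:05:00Z",
         ["df021288-bdef-4463-88db-98f22de89214"]),
    _app("33333333-3333-3333-3333-333333333333", "Old Mailer", "AzureADMyOrg",
         "2023-04-20T12:00:00Z", "2023-04-20T12:10:00Z",
         ["b633e1c5-b582-4048-a93e-9f11b44c7e96"]),
]


def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def requested_app_roles(app, role_names):
    """App-only (type 'Role') permissions the registration requests on Graph.
    Caveat: requiredResourceAccess is what the app asks for; what is actually
    granted lives on the service principal (/servicePrincipals/{id}/appRoleAssignments),
    so a hit here means 'go check that endpoint', not 'proven granted'."""
    names = set()
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != GRAPH_RESOURCE_APP_ID:
            continue
        for access in rra.get("resourceAccess", []):
            if access.get("type") == "Role":  # "Scope" would be a delegated permission
                names.add(role_names.get(access["id"], access["id"]))
    return names


def triage_app(app, role_names, now=NOW, recent_days=30):
    """Return (severity, reasons) for one registration. Severity rules are this example's own."""
    reasons, window = [], timedelta(days=recent_days)
    audience = app.get("signInAudience", "")
    if audience != "AzureADMyOrg":
        reasons.append(f"sign-in audience {audience} (multi-tenant)")
    risky = requested_app_roles(app, role_names) & HIGH_RISK_ROLES
    if risky:
        reasons.append("requests app-only " + ", ".join(sorted(risky)))
    recent_creds = [c for c in app.get("passwordCredentials", []) + app.get("keyCredentials", [])
                    if now - parse_graph_time(c["startDateTime"]) <= window]
    if recent_creds:
        reasons.append(f"{len(recent_creds)} credential(s) added within {recent_days} days")
    recently_created = now - parse_graph_time(app["createdDateTime"]) <= window
    if recently_created:
        reasons.append(f"registered within {recent_days} days")
    if risky and (recent_creds or recently_created):
        return "high", reasons      # high privilege plus fresh activity: the campaign pattern
    return ("review" if reasons else "none"), reasons


def triage(apps, app_roles, now=NOW, recent_days=30):
    """Findings for every app with at least one reason, highest severity first."""
    role_names = {r["id"]: r["value"] for r in app_roles}
    findings = []
    for app in apps:
        severity, reasons = triage_app(app, role_names, now, recent_days)
        if severity != "none":
            findings.append({"appId": app["appId"], "displayName": app["displayName"],
                             "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: {"high": 0, "review": 1}[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_APPS, GRAPH_APP_ROLES):
        print(f"[{f['severity']}] {f['displayName']} ({f['appId']}): " + "; ".join(f["reasons"]))
```

Against the constructed data, Sync Helper is reported as high (multi-tenant, app-only Mail.Send and Mail.Read, a credential added and the app registered within the window), Old Mailer is flagged for review because of its mail permission alone, and HR Portal produces no finding. On a real tenant, follow each high finding by confirming the grant on the service principal's appRoleAssignments and by checking the sign-in logs for the app's own (non-interactive) sign-ins.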

The Ugly | Ukraine Mobile Network Hit As Russian Tax Service Attacked By Malware

Ukraine’s largest mobile network operator, Kyivstar, suffered a massive cyberattack earlier this week, leaving more than half of the nation’s population without crucial mobile and internet services. The attack disrupted IT infrastructure as well as air raid alert systems across several regions.

Kyivstar’s official website went offline, but the company said on social media that it had been targeted by “a powerful hacker attack”, which it attributed as a direct consequence of the Russian war on Ukraine. Kyivstar CEO Oleksandr Komarov was reported as saying that the attack had significantly damaged the company’s infrastructure, adding that “we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access.”

In the wake of the disruption, reports suggest that while major services like mobile internet, voice calls, and SMS should be restored soon, a full recovery of all services could take several weeks.

Initially, Russian hacktivist group Killnet made unsubstantiated claims to be behind the attack. By Wednesday, another group, Solntsepek (also transliterated Solntsepyok), believed to be linked to the Russian military intelligence APT Sandworm, posted screenshots on Telegram purporting to show how it accessed Kyivstar’s servers, stating that “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as state bodies and Ukraine’s security forces”.

“Solntsepek hackers” claim responsibility for the Kyivstar attack

In a worrying sign of how civilian critical infrastructure is increasingly a target in cyber warfare, Ukraine announced on the same day as the Kyivstar attack that its defense intelligence directorate (GUR) had infected thousands of Russian servers used by Russia’s state tax service, destroying databases and backups. The statement said the attack had led to the complete destruction of Russia’s federal tax service (FNS) infrastructure.