Daily Brief

The article summaries below are generated automatically.

Total articles found: 12815

2025-03-07 12:17:20 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Employ Qilin Ransomware in Recent Attacks
Microsoft has identified the North Korean hacking group Moonstone Sleet deploying Qilin ransomware in its recent activity. The group, previously tracked as Storm-1789, has shifted from its own custom ransomware to ransomware supplied by RaaS operators. Moonstone Sleet's targets include financial institutions, and its espionage operations rely on tools such as trojanized software, malicious games, and fake software development companies. Its attack vectors also include contact through social platforms such as LinkedIn, freelancing networks, and email, which makes it a significant social engineering threat. The Qilin ransomware gang, active since 2022, escalated operations in 2023 and has infected over 310 entities, including high-profile organizations worldwide. Moonstone Sleet's adoption of Qilin follows a history of North Korean-linked ransomware activity by other groups such as Lazarus Group, including links to major outbreaks like WannaCry. In recent operations, the group has demanded ransoms as high as $6.6 million paid in Bitcoin, underlining the severe financial impact of its attacks.
2025-03-07 11:42:42 thehackernews MISCELLANEOUS Webinar Introduces Proactive Application Security Management
The webinar introduces Application Security Posture Management (ASPM) as a smarter, unified approach to application security. ASPM combines code insights with real-time runtime data to give a comprehensive view of application security. The approach shifts focus from reactive response to proactive threat prevention, reducing the need for costly fixes. The webinar is led by Amir Kaushansky, Director of Product Management at Palo Alto Networks. Attendees will learn proactive strategies to prevent security threats before they impact business operations. Seats are limited for this opportunity to advance security handling and gain a competitive edge.
2025-03-07 11:35:22 theregister CYBERCRIME Ransomware Affiliates Persist Despite Law Enforcement Efforts
Ransomware gangs remain active and keep evolving despite law enforcement successes in taking down major groups and their infrastructure. Affiliates of dismantled groups quickly find new groups to join, bringing their tactics with them and strengthening the groups they join. Cybercrime groups like Akira and Qilin have become increasingly prominent, and new, lesser-known groups are quickly gaining traction. Internal leaks and disruptions within groups such as ALPHV (BlackCat) have led affiliates to join emerging groups like Black Basta and Cactus. Despite arrests and the shutdown of leak sites, affiliates' skills in ransomware operations remain valuable and are swiftly redeployed in new configurations. Negotiations with ransomware groups continue, with the focus on reducing ransom payments rather than encouraging them; professionals like Jason Baker advise on recovery strategies. Organizations are increasingly prepared for ransomware attacks, with over 70% having viable backups to restore data, which shifts the focus to containing the data breach. The continuous emergence of new ransomware entities demands constant vigilance from cybersecurity teams and ransomware negotiators, because experienced criminal affiliates keep regrouping.
2025-03-07 11:06:48 thehackernews MISCELLANEOUS Lessons from A&F's PCI DSS v4 Compliance Journey
PCI DSS v4 introduces more stringent requirements for third-party scripts and continuous monitoring to protect against emerging browser-based threats. Kevin Heffernan of Abercrombie & Fitch (A&F) shared insights on managing script integrity and unauthorized modifications to maintain compliance. The updated PCI DSS mandates include detailed logging of all scripts, verification of script integrity, and authorized execution on payment pages. Continuous change and tamper detection are required to monitor unauthorized script modifications, with mechanisms like HTTP header monitoring emphasized. A&F identified common compliance errors including over-reliance on CSP, neglecting third-party vendor compliance, and treating PCI compliance as a one-time activity. Even businesses qualifying for SAQ A must secure their entire website and implement real-time monitoring and alerts. A&F's compliance journey underscores the importance of early preparation to avoid security gaps and potential fines, with a critical deadline approaching on March 31, 2025.
2025-03-07 10:29:01 bleepingcomputer RANSOMWARE Ransomware Gang Utilizes Unsecured Webcam to Circumvent EDR
The Akira ransomware gang exploited an insecure webcam to bypass endpoint detection and response (EDR) in a recent attack. After its initial attempt to deploy ransomware on Windows was blocked by EDR, Akira pivoted to a vulnerable webcam running a Linux-based OS with no EDR protection. The attackers gained initial access through an exposed remote access solution, deployed AnyDesk, and stole sensitive data for a double extortion scheme. Having failed to encrypt files directly on Windows because EDR blocked the attempt, the gang moved laterally across the network and eventually discovered and exploited the webcam. From the webcam's Linux OS, the attackers mounted Windows SMB network shares from other devices and ran a successful encryption attack across the network. The incident highlights the security weaknesses of IoT devices, which are monitored and updated less than conventional IT assets, and underscores the need for security strategies that include regular updates and isolation of less secure devices from critical networks.
2025-03-07 09:58:01 thehackernews MALWARE Malicious PyPI Package Targets Ethereum Keys via Polygon
A malicious Python package named set-utils was found on PyPI, designed to steal Ethereum private keys. The package imitated popular libraries, deceiving developers into downloading and compromising their systems. It specifically targeted Python-based Ethereum developers and related organizations. Once installed, the package intercepted wallet creation functions to access Ethereum private keys. The stolen keys were sent to the attacker through transactions on the Polygon blockchain, evading typical detection methods. The use of blockchain for exfiltration of keys also complicates tracking and mitigating the attack. As of now, the malicious set-utils package has been removed from PyPI following 1,077 downloads.
2025-03-07 09:23:54 thehackernews NATION STATE ACTIVITY U.S. and Allies Seize Russian Crypto Exchange Website
The U.S. Secret Service, in collaboration with international law enforcement, has seized the Garantex cryptocurrency exchange website. The seizure follows Garantex's 2022 U.S. Treasury sanctions for supporting transactions from illicit activities and darknet markets. International partners in the operation included Europol, the FBI, and the criminal police and prosecution offices from the Netherlands, Germany, Finland, and Estonia. Additional sanctions in 2023 targeted individuals linked to Garantex, further alleging laundering of ransomware proceeds. Following EU sanctions against Russian banks directly linked with Garantex, Tether blocked the crypto exchange’s wallets, significantly impacting its operations. Garantex announced the suspension of all services, including withdrawals, in response to the wallet blocks and emphasized their determination to resolve the issues. The Garantex response highlights both operational impacts and ongoing efforts to counteract the restrictions placed by international sanctions.
2025-03-07 05:50:27 thehackernews NATION STATE ACTIVITY North Korean Hackers Conduct $1.5 Billion Crypto Heist on Bybit
Safe{Wallet} reported that TraderTraitor, a North Korean hacking group, carried out a state-sponsored theft of $1.5 billion from Bybit through a sophisticated cyberattack. The hackers compromised a Safe{Wallet} developer's laptop and AWS session tokens, bypassing multi-factor authentication to carry out the heist. The initial breach occurred on February 4, 2025, through malware embedded in a Docker project disguised as a stock investment simulator, which was likely delivered through social engineering. Post-attack analysis showed that the threat actors cleared malware traces and command history to obscure their footprint and hinder forensic investigation. The malware let the attackers stealthily inspect the company's AWS environment and manipulate AWS user sessions without detection. The stolen funds are predominantly Ethereum, with 83% converted to Bitcoin and spread across nearly 7,000 wallets. Despite the significant loss, over 77% of the stolen assets remain traceable, and efforts to freeze and recover the funds are ongoing. The incident highlights the growing sophistication and scale of cryptocurrency theft and the urgent need for stronger security measures in the Web3 ecosystem.
2025-03-07 04:47:53 thehackernews MALWARE Exploitation of PHP-CGI RCE Vulnerability Targets Japanese Sectors
Threat actors exploited CVE-2024-4577, a PHP-CGI remote code execution flaw affecting PHP on Windows, to attack multiple sectors in Japan. Initial access was followed by PowerShell scripts that executed Cobalt Strike's reverse HTTP shellcode payload for persistent remote access. Post-exploitation tactics included tools for reconnaissance, privilege escalation, and lateral movement, and persistence mechanisms such as Registry modifications and scheduled tasks. The attackers maintained stealth by erasing event logs with wevtutil, making detection difficult. Credentials such as passwords and NTLM hashes were exfiltrated using Mimikatz after the compromise. Analysis found that the C2 servers exposed directory listings of victim data and the adversaries' tools on the internet. The end goal of the attack extends beyond credential theft and suggests preparation for future malicious activity.
2025-03-07 01:55:27 theregister MALWARE Badbox Botnet Strikes Again with Enhanced Malware Targeting Android Devices
The Badbox 2.0 botnet has infected nearly a million Android devices, redeploying a vast ad fraud network. Human Security's research team detected malware variants in cheap, off-brand Android hardware and third-party app stores. Infected devices include TVs, phones, car tablets, and projectors, all sourced from China and generating network traffic worldwide. The botnet hides its fraudulent ad activity by mimicking legitimate user behavior across devices around the world. Over 200 third-party Android applications were found infected, often mimicking legitimate versions found on Google's Play Store. The scheme appears larger and more sophisticated than previous iterations and may involve collaboration among multiple criminal groups. Efforts by Human Security, Google, Trend Micro, and the Shadowserver Foundation have cut the botnet in half by targeting its command-and-control servers. Despite this mitigation, there is concern that the operators may adapt and revive the botnet.
2025-03-06 22:36:03 theregister CYBERCRIME International Task Force Shuts Down Russian Crypto Exchange Garantex
An international law enforcement coalition has shut down Garantex, a Russian cryptocurrency exchange favored by criminals for laundering money. This operation involved multiple agencies, including the US Secret Service, DOJ, FBI, Europol, and several European national police forces. The US Attorney's Office for the Eastern District of Virginia facilitated the seizure with a warrant that allowed the takedown of the Garantex website. Garantex was previously sanctioned by the US in April 2022, linking it to over $100 million in illicit transactions. The seizure is part of a broader crackdown impacting operations like the Russian ransomware group Conti and the online drug marketplace Hydra. Additional details from the investigation remain undisclosed, pending further updates from the US Secret Service.
2025-03-06 20:59:43 bleepingcomputer MALWARE Microsoft Disrupts Malvertising Campaign Affecting Nearly 1 Million PCs
Microsoft threat analysts detected a malvertising campaign using GitHub to distribute malware in early December 2024, affecting nearly 1 million devices globally. Malicious ads were embedded in videos on illegal streaming sites that redirected viewers to GitHub repositories controlled by attackers. The malware performed system discovery, collected extensive system information, and deployed further payloads, including a NetSupport RAT and the Lumma and Doenerium information stealers. A complex multi-stage attack included PowerShell scripts and AutoIt components to establish persistence, enable remote operations, and exfiltrate data. Beyond GitHub, the campaign also utilized Dropbox and Discord to host payloads, reflecting the attackers' use of diverse platforms to implement their strategy. Microsoft named this activity "Storm-0408," a tracking umbrella for threats involving malvertising, phishing, and SEO to propagate malware. This indiscriminate attack impacted a wide range of organizations and industries, highlighting the broad threat to both consumer and enterprise devices.
2025-03-06 20:33:10 bleepingcomputer MALWARE Ransomware Attack Launched Through Unsecured Webcam
The Akira ransomware gang exploited an unsecured webcam to encrypt a corporate network, bypassing Endpoint Detection and Response (EDR) systems. The initial attack vector was exposed remote access credentials, followed by the deployment of AnyDesk for data theft. After EDR blocked ransomware deployment on Windows, the attackers scanned for alternative devices and settled on a vulnerable webcam. The webcam, running a Linux system without EDR protection, was used to remotely encrypt files over the network. The increase in malicious SMB traffic from the webcam to servers went unnoticed because the IoT device was not monitored. The cybersecurity firm S-RM noted that patches for the webcam's vulnerabilities were available, so the attack could have been prevented. The incident underscores the limits of EDR and the need for comprehensive security measures, including regular updates and isolation of IoT devices from sensitive networks.
2025-03-06 20:26:54 theregister NATION STATE ACTIVITY Expanding Social Media Checks for U.S. Immigration Applicants
President Trump has issued an executive order demanding stringent vetting of foreigners in the U.S., including those already present and seeking immigration benefits. USCIS is set to extend social media monitoring to non-citizens within the U.S., not just new arrivals, impacting those applying for naturalization, legal permanent residence, or refugee or asylum status. The Department of Homeland Security had already mandated in 2019 that incoming non-citizens on work visas provide their social media details for screening against subversion and other security threats. The proposed changes could potentially complicate the application process for immigrants and create confusion among USCIS adjudicators and immigration lawyers due to vague criteria on what triggers adverse actions from social media usage. This initiative aligns with Trump's broader security agenda to safeguard the nation from foreign threats, emphasizing strict adherence to U.S. laws and warning of consequences for law violations. The public has a 60-day comment period to propose any amendments to these new regulations, with a deadline set for May 5. Automation will assist in managing the increased workload of analyzing social media without incurring additional costs, despite the significant time investment required.
2025-03-06 19:09:16 bleepingcomputer CYBERCRIME U.S. Agencies Seize Russian Crypto Exchange Involved in Ransomware
The U.S. Secret Service, alongside the DOJ, FBI, and Europol, has seized the domain of the Russian cryptocurrency exchange Garantex. Garantex was sanctioned by the EU and had its digital wallets blocked by Tether, resulting in a temporary suspension of its services. The seizure is part of a broader crackdown on entities facilitating cybercrime; Garantex is linked to over $100 million in transactions related to darknet markets and ransomware operations. Garantex had previously lost its license in Estonia for non-compliance with Anti-Money Laundering and Countering the Financing of Terrorism policies. Multiple law enforcement agencies worldwide collaborated in this action, highlighting the international effort against cybercrime linked to cryptocurrency exchanges. The Treasury's Office of Foreign Assets Control (OFAC) had earlier sanctioned Garantex and continues to target other exchanges and services that launder funds for cybercriminals.