Internet Crime Costs U.S. $12.5B, WordPress Breach Exploits, Cybercriminals Impersonate Government - Cybersecurity News [March 04, 2024]

by Duocircle

 

We’re back with the latest cybersecurity news that will keep you a step ahead of cybercriminals and their new tactics. This week, we’ll examine the findings of the FBI’s 2023 Internet Crime Report, a new campaign that turns WordPress visitors’ browsers into password brute-forcers, BEC attacks in which threat actors impersonate the U.S. Government, the new WogRAT malware, and how Germany’s Düsseldorf Police took down the country’s largest cybercriminal portal.

 

FBI Reports U.S. Suffered a Record $12.5 Billion Loss Due to Internet Crime in 2023

The FBI’s IC3 (Internet Crime Complaint Center) released its 2023 Internet Crime Report this week. The report shows that the U.S. suffered a record loss of $12.5 billion to internet crime in 2023.

That figure is a 22% increase over the prior year, while the number of complaints submitted to IC3 rose by 10%. Four online crime types caused the most significant financial losses in the U.S.: BEC (Business Email Compromise), which alone accounted for $2.9 billion in losses, ransomware, tech/customer support and government impersonation scams, and investment fraud.

IC3 received 2,825 ransomware complaints in 2023, affecting critical infrastructure and multiple other sectors. Among the attacks on critical infrastructure, the most frequently reported variants were LockBit (175), ALPHV/BlackCat (100), Akira (95), Royal (63), and Black Basta (41).

IC3 also operates a RAT (Recovery Asset Team), which works with law enforcement to freeze funds transferred under fraudulent pretenses before they leave the banking system. Since 2018 the team has reported a 71% success rate and has frozen $538.4 million in stolen funds.

 

Compromised WordPress Websites Exploit Visitor Browsers for Further Hacking Activities

Hackers are conducting widespread attacks on WordPress websites, injecting scripts that force visitors’ browsers to brute-force passwords on other websites.

Researchers from Sucuri have been tracking this threat actor, who previously breached websites to inject crypto wallet drainers: scripts that prompt visitors to connect their wallets to the site and then empty them of cryptocurrency and other digital assets.

Over the past year, the actor has expanded the operation by creating fake Web3 sites with wallet drainers, hijacking X accounts, buying Google and X advertisements, and even producing YouTube videos to promote the malicious sites. According to Sucuri’s latest report, the injected scripts have now switched to making visitors’ browsers run brute-force password attacks against other websites.


The threat actors compromise WordPress sites and inject code into their HTML templates. When a visitor loads a page, that code contacts the threat actor’s server and retrieves a password brute-force task as a JSON file containing the parameters for the attack. The browser stays connected to the malicious server and keeps executing tasks for as long as the page remains open, so the login attempts reach the targeted site from many ordinary visitor IP addresses rather than from the attacker’s own infrastructure.

It is still unclear why the threat actors shifted from wallet draining to brute-forcing credentials, but the injected scripts have been found on over 1,700 sites.
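Because the attempts are spread across many visitors’ browsers, the usual per-IP login rate limit on the targeted site never fires. The detection logic below is an added example for this article, not code from the original post or from Sucuri; it aggregates login attempts per target account across distinct source IPs instead. It assumes (the article does not say) that the attempts arrive as POST requests to wp-login.php or xmlrpc.php and that the web server logs the attempted WordPress username as an extra quoted field. The log lines are constructed for the demo.

```python
"""Detect a browser-distributed WordPress login brute force in web server logs.

Added example for this article; not code from the original post or from
Sucuri. Because the campaign described above spreads login attempts across
many visitors' browsers, each source IP makes only a handful of attempts and
per-IP rate limiting never fires. The signal that survives is: one target
account, many distinct source IPs, inside a short window, with no single IP
exceeding a small count.

Assumptions not stated in the article: attempts arrive as POST requests to
wp-login.php or xmlrpc.php, and the web server logs the attempted WordPress
username as an extra quoted field (a custom LogFormat). Log lines are
constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<user>[^"]*)"$'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # assumed brute-force endpoints
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one extended combined-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_distributed_bruteforce(lines, window=timedelta(minutes=5), min_ips=5, max_per_ip=3):
    """Return {username: distinct_ip_count} for accounts hit from many sources.

    An account that receives login POSTs from at least min_ips distinct IPs
    within `window`, none of which sends more than max_per_ip attempts, matches
    the browser-distributed pattern rather than a single noisy bot.
    """
    attempts = defaultdict(list)  # username -> [(timestamp, ip)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            attempts[rec["user"]].append((rec["ts"], rec["ip"]))

    flagged = {}
    for user, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so it covers only attempts within `window` of events[end]
            while events[end][0] - events[start][0] > window:
                start += 1
            per_ip = defaultdict(int)
            for _, ip in events[start:end + 1]:
                per_ip[ip] += 1
            if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
                flagged[user] = max(flagged.get(user, 0), len(per_ip))
    return flagged


def _line(ip, ts, method, path, user, status=403):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0" "{user}"'


# Constructed sample: six visitor IPs each try "admin" once over 42 seconds
# (the distributed pattern), one IP hammers "editor" four times (a single
# source, left to per-IP rate limiting), plus an unrelated GET.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", f"04/Mar/2024:10:00:{i * 7:02d} +0000", "POST", "/xmlrpc.php", "admin")
     for i in range(1, 7)]
    + [_line("198.51.100.9", f"04/Mar/2024:10:01:{i * 5:02d} +0000", "POST", "/wp-login.php", "editor")
       for i in range(1, 5)]
    + [_line("198.51.100.20", "04/Mar/2024:10:02:00 +0000", "GET", "/wp-login.php", "-", 200)]
)

if __name__ == "__main__":
    for user, n in find_distributed_bruteforce(SAMPLE_LOG).items():
        print(f"distributed brute force against '{user}' from {n} distinct IPs")
```

Run against the constructed log it flags only "admin" (six distinct IPs, one attempt each); the four attempts against "editor" from a single IP are deliberately excluded, since that pattern is what per-IP rate limiting already handles. Tune min_ips and window to the site’s normal login volume before alerting on real traffic.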

 

Cybercriminals Mimic U.S. Government Entities in Business Email Compromise Schemes

A threat actor group has been conducting BEC attacks by impersonating U.S. government entities.

Proofpoint tracks the group as TA4903. It has impersonated the U.S. Department of Agriculture, the U.S. Department of Transportation, and the U.S. Small Business Administration since at least 2019.

The lures are PDF attachments whose metadata carries a Nigerian-origin author name and which contain QR codes leading to phishing sites that impersonate official U.S. government portals. Other victims are sent to Office 365 login pages, where the group harvests their credentials; it uses the EvilProxy adversary-in-the-middle phishing kit to bypass MFA. The group is financially motivated and uses multiple tactics in pursuit of BEC.

Once TA4903 has access to an organization’s account, it searches the mailbox for keywords related to banking information or payments, then uses what it finds to send fraudulent invoices or payment requests to the compromised account’s contacts and partners.

The group stepped up its activity in mid-2023 and has also been using the pretext of a cyberattack to trick finance staff into updating payment details. It is a significant threat worldwide, but because the campaign has several steps (QR code, redirect, credential phishing, mailbox search, fraudulent payment request), each step is an opportunity for defenders to detect it.
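The QR code step is one such opportunity: a QR code is just a URL, and once decoded it can be checked like any other link before anyone scans it with a phone. The script below is an added example for this article, not code from the original post or from Proofpoint. It takes already-decoded QR payloads (decoding itself is out of scope) and flags the giveaways of the lures described above: a hostname that invokes an agency or Microsoft brand but is not under the genuine domain, a gov-themed name outside .gov, a userinfo trick that hides the real host, or a redirector whose real destination sits in a query parameter. The brand token table and the sample URLs are constructed assumptions.

```python
"""Triage URLs decoded from QR codes in suspicious PDF attachments.

Added example for this article; not code from the original post or from
Proofpoint. The QR codes described above lead either to sites impersonating
U.S. government portals or to Office 365 login pages fronted by an
adversary-in-the-middle proxy. Once a QR payload has been decoded (decoding
is out of scope here), these checks flag the usual giveaways: a hostname
carrying an agency or Microsoft brand token that is not under the genuine
domain, a gov-themed name outside .gov, a userinfo trick that hides the real
host, or a redirector whose real destination sits in a query parameter. The
brand token table and the sample URLs are constructed for the demo.
"""
from urllib.parse import urlparse, parse_qs

# Genuine domains for the brands TA4903 impersonates.
GENUINE = {
    "usda": ("usda.gov",),
    "dot": ("dot.gov", "transportation.gov"),
    "sba": ("sba.gov",),
    "microsoft": ("microsoftonline.com", "microsoft.com", "office.com", "live.com"),
}
# Substrings that signal the brand is being invoked in a hostname (assumed list).
BRAND_TOKENS = {
    "usda": ("usda",),
    "dot": ("usdot", "transportation"),
    "sba": ("sba",),
    "microsoft": ("microsoft", "office365", "o365", "outlook", "sharepoint"),
}
REDIRECT_PARAMS = ("url", "redirect", "redir", "u", "target", "dest", "next")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """Return the reasons a URL looks like credential phishing (empty list if none)."""
    reasons = []
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        reasons.append("not https")
    if "@" in p.netloc:
        # https://login.microsoftonline.com@evil.example/ really goes to evil.example
        reasons.append(f"userinfo in URL hides real host {host}")
    for brand, tokens in BRAND_TOKENS.items():
        if any(t in host for t in tokens) and not any(_under(host, d) for d in GENUINE[brand]):
            reasons.append(f"{brand} lookalike host {host}")
    if "gov" in host and not host.endswith(".gov"):
        reasons.append(f"gov-themed host outside .gov: {host}")
    for key, values in parse_qs(p.query).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                reasons.append(f"redirects to {v}")
                reasons.extend(classify_url(v))   # judge the final destination too
    return reasons


# Constructed sample payloads, as they might be decoded from QR codes.
SAMPLE_QR_PAYLOADS = [
    "https://www.sba.gov/funding-programs",
    "https://sba-gov-relief-portal.com/apply",
    "https://login.microsoftonline.com.secure-auth.example/common/oauth2",
    "https://t.example/r?url=https://o365-verify.example/login",
    "https://login.microsoftonline.com@evil.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_QR_PAYLOADS:
        verdict = classify_url(u)
        print(f"{'SUSPICIOUS' if verdict else 'ok        '} {u}")
        for r in verdict:
            print(f"    - {r}")
```

These are heuristics, not proof: a hostname like governance.example will trip the gov-themed check, and a lookalike that uses none of the listed tokens will pass. The value is in surfacing the redirect and userinfo cases that a person reading a shortened QR payload on a phone screen would never notice; anything flagged should be opened only in an isolated browser, if at all.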

 

[Image: Business Email Compromise attacks in 2023, cyber attacks by the numbers. Image sourced from linkedin.com]

 

Novel WogRAT Malware Utilizes Web-Based Notepad Services for Malicious Software Distribution

A new malware called WogRAT is targeting Windows and Linux users.

The malware abuses aNotepad, a free online notepad service, as a channel for storing and retrieving malicious code. ASEC (AhnLab Security Intelligence Center), which researched the malware, reports that it has been active since late 2022 and has targeted multiple Asian countries. Because aNotepad is a legitimate service that is not blocklisted, a note holding a base64-encoded .NET binary raises no alarms, and the initial executable is disguised as an Adobe tool.

When a user executes that initial file, antivirus tools do not flag it, because at that point it contains no malicious functionality of its own. Instead, it carries encrypted source code that it compiles and runs on the fly. The compiled stage downloads another .NET binary from aNotepad and loads it as a DLL: the WogRAT backdoor. The backdoor sends a profile of the victim system to its C2 (Command and Control) server and supports running commands, downloading files, uploading data to the server, waiting for specific times, and terminating processes.

The Linux version of WogRAT ships as an ELF binary and has the same capabilities as the Windows version. It does not use aNotepad; instead it is built on the open-source Tiny SHell backdoor, which it uses to route its operations. Malware protection solutions combined with phishing awareness training are essential for preventing such attacks.
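The delivery trick in the Windows chain is that the second stage crosses the network as plain text on a legitimate site. The script below is an added example for this article, not code from the original post or from ASEC; it shows what a content-inspection rule on a proxy or mail gateway can still do with such text: find long base64 runs, decode them, test for a PE image, and check the PE’s optional header for a CLR runtime header, which is what marks it as a .NET binary. The note text is constructed, and the embedded "executable" is a minimal header-only PE stub built inside the script, not a real sample.

```python
"""Spot a base64-encoded Windows executable hidden in a text note.

Added example for this article; not code from the original post or from ASEC.
WogRAT's loader fetches its next stage as a base64-encoded .NET binary stored
on a public online notepad, so what crosses the proxy looks like harmless
text. A content-inspection rule can still catch it: find long base64 runs,
decode them, and test whether the result is a PE image (an "MZ" DOS header
whose e_lfanew field points at a "PE\\0\\0" signature) and, further, whether
the PE carries a CLR runtime header, which marks it as .NET. The note text is
constructed, and the embedded "executable" is a minimal PE stub built here
rather than a real sample.
"""
import base64
import re
import struct

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # runs long enough to hold a binary


def looks_like_pe(data):
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_dotnet_pe(data):
    """True if the PE's optional header has a non-empty CLR runtime header directory (index 14)."""
    if not looks_like_pe(data):
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe + 4 + 20                       # skip 'PE\0\0' and the 20-byte COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                    # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        return False
    clr_off = opt + dirs_off + 14 * 8
    if len(data) < clr_off + 8:
        return False
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    if ndirs < 15:
        return False
    clr_rva, clr_size = struct.unpack_from("<II", data, clr_off)
    return clr_rva != 0 and clr_size != 0


def scan_note(text):
    """Return (offset, kind) for every base64 run in text that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:                  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(blob):
            hits.append((m.start(), "dotnet-pe" if is_dotnet_pe(blob) else "native-pe"))
    return hits


def build_stub_pe(dotnet=True):
    """Build a minimal PE32 header-only image for the demo (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR runtime header RVA/size
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


# Constructed note: ordinary text, a long but meaningless base64-alphabet run,
# and the encoded stub binary on a line of its own, as an attacker would paste it.
SAMPLE_NOTE = (
    "Meeting notes 2024-03-04\n"
    "Action items: follow up with vendor, renew certs.\n"
    + "x" * 80 + "\n"
    + base64.b64encode(build_stub_pe()).decode() + "\n"
    + "Reminder: patch cycle on Friday.\n"
)

if __name__ == "__main__":
    for offset, kind in scan_note(SAMPLE_NOTE):
        print(f"embedded {kind} at offset {offset}")
```

The 80-character run of "x" decodes cleanly but is not a PE, so it is ignored; only the stub is reported, and as .NET because its CLR directory entry is populated. A real deployment would also decode runs that are split across lines or wrapped in other encodings, but the PE and CLR header checks stay the same.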

 

German Authorities Dismantle Online Crime Marketplace, Affecting 180,000+ Users

Germany’s Düsseldorf Police took down a massive German-language illicit trading platform with over 180,000 users. Known as Crimemarket, it was the largest cybercrime marketplace in Germany and hosted tutorials for aspiring threat actors as well as listings for drugs and narcotics. Police arrested six people, including one of the platform’s operators.


Düsseldorf Police released an announcement explaining that the takedown was the result of years of investigation into the platform’s operators and users. Officers executed 102 search warrants simultaneously on the evening of February 29, 2024. The most significant searches took place in North Rhine-Westphalia, where three individuals, including the main suspect, were apprehended. Police seized cell phones, IT devices, data carriers, a kilogram of marijuana, ecstasy tablets, and 600,000 euros (about $656,763) in cash.

Users had reported problems earlier in the week, when they found they could no longer log in. The site’s home page still loads as before, but clicking any other link now leads to a police notice stating that the data has been confiscated as part of a Europe-wide coordinated operation.
