Orb Proxy Evasion, Dark Web Arrest, Chinese Hackers Infiltrate – Cybersecurity News [May 20, 2024]

by Duocircle


We’re back again with the latest cybersecurity news scoop of everything major that happened this past week. Join us as we take a look at state-sponsored threat actors using Orb Proxies, the arrest of the man behind a dark web drug market, Chinese hackers targeting military organizations, the return of Grandoreiro banking malware, and the infiltration of JAVS software. 


State-Sponsored Hackers Use Large Orb Proxy Networks to Avoid Detection

State-sponsored Chinese threat actors are using ORB proxy networks to avoid detection and spy on individuals. 

The hackers use a massive network of hijacked devices and virtual servers to hide their location and activity. The network that makes them so hard to detect is called an ORB (Operational Relay Box) network. ORB networks are similar to botnets, where hijacked devices are controlled by a single attacker, but with a twist: they are a mix of compromised devices and servers rented from online service providers. So, even if you detect one node, the threat actors can easily switch to a new one without leaving a trace.

Mandiant has been looking closely at these networks and has found two: ORB3/SPACEHOP, which is being used by several different hacker groups linked to China, and ORB2/FLORAHOX, a more complex network used by a broader set of threat actors. 

The best way to defend against ORB networks is to be aware of the latest threats and to keep your devices and software up to date. You should also be careful about what information you share online and be suspicious of any unexpected emails or attachments.


Incognito Dark Web Drug Market Operator Arrested in New York

The operator and alleged owner of Incognito Market was arrested in New York on 18 May.

The threat actor, Rui-Siang Lin, had been operating the dark web marketplace for the sale and purchase of illegal narcotics and was arrested at JFK (John F. Kennedy) Airport. Incognito Market is notorious and has been used to sell over $100 million worth of narcotics, including illicit drugs, methamphetamines, cocaine, amphetamines, and MDMA (ecstasy), since it was started in 2020.


(Image: Dark Drug Market Operator Arrested)


The Justice Department shared a press release that details how law enforcement agents executed search warrants to gain access to servers that were used to operate the marketplace. One of these was used to host the DDoS (Distributed Denial of Service) prevention system, another for the back-end marketplace, and the third one was used to process crypto transactions. Law enforcement also found 1,312 vendor accounts, 255,519 customer accounts, and 224,791 transactions for orders. 

Lin will appear in Manhattan federal court before U.S. Magistrate Judge Willis. If found guilty, Rui-Siang will face a mandatory sentence of life in prison for participating in a criminal enterprise. He could also face life in prison for narcotics conspiracy, up to 20 years for money laundering, and up to 5 years for conspiring to sell adulterated and misbranded medication. 


Chinese Hackers Infiltrate Military and Government Networks for Six Years

A new threat actor group that goes by the name of Unfading Sea Haze was discovered this week.

The threat actors are linked to China and have remained undetected for almost 6 years, targeting military and government agencies. Bitdefender observed the threat actor's activity and released a blog this week that highlights the sophisticated techniques the group uses to gain access to systems and steal sensitive data.

They typically start with spear-phishing emails that contain malicious attachments disguised as legitimate documents. These attachments lure you in with topics related to U.S. politics and filenames resembling familiar software updates. If you click on one of these attachments, it downloads malware directly into your computer’s memory without leaving any traces.

The malware is called “SerialPktdoor” and gives the attackers complete control over your system. Once they’re in, the threat actors create scheduled tasks that seem harmless but actually load malicious programs.

Unfading Sea Haze is a stealthy and adaptable threat actor that focuses on evading detection and persisting within compromised systems. To protect yourself, you need to implement a layered security strategy by keeping your software up to date, enabling MFA, segmenting your network to limit access, and monitoring network traffic for suspicious activity. Additionally, incorporating phishing protection into your security measures is essential.


Banking Malware Grandoreiro Reemerges Following Police Intervention

Grandoreiro, the infamous banking trojan, made a comeback with a large-scale phishing campaign targeting bank accounts of nearly 1500 customers in 60 different countries. 


(Image: Banker Trojans; sourced from fastercapital.com)


The malware operation, which had been targeting individuals in Spanish-speaking countries since 2017, was disrupted back in January this year when an international law enforcement operation took it down. The new campaign was recently discovered by the X-Force team at IBM, who reported that the Grandoreiro operators had returned and were renting the malware out to other threat actors. Plus, they have expanded their reach and are now targeting individuals in English-speaking countries too.

Because many different threat actors use the malware, the phishing lures vary, but in most of them the actors impersonate government entities such as tax administrations and revenue services. The phishing emails are carefully designed and carry official logos and formats to make them appear genuine.

When a victim clicks the link in the email, they are redirected to an image of a PDF file, which in turn downloads a ZIP file onto the victim's system containing a 100MB executable with the Grandoreiro loader. The loader has an improved string decryption algorithm, can maintain multiple seeds with the C2 (Command and Control) server, and can disable security alerts in Microsoft Outlook.

The malware also allows the threat actors to target banking applications and crypto wallets and to gather information from the victim’s system via keylogging, remote control, and browser manipulation.

The best way to stay safe against this malware is to learn what official communications from these agencies look like, verify each message you receive to determine whether it comes from the real agency or from a threat actor, and avoid interacting with it if it does not. 


JAVS Courtroom Recording Software Compromised in Supply Chain Attack

Threat actors have added a backdoor to the JAVS (Justice AV Solutions) courtroom video recording software that allows them to take over devices.


(Image: Supply Chain Attack)


JAVS has over 10,000 installations worldwide and has removed the compromised version from its official website. They have also conducted an audit of all systems and reset passwords to make sure there are no future breaches. 

The supply chain attack was investigated by Rapid7, a cybersecurity company, which found that the trojanized JAVS installer was first spotted in early April. The malware is linked to the Rustdoor/Gatedoor malware and sends information to the threat actor’s C2 server once it is installed on the victim device. It also executes obfuscated PowerShell scripts to bypass AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows).

If you are a JAVS user, you need to reimage all endpoints and reset all credentials that you use to log onto these endpoints. Also, upgrade to version 8.3.9 or higher after reimaging the systems. 
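Two of this week's stories describe the same post-compromise pattern: Unfading Sea Haze persists through scheduled tasks that look harmless but load malicious programs, and the trojanized JAVS installer runs obfuscated PowerShell to get past AMSI and ETW. The following PowerShell audit is an added example, not code from the article, Bitdefender, Rapid7 or JAVS. It enumerates every scheduled task on the local machine and flags task actions that run from user-writable directories, launch script hosts or other commonly abused system binaries, or pass encoded or evasion-oriented PowerShell arguments. The directory list, the binary list, the keyword list and the 20-character threshold for a Base64 blob are assumptions chosen for triage, not indicators published in either report.

```powershell
# Added defensive example (not from the article or the vendors it cites).
# Lists scheduled-task actions that deserve a closer look. All lists and
# thresholds below are assumptions for triage, not published indicators.

# Directories an unprivileged user can normally write to (assumed list).
$userWritableDirs = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
    'C:\ProgramData', 'C:\Users'
) | Where-Object { $_ }

# Script hosts and system binaries frequently used to stage payloads (assumed list).
$scriptHosts = @(
    'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'
)

function Get-SuspiciousTaskAction {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler and email/message actions carry no Execute property; skip them.
            if (-not $action.Execute) { continue }

            $exe       = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $arguments = [string]$action.Arguments
            $reasons   = @()

            if ($userWritableDirs | Where-Object { $exe -like "$_*" }) {
                $reasons += 'runs from a user-writable directory'
            }
            if ($scriptHosts -contains (Split-Path -Path $exe -Leaf).ToLower()) {
                $reasons += 'launches a script host or commonly abused system binary'
            }
            # -e, -ec, -enc, -encodedcommand followed by a Base64 blob (assumed >= 20 chars).
            if ($arguments -match '(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}') {
                $reasons += 'passes an encoded PowerShell command'
            }
            # Keywords that typically appear in download-and-run or policy-bypass one-liners.
            if ($arguments -match '(?i)(bypass|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b)') {
                $reasons += 'uses evasion or download keywords'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $arguments
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: run in an elevated PowerShell session so tasks under \Microsoft\ are readable.
Get-SuspiciousTaskAction | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

Expect some noise: legitimate updaters also run from ProgramData and call cmd.exe, so treat the output as a worklist, not a verdict. Compare the Author, TaskPath and action against what the software on that host is known to install, and for anything flagged with an encoded command decode the Base64 and read it before deciding. On a JAVS host that is about to be reimaged, running this first and exporting the result with Export-Csv preserves evidence of what the trojanized installer left behind.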
