This week’s cybersecurity bulletin covers a student arrested for running a darknet market, Google’s seventh Chrome zero-day of the year, a ransomware attack on ACL, the arrest of the man behind Raccoon Stealer, LinkedIn’s latest steps to battle malicious actors, and the Hive ransomware attack on one of the largest electricity providers.

Student Arrested, Ran Germany’s Largest Dark Web Market

BKA, Germany’s Federal Criminal Police Office, has arrested a student from Bavaria. The 22-year-old is suspected to be the admin of “Deutschland im Deep Web,” one of the country’s largest darknet markets.

The darknet website apparently went offline in March 2022 and had 16,000 users, 28,000 posts, and over 70 high-volume sellers of weapons and drugs. The student could face up to 10 years of imprisonment for operating the illicit platform that has been around since 2013. The platform started as a forum for IT security discussions and had 23,000 users and 6 million monthly hits in 2017, one of its peak years.

BKA announced that the site was utilized to sell weapons and drugs. The sophisticated platform also utilized an escrow service to protect against fraud and was shut down in 2017. However, the site restarted the following year with new operators following a self-imposed motto, “No control, everything allowed.” The platform got a second and third iteration in 2019.

After nearly five years, the BKA has apprehended the suspected mastermind behind the darknet website, making clear once more to cybercriminals worldwide that the law eventually catches up.

Google’s Zero-Day Exploits: Seventh Exploit of the Year

Google has released an urgent security update for its Chrome browser to fix CVE-2022-3723, a high-severity vulnerability.

CVE-2022-3723 is a type confusion bug in Chrome’s V8 JavaScript engine, discovered by Avast’s analysts. Google has withheld the vulnerability details to give Chrome users time to update before they are published. A type confusion bug generally occurs when a program allocates a resource or object using one type but accesses it using a different, incompatible one.

Such a mismatch leads to out-of-bounds memory access, which could allow threat actors to read sensitive information belonging to other applications or execute code. CVE-2022-3723 is the seventh zero-day vulnerability Google has fixed in Chrome in 2022; the earlier ones were exploited in a variety of attacks, including by state-sponsored threat actors.

Until the details of the zero-day vulnerability are published, all individuals are advised to update their Chrome browser via its settings.
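As an added illustration of the bug class described above (not code from the bulletin or from Chrome/V8), the following C model uses a constructed two-object mini-heap: an unchecked reader treats a small object as a larger one and pulls in its neighbour’s bytes, while the hardened reader checks the type tag first. The object layouts, names and the "KEY!" secret are all assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Two object kinds sharing a header with a runtime type tag (assumed layouts). */
enum Kind { KIND_NUMBER = 1, KIND_BUFFER = 2 };
struct Header    { uint32_t kind; };
struct NumberObj { struct Header hdr; int32_t value; };                  /*  8 bytes */
struct BufferObj { struct Header hdr; uint32_t len; uint8_t data[16]; }; /* 24 bytes */
/* Constructed mini-heap: a NumberObj immediately followed by a BufferObj holding a
 * secret. All access goes through memcpy inside this array, so the demo stays
 * well-defined C while modelling the out-of-bounds read this bug class causes. */
static unsigned char heap[64];
void build_heap(void) {
    struct NumberObj num = { { KIND_NUMBER }, 7 };
    struct BufferObj secret = { { KIND_BUFFER }, 4, "KEY!" };
    memset(heap, 0, sizeof heap);
    memcpy(heap, &num, sizeof num);
    memcpy(heap + sizeof num, &secret, sizeof secret);
}
/* Vulnerable: trust that obj is a BufferObj and copy sizeof(BufferObj) bytes without
 * checking hdr.kind. On the 8-byte NumberObj this reads 16 bytes past the object. */
void read_as_buffer_unchecked(const unsigned char *obj, struct BufferObj *out) {
    memcpy(out, obj, sizeof *out);
}

/* Hardened: verify the runtime type tag first; return -1 on a mismatch. */
int read_as_buffer_checked(const unsigned char *obj, struct BufferObj *out) {
    struct Header h;
    memcpy(&h, obj, sizeof h);
    if (h.kind != KIND_BUFFER) return -1;
    memcpy(out, obj, sizeof *out);
    return 0;
}

/* 1 if viewing the NumberObj as a BufferObj exposes the neighbour: view.len becomes
 * the number's value (7) and view.data[8..11] are heap bytes 16..19, the "KEY!". */
int demo_unchecked_leaks_neighbour(void) {
    struct BufferObj view;
    build_heap();
    read_as_buffer_unchecked(heap, &view);
    return view.len == 7 && memcmp(view.data + 8, "KEY!", 4) == 0;
}

/* 1 if the checked reader rejects the NumberObj and accepts the real BufferObj. */
int demo_checked_rejects_mismatch(void) {
    struct BufferObj view;
    build_heap();
    return read_as_buffer_checked(heap, &view) == -1 &&
           read_as_buffer_checked(heap + sizeof(struct NumberObj), &view) == 0 && view.len == 4;
}
```

In a real engine the "neighbour" is whatever the allocator placed next, which is why a single missing tag check can turn into an information leak or worse.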

ACL Patient Data Stolen in Ransomware Attack

ACL (Australian Clinical Labs) suffered a data breach in February 2022, exposing the records of nearly 223,000 individuals.

The data breach impacted ACL’s Medlab Pathology business, but ACL has not yet identified any misuse of the stolen information. ACL was hit by the Quantum ransomware gang, which uploaded all the stolen data to its Tor leak site. The gang leaked nearly 86GB of data, including personal, financial, and healthcare information, exposing victims to credit card fraud, impersonation, identity theft, and spear phishing.

ACL was slow to respond, taking five months to realize that threat actors had exfiltrated its data. The organization is notifying all impacted individuals and has released details of the ransomware attack, which led to the leak of 128,608 Medicare numbers and names, 28,286 credit card numbers (12% including CVVs and 55% being expired cards), and the medical and health records associated with the pathology tests of 17,539 customers.

ACL has announced that it will bear the costs of ID replacements and has also offered credit monitoring and identity theft protection services to affected customers free of charge.

LinkedIn’s Response to Fake Profiles and Threat Actors

LinkedIn has introduced new features to combat malicious use of its platform and deal with fake profiles.

LinkedIn has come under heavy scrutiny after being abused by threat actors for malicious activities such as spreading malware, cyber espionage operations, credential theft, and financial fraud, a prime example being Lazarus misusing the platform to approach targets with fake job offers. To combat such cybercriminals, LinkedIn has announced that it will display additional information to help verify the legitimacy of accounts and will hunt fake profiles using AI (Artificial Intelligence) software.

Individuals can check when a user created their profile, whether they have passed mobile verification, and whether the account is linked to an email. Such an approach helps rule out threat actors, since newly created, unlinked, or poorly connected profiles are red flags. The AI will also catch accounts using AI-generated images, and LinkedIn will display a warning if anyone in a chat proposes switching the conversation to another platform. Since sophisticated threat actors rely on exactly these tricks, safer communications and verified profile pictures would make LinkedIn a safer platform.

The steps taken by LinkedIn are proactive and a step in the right direction. It is still early to answer whether malicious activity on social media will reduce. Nonetheless, LinkedIn’s actions will definitely make it harder for threat actors to utilize the medium as they wish.

The Man Behind Raccoon Stealer Service Arrested

Mark Sokolovsky, a 26-year-old Ukrainian, has been arrested for involvement in the MaaS (Malware as a Service) operation Raccoon Stealer.

Raccoon Stealer is an information-stealing Trojan that threat actors could rent for $75 a week. Renters also received an admin panel for customizing the malware, producing new builds, and collecting stolen data such as browser credentials, credit card information, crypto wallets, emails, and miscellaneous system data.

Also known online as raccoonstealer and black21jack77777, Sokolovsky is jailed in the Netherlands and is awaiting extradition to the US. Dutch authorities arrested him in March 2022 while working with the FBI and Italian law enforcement, and Raccoon’s infrastructure was halted and taken offline. However, Raccoon Stealer was relaunched in June with a new version featuring new data theft capabilities and a new software architecture.

The US DOJ (Department of Justice) says over 50 million credentials and forms of identification have been found in the data stolen by Raccoon Stealer’s operators and believes more data could surface. You can check whether your data appears in Raccoon Infostealer’s stolen data by visiting the FBI’s portal.

Data Leak: Hive Ransomware Attack on Tata Power

The Hive ransomware group has struck once again, this time claiming responsibility for an attack on Tata Power.

Tata Power is India’s largest integrated power enterprise and a subsidiary of the multinational Tata Group. Hive operators had been in negotiations with Tata Power before posting the organization’s stolen data on their leak site. The stolen data includes PII (Personally Identifiable Information) of the organization’s employees, Aadhaar (national ID) card information, PAN numbers (tax account numbers), and salary information.

Hive also leaked financial and banking records, engineering drawings, and client information. Hive attacked and encrypted Tata Power’s systems on 3 October, with the organization disclosing limited details about the cyberattack later. Tata Power has said that it has restored the systems with all critical operations functioning correctly. Furthermore, the organization has restricted access and added preventive checks for employees and customers.

Tata Power has not provided further details about the attack and says more details will be provided in the future.
