Weekly Cyber Reports

This Week in Cyber 27th September 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 26th September, 2024

Analyst Insight


This week, the U.S. Department of the Treasury imposed hard sanctions on crypto exchanges that assist cybercriminal activity. In other news, the popular messaging app Telegram has changed its privacy policy under pressure from authorities to cooperate more fully with criminal investigations. Additionally, the public Wi-Fi at 19 UK railway stations was hacked, with terrorist messaging displayed on passengers' devices. Researchers found transport and logistics firms being targeted by information-stealing malware delivered through unusual social engineering. This week also saw the emergence of a new malware variant, PondRAT, which has been found within Python packages. Lastly, the GeoServer software is being actively exploited by a sophisticated threat actor.

Operation Endgame: US Sanctions Crypto Exchanges Used by Ransomware Gangs


On Thursday, the U.S. Department of the Treasury took action to sanction money laundering services used by ransomware gangs, in collaboration with Operation Endgame. The Treasury’s Financial Crimes Enforcement Network (FinCEN) sanctioned two prominent crypto exchanges, PM2BTC and Cryptex, which have been linked to laundering cryptocurrency for ransomware groups and other cybercriminal organisations.

PM2BTC is accused of facilitating currency conversions through U.S.-sanctioned financial institutions for cybercriminals while failing to enforce anti-money laundering protocols. Cryptex has reportedly laundered over $51 million through its platform, with over $720 million in transactions tied to ransomware-related activities and other illicit services, according to the Treasury.

As a result of these sanctions, U.S. citizens are now prohibited from using PM2BTC or Cryptex, and any assets held in accounts associated with these exchanges will be frozen.

Transport and Logistics Firms Targeted with Information Stealing Malware


Researchers at Proofpoint discovered threat actors targeting transport and logistics firms in North America. The group used compromised email accounts belonging to these firms to send malicious links and attachments inside ongoing email threads. Between May and July 2024, the attackers primarily deployed Lumma Stealer, StealC, or NetSupport as their payloads, but in August 2024 they shifted tactics, delivering DanaBot and Arechclient2, both designed to steal information from victims' devices.

Extensive research went into crafting targeted lures aimed at the employees of these firms, with at least 15 compromised email accounts identified by the researchers.

“Threat actors are increasingly tailoring lures to be more realistic to entice recipients to click on a link or download attachments,” Proofpoint stated.

Telegram Updates Policy to Assist Authorities' Criminal Investigations


Telegram, a popular messaging app with over 950 million monthly active users, recently announced changes to its terms of service. While the platform has long advertised its commitment to user privacy and anonymity, Telegram has now stated that users’ IP addresses and phone numbers will be shared with authorities in response to valid legal requests, in an effort to curb criminal activity on the platform.

“If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities,” Telegram explains in its updated privacy policy.


Previously, the privacy policy only allowed user information to be shared if the user was suspected of terrorism, and did not address other criminal activities.

19 UK Railway Stations Wi-Fi Hacked to Display Terror Messages


According to BBC News, Network Rail has confirmed a cyber-attack targeting public Wi-Fi systems at several train stations. Passengers reported that, when logging onto the stations' public Wi-Fi, they were confronted with screens displaying messages about terror attacks in the UK and Europe. The stations affected include London Euston, Manchester Piccadilly, Liverpool Lime Street, Birmingham New Street, Edinburgh Waverley, and Glasgow Central.

The British Transport Police stated: “We received reports at around 5.03pm yesterday (25th September) of a cyber-attack displaying Islamophobic messaging on some Network Rail Wi-Fi services. We are working alongside Network Rail to investigate the incident at pace.”

Telent, the third-party company managing the stations’ Wi-Fi, explained: "It has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account." Global Reach is another company responsible for providing the internet service.

PondRAT: Lurking in Python Packages

PondRAT, a new malware variant potentially linked to nation-state threat actors, has been discovered lurking in poisoned Python packages. The malware specifically targets software developers. According to Palo Alto Networks, PondRAT is a lighter version of the known POOLRAT malware.

These attacks are part of a larger, persistent cyber campaign known as “Operation Dream Job.” This campaign employs job offers as a bait-and-switch tactic to trick individuals into installing malware. The suspected goal of this operation is to infiltrate the supply chain of as many firms as possible.
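Poisoned packages of the kind described above normally run their payload at install time rather than at import time, which is what a pre-install review should look for. The following script is an added example, not from this report or from Palo Alto Networks' research: it walks a package's setup.py with Python's ast module and flags custom setuptools install command classes and calls such as process spawning or base64 decoding. The watch-list and the sample setup.py are constructed for illustration and do not correspond to any real package.

```python
import ast

# Watch-list of calls that have no business in a normal setup.py (assumed list).
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "os.system", "os.popen",
                    "subprocess.Popen", "subprocess.run", "subprocess.call",
                    "urllib.request.urlopen", "requests.get", "base64.b64decode"}
# setuptools command classes that run during `pip install` when subclassed.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}

def _call_name(node: ast.Call) -> str:
    """Render the callee as a dotted name, e.g. 'subprocess.Popen'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def scan_setup_py(source: str) -> list[str]:
    """Return findings for install-time hooks and suspicious calls in setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # Subclassing setuptools' install/develop command runs arbitrary code
            # at install time; that is the usual hook for a poisoned package.
            bases = {b.attr if isinstance(b, ast.Attribute) else getattr(b, "id", "")
                     for b in node.bases}
            if bases & INSTALL_HOOKS:
                findings.append(f"line {node.lineno}: custom install command class {node.name}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: suspicious call {name}")
    return findings

# Constructed sample resembling a trojanised setup.py (not a real package).
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(base64.b64decode("ZWNobyBoaQ==").decode())

setup(name="demo", version="0.1", cmdclass={"install": PostInstall})
'''
```

Running scan_setup_py(SAMPLE_SETUP_PY) reports the custom install class on line 5 and the subprocess.Popen and base64.b64decode calls on line 8; a setup.py that only calls setup() produces no findings.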

GeoServer Exploited by Custom Malware

A critical vulnerability in the widely used GeoServer software is being actively exploited by a sophisticated threat actor with suspected ties to nation-state entities. This actor is likely backed by at least one government body. The campaign targets a range of organisations, including government agencies, critical infrastructure, and the telecommunications sector. The attackers employ spear-phishing tactics, sending malware-laden files disguised as official documents. Once the vulnerability is exploited, they deploy a backdoor known as ‘EAGLEDOOR’, allowing them to maintain persistent access to the compromised systems.
