We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

Today I have great news to share: We’ve acquired AzireVPN, a privacy-focused VPN provider based in Sweden. 

I wanted to share with you our intentions behind this exciting step, and what this means for our existing users and the family of solutions they rely on to keep them private and secure. 

Malwarebytes has long been an advocate for user privacy (think Malwarebytes Privacy VPN and our free web extension Malwarebytes Browser Guard). Now, we’re leaning even more on our mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet.  

With AzireVPN’s infrastructure and intellectual property, Malwarebytes is poised to develop more advanced VPN technologies and features, offering increased flexibility and enhanced security for our users. 

**Why AzireVPN?** 

AzireVPN is renowned for its robust security standards and privacy-first commitment. Here are two examples of what the company does to support that: 

*   AzireVPN physically owns and controls all of its dedicated and diskless servers—a practice Malwarebytes is committed to continuing.  

*   The company developed Blind Operator, a unique privacy feature implemented to completely disable both remote and local access to its servers. This creates a barrier against unauthorized modifications and traffic interception, making it virtually impossible for anyone to modify or tap the traffic on its servers and share any information about a user.  

**What does this mean for existing Malwarebytes Privacy VPN customers?** 

There are no changes for Malwarebytes Privacy VPN customers at this time. They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.  

**What does this mean for existing AzireVPN customers?** 

AzireVPN customers will also continue to enjoy the same privacy-focused VPN service – no logs, no data collection, no bandwidth limitations. There will continue to be no requirement to share any information to sign up for the service.   

**An exciting future is ahead of us** 

We’ll share more details on our future VPN offering in the coming months.  

I’m so excited about our future. This is yet another milestone for Malwarebytes, underscoring our commitment to privacy and a free and open internet.  

Thanks for putting your trust in us to protect you.

 Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities  

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how…

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how this stealthy attack works, the techniques used, and how to protect yourself from this growing threat.

North Korean state-sponsored APT group ‘**BlueNoroff**‘ is targeting crypto-related businesses in a campaign dubbed ‘Hidden Risk’, according to SentinelOne’s findings shared with Hackread.com. 

SentinelLabs’ threat researchers reportedly discovered that BlueNoroff, a subgroup of the larger North Korean state-backed **Lazarus Group**, is targeting cryptocurrency and DeFi businesses using use email and PDF-based lures with fake news headlines/crypto-related stories in a campaign that began in July 2024.

Examples of fake news, posts and announcements used in the attack (Via SentinelOne)

****Analyzing the Attack****

Researchers noted that attackers have employed unique tactics to evade detection and compromise victim systems. The attack begins with a **well-crafted phishing email** that lures unsuspecting victims into clicking on a malicious link that leads to a seemingly legitimate PDF document, which is actually hiding a malicious Swift-language-based Mac application cleverly disguised as a PDF reader (signed/notarized on 19 October 2024).

“The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”,” researchers **explained**.

Once executed, this application discreetly downloads a decoy PDF (Hidden Risk) and then downloads/executes a malicious x86-64 binary (“growth”) on both Intel and Apple silicon machines. 

Growth installs itself persistently and acts as a backdoor. It gathers sensitive information about the infected system, communicates with a remote server controlled by the attackers, and can potentially receive and execute commands.

****Persistence Mechanism****

To ensure persistence, the attackers have opted for a unique method of modifying the Zsh configuration file (zshenv) by adding malicious code to ensure its continued presence. This is a critical file used by the Zsh shell and is sourced during every Zsh session, allowing the backdoor to automatically execute upon system startup, even after a reboot.

****The BlueNoroff Connection****

SentinelLabs’ researchers have linked this campaign with BlueNoroff because it resembles techniques from their past campaigns, including parsing server commands and saving them in hidden files. The campaign’s network infrastructure analysis also reveals connections to domains used in previous campaigns using services like **NameCheap** and Quickpacket for hosting.

Furthermore, the malware uses a User-Agent string previously linked to BlueNoroff’s “**RustBucket**” malware and exploits a developer account to get their malware notarized by Apple, bypassing security measures like **Gatekeeper**.

****Staying Protected****

BlueNoroff has a history of targeting cryptocurrency exchanges, venture capital firms, and banks and poses a constant threat to the industry. They prefer using PDF-based lures mainly because PDF documents are widely used and trusted, making them ideal for malicious payloads.

Hackread recently **reported** BlueNoroff-linked malware, TodoSwift, disguised as a legitimate PDF viewer and ObjCShellz malware **targeting macOS** to run remote shell commands on Intel and Arm Macs.

Therefore, it is important to double-check email addresses, watch out for emails from anonymous sources, and avoid clicking on links in unknown emails, especially if they ask for downloading applications/PDFs. MacOS users must remain aware of risks given the sudden rise in **macOS-oriented attacks**.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

North Korean Hackers Use Fake News to Spread ‘Hidden Risk’ Malware

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.
Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys. Targeted regions include the United States, Europe, East Asia, and South America.
"The campaign

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.

Cybersecurity firm Check Point is tracking the large-scale campaign under the name **CopyRh(ight)adamantys**. Targeted regions include the United States, Europe, East Asia, and South America.

"The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity," the company said in a technical analysis. "Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors."

The attacks are notable for the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future's Insikt Group early last month, incorporates artificial intelligence (AI) for optical character recognition (OCR).

The Israeli company said the activity overlaps with a campaign that Cisco Talos disclosed last week as targeting Facebook business and advertising account users in Taiwan to deliver Lumma or Rhadamanthys stealer malware.

The attack chains are characterized by the use of spear-phishing tactics that entail sending email messages claiming purported copyright violations by masquerading as well-known companies.

These emails are sent from Gmail accounts and claim to be from legal representatives of the impersonated companies. The contents of the message accuse the recipients of misusing their brand on social media platforms and request them to remove the concerned images and videos.

"The removal instructions are said to be in a password-protected file. However, the attached file is a download link to appspot.com, linked to the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password provided in the email)," Check Point said.

The RAR archive contains three components, a legitimate executable vulnerable to DLL side-loading, the malicious DLL containing the stealer payload, and a decoy document. Once the binary is run, it sideloads the DLL file, which then paves the way for the deployment of Rhadamanthys.

Check Point, which attributed the campaign to a likely cybercrime group, said that it's possible the threat actors have utilized AI tools given the scale of the campaign and the variety of the lures and sender emails.

"The campaign's widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor," it said. "Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates."

**New SteelFox Malware Exploits Vulnerable Driver**

The findings come as Kaspersky shed light on a new "full-featured crimeware bundle" dubbed SteelFox that's propagated via forums posts, torrent trackers, and blogs, passing off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD.

The campaign, dating back to February 2023, has claimed victims across the world, particularly those located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. It has not been attributed to any known threat actor or group.

"Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers," security researcher Kirill Korchemny said. "It also uses stealer malware to extract the victim's credit card data as well as details about the infected device."

The starting point is a dropper app that impersonates cracked versions of popular software, which, when executed, asks for administrator access and drops a next-stage loader that, in turn, establishes persistence and launches the SteelFox DLL.

The admin access is subsequently abused to create a service that runs an older version of WinRing0.sys, a hardware access library for Windows that's vulnerable to CVE-2020-14979 and CVE-2021-41285, thereby allowing the threat actor to obtain NT\\SYSTEM privileges.

"This driver is also a component of the XMRig miner, so it is utilized for mining purposes," Korchemny noted. "After initializing the driver, the sample launches the miner. This represents a modified executable of XMRig with junk code fillers. It connects to a mining pool with hardcoded credentials."

The miner, for its part, is downloaded from a GitHub repository, with the malware also initiating contact with a remote server over TLS version 1.3 to exfiltrate sensitive data from web browsers, such as cookies, credit card data, browsing history, and visited places, system metadata, installed software, and timezone, among others.

"Highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power," Kaspersky said. "Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region.
"During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to

Threat Intelligence / Cyber Espionage

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an entity in the region.

"During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to September 2024.

"This shows that even considering this new geographic targeting, MirrorFace remains focused on Japan and events related to it."

MirrorFace, also tracked as Earth Kasha, is assessed to be part of an umbrella group known as APT10, which also comprises clusters tracked as Earth Tengshe and Bronze Starlight. It's known for its targeting of Japanese organizations at least since 2019, although a new campaign observed in early 2023 expanded its operations to include Taiwan and India.

Over the years, the hacking crew's malware arsenal has evolved to include backdoors such as ANEL (aka UPPERCUT), LODEINFO and NOOPDOOR (aka HiddenFace), as well as a credential stealer referred to as MirrorStealer.

In the latest attack detected by the Slovak cybersecurity company, the victim was sent a spear-phishing email containing a link to a ZIP archive ("The EXPO Exhibition in Japan in 2025.zip") hosted on Microsoft OneDrive.

Image Source: Trend Micro

The archive file included a Windows shortcut file ("The EXPO Exhibition in Japan in 2025.docx.lnk") that, when launched, triggered an infection sequence that ultimately deployed ANEL and NOOPDOOR.

"ANEL disappeared from the scene around the end of 2018 or the start of 2019, and it was believed that LODEINFO had succeeded it, appearing later in 2019," ESET said. "Therefore, it is interesting to see ANEL resurfacing after almost five years."

The development comes as threat actors affiliated with China, like Flax Typhoon, Granite Typhoon, and Webworm, have been found to be increasingly relying on the open-source and multi-platform SoftEther VPN to maintain access to victims' networks.

It also follows a report from Bloomberg that said the China-linked Volt Typhoon breached Singapore Telecommunications (Singtel) as a "test run" as part of a broader campaign targeting telecom companies and other critical infrastructure, citing two people familiar with the matter. The cyber intrusion was discovered in June 2024.

Telecommunication and network service providers in the U.S. like AT&T, Verizon, and Lumen Technologies have also become the target of another Chinese nation-state adversarial collective called Salt Typhoon (aka FamousSparrow and GhostEmperor).

Earlier this week, The Wall Street Journal said the hackers leveraged these attacks to compromise cellphone lines used by various senior national security, policy officials, and politicians in the U.S. The campaign is also alleged to have infiltrated communications providers belonging to another country that "closely shares intelligence with the U.S."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait

The Canadian government on Wednesday ordered ByteDance-owned TikTok to dissolve its operations in the country, citing national security risks, but stopped short of instituting a ban on the popular video-sharing platform.
"The decision was based on the information and evidence collected over the course of the review and on the advice of Canada's security and intelligence community and other

National Security / Social Media

The Canadian government on Wednesday ordered ByteDance-owned TikTok to dissolve its operations in the country, citing national security risks, but stopped short of instituting a ban on the popular video-sharing platform.

"The decision was based on the information and evidence collected over the course of the review and on the advice of Canada's security and intelligence community and other government partners," François-Philippe Champagne, Minister of Innovation, Science and Industry, said in a statement.

The government said it does not intend to block Canadians' access to the app itself or curtail their ability to create new content, stating the use of a social media application is a "personal choice." The use of the app has already been banned on Canadian government devices since February 2023.

That having said, it urged Canadians to adopt good cyber security practices and assess the possible risks that could arise from using social media platforms, specifically regarding how their information is secured, managed, used, and shared by foreign actors.

Furthermore, the government said the order to wind up TikTok's business was made in accordance with the Investment Canada Act, which "allows for the review of foreign investments that may be injurious to Canada's national security."

In a statement shared with the Associated Press, the company said the shutdown of its Canadian offices would eliminate hundreds of local jobs, and that it intends to challenge the order in court.

TikTok, which is owned by China's ByteDance, has raised concerns in the U.S. that the service could be compelled by Beijing to hand over data of TikTok's U.S. consumers through domestic national security laws that require organizations to assist with intelligence gathering.

These worries prompted the U.S. government to sign a law that gives ByteDance until January 19, 2025, to divest TikTok or risk a ban in the country. TikTok sued in U.S. federal court in May, seeking to block the law.

While the company has long maintained that it doesn't share data with the Chinese government, it has faced a complete blockade in several countries, including Afghanistan, India, Nepal, and Pakistan. The use of the app is also prohibited on government-issued devices across several countries globally.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Canada Orders TikTok to Shut Down Canadian Operations Over Security Concerns

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Source: Charles Walker Collection via Alamy Stock Photo

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.

Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.

The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.

**CopyR(ight)hadamantys**

No two emails in the campaign that researchers have dubbed "CopyR(ight)hadamantys" come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.

Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.

The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text \[by accident\]?' Even if you didn't."

Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.

**What to Know About Rhadamanthys**

Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web. It's more expensive than other infostealers: Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000. It's much more modular, more obfuscated, and more complicated in how it's built: The way it loads itself, hides itself, all this makes detection much more complicated."

Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.

In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's Void Manticore, and the pro-Palestine group "Handala."

**One Strange Stealth Feature**

Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.

After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, which masquerades as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an "overlay" — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.

Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."

Organizations might want to sniff out at any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some \[effective\] rules for what you can download."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fake Copyright Infringement Emails Spread Rhadamanthys

The mobile device maker continues to investigate IntelBroker's claims of another high-profile data breach, with the cybercriminal group posting on BreachForums internal data allegedly stolen from Nokia through a third-party contractor.

Source: Nico El Nino via Alamy Stock Photo

Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.

Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia's online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.

The group claimed to have obtained the data through a breach of a third-party contractor linked to Nokia’s internal tool development, though no customer data seems to have been affected by the breach, according to the report.

"Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," a Nokia spokesperson tells Dark Reading. "Nokia takes this allegation seriously and we are investigating."

However, at this time, the company's investigation "has found no evidence that any of our systems or data being impacted," though Nokia continues "to closely monitor the situation," the spokesperson says.

**Group Known for High-Profile Data Heists**

Given that IntelBroker is a notorious threat actor that already has pulled off a series of high-profile data heists, the chance that Nokia eventually will find that its data has been stolen seems likely. The Serbian-based entity began operations in 2022 and is linked to data breaches that affected Apple, the US House of Representatives, Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

If IntelBroker's claim turns out to be true, data stolen in the heist and then sold to a malicious actor or actors potentially could be used to engage in other cybercriminal activity against Nokia. For example, stolen using credentials to gain unauthorized access to Nokia systems and breach other sensitive data or propagate malware. Depending on the nature of the data, other organizations also could be at risk.

The incident also demonstrates yet another example of how organizations are exposed to security risks through third-parties that contract with the company, observes Jim Routh, chief trust officer at cybersecurity firm Saviynt. However, that the breach itself occurred through a third party is not a huge surprise, he tells Dark Reading via email.

**Mitigating Third-Party Risk**

In fact, numerous high-profile cyberattacks at global multinational organizations have been the result of breaches through third parties, including incidents that occurred at credit card company American Express, Spanish banking institution Santander, and US-based financial organization Bank of America.

However, Routh says that the alleged Nokia breach "represents a bit of a head-scratcher" because it involves the compromise of "third-party credentials for access to the software supply chain."

"The head-scratching comes from why a third party has access to Nokia source code," he notes. However, it's possible that attackers gained access through a software engineer contributing to an internal project, Routh adds, speculating that hackers exploited "credential management for access to the software build process."

One potential way that organizations can protect themselves from a similar incident, he says, is to improve identity management for cloud accounts with access to the software supply chain to avoid inadvertently exposing sensitive data to threat actors.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Nokia: No Evidence So Far That Hackers Breached Company Data

INTERPOL with global law enforcement and Group-IB, successfully dismantled a vast network of malicious IP addresses and servers.…

INTERPOL with global law enforcement and Group-IB, successfully dismantled a vast network of malicious IP addresses and servers. This coordinated effort targeted cybercriminals involved in phishing, ransomware, and information theft.

In a high-profile global operation, INTERPOL, in collaboration with law enforcement agencies from 95 countries and cybersecurity firm Group-IB, has successfully dismantled a vast network of malicious IP addresses and servers. 

This coordinated effort, known as Operation Synergia II, targeted cybercriminals involved in phishing, ransomware, and information-stealing activities. From April to August 2024, law enforcement agencies and cybersecurity experts worked tirelessly to identify and neutralize cyber threats. Hong Kong, Mongolia, Macau, Madagascar, and Estonia played key roles in identifying/disabling malicious servers and arresting suspects.

Officers from the Hong Kong Police Force raided the suspects’ premises, taking over 1,037 servers linked to malicious activities offline. Image credit: INTERPOL and the Hong Kong Police Force (Via Group-IB)

Through this effort, over 22,000 malicious IP addresses and 59 servers were taken down, crippling the infrastructure used by cybercriminals. Authorities seized around 43 electronic devices, including laptops, mobile phones, and hard drives, which could contain crucial evidence. They arrested 41 individuals, and investigations are ongoing for 65 others suspected of involvement in cybercrime.

INTERPOL’s Gateway Partner Group-IB’s advanced threat intelligence and digital forensics capabilities also played a crucial role in tracking/disrupting malicious infrastructure. Group-IB’s analysts discovered over 2,500 IP addresses linked to 5,000 phishing websites and 1,300 IP addresses linked to various malware activities across 84 countries.

The company’s CEO, Dmitry Volkov, appreciated the operation’s success, stating that closer collaboration between the public and private sectors is essential to effectively combat cybercrime and safeguard the information and data of clients and society globally.

For your information, Operation Synergia II, is the successor of Operation Synergia, in which Group-IB’s Threat Intelligence and High-Tech Crime Investigation teams identified over 500 IP addresses hosting phishing sites and 1,900 IP addresses used by ransomware, Trojan, and other malware operators. The malicious resources were found in over 50 countries, with malicious infrastructure distributed across 200+ web hosting providers worldwide.

INTERPOL’s Cybercrime Directorate, led by Neal Jetton, has played a crucial role in dismantling cybercrime networks by sharing intelligence, facilitating cooperation, and providing technical expertise, helping law enforcement agencies globally to address such complex challenges effectively.

Last year, Interpol’s HAECHI IV operation, in collaboration with the South Korean government, blocked 82,112 suspicious bank accounts and seized $199 million in cash and $101 million worth of crypto assets.

The six-month operation targeted seven types of scams, including voice phishing, romance scams, sextortion, investment fraud, and money laundering. Now Operation Synergia II’s success shows the usefulness of international collaboration in combating cybercrime.

“INTERPOL is proud to bring together a diverse team of member countries to fight this ever-evolving threat and make our world a safer place,” Jetton stated.

1.  AI-Powered Scams Fuel Global Cybercrime Surge: INTERPOL
2.  Op Narsil – INTERPOL Busts Decade-Old Child Abuse Network
3.  INTERPOL Dismantles ’16shop’ Phishing-as-a-Service Platform
4.  Interpol arrests Moroccan hacker over phishing, malware scam
5.  Interpol Busts Human Traffickers Luring Victims with Fake Job Ads

INTERPOL Arrests 41, Takes Down 22,000 Malicious IPs and 59 Servers

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

Adam Meyers, Senior Vice President of Counter Adversary Operations, CrowdStrike

November 6, 2024

5 Min Read

Source: Andrey Khokhlov via Alamy Stock Photo

COMMENTARY

Throughout the past year, we've seen a sharp uptick in cross-domain threats. This activity spans multiple domains within an organization's IT architecture, including identity, cloud, and endpoint. These attacks leave minimal footprints in each domain, like separate puzzle pieces, making them harder to detect. 

While cross-domain intrusions vary in complexity, my team and I are increasingly observing attacks that leverage stolen credentials to breach cloud environments and move laterally across endpoints. This activity is fueled by sophisticated phishing techniques and the proliferation of infostealers. Once adversaries obtain or steal credentials, they can gain direct access to poorly configured cloud environments and bypass heavily defended endpoints. With this access, they often deploy remote monitoring and management (RMM) tools instead of malware, making these attacks particularly hard to detect and disrupt. 

**Scattered Spider: A Master of Cross-Domain Tradecraft**

One of the most proficient adversaries in cross-domain attacks is the prolific e-crime group Scattered Spider. Throughout 2023 and 2024, Scattered Spider demonstrated sophisticated cross-domain tradecraft within targeted cloud environments, frequently using spear-phishing, policy modification, and access to password managers. 

In May 2024, CrowdStrike observed Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) instance via a cloud service VM management agent. The adversary compromised existing credentials through a phishing campaign to authenticate to the cloud control plane. Once inside, they established persistence.  

This attack spanned three operational domains: email, cloud management, and within the VM itself. As a result, the detectable footprint in any single domain was minimal and difficult to identify with traditional signature-based detection methods. Identifying this attack relied on extensive threat intelligence and prior knowledge of Scattered Spider's tactics. By correlating telemetry from the cloud control plane with detections within the virtual machine, threat hunters were able to recognize and stop the intrusion in progress. 

**A Massive Insider Scheme: DPRK's Famous Chollima**

North Korea-nexus adversary Famous Chollima presented a unique challenge to threat hunters with a highly sophisticated attack campaign expanding beyond technology boundaries. In this massive insider threat scheme, malicious actors obtained contract or full-time positions using falsified or stolen identity documents to bypass background checks. Their résumés often listed employment at prominent companies, with no gaps, making them appear legitimate.  

In April 2024, CrowdStrike responded to the first of several incidents where Famous Chollima targeted more than 30 US-based companies, including those in the aerospace, defense, retail, and technology sectors. Leveraging data from a single incident, threat hunters developed a scalable plan to hunt this emerging insider threat and identified over 30 additional affected customers within two days. 

In many cases, the adversary attempted to exfiltrate data and install RMM tools using company network credentials to facilitate unauthorized access. CrowdStrike threat hunters searched for RMM tools paired with suspicious network connections to uncover additional data and identify suspicious behaviors. By mid-2024, the US Department of Justice indicted several individuals involved in this scheme, which likely enabled North Korean nationals to raise funds for the DPRK government and its weapons programs. CrowdStrike's coordinated efforts with law enforcement and the intelligence community were instrumental in bringing these malicious activities to light and disrupting the massive threat. 

**Putting the Puzzle Pieces Together: Stopping Cross-Domain Attacks**

Countering sophisticated cross-domain threats requires constant awareness of behavioral and operational shifts, making intelligence-driven hunting essential. Stopping these novel attacks takes a multipronged approach involving people, process, and technology. For organizations to protect against these attacks they should adopt the following approaches:  

*   Full visibility: Unified visibility across the enterprise (cloud, endpoints, and identities) is essential to detect and correlate cross-domain attacks. This approach prevents adversaries from moving laterally through environments, improves response time, and reduces the likelihood of incidents escalating into breaches. 
    

*   Integrate cross-domain hunting: 24/7 real-time threat hunters can proactively search across security planes for malicious behavior. By continuously monitoring employee activity, they can detect deviations from normal behavior, such as abnormal use of RMM tools.  
    

*   Focus on identity: Identity is one of the fastest-growing threat vectors. To mitigate risks, businesses must implement advanced identity verification processes, such as multifactor authentication and biometric check. In addition to establishing strong authentication procedures, identity protection should be implemented to catch anomalous authentication events before they turn into a breach. 
    

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough. As these stealthy threats operate across identity, cloud, and endpoint, they require a blend of advanced technology, the irreplaceable insights of human expertise, and cutting-edge telemetry to inform proactive decision making. Threat hunters and intelligence analysts, working in tandem with cutting-edge tools, are essential for identifying, understanding, and neutralizing these ever-evolving dangers before they can cause harm. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Senior Vice President of Counter Adversary Operations, CrowdStrike

As CrowdStrike's senior vice president of counter adversary operations, Adam Meyers leads the Threat Intelligence line of business for the company. Meyers directs a geographically dispersed team of cyber threat experts tracking criminal, state-sponsored, and nationalist cyber adversary groups around the globe and producing actionable intelligence to protect customers. He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work in combining human intelligence and intelligence derived from technology continues to transform cybersecurity. 

Meyers works closely with other departments within CrowdStrike to ensure the smooth and speedy integration of intelligence into CrowdStrike’s entire lineup of products and services. His team brings unprecedented insights into the activities of cyber threat actors, providing strategic and technical guidance to Fortune 100 businesses, major financial institutions, key government agencies, and other CrowdStrike customers.

How to Outsmart Stealthy E-Crime and Nation-State Threats

When it comes to landing a job in cybersecurity, what does it take to stand out from the pack? Try playing games.

Source: Ekkaphan via Adobe Stock Photo

While having the right technical chops and certifications matter, having cyber-gaming experience, whether it's participating on a cyber games team or in online competitions, can help you stand out when potential hiring managers are reviewing your resume. It can also give you more confidence after you land the job.

From showing that they can perform well under pressure to demonstrating that they're a good team player, there are many reasons why playing on a cyber team could give a candidate a leg up, says US Cyber Games commissioner Jessica Gulick, who has often asked job candidates what they did in their free time to get a broader understanding of their technology capabilities. Gamers always stood out, and she found it beneficial to hire them, particularly in areas such as penetration testing and forensics. These candidates usually were good at entering unknown environments and figuring things out given limited information, as well as sticking it out to identify solutions if they initially fail, she says.

"They're the kind of people that walk into a room and are constantly looking around and looking beyond what they see," Gulick says. "Is there an Easter egg? They don't need instructions; they'll just figure it out. And to have that kind of employee, it means that it's a faster time to value for your corporation. You're bringing on somebody who doesn't need a lot of hand-holding, \[someone who is\] going to really take the ball and run with it."

**Demonstrate Technical Proficiency**

When it comes to technical skills, cyber games give players the chance to practice the kinds of skills that they'll use on the job but in a safe context — not connected to any active business or infrastructure network that would be harmed by an actual cyberattack. And it gives players exposure to a broader array of cybersecurity experience than they might get in a role with specific responsibilities.

"Players are gaining skills in areas that they may not be particularly focused on right now, and that's a huge thing to give them those extra skill sets to work on the workforce and have on their resume," says US Women's Cyber Team assistant coach Chelsie Cooper, also a senior intelligence analyst at CrowdStrike. "That's a huge boost. Having this skill set specifically is definitely going to help them push forward to stand out in an applicant pool."

Showing technical proficiency in a cyber game, like having experience playing with the National Cyber League (NCL), can help candidates stand out. The NCL, an organization that holds cyber competitions for students, issues report cards to participants that they can use to show how well they performed in subjects like forensics or Web security. That can give them an edge as job candidates.

"If you have two students or two early career professionals that are interviewing and you ask, 'What's your experience doing pen testing with this particular vector of an attack?' the one who doesn't have experience is going to say, 'I don't have experience. Why are you asking me this?' whereas the one who has experience playing a game can say, 'Well, I don't have on the job experience, but I saw something similar when I was playing this game. Here's what I did about it,'" Gulick says.

The person who played the game will likely get the job.

**Develop Soft Skills, Teamwork**

Being on a cyber team can also help you hone nontechnical skills that are valuable in the workplace, like collaboration, mentoring, and working well in groups.

"Cyber games allow us to really cultivate those skills, the situational awareness, the ability to work as a team, to be able to pass off or to ask for help, or to mentor," Gulick says. "These are all critical skills that create high-performing teams."

Sarah Ogden, a 19-year-old student at Northern Kentucky University and a junior member of the US Women's Cyber Team, says she's excited about participating in this year's competition, but it's with a bigger goal in mind: to be competitive when it's her turn on the job market.

"My end goal is to get into a large company as a security engineer and actually get to see how the code and systems are developed, and to make an actual difference in that company's security and see the payoff of that," she says.

**Exposure to Job Opportunities**

Playing on a cyber team can also give competitors exposure to job opportunities with corporate sponsors. According to Gulick, sponsors like Battelle have hired team members.

"Competing as part of the US Cyber Team continually exposes athletes to a wide range of skill sets — such as binary exploitation, reverse engineering, and red-versus-blue activities — that enable them to excel in an increasingly competitive early-career job market. This experience provides them with a distinct credential on their resumes that sets them apart from their peers," says Chase P. Schueler, division manager for Battelle's cyber business.

US Cyber Team athletes also demonstrate "remarkable self-motivation," he adds.

"The selection process demands both skill and dedication, which are critical in a field where formal academic training is still limited when compared to the physical sciences," Schueler says. "This strong display of commitment makes them especially attractive to employers, including here at Battelle, who can see them as known quantities with demonstrated proficiencies."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Tag

#intel