Iran-linked threat groups target US presidential election
Google recently announced the disruption of a sophisticated hacking campaign conducted by the Iran-linked group APT42 (also known as Calanque or UNC788). This campaign targeted the personal email accounts of people connected to President Biden and former President Trump.
Google detected and blocked multiple attempts by APT42 to access the personal email accounts of these individuals, with successful breaches reported across various email providers, including a high-profile political consultant’s Gmail account.
This breach, first reported by POLITICO, has raised concerns about foreign interference in the 2024 US presidential election in November. The Trump campaign referenced an incident in June where a spear-phishing email, attributed to another Iranian group, Mint Sandstorm, was sent to a high-ranking campaign official.
Newly identified Android malware empties accounts, wipes devices
BingoMod, a newly identified Android malware, can wipe devices after depleting its victims' bank accounts. Spread via text messages, the malware disguises itself as a legitimate mobile security tool and can steal up to €15,000 per transaction.
Distributed via smishing (SMS phishing) campaigns, BingoMod disguises itself as other legitimate mobile security tools, like APP Protection, Antivirus Cleanup, Chrome Update, and others. It sometimes mimics the icons of legitimate apps such as AVG AntiVirus and Security.
Key features and techniques
- Accessibility services exploitation: During installation, BingoMod requests permission to use accessibility services, giving it extensive control over the device.
- On-device fraud (ODF): The malware establishes communication channels (socket-based for receiving commands and HTTP-based for sending screenshots) that enable real-time remote control by threat actors. This method allows the malware to bypass standard anti-fraud systems by initiating fraudulent transactions directly from the victim's device.
- VNC mechanism: BingoMod uses Android's Media Projection application programming interface (API) to capture real-time screen content, which is transmitted to the threat actors. It also allows remote operators to perform actions like clicking, typing, launching apps, and initiating overlay attacks.
- Spread and persistence: The malware can spread via SMS from infected devices and disable or remove security solutions. To evade detection, it uses code obfuscation techniques, including code-flattening and string obfuscation.
- Device wiping: If registered as a device admin app, BingoMod can wipe the device's external storage or perform a complete factory reset via remote commands.
BingoMod is currently in v1.5.1 and appears to be in early development, with ongoing efforts to enhance its evasion capabilities.
Qilin ransomware upgrades, now steals Google Chrome credentials
The Qilin ransomware group first emerged in October 2022. It is believed to be linked to Russia-based threat actors and has targeted a diverse range of industries.
On 3 June 2024, Qilin targeted Synnovis, an outsourced lab service provider for NHS hospitals in south-east London. It claimed to have exfiltrated hospital and patient data and demanded a US$50m ransom. After unsuccessful negotiations, Qilin leaked the entire stolen dataset.
Qilin group is known for these “double extortion” tactics, where data is both encrypted and stolen, with the threat of public exposure if the ransom isn't paid.
However, while investigating the Synnovis breach cyber security researchers made a troubling discovery – Qilin now specifically targets credentials stored in Google Chrome browsers. Chrome commands around 65% of the browser market, so access to the credentials stored in it could allow attackers to infiltrate financial accounts, emails, cloud storage, and business applications.
The evolving tactics of Qilin underscore the critical need for organisations to continuously monitor threats and adapt their security strategies. Key protective measures include:
- implementing multi-factor authentication (MFA) on remote access solutions;
- deploying robust endpoint security to detect and prevent suspicious activities; and
- regularly backing up data.
Additionally, it is essential that all network systems, including operating systems and web browsers, are fully patched.
US prison for Russian who sold logins to nearly 3,000 accounts
Georgy Kavzharadze has been sentenced to prison in the United States for his role in selling stolen credentials on the dark web marketplace Slilpp. He’ll also have to pay back US$1.2m from fraudulent transactions he enabled.
The 27-year-old from Moscow operated from July 2016 until May 2021, when Slilpp was taken down by international law enforcement in a coordinated operation. Authorities arrested Kavzharadze a year later and extradited him to the US, although from which country has not been disclosed.
The Slilpp marketplace, which had been in operation for nearly a decade, facilitated the sale of more than 80m credentials, causing estimated damages exceeding US$200m worldwide.
Kavzharadze’s activities on Slilpp were extensive, with over 297,300 credentials sold and more than 626,000 listed during his five-year involvement. Authorities linked Kavzharadze to over $200,000 in Bitcoin withdrawals from the site between 2016 and 2018, a sum now valued at more than $450,000.
Shortage protocols activated after ransomware attack on US blood bank
A major ransomware attack on OneBlood, a major non-profit blood bank serving hospitals across Florida, Georgia, and the Carolinas in the US, has severely disrupted its operations.
The attack compromised its software systems, leading to a reduction in operational capacity and slowing down processes.
While OneBlood is still functioning, for now it is reliant on manual procedures – apart from being slower and less efficient, this is having an effect on inventory management and blood availability. To ease the burden, the organisation has requested that the more than 250 hospitals it serves activate their critical blood shortage protocols.
OneBlood is actively working with anti-malware experts and various agencies to manage the incident and restore full functionality to its systems. The specific details of the ransomware involved are not yet known.
This incident underscores a troubling trend of ransomware attacks targeting the healthcare sector, exemplified by recent attacks from sophisticated threat actors such as North Korean advanced persistent threat (APT) groups.
TDECU data breach affects half a million people
The Texas Dow Employees Credit Union (TDECU) recently reported a significant data breach that affected the personal information of 500,474 people.
TDECU was founded in the mid-1950s by employees of Dow Chemical Company but has since grown through mergers and acquisitions.
The breach occurred on 29 May 2023, but was not discovered until over a year later. According to TDECU’s notification, the incident was linked to the MOVEit vulnerability.
The credit union provided several recommendations to those who may have been affected, including:
- changing passwords;
- enabling two-factor authentication;
- being alert to phishing scams, and
- avoiding storing card details on websites.
Cyber Risk
We bring the best of our collective experience, energy and creative power to fiercely safeguard our clients and fortify their communities.
Thomas Murray cyber alerts
Subscribe to stay up to date with developing threats in the cyber landscape
Insights
The Digital Operational Resilience Act for private equity: All change for the relationship between firms and vendors
The EU’s Digital Operational Resilience Act (DORA) will apply from 17 January 2025.
Time for PE firms to focus on concentration risk
Ed Starkie and Ben Hawkins reveal why concentration risk poses a growing threat to PE portfolios – and why many firms are dangerously unprepared.
An overview of the TIBER-EU methodology
The TIBER-EU methodology is a comprehensive framework designed to enhance the cyber resilience of financial institutions.
Five minutes with the PE cyber experts
Ed Starkie and Ben Hawkins gave us five minutes of their time to run through the current state of cyber security for private equity.