Cyware Weekly Threat Intelligence - July 15–19

Weekly Threat Briefing • July 19, 2024
In a concerted blitz against the shadowy underworld of cryptocurrency phishing scams, law enforcement agencies and crypto exchanges from six nations united under the banner of Operation Spincaster. This initiative has unearthed a staggering 7,000 leads, exposing compromised wallets and a jaw-dropping $162 million in financial hemorrhage. Simultaneously, researchers unleashed a decisive counterstrike against the nefarious Konfety ad fraud scheme. Google Play Protect now identifies and neutralizes these Evil Twin apps.
Law enforcement agencies and crypto exchanges from six countries are collaborating in an effort called Operation Spincaster to combat cryptocurrency approval phishing scams. This initiative, led by blockchain intelligence firm Chainalysis, has identified 7,000 leads related to compromised wallets and $162 million in losses. The operation has resulted in the closure of attacker-controlled accounts, recovery of funds, and preventative actions against future scams.
HUMAN's Satori team disrupted the Konfety scheme, which relied on an advertising SDK called CaramelAds and an "evil twin" evasion method. The actors maintained non-malicious apps on the Google Play Store that used the CaramelAds SDK and appeared to be owned by different developers, with malicious twins of those apps distributed outside the store. HUMAN flagged high-confidence invalid traffic from these apps and implemented countermeasures to protect its customers, prompting the threat actors to switch targets. Google Play Protect identifies and disables the "evil twin" apps, and customers using HUMAN's mitigation and detection are protected from Konfety's impact.
Interpol's Operation Jackal III, a three-month global operation, resulted in the arrest of 300 individuals with links to West African cyber fraud. The operation, which involved law enforcement agencies across 21 countries, targeted organized crime groups, particularly the notorious Nigeria-based Black Axe gang, involved in online financial fraud. Authorities were able to seize $3 million in assets and block 720 bank accounts during the operation.
The cybercriminal syndicate known as Revolver Rabbit has unleashed a staggering onslaught, registering over 500,000 domain names through the cunning use of RDGAs (registered domain generation algorithms). Their sinister aim? To orchestrate sweeping infostealer campaigns that imperil both Windows and macOS systems. Parallel to this digital mayhem, armed with an arsenal of tools, the China-based hacking collective APT41 infiltrated firms across multiple industries and siphoned data with surgical precision. Meanwhile, the cybercrime group Scattered Spider pivoted to deploying the RansomHub and Qilin ransomware variants in its nefarious activities.
The Play ransomware syndicate has taken a concerning leap forward, crafting a new Linux variant that ruthlessly targets VMware ESXi environments. In a separate and alarming revelation, a critical vulnerability has been unearthed in Splunk Enterprise on Windows. This path traversal flaw allows malicious actors to read files outside the designated directory via a crafted GET request, and it requires no prior authentication. Meanwhile, threat actors have co-opted legitimate tools such as RDPWrapper and Tailscale to stealthily gain unauthorized remote access to and control over victims' systems.