Windows SmartScreen Exploited, Ransomware Leader Arrested, Russian Hacker Sentenced – Cybersecurity News [August 12, 2024]
Here is this week's cybersecurity news bulletin. This week we cover the Windows SmartScreen flaw, the arrest of the operator behind the Ransom Cartel and Reveton ransomware operations, the sentencing of a Russian cybercriminal who sold more than 300,000 stolen login credentials, the 3AM ransomware breach of Kootenai Health patient data, and fake alerts on X being used as clickbait. Let’s take a look!
Windows SmartScreen Flaw Exploited as Zero-Day Since March
Microsoft disclosed that threat actors were exploiting a Mark of the Web (MotW) security bypass vulnerability to get past its SmartScreen protection feature.
The vulnerability (CVE-2024-38213) can be exploited remotely but requires user interaction: Redmond noted that an attacker has to deliver a malicious file to the target and convince them to open it, which raises the bar somewhat. Microsoft has now released a patch, but the flaw had been exploited in the wild since March of this year. The root cause was that files copied locally from a WebDAV share did not receive the MotW, so SmartScreen never evaluated them.
In March, attackers also leveraged another vulnerability (CVE-2024-21412) to deploy malicious payloads disguised as Apple iTunes, NVIDIA, and Notion installers.
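The bypass above works because a file that arrives without the Zone.Identifier alternate data stream is simply not inspected by SmartScreen. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a folder for risky file types that carry no Mark of the Web (or a zone below Internet) and, with `-Fix`, stamps the Internet zone onto them so SmartScreen evaluates them on next launch. The default folder and the extension list are assumptions for the demo.

```powershell
# Added example (not from the article or Microsoft): audit a folder for files
# that lack the Mark of the Web (the NTFS Zone.Identifier alternate data stream)
# and optionally re-apply the Internet zone. Default path and extension list are
# assumptions for the demo; adjust them for your environment.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    [switch]$Fix
)

# Zone IDs as written by browsers and Explorer; 3 (Internet) and 4 (Restricted)
# are the ones that make SmartScreen inspect the file.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# File types worth flagging when they arrive without a zone marker (assumed list).
$RiskyExtensions = @('.exe', '.msi', '.dll', '.scr', '.js', '.vbs', '.ps1', '.bat',
                     '.cmd', '.lnk', '.url', '.iso', '.img', '.zip', '.7z')

function Get-MotwInfo {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $stream = Get-Item -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $info = [ordered]@{ File = $File.FullName; HasMotw = $false; ZoneId = $null; Zone = $null; HostUrl = $null }
    if ($stream) {
        $raw = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -Raw
        # The stream is an INI-style block:
        #   [ZoneTransfer]
        #   ZoneId=3
        #   HostUrl=https://example.invalid/file.exe
        if ($raw -match '(?m)^ZoneId=(\d+)') {
            $info.HasMotw = $true
            $info.ZoneId  = [int]$Matches[1]
            $info.Zone    = $ZoneNames[$info.ZoneId]
        }
        if ($raw -match '(?m)^HostUrl=(\S+)') { $info.HostUrl = $Matches[1] }
    }
    return [pscustomobject]$info
}

function Set-MotwInternetZone {
    param([Parameter(Mandatory)][string]$LiteralPath)
    # Writing this stream is what browsers do on download; Unblock-File is the inverse.
    Set-Content -LiteralPath $LiteralPath -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -File $_ }

# Files SmartScreen would skip: no stream at all, or a zone below Internet.
$unmarked = $results | Where-Object {
    (-not $_.HasMotw -or $_.ZoneId -lt 3) -and
    $RiskyExtensions -contains [System.IO.Path]::GetExtension($_.File).ToLowerInvariant()
}

$unmarked | Format-Table File, HasMotw, Zone, HostUrl -AutoSize

if ($Fix) {
    foreach ($item in $unmarked) {
        Set-MotwInternetZone -LiteralPath $item.File
        Write-Host "Stamped ZoneId=3 on $($item.File)"
    }
}
```

A file copied off a WebDAV share through the bypass shows up here with `HasMotw` false and no `HostUrl`, exactly the state SmartScreen ignores. The stream only exists on NTFS, so files on FAT/exFAT media never carry it regardless of origin; `Get-Item -Stream` and `Set-Content -Stream` require Windows PowerShell 3 or later.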
Ransom Cartel and Reveton Ransomware Operator Arrested and Charged in the US
Maksim Silnikau, a Belarusian-Ukrainian national, was arrested and extradited to the US this week on charges of creating the Ransom Cartel ransomware operation and running malvertising campaigns.
The threat actor has been known by many aliases, including Lansky, xxx, and J.P. Morgan, on different hacking forums. Along with Maksim, the US also charged his co-conspirators, Volodymyr Kadariya and Andrei Tarasov, who distributed malware to victims around the world for years and used malvertising to lure them. The Ransom Cartel operation has been around since December 2021 and was created and administered by Maksim, who offered it as a RaaS (Ransomware as a Service) model to other threat actors and recruited affiliates from Russian-speaking forums to carry out attacks with him. Ransom payments were laundered through cryptocurrency mixers to break the money trail. But that’s not all. Maksim was also the creator of the Reveton trojan, which locked Windows users out of their systems until they paid ransoms via MoneyPak, PaySafeCard, or other digital payment methods.
The threat actor is potentially facing a sentence of over 100 years if he is convicted on all charges, which include wire and computer fraud, computer abuse, access device fraud, and aggravated identity theft.
Russian Cybercriminal Sentenced to 40 Months for Selling 300,000 Stolen Credentials
In other news, a Russian national named Georgy Kavzharadze was sentenced to 40 months in prison for selling more than 300,000 stolen login credentials on the Slilpp marketplace.
Slilpp was the largest online marketplace for stolen credentials until it was seized by law enforcement in June 2021. The US DoJ (Department of Justice) described how Kavzharadze sold large quantities of PII (Personally Identifiable Information) and financial data on Slilpp. Kavzharadze was active on the portal from July 2016 to May 2021, during which he listed over 626,100 stolen credentials for sale, many of which were linked to $1.2 million in fraudulent transactions. His Slilpp account also listed over 240,000 credentials that other threat actors could purchase and use to drain funds from victims’ online bank accounts.
The DoJ charged Kavzharadze on 24 August 2021 with bank fraud, access device fraud, and conspiracy to commit bank and wire fraud. He was extradited to the US and pleaded guilty.
3AM Ransomware Breach Exposes Data of 464,000 Kootenai Health Patients
Kootenai Health disclosed a data breach this week in which the personal data of 464,000 patients was stolen by the 3AM ransomware gang.
Kootenai Health is based in Idaho and is the largest hospital in the region. The organization suffered a cyberattack back in March that disrupted some IT systems. The subsequent investigation revealed that the threat actors gained access to organizational systems in the last week of February 2024, moved through the network for about ten days, and exfiltrated sensitive patient data. The stolen data includes full names, birth dates, SSNs (Social Security Numbers), government ID numbers, driver’s license numbers, and medical information such as medical record numbers, treatments, conditions, diagnoses, and health insurance data. Kootenai has stated that it is unaware of any misuse of the stolen data but is offering affected patients one to two years of identity protection services, depending on the data that was exposed.
The 3AM ransomware gang claimed responsibility for the attack and used its darknet portal to leak the stolen data. The leak is a 22 GB archive made available for free, which suggests the hospital did not pay the ransom.
Fake X Alerts on Ukraine War and Earthquakes Used as Clickbait
Scams have long been common on X (formerly Twitter), and lately scammers have started using the war in Ukraine as bait: posts carry fake content warnings that, when clicked, lead users to malicious browser extensions and adult websites.
Earthquake warnings in Japan serve the same purpose. X is full of posts hidden behind content warnings that promise new information about Ukrainian forces or about a Nankai Trough earthquake warning. When users click through to view the content, they are bounced through multiple websites before landing on a scam or malicious site. Many of these are adult sites, but plenty more lead to tech support scams, affiliate scams, or malicious browser extensions. X attaches these warnings because it analyzes the content behind the posted URL (Uniform Resource Locator) when the post is created, so the scammers’ links end up with an official-looking label that doubles as the lure.
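Since the damage is done by the redirect chain rather than by the post itself, a practitioner can walk that chain without a browser and see the final landing domain before anyone clicks. The following PowerShell function is an added example, not code from the article: it uses .NET's HttpClient with automatic redirects disabled, records every hop with its status and host, resolves relative Location headers, and stops on loops or after a hop limit. The sample URL in the comment and the hop limit are assumptions for the demo.

```powershell
# Added example (not from the article): resolve an HTTP redirect chain hop by hop
# without letting the client follow it, so the landing domain is visible up front.
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1

function Resolve-RedirectChain {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$MaxHops = 10                # assumed limit; scam chains are usually shorter
    )
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false   # we want to see each 3xx, not the end result
    $client = [System.Net.Http.HttpClient]::new($handler)
    $client.Timeout = [TimeSpan]::FromSeconds(10)
    # Some redirectors serve a different chain to non-browser user agents.
    $client.DefaultRequestHeaders.UserAgent.ParseAdd('Mozilla/5.0')

    $chain = [System.Collections.Generic.List[object]]::new()
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $current = [Uri]$Url
    try {
        for ($hop = 0; $hop -lt $MaxHops; $hop++) {
            if (-not $seen.Add($current.AbsoluteUri)) {
                $chain.Add([pscustomobject]@{ Hop = $hop; Status = 'LOOP'; Host = $current.Host; Url = $current.AbsoluteUri })
                break
            }
            # ResponseHeadersRead: fetch status and headers only, never the body.
            $resp = $client.GetAsync($current, [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead).GetAwaiter().GetResult()
            $status   = [int]$resp.StatusCode
            $location = $resp.Headers.Location
            $chain.Add([pscustomobject]@{ Hop = $hop; Status = $status; Host = $current.Host; Url = $current.AbsoluteUri })
            $resp.Dispose()
            if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }
            # Location may be relative; resolve it against the current URL.
            $current = [Uri]::new($current, $location)
        }
    } finally {
        $client.Dispose()
    }
    return $chain
}

# Example use with a hypothetical shortened link:
# Resolve-RedirectChain -Url 'https://t.co/xxxxxxx' | Format-Table Hop, Status, Host, Url -AutoSize
```

The output is one row per hop, so a chain that starts at a link shortener and ends on an unrelated domain is obvious at a glance. Only HTTP-level redirects are followed; a hop that uses a meta refresh or JavaScript to move the visitor on shows up as a 200 at that host, which is itself a signal worth noting.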
Much of the news shared on social media is false or misinterpreted, and scammers have learned to exploit users’ curiosity to lead them to malicious websites and extensions. The best defence against such scams is simply not to click on these posts.