Dark Marketplace Operators Face Life Sentences for $430 Million in Illicit Transactions
This week, two alleged operators of Empire Market were charged. Empire Market was a dark web marketplace that facilitated over $430 million in illicit transactions. Thomas Pavey, aka “Dopenugget”, and Raheim Hamilton, aka “Sydney” and “Zero Angel”, allegedly ran the marketplace between February 2018 and August 2020, during which it handled more than 4 million transactions in malicious software, stolen data, hard drugs and counterfeit money.
Before Empire Market went offline in August 2020, thousands of users relied on it to obscure their illegal transactions, paying in cryptocurrency routed through a tumbling (mixing) service to frustrate tracing by law enforcement. Pavey, Hamilton and their moderators profited by keeping a cut of every cryptocurrency transaction. The DoJ indictment also states that, before running Empire Market, Pavey and Hamilton sold counterfeit currency on another dark web market, AlphaBay.
The men now face five charges: conspiracy to sell counterfeit currency on AlphaBay; conspiracy to distribute controlled substances via Empire Market; conspiracy to possess unauthorised access devices; conspiracy to sell counterfeit currency on Empire Market; and conspiracy to launder money to conceal the proceeds of illegal activity. If convicted on all counts, the two could face life imprisonment, owing to the severe penalties attached to drug trafficking.
Stolen data traded on dark marketplaces fuels follow-on cyberattacks and fraud: credentials and personal records bought there are reused for account takeover, phishing and identity theft. A comprehensive security solution that detects threats at machine speed and applies advanced analytics helps ensure that sensitive information and digital identities are not exfiltrated and put up for sale in the first place.
Network Security Zero-Day Flaws Targeted by China-Nexus APT for Cyber Espionage Campaigns
A China-nexus threat actor tracked as UNC3886 has been leveraging a combination of zero-day vulnerabilities in Fortinet, Ivanti and VMware devices to gain initial access to, and maintain control over, compromised systems. Security researchers have released new findings showing how this espionage actor layers multiple persistence mechanisms so that it retains access even after the initial compromise has been detected and remediated.
UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs https://t.co/XkjQA1o3ng
— Nicolas Krassas, June 20, 2024
UNC3886 has been described as sophisticated and evasive. It has exploited zero-day vulnerabilities such as CVE-2022-41328 (a Fortinet FortiOS path traversal), CVE-2022-22948 (a VMware vCenter information disclosure) and CVE-2023-20867 (a VMware Tools authentication bypass) to gain deeper access, harvest credentials and deploy backdoors. The group also exploited CVE-2022-42475 in Fortinet FortiGate SSL-VPN soon after its disclosure.
The campaign has so far targeted entities in North America, Southeast Asia and Oceania, as well as Europe, Africa and other parts of Asia, with a focus on critical sectors such as government, telecommunications, technology, aerospace and defence, and energy. A key tactic is the use of publicly available rootkits such as “Reptile” and “Medusa” to remain undetected on compromised guest VMs. Medusa, deployed via the SEAELF installer, logs user credentials, which supports lateral movement.
UNC3886 also uses custom backdoors called MOPSLED and RIFLESPINE that abuse legitimate services such as GitHub and Google Drive for command-and-control (C2), so that their traffic blends in with ordinary outbound connections. MOPSLED is assessed to be an evolution of Crosswalk and communicates over HTTP with a C2 server hosted on GitHub; RIFLESPINE is cross-platform and uses Google Drive to transfer files and execute commands.
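Because this C2 traffic hides among connections to services most networks allow by default, one practical hunt is to look for infrastructure hosts that should never reach those services at all. The Python script below is an added example, not code from the article or from the researchers it cites: it runs a simple detection over constructed egress-proxy log lines and flags ESXi, vCenter and firewall-management addresses (taken from a hypothetical asset inventory, INFRA_SUBNETS) that contacted GitHub or Google Drive hostnames. The log format, the subnets and the domain list are all assumptions to be tuned for a real environment.

```python
"""
Hunting for C2 over trusted cloud services (GitHub / Google Drive).

Added example, not code from the original article or from the
researchers it cites. It assumes a simple space-separated egress-proxy
log format (constructed below) and a hypothetical inventory that maps
source subnets to asset roles. Hypervisors, vCenter appliances and
firewall management interfaces have no business talking to GitHub or
Google Drive, so any such connection deserves an analyst's attention.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Services the article names as C2 transports. The hostname list is an
# assumption; extend it with whatever you observe in your own proxy logs.
C2_CAPABLE_SERVICES = {
    "github": ("api.github.com", "raw.githubusercontent.com", "github.com", "gist.github.com"),
    "google_drive": ("www.googleapis.com", "drive.google.com", "drive.googleapis.com"),
}

# Hypothetical asset inventory (constructed for the example): subnets that
# hold infrastructure which should never need GitHub or Google Drive.
INFRA_SUBNETS = {
    ipaddress.ip_network("10.10.0.0/24"): "esxi",
    ipaddress.ip_network("10.10.1.0/24"): "vcenter",
    ipaddress.ip_network("10.10.2.0/24"): "fortigate-mgmt",
}


@dataclass(frozen=True)
class Finding:
    src_ip: str
    asset_role: str
    service: str
    host: str
    hits: int


def classify_host(host: str) -> str | None:
    """Return the service name if host (or a parent domain) is a C2-capable service."""
    host = host.lower().rstrip(".")
    for service, domains in C2_CAPABLE_SERVICES.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return service
    return None


def asset_role(src_ip: str) -> str | None:
    """Map a source IP to an infrastructure role using the (assumed) inventory."""
    ip = ipaddress.ip_address(src_ip)
    for net, role in INFRA_SUBNETS.items():
        if ip in net:
            return role
    return None


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Parse 'timestamp src_ip dest_host method status'; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return parts[1], parts[2], parts[4]


def hunt(log_lines):
    """Return Findings for infrastructure hosts that reached GitHub/Google Drive,
    most frequent first (repeated polling is what a beacon looks like)."""
    counter = defaultdict(int)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the hunt
        src_ip, dest_host, _status = parsed
        service = classify_host(dest_host)
        role = asset_role(src_ip)
        if service and role:
            counter[(src_ip, role, service, dest_host.lower())] += 1
    return sorted(
        (Finding(src, role, svc, host, n) for (src, role, svc, host), n in counter.items()),
        key=lambda f: (-f.hits, f.src_ip),
    )


# Constructed sample log lines (not real traffic): an ESXi host polling
# GitHub, a vCenter appliance talking to the Drive API, plus benign
# workstation traffic and one malformed line.
SAMPLE_LOG = """\
2024-06-20T01:00:01Z 10.10.0.15 api.github.com GET 200
2024-06-20T01:05:01Z 10.10.0.15 api.github.com GET 200
2024-06-20T01:10:01Z 10.10.0.15 raw.githubusercontent.com GET 200
2024-06-20T01:12:44Z 10.10.1.5 www.googleapis.com POST 200
2024-06-20T01:13:02Z 10.10.1.5 www.googleapis.com GET 200
2024-06-20T01:14:00Z 10.20.5.77 api.github.com GET 200
2024-06-20T01:15:00Z 10.10.0.15 ntp.example.internal GET 200
2024-06-20T01:16:00Z 10.20.5.78 drive.google.com GET 302
this line is malformed
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.asset_role:14} {f.src_ip:12} -> {f.host:28} ({f.service}) x{f.hits}")
```

Workstation traffic to GitHub is ignored on purpose: the signal here is not the destination alone but the mismatch between the asset's role and the destination. In production you would feed real proxy or firewall logs and the real CMDB into the same two lookups, and treat a hit from a hypervisor or management interface as a high-priority investigation rather than a block-and-forget alert, since the host may already be running a rootkit.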
Given the evolving nature of these threats, organisations should follow the security advisories issued by Fortinet and VMware and patch affected products promptly. Doubling down on deep visibility, persistent tracking and real-time analytics will help organisations defend against advanced threats of this kind.
Suspected Ransomware Attack Shuts Down Thousands of Auto Dealerships Across the U.S.
Roughly 15,000 car dealerships across the U.S. were taken out of commission this week by back-to-back cyberattacks on CDK Global, the SaaS (software-as-a-service) platform they rely on for CRM, payroll, inventory, support and administrative functions.
After the first attack, CDK Global shut down its two data centers to stop the intrusion from spreading. This caused widespread outages that left dealerships unable to track and order parts, complete sales, arrange financing or carry out vehicle repairs. Many employees reported that they could not work and either fell back on manual, paper-based processes or were sent home. The second breach occurred while the company was restoring the systems it had shut down after the first attack.
CDK's latest status report confirms the outage is likely to last several more days. IT firms working with affected dealerships report that, following the attack, CDK advised them to disconnect the always-on VPN tunnel to CDK, so that a threat actor could not pivot from CDK's environment into the dealership network.
The prolonged disruption raises the question of whether these attacks were the work of ransomware operators who may also have compromised CDK's backups. Ransomware crews typically steal data and encrypt systems, then demand a ransom both to decrypt the systems and to withhold the stolen data from public leak sites. If ransomware is confirmed, full recovery could take weeks.
The automotive industry remains a target for threat actors looking to exploit its complex, supply-chain-driven operations and its economic importance, and to gain access to high-value data on millions of customers and employees.