Transcript
Claire Aird (0:04)
Authorities seize the Cracked and Nulled cybercrime forums, APTs are abusing Google's Gemini AI, a Chinese info op calls for the overthrow of Spain's government, and Turkey arrests a spyware gang. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 31st of January, and this podcast episode is brought to you by asset inventory and network visibility company runZero.

Law enforcement agencies from Europe and the US have seized the domains of the Cracked and Nulled cybercrime forums and arrested one of the sites' operators. Both forums are popular and have been around for over a decade. Both sites had around a million users before they were taken offline on Wednesday. While the forums claimed to be ethical hacking and educational portals, they also served as marketplaces for the exchange of hacking services and tools. Authorities have seized 12 domains and made two arrests after searches at seven locations across the EU. One of those arrested was the alleged Nulled admin Lucas Sohn, 29, an Argentinian national residing in Spain. Officials also seized the domains of two smaller cybercrime services, StarkRDP and Sellix.

In other news, Chinese AI company DeepSeek has exposed an internal database containing sensitive data on the Internet. The database included millions of records such as user queries, secret keys and app logs. DeepSeek secured the database after a report from cloud security firm Wiz.

Staying with AI, Chinese and Iranian APT and information operations groups have been using Google's Gemini AI assistant to boost their campaigns. The groups used Gemini for target reconnaissance, task automation and content translation. Some groups also attempted to use Gemini to write malware. They also used Gemini for content generation, like disinformation and phishing emails. Russian and North Korean groups also abused Gemini, but to a lesser degree than the Chinese and Iranians. Google has disrupted these operations with new detections and updates.

Google banned over 158,000 developer accounts last year for attempting to publish malicious apps on the official Android app store. In total, Google says it blocked over 2.36 million apps from being published on the store and another 1.3 million from getting excessive permissions on users' devices. It also identified another 13 million malicious apps hosted outside the Play Store.

The UK National Audit Office says the risk of a major cyber attack against UK government networks is severe and advancing quickly. The agency cited the rising number of legacy systems and vacant government cybersecurity positions. The NAO says one in three government cybersecurity roles were vacant or filled by temporary staff.

Dutch and US authorities have seized domains and servers associated with the HeartSender phishing group, also known as Manipulators Team and Saim Raza. The group sold access to phishing kits, anti-bot technologies and stolen data. The group is based in Pakistan. No arrests or charges have been announced.

Indonesian police have detained 20 suspects believed to be part of an online romance scam operation. The group used dating apps to lure victims into investing in cryptocurrency through malicious apps that stole their funds. The group was active on sites like OkCupid, Bumble and Tinder and targeted victims in Southeast Asia.

Turkish law enforcement has detained five suspects on charges of spying on local attorneys. Officials say the group developed a software program named Adelette that they advertised to local lawyers. The group allegedly used the software to spy on customers and steal data from their networks.

The Thai government is drafting a law that will hold third parties responsible for online scams. The bill will require banks, telecom operators and social media platforms to compensate victims of online scams if they fail to implement sensible security measures. The current effort is part of a government crackdown against the online scam industry operating in Asia.

A Chinese social media influence operation has used recent floods in the city of Valencia to urge Spanish citizens to overthrow their government. The campaign took place over the past three months and is also the first campaign to run on all major social media sites and, for the first time, Bluesky. The campaign posed as members of a famous Spanish non-profit named Safeguard Defenders. Social media research group Graphika believes Spamouflage posed as the organisation in an effort to discredit its reputation. The non-profit was one of the first organisations that exposed China's illegal overseas police stations.

A Mirai botnet is behind a wave of attacks targeting Zyxel CPE routers. The attacks are targeting a Zyxel vulnerability that was discovered last July but hasn't been patched by the vendor. The vulnerability can be used to execute arbitrary commands on affected devices, leading to complete compromise. GreyNoise says the attacks started earlier this month.

NordVPN has developed a new protocol the company claims can bypass VPN blocking technologies. Named NordWhisper, the protocol is a new type of web tunnelling technology that mimics regular web traffic. The protocol is similar in design to the Tor Project's new WebTunnel anti-censorship technology, which works in a similar fashion.

A judge has approved a preliminary settlement in a class action lawsuit filed against MGM over the company's July 2019 data breach and a September 2023 ransomware attack. The total settlement is $45 million with a tiered payout system. Plaintiffs in the first tier will receive $75, while those in tiers two and three will receive $50 and $20 payments respectively. Which is, you know, life-changing amounts.

And finally, a threat actor has stolen over $10 million worth of crypto tokens after a supply chain attack against the crypto dev community. The attack targeted DogWifTools, an app used by crypto developers to launch and promote meme coins on the Solana blockchain. Attackers allegedly compromised the app's GitHub account and released malicious versions containing a remote access Trojan. They used the RAT to steal private keys and drain developers' wallets.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, runZero. Find them at runzero.com. Thanks for your company.
