
Claire Aird
A secret ransomware campaign has targeted DrayTek routers for a year, Yahoo lays off a quarter of its security team, US authorities take down the Ridocs cybercrime market, and Amazon pauses the Microsoft 365 rollout over security concerns. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 16th of September and before we dive in, some news from us. We launched a new website. You can find all our audio, video and written content at Risky Biz. And yes, the Risky Business News podcast is now called the Risky Bulletin, which begins now.

Threat actors have been using a suspected zero-day in DrayTek routers since last August to deploy ransomware. A group called Monstrous Mantis used the bug to extract DrayTek router passwords and hand them off to collaborators, according to a joint report from Forescout and Prodaft. The partners included a longtime affiliate of the REvil group, and the initial access broker was Wazawaka, who was arrested in Russia in November. Forescout says it was unable to link the vulnerability to a specific CVE. One of the victims of this DrayTek hacking spree was identified as the Greater Manchester Police Department in the UK.

In other news, authorities from Australia and Belgium have warned organizations to patch an Apache Struts vulnerability. The remote code exec was patched at the end of November, but requires developers to update their applications. The vulnerability allows attackers to upload a file that gets automatically executed. Bugs in the Apache Struts framework have been behind several major historical breaches, including the 2017 Equifax hack.

Yahoo has laid off a quarter of its internal security team, known as the Paranoids, according to a TechCrunch report. More than 40 employees were let go this year. The company has laid off its entire red team and is now outsourcing all offensive pen testing. Yahoo laid off over 1,600 employees throughout the year, representing a fifth of its global workforce.

Amazon has delayed its migration to Microsoft Office 365, according to a Bloomberg report. Amazon paused the rollout after Russian hackers gained access to Microsoft's internal emails. The retail giant signed a billion dollar contract last year to move its roughly 1.5 million staff from on-premises Microsoft tools to the cloud version of Office. The move is now scheduled for next year.

Law enforcement authorities have seized infrastructure associated with Ridocs, an online marketplace that sold hacking tools, carding data and personal information. Three of the site's administrators were also arrested in Kosovo and Albania, officials say. Ridocs made a quarter of a million dollars since its launch in 2016. That's over eight years though, so you'd be better off flipping burgers.

US authorities have extradited a Nigerian national from Ghana to face charges for a large scale BEC campaign known as ABK Abiola. Coyote has been on the FBI's Cyber Most Wanted list since 2020. Coyote was part of a six-man group that stole over $6 million. Four of the six members have already been detained and sentenced to lengthy prison terms.

The US Justice Department has indicted 14 North Korean nationals who worked in IT jobs at Western. Officials say the workers used false identities and laptop farms to hide their identity from foreign companies, sometimes working for multiple companies at once. They generated money through the salaries they earned, data theft and extortion. The men are believed to have generated at least $88 million over the past six years for the North Korean regime. Now that is better than flipping burgers. The State Department has posted a $5 million reward for further information on this group and others engaged in similar activities.

Hackers gained access to RI Bridges, Rhode Island's portal for applying for public assistance programs. Officials have taken down the portal after receiving a security alert from one of its cybersecurity vendors. According to reports in local media, the hackers are seeking a ransom. The attackers are believed to have stolen the personal data of thousands of state residents. Rhode Island has just over a million residents.

A watering hole attack has been discovered on CSDN, China's largest IT community portal. An unknown threat actor added malicious code to one of the site's JavaScript files to target users linked to media organisations, according to Chinese security firm QiAnXin. The malicious code showed a fake error message that prompted users to download and install malware on their systems.

Citrix has warned customers about an increase in password spraying attacks against NetScaler appliances. The warning comes days after a similar alert was issued by Germany's cybersecurity agency. The company has told customers that even if they enable multi-factor authentication, they should still expect service disruption from the extra workload.

Ransomware groups posted over 630 victims on their leak sites in November, making this the most active month on record. The number surpasses the previous peak of 527 victims in May 2024, according to cyber insurance provider Corvus. Akira and RansomHub were responsible for a quarter of all of last month's incidents.

A threat actor has stolen almost 400,000 WordPress account credentials from other hackers through backdoored GitHub projects. The threat actor used multiple malicious repos offering hacking tools such as exploits and account checkers. Victims included academics and security researchers, as well as other hackers, according to Datadog's security team. The campaign is still ongoing.

Filipino government officials said last week that online scam gangs are downsizing operations to avoid detection by local authorities. Several groups have abandoned larger office compounds for smaller buildings in isolated locations. Foreign observers estimate that over 15,000 foreign nationals are trapped in scam compounds in the Philippines.

Russia's telecommunications watchdog has blocked access to the Viber secure messaging application as part of its latest crackdown against Western services. Roskomnadzor claims the Japanese app was being used to sell drugs and recruit Russian citizens for terrorist and extremist purposes. According to reports, Viber had over 14.5 million users in the country, around a quarter of all Russians who use a secure messenger.

The Cambodian government has blocked access to 16 crypto exchanges, including Coinbase, Binance and OKX. The ban was enforced by the country's financial regulator after the companies failed to register with local authorities. The sites are part of a larger ban of over 100 websites. Most of the banned sites are gambling related.

And finally, Google will cease all payments to Play Store app developers with Russian bank accounts. The decision comes in response to new international sanctions on the Russian banking sector. Major payment processors like MasterCard and Visa left the country after the Kremlin's invasion of Ukraine.

And that is all for this podcast edition. A reminder, you can check out our new website at Risky Biz. Thanks for your company.
Risky Bulletin: Secret Ransomware Campaign Targeted DrayTek Routers for a Year
Episode Release Date: December 16, 2024
Host: Claire Aird, Risky.biz
The episode opens with a deep dive into a covert ransomware operation targeting DrayTek routers. For the past year, threat actors have exploited a suspected zero-day vulnerability in these routers, allowing them to deploy ransomware effectively. The group behind this campaign, known as Monstrous Mantis, used the vulnerability to extract router passwords and distribute them to collaborators. This information is based on a joint report by Forescout and Prodaft. Notably, those collaborators included a longtime affiliate of the REvil group and the initial access broker Wazawaka, who was arrested in Russia in November. Despite extensive investigations, Forescout could not link the vulnerability to a specific CVE. One significant victim of this campaign was the Greater Manchester Police Department in the UK.
"A threat actor has been using a suspected zero-day in DrayTek routers since last August to deploy ransomware."
— Claire Aird [00:04]
Authorities from Australia and Belgium have issued urgent warnings to organizations to patch a critical Apache Struts vulnerability. This remote code execution flaw, patched at the end of November, allows attackers to upload and automatically execute malicious files. Claire emphasizes the severity of this vulnerability by recalling its role in past major breaches, including the infamous 2017 Equifax hack. Developers are urged to update their applications promptly to mitigate potential exploitation.
"Bugs in the Apache Struts framework have been behind several major historical breaches, including the 2017 Equifax hack."
— Claire Aird [00:04]
Yahoo has significantly downsized its internal security operations by laying off approximately 40 members of its security team, affectionately known as the "Paranoids." This move is part of a broader reduction affecting over 1,600 employees, representing about a fifth of its global workforce. Notably, Yahoo has disbanded its entire Red team, opting to outsource all offensive penetration testing activities.
"Yahoo laid off over 1,600 employees throughout the year, representing a fifth of its global workforce."
— Claire Aird [00:04]
Amazon has announced a delay in its migration plan to move approximately 1.5 million staff from on-premises Microsoft tools to the cloud-based Microsoft 365. The postponement, reported by Bloomberg, follows a security incident where Russian hackers accessed Microsoft's internal emails. Initially backed by a billion-dollar contract, the rollout is now rescheduled for next year to address these security concerns.
"Amazon paused the rollout after Russian hackers gained access to Microsoft's internal emails."
— Claire Aird [00:04]
Several significant law enforcement actions were highlighted:
Ridocs Cybercrime Market Takedown: U.S. authorities have dismantled Ridocs, an online marketplace that sold hacking tools, carding data, and personal information. Three administrators were arrested in Kosovo and Albania. Ridocs generated approximately a quarter of a million dollars since its inception in 2016.
Extradition of Nigerian National for ABK Abiola Campaign: A Nigerian national has been extradited from Ghana to face charges related to a large-scale Business Email Compromise (BEC) campaign named ABK Abiola. This operation, part of the FBI's Cyber Most Wanted list since 2020, involved a six-man group that stole over $6 million. Four members have already been detained and sentenced. Additionally, the U.S. Justice Department has indicted 14 North Korean nationals involved in similar activities, accusing them of generating at least $88 million for the North Korean regime through IT jobs, data theft, and extortion. The State Department has offered a $5 million reward for information on these groups.
"Officials say the workers used false identities and laptop farms to hide their identity from foreign companies, sometimes working for multiple companies at once."
— Claire Aird [00:04]
"The attackers are believed to have stolen the personal data of thousands of state residents."
— Claire Aird [00:04]
"The malicious code showed a fake error message that prompted users to download and install malware on their systems."
— Claire Aird [00:04]
Citrix has alerted its customers about a surge in password spraying attacks targeting NetScaler appliances. This warning comes shortly after a similar alert from Germany's cybersecurity agency. Citrix advises that even customers who have enabled multi-factor authentication should still anticipate service disruptions from the extra load the attack volume places on the appliances.
"Citrix has warned customers about an increase in password spraying attacks against NetScaler appliances."
— Claire Aird [00:04]
November witnessed a record number of ransomware victims, with over 630 posted on leak sites, surpassing the previous peak of 527 victims in May 2024. Ransomware groups Akira and RansomHub alone were responsible for a quarter of all incidents last month, according to cyber insurance provider Corvus.
"Ransomware groups posted over 630 victims on their leaked sites in November, making this the most active month on record."
— Claire Aird [00:04]
A malicious threat actor has stolen nearly 400,000 WordPress account credentials by backdooring GitHub repositories that offer hacking tools such as exploits and account checkers. The targeted victims include academics, security researchers, and other hackers. Datadog's security team indicates that this campaign is still ongoing, highlighting the persistent threat posed by compromised development platforms.
"A threat actor has stolen almost 400,000 WordPress account credentials from other hackers through backdoored GitHub projects."
— Claire Aird [00:04]
Filipino government officials have reported that online scam gangs are downsizing their operations to evade detection by local authorities. These groups are moving from large office compounds to smaller, more isolated locations. Estimates suggest that over 15,000 foreign nationals are currently trapped in scam operations within the Philippines.
"Online scam gangs are downsizing operations to avoid detection by local authorities."
— Claire Aird [00:04]
"Roskomnadzor claims the Japanese app was being used to sell drugs and recruit Russian citizens for terrorist and extremist purposes."
— Claire Aird [00:04]
"The ban was enforced by the country's financial regulator after the companies failed to register with local authorities."
— Claire Aird [00:04]
In response to new international sanctions targeting the Russian banking sector, Google has announced it will stop all payments to Play Store app developers with Russian bank accounts. This decision follows the exit of major payment processors like MasterCard and Visa from Russia after the Kremlin's invasion of Ukraine, further isolating Russian developers from global financial systems.
"Google will cease all payments to Play Store app developers with Russian bank accounts."
— Claire Aird [00:04]
Claire wraps up the episode by highlighting Risky.biz's new website, where listeners can access all audio, video, and written content. She also announces the rebranding of the Risky Business News podcast to the Risky Bulletin.
"You can check out our new website at Risky Biz."
— Claire Aird [00:04]
This episode of the Risky Bulletin provided a comprehensive overview of significant cybersecurity incidents and developments, offering listeners valuable insights into ongoing threats and the evolving landscape of cybercrime.