Risky Bulletin: Secret Ransomware Campaign Targeted DrayTek Routers for a Year
Episode Release Date: December 16, 2024
Host: Claire Aird, Risky.biz
1. Secret Ransomware Campaign on DrayTek Routers
The episode opens with a deep dive into a covert ransomware operation targeting DrayTek routers. For roughly a year, threat actors have exploited a suspected zero-day vulnerability in these routers to gain a foothold in victim networks and deploy ransomware. The group behind the exploitation, tracked as Monstrous Mantis, used the vulnerability to harvest router credentials and pass them on to partner groups. This account is based on a joint report by Forescout and PRODAFT. Notably, Wazawaka, an initial access broker and longtime affiliate of the REvil group, was arrested in Russia in November in connection with these activities. Despite extensive investigation, Forescout could not tie the vulnerability to a specific CVE. One significant victim of the campaign was Greater Manchester Police in the UK.
"A threat actor has been using a suspected zero-day in DrayTek routers since last August to deploy ransomware."
— Claire Aird [00:04]
2. Apache Struts Vulnerability Warnings
Authorities in Australia and Belgium have issued urgent warnings urging organizations to patch a critical Apache Struts vulnerability. The remote code execution flaw, patched at the end of November, lies in the framework's file-upload handling and lets an attacker upload a malicious file to the server and have it executed. Claire underlines the severity by recalling the role Struts bugs have played in past major breaches, including the 2017 Equifax hack. Developers are urged to update their applications promptly before exploitation becomes widespread.
"Bugs in the Apache Struts framework have been behind several major historical breaches, including the 2017 Equifax hack."
— Claire Aird [00:04]
3. Yahoo Lays Off Security Team ("Paranoids")
Yahoo has significantly downsized its internal security operations by laying off approximately 40 members of its security team, known internally as the "Paranoids." The cuts are part of a broader reduction affecting over 1,600 employees, about a fifth of its global workforce. Notably, Yahoo has disbanded its entire red team and will outsource offensive penetration testing instead.
"Yahoo laid off over 1,600 employees throughout the year, representing a fifth of its global workforce."
— Claire Aird [00:04]
4. Amazon Delays Microsoft 365 Rollout Over Security Concerns
Amazon has announced a delay in its migration plan to move approximately 1.5 million staff from on-premises Microsoft tools to the cloud-based Microsoft 365. The postponement, reported by Bloomberg, follows a security incident where Russian hackers accessed Microsoft's internal emails. Initially backed by a billion-dollar contract, the rollout is now rescheduled for next year to address these security concerns.
"Amazon paused the rollout after Russian hackers gained access to Microsoft's internal emails."
— Claire Aird [00:04]
5. Law Enforcement Crackdowns on Cybercrime
Several significant law enforcement actions were highlighted:
- Rydox Cybercrime Market Taken Down: U.S. authorities have dismantled Rydox, an online marketplace that sold hacking tools, carding data, and personal information. Three administrators were arrested in Kosovo and Albania. Rydox generated approximately a quarter of a million dollars in sales since it launched in 2016.
- Extradition of Nigerian National in BEC Case: A Nigerian national, Abiola Kayode, has been extradited from Ghana to face charges over a large-scale Business Email Compromise (BEC) scheme. He had been on the FBI's Cyber Most Wanted list since 2020; the six-man group he is accused of belonging to stole over $6 million, and four other members have already been detained and sentenced. In a separate case, the U.S. Justice Department has indicted 14 North Korean nationals accused of generating at least $88 million for the North Korean regime through fraudulently obtained remote IT jobs, data theft, and extortion. The State Department has offered a $5 million reward for information on these groups.
"Officials say the workers used false identities and laptop farms to hide their identity from foreign companies, sometimes working for multiple companies at once."
— Claire Aird [00:04]
6. Recent Hacking Incidents
- Rhode Island Public Assistance Portal Breach: Hackers gained unauthorized access to RI Bridges, Rhode Island’s portal for public assistance programs. Following a security alert from a cybersecurity vendor, officials took down the portal. The attackers are suspected of seeking ransom and have stolen personal data of thousands of residents in a state with just over a million people.
"The attackers are believed to have stolen the personal data of thousands of state residents."
— Claire Aird [00:04]
- CSDN Watering Hole Attack: A sophisticated watering hole attack was discovered on CSDN, China's largest IT community portal. An unknown threat actor injected malicious code into one of the site's JavaScript files, targeting users associated with media organizations. The malicious script displayed fake error messages prompting users to download and install malware.
"The malicious code showed a fake error message that prompted users to download and install malware on their systems."
— Claire Aird [00:04]
7. Citrix Warns of Increased Password Spraying Attacks
Citrix has alerted its customers to a surge in password spraying attacks targeting NetScaler appliances. The warning follows a similar alert from Germany's cybersecurity agency, the BSI. Citrix notes that multi-factor authentication does not stop these attacks from consuming appliance resources, so even customers with MFA enabled should expect degraded performance or service disruption at the current attack volumes.
"Citrix has warned customers about an increase in password spraying attacks against NetScaler appliances."
— Claire Aird [00:04]
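Password spraying is easy to miss if you only count failures per account, because the attacker touches each account only once or twice; the signal is one source failing against many distinct accounts. The following detector is an added example, not code from Citrix or Risky.biz. It runs over a constructed, simplified failed-login log (the line format, field names and thresholds are assumptions; real NetScaler AAA syslog lines look different and would need their own parser) and labels each source IP as a password spray, a single-account brute force, or normal activity.

```python
"""Classify failed-login sources as password spraying, brute force or normal.

Added example, not Citrix's or Risky.biz's code. The log line format below is an
assumption (a simplified stand-in for NetScaler AAA auth-failure events); adapt
parse_failures() to the real format before using this on production logs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
#   "<ISO timestamp> AAA LOGIN_FAILED user=<account> src=<ip>"
# 203.0.113.10 sprays six accounts once each; 198.51.100.7 hammers one account;
# 192.0.2.44 is a user mistyping a password twice.
SAMPLE_LOG = """\
2024-12-16T09:00:01 AAA LOGIN_FAILED user=alice src=203.0.113.10
2024-12-16T09:00:03 AAA LOGIN_FAILED user=bob src=203.0.113.10
2024-12-16T09:00:05 AAA LOGIN_FAILED user=carol src=203.0.113.10
2024-12-16T09:00:07 AAA LOGIN_FAILED user=dave src=203.0.113.10
2024-12-16T09:00:09 AAA LOGIN_FAILED user=erin src=203.0.113.10
2024-12-16T09:00:11 AAA LOGIN_FAILED user=frank src=203.0.113.10
2024-12-16T09:00:20 AAA LOGIN_FAILED user=alice src=198.51.100.7
2024-12-16T09:00:25 AAA LOGIN_FAILED user=alice src=198.51.100.7
2024-12-16T09:00:30 AAA LOGIN_FAILED user=alice src=198.51.100.7
2024-12-16T09:00:35 AAA LOGIN_FAILED user=alice src=198.51.100.7
2024-12-16T09:00:40 AAA LOGIN_FAILED user=alice src=198.51.100.7
2024-12-16T09:00:45 AAA LOGIN_FAILED user=alice src=198.51.100.7
2024-12-16T10:30:00 AAA LOGIN_FAILED user=grace src=192.0.2.44
2024-12-16T10:30:02 AAA LOGIN_FAILED user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) AAA LOGIN_FAILED user=(\S+) src=(\S+)$")


def parse_failures(text):
    """Yield (timestamp, account, source_ip) for each failed-login line.

    Lines that do not match the assumed format are skipped rather than
    raising, so a mixed syslog stream can be fed in directly."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def classify_sources(text, window=timedelta(minutes=10),
                     spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=5):
    """Return {source_ip: label} using a sliding time window per source.

    password_spray: within `window`, failures against at least
        `spray_min_accounts` distinct accounts, averaging no more than
        `spray_max_per_account` attempts per account (wide and shallow).
    brute_force: within `window`, at least `brute_min_attempts` failures
        against a single account (narrow and deep).
    normal: neither threshold reached."""
    by_src = defaultdict(list)
    for ts, account, src in parse_failures(text):
        by_src[src].append((ts, account))

    labels = {}
    for src, events in by_src.items():
        events.sort()
        label = "normal"
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in events[start:end + 1])
            attempts = sum(per_account.values())
            if (len(per_account) >= spray_min_accounts
                    and attempts / len(per_account) <= spray_max_per_account):
                label = "password_spray"
                break
            if max(per_account.values()) >= brute_min_attempts:
                label = "brute_force"
                break
        labels[src] = label
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

The thresholds are deliberately low so the constructed sample triggers; on a real appliance tune them against a baseline of normal failure rates. Note that the detector keys on failures per source, not on MFA outcomes: as the Citrix advisory points out, MFA does not reduce the number of authentication requests the appliance has to process, so the load problem shows up in the failure volume regardless of whether any password is guessed correctly.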
8. Record High in Ransomware Victims
November saw a record number of ransomware victims, with over 630 posted on leak sites, surpassing the previous peak of 527 victims in May 2024. Ransomware groups Akira and RansomHub alone accounted for a quarter of all incidents last month, according to cyber insurance provider Corvus.
"Ransomware groups posted over 630 victims on their leak sites in November, making this the most active month on record."
— Claire Aird [00:04]
9. Massive Theft of WordPress Account Credentials via GitHub
A threat actor has stolen nearly 400,000 WordPress account credentials by backdooring GitHub repositories that purport to offer hacking tools such as exploits and account checkers. The victims are the people who download and run those tools: academics, security researchers, and other hackers. Datadog's security team reports that the campaign is still ongoing.
"A threat actor has stolen almost 400,000 WordPress account credentials from other hackers through backdoored GitHub projects."
— Claire Aird [00:04]
10. Filipino Online Scam Gangs Downsize Operations
Filipino government officials have reported that online scam gangs are downsizing their operations to evade detection by local authorities. These groups are moving from large office compounds to smaller, more isolated locations. Estimates suggest that over 15,000 foreign nationals are currently trapped in scam operations within the Philippines.
"Online scam gangs are downsizing operations to avoid detection by local authorities."
— Claire Aird [00:04]
11. Viber Blocked in Russia & Cambodia Bans Crypto Exchanges
- Viber Blocked in Russia: Russia's telecommunications watchdog, Roskomnadzor, has blocked access to the Viber messaging application. The official reason cited is the app's use in selling drugs and recruiting citizens for terrorist and extremist activities. Viber had over 14.5 million users in Russia, accounting for about a quarter of all secure messenger users in the country.
"Roskomnadzor claims the Japanese app was being used to sell drugs and recruit Russian citizens for terrorist and extremist purposes."
— Claire Aird [00:04]
- Cambodia Bans Crypto Exchanges: The Cambodian government has blocked access to 16 cryptocurrency exchanges, including prominent names like Coinbase, Binance, and OKX. The ban, enforced by the country's financial regulator, is part of a broader block on over 100 websites, primarily gambling-related sites that failed to register with local authorities.
"The ban was enforced by the country's financial regulator after the companies failed to register with local authorities."
— Claire Aird [00:04]
12. Google Halts Payments to Russian Play Store Developers
In response to new international sanctions targeting the Russian banking sector, Google has announced it will stop all payments to Play Store app developers with Russian bank accounts. This decision follows the exit of major payment processors like MasterCard and Visa from Russia after the Kremlin's invasion of Ukraine, further isolating Russian developers from global financial systems.
"Google will cease all payments to Play Store app developers with Russian bank accounts."
— Claire Aird [00:04]
Closing Remarks
Claire wraps up the episode by highlighting Risky.biz's new website, where listeners can access all audio, video, and written content. She also announces the rebranding of the Risky Business News podcast to the Risky Bulletin.
"You can check out our new website at Risky Biz."
— Claire Aird [00:04]
This episode of the Risky Bulletin provided a comprehensive overview of significant cybersecurity incidents and developments, offering listeners valuable insights into ongoing threats and the evolving landscape of cybercrime.
