Threat Briefing: September 20, 2024

One of the major cybersecurity stories this week was the uncovering of a years-long botnet operation involving over 200,000 devices, orchestrated by cyber threat actors linked to the Chinese government and a publicly traded Chinese company. The operation was ultimately disrupted by the U.S. government, leading to the removal of the malicious software.

This case illustrates how cyber threat actors can conduct prolonged campaigns to achieve their objectives, whether it’s for intelligence gathering or financial gain. They often remain undetected for extended periods, posing a significant challenge to network defenders. Although the disruption cleared the malware from thousands of devices, the FBI and Department of Justice received recommendations to better define what constitutes “success” in combating ransomware. This highlights the ongoing difficulties in the ever-evolving cyber threat landscape. Additionally, the attackers managed to exploit a widely-used tool for malware distribution, serving as a reminder that cybercriminals will target the trusted brands and tools we depend on to perform our work.

• Raptor Train Botnet Linked to Chinese Cyber Threat Actor Compromised Over 200,000 Devices – The botnet, consisting of Internet of Things (IoT) and small office/home office (SOHO) routers, was infected with a malware variant called Nodedive, derived from the notorious Mirai botnet. Operated by a group known as Flax Typhoon since May 2020, the botnet received support from a Beijing-based company, Integrity Technology Group. The U.S. government intervened to disrupt the botnet, successfully disabling the malware on compromised devices. Nearly half of the infected devices were located in the United States, with additional infections spread across Australia, Europe, and South Asia. This incident underscores the vulnerability of IoT devices and home routers to sophisticated cyber operations. The Hacker News
• Fake Vendor Scams Tennessee School District, Resulting in $3.4 Million Loss – In March 2024, a Tennessee school district fell victim to a fraud scheme when an employee received an email from what appeared to be a legitimate education vendor, but was actually a spoofed address. The district unknowingly used funds from a state program to pay the fraudulent vendor. The money was transferred to a bank account established by an individual in the U.S., who later claimed to be an unwitting participant in the scheme, acting as a money mule. Fortunately, the school district has managed to recover a portion of the stolen funds. The Record
• North Korean Cyber Actors Target Energy and Aerospace Sectors with New Malware – Cyber actors affiliated with North Korea’s Lazarus Group have launched a phishing campaign against targets in the energy and aerospace industries in the U.S., Australia, and Europe. Victims receive phishing emails disguised as job opportunities and are instructed to open the attachments using a compromised version of a PDF reader, which then installs malware on their systems. This tactic allows the attackers to gain unauthorized access to sensitive information and systems within these critical sectors. The Hacker News
• Lumma Stealer Spread via Fake GitHub “Scanner” – A cyber threat actor has been targeting GitHub users by falsely claiming that their repositories contain security vulnerabilities. Victims are directed to a malicious website to download a “GitHub Scanner” tool, which instead installs the Lumma Stealer malware. Some users have also received phishing emails warning them of a security issue and urging them to visit the same site to download the supposed scanner. This campaign highlights the importance of verifying the authenticity of security alerts and tools before taking action. Bleeping Computer
• Inspector General Calls for Improved Tracking of FBI Ransomware Disruption Efforts – A recent report from the Department of Justice Inspector General suggests that the FBI and DOJ should refine their criteria for measuring success in disrupting ransomware operations. The report points to challenges in case coordination between law enforcement agencies and U.S. Attorney’s offices, recommending better tracking of metrics such as the number of victims who receive decryption keys from the government. Improved deconfliction and more comprehensive data on these efforts could enhance the effectiveness of federal ransomware responses. The Record