Threat Intel Update
This week, law enforcement agencies worldwide successfully disrupted several cybercriminal groups involved in selling personally identifiable information (PII), offering various illicit cyber services, and perpetrating fraud by impersonating IT professionals.
Throughout 2024, global law enforcement efforts have targeted similar operations, leading to the arrest of numerous cyber threat actors and the dismantling of the infrastructure supporting their criminal activities.
Cybersecurity News
- U.S. Government Indicts 14 North Koreans for Role in Fraudulent IT Worker Scheme – In this operation, North Korean individuals based in China and Russia used stolen and fake identities to secure remote IT jobs with U.S. companies. Over nearly six years, the indicted individuals earned approximately $88 million through this scheme. To facilitate their activities, the North Korean IT workers relied on U.S. citizens to receive and configure equipment provided by their employers and even had these individuals attend job interviews on their behalf. U.S. Department of Justice
- Rydox Marketplace Shutdown by Law Enforcement, Disrupting Sale of PII – As part of the operation, three individuals were arrested for their involvement, with two apprehended in Kosovo and one in Albania. The Rydox marketplace, active since 2016, specialized in selling personally identifiable information (PII), such as names, Social Security numbers, email addresses, and physical addresses. Rydox also provided tools for cybercriminals, including device information and login credentials. In addition, law enforcement seized a server in Malaysia, further dismantling the Rydox platform. The Hacker News
- AWS Credentials for Thousands of Organizations Stolen by Cybercriminal Groups Who Exploited Vulnerabilities in Public Websites – The attacks were carried out by groups identified as ShinyHunters and Nemesis. These threat actors targeted IP ranges associated with AWS, scanning for known application vulnerabilities and attempting to locate endpoints and extract customer credentials. The stolen data was stored in an AWS S3 bucket; however, due to a misconfiguration, the bucket was left exposed to the internet, allowing cybersecurity researchers to discover it. Dark Reading
- International Law Enforcement Operation Disrupts 27 Platforms Used to Facilitate Distributed Denial-of-Service Attacks – The operation, led by Europol, involved 15 law enforcement agencies from North America, Australia, Europe, and Latin America. During the operation, authorities identified 300 users of the targeted platforms and arrested two individuals in Europe. These platforms were used by cyber threat actors to disrupt websites and were accessible even to those with limited technical expertise. The operation was strategically timed to coincide with a period when cyber threat actors have historically launched DDoS attacks. The Record
- Banking Trojan Distributed in Phishing Campaign by Fake Job Recruiters – The trojan, known as AppLite Banker, targets victims through emails sent by a fictitious job recruiter, instructing them to download a malicious app. Once installed, the trojan grants threat actors access to the victim’s device, enabling them to modify phone settings, harvest Google credentials, and block calls. Additional capabilities include call forwarding, stealing text messages, and keylogging. The Hacker News