Threat Briefing: August 30, 2024

Threat Intel Update

Cyber adversaries are always evolving their tactics, whether by enhancing malware variants, exploiting newly discovered vulnerabilities, employing innovative techniques to breach systems, or altering the speed of their attacks to evade detection. A notable incident from this week involved an employee who intentionally disclosed information about a cyber event to a representative of the Chinese government. This serves as a critical reminder that cyber actors are not only interested in gaining access to systems but are also keen to understand how victims respond to cyber attacks.

Cybersecurity News

  • Latvian National Linked to Karakurt Ransomware Indicted in U.S. – Deniss Zolotarjovs, arrested in Georgia in December 2023 and extradited to the U.S. in August 2024, has been connected to ransomware victim negotiations and reconnaissance activities. He was involved in laundering funds for the group and was tied to a cryptocurrency wallet and several communication accounts. Zolotarjovs is notably the first member of the Karakurt group to be arrested and extradited to the United States. The Hacker News
  • Chinese Cyber Threat Actor Group Linked to Exploitation of Cisco Nexus Switches – The group known as Velvet Ant exploited a vulnerability in NX-OS, the operating system used by Nexus switches. They leveraged stolen credentials to gain entry to these switches and then used the vulnerability to reach the NX-OS level. With this level of access, the threat actors could manipulate the system, execute malicious scripts, and deploy malware named Velvet Shell to maintain persistent access to the compromised systems. Security Week
  • Former Verizon Employee Pleads Guilty to Providing Inside Information to Chinese Government – The individual used their position to share information on cybersecurity training with the Chinese Ministry of State Security (MSS). In 2021, they provided details to an MSS officer about a cyber incident involving a U.S. company targeted by a Chinese cyber operation. Additionally, the individual used their role to disclose information about Chinese dissidents and pro-democracy activists. CyberScoop
  • Apple Users Targeted with Campaign Delivering Cthulhu Stealer – The information stealer has been offered through a subscription model costing $500 per month. Written in Golang, Cthulhu can impersonate various types of software. When a victim installs the Cthulhu stealer, they are prompted to enter their system password, allowing the malware to extract system information and passwords from iCloud Keychain. The Hacker News
  • Cyber Threat Actors Increasing Pace of Online Fraud Activity – According to a report from Chainalysis, cyber actors are accelerating their infrastructure refresh rates and shortening the duration of scam campaigns. Recently, 43% of revenue from online scams was directed to wallets that had been active for less than a year, up from nearly 30% in 2022. The average duration of scam campaigns dropped to 42 days in 2024, compared to 271 days in 2020. This shift is likely a result of enhanced attribution capabilities and improved tracking of scam-related infrastructure. CyberScoop


About the Author

CampusGuard Threat Intel Team