Microsoft, Fortra Go After Illicit Cobalt Strike Tools Abused By Cybercriminals
Read also: Crypto exchange GDAC hit with a $14M hack, Ares Leaks fills the void after BreachForums shutdown, and more.
Thursday, April 13, 2023
Microsoft, Fortra crackdown on illicit Cobalt Strike tools
Microsoft’s Digital Crimes Unit (DCU) has teamed up with cybersecurity company Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) to prevent the abuse of a popular adversary simulation tool Cobalt Strike by cybercriminals to distribute malware, including ransomware.
Microsoft said it obtained the legal permission to seize malicious infrastructure used by threat actors to store and share illicit copies of Cobalt Strike and compromised Microsoft software, thus impacting criminal’s immediate operations.
Previously, ransomware groups like Conti and LockBit were seen leveraging cracked copies of Cobalt Strike to deploy ransomware as part of their RaaS (ransomware-as-a-service) business model. Recently, the cracked versions of the tool have been observed in at least 68 ransomware attacks against healthcare organizations in 19 countries. Furthermore, nation-state actors linked to Russia, China, Vietnam, and Iran are also using malicious copies of Cobalt Strike in their operations.
South Korean crypto exchange GDAC hit with a $14M hack
GDAC, a South Korean cryptocurrency exchange, suffered a cyber incident on April 9, 2023, which saw about 23% of its total assets, including Bitcoin, Ethereum, USDT and WEMIX transferred from its hot wallet to an unidentified wallet.
It is estimated that roughly $14 million worth of various cryptocurrencies were stolen.
Following the hack the company halted deposits and withdrawals and reported the incident to the relevant authorities.
Ares Leaks fills the void after BreachForums’ demise
A new cybercriminal forum called Ares Leaks has been gaining traction following the shutdown of the infamous BreachForums platform last month selling and leaking databases stolen from private companies and public authorities.
According to cybersecurity firm Cyfirma, Ares Leaks, run by a cybercrime group known as Ares, was launched at the end of March 2023, and currently offers access to data leaks from 65 countries, including the US, India, Philippines, Mexico, Australia, Ukraine, Thailand, France, Spain, and Italy. Besides stolen data, the group also offers botnet and DDoS services.
Cybercriminals sell Android app trojans for up to $20,000
Although official app stores like Google Play implement rigorous security testing to prevent the installation of harmful programs, malware authors who are creating tools that allow to transform existing Android apps into malicious ones are always looking for new ways to circumvent the vetting process.
An extensive study of nine popular Dark Web cybercriminal forums revealed a thriving Android market offering a variety of services ranging from loaders able to add a malicious or unwanted app to Google Play ($2,000–$20,000) and binding services (about $50–$100 per file) to malware obfuscation and features like user-friendly UI, victim country filters, and easy-to-use control panels.
The researchers found that access to a Google Play developer account (either compromised or newly created by threat actors) can be purchased quite cheaply, with prices ranging from $60 to $200, depending on account features (number of already published apps, number of their downloads, etc.).
Taiwanese hardware maker MSI confirms cyber-attack, cautions against unofficial firmware
Taiwanese gaming hardware giant MSI confirmed it was hit with a cyber-attack after a ransomware gang called “Money Message” named the company as one of its victims.
The hackers claimed that they stole nearly 1.5TB of data from MSI, including source code and BIOS firmware, and threatened to leak the documents if a $4 million ransom is not paid.
The company did not provide any details on the nature of the incident, only saying that it had no “significant” impact on its business operations. At the same time, MSI urged users to download firmware/BIOS updates only from its official website and no other sources.
What’s next:
- Follow ImmuniWeb on Twitter and LinkedIn
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Cybercrime Prosecution Weekly is a digest of most important events related to cybercrime investigation and prosecution, cyber law, as well as to new data breaches and security incidents that deserve attention of our customers and partners. 
