Operation Endgame: Global Sting Seizes 100 Servers, Arrests 4 in Major Malware Bust
An international law enforcement operation, codenamed 'Operation Endgame', has seized over 100 servers worldwide used by major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.
Conducted between 27 and 29 May 2024, the operation involved 16 location searches across Europe and resulted in four arrests—one in Armenia and three in Ukraine. Eight fugitives have been identified and will be added to Europol’s ‘Most Wanted’ list. The seized infrastructure, spread across Europe and North America, hosted over 2,000 domains, now under authorities' control.
Operation Endgame was supported by police forces from Germany, the US, the UK, France, Denmark, and the Netherlands, with intelligence from Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD.
Malware droppers establish initial device access, often using malicious emails or trojanised installers. They evolve from banking trojans, focusing on initial access and employing evasive tactics. Once established, they deploy more dangerous payloads, such as information stealers and ransomware. Europol revealed one suspect earned over €69 million by renting out ransomware deployment infrastructure.
Check Point VPN Zero-Day Exploited Since April: Active Directory Data Stolen, Urgent Updates Required
Threat actors have been exploiting a high-severity Check Point Remote Access VPN zero-day vulnerability since at least 30 April, stealing Active Directory data to move laterally through victims' networks.
Check Point warned customers that attackers are targeting their security gateways using old VPN local accounts with insecure password-only authentication. The vulnerability, tracked as CVE-2024-24919, allows attackers to read information on Internet-connected Gateways with remote access VPN or mobile access enabled. Check Point released hotfixes for vulnerable CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances to block these attacks.
Despite Check Point's announcement of the zero-day exploitation starting around 24 May, cyber security company mnemonic observed exploitation attempts as early as 30 April. The flaw is particularly critical due to its ease of remote exploitation without user interaction. Attackers have been extracting password hashes, including those used to connect to Active Directory, enabling lateral movement within networks.
Check Point advises customers to update systems, remove vulnerable local users, rotate LDAP connection passwords, search logs for signs of compromise, and update the Check Point IPS signature.
Okta warns of credential stuffing attacks on Cross-Origin authentication feature in customer identity cloud
Okta is warning that a cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks by threat actors.
Suspicious activity began on 15 April 2024, with the company "proactively" informing customers with the feature enabled. The number of impacted customers was not disclosed.
Credential stuffing involves adversaries using lists of usernames and passwords obtained from previous data breaches or phishing and malware campaigns to sign into online services.
Okta advises users to review tenant logs for unexpected login events—failed cross-origin authentication (fcoa), success cross-origin authentication (scoa), and breached password (pwd_leak). Users should rotate credentials, restrict or disable cross-origin authentication, enable breached password detection or Credential Guard, prohibit weak passwords, and enrol in passwordless, phishing-resistant authentication using new standards such as passkeys.
This warning follows a recent alert about increased credential stuffing attacks facilitated by residential proxy services.
Over 90 malicious Android apps found on Google Play, installed 5.5 million times, spreading Anatsa banking trojan
Over 90 malicious Android apps have been discovered on Google Play, amassing over 5.5 million installations, delivering malware and adware. Notably, the Anatsa banking trojan, also known as "Teabot," has seen a recent surge in activity. Anatsa targets over 650 financial institution applications across Europe, the US, the UK, and Asia, attempting to steal e-banking credentials for fraudulent transactions.
Threat Fabric reported in February 2024 that Anatsa had infected at least 150,000 devices via Google Play since late last year, using decoy productivity apps. Zscaler's analysis revealed that two such apps had already reached 70,000 installations, highlighting the vulnerability of Google's review process.
Anatsa dropper apps evade detection through a multi-stage payload loading mechanism involving four steps: retrieving configuration and strings from the C2 server, downloading and activating a malicious DEX file, fetching a configuration file with the payload URL, and installing the malware APK.
