Germany sinkholes BadBox malware pre-loaded on Android devices



Germany’s Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.

The types of impacted devices include digital picture frames, media players and streamers, and potentially smartphones and tablets.

BadBox is Android malware that comes pre-installed in an internet-connected device’s firmware and is used to steal data, install additional malware, or give the threat actors remote access to the network where the device is located.

When an infected device is first connected to the internet, the malware will attempt to contact a remote command and control server run by the threat actors. This remote server will tell the BadBox malware what malicious services should be run on the device and will also receive data stolen from the network.

BSI says the malware can steal two-factor authentication codes, install further malware, and create email and messaging platform accounts to spread fake news. It can also engage in ad fraud by loading and clicking on ads in the background, generating revenue for fraud rings.

Finally, BadBox can be set up to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic. This tactic, known as residential proxying, often involves illegal operations that implicate the user’s IP address.

Germany’s cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker’s command and control servers.

Sinkholing prevents the malware from sending stolen data to the attackers and receiving new commands to execute on the infected device, effectively preventing the malware from working.
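As an added illustration of the sinkholing mechanism the article describes (example code written for this page, not BSI's or the article's own): a toy DNS sinkhole that answers A queries for listed C2 names with a sinkhole address instead of the real one and records which client IP asked, which is the data an ISP then uses to notify the subscriber. The zone names and addresses are constructed placeholders, not real BadBox indicators.

```python
"""Toy DNS sinkhole: queries for names on the sinkhole list get an A record
pointing at a sinkhole address; everything else returns None so the caller
can forward it to a normal upstream resolver. Every hit is recorded per
client IP, which is what lets an ISP map a sinkholed query to a subscriber.
Hypothetical example; names and addresses below are constructed."""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample C2 zones (placeholders, not real indicators).
SINKHOLE_ZONES: Set[str] = {"badbox-c2.example", "cdn-update.example"}
# TEST-NET-1 address standing in for the police-controlled server.
SINKHOLE_IP = "192.0.2.10"
QTYPE_A = 1


def encode_qname(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels: List[str] = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive query (simulates an infected device asking)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def is_sinkholed(name: str) -> bool:
    """Match the listed zone itself and any subdomain of it."""
    return any(name == z or name.endswith("." + z) for z in SINKHOLE_ZONES)


class Sinkhole:
    def __init__(self) -> None:
        # client IP -> set of C2 names it asked for
        self.hits: Dict[str, Set[str]] = defaultdict(set)

    def handle(self, query: bytes, client_ip: str) -> Optional[bytes]:
        """Answer sinkholed A queries; return None for everything else."""
        txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
        if qdcount != 1:
            return None
        name, off = decode_qname(query, 12)
        qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
        if qtype != QTYPE_A or not is_sinkholed(name):
            return None
        self.hits[client_ip].add(name)
        # Response header: QR=1, RD=1, RA=1, RCODE=0, one question, one answer.
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        question = query[12:off + 4]
        # Answer: compression pointer to the question name at offset 12, type A,
        # class IN, short TTL so the record ages out of caches quickly, 4-byte rdata.
        rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, len(rdata)) + rdata
        return header + question + answer

    def notification_report(self) -> Dict[str, List[str]]:
        """What the ISP needs: each client IP with the C2 names it resolved."""
        return {ip: sorted(names) for ip, names in self.hits.items()}


def answer_ip(response: bytes) -> str:
    """Extract the A record address from a response built by Sinkhole.handle."""
    return ".".join(str(b) for b in response[-4:])
```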

“The BSI is currently redirecting the communication of affected devices to the perpetrators’ control servers as part of a sinkholing measure pursuant to Section 7c of the BSI Act (BSIG),” reads BSI’s announcement.

“This affects providers who have over 100,000 customers. There is no acute danger for these devices as long as the BSI maintains the sinkholing measure.”

Infected device owners to be notified

Device owners who are impacted by this sinkholing operation will be notified by their internet service providers based on their IP address.

The agency says that anyone who receives a notification should immediately disconnect the device from their network or stop using it. Unfortunately, as the malware came pre-installed with firmware, other firmware from the device’s manufacturer should not be trusted and the device should be returned or discarded.

BSI notes that all of the impacted devices were running outdated Android versions and old firmware, so even if they were secured against BadBox, they remain vulnerable to other botnet malware for as long as they are exposed online.

“Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions in particular pose a huge risk,” warned BSI President Claudia Plattner. “We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market. But consumers can also do something: cyber security should be an important criterion when purchasing!”

Moreover, the announcement mentions that, due to the wide variety of Android IoT manufacturers and device models, it’s very likely that many more devices infected by BadBox or similar malware exist in the country, which BSI could not pinpoint this time.

This may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that follow an obscure route from manufacturing to resell networks.

Signs that your device is infected by botnet malware include overheating when seemingly idle, random performance drops, unexpected settings changes, atypical activity, and connections to unknown external servers.

To mitigate the risk of outdated Android IoT devices, install a firmware image from a trustworthy vendor, turn off unnecessary connectivity features, and keep the device isolated from critical networks.

Generally, it is recommended that you buy smart devices only from reputable manufacturers and look for products offering long-term security support.




Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms


Dec 13, 2024 | The Hacker News | IoT Security / Operational Technology


Iran-affiliated threat actors have been linked to a new custom malware that’s geared toward IoT and operational technology (OT) environments in Israel and the United States.

The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms.

“While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration,” the company said.


The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM) to date.

Claroty said it analyzed a malware sample extracted from a Gasboy fuel management system that was previously compromised by the hacking group called Cyber Av3ngers, which has been linked to cyber attacks exploiting Unitronics PLCs to breach water systems. The malware was embedded within Gasboy’s Payment Terminal, otherwise called OrPT.

This also means that the threat actors, given their ability to control the payment terminal, also had the means to shut down fuel services and potentially steal credit card information from customers.

“The malware is essentially a cyberweapon used by a nation-state to attack civilian critical infrastructure; at least one of the victims were the Orpak and Gasboy fuel management systems,” Claroty said.

The end goal of the infection chain is to deploy a backdoor that’s automatically executed every time the device restarts. A notable aspect of IOCONTROL is its use of MQTT, a messaging protocol widely used in IoT devices, for communications, thereby allowing the threat actors to disguise malicious traffic.

What’s more, command-and-control (C2) domains are resolved using Cloudflare’s DNS-over-HTTPS (DoH) service. This approach, already adopted by Chinese and Russian nation-state groups, is significant because it lets the malware avoid the detection that sending DNS requests in cleartext would invite.


Once a successful C2 connection is established, the malware transmits information about the device, namely hostname, current user, device name and model, timezone, firmware version, and location, to the server, after which it awaits further commands for execution.

These include checking that the malware is installed in the designated directory, executing arbitrary operating system commands, terminating the malware, and scanning an IP range on a specific port.

“The malware communicates with a C2 over a secure MQTT channel and supports basic commands including arbitrary code execution, self-delete, port scan, and more,” Claroty said. “This functionality is enough to control remote IoT devices and perform lateral movement if needed.”
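The MQTT-plus-DoH C2 pattern described above is something a defender can hunt for in network flow data. The following is an added example written for this page (not Claroty's code): it flags hosts that contact a public DoH resolver and then open MQTT to a broker outside an allowlist, rating the combination higher than either signal alone. The flow records, the allowlisted broker and the host addresses are constructed; the Cloudflare resolver addresses are the public ones.

```python
"""Flag OT/IoT hosts showing an IOCONTROL-style C2 pattern: DNS-over-HTTPS to a
public DoH resolver followed by MQTT to a broker that is not an approved one.
Runs over constructed flow records (CSV: ts,src_ip,dst_ip,dst_port,proto)."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Cloudflare's public resolver addresses, which also serve its DoH endpoint.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}
MQTT_PORTS = {1883, 8883}
# Constructed: the only broker this fleet's telemetry is supposed to reach.
APPROVED_BROKERS = {"10.20.0.5"}

# Constructed sample flows: .17 resolves via DoH then opens MQTT to an unknown
# host; .23 behaves normally; .31 only touches the DoH resolver.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto
1734048000,10.20.1.17,1.1.1.1,443,tcp
1734048003,10.20.1.17,198.51.100.44,8883,tcp
1734048010,10.20.1.23,10.20.0.5,8883,tcp
1734048015,10.20.1.31,1.0.0.1,443,tcp
1734048020,10.20.1.23,8.8.8.8,53,udp
"""

Event = Tuple[int, str]  # (timestamp, tag)


def analyze(flow_csv: str) -> Dict[str, List[Event]]:
    """Return, per source host, the suspicious events seen, sorted by time."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts, src, dst = int(row["ts"]), row["src_ip"], row["dst_ip"]
        port = int(row["dst_port"])
        if dst in DOH_RESOLVERS and port == 443:
            # Encrypted DNS from an OT device: hides which names it resolves.
            events[src].append((ts, "doh:" + dst))
        elif port in MQTT_PORTS and dst not in APPROVED_BROKERS:
            # MQTT is normal in OT, but only to brokers we know about.
            events[src].append((ts, "mqtt-unapproved:" + dst))
    return {src: sorted(ev) for src, ev in events.items()}


def severity(events: Dict[str, List[Event]]) -> Dict[str, str]:
    """High when an unapproved MQTT session follows a DoH lookup (the C2 order
    described for IOCONTROL); medium for either signal on its own."""
    out: Dict[str, str] = {}
    for src, ev in events.items():
        first_doh = min((ts for ts, tag in ev if tag.startswith("doh:")), default=None)
        mqtt_after_doh = first_doh is not None and any(
            tag.startswith("mqtt-unapproved:") and ts >= first_doh for ts, tag in ev
        )
        out[src] = "high" if mqtt_after_doh else "medium"
    return out


if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for host, level in severity(found).items():
        print(host, level, [tag for _, tag in found[host]])
```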





Feds Charge Five Men in ‘Scattered Spider’ Roundup – Krebs on Security


Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. Image: Amitai Cohen twitter.com/amitaico.

The five men, aged 20 to 25, are allegedly members of a hacking conspiracy dubbed “Scattered Spider” and “Oktapus,” which specialized in SMS-based phishing attacks that tricked employees at tech firms into entering their credentials and one-time passcodes at phishing websites.

The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.

These attacks leveraged newly-registered domains that often included the name of the targeted company, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.

The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname “Joeleoli.”

The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims.

That Joeleoli moniker registered on the cybercrime forum OGusers in 2018 with the email address joelebruh@gmail.com, which also was used to register accounts at several websites for a Joel Evans from North Carolina. Indeed, prosecutors say Joeleoli’s real name is Joel Martin Evans, and he is a 25-year-old from Jacksonville, North Carolina.

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then used their access to Twilio to attack at least 163 of its customers. According to prosecutors, the group mainly sought to steal cryptocurrency from victim companies and their employees.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the assistant director in charge of the FBI’s Los Angeles field office.

Many of the hacking group’s phishing domains were registered through the registrar NameCheap, and FBI investigators said records obtained from NameCheap showed the person who managed those phishing websites did so from an Internet address in Scotland. The feds then obtained records from Virgin Media, which showed the address was leased for several months to Tyler Buchanan, a 22-year-old from Dundee, Scotland.

A Scattered Spider phishing lure sent to Twilio employees.

As first reported here in June, Buchanan was arrested in Spain as he tried to board a flight bound for Italy. The Spanish police told local media that Buchanan, who allegedly went by the alias “Tylerb,” at one time possessed Bitcoins worth $27 million.

The government says much of Tylerb’s cryptocurrency wealth was the result of successful SIM-swapping attacks, wherein crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

According to several SIM-swapping channels on Telegram that Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

A still frame from a video released by the Spanish national police, showing Tyler Buchanan being taken into custody at the airport.

Prosecutors allege Tylerb worked closely on SIM-swapping attacks with Noah Michael Urban, another alleged Scattered Spider member from Palm Coast, Fla., who went by the handles “Sosa,” “Elijah,” and “Kingbob.”

Sosa was known to be a top member of the broader cybercriminal community online known as “The Com,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate networks.

In January 2024, KrebsOnSecurity broke the news that Urban had been arrested in Florida in connection with multiple SIM-swapping attacks. That story noted that Sosa’s alter ego Kingbob routinely targeted people in the recording industry to steal and share “grails,” a slang term used to describe unreleased music recordings from popular artists.

FBI investigators identified a fourth alleged member of the conspiracy – Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas — after he used a portion of cryptocurrency funds stolen from a victim company to pay for an account used to register phishing domains.

The indictment unsealed Wednesday alleges Elbadawy controlled a number of cryptocurrency accounts used to receive stolen funds, along with another Texas man — Evans Onyeaka Osiebo, 20, of Dallas.

Members of Scattered Spider are reputed to have been involved in a September 2023 ransomware attack against the MGM Resorts hotel chain that quickly brought multiple MGM casinos to a standstill. In September 2024, KrebsOnSecurity reported that a 17-year-old from the United Kingdom was arrested last year by U.K. police as part of an FBI investigation into the MGM hack.

Evans, Elbadawy, Osiebo and Urban were all charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Buchanan, who is named as an indicted co-conspirator, was charged with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

A Justice Department press release states that if convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.

Further reading:

The redacted complaint against Buchanan (PDF)

Charges against Urban and the other defendants (PDF).




Both systemd 257 and GNU Shepherd 1.0 are out • The Register


Everyone’s favorite Linux component has hit a milestone, while a fresh contender comes of age – with a touch of Lisp.

In news that is sure to delight the Linux world, version 257 of systemd has arrived. Just a day before its release, a major new version of another Linux init system came out, GNU Shepherd version 1.0. They’re very different ways of doing the same basic task, and we’re happy to see more options in this particularly controversial role.

The last version of systemd, back in June, merited special attention from The Register – it received two separate articles. The first highlighted an impressively tone-deaf attempt at a joke, when the Fediverse announcement proclaimed that Version 256 of systemd boasts “42 percent less Unix philosophy.” A week later, a point-release followed: systemd 256.1: Now slightly less likely to delete /home.

To recap that fun little feature, if you run the systemd command to clear up temporary files, and you don’t get it exactly right, it totally wipes the entire tree of user home directories. The headline feature of version 257 indicates to us that the repercussions of that hilarious incident are still being felt:

In summary, the developers have made a backwards-incompatible change to the format of one of its config files, which they’re reluctant to do. The change in the file-format makes it less likely that unwary use of the command systemd-tmpfiles --purge will remove all data for all users on the computer. So that’s good.

The gist is that the systemd-tmpfiles tool was named so because originally it was designed to manage temporary files. Since then, it’s grown to do much more. It manages many kinds of files that are created and removed in normal operation of a Linux computer. Its config file, which is called tmpfiles.d (and that link will tell you everything you could ever want to know about what files it can manage) now has a new specifier:

In other words, you have to specifically mark lines that describe the files that the purge sub-command will remove. It’s a small enough change, but it means that if that config file doesn’t tell it to, the command systemd-tmpfiles --purge now will not delete everything in every folder created since the first user was added. So that’s good.

It is an absolutely minimal sort of fix, though. The fact is that the name systemd-tmpfiles is not remotely accurate any more. The tool no longer just manages temporary files. The developers could have made a deeper, more generally helpful change, such as renaming the command – but that would cause more breakage. (We suspect this probably is not a function that is used often or by many people, but that’s a separate consideration.) Whether this minimal config-file-format change, which does make things safer, is a better course of action than a more drastic, breaking one such as renaming a command is a judgement call.

It’s fair to say that making the minimum possible form of change is a typical Unix sort of attitude. On the other hand, Apple’s macOS is still a certified UNIX™ and it’s made many far more sweeping changes than this – and yet it’s by far the most successful commercial Unix in history.

The other changes are mostly far underneath the covers, so to speak, and will likely be invisible to anyone who isn’t maintaining a Linux distribution. The tooling around the new Unified Kernel Image format is improved, cgroups version 1 and System V service scripts inch closer to being deprecated, it now understands volume button presses on mobile phones – showing how mainstream Linux is moving into more pockets – and it’s offloaded some old keyboard handling code to X.org. The feature that made us smile is that during shutdown, systemd hands responding to the classic “three finger salute” back to the kernel. So if systemd crashes during shutdown, with any luck Ctrl+Alt+Delete will still reboot your computer. That one sounds handy.

(The Reg FOSS desk’s top tip for rebooting balky systemd-controlled boxes is that if you press Ctrl+Alt+Del seven times within two seconds, it tells systemd to reboot immediately whatever is going on. Only try this if the machine’s not shutting down normally as it might do bad things if it’s not an emergency. It’s also worth remembering the REISUB keystroke exists too.)

Shepherding services for Guix

The other new init system in the news this week is from the GNU Project, and it’s called Shepherd. Shepherd itself isn’t new. In fact, development started in 2003, so it’s old enough to drink in the US. What is new is that the development team has released version 1.0. To go with this milestone in maturity, it also has a new logo and website.

The main distinctive thing about Shepherd is that it’s implemented in GNU Guile. Guile is the GNU implementation of the Scheme programming language, and it was intended to be the GNU Project’s standard extension language. Indeed, its original name was GEL, short for GNU Extension Language.

It is not a famous part of the story of the GNU project, but before Richard Stallman turned his hand to building a free Unix-like OS, he was a Lisp hacker, working on Lisp workstations, and he still retains his fondness for the language even now. That’s why a Lisp dialect is a core official GNU language.

Scheme is a smaller, simpler version of Lisp, originally designed for educational use. As we quoted when talking about the revival of Medley/Interlisp, there are three main branches of the Lisp family tree: the stripped-down Scheme; Emacs Lisp, which is the extension language of the 800 lb gorilla of text editors, Emacs; and the heavily standardized Common Lisp. As Steve Yegge memorably put it:

The slightly odd thing is that although it’s been around for 31 years, Guile still isn’t the basis of the GNU Project’s flagship app, the GNU Emacs text editor. Emacs’s long and tortuously complicated development history saw it move through five or six minicomputer OSes before the first rewrite for Unix by Java creator James Gosling. (The story has a twist you won’t see coming, and we recommend reading the section from about page 30, or watching Gosling’s 2019 interview from about the 2:52 mark.)

The lowest-level parts of GNU Emacs are implemented in C, but that C is used to implement Emacs Lisp, and nearly 70 percent of GNU Emacs is implemented in Emacs Lisp. You could almost say that the bulk of Emacs is implemented in Emacs. Moving it to Scheme would mean a total rewrite that would break an awful lot more user code than, say, renaming one systemd sub-command. There is an effort to do that total rewrite, the Guile-Emacs project, and it was relaunched this year.

Its use of GNU Guile makes Shepherd something of a flag-bearer for the Guile language and project. Additionally, Shepherd is the default init system of the GNU Guix distribution.

Guix is both a packaging tool and a distro built with that tool. Guix has closely comparable goals to Nix, and to the NixOS distro built with it. It aims to automate away manual package management. The key difference is that while Nix has its own, unique language for writing config files, Guix uses standard Guile Scheme, and so in theory it’s more accessible to more people. We say “in theory” because Nix itself is really pretty niche even in the Linux world, and we hear far more about Nix than Guix.

Shepherd defines services in a restricted subset of Scheme. That is probably enough to immediately either win over, or forever put off, many people. Scheme uses Lisp-style prefix notation (yes, with lots of parentheses), which tends to polarize techies. If you like Lisp and Lisp-based systems, you might enjoy Enzuru’s Lisp-centric Linux distro, which is still under construction.

We doubt that Shepherd is going to transform the Linux init system landscape, but it’s good to see one of the alternative init systems taking a step towards greater maturity. ®

Bootnote

If the rather obscure pun in our subheading isn’t clear, “Guix” is pronounced like geeks. So, no, Nix and Guix do not rhyme. They just look like they should.




Court indicts 14 North Korean IT workers tied to $88 million in illicit gains


A federal court has indicted 14 more North Korean IT workers as part of an ongoing U.S. government campaign to crack down on Pyongyang’s use of tech professionals to swindle American companies and nonprofits.

The Justice Department said the 14 indicted workers generated at least $88 million throughout a conspiracy that stretched over approximately six years, ending in March 2023. North Korea-controlled companies in China and Russia — Yanbian Silverstar and Volasys Silverstar, respectively — used the so-called “IT Warriors” to obtain false U.S. identities, pose as employees doing remote IT work in the United States and transfer funds from their employers to eventually end up in the hands of the North Korean government, according to the indictment.

“When the defendants gained access to a U.S. employer’s sensitive business information, the defendants in some instances extorted payments from the employer by threatening to release, and in some cases releasing, that sensitive information online,” per the indictment, which the DOJ publicized Thursday.

The U.S. District Court of the Eastern Division of Missouri handed down the indictment. In addition to the indictment, the State Department announced rewards of up to $5 million for individuals and companies involved in the scheme.

“Yesterday’s indictment is the latest in a series of actions under a National Security Division initiative launched earlier this year to disrupt North Korea’s efforts to generate revenue by duping American companies into hiring its citizens for remote work,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division. “This indictment and associated disruptions highlight the cybersecurity dangers associated with this threat, including theft of sensitive business information for the purposes of extortion.”

The Justice Department has repeatedly targeted this specific group of alleged conspirators in an attempt to disrupt them, including court-authorized seizures of a collective $764,800 via two orders unsealed Thursday, in addition to seizures of more money and internet domains the DOJ said the group used to appeal to prospective employers.

But it’s also sought to combat the broader trend of North Korea using its IT workers for nefarious purposes, including via arrests and alerts with other federal agencies.

The charged workers’ names are Jong Song Hwa, Ri Kyong Sik, Kim Ryu Song, Rim Un Chol, Kim Mu Rim, Cho Chung Pom, Hyon Chol Song, Son Un Chol, Sok Kwang Hyok, Choe Jong Yong, Ko Chung Sok, Kim Ye Won, Jong Kyong Chol and Jang Chol Myong.

Michael Barnhart, who leads Mandiant’s North Korea threat hunting team, told CyberScoop after the indictment was announced that threat actors have recently become more dangerous since gaining employment at Western organizations.

“For the first time, we’re seeing IT workers follow through on releasing sensitive data of organizations they’ve infiltrated to pressure victims into paying exorbitant ransoms,” he said. “They’re also demanding more cryptocurrency than they ever have before. We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.”

You can read the full indictment here


Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.



‘Dubai Police’ Lures Anchor Wave of UAE Mobile Attacks


The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an “official” online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a ‘spray-and-pray’ model in its broad reach.

“The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats,” Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

“The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims,” he adds. “This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance.”


Cybercriminals Increasingly Target UAE, Middle East

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in the UAE have faced some form of cyber incident in the past two years.

“The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services,” Qureshi says. “Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies.”

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

“There’s a focus on wealthy regions and individuals to maximize financial gain,” he says. “There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics.”


To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

Anchoring a UAE Cybercrime Campaign in Singapore

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company’s servers have hosted malicious activity before, including spam, phishing, and botnets.

“Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state’s strategic location and robust digital infrastructure,” says Qureshi. “Despite Singapore’s strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals.”


Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

“High-traffic servers can be abused to host or relay malicious content without the company’s direct knowledge,” he explains, adding that jurisdictional complexity could also be at play: “Singapore’s law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm.”

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

How Organizations in the Middle East Can Protect Against Cyber Fraud

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like a missing HTTPS connection, broken links, out-of-place Web designs, or suspicious phrasing or grammar.
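The domain and HTTPS checks above can be turned into a small, mechanical pre-payment check. The following is an added example (not code from the article or from BforeAI): it flags a URL whose scheme is not HTTPS, whose hostname is not the official domain or a subdomain of it, whose hostname merely embeds the official name as a lookalike, whose hostname is internationalized (a possible homograph), or which hides an official-looking name before an "@". The official domain names in OFFICIAL_DOMAINS are placeholders; the article does not list the real ones.

```python
from urllib.parse import urlsplit

# Placeholder official domains for this example. The real government and
# payment-portal domains must be taken from an official source, not from a message.
OFFICIAL_DOMAINS = {"example.gov.ae"}


def _is_under(host: str, domain: str) -> bool:
    """True when host is exactly the domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_payment_url(url: str, official_domains=OFFICIAL_DOMAINS) -> list:
    """Return a list of red-flag descriptions; an empty list means no flag raised."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        flags.append("not HTTPS")
    if not host:
        flags.append("no hostname")
        return flags

    # Punycode labels or raw non-ASCII characters can imitate a Latin-script name.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("internationalized hostname (possible homograph)")

    # "https://official.name@attacker.example/" shows the official name first, but
    # the browser connects to what follows the "@".
    if parts.username is not None:
        flags.append("credentials embedded in URL (official name may precede '@')")

    if not any(_is_under(host, d) for d in official_domains):
        flags.append("hostname is not the official domain")
        # Lookalike: the official name appears inside an unrelated registration,
        # e.g. example.gov.ae.attacker-site.com or example-gov-ae.com.
        for d in official_domains:
            label = d.split(".")[0]
            if label in host:
                flags.append(f"lookalike: contains '{label}' but is not {d}")
                break
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, not addresses from the campaign.
    for sample in (
        "https://pay.example.gov.ae/fine/123",
        "http://pay.example.gov.ae/fine/123",
        "https://example.gov.ae.attacker-site.com/fine/123",
        "https://example.gov.ae@attacker-site.com/",
    ):
        print(sample, "->", check_payment_url(sample) or "no red flags")
```

An empty result only means the mechanical checks passed; a correctly spelled HTTPS lookalike on a freshly registered domain still needs the registrar and certificate details checked, which is why the campaign's short-lived domains are hard to catch by eye.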

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

  • Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;

  • Awareness programs: Train employees on phishing recognition and reporting;

  • Collaboration: Work with CERTs and law enforcement to address identified threats;

  • Incident response: Develop and test response plans to address phishing-related breaches;

  • Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;

  • And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.

And finally, “this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure,” Qureshi warns. “The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated.”




Police shuts down Rydox cybercrime market, arrests 3 admins



Albanian law enforcement has seized the Rydox cybercrime marketplace and arrested three administrators in collaboration with international partners.

Kosovo nationals Ardit Kutleshi, Jetmir Kutleshi, and Shpend Sokoli were arrested on Thursday by Kosovo law enforcement and Albania’s Special Anti-Corruption Body (SPAK). The U.S. Justice Department indicted the first two for involvement in Rydox’s operations, and they’re awaiting extradition to the United States.

Ardit Kutleshi and Jetmir Kutleshi face multiple charges related to their Rydox admin roles, including two counts of identity theft, conspiracy to commit identity theft, aggravated identity theft, access device fraud, and money laundering. If convicted, each could receive five years for each charge, 10 years for access device fraud, and up to 20 years for money laundering.

Since February 2016, sellers on the Rydox marketplace have made over 7,600 sales of credit card information, login credentials, and personal information such as Social Security numbers, names, and addresses stolen from thousands of U.S. citizens, as well as various cybercrime tools and devices.

Rydox also offered for sale over 321,000 other “cybercrime products” to more than 18,000 users, including tools and materials for committing cyber crimes, such as tutorials and spam tools.

According to the indictment, registered users had to deposit a sum of cryptocurrency into their accounts before making a purchase via Perfect Money, Ethereum, Litecoin, Bitcoin (“BTC”), Monero, Ripple, Tron, or Verge payments deposited into a cryptocurrency wallet controlled by Rydox.

They could use the funds to purchase illicit products, services, tools, and programs from Rydox sellers. However, once deposited, the funds were under the control of the defendants, who controlled the Rydox cryptocurrency wallets.

Rydox also charged registered users a one-time fee (that fluctuated between the equivalent of $200 to $500) to become authorized sellers on the marketplace. Rydox authorized sellers received 60% of the sale proceeds, while the market retained 40% from every sale.

The United States obtained judicial authorization to seize the Rydox[.]cc domain, used to access the cybercrime marketplace’s website, and the FBI seized servers in Kuala Lumpur that hosted the Rydox illicit marketplace with the help of the Royal Malaysian Police and took the website offline.

Rydox seizure banner (BleepingComputer)

The United States also received court authorization to seize about $225,000 in cryptocurrency from the defendants’ accounts.

The operation was carried out with the help of the FBI’s Pittsburgh Office, Albania’s National Bureau of Investigation (BKH), the Albanian Directorate of Cybercrime Investigation, the Kosovo Special Prosecutor’s Office, the Kosovo Police, and the Malaysian Royal Police.

“The Rydox marketplace was a one-stop shop where upwards of 18,000 of its cybercriminal customers could choose from more than 300,000 cybercrime tools,” said U.S. Attorney Eric G. Olshan on Thursday.

“While cybercrime often involves conduct occurring overseas and the actions of foreign nationals, its harms can be devastatingly local, with residents in our own communities suffering financial ruin as a result of the theft and misuse of their sensitive personal information.”

Earlier this month, eight members of an international cybercrime network who set up fraud centers in rented Airbnb properties to steal millions of Euros from victims were arrested in Belgium and the Netherlands.

German law enforcement also shut down the country’s largest online cybercrime marketplace and the Manson cybercrime market, arresting key suspects.




New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection


Dec 13, 2024 | Ravie Lakshmanan | Linux / Threat Analysis


Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.

“PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers,” Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday.

The company’s analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.


The malware’s internals are based on a multi-stage architecture that comprises a dropper component named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit called Kitsune (“lib64/libs.so”).

It also uses the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as “prepare_creds” and “commit_creds” to alter core system behaviors and accomplish its goals.


“Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,” the researchers said.

“Through its staged deployment, the LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel symbol availability, are met. These conditions are verified by scanning the Linux kernel, and all necessary files are embedded as ELF binaries within the dropper.”

The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the conditions are satisfied. The LKM rootkit, for its part, contains an embedded SO file that’s used to interact with the rootkit from userspace.
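Two of the artifacts described above are observable from the defender’s side: a process whose main executable lives in an anonymous memfd rather than on disk (readlink on /proc/PID/exe returns a path of the form “/memfd:name (deleted)”), and ftrace callbacks attached to credential-handling functions and syscall entry points, which tracefs lists in enabled_functions. The script below is an added example (not Elastic’s code or the rootkit’s) that runs those two checks over constructed sample data; the sample exe targets, the enabled_functions lines and the trampoline addresses are made up for illustration, and the only thing parsed from each enabled_functions line is the leading symbol name, so the exact kernel-dependent layout of the rest of the line is not assumed.

```python
import os
import re

# Constructed sample: readlink("/proc/<pid>/exe") results for a handful of PIDs.
# The memfd-backed entries mirror the names the report gives ("/memfd:tgt", "/memfd:wpn").
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/cron",
    1337: "/memfd:tgt (deleted)",
    1338: "/memfd:wpn (deleted)",
}

# Constructed sample of tracefs enabled_functions output. Only the first token
# (the symbol name) is parsed; everything after it is illustrative filler.
SAMPLE_ENABLED_FUNCTIONS = """\
prepare_creds (1) R I  tramp: 0x0 (constructed)
commit_creds (1) R I  tramp: 0x0 (constructed)
__x64_sys_rmdir (1) R I  tramp: 0x0 (constructed)
__x64_sys_getdents64 (1) R I  tramp: 0x0 (constructed)
"""

# Kernel functions whose hooking is hard to explain by anything other than
# credential tampering (the report names both).
CRED_FUNCTIONS = {"prepare_creds", "commit_creds"}

MEMFD_RE = re.compile(r"^/memfd:(\S*)")


def memfd_backed_processes(exe_links: dict) -> list:
    """Return (pid, memfd name) for processes whose image is an anonymous memfd."""
    hits = []
    for pid, target in exe_links.items():
        m = MEMFD_RE.match(target)
        if m:
            hits.append((pid, m.group(1)))
    return sorted(hits)


def hooked_symbols(enabled_functions_text: str) -> list:
    """Symbol names that currently have an ftrace callback attached."""
    names = []
    for line in enabled_functions_text.splitlines():
        line = line.strip()
        if line:
            names.append(line.split()[0])
    return names


def credential_hooks(enabled_functions_text: str) -> list:
    """Hooked symbols that belong to the credential-handling set."""
    return sorted(set(hooked_symbols(enabled_functions_text)) & CRED_FUNCTIONS)


def syscall_hooks(enabled_functions_text: str) -> list:
    """Hooked symbols that look like syscall entry points (e.g. __x64_sys_rmdir)."""
    return sorted(n for n in hooked_symbols(enabled_functions_text) if "_sys_" in n)


def read_live_exe_links() -> dict:
    """Best-effort live collection on a Linux host (needs permission to readlink /proc/*/exe)."""
    links = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                pass
    return links


def read_live_enabled_functions() -> str:
    """Read tracefs enabled_functions from either of its usual mount points (root needed)."""
    for path in ("/sys/kernel/tracing/enabled_functions",
                 "/sys/kernel/debug/tracing/enabled_functions"):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            continue
    return ""


if __name__ == "__main__":
    print("memfd-backed processes:", memfd_backed_processes(SAMPLE_EXE_LINKS))
    print("credential hooks:", credential_hooks(SAMPLE_ENABLED_FUNCTIONS))
    print("syscall hooks:", syscall_hooks(SAMPLE_ENABLED_FUNCTIONS))
```

Both checks read through the same kernel that a loaded rootkit controls: a module that hooks directory listing and file reads can also filter what /proc and tracefs return, so an empty result from a live host is weaker evidence than a positive one, and legitimate ftrace users (tracing tools, BPF programs, live patching) can show up in enabled_functions. Treat a hit on prepare_creds or commit_creds as a trigger for offline analysis of the disk and memory image rather than as a verdict on its own.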


Elastic noted that every stage of the infection chain is designed to hide the malware’s presence and take advantage of memory-resident files and specific checks prior to unleashing the rootkit. PUMAKIT has not been attributed to any known threat actor or group.

“PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems,” the researchers concluded.



Hacker in Snowflake Extortions May Be a U.S. Soldier – Krebs on Security


Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Kiberphant0m’s identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required).

After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world’s largest corporations. Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

Investigators say Moucka, who went by the handles Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka’s arrest, Kiberphant0m was clearly furious, and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

On the same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency.

“This was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion,” Kiberphant0m wrote in a thread on BreachForums. “Why would ATNT pay Waifu for the data when they wouldn’t even pay an extortion for over 20M+ SSNs?”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

MEET ‘BUTTHOLIO’

Kiberphant0m joined BreachForums in January 2024, but their public utterances on Discord and Telegram channels date back to at least early 2022. On their first post to BreachForums, Kiberphant0m said they could be reached at the Telegram handle @cyb3rph4nt0m.

A review of @cyb3rph4nt0m shows this user has posted more than 4,200 messages since January 2024. Many of these messages were attempts to recruit people who could be hired to deploy a piece of malware that enslaved host machines in an Internet of Things (IoT) botnet.

On BreachForums, Kiberphant0m has sold the source code to “Shi-Bot,” a custom Linux DDoS botnet based on the Mirai malware. Kiberphant0m had few sales threads on BreachForums prior to the Snowflake attacks becoming public in May, and many of those involved databases stolen from companies in South Korea.

On June 5, 2024, a Telegram user by the name “Buttholio” joined the fraud-focused Telegram channel “Comgirl” and claimed to be Kiberphant0m. Buttholio made the claim after being taunted as a nobody by another denizen of Comgirl, referring to their @cyb3rph4nt0m account on Telegram and the Kiberphant0m user on cybercrime forums.

“Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”

On Sept. 17, 2023, Buttholio posted in a Discord chat room dedicated to players of the video game Escape from Tarkov. “Come to Korea, servers there is pretty much no extract camper or cheater,” Buttholio advised.

In another message that same day in the gaming Discord, Buttholio told others they bought the game in the United States, but that they were playing it in Asia.

“USA is where the game was purchased from, server location is actual in game servers u play on. I am a u.s. soldier so i bought it in the states but got on rotation so i have to use asian servers,” they shared.

‘REVERSESHELL’

The account @Kiberphant0m was assigned the Telegram ID number 6953392511. A review of this ID at the cyber intelligence platform Flashpoint shows that on January 4, 2024 Kiberphant0m posted to the Telegram channel “Dstat,” which is populated by cybercriminals involved in launching distributed denial-of-service (DDoS) attacks and selling DDoS-for-hire services [Full disclosure: Flashpoint is currently an advertiser on this website].

Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.” On Nov. 1, Dstat’s website dstat[.]cc was seized as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Flashpoint’s data shows that @kiberphant0m told a fellow member of Dstat on April 10, 2024 that their alternate Telegram username was “@reverseshell,” and did the same two weeks later in the Telegram chat The Jacuzzi. The Telegram ID for this account is 5408575119.

Way back on Nov. 15, 2022, @reverseshell told a fellow member of a Telegram channel called Cecilio Chat that they were a soldier in the U.S. Army. This user also shared the following image of someone pictured waist-down in military fatigues, with a camouflaged backpack at their feet:

Kiberphant0m’s apparent alias ReverseShell posted this image on a Telegram channel Cecilio Chat, on Nov. 15, 2022. Image: Flashpoint.

In September 2022, Reverseshell was embroiled in an argument with another member who had threatened to launch a DDoS attack against Reverseshell’s Internet address. After the promised attack materialized, Reverseshell responded, “Yall just hit military base contracted wifi.”

In a chat from October 2022, Reverseshell was bragging about the speed of the servers they were using, and in reply to another member’s question said that they were accessing the Internet via South Korea Telecom.

Telegram chat logs archived by Flashpoint show that on Aug. 23, 2022, Reverseshell bragged they’d been using automated tools to find valid logins for Internet servers that they resold to others.

“I’ve hit US gov servers with default creds,” Reverseshell wrote, referring to systems with easy-to-guess usernames and/or passwords. “Telecom control servers, machinery shops, Russian ISP servers, etc. I sold a few big companies for like $2-3k a piece. You can sell the access when you get a big SSH into corporation.”

On July 29, 2023, Reverseshell posted a screenshot of a login page for a major U.S. defense contractor, claiming they had an aerospace company’s credentials to sell.

PROMAN AND VARS_SECC

Flashpoint finds the Telegram ID 5408575119 has used several aliases since 2022, including Reverseshell and Proman557.

A search on the username Proman557 at the cyber intelligence platform Intel 471 shows that a hacker by the name “Proman554” registered on Hackforums in September 2022, and in messages to other users Proman554 said they can be reached at the Telegram account Buttholio.

Intel 471 also finds the Proman557 moniker is one of many used by a person on the Russian-language hacking forum Exploit in 2022 who sold a variety of Linux-based botnet malware.

Proman557 was eventually banned — allegedly for scamming a fellow member out of $350 — and the Exploit moderator warned forum users that Proman557 had previously registered under several other nicknames, including an account called “Vars_Secc.”

Vars_Secc’s thousands of comments on Telegram over two years show this user divided their time between online gaming, maintaining a DDoS botnet, and promoting the sale or renting of their botnets to other users.

“I use ddos for many things not just to be a skid,” Vars_Secc pronounced. “Why do you think I haven’t sold my net?” They then proceeded to list the most useful qualities of their botnet:

-I use it to hit off servers that ban me or piss me off
-I used to ddos certain games to get my items back since the data reverts to when u joined
-I use it for server side desync RCE vulnerabilities
-I use it to sometimes ransom
-I use it when bored as a source of entertainment

Flashpoint shows that in June 2023, Vars_Secc responded to taunting from a fellow member in the Telegram channel SecHub who had threatened to reveal their personal details to the federal government for a reward.

“Man I’ve been doing this shit for 4 years,” Vars_Secc replied nonchalantly. “I highly doubt the government is going to pay millions of dollars for data on some random dude operating a pointless ddos botnet and finding a few vulnerabilities here and there.”

For several months in 2023, Vars_Secc also was an active member of the Russian-language crime forum XSS, where they sold access to a U.S. government server for $2,000. However, Vars_Secc would be banned from XSS after attempting to sell access to the Russian telecommunications giant Rostelecom. [In this, Vars_Secc violated the Number One Rule for operating on a Russia-based crime forum: Never offer to hack or sell data stolen from Russian entities or citizens].

On June 20, 2023, Vars_Secc posted a sales thread on the cybercrime forum Ramp 2.0 titled, “Selling US Gov Financial Access.”

“Server within the network, possible to pivot,” Vars_Secc’s sparse sales post read. “Has 3-5 subroutes connected to it. Price $1,250. Telegram: Vars_Secc.”

Vars_Secc also used Ramp in June 2023 to sell access to a “Vietnam government Internet Network Information Center.”

“Selling access server allocated within the network,” Vars_Secc wrote. “Has some data on it. $500.”

BUG BOUNTIES

The Vars_Secc identity claimed on Telegram in May 2023 that they made money by submitting reports about software flaws to HackerOne, a company that helps technology firms field reports about security vulnerabilities in their products and services. Specifically, Vars_Secc said they had earned financial rewards or “bug bounties” from reddit.com, the U.S. Department of Defense, and Coinbase, among 30 others.

“I make money off bug bounties, it’s quite simple,” Vars_Secc said when asked what they do for a living. “That’s why I have over 30 bug bounty reports on HackerOne.”

A month before that, Vars_Secc said they’d found a vulnerability in reddit.com.

“I poisoned Reddit’s cache,” they explained. “I’m going to exploit it further, then report it to reddit.”

KrebsOnSecurity sought comment from HackerOne, which said it would investigate the claims. This story will be updated if they respond.

The Vars_Secc Telegram handle also has claimed ownership of the BreachForums member “Boxfan,” and Intel 471 shows Boxfan’s early posts on the forum had the Vars_Secc Telegram account in their signature. In their most recent post to BreachForums in January 2024, Boxfan disclosed a security vulnerability they found in Naver, the most popular search engine in South Korea (according to statista.com). Boxfan’s comments suggest they have strong negative feelings about South Korean culture.

“Have fun exploiting this vulnerability,” Boxfan wrote on BreachForums, after pasting a long string of computer code intended to demonstrate the flaw. “Fuck you South Korea and your discriminatory views. Nobody likes ur shit kpop you evil fucks. Whoever can dump this DB [database] congrats. I don’t feel like doing it so I’ll post it to the forum.”

The many identities tied to Kiberphant0m strongly suggest they are or until recently were a U.S. Army soldier stationed in South Korea. Kiberphant0m’s alter egos never mentioned their military rank, regiment, or specialization.

However, it is likely that Kiberphant0m’s facility with computers and networking was noticed by the Army. According to the U.S. Army’s website, the bulk of its forces in South Korea reside within the Eighth Army, which has a dedicated cyber operations unit focused on defending against cyber threats.

On April 1, 2023, Vars_Secc posted to a public Telegram chat channel a screenshot of the National Security Agency’s website. The image indicated the visitor had just applied for some type of job at the NSA.

A screenshot posted by Vars_Secc on Telegram on April 1, 2023, suggesting they just applied for a job at the National Security Agency.

The NSA has not yet responded to requests for comment.

Reached via Telegram, Kiberphant0m acknowledged that KrebsOnSecurity managed to unearth their old handles.

“I see you found the IP behind it no way,” Kiberphant0m replied. “I see you managed to find my old aliases LOL.”

Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

Asked if they were at all concerned about getting busted, Kiberphant0m called that an impossibility.

“I literally can’t get caught,” Kiberphant0m said, declining an invitation to explain why. “I don’t even live in the USA Mr. Krebs.”

Below is a mind map that hopefully helps illustrate some of the connections between and among Kiberphant0m’s apparent alter egos.

A mind map of the connections between and among the identities apparently used by Kiberphant0m. Click to enlarge.

KrebsOnSecurity would like to extend a special note of thanks to the New York City based security intelligence firm Unit 221B for their assistance in helping to piece together key elements of Kiberphant0m’s different identities.




Broadcom turns VMware into a prolific money-making machine • The Register


Broadcom has told investors its integration of VMware is all but done, ahead of schedule, and that it has turned the virtualization giant into an even more prolific money machine than it hoped would be possible.

Speaking on the giant conglomerate’s Q4 2024 earnings call today, Broadcom CEO Hock Tan told investors VMware’s quarterly costs have fallen from an average $2.4 billion to $1.2 billion in this quarter, and margins have gone from below 30 percent to 70 percent. He didn’t break out Virtzilla’s revenue, and said Broadcom won’t do so again. But he did use two other metrics to describe VMware’s progress: processor cores covered by new subscription sales and annual booking value (ABV).

The latter, which measures the value of future revenue from subscriptions, saw $2.7 billion worth of deals done in the quarter – up $200 million from Q3. Tan revealed VMware sold subs for 21 million processor cores in the quarter – up from 19 million in Q3.

The CEO also told investors that 17 million of those newly-sold cores will be used to run the flagship private cloud suite VMware Cloud Foundation (VCF), and that 4,500 of Broadcom’s top 10,000 VMware customers have signed up for VCF since the acquisition.

Full-year revenue for Broadcom’s software division hit $21.5 billion, up from $7.6 billion for FY 2023 – an increase of $13.8 billion. VMware’s last full year of revenue as an independent company was $13.4 billion, and Broadcom did not own the virty giant for a few weeks of its FY 2024 and therefore can’t count a few hundred million dollars of revenue. The Register also feels safe in assuming that the other parts of Broadcom’s software biz – CA and Symantec – are not growing fast, if at all.

It therefore looks a lot like VMware revenue is growing and Broadcom’s strategy is working.

Tan’s remarks about margin improvement suggest as much. He followed them with a prediction that Broadcom’s planned $8.5 billion EBITDA growth for VMware would be achieved in a tighter time frame than the three years initially forecast – and that further improvements are achievable.

With that kind of prediction on record during an earnings call – wherein execs are encouraged to be conservative in forward statements – VMware customers surely have a clear signal Broadcom won’t need to change its plans, which bring increased costs to most customers.

Chipping away at hyperscalers

Tan offered investors two other forecasts for Broadcom’s silicon business, which he noted now needs to be discussed in AI-adjacent and non-AI segments.

The CEO told investors Broadcom see huge growth ahead from hyperscale customers of its XPU accelerators and associated networking gear. Three existing hyperscale customers intend to use Broadcom kit to build million-XPU clusters – an addressable opportunity worth between $60 and $90 billion in 2027. Tan asserted that Broadcom is “very well positioned to achieve leading market share in this opportunity.”

He also revealed Broadcom is talking to another pair of hyperscalers about custom accelerators that will use its IP – meaning more big opportunities lie ahead. The CEO celebrated hyperscalers’ interest in Broadcom’s wares as a sign that Ethernet is in favor – an important observation given Nvidia’s fondness for InfiniBand.

Tan also pledged that Broadcom’s next-generation XPUs, built on a 3nm process, will debut in the second half of 2025. Tan claimed they’ll be the first products in the field built at 3nm.

AI silicon is powering growth for Broadcom’s chip division, which earned $8.2 billion – up 12 percent year on year. AI-related sales grew 150 percent year on year to $3.7 billion, while other products were down 23 percent to $4.5 billion. Tan noted that non-AI chips have come out of a slump and will recover.

Which brings us to those two forecasts: Tan predicted non-AI silicon sales will slip by “mid-teens” in Q1 of 2025, while AI chips grow by 65 percent.

Broadcom remains in rude health. Quarterly revenue of $14 billion represented a 51 percent year-on-year leap, and annual revenue of $51.5 billion was up an impressive 44 percent. Net income for the full year was $5.9 billion – a drop of $8.2 billion – but free cashflow is strong, and Tan declared Broadcom will use it to pay down the debt it used to acquire VMware.

He also revealed that Broadcom is quietly looking for other software acquisitions, but has strict demands for target prey. He did not suggest any purchases are imminent.

Investors liked what they heard: Broadcom’s share price jumped 15 percent in after hours trading. ®


