AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 08/18/2023

AnonFiles Shuts Down After Massive User Abuse

A popular anonymous file-sharing service used by security researchers and threat actors alike has decided to close down, citing “extreme volumes” of users abusing it. AnonFiles operated for two years, enabling anyone to share files without fear of being tracked online. It became a popular way for malicious hackers to share stolen data such as logins and personally identifiable information (PII). As first reported by researcher @g0njxa, its administrators are now calling it a day after their proxy provider recently pulled out. They claimed it was “not the kind of work” they imagined when acquiring the domain.

Phishing campaign steals accounts for Zimbra email servers worldwide

An ongoing phishing campaign, underway since at least April 2023, attempts to steal credentials for Zimbra Collaboration email servers worldwide. According to a report by ESET, the phishing emails are sent to organizations around the world, with no specific focus on particular organizations or sectors. The threat actor behind the operation remains unknown at this time. According to the ESET researchers, the attacks start with a phishing email pretending to come from an organization’s admin, informing users of an imminent email server update that will result in temporary account deactivation.

Tech glitch let people with empty bank accounts withdraw hundreds in cash

People flocked to ATMs in Ireland last night as the machines seemed to be in a giving mood. Thanks to a technical glitch in Bank of Ireland’s systems, customers could reportedly withdraw 1,000 euros (about $1,090) from ATMs even if they had nothing in their account. As reported by local media, a technical outage allowed Bank of Ireland app users to move money they did not actually have into a Revolut account (Revolut is a London-headquartered company offering digital banking services). Customers could then use any ATM to withdraw the windfall. Customers are usually limited to moving 500 euros from their account per day, but Irish publications, including the Irish Independent and The Irish Times, reported that customers claimed to have moved 1,000 euros.

Karma Catches Up to Global Phishing Service 16Shop

The international police organization INTERPOL said last week it had shuttered the notorious 16Shop, a popular phishing-as-a-service platform launched in 2017 that made it simple for even complete novices to conduct complex and convincing phishing scams. INTERPOL said authorities in Indonesia arrested the 21-year-old proprietor and one of his alleged facilitators, and that a third suspect was apprehended in Japan. The INTERPOL statement says the platform sold hacking tools used to compromise more than 70,000 users in 43 countries. Given how long 16Shop has been around and how many paying customers it enjoyed over the years, that number is almost certainly highly conservative.

Add ‘writing malware’ to the list of things generative AI is not very good at doing

Despite the hype around criminals using ChatGPT and various other large language models to ease the chore of writing malware, it seems this generative AI technology isn’t terribly good at helping with that kind of work. That’s our view having seen research this week indicating that, while some crooks are interested in using source-suggesting ML models, the technology isn’t actually being widely used to create malicious code. Presumably that’s because these generative systems are not up to the job, or have sufficient guardrails to make the process tedious enough that cybercriminals give up.

Proxyjacking and Cryptomining Campaign Targets GitLab

Security researchers have discovered a new financially motivated cyber-threat campaign designed to make money from cryptomining and proxyjacking while staying hidden using a variety of techniques. The Labrat campaign was discovered by a team at Sysdig, who observed the threat actors compromise a targeted container via the legacy GitLab remote code execution vulnerability CVE-2021-22205. The end goal is to make money through cryptomining and proxyjacking, the latter being attacks in which threat actors rent out a compromised system to a proxy network. To maintain this revenue stream, the threat group is going to extreme lengths to stay hidden from researchers and network defenders, Sysdig claimed.