Thursday, 6 April 2023

FBI Cracks Down on Genesis Market: 119 Arrested in Cybercrime Crackdown

 A coordinated international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specialized in the sale of stolen credentials associated with email, bank accounts, and social media platforms.

Coinciding with the infrastructure seizure, the crackdown involved authorities from 17 countries and culminated in 119 arrests and 208 property searches in 13 nations. However, the .onion mirror of the market appears to still be up and running.

The "unprecedented" law enforcement exercise has been codenamed Operation Cookie Monster.

Genesis Market, since its inception in March 2018, evolved into a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers across the world totaling more than 80 million credentials.

A majority of infections associated with Genesis Market-related malware have been detected in the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Poland, Ukraine, Saudi Arabia, India, Pakistan, and Indonesia, among others, per data gathered by Trellix.

Some of the prominent malware families leveraged to compromise victims include AZORult, Raccoon, RedLine, and DanaBot, all of which are capable of stealing sensitive information from users' systems. DanaBot has also been used to deliver a rogue Chrome extension designed to siphon browser data.

"Account access credentials advertised for sale on Genesis Market included those connected to the financial sector, critical infrastructure, and federal, state, and local government agencies," the U.S. Department of Justice (DoJ) said in a statement.

The DoJ called Genesis Market one of the "most prolific initial access brokers (IABs) in the cybercrime world." The U.S. Treasury Department, in a coordinated announcement, sanctioned the criminal shop, describing it as a "key resource" used by threat actors to target U.S. government organizations.

Besides credentials, Genesis also peddled device fingerprints – which include unique identifiers and browser cookies – so as to help threat actors circumvent anti-fraud detection systems used by many websites.

"The combination of stolen access credentials, fingerprints, and cookies allowed purchasers to assume the identity of the victim by tricking third-party websites into thinking the Genesis Market user was the actual owner of the account," the DoJ added.

Court documents reveal that the U.S. Federal Bureau of Investigation (FBI) gained access to Genesis Market's backend servers twice in December 2020 and May 2022, enabling the agency to access information pertaining to about 59,000 users of the cybercrime bazaar.

The packages of stolen information harvested from infected computers (aka "bots") were sold for anywhere from $0.70 to several hundred dollars, depending on the nature of the data, according to Europol and Eurojust.

"The most expensive would contain financial information which would allow access to online banking accounts," Europol noted, stating the criminals purchasing the data were also provided with additional tools to use it without attracting attention.

"Buyers were provided with a custom browser that would mimic one of their victims. This allowed the criminals to access their victim's account without triggering any of the security measures from the platform the account was on."

The proprietary Chromium-based browser, referred to as Genesium, is cross-platform, with the maintainers claiming features such as "anonymous surfing" and other advanced functionalities that permit its users to bypass anti-fraud systems.

Genesis Market, unlike Hydra and other illicit marketplaces, was also accessible over the clearnet, thereby lowering the barrier to entry for lesser-skilled threat actors looking to obtain digital identities in order to breach individual accounts and enterprise systems.

The takedown is expected to have a "ripple effect throughout the underground economy" as threat actors search for alternatives to fill the void left by Genesis Market.

Genesis Market is the latest in a long line of illegitimate services that have been taken down by law enforcement. It also arrives exactly a year after the dismantling of Hydra, which was felled by German authorities in April 2022 and created a "seismic shift in the Russian-language darknet marketplace landscape."

"Almost a year after Hydra's takedown, five markets — Mega, Blacksprut, Solaris, Kraken, and OMG!OMG! Market — have emerged as the biggest players based on the volume of offers and the number of sellers," Flashpoint said in a new report.

The development also follows the launch of a new dark web marketplace known as STYX that's primarily geared toward financial fraud, money laundering, and identity theft. It's said to have opened its doors around January 19, 2023.

"Some examples of the specific service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware, and much more," Resecurity said in a detailed writeup.

Like Genesis Market, STYX also offers utilities that are designed to get around anti-fraud solutions and access compromised accounts by using granular digital identifiers like stolen cookie files, physical device data, and network settings to spoof legitimate customer logins.

The emergence of STYX as a new platform in the commercial cybercriminal ecosystem is yet another sign that the market for illegal services continues to be a fruitful business, allowing bad actors to profit from credential theft and payment data.

"The majority of STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online marketplaces, e-commerce, and other payment applications," Resecurity noted. "The geographies targeted by these threat actors are global, spanning the U.S., E.U., U.K., Canada, Australia, and multiple countries in APAC and the Middle East."


Wednesday, 5 April 2023

Protect Your Company: Ransomware Prevention Made Easy

 Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions.

Naturally, businesses want products that will stop malware in its tracks, and so they search for solutions to do that. But malware protection alone is not enough; what's needed is a more holistic approach. Businesses need to defend against malware entering the network and, on top of that, have systems and processes in place to restrict the damage malware can do if it infects a user device.

This approach will not only help stop and mitigate the damage from malware, but defend against other types of threats too, such as credential theft as a result of phishing, insider threats, and supply-chain attacks.

Malware Protection and Web Filtering#

The first and most sensible place to begin is with anti-malware solutions. It's important to look for malware solutions that can confront today's key threats, such as known malware, polymorphic variants, ransomware, zero-day exploits, and Advanced Persistent Threats (APTs). This requires a strong toolkit of virus signature databases, virtual code execution, as well as heuristics and other machine learning techniques.

Ideally, you would also use malware protection for both the network and the endpoint. This requires two different solutions, but a multi-layered approach means less chance of something getting through.

In addition to Malware Protection, Web Filtering keeps your employees away from potential threats by disallowing known malicious sites, questionable sites, and other places online you'd rather not have managed devices visit.

Zero Trust Network Access#

Every security strategy in a modern network environment should embrace the principles of Zero Trust. The most practical implementation of which is Zero Trust Network Access (ZTNA).

Zero Trust itself is a set of ideas about security based on the idea "never trust, always verify." That is, no one should be allowed to just log in to the network and stay as long as they like. Because if you do that, you can never really know whether or not the user logging in is who they claim to be, or if they're a threat actor who obtained a legitimate user's login credentials.

Instead, each user should only be allowed to access resources they need to do their job, and not to every cloud resource or on-prem server in the company. An HR employee, for example, has no practical reason to access a company Git server containing a codebase, or an SQL database containing sensitive customer information. So the network should, by default, group HR employees together into one group and disallow them from accessing that information.

This approach goes for every department. Only the resources they need to do their jobs should be available, while access to everything else is disallowed.

Segmenting access at the application level isn't quite enough to qualify as Zero Trust, however. In fact, this level of restricting access, known as micro-segmentation, is just one part of the Zero Trust approach.

A full ZTNA implementation also embraces context checks that can involve the security status of a managed device, time-based access rules, and geographic requirements.

You might, for example, require that managed devices must be running a specific minimum version of Windows or macOS. You could require that all devices have a specific antivirus solution running, or that a specific security certificate is installed somewhere on the device.

Micro-segmentation, allowing specific people to access specific applications, in conjunction with context-based authentication rules provides a complete Zero Trust approach.

In addition, there should be access rules not only for users on managed devices but also on unmanaged devices. The latter are best handled by Agentless ZTNA solutions where people access individual applications through a web portal that is not discoverable over the open Internet. Here, too, you can apply context rules such as allowing access only during certain times of the day or disallowing access based on location.
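The policy model described above (group-to-application micro-segmentation plus context checks on OS version, endpoint protection, device certificate, time and location, with unmanaged devices limited to portal-published apps) as a deny-by-default decision function. This is an added example, not code from the article or from any ZTNA product; the policy values, application names and sample requests are assumptions chosen for illustration.

```python
# Added example (not from the article or any ZTNA vendor): a deny-by-default
# policy decision function combining micro-segmentation (group -> application)
# with the context checks described in the text. All policy values and the
# sample requests are assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import time
from typing import Dict, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool
    os_name: str
    os_version: Tuple[int, int]   # e.g. (13, 2) for macOS 13.2
    av_running: bool
    has_device_cert: bool


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    app: str
    device: Device
    country: str
    local_time: time


# Micro-segmentation: which groups may reach which applications (assumed).
APP_ALLOW: Dict[str, set] = {
    "git": {"engineering"},
    "customer-db": {"engineering", "support"},
    "hr-portal": {"hr"},
}
# Apps published through the agentless web portal, the only ones an
# unmanaged device may reach (assumed).
PORTAL_APPS = {"hr-portal"}
MIN_OS = {"windows": (10, 0), "macos": (13, 0)}
ALLOWED_COUNTRIES = {"US", "DE", "FR"}
WORK_HOURS = (time(7, 0), time(20, 0))


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unexpected denies."""
    if req.group not in APP_ALLOW.get(req.app, set()):
        return False, f"group {req.group!r} not entitled to {req.app!r}"
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"country {req.country!r} not allowed"
    if not (WORK_HOURS[0] <= req.local_time <= WORK_HOURS[1]):
        return False, "outside permitted hours"
    d = req.device
    if not d.managed:
        # Unmanaged devices never get network-level access, only portal apps.
        if req.app in PORTAL_APPS:
            return True, "unmanaged device, portal-published app"
        return False, "unmanaged device may not reach a non-portal app"
    floor = MIN_OS.get(d.os_name.lower())
    if floor is None or d.os_version < floor:
        return False, f"{d.os_name} {d.os_version} below minimum version"
    if not d.av_running:
        return False, "endpoint protection not running"
    if not d.has_device_cert:
        return False, "device certificate missing"
    return True, "managed device passed posture checks"


# Constructed sample requests covering the allow and deny paths.
_MANAGED_OK = Device(True, "macOS", (13, 2), True, True)
_MANAGED_OLD = Device(True, "macOS", (12, 6), True, True)
_UNMANAGED = Device(False, "Linux", (0, 0), False, False)
SAMPLES: Dict[str, Request] = {
    "eng_git_ok": Request("alice", "engineering", "git", _MANAGED_OK, "US", time(10, 0)),
    "hr_git_denied": Request("bob", "hr", "git", _MANAGED_OK, "US", time(10, 0)),
    "eng_git_old_os": Request("alice", "engineering", "git", _MANAGED_OLD, "US", time(10, 0)),
    "eng_git_at_night": Request("alice", "engineering", "git", _MANAGED_OK, "US", time(23, 0)),
    "hr_portal_unmanaged": Request("bob", "hr", "hr-portal", _UNMANAGED, "DE", time(9, 0)),
    "eng_git_unmanaged": Request("alice", "engineering", "git", _UNMANAGED, "US", time(9, 0)),
}


def decide_all() -> Dict[str, bool]:
    """Policy verdict for every sample request, keyed by sample name."""
    return {name: evaluate(r)[0] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in SAMPLES.items():
        ok, why = evaluate(r)
        print(f"{name:22} {'ALLOW' if ok else 'DENY':5} {why}")
```

Note the ordering: the entitlement check runs first, so a user who is not supposed to reach an application is denied before any posture detail leaks into the reason string, and an unmanaged device is never evaluated against the managed-device posture rules at all.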

With a ZTNA strategy in place, it will be much harder for threat actors to traverse a business network in search of sensitive data. Ransomware will have a much harder time encrypting all of a business' files, and disgruntled employees won't be able to exfiltrate as much data or cause other mayhem within the company.





CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users

 Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign.

The activity leverages SEO poisoning techniques to entice users searching for "WhatsApp web" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today.

CryptoClippy, a C-based executable, is a type of cryware known as clipper malware: it monitors a victim's clipboard for content matching cryptocurrency addresses and substitutes a wallet address under the threat actor's control.

"The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to," Unit 42 researchers said.

"It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to conduct a transaction, they actually are sending cryptocurrency directly to the threat actor."
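The two steps Unit 42 describes (classify the clipboard contents with a regex per currency, then swap in an attacker address of the same type) and the check a site that displayed an address can run on its own side, as an added example. This is not code from Unit 42 or from CryptoClippy; the regexes are coarse format checks only (assumption: no checksum validation), every address is constructed rather than a real wallet, and nothing here touches the OS clipboard.

```python
# Added example, not Unit 42's code and not CryptoClippy: the regex
# classification and substitution a clipper performs, simulated as pure
# string functions, plus the defensive comparison a checkout or deposit page
# can apply. Patterns are format-only (assumption) and all addresses are
# constructed for illustration.
import re
from typing import Dict, Optional

ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "ethereum":       re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed "attacker" wallets, one per address family the clipper handles.
ATTACKER_WALLETS: Dict[str, str] = {
    "bitcoin_legacy": "1AttackerFakeAddressxxxxxxxxxx",
    "bitcoin_bech32": "bc1q" + "z" * 30,
    "ethereum":       "0x" + "cd" * 20,
}

# Constructed "victim" address shown on a hypothetical deposit page.
VICTIM_LEGACY = "1VictimFakeAddress" + "y" * 13


def classify(text: str) -> Optional[str]:
    """Which address family the text belongs to, or None for ordinary text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def clipper_substitute(clipboard: str, wallets: Dict[str, str] = ATTACKER_WALLETS) -> str:
    """Simulate the clipper's decision on one clipboard value: an address of a
    known family is replaced by the attacker's address of the same family,
    anything else is passed through untouched so the victim notices nothing."""
    kind = classify(clipboard)
    if kind in wallets:
        return wallets[kind]
    return clipboard


def paste_is_tampered(expected: str, pasted: str) -> bool:
    """Defensive check for the page that displayed `expected` (e.g. a deposit
    address): a pasted value that differs from what was shown is the clipper
    signature. Compare the whole string; clippers pick visually similar
    addresses precisely so that checking only the first and last characters
    passes."""
    return classify(expected) is not None and expected.strip() != pasted.strip()


if __name__ == "__main__":
    for copied in (VICTIM_LEGACY, "0x" + "ab" * 20, "see you at 10:30"):
        pasted = clipper_substitute(copied)
        print(f"{copied[:18]:18} -> {pasted[:18]:18} tampered={paste_is_tampered(copied, pasted)}")
```

The substitution function only ever replaces a value it can classify, which is why the regex stage matters to the attacker: a clipper that rewrote arbitrary clipboard text would be noticed immediately. The same property gives the defender a cheap check, since any address the site itself rendered can be compared byte-for-byte with what comes back in the form.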


The illicit scheme is estimated to have netted its operators about $983 so far, with victims found across manufacturing, IT services, and real estate industries.

It's worth noting that the use of poisoned search results to deliver malware has been adopted by threat actors associated with the GootLoader malware.

Another approach used to determine suitable targets is a traffic direction system (TDS), which checks if the preferred browser language is Portuguese, and if so, takes the user to a rogue landing page.

Users who do not meet the requisite criteria are redirected to the legitimate WhatsApp Web domain without any further malicious activity, thereby avoiding detection.

The findings arrive days after SecurityScorecard detailed an information stealer called Lumma that's capable of harvesting data from web browsers, cryptocurrency wallets, and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.



Tuesday, 4 April 2023

Sorting Through Haystacks to Find CTI Needles

Clouded vision

CTI systems are confronted with some major issues ranging from the size of the collection networks to their diversity, which ultimately influence the degree of confidence they can put on their signals. Are they fresh enough and sufficiently reliable to avoid any false positives or any poisoning? Do I risk acting on outdated data? This difference is major since a piece of information is just a decision helper, whereas a piece of actionable information can directly be weaponized against an aggressor. If raw data are the hayfields, information is the haystacks, and needles are the actionable signal.

To illustrate the collection networks' size & variety point, without naming anyone in particular, let's imagine a large CDN provider. Your role is to deliver, on a massive scale, content over HTTP(s). This attracts a lot of "attention" and signals, but only on the HTTP layer. Also, any smart attacker will probably avoid probing your IP ranges (which are public and known in your AS). Hence, you only receive the indiscriminate "Gatling guns" scanners or direct attacks over an HTTP layer. This is a very narrow focus.

Now if you are a large EDR/XDR or whatever glorified antivirus, you can also argue that you have a huge detection network spanning millions of devices… of wealthy enterprises. Because let's face it, not every non-profit, public hospital or local library can afford to pay for those tools. Hence you potentially only see threats targeted at sophisticated actors, and mostly the ones carried by malware on LAN machines.

On the honeypot front, there is no silver bullet either. The "Gatling guns scanners" represent the background radioactivity of the Internet. A sort of static noise which is constantly present in the surroundings of any Internet-connected device. Here, the problem is rather that no decent cyber criminal group will use any meaningful resources to target a honeypot machine. What's the point of investing some DDoS resources in knocking down a straw dummy? Would you use any meaningful exploit or tool, let alone burn your IP, on a "potential" target? Honeypots collect "intentions", automated exploitation, something along the lines of "this IP wants to know if you're (still) vulnerable to log4j".

It can be interesting to a certain extent but it is limited to low-hanging fruits. Also, your diversity is limited by your capacity to spread in many different places. If all your probes (honeypots) are sitting over ten or worse, just 3 or 4 different clouds, you can't see everything, and you can be "dodged", meaning criminals can voluntarily skip your IP ranges to avoid detection. You also need to organize your deployment system for every platform, and yet you'll only see the IP not dodging GCP, AWS, or whatever cloud you're working with. And since those providers are no NGOs, your network size is also limited by…money. If a fully automated HP running on XYZ cloud costs you $20 monthly, your pocket must be deep to run thousands of them.


Establishing a counter-offensive#

To curb the trajectory of mass cyber criminality, we need to act on a resource that is limited in essence; otherwise, you cannot organize a proper "shortage". The famous Conti-Leaks cast an interesting light upon the actual pain points of a large cybercrime group. Obviously (crypto) money laundering, recruitment, payrolls, the classical ones you'd expect. But interestingly enough, when you read the exchanges on their internal chat system, you can see that dealing with IP addresses (changing them, borrowing, renting, cleaning them, installing the tools, migrating the ops and C2, etc.) is costly, both time- and money-wise.

There are nearly infinite variations of hashes and SHA1 offers a space of 2^160 possibilities. So collecting them is one thing, but you're almost sure any new malware variation will have a different signature. As we speak, most of the CI/CD procedures of any decent cyber criminal group already include the modification of one byte before sending the payload to a target.

Aiming at domain names is fighting against an infinite space in size as well. You can book domain1, domain2, domain3, etc. There is technically no limit to the number of variations. There are smart systems out there, protecting your brand and checking if any domain names similar to yours have been booked lately. These pre-crime-style systems are very helpful to deal with an upcoming phishing attempt. You start to be proactive with this kind of stance & tools.

It's anyway useful to track & index malevolent binaries based on their Hashes or the C2 they try to contact or even indexing IP trying to auto-exploit known CVE, but doing so is a rather reactive stance. You don't strike back by knowing the position or tactic of the enemy, you do so by crippling its offensive capabilities, and this is where IP addresses are very interesting. The system is decades old and will still be there after us. It's

Now there is a resource that actually is in scarcity: IPv4. The historic IP space is limited to around 4 billion addresses. Bringing the fight to this ground is efficient because if the resource is in scarcity, you can actually be proactive and burn IP addresses as fast as you are aware one is used by the enemy. Now, this landscape is an ever-evolving one. VPN providers, Tor, and residential proxy apps offer a way for cybercriminals to borrow an IP address, not to mention that they can leverage addresses of already compromised servers sold on the dark web.

So if an IP address is used at a given moment in time, it's possible that it isn't anymore the next hour, and you then generate a false positive if you block it. The solution is to create a crowdsourcing tool protecting all sizes of businesses, across all types of places, geographies, clouds, homes, private corps DMZ, etc., and on all types of protocols. If the network is big enough, this IP rotation isn't a problem because if the network stops reporting an IP, you can release it, whereas a new one rising in number of reports needs to be integrated into a blocklist. The larger the network, the more real-time it becomes.

You can monitor almost any protocol except UDP-based ones, which must be excluded since it's easy to spoof packets over UDP. So by considering reports on a UDP-based protocol for banning an IP, you could easily be tricked. Other than that, every protocol is good to monitor. As well you can definitely look for CVE but, even better, for behavior. By doing so, you can catch business-oriented aggressions that may not only be CVE based. A simple example, beyond the classical L7 DDoS, scans, credential brute force, or stuffing is scalping. Scalping is the action of auto-buying a product with a bot on a website and reselling it for a benefit on eBay for example. It's a business layer issue, not really a security-related one. The open-source system CrowdSec was designed exactly to enable this strategy.

Finally, for the last two decades, we were told, "IPv6 is coming, be ready". Well… let's say we had time to prepare. But it's really here now and 5G deployment will only accelerate its usage exponentially. IPv6 changes the stage with a new addressable pool as big as 2^128. This is still limited in many ways, not least because all v6 ranges are not fully used yet, but also because everyone is getting many IPv6 addresses at once, not just one. Still, we speak about a vast amount of them now.

Let's couple AI & Crowdsourcing #

When data start to flow massively from a large crowd-sourced network and the resource you try to shrink is getting larger, AI sounds like a logical avenue to explore.

The network effect is already a good start on its own. An example here could be credential stuffing. If an IP uses several login/pass couples at your place, you'd call it a credential bruteforce. Now at the network scale, if you have the same IP knocking at different places using different login/pass, it's credential stuffing, someone trying to reuse stolen credentials in many places to see if they are valid. The fact that you see the same action, leveraging the same credentials from many different angles, gives you an extra indication of the purpose of the behavior itself.

Now, to be honest, you don't need AI to sort out Credential bruteforce from Credential Reuse or Credential stuffing, but there are places where it can excel though, specifically when teamed with a large network to get heaps of data.

Another example could be a massive internet scan, made using 1024 hosts. Each host could scan only one port and that would likely go unnoticed. Except if you see, in many different places, the same IP scanning the same port within a similar timeframe. Again, barely visible at the individual scale, obvious on a large one.
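The two network-scale signals described above (one IP trying distinct credential pairs across many sites, and one IP probing the same port on many sensors inside a short window), run over reports from several independent sensors. This is an added example, not CrowdSec's code or format: the report tuple layout, the thresholds and every sample report are constructed assumptions.

```python
# Added example, not CrowdSec's code: correlating failed-login and port-probe
# reports from several independent sensors. Locally each sensor sees little;
# aggregated, the same source IP shows up as a brute force (one site, one
# user, many passwords), credential stuffing (many sites, distinct credential
# pairs) or a distributed scan (same port on many sensors in a short window).
# Report format, thresholds and all sample reports are constructed assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_s, sensor_id, src_ip, event, detail)
#   login_fail -> detail is "user:credential_hash" (sensors never ship plaintext)
#   port_probe -> detail is the destination port
Report = Tuple[int, str, str, str, str]

REPORTS: List[Report] = [
    # one site, one user, four passwords: brute force
    (100, "sensor-a", "203.0.113.10", "login_fail", "admin:h1"),
    (101, "sensor-a", "203.0.113.10", "login_fail", "admin:h2"),
    (102, "sensor-a", "203.0.113.10", "login_fail", "admin:h3"),
    (103, "sensor-a", "203.0.113.10", "login_fail", "admin:h4"),
    # same IP, four sites, four distinct pairs: credential stuffing
    (200, "sensor-a", "198.51.100.7", "login_fail", "alice:h10"),
    (201, "sensor-b", "198.51.100.7", "login_fail", "bob:h11"),
    (202, "sensor-c", "198.51.100.7", "login_fail", "carol:h12"),
    (203, "sensor-d", "198.51.100.7", "login_fail", "dave:h13"),
    # one probe per sensor, same port, tight window: distributed scan
    (300, "sensor-a", "192.0.2.9", "port_probe", "22"),
    (301, "sensor-b", "192.0.2.9", "port_probe", "22"),
    (302, "sensor-c", "192.0.2.9", "port_probe", "22"),
    (303, "sensor-d", "192.0.2.9", "port_probe", "22"),
    (304, "sensor-e", "192.0.2.9", "port_probe", "22"),
    # benign: a single typo on one site
    (400, "sensor-b", "192.0.2.50", "login_fail", "eve:h20"),
]


def classify_logins(reports: List[Report], min_attempts: int = 4,
                    min_sites: int = 3) -> Dict[str, str]:
    """Per source IP: 'credential_bruteforce' or 'credential_stuffing'.
    IPs below min_attempts are ignored, so a lone typo never gets banned."""
    by_ip: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for _, sensor, ip, event, detail in reports:
        if event == "login_fail":
            by_ip[ip].append((sensor, detail))
    verdicts: Dict[str, str] = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_attempts:
            continue
        sites = {s for s, _ in hits}
        creds = {c for _, c in hits}
        users = {c.split(":", 1)[0] for c in creds}
        if len(sites) >= min_sites and len(creds) >= min_sites:
            verdicts[ip] = "credential_stuffing"
        elif len(sites) == 1 and len(users) == 1:
            verdicts[ip] = "credential_bruteforce"
    return verdicts


def distributed_scans(reports: List[Report], min_sensors: int = 4,
                      window_s: int = 60) -> List[Tuple[str, str]]:
    """(ip, port) pairs where one IP hit the same port on >= min_sensors
    distinct sensors within window_s seconds (sliding window over time)."""
    probes: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    for ts, sensor, ip, event, detail in reports:
        if event == "port_probe":
            probes[(ip, detail)].append((ts, sensor))
    found: List[Tuple[str, str]] = []
    for (ip, port), events in sorted(probes.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            if len({s for _, s in events[start:end + 1]}) >= min_sensors:
                found.append((ip, port))
                break
    return found


def blocklist(reports: List[Report]) -> List[str]:
    """Union of IPs flagged by either detector, sorted for a stable feed."""
    ips = set(classify_logins(reports)) | {ip for ip, _ in distributed_scans(reports)}
    return sorted(ips)


if __name__ == "__main__":
    print(classify_logins(REPORTS))
    print(distributed_scans(REPORTS))
    print(blocklist(REPORTS))
```

Each sensor in the sample sees at most one probe or one failed login from 192.0.2.9 and 198.51.100.7, which is exactly the "barely visible at the individual scale" case; the verdict only appears once reports are pooled. The sliding window is what keeps the scan detector honest: the same IP hitting port 22 on four sensors spread over a week is ordinary background noise, not a coordinated sweep.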

On the other hand, AI algorithms are good at identifying patterns that wouldn't be visible if you look only in one place at a time but blatant at the scale of a large network.

Representing the data in appropriate structures using graphs and embeddings can uncover complex degrees of interaction between IP addresses, ranges, or even AS (Autonomous Systems). This leads to identifying cohorts of machines working in unison toward the same goal. If several IP addresses are sequencing an attack in many steps like scanning, exploiting, installing a backdoor, and then using the target server to join a DDoS effort, those patterns can repeat in logs. So if the 1st IP of the cohort is visible at a given timestamp and the 2nd 10 minutes later and so on, and this pattern repeats with the same IPs in many places, you can safely tell everyone to ban the 4 IP addresses at once.

The synergy between AI and crowd-sourced signals allows us to address each other's limitations effectively. While crowd-sourced signals provide a wealth of real-time data on cyber threats, they might lack precision and context, eventually leading to false positives. AI algorithms, on the other hand, usually only become relevant after absorbing an enormous amount of data. In return, those models can help refine and analyze these signals, eliminating noise and unveiling hidden patterns.




Monday, 3 April 2023

Italian Watchdog Bans OpenAI's ChatGPT Over Data Protection Concerns

 The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban on OpenAI's ChatGPT service in the country, citing data protection concerns.

To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation (GDPR) laws.

"No information is provided to users and data subjects whose data are collected by Open AI," the Garante noted. "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies."

OpenAI, whose ChatGPT is estimated to have reached over 100 million monthly active users since its release late last year, has not disclosed what data it used to train its latest large language model (LLM), GPT-4, or how it trained it.

That said, its predecessor GPT-3 utilizes text sourced from books, Wikipedia, and Common Crawl, the latter of which maintains an "open repository of web crawl data that can be accessed and analyzed by anyone."

The Garante also pointed to the lack of any age verification system to prevent minors from accessing the service, potentially exposing them to "inappropriate" responses. Google's own chatbot, called Bard, is only open to users over the age of 18.

Additionally, the regulator raised questions about the accuracy of the information surfaced by ChatGPT, while also highlighting a data breach the service suffered earlier this month that exposed some users' chat titles and payment-related information.

In response to the order, OpenAI has blocked its generative AI chatbot from being accessed by users with an Italian IP address. It also said it's issuing refunds to subscribers of ChatGPT Plus, in addition to pausing subscription renewals.

The San Francisco-based company further emphasized that it provides ChatGPT in compliance with GDPR and other privacy laws. ChatGPT is already blocked in China, Iran, North Korea, and Russia.

In a statement shared with Reuters, OpenAI said it actively works to "reduce personal data in training our AI systems like ChatGPT because we want our AI to learn about the world, not about private individuals."

OpenAI has 20 days to notify the Garante of the measures it has taken to bring it into compliance, or risk facing fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.

The ban, however, is not expected to impact applications from other companies that employ OpenAI's technology to augment their services, including Microsoft's Bing search engine and its Copilot offerings.

The development also comes as Europol warned that LLMs like ChatGPT are likely to help generate malicious code, facilitate fraud, and "offer criminals new opportunities, especially for crimes involving social engineering, given its abilities to respond to messages in context and adopt a specific writing style."

This is not the first time AI-focused companies have come under the radar. Last year, controversial facial recognition firm Clearview AI was fined by multiple European regulators for scraping users' publicly available photos without consent to train its identity-matching service.

It has also run afoul of privacy laws in Australia, Canada, and the U.S., with several countries ordering the company to delete all of the data it obtained in such a manner.

Clearview AI told BBC News last week that it has run nearly a million searches for U.S. law enforcement agencies, despite being permanently banned from selling its faceprint database within the country.


Western Digital Hit by Network Security Breach - Critical Services Disrupted

 Data storage devices maker Western Digital on Monday disclosed a "network security incident" that involved unauthorized access to its systems.

The breach is said to have occurred on March 26, 2023, enabling an unnamed third party to gain access to a "number of the company's systems."

Following the discovery of the hack, Western Digital said it has initiated incident response efforts and enlisted the help of cybersecurity and forensic experts to conduct an investigation.

It also said it's coordinating with law enforcement agencies on the matter, adding the probe is in its initial stages.

The company has taken several of its services offline, noting that the threat actor may have obtained "certain data from its systems" and that it's working on estimating the nature and scope of the data accessed.




Sunday, 2 April 2023

Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

 A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Mandiant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyber espionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups associated with the threat actor since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.


Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations...