Cyber Security Today, April 7, 2023 – Microsoft and Fortra go after Cobalt Strike abusers, a new online criminal marketplace, and more


Microsoft and Fortra go after Cobalt Strike abusers, a new online criminal marketplace, and more.

Welcome to Cyber Security Today. It’s Friday, April 7th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


Microsoft, Fortra and the Health sector information sharing and analysis centre (Health-ISAC) are going after a big tool used by threat actors: cracked versions of Fortra’s Cobalt Strike software. Cobalt Strike is sold to legitimate penetration testers. But crooks have been copying and re-selling it so it can be used to orchestrate an attack on a vulnerable network. The three organizations said Thursday they have been granted a court order by an American judge allowing them to disrupt the IT infrastructure threat actors are using with Cobalt Strike. Disrupting cracked legacy copies of Cobalt Strike will hopefully slow its use in cyberattacks and ransomware.

A new online marketplace for buying and selling tools and goods for cybercrooks has emerged. According to researchers at Resecurity, it’s called Styx. It may have quietly been around since last summer but it seems to have officially opened at the beginning of the year. It focuses primarily on financial fraud, money laundering, and identity theft. Crooks can buy and sell cash-out services, data dumps, SIM cards, denial of service tools, multifactor authentication bypasses, fake and stolen IDs and much more. With the closing this week of the Genesis Marketplace, Styx may be where a number of crooks will take their business.

There’s another online place where threat actors are increasingly doing business: the Telegram messaging service. According to researchers at Kaspersky, use of Telegram by crooks has been soaring since the end of 2021. It’s especially popular with those creating phishing emails. They use Telegram for everything from automating their workflows to selling phishing kits to other hackers. In fact, Telegram is a platform for those who want to learn for free how to start sending phishing emails. If they have money they can buy phishing pages with geoblocking functions, stolen bank login credentials or bots that can be used to bypass multifactor authentication. One wonders why Telegram doesn’t do more to stop this.

The website of the United Kingdom’s criminal records office, known as ACRO, has been closed following a cyber incident. Instead of being able to apply online for a copy of a criminal record or a police certification, users temporarily have to email their requests. The attack ran between January 17th and March 21st. ACRO has emailed people who made online applications between those dates, because their names, addresses, phone numbers and any criminal conviction data may be at risk.

Finally, Ukrainian hackers from the Cyber Resistance Group claim they sent tens of thousands of dollars of sex toys to a pro-Russian blogger. Why? He had raised $25,000 to buy drones to assist Russian troops fighting in Ukraine. Instead they spent it for him. They allegedly broke into his account on the AliExpress online shopping market and bought him dildos and strap-ons. According to security reporter Graham Cluley, the blogger admitted his shopping account was hacked.

That’s it for now. But later today the Week in Review podcast will be out. This week guest David Shipley of Beauceron Security and I will talk about the takedown of the criminal Genesis Marketplace, the 3CX supply chain attack and the newest ransomware strain.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.

The post Cyber Security Today, April 7, 2023 – Microsoft and Fortra go after Cobalt Strike abusers, a new online criminal marketplace, and more first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
