MoneyGram faces a cyberattack that has caused global service disruptions for five days. Customers are unable to send…

MoneyGram faces a cyberattack that has caused global service disruptions for five days. Customers are unable to send or receive payments, as the company works to restore systems and investigate the issue.

MoneyGram, a global leader in money transfer services, has been experiencing widespread service disruptions following a cyberattack that impacted its systems on September 21, 2024. The company has confirmed that its network connectivity and key systems were taken offline to address the security breach.

While it is unclear whether the incident was a DDoS attack or ransomware, the prolonged outage has left many users unable to send or receive payments globally, leading to frustration among customers who depend on the service for their financial transactions.

At the time of writing this article, the MoneyGram website was down and showing this message (Screenshot credit: Hackread.com)

****Timeline of the Outage****

As seen by Hackread.com, the issue first came to light late on September 21, 2024, when MoneyGram acknowledged the network outage in a tweet. In its first tweet, the company announced the following incident:

> _“MoneyGram is experiencing a network outage impacting connectivity to a number of our systems. We are working diligently to better understand the nature and scope of the issue. We recognize the importance and urgency of this matter to our customers.”_
> 
> MoneyGram – 11:19 PM · Sep 21, 2024

At this stage, the extent of the problem was unclear, and customers were left in the dark about when services would resume. It wasn’t until September 23, two days later, that MoneyGram confirmed a cybersecurity incident was behind the outage.

> _“MoneyGram recently identified a cybersecurity issue affecting certain of our systems. Upon detection, we immediately launched an investigation and took protective steps to address it, including proactively taking systems offline which impacted network connectivity. We are working with leading external cybersecurity experts and coordinating with law enforcement.”_
> 
> MoneyGram – 2:06 PM · Sep 23, 2024

The company further explained that they had taken these preventive measures to protect their systems but acknowledged the inconvenience to their customers and partners.

****Customer Frustrations Grow****

By September 24, some key transactional systems were slowly being restored, but users were still facing major disruptions. Many reported being unable to send or receive payments, while others complained of pending transactions being stuck. At 3:38 PM, MoneyGram provided an update, stating:

> _“We continue to make progress in successfully restoring some of our key transactional systems. Our dedicated team is actively working around the clock on resuming normal business operations. Once all systems are fully operational, transactions that are currently pending will be made available to customers.”_
> 
> MoneyGram – 3:38 PM · Sep 24, 2024

Despite the ongoing work, many users expressed their frustration on social media, highlighting how the outage had affected their ability to access funds or complete urgent financial transactions.

****Partial Service Restoration Begins****

By September 25, more services were coming back online, but the company was still working to restore all of its systems fully. MoneyGram reported that many of its agent partners were back online and could send and receive money, providing some relief to customers with stuck payments.

> _“We continue to make progress and are resuming additional services. Many of our agent partners are now available for sending and receiving money, including fulfilling pending transactions. We are continuing to work diligently to resume our remaining services, including http://moneygram.com.”_
> 
> MoneyGram – 9:28 AM · Sep 25, 2024

Although progress was being made, some customers were still unable to use MoneyGram’s website and online services, further fueling frustration among users who rely on the platform for cross-border payments and remittances.

MoneyGram on Twitter (Screenshot credit: Hackread.com)

****Customer Impact and Response****

The outage, which is still ongoing, has left many users questioning MoneyGram’s ability to secure their financial transactions and data at this moment. The delay in service restoration, especially for time-sensitive transactions, has caused considerable inconvenience, particularly for individuals and businesses who rely on MoneyGram for international money transfers.

While MoneyGram has reassured customers that they are working with cybersecurity experts and law enforcement, the prolonged disruption and uncertainty have raised concerns about the company’s preparedness and ability to respond to cyberattacks.

****We will keep you posted****

MoneyGram has committed to keeping customers informed through social media updates, but as of now, the full extent of the data compromise remains unclear. Therefore, users are advised to monitor MoneyGram’s updates for further information about when full services will be restored and when pending transactions will be processed.

Meanwhile, Hackread.com is closely monitoring dark web leak sites associated with prominent ransomware gangs for any claims related to the MoneyGram cyberattack, in case it is confirmed to be a ransomware attack. Stay tuned.

1.  US Microchip Giant Hit by Cyberattack, Disrupting Operations
2.  AT&T Outage Disrupts Service for Millions of Users Across US
3.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals
4.  Disruptions at 70% of Iran’s Gas Stations Blamed on Cyberattack
5.  Android Money Transfer XHelper App was a Money Laundering Network

MoneyGram Cyberattack: Global Service Disruptions Enter Day 5

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising…

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising 260,000 compromised IoT devices. This operation neutralized a major cyber threat to U.S. infrastructure.

In a major blow to state-sponsored cyber malicious activity, the FBI, in cooperation with other U.S. government agencies, has successfully dismantled a massive botnet linked to Chinese government-backed hackers.

Known as **Flax Typhoon or Raptor Train**, the botnet comprised around 260,000 compromised Internet of Things (IoT) devices globally. The network was reportedly designed to steal sensitive information and disrupt critical services in the U.S. and other nations.

The compromised devices included a widespread network of IoT hardware such as cameras, routers, storage units, and video recorders. According to the joint advisory issued by the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA), the operation not only removed malware from these devices but also severed their links to the larger botnet, making the network powerless.

The takedown came just seven months after, **in February 2024**, the agency dismantled the KV Botnet, which was used by Volt Typhoon, another Chinese state-sponsored threat actor group.

**Scope of the Botnet**

The FBI operation reveals the global reach of the botnet. The United States accounted for nearly half of the compromised devices, reflecting the strategic focus on U.S. infrastructure. Other nations, including Vietnam, Germany, and Canada, also faced significant exposure, showing the worldwide threat posed by the botnet.

Country

Node Count

Percentage

United States

126,000

47.9%

Vietnam

21,100

8.0%

Germany

18,900

7.2%

Romania

9,600

3.7%

Hong Kong

9,400

3.6%

Canada

9,200

3.5%

South Africa

9,000

3.4%

United Kingdom

8,500

3.2%

India

5,800

2.2%

France

5,600

2.1%

Bangladesh

4,100

1.6%

Italy

4,000

1.5%

Lithuania

3,300

1.3%

Albania

2,800

1.1%

Netherlands

2,700

1.0%

China

2,600

1.0%

Australia

2,400

0.9%

Poland

2,100

0.8%

Spain

2,000

0.8%

The table shows Botnet Devices per Country

**Global Reach and Architecture**

The botnet’s impact extended across multiple continents, with North America being the most affected region. Europe and Asia also experienced significant infection rates, while Africa and Oceania had smaller shares. This geographical spread shows the **global vulnerability of IoT devices** and the strategic use of botnets in cyber warfare.

Continent

Node Count

Percentage

North America

135,300

51.3%

Europe

65,600

24.9%

Asia

50,400

19.1%

Africa

9,200

3.5%

Oceania

2,400

0.9%

South America

800

0.3%

The table shows Botnet Devices per Continent

The operation also exposed the types of processors used by the infected devices. The majority were based on the x86 architecture, followed by MIPS and ARM systems, highlighting how a wide array of devices, often lacking sufficient security protocols, can be easily hijacked and integrated into malicious networks.

The full list of vulnerabilities exploited by the botnet, Indicators of Compromise (IoC), and compromised vendors is **available here** (PDF).

**Implications for Global Cybersecurity**

The successful dismantling of the botnet not only neutralizes a major threat to U.S. infrastructure but also sends a strong message to other nation-state actors. Additionally, as IoT devices become an integral part of our daily lives, they will increasingly become lucrative targets for cybercriminals. To protect your IoT devices, follow these simple yet vital guidelines:

*   **Change Default Passwords**: Always update default usernames and passwords on IoT devices to strong, unique credentials.
*   **Regularly Update Firmware**: Ensure your IoT devices are running the latest firmware to patch any security vulnerabilities.
*   **Disable Unnecessary Features**: Turn off features or services you don’t need, such as remote access, to reduce potential entry points for attackers.
*   **Use a Separate Network**: Set up a dedicated network for IoT devices to isolate them from more sensitive devices like computers and smartphones.
*   **Enable Encryption**: If available, activate encryption settings to protect data transmitted by your IoT devices from being intercepted.

1.  **Mozi Botnet Takedown: Who Killed the IoT Zombie Botnet?**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**

FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).

The sophisticated botnet, dubbed **Raptor Train** by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.

"Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in a 81-page report shared with The Hacker News.

The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following -

*   Tier 1: Compromised SOHO/IoT devices
*   Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
*   Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The way it works is, that bot tasks are initiated from Tier 3 "Sparrow" management nodes, which are then routed through the appropriate Tier 2 C2 servers, and subsequently sent to the bots themselves in Tier 1, which makes up a huge chunk of the botnet.

Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.

A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor's ability to reinfect the devices at will.

"In most cases, the operators did not build in a persistence mechanism that survives through a reboot," Lumen noted.

"The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an 'inherent' persistence."

The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.

Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.

These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.

At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which are distinguished by the root domains used and the devices targeted -

*   Crossbill (from May 2020 to April 2022) - use of the C2 root domain k3121.com and associated subdomains
*   Finch (from July 2022 to June 2023) - use of the C2 root domain b2047.com and associated C2 subdomains
*   Canary (from May 2023 to August 2023) - use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
*   Oriole (from June 2023 to September 2024) - use of the C2 root domain w8510.com and associated C2 subdomains

The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.

The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.

"In fact, the w8510.com C2 domain for \[the Oriole\] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings," Lumen said.

"By at least August 7, 2024, it was also included in Cloudflare Radar's top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection."

No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.

What's more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.

The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.

"This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time," Lumen said.

"This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide

Hacktivists love to target financial services companies, and their attacks are growing both larger and longer.

Source: Daniren via Alamy Stock Photo

Financial services organizations have faced nearly twice as many distributed denial of service (DDoS) attacks this year as any other industry, thanks in part to a rise in hacktivism.

According to a new report from Akamai, between Jan. 1 and June 30, there were nearly 3,000 Layer 3 and 4 DDoS attack events in the financial services sector (Layer 3 and 4 attacks occur at the network and transport layers of Internet communication). The next most-targeted industries — gaming, then high tech, then manufacturing — suffered around 1,000 to 1,500 events each.

A number of factors contribute to the sheer scale of the threat, experts say, including a general rise in DDoS across the board, a surge in hacktivist activity in association with high-profile geopolitical conflicts, emerging threats to application programming interfaces (APIs), and more.

And at the end of the day, it's just easy. "They don't have to find a vulnerability. They don't have to find that gap in your armor. They can just literally sit there and hit a button," says Richard Hummel, director of threat intelligence for Netscout.

**Hacktivism Drives DDoS**

On July 15, beginning at 10:05 a.m. local time, the full weight of a globally distributed botnet was turned against a major financial services company in Israel.

The vectors of attack were numerous: UDP flooding, UDP fragmentation, DNS reflection, PUSH and ACK floods, and more. At its peak, the flood of data registered at 789GB per second — equivalent to millions of documents, or hundreds of thousands of photos, streaming in with each passing moment.

The peak of the event lasted until around 1 p.m. local time, but activity persisted for around 24 hours. "This attack was very exceptional in terms of total duration," Akamai researchers wrote, after helping abate the attack. "This requires significant resources and is an indication of a very sophisticated aggressor."

Remarkably, despite that aggressor dedicating so much power to one attack, a number of other Israeli financial institutions experienced outages that same day, in what researchers assessed was likely a politically motivated campaign.

It wasn't the only politically motivated DDoS campaign that happened around this time, nor was it the worst. Those Israeli companies might have considered themselves lucky compared to a UAE bank, whose website was attacked by the pro-Palestinian group BlackMeta (aka DarkMeta). In a six-day romp, the group sent 10 waves of Web requests lasting between four and 20 hours each, averaging 4.5 million per second and peaking at 14.7 million.

DDoS has surged in correlation with the wars in Gaza and Ukraine, Akamai says, particularly against European banks with connections to Ukraine. Even if a financial institution doesn't consider itself political in any way, they nonetheless serve as a useful punching bag for hackers to achieve their dogmatic goals.

**Why Hacktivists Target Finserv**

Being so central to, and interconnected with, wider society, attacks against finance tend to cause more harm and panic than those against other industries.

Plus, more so than in the US, "in European countries or Asian countries, oftentimes government and finance go hand-in-hand, so you will often see that adversaries will walk the stack of what they perceive as government-affiliated," Hummel explains.

As an example, he points to Moldova, a country with manifold conflicts with Russia. "Moldova has been hammered over and over for the past six, seven months now by NoName057 and various other groups. They started with government targets, but then they started looking at finance, at commercial banking, education, public transportation. It's a natural extension."

And as if DDoS weren't already easy enough, in Europe, it's become easier in recent years thanks to Payment Services Directive 2 (PSD2), which came into effect in January 2016. Among other things, the European Union (EU) directive required that financial services providers offer open APIs to third-party services.

PSD2 was designed to better integrate the EU payments market but, Akamai points out, it also widened the surface through which attackers could attack affected companies. APIs offer yet another opening for more sophisticated, application-layer DDoS attacks, particularly when they're poorly accounted for.

"What we're finding is that many financial institutions don't know the expanse of their API ecosystem," says Cheryl Chiodi, industry strategy manager for financial services at Akamai. "There could be developers that were working on a project and left what we call a 'rogue' API, or 'shadow' APIs that are connected to the network but aren't really doing anything. And the cybercriminal can find those entry points and use them to do their infiltration of the network."

In its report, Akamai noted "sharp increases" in DDoS attacks targeting APIs. For this reason, Chiodi urges financial services companies to perform API discovery. "That then opens up the aperture, the visibility, so that you know what the API ecosystem \[in your organization\] is in the first place," she says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact.

Mike Kosak, Senior Principal Intelligence Analyst, LastPass

September 16, 2024

4 Min Read

Source: Saphiens via Alamy Stock Photo

COMMENTARY

As the 2024 US presidential election approaches, cybersecurity is a frequent topic of conversation. From my time in the intelligence community supporting the Department of Defense, I'm familiar with government planning around elections. While the most discussed threats for 2024 are nation-state misinformation and disinformation, this election season, I'm also following cybersecurity threats to municipal election systems. 

The good news is the threat of an actual impactful disruption is low. As the US has funneled significant resources into securing elections over the past decade, US Cybersecurity and Infrastructure Security Agency (CISA) lead Jen Easterly said election infrastructure "has never been more secure." However, that doesn't mean threat actors aren't likely to attempt some sort of attacks, such as website defacements or distributed denial of service (DDoS) attacks against municipal election websites.

Here are the four threats against local election systems we will most likely hear about in 2024:

**Voting Machine Hacking**

The most high-profile threat to US elections is voting machine hacking. However, voting machines are rarely connected directly to the Internet, which aligns with current cybersecurity guidelines. This means the most realistic threat vector would require physical access to the machines, according to F5 Labs, a concern addressed through anti-tampering and physical security guidelines around the country. While cyber vulnerabilities within voting machines exist — as demonstrated annually at the DEFCON Voting Village hacking event — to date, there have been no reports of cyberattacks taking voting machines offline or changing votes, despite the clear value of such a capability to US adversaries.

**DDoS Attacks**

DDoS attacks are a less disruptive but more frequent threat to US elections. Election monitoring and information websites leveraging Google's Project Shield DDoS protection services experienced a 400% increase in weekly attacks during the 2022 midterms. While several companies like Cloudflare offer free DDoS protection services to election-related websites, some sites are still going down. Mississippi's election websites were briefly taken offline in 2022 by a DDoS attack claimed by a pro-Russia hacking group. However, the attack did not impact voting results or availability.

Given the increased profile of the presidential election, we can expect to see DDoS on a larger scale in 2024. However, as CISA and the FBI stated in a July 31 alert, these attacks would not prevent voters from casting their ballots.

**Ransomware**

The FBI and CISA released a similar alert on Aug. 15 related to ransomware disruptions, reassuring the public that any attack along these lines would not compromise the security or accuracy of voting. Ransomware groups will likely target municipalities — already a common target — in the run-up to the elections. 

For instance, a ransomware attack in April forced a Georgia county to temporarily disconnect from the state's voter registration system as a precautionary measure — highlighting disruptions that could occur around access to voter data or other election information. However, the FBI and CISA noted, "Any successful ransomware attack on election infrastructure tracked by FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security and accuracy of ballot casting or tabulation processes or systems." Similar to DDoS attacks, no reporting suggests ransomware attacks have ever prevented a vote from being cast.

**Website Defacement and Email Access**

Website defacements are another common threat, where attackers take over election-related sites to alter data or images. These attacks can either aim to embarrass the site owner or subtly manipulate information, such as polling results or polling station hours.

In 2020, a threat actor briefly took over the campaign website for then President Trump, posting a derogatory message and seeking payment in return for not releasing data they claimed to have stolen. While these attacks may occur and could cause local disruptions, they would not impact the ability to vote or tally votes.

Hybrid cyber-physical threats, such as the increasing use of emails or spoofed phone numbers to deliver fake bomb threats or conduct swatting attacks, also present a concern, where false scenarios are reported to provoke a large police response. In 2018, a months-long campaign targeting US schools and businesses caused evacuations, police responses, and major disruptions. Similar attacks on election day could target polling stations, election offices, or ballot-counting sites.

Finally, threat actors (particularly nation-states) will continue to target email accounts of political operatives and organizations. The US intelligence community has already attributed social engineering attacks targeting both major US political parties to Iran. These attacks aimed to access sensitive or embarrassing information to influence the US election, highlighting the frequency of politically motivated social engineering attacks and the importance of secure, unique passwords and multifactor authentication. 

**Safeguarding the Vote**

While cyberattacks will undoubtedly target US election infrastructure over the next few months, it's important to place these events in the context of the protections put in place. Federal, state, local, and tribal governments, as well as international allies, have all been tracking these threats and implementing mitigations and contingencies to help ensure a secure and smooth election. 

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact. Voters should stay informed and rely on official sources to ensure their participation is not disrupted.

**About the Author**

Senior Principal Intelligence Analyst, LastPass

Mike Kosak is a former US Department of Defense (DoD) counterterrorism intelligence officer with more than 20 years of experience as a threat intelligence analyst. While with the DoD, he served in several senior intelligence officer roles, including leading the Pentagon office responsible for providing intelligence updates to the chairman of the Joint Chiefs of Staff, and was deployed to Iraq three times in support of Operation Iraqi Freedom. He also served as the acting senior command representative to the Joint Special Operations Command for the Defense Intelligence Agency. During his deployments, he led intelligence teams in support of both conventional and special forces. Following his government service, Kosak held private sector cyber intelligence positions at Bank of America, where he led the Strategic Cyber Intelligence and Threat Evaluation teams, and TIAA, where he led the Cyber Threat Intelligence team. He currently serves as the senior principal intelligence analyst at LastPass.

Cybersecurity &amp; the 2024 US Elections

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining.
The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed Hadooken, according to cloud security firm Aqua.
"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher

Enterprise Security / Vulnerability

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining.

The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed **Hadooken**, according to cloud security firm Aqua.

"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Moran said.

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85\[.\]102" or "185.174.136\[.\]204").

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.

"It then moves laterally across the organization or connected environments to further spread the Hadooken malware. "

Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.

Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.

Aqua noted that the IP address 89.185.85\[.\]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign by abusing flaws in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address 185.174.136\[.\]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.

"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency

An attacker is using the tool to deploy a cryptominer and the Tsunami DDoS bot on compromised systems.

Source: TippaPatt via Shutterstock

A threat actor is dropping a cryptominer and distributed denial-of-service (DDoS) malware on Oracle WebLogic Servers using "Hadooken."

Researchers at Aqua Nautilus spotted the malware when it hit one of their honeypots last month. Their subsequent analysis showed Hadooken to be the main payload in an attack chain that began with the threat actor brute-forcing its way into the administration panel of Aqua's weakly protected WebLogic honeypot. It appears Hadooken's authors named the malware after the iconic Surge Fist move in the Street Fighter series of video games.

Once inside the Aqua system, the attacker downloaded Hadooken to it using two nearly functionally identical scripts — a Python script and a "c" shell script — with one likely acting as a backup for the other. Aqua found both scripts designed to run Hadooken on the compromised honeypot and to then delete the file.

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Aqua's lead researcher, Assaf Morag, said in a report. "It then moves laterally across the organization or connected environments to further spread the Hadooken malware."

**A Valuable Target**

Oracle's WebLogic Server allows customers to build and deploy Java applications. Thousands of organizations — including some of the world's largest banking and financial services companies, professional services firms, healthcare entities, and manufacturing companies — have deployed WebLogic. These deployments include modernizing their Java enterprise application environment, deploying Java apps in the cloud, and building Java microservices. Critical vulnerabilities, including those that have enabled complete takeover of WebLogic Server, have made the technology a frequent target for attacks over the years. Configuration errors, such as weak passwords and Internet-exposed admin consoles, have exacerbated the risks around the platform.

In Aqua's honeypot attack, the threat actor gained initial access to the WebLogic server by brute-forcing past the security vendor's deliberately weak password. Hadooken then dropped two executable files: Tsunami, a malware used in numerous DDoS attacks going back at least a decade; and a cryptominer. In addition, Aqua found the malware creating multiple cron jobs — which schedule commands or scripts to run automatically at specific intervals or times — to maintain persistence on the compromised system.

**Potential for More Trouble**

Aqua's analysis showed no sign of the adversary actually using Tsunami in the attack, but the security vendor didn't rule out the possibility of that happening at a later stage. Equally likely is the possibility that the attacker could tweak Hadooken relatively easily to target other Linux platforms, Morag tells Dark Reading. "At the moment we've only seen indications the attackers are brute-forcing their way to WebLogic Servers," Morag says. "But based on other attacks and campaigns, we assume the attackers won't limit themselves to WebLogic."

It's also likely that the attackers won't limit themselves to cryptocurrency and DDoS malware in future Hadooken campaigns. Aqua's static analysis of the malware showed links in the code to Rhombus and NoEscape ransomware, but no actual use of the code during the attack on its honeypot. Aqua found the threat actor using two IP addresses, one in Germany and the other in Russia, to download Hadooken on compromised systems. The German IP address is one that two other threat groups — TeamTNT and Gang 8220 — have used in previous campaigns, but there is nothing to suggest they are linked to the Hadooken campaign, Aqua said.

The company recommends that organizations consider using mechanisms like infrastructure-as-code scanning tools, cloud security posture management tools, Kubernetes security and configuration tools, runtime security tools, and container security tools to mitigate threats like Hadooken.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Hadooken' Malware Targets Oracle's WebLogic Servers

Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6536.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat AMQ Streams 2.5.2 release and security update  
Advisory ID:        RHSA-2024:6536-03  
Product:            Streams for Apache Kafka  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6536  
Issue date:         2024-09-10  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):  
* Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)

* ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.  
(CVE-2024-23944)

* ZooKeeper: Authorization Bypass in Apache ZooKeeper [amq-st-2](CVE-2023-44981)

* Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)

* Kafka: snappy-java: Unchecked chunk length leads to DoS [amq-st-2](CVE-2023-34455), (CVE-2024-27309), (CVE-2024-31141)

* Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

* Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

 * Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)

* Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)

* Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)

 * Cruise Control: Bump snappy-java to fix (CVE-2023-43642)

* Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)

* Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)

* Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/ENTMQST-5366  
https://issues.redhat.com/browse/ENTMQST-5882  
https://issues.redhat.com/browse/ENTMQST-5885  
https://issues.redhat.com/browse/ENTMQST-5886  
https://issues.redhat.com/browse/ENTMQST-6235

Red Hat Security Advisory 2024-6536-03

Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

Tag

#ddos