This week, we saw another victory for law enforcement against the evil lurking in the deep, dark web, or to be more specific, the DeepDotWeb. This past Wednesday, the United States Department of Justice announced a guilty plea from one Tal Prihar. The Israeli citizen, who is currently residing in Brazil, has been identified as a co-owner and co-operator of the DeepDotWeb website.
The site was arguably the most popular hub for dark web market news, market statuses, links and more. Operated by Prihar and another individual, Michael Phan, the site took in nearly $8 million by providing direct and referral links to other sites selling illicit goods.
As a result of the referrals, other highly successful marketplaces would provide a payment (kickback) to Prihar and Phan. These markets specialized in the peddling of firearms, malware and exploits, along with pharmaceuticals and hard drugs, and included notorious dark web sites such as Dream Market, Valhalla, Abraxas, Agora and AlphaBay. As such sites aren't indexed by search engines and are consequently difficult to find, DeepDotWeb effectively provided an entry point for internet users to discover sources of illicit trade.
In order to obfuscate the trail of Bitcoin payments received for their referrals, Phan and Prihar laundered the funds through bank accounts belonging to shell corporations, as well as through crypto wallet anonymizer services.
Both individuals have pleaded guilty to conspiracy to commit money laundering and each faces a maximum sentence of 20 years. This is a significant law enforcement victory, and one of the most significant takedowns in dark web history!
This week more details emerged of a recent malware campaign dubbed BazarCall. From the name, you might guess that BazarLoader appears somewhere in the infection chain, and you would be correct. However, the delivery of the desired payload takes a somewhat roundabout trip to its intended targets and is coordinated via a threat-actor-controlled call center.
The BazarCall campaign begins with a spray of phishing emails to corporate addresses which entice the recipient to phone a call center in order to complete the receipt process for some fictitious subscription.
When the victim contacts the number provided, they are asked for the unique ID contained in the phishing email. This ID allows the operator on the other end of the phone to confirm whether the caller is truly part of the targeted organization. If they are, the caller is instructed to visit a specific, malicious web page to proceed with the process.
At this point, the victim is prompted to download and open a maliciously crafted MS Office document. Under the right conditions, opening this document leads to the installation of the BazarLoader malware, which itself may be a precursor to threats like TrickBot, Ryuk, Conti or IcedID. Note that the initial email carries neither a link nor an attachment; the victim is only handed the malicious URL over the phone, which is exactly what lets the lure slip past controls that key on malicious URLs and attachments.
This shows us (once again) just how far the threat actors behind modern malware are willing to go to extend their reach and maximize their footprint. To fully staff a call center focused on intake for high-volume phishing attacks is somewhat impressive for a non-nation-state actor. Researchers believe that the call center infrastructure may be operating as a distribution-for-hire service for multiple clients, and it is quite possible that we will see other malware strains take advantage of this novel and theoretically quite effective distribution method.
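Because the BazarCall lure contains no URL and no attachment, link-scanning mail filters have nothing to score. The following triage heuristic, added here as an example and not part of the original article or of any vendor tool, scores an email on the traits the chain above relies on instead: a phone number, a "customer ID" token the caller is expected to quote, billing or subscription wording, an urgency cue, and the absence of any link or attachment. Both messages it is run against are constructed samples; the score thresholds and keyword lists are assumptions to be tuned against your own mail flow.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the lure described above: billing
# pretext, unique ID to quote, phone number, no link, no attachment.
SAMPLE_EML = """\
From: "Billing Desk" <billing@example.invalid>
To: user@corp.example
Subject: Your premium subscription has been renewed - invoice 774-201
Content-Type: text/plain; charset=utf-8

Your free trial has ended and your annual subscription ($499.00)
has been charged to your card. If you wish to cancel, call our
customer service line at 1-800-555-0199 within 24 hours and
quote your customer ID: 7F3K-22A9.
"""

# Constructed benign control: internal notice with a link and no phone number.
BENIGN_EML = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: user@corp.example
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset=utf-8

The VPN gateway will be unavailable Saturday 02:00-04:00 UTC.
Details: https://intranet.corp.example/maintenance
"""

# North American phone pattern is an assumption; widen for your region.
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")
# "customer ID: XXXX" style token the call-center operator will ask for.
ID_RE = re.compile(
    r"\b(?:customer|subscription|order|invoice)\s+(?:id|number|no\.?)\s*[:#]?\s*([A-Z0-9-]{6,})",
    re.I,
)
URL_RE = re.compile(r"https?://\S+", re.I)
LURE_WORDS = ("subscription", "renew", "charged", "cancel", "free trial", "invoice")
URGENCY_WORDS = ("within 24 hours", "immediately", "today", "expires")


def _body_text(msg: Message) -> str:
    """Concatenate all text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_callback_phish(raw_eml: str) -> dict:
    """Score a raw RFC 822 message for callback-phishing traits.

    Weights and the 'suspicious' threshold (>= 5) are assumptions for
    illustration; each indicator is returned so an analyst can see why.
    """
    msg = message_from_string(raw_eml)
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    phones = PHONE_RE.findall(body)
    ids = ID_RE.findall(body)
    urls = URL_RE.findall(body)
    has_attachment = any(part.get_filename() for part in msg.walk())

    indicators, score = [], 0
    if phones:
        indicators.append("phone_number"); score += 2
    if ids:
        indicators.append("caller_id_token"); score += 2
    if any(w in text for w in LURE_WORDS):
        indicators.append("billing_lure"); score += 1
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("urgency"); score += 1
    # The defining trait: a call to action with nothing for a URL/attachment scanner to inspect.
    if not urls and not has_attachment:
        indicators.append("no_url_no_attachment"); score += 1

    return {
        "score": score,
        "indicators": indicators,
        "phones": phones,
        "ids": ids,
        "verdict": "suspicious" if score >= 5 else "benign",
    }


if __name__ == "__main__":
    for name, eml in (("lure", SAMPLE_EML), ("control", BENIGN_EML)):
        print(name, score_callback_phish(eml))
```

The phone number and quoted ID that the heuristic extracts are the pivot points for response: the number can be blocked at the telephony gateway and searched for across the mail store to find every recipient of the same wave, and the ID tells you which users the operator will recognise as "in scope" if they do call.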
The last year has been monumental when it comes to historic data breaches. Of late, names like SolarWinds and Accellion have taken on a much darker connotation than those companies would prefer. In fact, for many people in the security industry, those two incidents are going to fully occupy their time for many months ahead. This week the pain continues as one of the world's largest corporations, Royal Dutch Shell, has seen its data leaked on the internet by the FIN11 hacking group after being affected by the recently discovered vulnerabilities in Accellion's FTA (File Transfer Appliance).
The leaked data reportedly included "passport copies, an evaluation report and a document written in Hungarian" and was found on a dark web site associated with Clop ransomware leaks.
The attackers were reportedly able to access "various files during a limited window of time", and other stolen files could contain personal data and sensitive data from Shell subsidiaries and stakeholders.
Only time will tell what the real ramifications are, but this is yet another example of how one small chink in the supply chain can result in disastrous consequences for any enterprise.
We encourage everyone to review their environments and ensure they have full visibility into the various applications and services running and exposed, third-party appliances such as file transfer gateways included. It may not always be easy to patch or update resources, but weighing the cost of patching against the cost of disaster recovery, there is always an incentive to patch. This is especially true in the current threat landscape, where criminals are taking advantage of any new vulnerability in almost no time at all.
For the latest information on these vulnerabilities, please see Accellion’s website and statement.