Risky Bulletin Newsletter
December 13, 2024
Risky Bulletin: Germany's BSI sinkholes BADBOX malware traffic
Written by
News Editor
This newsletter is brought to you by Proofpoint. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.
Germany's cybersecurity agency has sinkholed internet traffic originating from Germany and going to the command and control servers of the BADBOX malware group.
The malware was first spotted in October of last year by Human Security, a company specialized in detecting advertising fraud.
The BADBOX group assembled a botnet of over 280,000 systems by hiding its malware in malicious Android and iOS apps and inside the firmware of Android TV streaming boxes.
Human Security said the BADBOX group operated out of China and most likely had access to hardware supply chains where its members could deploy the malicious firmware on streaming boxes.
Researchers said the botnet's purpose was to secretly install apps on the infected devices that would later show and play unwanted ads to the device's owner.
The BSI says all German internet service providers with over 100,000 customers are now mandated by law to redirect BADBOX traffic to its sinkhole.
So far, the BSI says it's receiving traffic from over 30,000 devices located in Germany. The agency plans to work with ISPs to notify all device owners.
This is the first time the BSI has sinkholed a malware operation on its own—without being part of an international effort targeting cybercrime operations.
Risky Business Podcasts
Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show with Pat and Adam at the helm!
Breaches, hacks, and security incidents
Krispy Kreme cyberattack: Doughnut chain Krispy Kreme says a cyberattack is disrupting some of its IT systems, including online ordering in parts of the United States. The company says the attack took place on November 29 but declined to provide other details. It said restaurants and other retail activities were not affected.
Lynx group behind Electrica ransomware attack: Romania's cybersecurity agency says the Lynx ransomware is behind the attack on Electrica, the country's largest electricity provider. The group was first spotted in August this year and has taken credit for at least 78 attacks. According to Palo Alto Networks, the Lynx ransomware is just a rebrand of the older INC ransomware group.
Byte Federal breach: Bitcoin ATM operator Byte Federal says a threat actor gained access to one of its servers after exploiting a vulnerability in its GitLab platform. No customer assets were compromised, but the threat actor was able to collect some customer personal information. Byte Federal says the hack took place last month and impacted roughly 58,000 users. [Official Byte Federal breach disclosure/PDF]
Kadokawa ransomware double-cross: A Japanese game and film publisher has paid a $3 million ransom to the BlackSuit ransomware gang but still had employee data leaked online anyway. A payment by the Kadokawa Corporation was allegedly made in June, and the leak occurred months later in September. It is unclear if BlackSuit tried to re-extort the company or if the leak occurred because of a technical glitch in the group's backend infrastructure. [Additional coverage in The Mainichi] [h/t DataBreaches.net]
Care1 leak: Canadian healthcare AI software provider Care1 has leaked a huge trove of personal data via an unprotected database.
Vestra DAO crypto-heist: The Vestra DAO crypto-project says it lost $500,000 worth of assets after a hacker exploited a vulnerability in one of its smart contracts.
General tech and privacy
WP Engine gets Automattic injunction: The WP Engine team has been granted an injunction to stop Automattic and the WordPress team from blocking its staff's access to WordPress websites and resources. [Additional coverage in 404 Media]
Photobucket sued over AI shenanigans: A group of plaintiffs has filed a lawsuit against photo-hosting service PhotoBucket over a recent privacy policy update. The plaintiffs are looking for a court injunction to block PhotoBucket from selling user photos to AI companies so they can train their models on users' biometric data, such as faces and iris scans. The lawsuit cites the privacy laws of several US states and seeks to force PhotoBucket to obtain written consent from users before selling the photos. [Additional coverage in ArsTechnica]
New Android security features: Google is updating its security feature that can detect unknown Bluetooth trackers in the vicinity of a user's Android device. The company is rolling out an option that allows users to pause location updates from their phones and is updating the Find Nearby service to pinpoint the location of an unregistered tracker.
Six-day TLS certs: Let's Encrypt has announced plans to start issuing TLS certificates with a maximum lifespan of just six days. The new certs are coming next year. Let's Encrypt says existing customers won't have to change anything if they choose to go with the shorter certificates.
Telegram moderation: Telegram has launched a new moderation portal where it provides details in real-time about its moderation practices.
Government, politics, and policy
Trump to split CyberCom-NSA dual-hat: The incoming Trump administration wants to split up the leadership of US Cyber Command and the National Security Agency. According to The Record, Trump's America First Policy Institute think tank is preparing plans for each agency's staff and agenda following the split. The split will allow President-elect Trump to nominate new leaders for each agency. Gen. Timothy Haugh was appointed by Congress last year as the leader of both agencies. CyberCom and the NSA have had the same shared leadership since Cyber Command was established in 2010. [Additional coverage in The Record]
SEC cyber reporting stats: The SEC's new cyber incident reporting rules have generated filings for only 71 security incidents over the past year since entering into effect last December. Only a very small part of the filings confirmed that companies suffered a material impact from the incidents. According to BreachRX, less than half of filings provided insights into a company's response procedures, and most filings described an organization's cyber risks and incident response procedures in nearly identical and generic terms. [Additional coverage in CybersecurityDive]
FCC threatens 2,400 voice providers: The US Federal Communications Commission says that over 2,400 voice service providers have failed to implement robocall blocking mitigations. The agency says it plans to ban the companies if they don't register with the FCC Robocall Mitigation Database within the next 14 days. Voice providers not on the database will have traffic blocked by the larger and legitimate providers. The registration data cutoff is December 24.
Sponsor section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Proofpoint senior threat intelligence analyst Selena Larson about the rise of Attacker-in-the-Middle phishing and ClickFix social engineering campaigns.
Arrests, cybercrime, and threat intel
Xmas DDoS takedowns, 2024 edition: Europol and law enforcement agencies from 15 countries have seized and taken down 27 DDoS-for-hire services. The takedown is part of a now-yearly tradition of seizing DDoS infrastructure before the Christmas holiday. The tradition started in the mid-2010s after several DDoS groups launched attacks against gaming services on Christmas and the New Year. Besides the takedown, officials have also arrested and charged two suspects who ran the services. One of them was identified as Ricardo Cesar Colli, a Brazilian national who allegedly ran the SecurityHide booter.
New Myanmar scam center arrests: Myanmar officials have arrested 45 suspects for their alleged role in an online scam operation. The arrests took place on Monday in Myanmar's Shan state, near the Chinese border. Eighteen of the 45 suspects are Chinese nationals. Officials also seized Starlink internet equipment, mobile phones, and weapons. Radio Free Asia reports that many other scam centers and money laundering operations are still up in the region. The report claims that the local military junta is still protecting the gangs, supplying gangs with weapons, and that some of the arrests are "merely for show." [h/t CyberScamWatch]
Peru scam call centers taken down: Peruvian and Spanish police have raided three call centers in Peru responsible for vishing campaigns targeting Spanish users. Thirty-five suspects were detained in Spain and another 48 in Peru. The group operated by calling Spanish citizens and posing as employees of various banking institutions. Officials say the group made €3 million from scamming over 10,000 victims over the past two years.
FSB raids scam call center: Russia's FSB security service has raided a call center involved in an online scam operation. Eleven suspects were detained, including the call center's manager, an Israeli-Ukrainian citizen named J. D. Keselman. Officials say the call center defrauded over 100,000 victims in 50 countries and was making $1 million/day. The FSB says the call center had links to former Georgian defense minister David Kezerashvili. [Additional coverage in The Moscow Times]
BEC scammer extradited to US: The US Justice Department says it extradited a 43-year-old Nigerian BEC scammer from South Africa.
UI Automation abuse: Akamai researchers have found a way to abuse the Microsoft UI Automation framework to execute malicious operations without being detected by EDR and other security solutions. The technique requires that users run a malicious file, but it is undetected on all Windows versions going back to XP. The technique can be used to execute commands, exfiltrate data, and manipulate internet browsing.
Cryptomus profile: Brian Krebs has published a profile on Cryptomus, a Canadian company that serves as a "payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers," allowing threat actors to turn stolen crypto into cash at Russian banks.
Dubai police scam alert: BforeAI and Resecurity both look at a recent phishing campaign that posed as the Dubai Police to lure victims on fake fine payment sites and collect their personal and financial details. Resecurity linked the campaign to a group it tracks as the Smishing Triad.
Russian fraud: FACCT looks at a recent fraud campaign taking place over Telegram and targeting Russians with fake government handouts.
Most supply-chain malware is on npm: DevSecOps company Sonatype says it has detected over 778,500 malicious libraries since it began tracking open-source repositories in 2019. Most of the detections were on the npm portal, with over 540,000 malicious libraries. Last year alone, malicious npm code accounted for 98% of Sonatype's detections.
Malware technical reports
FK_Undead rootkit loader: G DATA researchers have found a new rootkit loader component used together with FK_Undead, a malware family known for intercepting user network traffic through the manipulation of proxy configurations.
Zloader's new trick: Security firm Zscaler looks at a recent change in the Zloader trojan: the use of DNS tunneling for C2 communications.
TrickBot updates: DomainTools' security team has published a report on the recent updates to TrickBot infrastructure and tactics.
Remcos RAT: A McAfee report looks at recent campaigns delivering the good ol' Remcos RAT.
Snake keylogger fork: ANY.RUN has published an analysis of a new fork of the Snake keylogger.
"The Nova variant of the Snake Keylogger represents a significant evolution of its predecessor, with advanced evasion techniques and a broader array of data exfiltration capabilities."
Cleo attack payload (Malichus): BinaryDefense, Huntress, and Rapid7 have published a technical analysis of the payload (Java webshell/RAT/backdoor) dropped on hacked Cleo file transfer servers. Huntress has named this malware family Malichus. See here for our initial coverage of the attacks. The vendor also released a patch (5.8.0.24) on Wednesday. The number of confirmed victims has gone up to 50.
Sponsor section
The Proofpoint Voice of the CISO report is drawn from a survey of 1,600 chief information security officers across 16 countries, exploring key challenges, expectations, and priorities. What does the data reveal?
APTs, cyber-espionage, and info-ops
EagleMsgSpy: Security firm Lookout has discovered a new lawful intercept and surveillance tool used by Chinese law enforcement to collect sensitive information from Android devices. The EagleMsgSpy toolkit requires physical access to install and appears to have been in use since 2017. It can collect chat messages, record screens, record audio, and track the device's location and network activity. Lookout says EagleMsgSpy was developed by a company named Wuhan Chinasoft Token Information Technology.
Chinese APT campaign in SE Asia: Broadcom's Symantec division says it uncovered a Chinese APT espionage operation targeting multiple industry sectors across Southeast Asian countries.
"While attribution to a specific threat group cannot be determined, multiple tools used in the campaign have links to several China-based actors (see Tools section for details)."
Careto (The Mask) is back: Russian security firm Kaspersky says it spotted new activity from Careto, one of the oldest known APT groups. Also known as The Mask, the group was first seen in 2007 and is believed to operate from a Spanish-speaking country. Recent campaigns targeted organizations in Latin America. Kaspersky says the group employed extraordinary infection techniques and complex multi-component malware.
SloppyLemming attribution: DomainTools has attributed an APT campaign targeting the Pakistan Navy, as described in a recent BlackBerry report, to SloppyLemming, an Indian cyber-espionage group.
Cost of Russian info-ops in Bulgaria & Romania: A group of Bulgarian security researchers has estimated that the Russian government spent around €69 million to run influence operations targeting Bulgaria and Romania over the past years. [Additional coverage in News.ro]
Gamaredon's BoneSpy and PlainGnome: Security firm Lookout has discovered two Android malware families used by Russian APT group Gamaredon to spy on Russian-speaking users across the former Soviet states.
- BoneSpy has been in use since at least 2021, while PlainGnome first appeared in 2024. Both families are still active at the time of writing.
- PlainGnome acts as a dropper for a surveillance payload, stored within the dropper package, while BoneSpy is deployed as a standalone application.
- These are the first known mobile families to be attributed to Gamaredon.
Turla piggybacks on cybercrime ops: One of Russia's elite military hacking units has leveraged the infrastructure of a cybercrime group to search and deploy malware targeting the Ukrainian military. The Turla APT searched through the infrastructure of cybercrime group Storm-1919 for systems located in Ukraine and then deployed its own custom backdoor. Microsoft says Turla specifically searched for devices with Starlink IP addresses, a common detail of Ukrainian frontline devices. Turla also appears to have collaborated with another Russian APT group named Storm-1837, which previously carried out campaigns targeting Ukrainian military drone pilots. Microsoft says Turla has hacked at least six other APTs over the past seven years—a list that also includes Iranian and Pakistani groups.
Vulnerabilities, security research, and bug bounty
Apple security updates: Apple has released security updates for all its major products. No zero-days reported this time.
RubyGems security audit: Trail of Bits has conducted a security audit of the RubyGems package repository.
"Three engineers spent five engineer-weeks reviewing code in the rubygems.org and rubygems-terraform repositories. Our assessment covered web application vulnerabilities, infrastructure configuration, authentication mechanisms, and access controls."
Cleo PoC: Security firm watchTowr Labs has released a proof-of-concept exploit for a zero-day (CVE-2024-50623) in Cleo file-transfer servers.
Facebook Messenger DoS: Signal11 has published details on a denial of service vulnerability that impacts the group calling feature on Facebook Messenger for iOS.
Citrix DoS: Assetnote researchers have published an analysis of a denial of service vulnerability (CVE-2024-8534) patched in Citrix NetScaler ADC and Gateway last month.
Microsoft MFA bypass: Oasis Security has published a report on an MFA bypass in Microsoft services they found earlier this year. The bug was patched back in October.
TCC bypass write-up: Jamf has published a write-up on CVE-2024-44131, a TCC bypass impacting macOS and iOS that Apple patched back in September.
Hunk Companion exploitation: Threat actors are exploiting a vulnerability in the Hunk Companion WordPress plugin to install backdoors on WordPress sites. WPScan says the attackers are using malformed POST requests to instruct Hunk Companion to secretly install outdated versions of official WordPress plugins. The threat actors then exploit these older plugins to deploy their backdoors. A patch for the Hunk Companion plugin is available, but attacks are still ongoing against unpatched sites.
Prometheus DoS bug: Approximately 336,000 Prometheus monitoring and alerting servers and "exporter" systems are vulnerable to a denial of service vulnerability that can crash systems and blind IT teams to security events in their infrastructure, per Aqua Security.
PDQ Deploy vulnerability: The CERT/CC team warns that threat actors can steal credentials from systems managed through the PDQ Deploy remote IT management software.
"The run mode 'Deploy User' insecurely creates credentials on the target device. These credentials are deleted from the device following a full deployment of a software file, however, an attacker with access to the target device can compromise these credentials prior to deletion through common password tools such as Mimikatz. These credentials could then be used to gain administrator access on the target device, or to compromise any other device using these credentials that is enrolled through active directory and has previously had software deployed to it by PDQ Deploy."
Skoda vulnerabilities: Security researchers have discovered 12 vulnerabilities in the infotainment systems used in Skoda cars that can allow malicious threat actors to track a vehicle's location in real time. The bugs also allow attackers to modify the infotainment system screen and even eavesdrop on conversations via the in-car microphone. The vulnerabilities were tested in Skoda Superb models, but the MIB3 infotainment system is also used in other car models manufactured by the Volkswagen Group. The 12 bugs disclosed this week at the Black Hat security conference are part of a set of 21 security flaws discovered by security firm PCAutomotive and reported to Volkswagen in 2022. The carmaker says all issues have now been patched. [Additional coverage in TechCrunch]
Infosec industry
New tool—FuzzyAI: Security firm CyberArk has released FuzzyAI, a tool for automated LLM fuzzing.
New tool—DarkFlare: Security researcher Barrett Lyon has released DarkFlare, a command-line tool to create TCP-over-CDN tunnels.
AWS re:Invent 2024 videos: Talks from the AWS re:Invent 2024 security conference, which took place earlier this month, are available on YouTube.
Threat/trend reports: Abnormal Security, BreachRX, CyFirma, MITRE, Namecheap, NCC Group, NetRise, the NZ NCSC, Sophos, and Sonatype have published reports and summaries covering various infosec trends and industry threats.
Risky Business Podcasts
In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how states have very different approaches to controlling cyber operations.
In this podcast, Tom Uren and Adam Boileau talk about the continued importance of hack and leak operations. They didn't really affect the recent US presidential election, but they are still a powerful tool for vested interests to influence public policy.