International Police Op Disrupts Criminal Abuse of Cobalt Strike
Read also: “Evil Twin” hacker arrested for stealing the personal data, a former IT-employee indicted for a breach affecting 1M patients, and more.
Thursday, July 4, 2024
Global action takes down hundreds of servers linked to criminal abuse of Cobalt Strike
An international operation led by the UK’s National Crime Agency (NCA) and involving law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland, and the United States has targeted the illicit use of the Cobalt Strike security tool.
The initiative, codenamed “Operation MORPHEUS”, has resulted in the shutdown of numerous criminal infrastructures exploiting unauthorized copies of Cobalt Strike, a legitimate tool developed by cybersecurity firm Fortra. Despite the measures Fortra put in place to prevent the abuse, criminals have been using cracked older versions of the software to gain unauthorized access to systems and deploy malware. Over the years, unlicensed copies of Cobalt Strike have been connected to several high-profile malware and ransomware campaigns, including RYUK, Trickbot, and Conti.
As part of the operation, law enforcement agencies flagged 690 IP addresses and a range of domain names linked to criminal activities. These details were shared with online service providers in 27 countries, who deactivated the compromised servers. The operation leveraged a combination of server takedowns and abuse notifications to service providers, alerting them to the presence of malicious software on their networks. According to officials, 593 IP addresses had been successfully taken down.
Former IT-employee indicted for a breach affecting 1 million patients
An ex-employee of Microsoft's Nuance Communications division has been indicted in connection with a 2023 data breach affecting over 1 million patients of the Pennsylvania-based healthcare system Geisinger. The US Department of Justice has charged the former Nuance worker, Max Vance, also known as Andre Burk, with an alleged federal computer crime.
The compromised data includes patients' names, birthdates, addresses, admit and discharge or transfer codes, medical record numbers, race, gender, phone numbers, and facility name abbreviations. The breach did not involve claims or insurance information, credit card or bank account numbers, other financial details, or Social Security numbers.
According to the authorities, Max Vance accessed patient information just two days after being terminated, exploiting his access to Geisinger's records that the company failed to remove.
The US Department of Justice indicted Vance, charging him with one count of “obtaining information from a protected computer,” a federal crime under the Computer Fraud and Abuse Act. Vance's trial is scheduled to begin on August 5, 2024, according to court records.
Cybersecurity Compliance
Prevent data breaches and meet regulatory requirements
“Evil Twin” hacker arrested for stealing personal data
The Australian police have arrested a West Australian man who allegedly set up fake free WiFi access points to steal the personal data of victims who connected to them.
The police launched an investigation in April 2024 after an airline reported a suspicious WiFi network discovered by its employees during a domestic flight. The investigation revealed that an unnamed suspect leveraged a portable wireless access device to establish an ‘evil twin’ free WiFi network mimicking legitimate services. Upon connecting to the fake network, victims were redirected to a phishing webpage asking them to enter their login credentials.
It’s unclear, how the police have identified the suspect, but, according to the AFP’s press release, the law enforcement officers searched the man’s baggage when he returned to Perth Airport on a flight from interstate. The police confiscated a portable wireless access device, a laptop and a cellphone from his hand luggage. The man’s home was also searched. Following the searches, the man was arrested and charged.
The alleged perpetrator has been charged with nine offenses, including unauthorized impairment of electronic communication, possession or control of data with the intent to commit a serious offence, and unauthorized access or modification of restricted data. If convicted, he could face years of imprisonment.
A Bulgarian hacker arrested for data theft and extortion
A 21-year-old Bulgarian named Teodor Iliev, who allegedly used the alias “Emil Külev” online, has been arrested by Sofia police. The Bulgarian Prosecutor's Office announced Iliev's arrest on charges related to numerous computer crimes. Iliev is accused of hacking into the information systems of various state institutions, banks, insurance companies, and other organizations. The theft of information took place between March 2020 and January 2024.
According to the prosecution, the hacker infiltrated the computer systems of institutions and companies, copied data and used it to extort money from the victims. In July 2023, a user on BreachForums named “MAGADANS,” who is believed to be Iliev, leaked a database belonging to Bulgaria's largest insurance firm. Iliev has been denied bond and remains in custody.
In separate news, two Romanian nationals, Ion Halmac and Marian Vasilache, were sentenced in the United States to 18 months in federal prison for conspiracy to steal bank card numbers, possession of skimming equipment, and possession of bank card numbers.
They were stopped by the Florida Highway Patrol for speeding on April 17, 2023, and found to be in the US illegally after initially providing false identification. A search of their vehicle uncovered skimming equipment, blank cards, and a laptop with over 3,000 bank card numbers. Further investigation led to the discovery of additional skimming equipment in a New Orleans storage facility. Both men will serve a 1-year supervised release after their prison term, though this is expected to be waived due to deportation.
Police arrest 54 suspects linked to a massive vishing fraud gang
The Spanish National Police (Policía Nacional), the Mossos d’Esquadra, and the Portuguese Judicial Police (Policía Judiciária) have arrested 54 individuals suspected of participating in a massive vishing fraud scheme that has cost victims €2.5m ($2.7m) in losses.
The gang targeted Spanish senior citizens with a combination of vishing and face-to-face social engineering tactics. Police seized computers, laptops, mobile phones, SIM cards, cannabis, and cocaine during the property searches.
In the meantime, Interpol announced the results of a global police effort known as “Operation First Light 2024” that has targeted various scams like phishing, investment fraud, and fake online shopping.
As part of the operation, 3,950 suspects were arrested, and 14,643 potential suspects worldwide were identified. The police seized assets worth $257 million and froze 6,745 bank accounts linked to scams.
What’s next:
- Join our upcoming webinars
- Follow ImmuniWeb on Twitter, LinkedIn and Telegram
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Key Dutch has been working in information technology and cybersecurity for over 20 years, starting his first job with Windows 95 and dial-up modems. As the Editor-in-Chief of our Cybercrime Prosecution Weekly blog series, he compiles the most interesting news about police operations against cybercrime, as well as about regulatory actions enforcing data protection and privacy law. 
