Media Coverage

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem.

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.

A court-authorized international law enforcement operation led by the U.S. Justice Department disrupted a botnet used to commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

“This Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911 S5, a botnet that facilitated cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations,” said Attorney General Merrick B. Garland.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

The Department appreciates the significant assistance provided by the Attorney-General’s Chambers of Singapore, Singapore Police Force (SPF), Royal Thai Police, and the Office of the Attorney General and the Anti-Money Laundering Office of the Kingdom of Thailand. The Justice Department’s Office of International Affairs and Money Laundering and Asset Recovery Section provided crucial support to this operation. The Treasury Department’s OFAC also provided support to this operation. Additionally, the Department offers its thanks to Chainalysis, the Shadowserver Foundation, and Microsoft for the assistance provided by each during the investigation and the operation.

CREST recently visited the UN to take part in discussions throughout the day as part of the UN’s cyber focus group. The UN’s cyber focused open ended working group is working towards international agreement on key cyber capability development priorities.

CREST President, Rowland Johnson, and CEO, Nick Benson, attended the working group at the UN HQ in NY on 10 May 2024. Rowland presented on the benefits of consistent international standards for high quality cyber service providers and practitioners.

We were also honoured to be referenced by the UK’s representative who sited the valuable contribution of non-profits including CREST, Global Cyber Alliance, Shadowserver and FIRST.

In a recent conversation with Mastercard Newsroom, Rigo Van den Broeck (executive vice president of cybersecurity product innovation at Mastercard) shares what RiskRecon’s research reveals about the current risk landscape for cities and how to better protect critical systems and data.

For cities that scored lower, what are the easiest and most immediate steps they could be taking?

Developing strong cyber hygiene takes time, so it’s always important to evaluate ways to mitigate risks throughout your cybersecurity journey. There are resources that can help cities no matter their size. Cybersecurity agencies at various levels of government and computer emergency response teams have expansive missions that aid in securing the internet. Mastercard also proudly supports several organizations that provide no-cost cybersecurity services, including the CyberPeace Institute, the Global Cyber Alliance, and the Shadowserver Foundation.

Like it or not, you rely on the internet. So here’s a not-so-fun-fact: the functioning and security of the internet we all rely on, relies on non-profit organisations, many of which depend on uncertain funding streams and volunteer networks.

We’re talking here about organisations like the Shadowserver Foundation which scans the entire internet every day and reports vulnerabilities, free of charge, to network owners. Or Quad 9, which provides secure Domain Name Services (or an internet ‘address book’) for individuals and companies. Or MITRE, whose ATT&CK knowledge base is the go-to source for defence against cyber attackers.

We, the companies and individuals who get the benefit, just expect the internet to work. Yet the organisations on which we rely to make it work have very real costs, often in the millions of dollars per month. And all of these vital but little acknowledged organisations are funded through grants, donations and intermittent government-funded projects, and all of them suffer the extremes of perpetual funding uncertainty.

The good news is that this precarious model for sustaining a secure and functioning internet is recognised problem, and increasingly attracting attention and serious thought. At the forefront of this effort are the incredibly special people at the Global Cyber Alliance, who, rather than simply accepting that this frightening dependency is a hard-wired and permanent norm, are pioneering solutions to address this funding conundrum. This is the essence of the Common Good Cyber initiative

A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.

According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses on January 22, one week after GitLab issued the patch.

GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.

A critical vulnerability in 1,400+ exposed CrushFTP servers has sparked major security concerns. Identified as CVE-2024-4040, this flaw (previously exploited as a zero-day) allows unauthenticated attackers to remotely execute code or access files on vulnerable systems.  CrushFTP urgently recommends updates to prevent exploitation that could compromise system files.

Security analysts from Shadowserver have pinpointed 1,401 CrushFTP servers that remain unpatched and exposed online, with the highest numbers located in the United States (725), Germany (115), and Canada (108). Moreover, a total of 5,232 CrushFTP servers are visible on the internet, though it remains unclear how many are susceptible to this vulnerability.

Update your CrushFTP servers promptly to mitigate this critical vulnerability and protect your systems from potential cyber threats. Stay vigilant and ensure your defenses are up to date!

In terms of revenue, 2023 will go down as a record-breaking year for ransomware, with over a billion dollars in payments going to hackers. The FBI reports a record $12.5 billion lost to cyber crime more broadly over the course of that year.

Tech companies often are best positioned to detect cyber threats and anomalies. They routinely issue software patches to preempt illicit cyber activity, and some even resort to civil litigation to disarm it. Commercial actors are also credible voices in internet governance bodies like ICANN and other nongovernmental, multistakeholder groups. These traits make them natural, even indispensable, partners for Western LEAs.

Meanwhile, civil society groups (such as the Shadowserver Foundation, the Institute for Security and Technology, and the Global Cyber Alliance) provide convening power, capability development, and vulnerability monitoring that can help prioritize and drive public awareness to both inform and complement LEA takedowns.

A website used by more than 2,000 criminals to defraud victims worldwide has been infiltrated in the Met’s latest joint operation to tackle large-scale online fraud. ‘LabHost’ is a service which was set up in 2021 by a criminal cyber network. It enabled the creation of “phishing” websites designed to trick victims into revealing personal information such as email addresses, passwords, and bank details.

But LabHost has now been infiltrated and disrupted as the result of a worldwide operation led by the Met.

Work began in June 2022 after detectives received crucial intelligence about LabHost’s activity from the Cyber Defence Alliance. Once the scale of site and the linked fraud became clear the Met’s Cyber Crime Unit joined forces with the National Crime Agency, City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the country and other international police forces to take action.

Partners including Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro have also been at the centre of our efforts to bring down this platform.

Exploit code is now available for a maximum severity and actively exploited vulnerability in Palo Alto Networks’ PAN-OS firewall software.

Tracked as CVE-2024-3400, this security flaw can let unauthenticated threat actors execute arbitrary code as root via command injection in low-complexity attacks on vulnerable PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if the device telemetry and GlobalProtect (gateway or portal) feature are enabled.

While Palo Alto Networks has started releasing hotfixes on Monday to secure unpatched firewalls exposed to attacks, the vulnerability has been exploited in the wild as a zero-day since March 26th to backdoor firewalls using Upstyle malware, pivot to internal networks, and steal data by a threat group believed to be state-sponsored and tracked as UTA0218..

Security threat monitoring platform Shadowserver says it sees more than 156,000 PAN-OS firewall instances on the Internet daily; however, it doesn’t provide information on how many are vulnerable.