
Redline And Meta Infostealers Targeted in Operation Magnus


The Dutch National Police claimed on Monday that they had secured "full access" to all servers employed by the Redline and Meta infostealers, two of the most common cybercrime tools on the internet.

Infostealer malware is a major cybersecurity issue that is frequently sold as a malware-as-a-service tool. It infects users' devices and harvests information such as credit card numbers and autofill password data. 

Cybercriminals who use the infostealer then bundle the information into logs, which are sold on credential marketplaces to fraudsters and other criminals looking to breach any organisations whose login information has been compromised.

On Monday, the Dutch National Police, in collaboration with the FBI and partner agencies in the United States, Australia, and the United Kingdom, announced the disruption of these two infostealers on a website for "Operation Magnus," which includes a timer promising "more news" and counting down to noon on Tuesday, Dutch local time.

A video on the site that mimics the criminals' own marketing claims that the police have supplied a "final update" for both the Redline and Meta infostealer strains, adding that the multinational operation "gained full access to all Redline and Meta servers." The video shows the depth of this access, including many administrator panels, the malware source code, and what appears to be a large number of usernames for people who use the malware-as-a-service tool. 

“Involved parties will be notified, and legal actions are underway,” reads the site, while the video adds, alongside a graphic of cuffed hands: “Thank you for installing this update. We’re looking forward to seeing you soon.” 

Cybercriminals find ways

In conjunction with the disruption operations, the US Justice Department unsealed charges against Maxim Rudometov, one of RedLine's developers and administrators.

According to the Attorney's Office for the Western District of Texas, Rudometov may face a maximum sentence of 35 years if convicted of access device fraud, conspiracy to commit computer intrusion, and money laundering. This follows a series of operations by law enforcement agencies aimed at disrupting the activities of high-profile cybercrime groups around the world.

In December 2023, US officials seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives in recent years, in what was regarded as a severe blow to the outfit.

Maastricht University Retrieves Ransom Amount Paid in 2019


Earlier this month, Maastricht University (UM), in the south of the Netherlands, with more than 22,000 students, revealed that it had retrieved the ransom paid after a ransomware attack that targeted its network in December 2019.

After a detailed investigation of the incident, Fox-IT researchers attributed the attack to a financially motivated hacker gang tracked as TA505 (or SectorJ04). The hacking group has been active since at least 2014 and has primarily targeted retail and financial organizations. 

The hackers breached the university's systems through phishing e-mails in mid-October and installed Clop ransomware payloads on 267 Windows systems on December 23, after moving laterally via the network. 

After a week, the university decided to accede to the criminal gang's demand and paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor. It did so partly because private data was in danger of being lost and students were unable to take an exam or work on their theses, and partly because rebuilding all compromised systems from scratch or creating a decryptor were not viable options.

"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," the university explained in a blog post. "We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff."

However, as UM recently revealed, the local police traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019.

"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said. "The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."

Although this might appear as if the university made a considerable profit within a relatively short time, the €500,000 seized by the Netherlands' Public Prosecution Service is significantly less than the damage inflicted during the ransomware attack. The seized funds are now in a bank account under the control of law enforcement, and the Ministry of Justice has already initiated legal proceedings to transfer them to the university.

Dutch Police Arrest 2 Men for Stealing And Selling COVID-19 Patients' Data


On Friday, 22 January, the Dutch police and the Public Prosecution Service received warnings from the GGD that personal details from GGD applications were being offered for sale on Telegram. The Central Netherlands Police Cyber Crime Unit soon launched an investigation, which led the team to two GGD call center workers. Both were tracked down by the police and were in Amsterdam on Saturday night, where they were detained and taken into custody: a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men's homes were searched and their computers were confiscated. “Stealing and selling or reselling personal data is a serious crime," the Dutch police stated.

The two are among a wider number of individuals believed to have had access to sensitive information and to have sold it to third parties, and further arrests have not been ruled out, police said in a statement. The selling of personal information from health board networks had been investigated by broadcaster RTL, which disclosed its findings to the association of GGD health boards earlier this month. RTL states that what is on offer goes well beyond names, addresses, mobile numbers and confidential BSN (citizen service) numbers.

The arrests followed an investigation by RTL, which uncovered online advertisements for Dutch citizens' data, marketed on instant messaging apps such as Telegram, Snapchat, and Wickr. The advertisements consisted of images of computer screens showing the details of one or more Dutch people. The broadcaster said it had identified screengrabs of two IT systems used by the Dutch Municipal Health Service (GGD): CoronIT, which holds the details of Dutch people taking COVID-19 tests, and HPzone Light, one of the GGD's contact-tracing systems.

“Some accounts are offering to look for information about a specific person,” RTL said. “That costs between €30 and €50 and will get you someone’s name, email address, phone number, and BSN number.” Other accounts offer wider data sets containing thousands of names, or selections by shared characteristics, such as people living in Amsterdam or people over 50.

According to the broadcaster, the two suspects worked in GGD contact centers, where they had access to the official Dutch government COVID-19 networks and databases. The identities of the two defendants, who were expected to appear in court on 26 January, have not been released, in line with Dutch law.

"Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure stated in an interview.