Week 42: Anonymous Sudan's Times Up, Quantum Risks for Banks, 200 Scammers Arrested, $50 Million Crypto Stolen, UK Cyber Incident Reporting, New York AI Guidance...
Stay informed with our weekly updates, covering the latest in emerging threats and risks, operational & cybersecurity threats, global regulatory changes, critical vulnerabilities & more.
🔥 Key Highlight
Anonymous Sudan, a hacker group known for DDoS attacks, emerged in January 2023. While claiming to champion pro-Islam and anti-Zionist causes, the group's activities and connections suggest a pro-Russian agenda.
Cybersecurity experts suspect a Russian origin for Anonymous Sudan, with possible backing from the Russian government. This suspicion is based on several factors, including:
● The group's first appearance as a Russian-language Telegram channel.
● The nature and timing of their attacks, which often coincide with events where Russia has strategic interests.
● Their collaboration with other pro-Russian hacker groups like Killnet.
Despite claiming to target organizations engaged in "anti-Muslim activities", Anonymous Sudan has attacked entities critical of Russia or those supporting causes that oppose Russian interests. For instance, they launched attacks on:
● Scandinavian Airlines and UK universities - These countries have been critical of Russia.
● The Kenyan government - Kenya supported a faction opposing Russia's ally in the 2023 War in Sudan.
In addition to these politically motivated attacks, Anonymous Sudan offered DDoS-for-hire services, further muddying the waters of their claimed ideology.
Takedown and Arrests
In March 2024, a coordinated effort between the US Department of Justice, the FBI, and private sector organizations like Akamai, AWS, and CrowdStrike disrupted Anonymous Sudan’s primary attack tool, the Distributed Cloud Attack Tool (DCAT). The operation resulted in the indictment of two Sudanese brothers believed to be key figures in Anonymous Sudan.
These individuals, arrested in March 2024, had distinct roles within the group:
● One brother was responsible for developing and maintaining the DCAT and its infrastructure.
● The other brother handled the execution of attacks and managed the group's social media presence.
They were charged with conspiracy to damage protected computers, with the brother who executed attacks facing additional charges. If convicted, they face potentially lengthy prison sentences.
📢 Threat Intel & Info Sharing
Banks Urged to Act Now to Avoid Future Quantum Catastrophe - Regulators warn the financial industry to start planning against quantum computing risks. A G7 report highlights threats from advanced quantum computers that can break current encryption, urging banks to adopt quantum-resilient technologies promptly as new standards emerge.
Microsoft Uses Fake Azure Tenants to Trap Phishers - Microsoft is combating phishing by creating realistic honeypot Azure tenants that lure attackers into fake environments. These decoys gather intelligence on phishing methods, infrastructure, and threat actors. The approach, revealed by Ross Bevington at BSides Exeter, helps disrupt campaigns and slow attackers.
Russian DDoS Attacks on Japan Intensify Amid Military Tensions - Russian-linked hackers launched DDoS attacks on Japanese websites, including major political and business entities, in response to upcoming U.S.-Japan military exercises. The attacks, for which the group claimed responsibility under the alias "NoName057(16)," disrupted services for hours. Cybersecurity experts report ongoing threats amid rising geopolitical tensions.
U.S. Charges Members of Anonymous Sudan, Disrupts DDoS Attack Service - The U.S. Justice Department has charged two individuals connected to the hacker group Anonymous Sudan, known for launching DDoS attacks on critical infrastructure and businesses worldwide. The indictment details their roles in developing and executing these disruptive cyberattacks.
💻 Malware and Vulnerabilities
North Korean Group Exploits Windows Zero-Day to Spread RokRAT Malware - The North Korean hacking group ScarCruft exploited a Windows zero-day vulnerability (CVE-2024-38178) to spread the RokRAT malware via malicious ads. The attack, involving memory corruption in the Scripting Engine, targeted PCs using Internet Explorer in Edge Mode. Victims were infected after interacting with compromised toast notifications, enabling remote access to steal data. The malware uses legitimate cloud services like Dropbox and Google Cloud for command-and-control, blending into regular traffic. The flaw has been patched, but users are urged to update their systems to stay secure.
📰 Breaches, Incidents and Fines
Cisco Takes DevHub Portal Offline After Data Leak - Cisco temporarily took its DevHub portal offline after a hacker, IntelBroker, leaked non-public data. While Cisco denies a breach of its core systems, the attacker claims access via an exposed API token. The stolen data includes source code and technical files. Investigations are ongoing.
Nidec Hit by Ransomware Attack, Data Leaked on Dark Web - Nidec Corporation confirmed that hackers leaked stolen data from a ransomware attack after their extortion demands were unmet. The breach, affecting Nidec's Precision division, exposed over 50,000 files. Though no financial damage is expected, employees and partners face heightened phishing risks.
WhatsApp May Leak OS Information, Increasing Malware Risk - Security researchers at Zengo found that WhatsApp may expose a user's operating system and device setup through its multi-device functionality. Different OS implementations generate distinct message IDs, potentially allowing attackers to identify and target vulnerable devices. While Meta has acknowledged the flaw, no fix has been announced. This could enable cybercriminals to tailor malware attacks based on the user's device. Zengo's researchers are concerned about the lack of response from Meta since their initial report on September 17.
New ConfusedPilot Attack Method Targets RAG-based AI Systems with Data Poisoning Vulnerabilities - Researchers at the University of Texas at Austin's SPARK Lab have uncovered a new attack method called ConfusedPilot that targets AI systems using Retrieval-Augmented Generation (RAG), such as Microsoft 365 Copilot. The attack works by poisoning the data environment, allowing attackers to manipulate AI-generated responses by inserting malicious content into documents the AI references. This can result in misinformation and flawed decision-making across organizations. Key points of the ConfusedPilot attack:
● Attackers introduce malicious content into documents used by the AI.
● The AI retrieves and uses this poisoned data to generate false responses.
● The attack persists even after the malicious content is removed.
● It can bypass current AI security measures, posing a significant threat to organizations using RAG-based systems.
$50 Million Cryptocurrency Heist Hits Radiant Capital Amid Developer Account Compromises - Radiant Capital, a decentralized finance platform, reported the theft of over $50 million in cryptocurrency due to a sophisticated cyber attack. Hackers compromised three trusted developer accounts, allowing them to drain user funds. U.S. law enforcement and blockchain security firms are investigating the breach, while the platform remains paused following the incident.
⚖️ Governments, Policy, Regulation
Sri Lankan Police Arrest Over 200 Chinese Scammers - Sri Lankan authorities have arrested over 200 Chinese nationals for overstaying visas and engaging in financial scams targeting victims across Asia. Raids revealed sophisticated cybercrime operations linked to organized crime syndicates that stole an estimated $64 billion in 2023. The Chinese embassy expressed support for local law enforcement efforts against these scams.
NY Regulator Issues AI Cybersecurity Guidance for Financial Institutions - New York's financial regulator has released guidelines on mitigating AI-related cybersecurity risks, including data theft and AI-enhanced attacks. Key recommendations include layered defenses, third-party vendor management, and strong data practices.
Ex-NCSC Chief Supports UK Cyber Incident Reporting Bill - Ciaran Martin, former UK National Cyber Security Centre chief, called the proposed Cyber Security and Resilience Bill a positive step. It mandates reporting cyber incidents within 72 hours and imposes fines. Success depends on effective victim support and collaboration between government and businesses.
📑 Trends, Reports, Analysis
Worldwide Ransomware Attacks as of June 2024 - Global ransomware attacks saw a slight uptick in the first half of 2024 compared to the same period in 2023, totaling 2,321 attacks. Although this figure is about half the total number for the entire year 2023, the CTIIC report reveals a concerning trend, particularly in the Healthcare and Emergency Services sector, which experienced a notable surge in attacks. This increase can be attributed to outdated IT systems, weak passwords, and employees falling prey to phishing attacks. LockBit dominated the ransomware landscape, accounting for 22% of global attacks and 16% in the US, followed by RansomHub globally and Play in the US. The report's findings are based on open-source research, cybersecurity firm data, and a machine-learning model used to analyze and categorize attacks.