Also, ecommerce fraud ring disrupted, another Operation Power Off victory, Sino SOHO botnet spotted, and more
in brief The US Department of Justice has charged six people with two separate schemes to defraud Uncle Sam out of millions of dollars connected to IT product and services contracts.
The two cases, involving three individuals each, were the first time the DoJ issued charges connected to an ongoing investigation involving IT manufacturers, distributors and resellers and their deals with the federal government. The Department of Defense is among the agencies ripped off by the two groups of fraudsters, the DoJ noted, as were unspecified parts of the intelligence community.
"This office and our partners will use all available resources to hold accountable those who would undermine and distort the government's procurement of goods and services, especially those related to our cybersecurity infrastructure," said US Attorney Erek Barron for the District of Maryland.
The first group, led by Maryland resident Victor Marquez, allegedly conspired to rig bids by using insider information "to craft bids at artificially determined, non-competitive and non-independent prices, ensuring Marquez's company would win the procurement," the DoJ said.
Marquez was charged [PDF] in a four-count indictment with wire fraud conspiracy, wire fraud and major fraud, for which he's facing up to 70 years in prison, with his co-conspirators charged with similar offenses.
In the other group, Breal L. Madison Jr. was hit with a 13-count indictment [PDF], and his co-conspirators with lesser charges, "for orchestrating a years-long scheme to defraud his employer and the United States out of over $7 million in connection with the sale of IT products to various government agencies."
Madison reportedly used the stolen funds to purchase luxury items, including a yacht and Lamborghini Huracan, which the government plans to seize if he's convicted. Facing charges of conspiracy, bribery, mail fraud and money laundering, Madison faces up to 185 years in prison if convicted.
"There is no place for fraudsters and crooks scheming to manipulate the government bidding process for personal gain," said FBI special agent in charge of the investigation, William DelBagno.
Human Security's Satori threat research team has disrupted an ecommerce fraud ring they say has been in operation for five years, infecting more than a thousand websites and raking in tens of millions of dollars from hundreds of thousands of victims in the process.
Dubbed "Phish 'n' Ships" by the researchers, the operation reportedly used known vulnerabilities to infect legitimate websites to create fake product listings and metadata used to stuff too-good-to-be-true deals at the top of search result pages.
Victims who buy products are presented with a legitimate payment processor page, so the transaction is technically real - but there's no product, and nothing ever shows up.
Satori said it managed to get the fake listings it discovered pulled from Google SERPs, and victimized payment processors have banned Phish 'n' Ships operators from their platforms, but it's probably not safe yet.
"It's unlikely the threat actors will pull the plug on their work without trying to find a new way to perpetuate their fraud," Satori said.
Rule of thumb: If a deal seems too good to be true, it probably isn't.
Threat actors linked to Iran's Islamic Revolutionary Guard Corps (IRGC) have reportedly adopted some new techniques, including the use of AI, in some of their most recent operations, US cybersecurity officials warned [PDF] this week.
The group, known colloquially as Cotton Sandstorm, has reportedly been spotted masquerading as a legitimate Iranian business called Aria Sepehr Ayandehsazan (ASA) for HR and financial purposes, as well as to set up its own hosting resale service for it and other threat actors' activities.
"These cover hosting providers were set up by ASA to centralize and manage provisioning of operational infrastructure, while providing plausible deniability that malicious infrastructure was being assigned by a legitimate hosting provider," the FBI said.
ASA has also been used to enumerate and spy on IP cameras in Israel in the leadup to the October 7, 2023 attack by Hamas, and has ramped up its use of AI in its messaging.
The usual mitigation measures apply, the FBI, CISA and Israel National Cyber Directorate said in a joint advisory, so get patching to avoid having your infrastructure hit by this storm.
An international law enforcement operation aimed at disrupting DDoS-as-a-service sites has nabbed another bad actor, this time in Germany, where a pair of unnamed suspects, aged 19 and 28, were apprehended on charges of operating not only an online marketplace for "designer drugs and liquids made of synthetic cannabinoids," but also a website dedicated to showcasing DDoS for hire services.
The Bundeskriminalamt, Germany's equivalent to the American FBI, said Friday it arrested the pair for operating "Flight RCS" and "Dstat.cc," the former the drug market and the latter the DDoS site.
Dstat didn't actually offer any DDoSaaS, but rather it was a platform for criminals to show off the effectiveness of their particular service and for other miscreants to review their experiences using the platforms.
Operation Power Off is an international law enforcement operation dedicated to disrupting DDoSaaS websites and operators. Earlier this year, the operation also disrupted what the UK's National Crime Agency said was the world's most prolific DDoSaaS operator. The operation has run for several years and has disrupted dozens of DDoSaaS outfits since 2018.
Microsoft said this week that it detected a Chinese threat actor making use of a network of botted SOHO routers to spray passwords and gain initial access to enterprise networks.
To make matters worse, Microsoft said it's still not sure what vulnerability the threat actor, tracked as Storm-0940, is abusing to gain access to the routers, and once a router is compromised the threat actor takes steps to avoid getting caught, too.
The network, dubbed Quad7, uses a set of rotating IPs to launch attacks and only hits a particular target with a fake login attempt once per day, ensuring its attempts aren't noticed.
"Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others," Microsoft said - and it's not the only group believed to be using the Quad7 botnet, either.
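The detection problem with a botnet that rotates source IPs and tries each account only once a day is that the usual per-account rule (N failures for one user in an hour) never fires. The added example below, which is not from Microsoft's write-up or from any real SIEM, shows the difference on a constructed authentication log: a classic per-account threshold finds nothing, while an aggregate rule that counts distinct accounts and distinct source IPs failing within one window flags the spray. Log format, names, IPs and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Format: "timestamp user src_ip result".
# Each account sees exactly one failed login per day, each from a different address,
# which is the low-and-slow pattern described for the Quad7 password sprays.
SAMPLE_LOG = """\
2024-11-01T02:14:07Z alice 203.0.113.10 FAIL
2024-11-01T02:15:22Z bob 198.51.100.7 FAIL
2024-11-01T02:16:41Z carol 192.0.2.44 FAIL
2024-11-01T02:18:03Z dave 203.0.113.77 FAIL
2024-11-01T02:19:30Z erin 198.51.100.91 FAIL
2024-11-01T02:21:12Z frank 192.0.2.130 FAIL
2024-11-01T09:02:00Z alice 10.0.0.5 OK
2024-11-02T02:13:55Z alice 203.0.113.201 FAIL
2024-11-02T02:15:10Z bob 198.51.100.150 FAIL
2024-11-02T02:16:47Z carol 192.0.2.9 FAIL
2024-11-02T02:18:21Z dave 203.0.113.33 FAIL
2024-11-02T02:20:02Z erin 198.51.100.18 FAIL
2024-11-02T02:21:39Z frank 192.0.2.201 FAIL
2024-11-02T08:45:13Z bob 10.0.0.6 FAIL
2024-11-02T08:45:40Z bob 10.0.0.6 OK
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def per_account_lockout_alerts(events, threshold=5, window=timedelta(hours=1)):
    """Classic rule: alert when one user has `threshold` failures inside `window`.
    Returns the list of users that would be flagged."""
    fails = defaultdict(list)
    for ts, user, _ip, result in events:
        if result == "FAIL":
            fails[user].append(ts)
    flagged = []
    for user, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.append(user)
                break
    return flagged


def spray_alerts(events, window=timedelta(hours=1), min_users=5, min_ips=4, max_per_user=1):
    """Aggregate rule: alert when, inside `window`, at least `min_users` distinct accounts
    each fail at most `max_per_user` times, coming from at least `min_ips` distinct IPs.
    That is the shape of a low-and-slow spray from a rotating-IP botnet."""
    fails = sorted((ts, user, ip) for ts, user, ip, r in events if r == "FAIL")
    alerts = []
    i = 0
    while i < len(fails):
        # Collect everything inside the window that starts at fails[i].
        j = i
        per_user = defaultdict(int)
        ips = set()
        while j < len(fails) and fails[j][0] - fails[i][0] <= window:
            per_user[fails[j][1]] += 1
            ips.add(fails[j][2])
            j += 1
        low_and_slow = all(n <= max_per_user for n in per_user.values())
        if len(per_user) >= min_users and len(ips) >= min_ips and low_and_slow:
            alerts.append({
                "window_start": fails[i][0].isoformat(),
                "users": sorted(per_user),
                "source_ips": len(ips),
            })
            i = j  # one alert per window; continue after it
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account rule flags:", per_account_lockout_alerts(evs))  # expected: []
    for a in spray_alerts(evs):
        print("possible password spray:", a)
```

On the constructed log the per-account rule returns nothing, because no account ever reaches five failures, while the aggregate rule produces one alert per day's spray window. The thresholds are starting points: tune `min_users`, `min_ips` and the window to your own baseline of normal failed logins, and correlate the flagged source IPs with what else they touch, since the text notes that more than one group uses the same botnet.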
In short, this is a dangerous one, so be sure you're practicing good password hygiene and using MFA. ®