#NSBCS.054 - The Takedown of Cybercriminal Mastermind Wazawakka
This week, the digital crime world was rocked by the arrest of Mikhail Pavlovich Matveev, known online as Wazawakka, in Kaliningrad, Russia. Wazawakka, linked to several high-profile ransomware attacks with groups like Lockbit, Conti, and BABUK, was not your typical cybercriminal. His audacious approach, often revealing his identity and flaunting his criminal activities online, made his capture particularly notable. Various reports detailed his involvement in cyber-espionage and the development of malware, highlighting the significant impact his takedown could have on the cybercrime ecosystem.
The arrest of such a figurehead in the cybercrime community sends ripples through the digital underworld. It not only disrupts the immediate operations of the groups he was associated with but also instills a sense of vulnerability among other cybercriminals.
Benefits of Law Enforcement Actions:
Deterrence: High-profile arrests like Wazawakka’s can intimidate potential cybercriminals, showcasing the long arm of the law in digital spaces.
Disruption of Criminal Networks: Removing key players can lead to the temporary or permanent dismantling of cybercrime groups, affecting their ability to operate or recruit new members.
Victim Recovery and Support: Law enforcement's success in these cases can lead to the return of stolen data or funds, offering some restitution to victims and potentially reducing the financial incentive for such crimes.
International Collaboration: This arrest underscores the importance and effectiveness of international law enforcement cooperation, vital in an era where cybercrimes know no borders.
Boost in Public Awareness: Such events increase public consciousness about cyber threats, encouraging better cybersecurity measures and possibly reducing the pool of easy targets through education.
Intelligence Gathering: Arrests can yield crucial intelligence about cybercriminal operations, methodologies, and networks, aiding in future prevention and arrests.
As we reflect on the year's efforts, the takedown of Wazawakka adds to the list of significant law enforcement achievements in the cyber domain. Operations like the FBI's disruption of the Flax Typhoon botnet, Operation Endgame against malware infrastructures, and now Wazawakka's capture, illustrate a robust and relentless pursuit against cybercrime, demonstrating that the digital frontier is not beyond the reach of justice.
What we read this week
Malicious Ads in Search Results Are Driving New Generations of Scams - Malicious digital advertisements, known as "malvertising," have long been a staple in the digital scamming ecosystem, and their prevalence is increasing. These malicious ads often appear in search results through a tactic called "SEO poisoning," which boosts their placement, making them seem more legitimate. Recent data from Malwarebytes indicates a 42% month-over-month increase in malvertising instances in the United States during fall 2023, with a further 41% rise from July to September 2024. Notably, 90% of this fraudulent activity originates from South Asian countries like Pakistan and Vietnam. Malvertising is used to distribute various scams, including phishing, credit card fraud, and malware such as infostealers, and has been incorporated into sophisticated schemes like "pig butchering" investment scams and romance scams.
Cloudflare’s Developer Domains Increasingly Abused by Threat Actors - Threat actors are increasingly exploiting Cloudflare's 'pages.dev' and 'workers.dev' domains to host malicious content, including phishing pages that impersonate services like Microsoft Office 365. In phishing attacks, victims are directed to these malicious sites via links embedded in fake PDFs or phishing email content, which bypass security detection due to Cloudflare's trusted reputation. Cybersecurity firm Fortra has observed a 100% to 250% increase in such abuses compared to 2023. Attackers are leveraging these domains to enhance the credibility of their campaigns, benefiting from Cloudflare's service reliability, low costs and reverse proxy features, which aid in evading detection. This trend underscores the need for heightened vigilance and robust security measures to counter the misuse of legitimate services for malicious purposes.
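Added example, not code from the article or from Fortra or Cloudflare: a small Python checker that pulls URLs out of email or PDF text and flags any link hosted on the pages.dev and workers.dev zones named above, while rejecting lookalike hosts such as pages.dev.example.net; the sample email body is constructed.

```python
import re
from urllib.parse import urlsplit

# Cloudflare developer hosting zones named in the article.
# A host is flagged only if it IS one of these or is a real subdomain of one.
CLOUDFLARE_DEV_DOMAINS = ("pages.dev", "workers.dev")

# Loose URL matcher: scheme plus a run of non-whitespace, non-delimiter characters.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

def host_of(url: str) -> str:
    """Lowercase hostname of a URL ('' if unparsable); port and userinfo are ignored."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return ""
    return (host or "").lower().rstrip(".")

def is_cloudflare_dev_host(host: str) -> bool:
    """Exact match or subdomain of a listed zone.

    The leading dot in the suffix check stops lookalikes such as
    'workers.dev.example.com' or 'notpages.dev' from being flagged."""
    return any(host == zone or host.endswith("." + zone) for zone in CLOUDFLARE_DEV_DOMAINS)

def extract_urls(text: str) -> list[str]:
    """URLs found in free text, with trailing sentence punctuation stripped."""
    return [m.group(0).rstrip(".,;:!?") for m in URL_RE.finditer(text)]

def flag_cloudflare_dev_links(text: str) -> list[tuple[str, str]]:
    """(url, host) pairs for every link that lands on a Cloudflare developer zone."""
    hits = []
    for url in extract_urls(text):
        host = host_of(url)
        if is_cloudflare_dev_host(host):
            hits.append((url, host))
    return hits

# Constructed sample email body (not taken from any real campaign).
SAMPLE_EMAIL = """\
Your Office 365 mailbox is over quota. Review it here:
https://o365-quota-review.pages.dev/login?acct=user
Invoice copy: https://docs.example.com/invoice.pdf.
Support portal: HTTPS://Help.Workers.Dev:8443/ticket/123
Lookalike that must not match: https://pages.dev.example.net/verify
"""

if __name__ == "__main__":
    for url, host in flag_cloudflare_dev_links(SAMPLE_EMAIL):
        print(f"FLAG {host:32} {url}")
```

Run against a mail gateway's extracted body text, the flagged hosts are candidates for a closer look rather than an automatic block, since legitimate projects also deploy to these zones.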
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console - Veeam has issued security patches to resolve a critical vulnerability in its Service Provider Console (VSPC) that could allow remote code execution (RCE) on affected systems. The flaw, identified as CVE-2024-42448, has a CVSS score of 9.9 and was discovered during internal testing. According to Veeam, the issue permits RCE on the VSPC server from a management agent that is authorised on that server. Another patched vulnerability, CVE-2024-42449 (CVSS score: 7.1), could enable attackers to extract NTLM hashes from the VSPC server service account and delete files on the server. Veeam has emphasised that there are no workarounds or mitigations, making an upgrade to the latest version essential for protection, particularly as Veeam products are often targeted in ransomware attacks.
New Rockstar 2FA Phishing Service Targets Microsoft 365 Accounts - A new phishing-as-a-service (PhaaS) platform called 'Rockstar 2FA' has been identified, enabling large-scale adversary-in-the-middle (AiTM) attacks to steal Microsoft 365 credentials. This service allows attackers to bypass multifactor authentication (MFA) by intercepting valid session cookies during the authentication process. Promoted on platforms like Telegram, Rockstar 2FA offers features such as randomised source code, Cloudflare Turnstile Captcha integration, and multiple login page themes to enhance the effectiveness of phishing campaigns. Since May 2024, over 5,000 phishing domains associated with this service have been established, distributing emails that often utilise legitimate services to host malicious links, thereby exploiting the trust in these platforms. This development underscores the evolving sophistication of phishing attacks and the challenges they pose to current security measures.
Hackers Stole $1.49 Billion in Cryptocurrency to Date in 2024 - In 2024, cryptocurrency losses have totaled nearly $1.49 billion, primarily due to hacking incidents, according to a report by web3 bug bounty platform Immunefi. These losses are lower compared to the $1.75 billion reported during the same period last year, with significant losses of $359 million in May and $282 million in July. All 26 incidents in November this year targeted decentralised finance (DeFi) platforms, with no centralised finance (CeFi) services affected. The BNB Chain was hit hardest, experiencing 14 attacks and accounting for 46.7% of losses, while Ethereum faced 9 incidents, representing 30%. Other blockchains like Solana, Polygon, and Avalanche each recorded one incident, contributing to 3.3% of losses per chain.
References
https://www.wired.com/story/malicious-ads-in-search-results-are-driving-new-generations-of-scams/
https://www.bleepingcomputer.com/news/security/cloudflares-developer-domains-increasingly-abused-by-threat-actors/
https://thehackernews.com/2024/12/veeam-issues-patch-for-critical-rce.html
https://www.bleepingcomputer.com/news/security/new-rockstar-2fa-phishing-service-targets-microsoft-365-accounts/
https://www.securityweek.com/hackers-stole-1-49-billion-in-cryptocurrency-to-date-in-2024/