At this year’s Sleuthcon, cybersecurity professionals and law enforcement officials provided insights into various malicious actors driving the ongoing surge in cybercrime and offered glimpses into solutions that can thwart the rising tide of attackers.
Based on the range of talks at the event, it’s clear that cybercriminals continue to thrive and diversify, deploying a wide range of new malware and toolsets in their malicious endeavors. Even so, two themes emerged from the event.
The first is that, unlike advanced persistent threat actors, which are usually associated with the state-sponsored military and intelligence operations of major adversarial nations, cybercriminals can operate from any locale, including countries not usually associated with cybercrime. The second is that law enforcement is becoming increasingly creative in shaming and disrupting financially motivated threat actors, particularly ransomware groups.
Morocco as an emerging cybercrime originator
Although cybercrime operations are a global phenomenon, most financially motivated cybercriminals operate from a well-understood list of countries, including China, Russia, Ukraine, the US, Romania, and Nigeria. But at this year’s Sleuthcon, a new nation emerged that threatens to break into the ranks of top cybercrime havens: Morocco.
Microsoft researchers recently uncovered a quiet but productive group that Microsoft tracks as Storm-0539, also known as Atlas Lion, operating out of Morocco. The group engages in payment and gift card fraud. But instead of relying on malware or malicious tooling, as found in conventional point-of-sale card fraud, Storm-0539 represents an evolution in cybercrime: it compromises cloud identities at retailers and uses that access to issue gift cards to itself, often in hefty amounts.
Using employee directories and schedules, contact lists, and email inboxes, Storm-0539 targets retail employees via smishing or phishing to gain access to the gift card business process, print their own gift cards and then redeem the cards, sell them on black market websites or use mules to cash out the cards.
“They work very hard to gain that access, and we’ve seen them get kicked out of an organization three, four times, but each time, they take a little bit of this information, and they continue to keep driving until they reach that end goal,” said Waymon Ho, senior security research manager on the GHOST team at Microsoft.
Creating custom domains that spoof legitimate ones to phish employees
To support these efforts, Storm-0539 creates custom domains to phish employees connected to gift card generation. “The threat actor will create domains that resemble legitimate platforms or the actual normal websites of the targeted organizations, and they’ll post a phishing kit on there,” said Emiel Haeghebaert, Senior Hunt Analyst with Microsoft Threat Intelligence.
Storm-0539 also socially engineers cloud providers into giving it accounts under those false domains, which are typically made to look like charities or other socially worthy organizations. “They, in some cases, have tried to essentially present themselves as nonprofit organizations to us because there are sponsorship programs with various cloud providers where if you’re a nonprofit, we’ll give you certain resources for free to support the sector,” Haeghebaert told CSO.
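The lookalike domains Haeghebaert describes are the point at which a defender can still get ahead of the phishing wave: a retailer that registers its own domain names with a brand-monitoring feed, or simply reviews newly observed domains in its proxy and mail logs, can flag the variants before a kit goes live. The following is an added example, not code from Microsoft, CSO or the researchers quoted, of the kind of lookalike check a practitioner would run. The brand domain `example-retail.com`, the candidate domains and the homoglyph table are all constructed for illustration, and the code assumes the registrable name is the label directly before the last one (no public-suffix list), which is an approximation for TLDs such as `.co.uk`.

```python
"""Flag newly observed domains that resemble a protected brand domain.

Constructed example: brand and candidate domains are made up. Three checks
are applied, matching the three tricks behind most lookalike domains:
homoglyph spellings, small typos (edit distance) and the brand name
embedded in a longer hostname or under another TLD.
"""
import unicodedata

# Characters attackers commonly substitute for ASCII letters.
# Assumption: this table is illustrative, not exhaustive.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "rn": "m", "vv": "w",
}


def normalize(label: str) -> str:
    """Lower-case, strip accents, fold homoglyphs and drop hyphens."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.replace("-", "")
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str, brands: list[str], max_dist: int = 2) -> list[str]:
    """Return the reasons `domain` looks like one of `brands`; [] if it doesn't."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")
    # Assumption: registrable name is the second-to-last label (no PSL lookup).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    reasons = []
    for brand in brands:
        brand = brand.lower()
        if host == brand or host.endswith("." + brand):
            continue  # the genuine domain or one of its own subdomains
        b = normalize(brand.split(".")[0])
        s = normalize(sld)
        if s == b:
            reasons.append(f"{brand}: same name under another TLD or a homoglyph spelling")
        elif levenshtein(s, b) <= max_dist:
            reasons.append(f"{brand}: edit distance {levenshtein(s, b)} from brand name")
        elif b in normalize(host.replace(".", "")):
            reasons.append(f"{brand}: brand name embedded in hostname")
    return reasons


def scan(domains: list[str], brands: list[str]) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; clean domains are omitted."""
    return {d: r for d in domains if (r := lookalike_reasons(d, brands))}


# Constructed sample input: a brand to protect and some newly observed names.
BRANDS = ["example-retail.com"]
SAMPLE_DOMAINS = [
    "example-retail.com",               # genuine
    "sso.example-retail.com",           # genuine subdomain
    "exarnple-retail.com",              # rn -> m homoglyph
    "examp1e-retail.net",               # digit homoglyph plus other TLD
    "examplle-retail.com",              # one-character typo
    "example-retail-giftcards.net",     # brand embedded in a longer name
    "example-retail.com.evil-host.net", # brand as a subdomain of an attacker host
    "unrelated-shop.com",               # clean
]

if __name__ == "__main__":
    for domain, reasons in scan(SAMPLE_DOMAINS, BRANDS).items():
        print(domain, "->", "; ".join(reasons))
```

In practice the candidate list comes from a certificate-transparency or newly-registered-domain feed, and a hit should drive a takedown request and a mail-gateway block rather than only a log line; the thresholds here are deliberately loose, so tune `max_dist` against your own brand length to keep false positives manageable.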
With the group stealing as much as $100,000 in gift card value in a single day, Storm-0539’s scheme has raked in substantial revenue, although Haeghebaert couldn’t put a figure on the total. “We don’t have a total dollar amount,” he told CSO. “We don’t know per retailer how much they took over what period of time. What we do know is that we’ve seen examples or instances of the groups stealing up to a hundred thousand dollars in a day.”
Alex Delamotte, senior threat researcher at SentinelOne, told attendees that another threat actor with likely operations in Morocco is Mr0x01, a hacker who serves as the admin of OB Hacking. This group is related to Gray Hat Hackers and other Telegram hacking groups. Mr0x01 might also be responsible for creating the Predator AI cloud infostealer.
Why Morocco has emerged as an origin for cybercrime
In a HackerOne bug bounty submission, Mr0x01 listed his location as Meknes, Morocco, and his social media posts are consistently in Arabic, she said. “There’s a Python class within Predator that does translation, and you’ll see that the first listed language is Darija, which is for Moroccan Arabic choice. I think it’s pretty reasonable to assume that we at least have somebody in Morocco here.”
As for why Morocco might be becoming a cybercrime location, Delamotte has few answers. “It certainly has a very low cost of living,” she said. “So, I think they’re incentivized by that money-making opportunity. But there is also an influx of Western money going there because places like Casablanca and Marrakesh are beautiful cities. I think there may be more of an influx of information and technology infrastructure to host people visiting.”
Haeghebaert thinks Morocco is an unusual origin for cybercrime, underscoring how digital theft and scams can be launched from anywhere in the world. “We’re not usually talking about North Africa when it comes to cybercrime,” he told CSO. “So, this is a novel thing and just shows that cyber criminals can be anywhere because it’s becoming easier and easier to be part of that ecosystem.”
Demoralizing and disrupting cybercriminals
With no end to ransomware attacks and other forms of cybercrime in sight, law enforcement organizations are stepping up their efforts and ingenuity to slow down threat group activity. One of the most recent innovations by authorities was the takedown of prolific ransomware group LockBit, led by the UK’s National Crime Agency (NCA).
During that event, the NCA took over LockBit’s leak site and replaced it with a “wall of shame” that featured embarrassing revelations, including the handles of the group’s affiliates, a series of articles exposing LockBit’s capability and operations, and a teaser about the true identity of the group’s admin, who goes by the name LockBitSupp.
“We’ve had to change what we’re delivering,” William Lyne, Head of Cyber Intelligence at NCA, told the Sleuthcon attendees. “We’ve also had to change how the structure looks.”
Gavin Webb, detective superintendent at NCA, said Operation Cronos was intended to discredit the group’s brand in a “counter-marketing campaign” posted on LockBit’s slick one-stop shop. “When an affiliate is picked up, arrested, de-anonymized, sanctioned, whatever it is, you can thank LockBit’s infrastructure for us being able to find you. That doesn’t just damage LockBit’s credibility, it reduces their ability to create a resurgence.”
“I remember talking in the office some months ago. We were saying we’ve got to get control of this environment, so what can we do differently? Why, why don’t we start publishing information about them, as opposed to them using it?”
Government agencies worked to damage LockBit’s credibility
The goal was to demoralize LockBit and its affiliates. “The credibility of the platform is damaged because of our presence,” Webb said. “This was us trying to devalue the group.”
Bryan Vorndran, assistant director of the FBI’s Cyber Division, highlighted how his agency tries to think differently about cybercrime while still implementing its time-tested crime disruption methods. “We will always conduct traditional rule of law through investigative activity,” he said.
“That’s what is in our DNA for 115 years. Every operational outcome that we’ve been able to generate, whether that’s search and seizure of a juvenile actor, extradition from a foreign country, search and seizure of cryptocurrency, is generated from good, rigorous investigating work.”
However, with cybercriminals, disruption has become the FBI’s modus operandi. “We’re really, really trying to do more and more disruptive operations at scale. We know that when we disrupt, specifically ransomware actors and ransomware infrastructure, there is going to be a finite time period when they are off the grid. That is what we are trying to do to maximize their downtime.”
“We know that with safe banking status for threat actors, we’re never going to be able to keep them away permanently, but any degradation of their infrastructure means that fewer people will be targeted here during the time that they are down. And that’s extremely important to us.”