
The DOT Report: FBI Seizes BreachForums, Grandoreiro Banking Trojan Reappears

May 30, 2024


The DOT Report recaps some of the largest cybersecurity news headlines each month as a way to discuss the practicality of cybersecurity, the current trends we’re seeing in the space, and how various network defenses function in a live incident. This not only reveals valuable insights into the reality of the industry but can also act as a case study on defense measures and mechanisms.

This month, The DOT Report dives into the second FBI seizure of BreachForums in under a year, discusses the return of the Grandoreiro trojan malware, looks into a long-standing attack on Linux servers, and reviews the device security on GE ultrasound machines.

Join us below to see what lessons we can learn from these recent cybersecurity headlines.

Subscribe to the DOT Security blog for regular updates on everything in cybersecurity from news and analysis to industry trends and best practices, and even the latest technology!

FBI Seizes BreachForums

On May 15th, international law enforcement agencies seized control of all the domains belonging to BreachForums, an infamous online platform for trading stolen data, for the second time in under a year. However, less than two weeks later, BreachForums was back up and running after regaining several clearnet domains from the FBI.

While this was the second time in a 12-month span that law enforcement targeted BreachForums for its role in facilitating international cybercrime, the speed with which the operators of BreachForums recovered demonstrates the scale and skill involved in cybercrime operations.

As things currently stand, no arrests have been made. Law enforcement agencies have yet to publish a press release on the domain seizure, and are in communication with the web host, NiceNIC, in an attempt to regain control of the illicit BreachForums domain names and to have the law enforcement account unsuspended.

How the FBI and the international law enforcement involved respond to this swift resurrection will be a critical moment in the chess match between cybersecurity practitioners and cyber criminals.

BreachForums originally emerged in March 2022 following the dismantling of RaidForums and the arrest of its owner, known online as "Omnipotent." After its initial shutdown, BreachForums resurfaced when the threat actors Baphomet and ShinyHunters collaborated to relaunch the site; they continue to run it today.

Grandoreiro Banking Trojan Targets 1,500 Banks Globally

Since March 2024, threat actors linked to the Grandoreiro banking trojan have initiated a global campaign following a law enforcement takedown earlier in January. The campaign, centered around volume-phishing, targets over 1,500 banks across more than 60 countries worldwide.

While Grandoreiro traditionally focused on Latin America, Spain, and Portugal, the recent global expansion suggests a strategic shift, possibly in response to attempts by Brazilian authorities to dismantle its infrastructure.

Accompanying the broader targeting scope are significant enhancements to the malware itself, indicating ongoing developmental efforts. Security researchers noted major updates within the string decryption and domain generating algorithm (DGA), along with the trojan's newfound ability to leverage Microsoft Outlook clients on infected hosts to distribute additional phishing emails.

Clicking one of these phishing links downloads a ZIP archive containing the Grandoreiro loader executable. The custom loader is intentionally bloated to over 100 MB to evade anti-malware scans, and it checks the compromised system's geographic location and technical characteristics, aborting when they match conditions the operators want to avoid.

Once installed, the trojan establishes persistence within the Windows Registry and employs an updated DGA to establish connections with a command-and-control server.

This allows the threat actors to remotely control the infected system, perform file operations, and activate specialized modes, including the new module mentioned earlier that leverages Microsoft Outlook to gather data and exploit the victim's email account for spamming purposes.

This email account takeover is what makes the Grandoreiro trojan particularly dangerous, and it underscores the importance of strict identity and access management (IAM) rules and multi-factor authentication (MFA).
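As an added example (not part of the original DOT Report and not Grandoreiro's own code), the Python below shows a defender-side triage of a downloaded ZIP archive. It reads only the archive's central directory, without extracting anything, and flags executable entries that exceed a configurable scanner size limit or that compress suspiciously well, which is what padding used to inflate a loader past a scan threshold looks like. The 100 MiB default limit, the 20:1 compression-ratio threshold, the extension list and the sample archive are all assumptions constructed for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed scanner upload limit: many gateway/AV products skip files above a
# configurable size. 100 MiB is chosen to match the loader size reported above.
DEFAULT_SCAN_LIMIT = 100 * 1024 * 1024
# Uncompressed/compressed ratio above which an executable looks padded (assumption).
PADDING_RATIO = 20.0
# Extensions treated as directly executable content (illustrative list).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".com", ".pif", ".lnk", ".js", ".vbs")


@dataclass
class Finding:
    name: str
    uncompressed_size: int
    compressed_size: int
    reasons: tuple


def triage_zip(data: bytes, scan_limit: int = DEFAULT_SCAN_LIMIT,
               padding_ratio: float = PADDING_RATIO) -> list:
    """Inspect a ZIP archive's central directory and return a Finding for each
    entry that merits a closer look. Nothing is extracted to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable-payload")
            if info.file_size > scan_limit:
                reasons.append("exceeds-scan-limit")
            # Zero or repeated padding deflates extremely well; a huge ratio on an
            # executable is a strong hint that the size is artificial.
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > 0 and ratio > padding_ratio:
                reasons.append("high-compression-ratio")
            if reasons:
                findings.append(Finding(info.filename, info.file_size,
                                        info.compress_size, tuple(reasons)))
    return findings


def verdict(findings: list) -> str:
    """Map findings to a policy decision: block executables that would slip past
    the scanner's size limit, send anything else suspicious to manual review."""
    if not findings:
        return "allow"
    for f in findings:
        if "executable-payload" in f.reasons and "exceeds-scan-limit" in f.reasons:
            return "block"
    return "review"


def build_sample_archive(payload_size: int) -> bytes:
    """Constructed sample for demonstration only: a benign text file plus an
    'executable' made of an MZ header followed by zero padding, mimicking a
    loader inflated past a scanner's size limit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Please review the attached statement.")
        zf.writestr("statement.exe", b"MZ" + b"\x00" * (payload_size - 2))
    return buf.getvalue()


if __name__ == "__main__":
    # Use a 1 MiB limit so the 2 MiB constructed payload trips every check.
    sample = build_sample_archive(2 * 1024 * 1024)
    results = triage_zip(sample, scan_limit=1024 * 1024)
    for f in results:
        print(f"{f.name}: {f.uncompressed_size} bytes -> {f.compressed_size} compressed, {f.reasons}")
    print("verdict:", verdict(results))
```

In production the size limit would be read from the actual scanning product's configuration, and the point of the ratio check is that an archive listing alone is enough to route an oversized, highly compressible executable to a sandbox or block it, rather than letting it pass unscanned.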

400,000 Linux Servers Compromised Over 14 Years

ESET, a Slovak cybersecurity firm, has revealed that the Ebury malware botnet has compromised approximately 400,000 Linux servers since its emergence in 2009, with over 100,000 servers still under its control as of late 2023.

Ebury is deemed one of the most sophisticated server-side malware campaigns focused on financial gain, involving activities such as spam distribution, web traffic redirection, and credential theft. The malware operators are also engaged in cryptocurrency theft and credit card fraud through various means, including network traffic eavesdropping and server-side web skimming.

Initially documented as part of Operation Windigo over a decade ago, Ebury targeted Linux servers, deploying alongside other backdoors and scripts to redirect web traffic and send spam.

ESET's investigation into Ebury's distribution methods has revealed various tactics, including theft of secure shell (SSH) credentials (which allow remote server access), credential stuffing, exploitation of vulnerabilities in control panels, and SSH man-in-the-middle attacks. The threat actors also use fake or stolen identities to evade detection and hide behind other cyber criminals as a smokescreen.

Ebury acts as a backdoor within the OpenSSH daemon, the service that handles remote logins, and as a credential stealer, enabling attackers to deploy additional payloads and expand their network presence. New versions of Ebury introduce advanced obfuscation techniques, a domain generation algorithm, and userland rootkit functionality to better conceal its activities.

The malware's modules facilitate activities ranging from credit card theft and cryptocurrency stealing to traffic redirection, spam sending, and credential harvesting, posing a significant threat to server security worldwide.
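Two of the distribution tactics named above, SSH credential theft and credential stuffing, leave a recognisable trail in the sshd authentication log: one source address cycling through many usernames and then succeeding. As an added example (not part of the original DOT Report and not from ESET's research), the Python below parses standard OpenSSH `sshd` log lines and reports source addresses that fail against several distinct accounts, raising the severity when a login is accepted after that spray. The thresholds, the host name `web01` and the log lines themselves are constructed for illustration and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation addresses); not real data.
SAMPLE_AUTH_LOG = """\
May 14 02:11:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 14 02:11:05 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 14 02:11:08 web01 sshd[2105]: Failed password for invalid user deploy from 203.0.113.7 port 51030 ssh2
May 14 02:11:11 web01 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51036 ssh2
May 14 02:11:15 web01 sshd[2109]: Accepted password for backup from 203.0.113.7 port 51040 ssh2
May 14 02:12:40 web01 sshd[2120]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2: ED25519 SHA256:constructedfingerprint
May 14 02:13:01 web01 sshd[2122]: Failed password for alice from 198.51.100.23 port 40120 ssh2
May 14 02:13:09 web01 sshd[2124]: Connection closed by 198.51.100.23 port 40120 [preauth]
"""

# Matches the standard OpenSSH "Accepted|Failed <method> for [invalid user] <user> from <ip> port <port>" form.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+"
    r"from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)


def parse_sshd_line(line: str):
    """Return a dict describing an authentication event, or None for lines
    that are not Accepted/Failed authentication records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def analyze_auth_log(lines, min_failures: int = 3, min_users: int = 3) -> dict:
    """Per source IP, count failures and distinct usernames tried, and record
    any accepted login that follows at least `min_failures` failures.

    Returns {ip: summary} for addresses that meet both thresholds; severity is
    'critical' when the spray was followed by a successful login."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after_failures": []})
    for line in lines:
        event = parse_sshd_line(line)
        if event is None:
            continue
        s = state[event["ip"]]
        if event["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(event["user"])
        elif s["failures"] >= min_failures:
            # A success after a spray is the event worth paging on.
            s["accepted_after_failures"].append((event["user"], event["method"]))

    report = {}
    for ip, s in state.items():
        if s["failures"] >= min_failures and len(s["users"]) >= min_users:
            report[ip] = {
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "accepted_after_failures": s["accepted_after_failures"],
                "severity": "critical" if s["accepted_after_failures"] else "high",
            }
    return report


if __name__ == "__main__":
    for ip, summary in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, summary)
```

The same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output; the thresholds are deliberately low for the sample and would be tuned per environment. Disabling password authentication in favour of keys removes the success path this detection is built around, which is why key-only SSH and MFA pair well with this kind of monitoring.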

11 Vulnerabilities Uncovered in GE Ultrasound Machines

Security researchers have uncovered nearly a dozen cybersecurity vulnerabilities affecting the GE HealthCare Vivid Ultrasound product family, potentially allowing malicious actors to compromise patient data and even deploy ransomware.

Nozomi Networks, an operational technology security vendor, highlighted the severity of these flaws, emphasizing the possibility of ransomware implantation and unauthorized access to patient data. The vulnerabilities impact the Vivid T9 ultrasound system and its associated software, including the EchoPAC program installed on doctors' Windows workstations.

Exploiting these vulnerabilities necessitates physical access to the hospital environment and interaction with the at-risk devices, ultimately enabling arbitrary code execution with administrative privileges.

Among the identified vulnerabilities, the most severe is CVE-2024-27107, involving hardcoded credentials. Other issues include command injection, execution with unnecessary privileges, path traversal, and protection mechanism failures. Nozomi Networks demonstrated an exploit chain leveraging these security flaws to gain local access to the device and execute arbitrary code.

Alternatively, attackers could use stolen VPN credentials to access the hospital network, locate vulnerable EchoPAC installations, and exploit CVE-2024-27107 to compromise patient databases.

GE HealthCare has issued advisories acknowledging the vulnerabilities and asserting that existing mitigations reduce associated risks to acceptable levels. However, the disclosure underscores the critical need for ongoing vigilance and prompt patching to mitigate risks to patient data and healthcare operations.

This revelation comes amid a broader landscape of cybersecurity vulnerabilities affecting healthcare and IoT devices, making it critical for modern organizations to prioritize a proactive cybersecurity strategy that minimizes the overall risk.

Turning Pages on Cybersecurity News from May 2024

These stories demonstrate just how active the cybersecurity space is today and the pace at which the industry moves. While the FBI and other law enforcement agencies—both domestic and international—continue to crack down on cybercrime in a serious way, the burden of everyday security falls on the shoulders of business owners and decision-makers.

By investing in a proactive and layered cybersecurity strategy, organizations put themselves in the best position to defend their networks from cyberattacks while also protecting their people.

If you want to stay up to date on all things cybersecurity, subscribe to the DOT Security blog for news, industry trends, and other major developments!