Also: Lax German Federal Cybersecurity, Spanish Mobile Account Theft
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, an international police operation shuttered a Kosovar illicit online marketplace, Microsoft issued its December Patch Tuesday fixes and auditors uncovered lax security in a German government network. Spanish authorities investigated the theft of billions of mobile user account records and Operation PowerOFF shuttered booter sites ahead of the holidays. Google issued a Chrome patch and European police uncovered scammers using Airbnb rentals as call centers. A Peruvian university investigated the theft of student data and an incident at a U.S. medical device maker disrupted order processing, shipping and corporate operations. Researchers detailed Android spyware deployed by Chinese police.
An international police operation led by the United States shuttered a criminal marketplace operated by a ring of alleged Kosovar cybercriminals.
The U.S. Justice Department on Thursday unsealed a six-count indictment against Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, for allegedly running the "Rydox" marketplace along with a third Kosovar national, Shpend Sokoli. Kosovo police arrested both Kutleshis, who await extradition to the United States. Albanian police arrested Sokoli; he is expected to be charged and prosecuted there. The Royal Malaysian Police seized servers in Kuala Lumpur that hosted the Rydox marketplace.
Rydox offered for sale "at least 321,372 cybercrime products to over 18,000 users" including personally identifying data, stolen account credentials and payment data, as well as cybercrime tools such as scam pages, spamming logs and tutorials, prosecutors said.
The indictment dates the start of Rydox to the first months of 2016. Prosecutors say the site generated at least $230,000 in revenue since inception. Administrators charged a one-time registration fee ranging from $200 to $500 in cryptocurrency. The U.S. case against the alleged administrators is being prosecuted in the U.S. District Court for the Western District of Pennsylvania, where six known victims had information such as debit card and Social Security numbers traded on the illicit marketplace.
A grand jury indicted the Kutleshis on two counts of identity theft, one count of conspiracy to commit identity theft, one count of aggravated identity theft, one count of access device fraud, and one count of money laundering. If convicted on all counts, they face the prospect of up to 55 years in prison.
Microsoft addressed 71 security vulnerabilities Tuesday including one actively exploited zero-day flaw. That vulnerability, identified as CVE-2024-49138, affects the Windows Common Log File System driver and was publicly disclosed and exploited by attackers before the patch's release. By manipulating memory management routines within the CLFS driver, hackers can gain system-level privileges, potentially allowing them to execute arbitrary code at the highest privilege level.
The December patch featured 16 critical vulnerabilities, all of which involve remote code execution risks. The complete breakdown of the vulnerabilities includes 30 remote code execution flaws, 27 elevation of privilege vulnerabilities, 7 information disclosure vulnerabilities, 5 denial-of-service issues and 2 spoofing vulnerabilities.
Security lapses within the German Interior Ministry could expose multiple federal organizations to cyberattacks, a new report by the country's audit agency found.
Analysis by Bundesrechnungshof, the federal audit authority, found that 52 organizations connected to the Interior Ministry federal communication network failed to meet security requirements.
The federal encrypted network facilitates secure information exchange up to the level of restricted classified information. Approximately 106 German government organizations, employing 300,000 staff, are currently connected to the network.
Of the 52 organizations failing to meet security requirements, 45 had not deployed a transport layer security proxy, an encryption measure introduced by the Interior Ministry in 2019 to allow organizations with lower communications confidentiality needs to access the network.
The proxy terminates the encrypted connection, decrypts the traffic, inspects it with a malware detection system and re-encrypts it before forwarding it on.
The findings from the audit agency come after a report from the federal information security agency warned Germany faces increased cyberthreats from nation-state and ransomware hackers.
"In view of the threat situation, the BMI [German Interior Ministry] should work together with the other federal ministries to identify and eliminate the reasons for the low use of the TLS proxy. In addition, the BMI and the federal ministries should stipulate which users must use the TLS proxy and when," the German audit agency said.
Spanish authorities are investigating the theft of two billion mobile phone account holder records from the national market competition authority. The National Court said hackers stole 240 gigabytes worth of account holder records from the National Commission of Markets.
The number of accounts held by the markets authority far exceeds the country's 59.5 million active mobile lines. The markets authority reportedly has direct access to the Operational Association for Mobile Portability, which houses a database of telephone numbers whose account holders decided to change carriers.
Law enforcement agencies worldwide dismantled 27 online platforms enabling distributed denial-of-service attacks, Europol announced Wednesday. The operation, dubbed "Operation PowerOFF," spanned 15 countries including the United States, the United Kingdom and Australia. Police identified 300 platform users and arrested three administrators in France and Germany.
Timed for action before the holiday season - a peak period for DDoS attacks - the takedowns targeted booter and stresser sites such as zdstresser.net and orbitalstress.net.
Google released a Chrome update to address three high-severity vulnerabilities. The update is rolling out gradually and should reach all users soon.
The vulnerabilities include a type confusion flaw in Chrome's V8 JavaScript engine that could enable arbitrary code execution or system crashes. Another issue in the browser's translation feature could lead to memory corruption and exploitation. Details of a third high-severity flaw remain undisclosed to prevent misuse before users apply the update.
Authorities in Belgium and the Netherlands dismantled an international cybercrime ring responsible for stealing millions of euros and using Airbnb rentals as fraud centers. Europol coordinated the operation, which included 17 searches across the two countries on Dec. 3 and culminated in the arrest of eight suspects.
The group, active since 2022, engaged in phishing, online fraud, bank helpdesk scams and money laundering. Dutch police arrested four suspects, aged 23 to 66, and confiscated phones, cash, luxury items, and data carriers tied to the crimes.
The fraudsters used rented Airbnb properties as temporary call centers to launch phishing campaigns. They posed as bank representatives, tricking victims into entering sensitive data on fake banking websites, which allowed the criminals to drain accounts. Some victims were verbally harassed during the process, leaving them traumatized.
Proceeds from the scams funded extravagant lifestyles, including luxury cars, designer goods and lavish parties, which the suspects flaunted on social media.
The Peruvian University of Applied Sciences is investigating a data breach it divulged through social media on Tuesday, stating that hackers stole student data including names, emails and copies of university IDs.
A hacker with the handle "ExKase20" on Monday posted on Breach Forums a link to a dataset the hacker said contained more than 25 gigabytes of stolen university data.
U.S. cardiac and vascular implantable devices maker Artivion disclosed a cybersecurity incident involving data encryption and theft. The breach, discovered on Nov. 21, disrupted order processing, shipping and corporate operations, though these issues have largely been resolved.
Artivion said that the incident has not significantly affected its financial condition or operations but acknowledged ongoing expenses related to its response. While the company believes it has adequate insurance, it expects some costs will not be covered.
The company, which generated $354 million in revenue in 2023 and employs more than 1,250 staff globally, said it continues to assess the situation but did not respond to requests for further details.
A Chinese surveillance program for Android devices is using malware techniques to covertly gather extensive user data under the guise of government operations. Cybersecurity firm Lookout identified the program as EagleMsgSpy, developed by Wuhan Chinasoft Token Information Technology Co. The program reveals a connection between the Chinese Communist Party's law enforcement agencies and its hacking operations.
The Android tool EagleMsgSpy's activity can be traced back to 2017, with it appearing on the VirusTotal malware scanning platform as recently as Sept. 25.
The surveillance tool operates in two parts: an installer Android application package and a surveillance client that runs silently in the background after installation. The tool gathers data from the device, including messages from third-party chat apps such as WhatsApp, QQ, WeChat and Telegram. It takes screenshots, makes screen recordings, records audio and copies call logs, contacts, SMS messages, GPS location and network activity.
Lookout discovered that the malware has an administrative panel, which allows law enforcement agencies to remotely trigger and control data collection from the infected devices in real time.
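The two-part design described above, a surveillance client with no visible launcher entry that hoards audio, SMS, call-log, contact and location access, is the kind of profile a defender can screen for statically. The following is an added example written for this article, not Lookout's detection logic or any indicator set from its report: it parses an Android manifest and scores the combination of surveillance-relevant permissions plus the absence of a LAUNCHER intent filter. The permission-to-capability mapping, the scoring threshold and both sample manifests are constructed for the example.

```python
"""Static triage heuristic for Android manifests (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumption: this mapping is the example's own choice of permissions that
# together cover the data sources the article lists (audio, call logs,
# contacts, SMS, GPS) plus the ability to keep a service alive in the background.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.FOREGROUND_SERVICE": "persistent background service",
}


def triage_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    """Score one AndroidManifest.xml document.

    One point per surveillance-relevant permission requested, plus one point
    if no activity is registered in the launcher (the app hides its icon,
    a trait of clients meant to run silently). At or above `threshold` the
    app is flagged for manual review.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    hits = {perm: label for perm, label in SURVEILLANCE_PERMS.items() if perm in requested}
    has_launcher = any(
        cat.get(NAME_ATTR) == "android.intent.category.LAUNCHER"
        for cat in root.iter("category")
    )
    score = len(hits) + (0 if has_launcher else 1)
    return {
        "package": package,
        "capabilities": sorted(hits.values()),
        "hidden_from_launcher": not has_launcher,
        "score": score,
        "suspicious": score >= threshold,
    }


# Constructed sample: a messaging app with a launcher icon and two sensitive permissions.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: a hidden client requesting the full surveillance set and
# registering only a background service, no launcher activity.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sysupdate">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".CollectorService" android:exported="false"/>
  </application>
</manifest>"""


def triage_all(manifests: list[str]) -> list[dict]:
    """Run triage over several manifests, most suspicious first."""
    return sorted((triage_manifest(m) for m in manifests),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for result in triage_all([BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]):
        flag = "REVIEW" if result["suspicious"] else "ok"
        print(f"{flag:6} {result['package']} score={result['score']} "
              f"hidden={result['hidden_from_launcher']} caps={result['capabilities']}")
```

The heuristic is deliberately coarse: legitimate backup or parental-control apps will also score high, so it is a prioritization aid for a review queue, not a verdict. On a real fleet the manifests would come from `aapt dump xmltree` or an MDM inventory rather than inline strings.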