From what I can tell, things went down just after 1PM EST. And there’s nothing posted from the company on their Twitter account. So your guess is as good as mine as to what’s going on, and when things might come back online. So I’ll be keeping an eye on this as I might be personally affected by this as I have a Garmin bike computer and I planned on going on a ride later today. And I want to upload that ride to places like Apple Health and Strava.
Posted in Commentary with tags ESET on June 2, 2025 by itnerd
ESET has participated in a major infrastructure disruption of the notorious infostealer Danabot, led by the US Department of Justice, the FBI, and the US Department of Defense’s Defense Criminal Investigative Service. U.S. agencies worked closely with Germany’s Bundeskriminalamt, the Netherlands’ National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed technical analysis of the malware and its backend infrastructure, and identified Danabot’s C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically among the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more.
These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software.
The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot’s authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims’ systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems.
In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks… for example, a DDoS attack against Ukraine’s Ministry of Defense soon after the Russian invasion of Ukraine.
Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals, each of whom has used different means of distribution. Danabot’s developers even partnered with the authors of several malware cryptors and loaders, and offered their customers special pricing for a distribution bundle to help them with the process. Recently, of all the distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant but actually malicious websites among the sponsored links in Google search results stands out as one of the most prominent methods of luring victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising to help users find unclaimed funds. The latest addition to these social engineering techniques is deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into executing a malicious command secretly inserted into the user’s clipboard.
The typical toolset provided by Danabot’s authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it’s their responsibility to distribute these builds through their own campaigns.
For a technical overview of Danabot and insight into its operation, check out the ESET Research blog post “Danabot: Analyzing a fallen empire” on WeLiveSecurity.com.
Next Step Healthcare in Massachusetts confirmed over the weekend that it has notified thousands of patients of a June 2024 data breach that compromised SSNs, medical records, financial account details, drivers’ licenses, and credit and debit card numbers.
So far, 10,041 residents in Massachusetts and 1,697 in New Hampshire are known to be compromised.
In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:
“Comparitech researchers logged 162 confirmed ransomware attacks on US hospitals, clinics, and other direct care providers in 2024, compromising 27.2 million records. Another 125 claims remain unconfirmed. In 2025 so far, we recorded 26 confirmed attacks affecting 1.8 million records, plus 90 unconfirmed attacks. On average, it takes hospitals and other healthcare businesses 3.7 months to notify victims of a data breach.”
“Ransomware attacks on US hospitals, clinics, and other care providers can cripple key systems and endanger the health, privacy, and security of patients. Hospitals must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.”
“Elderly people are at a higher risk of identity theft. The data breached in the attack on Next Step could lead to financial exploitation of victims. More than 6 in 100 elderly people in the United States have been victims of elder fraud.”
Health care, as frequent readers of this blog will know, is a prime target for threat actors. This sector is not as well resourced to defend itself from a cyberattack, so a threat actor can really go to town on most organizations in it. Rapid change is required to address this, as the status quo isn’t acceptable.
On June 30th, Rogers will shut down their 3G network. And if you still have a 3G device connected to Rogers, you will pay big. As in a one-time $75 fee on top of an existing $3 monthly charge.
Ouch.
This is detailed in this document put out by Rogers. Here’s the relevant text:
This document also says the following:
Rogers customers can avoid these charges by upgrading their phone or SIM card, or updating settings to enable VoLTE if supported.
Those who don’t transition by November 2, 2025, risk losing their number, plan, and stored voicemails permanently.
Now many people who are reading this are wondering who would still have a 3G device. The answer is seniors and those on fixed or low incomes. I have personally come across several seniors who have either ignored this or been unaware of it because their existing phones still work. Thus I’ve not only needed to explain to them what this means, but in some cases help them transition to phones that support 4G, such as this one, because an iPhone or an Android phone might be too much of a jump for them. Thus I encourage you to reach out to your friends, parents, grandparents, etc. who might have a 3G phone and help them make the jump to 4G and a more modern phone if required, before they get dinged for not getting off a network that is going away soon.
Nokia and Andorix, a provider of digital infrastructure and smart building solutions for real estate properties, announced a partnership to accelerate the adoption of private 5G networks and Neutral Host Networks in the real estate market across the United States and Canada.
Real estate owners are looking for a 5G private cellular platform to connect their Operational Technology (OT) use cases, including energy management and efficiency, building operations and optimization, as well as physical and cybersecurity, on a resilient infrastructure. Additionally, real estate companies want a converged and future-proof smart 5G platform that can expand indoor cellular coverage to improve their tenants’ experience with connectivity and value-added edge applications.
This collaboration brings together Nokia’s global leadership in private 5G wireless solutions with Nokia Digital Automation Cloud (DAC) and MX Industrial Edge (MXIE), as well as Andorix’s deep expertise in designing and deploying scalable in-building converged networks within real estate environments. The companies are working to bring fast, reliable 5G indoor for commercial, retail, residential and industrial property, making it easier to enable new technologies like VR and indoor navigation, facilitate IoT deployments, and solve common issues like unreliable connectivity and stronger security needs.
Nokia has deployed private wireless networks for 890 customers globally, with 24 percent of those customers in North America. Andorix brings hands-on experience managing converged network infrastructure deployments in Class A commercial, residential and mixed-use developments—where reliable indoor connectivity is critical for efficient building operations and tenant satisfaction.
LuminX announced today the closure of its $5.5 million seed funding round. This initial funding will accelerate the development and deployment of its solutions for the logistics and warehousing industry.
The seed round was supported by a multitude of investors, including 1Sharpe, GTMFund, 9Yards, Chingona Ventures, and the Bond Fund.
LuminX addresses critical inefficiencies in supply chain and warehouse management that lead to significant operational costs and errors. The company is at the forefront of solving these issues by developing and deploying its Vision Language Models (VLMs) directly onto low-cost mobile hardware within the warehouse – an approach that makes advanced AI accessible and practical for a wider range of operations.
LuminX systems uniquely integrate sophisticated visual understanding with powerful generative AI capabilities, enabling its cameras to ‘see’ and interpret complex, dynamic warehouse environments in real time—recognizing products and varied labels, assessing package conditions, and tracking movement. These versatile devices can be deployed anywhere in the warehouse, including docks, conveyors, on forklifts, or as handheld units. LuminX’s system intelligently processes this visual information to automate intricate operational tasks, eliminate manual work, and provide actionable data for drastically reducing discrepancies and optimizing overall workflow.
LuminX is led by founder and CEO Alex Kaveh Senemar, a seasoned entrepreneur with a proven track record of building and scaling successful AI companies across several industries. He previously founded and led Voxel (voxelai.com), a pioneering AI company in warehouse safety and operations, and prior to that, founded Sherbit, which was successfully acquired by Huma (huma.com) in 2019. He is joined by co-founder & CTO Reza (Mamrez) Javanmardi, Ph.D. in Computer Science and former Head of AI Research at Voxel, whose career spans impactful R&D in machine learning and computer vision across startups and research institutions.
The LuminX team brings a wealth of knowledge and deep expertise in AI, specifically in Vision Language Models, computer vision, and robotics, with many members having ties to leading research institutions like Carnegie Mellon University. The team’s established track record and vision have garnered strong support. Significant participation in the funding round also came from previous investors in Voxel and customers, underscoring deep confidence in LuminX’s advanced technological approach.
The newly acquired funds will be strategically invested in advancing LuminX’s core research and development in Vision Language Models for logistics, further optimizing them for edge deployment, expanding its specialized engineering talent, and scaling go-to-market activities.
Posted in Security with tags Asus on June 2, 2025 by itnerd
Shortly after this story dropped about ASUS routers being pwned right, left and centre, I got a number of emails asking me to detail how one can check their routers to see if they’ve been pwned. To that end, I am going to put forward two options for you to make sure you’re not affected by this.
Option 1: Factory reset your router.
If you’re really paranoid about this, taking the nuclear approach and resetting your router may not be a bad idea. While this compromise can survive reboots and firmware updates, it cannot survive a factory reset. ASUS has a document that tells you how to do that. After you do that, you should set the router up again from scratch, meaning that you should not restore it from a backup. That way you don’t import the compromise back into the router. It also means that you should make a note of your settings before you factory reset it.
Option 2: Checking to see if you have been pwned.
Given that about 10,000 routers have been affected by this worldwide, your odds of being affected are low. But they’re not zero, so checking to see if you have been pwned is a good idea. Here’s how you do it. I am using the RT-BE86U in this example, so your ASUS router may have this in a different location:
1. Log into your router.
2. Click on Administration on the left.
3. Click on System on the top. That will take you to this screen:
See if Enable SSH is enabled. If it isn’t, you’re likely not affected. But it never hurts to dig deeper. Choose LAN and WAN to get to this screen:
If you see anything in the SSH Port section or the Authorized Keys section that you did not put there, chances are that you’ve been pwned. Specifically, you’ve been pwned if you see these values:
I’ve only put in part of the key to stop people from self-pwning their router. But if you see both of these, you’ve been pwned and you should immediately reset your router as per Option 1 and ensure that the router’s firmware is up to date.
4. Do not save any of the settings; simply log out of your router if you find nothing there.
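The manual check above compares what is in the SSH settings against what you put there yourself. The following is an added example (not from the original post or from ASUS) that does the same comparison on a constructed copy of those settings: it flags SSH being enabled, SSH being reachable from the WAN, a changed port, and any authorized key whose SHA256 fingerprint is not on your own allowlist. The setting names, the key lines and the port value are all constructed for the example.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b

def constructed_ed25519_key(fill: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a dummy
    32-byte value. Constructed for this example only; it is not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint of one authorized_keys line in the same
    'SHA256:<unpadded base64>' form that `ssh-keygen -lf` prints."""
    parts = pubkey_line.split()
    # An authorized_keys line may start with options such as no-pty; the key
    # type is the first token that looks like an SSH algorithm name.
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not a public key line: {pubkey_line!r}")

def audit_ssh_settings(settings: dict, expected_port: str,
                       known_fingerprints: set) -> list:
    """Compare a router's SSH settings with what the owner configured and
    return human-readable findings (an empty list means nothing looked odd)."""
    findings = []
    if settings.get("ssh_enabled", "0") != "0":
        findings.append("SSH is enabled")
        if settings.get("ssh_wan") == "1":
            findings.append("SSH is reachable from the WAN")
        if settings.get("ssh_port") != expected_port:
            findings.append(f"SSH port changed to {settings.get('ssh_port')}")
    for line in settings.get("ssh_authorized_keys", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in known_fingerprints:
            findings.append(f"unexpected authorized key {fp} ({line.split()[-1]})")
    return findings

# Constructed sample: the owner knows about exactly one key. A second key and
# a changed port stand in for what a tampered configuration would look like.
OWNER_KEY = constructed_ed25519_key(0x01, "owner@laptop")
ROGUE_KEY = constructed_ed25519_key(0x02, "unknown")
SAMPLE_SETTINGS = {
    "ssh_enabled": "1",
    "ssh_wan": "1",
    "ssh_port": "2222",  # constructed value, not one from the post
    "ssh_authorized_keys": "no-pty " + ROGUE_KEY + "\n" + OWNER_KEY + "\n",
}

if __name__ == "__main__":
    allowlist = {fingerprint(OWNER_KEY)}
    for finding in audit_ssh_settings(SAMPLE_SETTINGS, "22", allowlist):
        print("FINDING:", finding)
```

Keeping an allowlist of fingerprints rather than full key lines means you can recheck after every firmware update without pasting keys around.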
Now the threat actors have been exploiting a number of vulnerabilities that ASUS has either patched or will patch. Thus even if you are clear when you have a look at these settings, I would strongly recommend watching the ASUS website for further firmware updates and installing them when they become available, or using the ASUS Router app to check for firmware updates. As an aside, you should always ensure that your router has the latest firmware installed on it.
Finally, there is no practical reason why anyone needs remote access to their router by any means, be it a vendor-supplied method, SSH or anything like that. I say that because all it does is give threat actors a means to pwn you. Thus if you value your security, never, ever enable remote access in any way, shape or form on your router, and be happy. It won’t make you 100% safe, but it will make you a whole lot safer.
‘Russian Market’ emerges as a go-to shop for stolen credentials
Posted in Commentary with tags Hacked on June 2, 2025 by itnerd
Researchers from ReliaQuest have reported that the ‘Russian Market’ cybercrime marketplace has emerged as one of the most popular platforms for selling credentials stolen by infostealer malware.
Ensar Seker, CISO at SOCRadar, commented:
“The rise of the Russian Market as a post-Genesis powerhouse for credential sales is no surprise. It underscores a growing trend where info-stealer logs are the new currency of access in the cybercrime ecosystem. These logs are often harvested at scale via malware like Raccoon, RedLine, and Vidar, then sold in semi-curated bundles for as little as $2. For threat actors, it’s a low-cost, high-reward model that enables everything from account takeovers to full-blown ransomware deployment.”
“What makes this surge concerning is not just the affordability and volume of stolen credentials, but the quality and contextual richness of the logs—browser session cookies, saved passwords, crypto wallets, VPN configs, and even MFA tokens can be included. The Russian Market has also benefitted from the void left by Genesis Market’s takedown, which previously offered a slick user interface and session replay capabilities. While the Russian Market lacks that level of polish, its availability, persistence, and pricing are drawing in a new wave of threat actors, especially low-skilled affiliates and initial access brokers.”
“The cybersecurity industry needs to stop thinking of stealer logs as a footnote. They are a first-stage breach vector and increasingly weaponized in the earliest stages of intrusions. Organizations must monitor the dark web and infostealer marketplaces to understand whether their attack surface has already been compromised. At SOCRadar, we’ve observed a 30% uptick in stealer log exposure among enterprise assets across our monitored datasets, especially credentials linked to VPNs and SaaS platforms.”
“This also ties back to the larger issue of password reuse and unmanaged credentials. It’s not just about detecting breaches after the fact, but reducing the exploitability of leaked credentials through password managers, device-based authentication, and routine credential rotation. The Russian Market is just one shop in a growing underground mall and unfortunately, business is booming.”
Additionally, SOCRadar recently published an analysis on the prevalence of stealer logs. Here it is in full: https://socradar.io/stealer-logs-everything-you-need-to-know/
My $0.02 worth on this is: don’t be a victim. And the best way to avoid being a victim of phished or stolen credentials is to use some form of 2FA, or even migrate to a passwordless solution. The former will make it harder for stolen credentials to be used. The latter will make stolen or phished credentials a non-issue, as there’s nothing to steal.