February 9, 2024 at 10:39PM
Over 70,000 legitimate websites have been compromised to form VexTrio, a network utilized by cybercriminals for distributing malware and conducting phishing activities. The operation has been growing in sophistication since its establishment in 2017. Check Point and Infoblox have both flagged VexTrio as a significant security threat, emphasizing its impact and far-reaching capabilities.
Summary of meeting notes:
– More than 70,000 legitimate websites have been hijacked and used in a network called VexTrio to distribute malware, serve phishing pages, and engage in cybercrime. The network has been operating since 2017 or earlier.
– VexTrio redirects visitors of compromised websites to harmful pages and takes a fee for directing web traffic to fraudulent sites.
– Check Point and Infoblox have identified VexTrio as a significant security risk and the most pervasive threat, with one strain of malware, SocGholish, being especially prevalent.
– SocGholish is a JavaScript-based downloader targeting Windows machines and has been observed bringing various malware onto victims’ machines, believed to be orchestrated by a financially-motivated crew tracked as TA569 by Proofpoint and UNC1543 by Mandiant.
– ClearFake malware, as documented by Infoblox, is also pushed via VexTrio.
– Ransomware crews, including LockBit3, 8Base, and Akira, have been responsible for a significant number of claimed attacks in 2024, according to Check Point’s metrics, though the reliability of these figures is cautioned due to the nature of ransomware groups’ leak sites.
– The meeting discussed the commercially-minded nature of cybercrime and the need for vigilance in IT environments to identify signs of compromise related to VexTrio and associated threats.