February 4th – This Week’s Top Cybersecurity and Dark Web Stories

FBI Seizes Russian Cybercrime Platform RAMP

In a significant operation against the global cybercrime underground, US federal authorities, led by the FBI, have seized the domains of RAMP (Ramp4u.io), a notorious Russian-language forum.

RAMP was a major hub for ransomware affiliates, malware developers, and initial access brokers, uniquely positioning itself as “The Only Place Ransomware Allowed” after other major forums banned the discussion. Both the clear web and dark web domains now display seizure notices from the FBI and the Department of Justice.

On the rival underground forum XSS, a user known as Stallman, believed to be a RAMP insider, confirmed law enforcement’s control and regretted the loss of what he called “the most free forum in the world.”

While the takedown is confirmed by the community, US authorities have not yet released an official statement, and there is no confirmation regarding any arrests of RAMP’s core operators or high-profile users.

ShinyHunters Escalates SaaS Data Theft with Sophisticated Vishing Attacks

A major expansion in extortion operations, tracked by Google Threat Intelligence Group (GTIG) under clusters including UNC6661 and UNC6671, is targeting corporate environments by exfiltrating sensitive data from cloud-based Software-as-a-Service (SaaS) applications.

The threat actors, leveraging tactics consistent with prior ShinyHunters-branded groups, use sophisticated voice phishing (vishing) and victim-branded credential harvesting sites. They impersonate IT staff to trick employees into giving up their Single Sign-On (SSO) credentials and Multi-Factor Authentication (MFA) codes, often registering their own devices for access.

Once inside, groups like UNC6661 move laterally, opportunistically stealing data from various SaaS platforms, often searching for documents containing terms like “confidential,” “internal,” or “salesforce.”

GTIG attributes the subsequent extortion activity to UNC6240, who employ aggressive tactics including harassment and Distributed Denial-of-Service (DDoS) attacks, alongside publishing stolen data samples on a new “SHINYHUNTERS” data leak site.

The attacks rely on social engineering, not security vulnerabilities, underscoring the critical need for organizations to implement phishing-resistant MFA methods like FIDO2 security keys or passkeys.

China Hacked Downing Street Officials’ Phones for Years

The mobile phones of senior officials in Downing Street were reportedly hacked by Chinese state-sponsored actors for several years, exposing their private communications to Beijing.

The compromise is said to have targeted aides to successive Prime Ministers, including Boris Johnson, Liz Truss, and Rishi Sunak, between 2021 and 2024. The breach reportedly reached “right into the heart of Downing Street,” raising concerns that spies could have read texts and listened to calls.

US intelligence sources indicate the Chinese espionage operation, known as Salt Typhoon, remains ongoing. A Deputy US National Security Adviser described the global breach as “one of maybe the more successful campaigns in the history of espionage.”

Salt Typhoon has been identified as a prominent cyber-espionage threat, focusing on telecommunications firms globally to intercept communications. While Britain’s networks are reportedly better protected than those in the US, intelligence agencies describe Beijing as one of the most aggressive foes in cyber warfare.

China’s foreign ministry has dismissed the claims, stating they are “baseless” and lack evidence, and affirmed their stance as a defender and victim of cyberattacks.