Redline, Meta Infostealer Malware Operations Seized by Police

Summary:
The Dutch National Police, in coordination with the FBI and other international agencies, have dismantled the network infrastructure supporting the Redline and Meta infostealer malware operations in an effort known as "Operation Magnus." This disruption serves as a direct warning to cybercriminals that their data is now in the hands of law enforcement.

Announced on a dedicated website, Operation Magnus revealed that data gathered from Redline and Meta operations is currently under legal review, with further actions anticipated.

"On October 28, 2024, the Dutch National Police, alongside the FBI and other international law enforcement partners within Operation Magnus, successfully halted the Redline and Meta infostealer operations," reads the statement on the Operation Magnus site, adding that those involved will be notified, and legal proceedings are underway.

The FBI, NCIS, the U.S. Department of Justice, Eurojust, the UK's NCA, and police forces in Portugal and Belgium took part in the disruption. The agencies released a video warning cybercriminals that investigators now possess data including account credentials, IP addresses, activity timestamps and registration details: clear evidence that could lead to future arrests and prosecutions.

Furthermore, authorities announced they obtained source code components, including license servers, REST API services, control panels, stealer binaries, and Telegram bots, linking the two malware families to shared infrastructure and likely common operators.

Additional information on Operation Magnus, the infrastructure seizure, and potential arrests is expected to be released tomorrow.

Security Officer Comments:
Redline and Meta are infostealers—types of malware that siphon sensitive data from infected devices, such as credentials, authentication cookies, browsing history, SSH keys, documents, and cryptocurrency wallets. The stolen information is often sold or used to facilitate major cyber incidents, including ransomware attacks, data theft, and espionage. Redline and Meta were marketed through now-deleted Telegram bots. The broader criminal ecosystem supporting these services included tools, infrastructure, financial systems, marketplaces, and forums.

Redline, launched in 2020, is among the most widely used infostealers and has enabled extensive theft of passwords, authentication cookies, cryptocurrency wallets, and other sensitive data. A newer project, Meta (also known as MetaStealer), emerged in 2022 and was marketed as a refined successor to Redline. The Operation Magnus announcement now suggests that Redline and Meta share the same developers.
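The behaviour described above (one process reading browser credential stores, cookies, SSH keys and wallet files in quick succession) is also what an endpoint hunt can key on. The Python below is an added example, not code from this brief, from the Operation Magnus investigation or from either stealer: it runs two simple rules over constructed JSON-lines file-access telemetry. The record format, the store path globs, the process allowlist, the sweep threshold and the sample events are all assumptions made for this example, not indicators published by law enforcement.

```python
"""Hunt for infostealer-like reads of credential stores in endpoint telemetry.

Added example, not code from the original brief, from Operation Magnus or
from any stealer. Record format, paths, process allowlist and sample events
are assumptions constructed for this example.
"""
import fnmatch
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Where the data the brief lists (credentials, cookies, SSH keys, wallets)
# typically lives on a Windows host; lower-case globs, assumed for the example.
SENSITIVE_STORES = {
    "browser_credentials": [r"*\google\chrome\user data\*\login data",
                            r"*\microsoft\edge\user data\*\login data",
                            r"*\mozilla\firefox\profiles\*\logins.json"],
    "browser_cookies": [r"*\google\chrome\user data\*\network\cookies",
                        r"*\microsoft\edge\user data\*\network\cookies",
                        r"*\mozilla\firefox\profiles\*\cookies.sqlite"],
    "ssh_keys": [r"*\.ssh\id_*"],
    "crypto_wallets": [r"*\exodus\exodus.wallet\*", r"*\electrum\wallets\*"],
}

# Processes that legitimately read each store (assumed allowlist).
EXPECTED_READERS = {
    "browser_credentials": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "browser_cookies": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "ssh_keys": {"ssh.exe", "ssh-agent.exe", "git.exe"},
    "crypto_wallets": {"exodus.exe", "electrum.exe"},
}

# A stealer grabs everything in one burst; a browser only ever touches its own
# two stores, so three distinct categories inside the window is the sweep bar.
SWEEP_WINDOW = timedelta(minutes=5)
SWEEP_MIN_CATEGORIES = 3

# Constructed JSON-lines file-access telemetry (not real logs). Backslashes
# are doubled because the records are JSON.
SAMPLE_TELEMETRY = r"""
{"ts":"2024-10-28T09:58:03Z","host":"WS-17","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2024-10-28T09:58:04Z","host":"WS-17","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2024-10-28T10:02:11Z","host":"WS-17","pid":7732,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\Setup_Update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2024-10-28T10:02:12Z","host":"WS-17","pid":7732,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\Setup_Update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2024-10-28T10:02:15Z","host":"WS-17","pid":7732,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\Setup_Update.exe","path":"C:\\Users\\alice\\.ssh\\id_ed25519"}
{"ts":"2024-10-28T10:02:20Z","host":"WS-17","pid":7732,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\Setup_Update.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"ts":"2024-10-28T10:05:40Z","host":"WS-17","pid":2210,"image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","path":"C:\\Users\\alice\\.ssh\\id_ed25519"}
{"ts":"2024-10-28T10:06:01Z","host":"WS-17","pid":1188,"image":"C:\\Windows\\System32\\svchost.exe","path":"C:\\Windows\\Temp\\cache.dat"}
"""


def classify(path):
    """Return the sensitive-store category a file path falls into, or None."""
    p = path.lower()
    for category, patterns in SENSITIVE_STORES.items():
        if any(fnmatch.fnmatchcase(p, pat) for pat in patterns):
            return category
    return None


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime and image basename."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["image_name"] = ntpath.basename(ev["image"]).lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text):
    """Return findings: unexpected readers of a store, and multi-store sweeps."""
    findings = []
    first_touch = defaultdict(dict)   # (host, pid) -> {category: first ts}
    swept = set()                     # (host, pid) already reported as a sweep
    for ev in parse_events(text):
        category = classify(ev["path"])
        if category is None:
            continue
        key = (ev["host"], ev["pid"])
        if ev["image_name"] not in EXPECTED_READERS[category]:
            findings.append({"rule": "unexpected_reader", "host": ev["host"],
                             "pid": ev["pid"], "image": ev["image_name"],
                             "category": category, "path": ev["path"]})
        first_touch[key].setdefault(category, ev["ts"])
        recent = sorted(c for c, t in first_touch[key].items()
                        if ev["ts"] - t <= SWEEP_WINDOW)
        if len(recent) >= SWEEP_MIN_CATEGORIES and key not in swept:
            swept.add(key)
            findings.append({"rule": "store_sweep", "host": ev["host"],
                             "pid": ev["pid"], "image": ev["image_name"],
                             "categories": recent})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_TELEMETRY):
        print(finding)
```

On the constructed sample the browser's own reads of its credential and cookie stores produce nothing, the ssh client's read of the key produces nothing, and the unsigned binary in the user's Temp directory is reported four times as an unexpected reader and once as a sweep across three store categories in nine seconds. The allowlist is the part that needs tuning per estate (backup agents, EDR scanners and sync clients all touch these files); the sweep rule is what stays useful even when the allowlist is noisy, because nothing legitimate reads browser cookies, SSH keys and wallet files from one process.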

Suggested Corrections:
In recent years, information-stealing malware has become a significant challenge for enterprises, as stolen credentials are often sold on the dark web or shared freely to build reputation within hacking circles.

Malicious campaigns leveraging info-stealing malware have surged, with cybercriminals using zero-day vulnerabilities, fake VPNs, bogus fixes to GitHub issues, and even answers on forums like Stack Overflow to reach victims.

Here are a few practices that can help prevent attacks from information-stealing malware:

  • Require MFA wherever possible to reduce the impact of credential theft. Note that stolen session cookies let an attacker bypass MFA entirely, so pair it with short session lifetimes and the ability to revoke sessions as soon as an infection is found.
  • Block the installation of unauthorized applications and limit execution to trusted sources.
  • Regularly update software to mitigate vulnerabilities that infostealers often exploit, such as those in browsers and VPNs.
  • Disable saving credentials and sensitive data in browsers, as infostealers typically target browser-stored information; provide an enterprise password manager so users have a sanctioned alternative.
  • Train employees to recognize phishing attempts and suspicious links, especially in emails, forums, and developer sites like GitHub or StackOverflow.
  • Inform employees about the risks of downloading VPNs or "issue fixes" from unverified sources, which are common vectors for infostealers.
  • Please consider sharing indicators with other members of the ISAO.

Link(s):
http://www.operation-magnus.com/