The US has charged two men for allegedly making millions of dollars by selling hundreds of thousands of opioid pills on the darknet.
Costa Rican pharmacist Jose Luis Fung Hou and dual Costa Rican and American citizen David Brian Pate were indicted by a federal grand jury on Tuesday. The pair are accused of trafficking drugs including Oxycontin and morphine and laundering payments in the form of Bitcoin and international wire transfers.
The indictment alleges that 44-year-old Pate illegally purchased pills from 38-year-old Fung, then sold the narcotics on multiple underground websites, including AlphaBay and the notorious marketplace Silk Road.
Using various online monikers including “buyersclub” on darknet markets, online forums, and Bitcoin exchanges, Pate allegedly advertised that he was selling the “old formula” of Oxycontin. This version of the drug does not contain tamper-resistant features such as a crush-proof outside that prevents a user from inhaling or injecting the pills after pulverizing them.
Pate is accused of hiding the pills in tourist souvenirs such as maracas that were sent in bulk from Costa Rica to co-conspirator re-shippers in the United States. Re-shippers were then sent a list of customer orders to fill along with the customers' names, shipping addresses, and how many pills they wanted.
Once the shipments were received by the customers, the darknet market would release funds in Bitcoin, which were held in escrow until the transaction was completed, into Pate’s account on the darknet market. Customers reputedly paid Pate over 23,903 Bitcoin for these darknet market sales.
The seven-count indictment charges Pate and Fung with counts of conspiring with persons to distribute controlled substances, distribution of controlled substances, conspiring with persons to import controlled substances, conspiring to launder money, and laundering of monetary instruments.
“Today’s case is a great example of how the DEA has infiltrated the darknet and, together with our law enforcement partners, proven that every criminal attempting to sell these deadly drugs is within the reach of the law,” said Special Agent in Charge Jesse R. Fong of the US Drug Enforcement Administration’s (DEA) Washington Field Division.
The number of commodity malware campaigns exploiting machine identities doubled between 2018 and 2019, according to new research.
The rapid increase in this particular type of cyber-scourge was unearthed by threat analysts at Venafi, who gathered data on the misuse of machine identities by analyzing security incidents and third-party reports in the public domain.
Among the attacks encountered by Venafi's Threat Intelligence Team were several high-profile campaigns, including TrickBot, Skidmap, Kerberods, and CryptoSink.
Overall, malware attacks utilizing machine identities were found to have grown eightfold during the last 10 years. Within the last five years, the number of attacks was found to have increased more rapidly.
The findings are part of an ongoing threat research program focused on mapping the security risks connected with unprotected machine identities.
Campaigns exploiting machine identities were once the preserve of large-scale cyber-criminal operations but are now being used in off-the-shelf malware, according to Yana Blachman, threat intelligence researcher at Venafi.
“In the past, machine identity capabilities were reserved for high-profile and nation-state actors, but today we’re seeing a ‘trickle-down’ effect,” said Blachman. “Machine identity capabilities have become commoditized and are being added to off-the-shelf malware, making it more sophisticated and harder to detect.”
Blachman said these deceptively simple campaigns are far more dangerous than they appear.
“Massive botnet campaigns abuse machine identities to get an initial foothold into a network and then move laterally to infect further targets,” said Blachman.
“In many recorded cases, bots download crypto-mining malware that hijacks a target’s resources and shuts down services. When successful, these seemingly simple and non-advanced attacks can inflict serious damage on an organization and its reputation.”
The millions of applications and billions of devices that exist in the world use machine identities made from cryptographic keys and digital certificates to authenticate themselves to each other so they can communicate securely.
“To protect our global economy, we need to provide machine identity management at machine speed and cloud scale,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Every organization needs to ensure they have full visibility and comprehensive intelligence over every authorized machine they are using in order to defend themselves against the rising tide of attacks.”
Just under half of businesses have experienced at least one “business impacting cyber-attack” related to COVID-19 as of April 2020.
According to a survey of 416 security executives and 425 business executives by Forrester Consulting and Tenable, 41% of respondents reported such a COVID-19-related attack, whilst 94% of executives say their firms have experienced a business-impacting cyber-attack or compromise within the past 12 months. “That is, one resulting in a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft and/or theft of intellectual property,” the research said.
Also, 78% of respondents said they expect an increase in cyber-attacks over the next two years while 47% reported experiencing five or more attacks. In an email to Infosecurity, Bryan Becker, product manager at WhiteHat Security, said: “There is no reason to expect this trend to ever reverse, so we are only likely to see more and more attacks in the future.
“Businesses can and should be investing in application security teams, as well as regular training for all members of the organization. CEOs and executive teams absolutely should be viewing at least quarterly briefs from the security team to understand the outcome of their investment, as well as the current state of affairs.”
On the impact of the COVID-19-related attacks, Tom Pendergast, chief learning officer at MediaPro, said while COVID-19 may have changed the subject and scale of attacks, “the target of most of those attacks hasn’t changed.
“They’re going after employees, who in this time of anxiety and uncertainty are more vulnerable than ever,” he said. “Preparing your employees to defend themselves and the company means teaching them to be highly skeptical and resistant to attempts to obtain information and access. Take, for example, the recent Twitter hack, perpetrated by a criminal who knew enough about an employee to break down their defenses.”
Rod Holmes, director and vCISO at the Crypsis Group, said threat actors always look to capitalize on emotion, disaster and chaos, and individuals, corporate IT systems and ICS systems (OT systems) have all been targeted. In particular, the research found that 65% of attacks involved operational technology assets, and 63% of security leaders admit it’s likely their systems suffered an unknown compromise over the past year.
Holmes said: “Organizations that have that special privilege of protecting our nation's critical infrastructure have an especially important role to play in security as nation states look for opportunities to infiltrate critical systems. Nation state actors are very opportunistic, persistent and patient — they will look for opportunities to strike when organizations are resource-strained and focused on maintaining operations during times of change or difficulty.
“COVID has presented nation states the opportunity to fly under the radar and capitalize on chaotic environments where IT personnel are consumed with increasing remote access capacity — even industrial organizations have had significant office personnel working remotely during the crisis. This is especially an issue with organizations that have ICS infrastructure intermingled with IT infrastructure and that do not have each environment separated as recommended by NIST standards.”
The British Dental Association (BDA) has suffered a data breach causing fears that the bank account numbers of a number of UK dentists have been stolen.
The BBC has reported that the professional association emailed its membership to warn them of the breach, telling them it is currently unsure what information has been accessed. The BDA also urged them to be vigilant about any correspondence purporting to be from a bank.
The BBC stated that while the organization does not store its members’ card details, it does hold their account numbers and sort codes in order to collect direct-debit payments.
In the email to members, the BDA reportedly referred to “logs of correspondence and notes of cases” as being among the data it has assumed stolen; this suggests that hackers may also have access to sensitive patient information.
BDA chief executive Martin Woodrow added in the email memo: “Owing to the sophistication of these criminals, we cannot, as yet, confirm the full extent of information that has been accessed.
“We are devastated and apologise unreservedly for this breach.”
The BDA's website is currently offline due to the “sophisticated cyber-attack,” with the organization stating that “our IT experts have been working to rebuild our systems since the incident occurred and this is progressing well.”
Commenting on the incident, Jake Moore, cybersecurity specialist at ESET, said: “It doesn’t seem a week goes by without it being necessary to remind people to be vigilant against this recent influx of hacks. However, it remains more important than ever to be cautious.
“It appears a large spread of personal data has been taken, so it is essential to remain on the lookout for any communication requesting further details which may add pieces to the identity theft jigsaw.
“Although the BDA has been magnanimous in making those affected aware of the breach quickly and reporting themselves to the ICO, the problems are far from over.”
Chris Harris, technical director, EMEA at Thales, added: “While being hacked itself is a worry in the first place, it’s concerning that it’s still unclear what information was taken.
“For any business’ security strategy to be successful, protecting their sensitive data through implementing methods like encryption and multi-factor authentication must be at the heart of it. With this in place, companies can rest safe in the knowledge that even if data is taken, it can’t be accessed – protecting them and their customers from further damage down the line through aspects like phishing attacks.”
Just this week it was revealed that hackers published customer data stolen from Havenly on the dark web.
Tanium has partnered with Google Cloud to integrate threat response and Chronicle’s security analytics platform.
The partnership will unite the Tanium unified endpoint management and security platform with Google Cloud’s security analytics and zero-trust initiatives, which the companies claimed would better detect, investigate, and scope advanced persistent threats.
Also, an integration between Tanium and Google Cloud’s BeyondCorp will allow Tanium to support the ability for customers to use endpoint identity, state and compliance data with BeyondCorp remote access.
The companies said the integration between Chronicle’s security analytics and Tanium's unified endpoint security will allow users to proactively hunt threats both live and across an entire year of endpoint activity using telemetry from Tanium combined with analytics and cloud-scale data capacity from Chronicle.
Also with Chronicle, customers can correlate up to one year of data gathered from the Tanium platform’s endpoint telemetry and network activity. This enriched dataset enables incident response teams to fully investigate sustained, long-term attacks and take comprehensive remediation action.
“With Tanium and Google Cloud, customers don’t have to make difficult tradeoffs between the quality, breadth, timeliness or storage cost of their security telemetry,” said Sunil Potti, general manager and vice-president of cloud security at Google Cloud.
“Advanced persistent threats require a sophisticated approach to detection and response. That starts at the endpoint, where most compromise activities begin. With telemetry sourced from Tanium’s comprehensive endpoint security approach, customers have the data they need to detect and investigate post-compromise activity to accelerate remediation and prevent future intrusion.”
“This joint solution with Chronicle gives Tanium customers access to massively scalable analytics and investigation capabilities far beyond that of other endpoint detection and response point tools,” said Orion Hindawi, co-founder and CEO of Tanium. “This integration enables our customers to investigate APTs and other threats from the moment of detection back to the moment of compromise for complete response and remediation.”
Digital asset infrastructure company Copper Technologies has announced the appointment of Jake Rogers as its new chief information security officer.
Rogers has joined the London-based firm with immediate effect from Amnesty International, where he held the position of head of information security, responsible for the confidentiality and security of 70 offices and 3,500 members of staff working on various human rights issues.
At Copper Technologies, Rogers has been charged with strengthening the company’s security as well as developing a market-leading and scalable information security function.
Rogers began his career working in network administration before going into penetration testing and general cybersecurity. Prior to Amnesty, he worked at a number of major organizations including merchant bank Close Brothers, security vendor PhishMe and CrossGroup Security.
Dmitry Tokarev, chief executive officer, Copper, said: “I am very pleased to welcome Jake as the newest member of our team. I believe that his strong security credentials and understanding of the direction in which crypto is moving make him a perfect fit for the role. With Copper continuously evolving our product suite and offering, Jake’s expertise will be crucial as we look to ensure that our security continues to set an industry standard.”
Rogers added: “I am thrilled to join Copper as its chief information security officer. In the past few years, there has been a major, fundamental shift in the public’s attitudes toward free and open systems, especially in banking and finance. Crypto is becoming mainstream and with new technology being developed rapidly in this space, it has demonstrated real potential to replace traditional banking and finance with something far freer, more equal and democratic.”
Cloud breaches are likely to increase in “velocity and scale” due to a prevalence of poor cybersecurity practices in cloud configurations that are creating exposures. This is according to the most recent State of DevSecOps report by Accurics, which assesses the cloud configuration practices that lead to breaches.
The study found that 93% of cloud deployments analyzed contained misconfigured services, while 91% of deployments have at least one network exposure where a security group is left wide open. Accurics noted that “these two practices alone have been at the center of over 200 breaches that exposed 30 billion records in the past two years.”
Other emerging practices were also observed to be creating exposures. These included the presence of hardcoded private keys in 72% of deployments. Additionally, half of deployments had unprotected credentials stored in container configuration files. The report added that “these keys and credentials could be used by unauthorized users to gain access to sensitive cloud resources.”
Close to a third (31%) of organizations were shown to have unused resources, with the primary cause being that resources are added to a default virtual private cloud (VPC) upon creation if a scope is not defined.
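As an added illustration, not taken from the Accurics report or its tooling, the following Python checker scans a constructed, simplified deployment manifest for the patterns the report singles out: security group ingress rules open to the whole internet, private key material embedded in configuration, and plaintext credentials in container environment settings. The manifest layout and the `${secret:...}` reference convention are assumptions made for the example.

```python
"""Audit a simplified deployment manifest for the misconfigurations the report describes."""
import ipaddress
import json
import re

# Constructed manifest (hypothetical format): a list of resources as a deployment tool might emit.
SAMPLE_MANIFEST = json.dumps({
    "resources": [
        {"type": "security_group", "name": "web-sg",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                     {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"type": "security_group", "name": "db-sg",
         "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
        {"type": "container", "name": "api",
         "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
         # Placeholder key body, constructed for the example; not a real key.
         "files": {"/app/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"}},
    ]
})

# The same manifest after remediation: SSH restricted to the internal range, the key file
# removed, and the password replaced by a secrets-manager reference (assumed convention).
FIXED_MANIFEST = json.dumps({
    "resources": [
        {"type": "security_group", "name": "web-sg",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                     {"port": 22, "cidr": "10.0.0.0/8"}]},
        {"type": "security_group", "name": "db-sg",
         "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
        {"type": "container", "name": "api",
         "env": {"DB_PASSWORD": "${secret:prod/db/password}", "LOG_LEVEL": "info"},
         "files": {}},
    ]
})

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CREDENTIAL_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)
# Values that point at a secrets store instead of embedding the credential (assumed convention).
SECRET_REF_RE = re.compile(r"^\$\{(secret|vault|ssm):")


def open_to_world(cidr: str) -> bool:
    """True when a CIDR covers every IPv4 or IPv6 address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def walk_strings(node, path=""):
    """Yield (json_path, value) for every string leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def audit(manifest_json: str):
    """Return a list of (severity, resource_name, message) findings for the manifest."""
    findings = []
    manifest = json.loads(manifest_json)
    for res in manifest.get("resources", []):
        name = res.get("name", "?")
        if res.get("type") == "security_group":
            for rule in res.get("ingress", []):
                if open_to_world(rule.get("cidr", "")):
                    # Public web ports are often intentional; anything else open to the
                    # world (SSH, RDP, databases) is the "wide open" exposure the report counts.
                    severity = "medium" if rule.get("port") in (80, 443) else "high"
                    findings.append((severity, name,
                                     f"ingress port {rule.get('port')} open to {rule['cidr']}"))
        # Hardcoded private keys anywhere in the resource definition.
        for path, value in walk_strings(res):
            if PRIVATE_KEY_RE.search(value):
                findings.append(("high", name, f"private key material embedded at {path}"))
        # Credential-looking environment variables carrying a literal value.
        for key, value in res.get("env", {}).items():
            if (CREDENTIAL_NAME_RE.search(key) and isinstance(value, str)
                    and not SECRET_REF_RE.match(value)):
                findings.append(("high", name, f"plaintext credential in env var {key}"))
    return findings


if __name__ == "__main__":
    for severity, resource, message in audit(SAMPLE_MANIFEST):
        print(f"[{severity}] {resource}: {message}")
```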
Commenting on the report, Matt Yonkovit, chief experience officer at Percona, said: “The best approach here is to have an audit to check that your best practices are in place and being followed. This can help show where security steps are missing, and you can then put them in place where needed. Over time, you can check that all your responsibilities around data backup, security and management are done correctly.
“It’s less about the department and more about the situation. Security problems can be caused by people who are underqualified, using complex and powerful tools they don’t fully understand or haven’t enough experience with. Easy access to technology can give users a false sense of security, and a misconception that because it is backed by a big name, it must be tested, trusted, and fail-safe.”
Greg Martin, general manager for security at Sumo Logic added: “Increasingly organizations are experiencing serious data breaches due to basic cloud vulnerabilities such as this study highlights. Developers and security teams need to focus on awareness and training for common cloud security issues and more importantly automation to audit and identify gaps and vulnerabilities as they arise. Cloud security is the new frontier and most organizations are significantly lagging behind.”
Last month it was revealed that 260,000 actors had their personal data exposed due to a cloud misconfiguration error on a server belonging to a New Orleans-based casting agency.
Over four in 10 (42%) organizations take disciplinary action against employees who make cybersecurity errors, which puts them at greater risk of attack, according to a new study by CybSafe.
In a survey of UK businesses, it was found that mistakes such as falling for simulated phishing scams are regularly punished. This includes naming and shaming employees (15%), decreasing access privileges (33%) and locking computers until appropriate training has been completed (17%). Additionally, 63% of organizations will inform the employees’ line manager when cyber-mistakes are made.
As part of the research, CybSafe conducted a lab-based experiment to test the impact of these kinds of punishments. It found that doing so has a “highly detrimental” impact on staff, with punishments increasing anxiety levels and reducing productivity. The findings suggest punishments may have a long-term impact on employees’ mental health and actually reduce their cyber-resilience.
Dr John Blythe, head of behavioural science at CybSafe, commented: “People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links. Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing.”
“Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and scepticism about cybersecurity.”
Blythe added that this kind of approach may make staff more reluctant to report cybersecurity errors quickly, putting organizations in more danger.
Dr Matthew Francis, executive director at CREST, said: “The findings have highlighted how some well-meaning organizations are negatively impacting their cyber-resilience by ‘outing’ or reprimanding individuals and that cybersecurity errors can serve as positive opportunities to educate people, to trigger long-term and sustained changes in security awareness and behavior.”
Michigan's largest healthcare provider, Beaumont Health, has warned around 6,000 patients that their data may have been exposed following a cyber-attack.
In April, the organization started notifying 112,211 individuals that some of their personal health information (PHI) had been exposed. The warning came after a data breach that occurred in late 2019 resulted in some email accounts being compromised.
Beaumont responded by improving its multi-factor authentication software, conducting risk analysis, and providing additional employee training on spotting malicious email.
On June 5, Beaumont Health finished investigating a second data breach in which email accounts were accessed by unauthorized individuals between January 3, 2020, and January 29, 2020.
Emails within the compromised accounts contained PHI that included names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers.
The healthcare provider stated that while the email accounts had been compromised, no evidence had been discovered to suggest that any emails or attachments associated with the accounts had been viewed or copied.
To date, no reports have been received by Beaumont that indicate any of the exposed patient data has been misused.
Beaumont privacy officer Kelly Partin told the Detroit Free Press that a small number of employees had fallen victim to a phishing scam with the result that six email accounts were compromised.
The incident was detected through routine monitoring carried out in January 2020. Beaumont subsequently launched an investigation that concluded on June 5 that one or more of the accessed email accounts contained patient PHI.
“However, out of an abundance of caution, we are issuing notices to anyone whose information may have been contained in the accessed accounts," said a Beaumont spokesperson.
The individuals impacted by the incident represent just 0.3% of Beaumont's 2.3 million patients. Notifications were issued on July 25, and impacted patients were warned to monitor their bank accounts and insurance statements for fraudulent transactions.
Beaumont said that immediately after the latest breach was detected, steps were taken to disable the email accounts involved and perform password resets.
The Federal Bureau of Investigation has issued a warning to online shoppers after a rise in the number of Americans not receiving items purchased on the internet.
In a statement published yesterday, the FBI said that an increasing number of victims are being directed to fraudulent websites via social media platforms and popular online search engines.
Complainants reported that orders placed through these sites didn't turn up or that they only received disposable face masks from China, regardless of what they had purchased.
"Some victims who complained to the vendor about their shipments were offered partial reimbursement and told to keep the face masks as compensation," said the FBI.
All attempts made by the victims to be fully reimbursed, or to get a hold of the actual items they had ordered, were unsuccessful.
The scammers used a private domain registration service to avoid their personal information being published in the Whois public internet directory. Instead of ".com", the malicious sites used the internet top-level domains (TLDs) ".club" and ".top".
To appear authentic, the retail websites included content copied from legitimate sites. Many provided valid but unassociated US addresses and telephone numbers under a “Contact Us” link, misleading users to believe the retailer was located within the United States.
Victims were lured with the promise of low prices on items currently in high demand due to lockdown measures introduced to slow the spread of the novel coronavirus. Goods that feature in the complaints received by the FBI include gym equipment, small appliances, tools, and furniture.
The FBI stated: "Victims reported they were led to these websites via ads on social media platforms or while searching for specific items on online search engines’ 'shopping' pages. Victims purchased items from these websites because prices were consistently lower than those offered by other online retail stores."
Reesha Dedhia, security evangelist at PerimeterX, noted: “In addition to ads on social media platforms and search engines, we have also recently seen a scam from browser extensions that involves redirecting a shopper’s browser to a bunch of malicious domains and websites with the goal of stealing a user’s data and displaying malicious ads."
Internet users have named Facebook as the online platform that poses the biggest security risk to their personal data.
A survey conducted by Australia's Edith Cowan University found that 68% of respondents believed their data to be insecure on Facebook. Instagram and Twitter were viewed as risky by 65% and 57% of respondents, respectively.
Social media was seen as far more dangerous in terms of data security than other online platforms. While 28% of respondents believed their data wasn't safe on email and 27% said the same about online health portals, only 14% reckoned online banking poses a risk.
Millennials were the most mistrustful of Facebook, with 73% labeling the platform as insecure. By contrast, baby boomers were most suspicious of Instagram, with around 72% believing use of the image-led platform to be risky.
The study surveyed 1,130 people from Europe, the United States, and Australia "to see how safe people feel in their highly wired lives and what they're doing to keep themselves safe."
More than half of respondents (59%) said that the most dangerous feature to personal privacy was location sharing. Other features that gave users a bad feeling were facial recognition and fingerprint ID.
The most common measures people have taken to protect themselves from hacking were using antivirus protection software (66%), using two-step password authentication (59%), setting up strong security questions (50%), and using unique passwords for different accounts (48%).
Interestingly, the proportion of survey respondents who worried about being hacked was low.
Researchers wrote: "About 25% of Americans voiced concern about the possibility, compared to 26% of Australians and 29% of Europeans participating in our survey. Nevertheless, 70% of respondents still said they believe data privacy is important, and they do believe their devices could be hacked."
Baby boomers were found to be the generation most opposed to government monitoring and the generation most likely to use antivirus protection software (78% of all respondents). The youngest tech users—members of Generation Z—were the least likely, at 57%.
"Instead, they tended to use two-step password authentication the most, although only 64% of Gen Z users have done so," noted researchers.
Ransomware can be dealt with more effectively if security teams have a clearer view of suspect behavior on the network.
Speaking to Infosecurity, Sophos chief product officer Dan Schiappa and principal research scientist Chester Wisniewski said a lot of issues can be dealt with if they detect how tools are being used in an unpredictable manner. Wisniewski said: “So if you see Powershell or a scanner running outside of planned maintenance, or IT needs permission to run a sniffer, those are easy to detect and if the SOC knows when maintenance is happening, they know it is bad.
“This requires discipline, and while most companies don’t have a SOC, these need to be investigated and looked into, and this is most challenging for companies.”
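The detection Wisniewski describes, admin tooling such as PowerShell, a scanner or a sniffer starting outside a planned maintenance window, is shown below as an added Python example that is not Sophos code. The process-start log format, the watched process names and the maintenance schedule are all constructed assumptions for the example.

```python
"""Flag admin tooling (PowerShell, scanners, sniffers) that starts outside planned maintenance."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed maintenance schedule (hypothetical): weekday index -> (start, end) in local time.
# Monday is 0; the example assumes maintenance runs Saturday 22:00 through Sunday 06:00.
MAINTENANCE_WINDOWS = {
    5: (time(22, 0), time(23, 59, 59)),   # Saturday night
    6: (time(0, 0), time(6, 0)),          # Sunday early morning
}

# Process names the SOC treats as admin tooling that should only run during maintenance.
WATCHED_PROCESSES = {"powershell.exe", "pwsh.exe", "nmap.exe", "wireshark.exe", "tcpdump"}

# Constructed process-start events in an assumed format:
# "<iso-timestamp> host=<h> user=<u> proc=<image> cmd=<rest of command line>"
SAMPLE_LOG = [
    "2020-07-25T22:30:00 host=fs01 user=CORP\\itadmin proc=powershell.exe cmd=Get-Service",
    "2020-07-28T14:12:09 host=ws42 user=CORP\\jdoe proc=powershell.exe cmd=Get-ADUser -Filter *",
    "2020-07-28T14:15:40 host=ws42 user=CORP\\jdoe proc=nmap.exe cmd=-sn 10.0.0.0/24",
    "2020-07-28T14:20:00 host=ws42 user=CORP\\jdoe proc=excel.exe cmd=report.xlsx",
    "2020-07-26T03:00:00 host=fs01 user=CORP\\itadmin proc=tcpdump cmd=-i eth0",
]


@dataclass
class ProcessStart:
    ts: datetime
    host: str
    user: str
    process: str
    cmdline: str


def parse_line(line: str) -> ProcessStart:
    """Parse one constructed log line; the command line may itself contain spaces."""
    head, _, cmd = line.partition(" cmd=")
    ts_str, host, user, proc = head.split(" ")
    return ProcessStart(
        ts=datetime.fromisoformat(ts_str),
        host=host.split("=", 1)[1],
        user=user.split("=", 1)[1],
        process=proc.split("=", 1)[1].lower(),
        cmdline=cmd,
    )


def in_maintenance(ts: datetime) -> bool:
    """True when the timestamp falls inside a scheduled maintenance window."""
    window = MAINTENANCE_WINDOWS.get(ts.weekday())
    if window is None:
        return False
    start, end = window
    return start <= ts.time() <= end


def flag_suspicious(lines):
    """Return the watched-tool starts that happened outside any maintenance window."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event.process in WATCHED_PROCESSES and not in_maintenance(event.ts):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious(SAMPLE_LOG):
        print(f"{alert.ts.isoformat()} {alert.host} {alert.user} started "
              f"{alert.process} outside maintenance: {alert.cmdline}")
```

The same skeleton extends naturally to a per-host or per-user allow list, so that the SOC knows when a given run was expected and treats everything else as worth a look, which is the discipline the quote is calling for.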
As Sophos publishes a multi-part research series on the realities of ransomware, Wisniewski said that the state of cybersecurity means we worry less about our parents' laptop than we did ten years ago, as there is less Flash and Java use, but if you are targeted with ransomware “it is a bad day and you never find out the truth on how [the attacker] got in and hard to learn from mistakes.”
Schiappa said there is more of a nation-state approach being taken by the adversary, who is more hands-on, using existing tools, doing reconnaissance and finding out which data they can ransom. He said the best detection strategy is a combination of AI used in a variety of ways, including running deep learning neural network models, coupled with human intelligence.
“Look at endpoint detection and response (EDR) for example, it is learning to look for indicators of compromise and a certain chain of events that allows the analyst to scale quickly,” he said.
Among the new research by Sophos, a detailed look at new detection evasion techniques used by the WastedLocker ransomware reveals that the Windows Cache Manager and memory-mapped I/O are leveraged to encrypt files. In particular, it uses memory-mapped I/O to encrypt a file, making it harder for behavior-based anti-ransomware solutions to keep track of what is going on.
Wisniewski said the likes of WastedLocker take evasive tactics to a new level, finding ways to bypass behavioral anti-ransomware tools. “This is the latest example of attackers getting their hands dirty, using new maneuvers to manually disable software as a precursor to a full blown ransomware attack.
“The longer attackers are in the network, the more damage they can inflict. This is why human intelligence and response are critical security components to detect and neutralize early indicators that an attack is underway. Organizations need to know about escalating trends and harden their perimeter by disabling remote access tools like RDP whenever possible to prevent crooks from gaining access to the network, a common denominator in many ransomware attacks that Sophos analyses.”
Wisniewski called WastedLocker the most sophisticated attack he had seen outside of those used by nation states. “Not only successful as a large dollar game, but WastedLocker is investing in being as silent as possible.”
Google has taken extreme steps to prevent major interference in the 2020 US Presidential election, by blocking ads that contain hacked political content.
The move appears designed to prevent a re-run of the lead-up to the last election, when damaging materials were leaked online by Russian hackers and then published and republished by third-party sites to help scupper Democrat hopes.
Twitter has since 2018 banned the spread of all hacked content on its platform including anything political-related.
The Google Ads Hacked political materials policy will officially be launched on September 1, 2020 and applies first to ads covered by the tech giant’s US election ads policy.
It said the rules apply to the following:
“Ads that directly facilitate or advertise access to hacked material related to political entities within scope of Google's elections ads policies. This applies to all protected material that was obtained through the unauthorized intrusion or access of a computer, computer network, or personal electronic device, even if distributed by a third party.”
However, Google will allow “discussion of or commentary on” any hacked content as long as the ad or landing page doesn’t allow direct access to it.
Any entity violating the policy will be notified seven days before their account is suspended.
Google also announced a policy to ban advertisers that try to conceal their identities whilst promoting social, political and other issues.
This follows an announcement last November that it was restricting political advertising to ban deepfake content and “ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.”
It has also limited targeted advertising to “age, gender, and general location.”
However, reports suggest that even with these new steps, US tech giants are fighting a losing battle against misinformation ahead of the election, which could be the most divisive and hotly contested in living memory.
NGOs and other organizations with limited resources can now build their own Android apps designed to bypass censorship filters in China and beyond, thanks to rights group GreatFire.org.
On Monday, the China-focused anti-censorship group launched its new GreatFire AppMaker tool, allowing any organization that uses it to effectively unblock its content behind the Great Firewall and in other autocratic states.
GreatFire co-founder, Charlie Smith, told Infosecurity that the tool is based on the group’s “Collateral Freedom” approach.
This relies on hosting content on major cloud services such as AWS that are too economically important for censors to block outright, and serving it over HTTPS so that censors cannot block individual URLs; in effect, they would have to cut off AWS entirely for every user inside China.
Organizations that want to build their own censorship-busting app first visit the AppMaker website, choose a name for the app, specify the web page from which the app will load its content, and upload an image file to serve as the app icon.
“Click ‘Submit’ after adding the information above. GreatFire will then start to compile (create) your Android app based on this information (this process will take no more than five minutes),” the group explained.
“Once the app has been compiled, a download link for the app’s Android Package (APK - or the actual software for the app) will appear. Once downloaded, your app can be installed on any Android device and be made available to others so that they can install the app.”
The Human Rights Foundation (HRF) has already created an app via the tool, which also draws inspiration from GreatFire’s own FreeBrowser app.
“It is time for the Chinese government's Great Firewall to come tumbling down,” said Jenny Wang, strategic advisor at the HRF. “Along with our friends at GreatFire, we stand dedicated to beating Chinese censorship - one phone at a time.”
Ransomware-as-a-service (RaaS) group NetWalker has made $25 million in just a matter of months, according to new research from McAfee.
The ransomware is run on an affiliate model: the operators build custom versions of the malware and invite distributors (affiliates) to deploy it, with the affiliates keeping a cut of around 80% of the proceeds.
By monitoring Bitcoin addresses under the control of NetWalker actors, McAfee was able to observe 2,795 BTC flowing to the attackers between March 1 and July 27, 2020.
“Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organisations for large amounts of money,” the report noted.
“All this at a time when many sectors are struggling because people are sheltering in place and governments are trying to keep businesses from going bankrupt. NetWalker is making millions off the backs of legitimate companies.”
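The figure above comes from watching a set of attacker-attributed addresses over a date window. The added example below (not McAfee's tooling) shows the aggregation and the caveat a practitioner needs: once the 80/20 split moves coins between operator and affiliate addresses that are all in the watched set, a naive sum of outputs to watched addresses counts the same ransom twice. All addresses, amounts and transactions are constructed.

```python
from datetime import date, datetime
from decimal import Decimal

# Added example (not McAfee's tooling). Addresses and transactions are
# constructed; WATCHED stands in for addresses attributed to the operators
# and their affiliates. The window matches the one quoted in the report.
WATCHED = {"bc1qransom01", "bc1qransom02", "bc1qaffiliate01"}
WINDOW_START, WINDOW_END = date(2020, 3, 1), date(2020, 7, 27)

SAMPLE_TXS = [
    # txid, block time, input addresses, outputs as (address, BTC)
    {"txid": "tx01", "time": "2020-02-20T10:00:00", "inputs": ["bc1qvictimA"],
     "outputs": [("bc1qransom01", Decimal("30.0"))]},                      # before window
    {"txid": "tx02", "time": "2020-03-05T14:12:00", "inputs": ["bc1qvictimB"],
     "outputs": [("bc1qransom01", Decimal("50.0")), ("bc1qvictimBchg", Decimal("0.4"))]},
    {"txid": "tx03", "time": "2020-04-11T09:00:00", "inputs": ["bc1qvictimC"],
     "outputs": [("bc1qransom02", Decimal("120.5"))]},
    {"txid": "tx04", "time": "2020-04-12T09:00:00", "inputs": ["bc1qransom02"],
     "outputs": [("bc1qaffiliate01", Decimal("96.4")), ("bc1qransom02", Decimal("24.0"))]},  # 80/20 split
    {"txid": "tx05", "time": "2020-07-27T23:59:00", "inputs": ["bc1qvictimD"],
     "outputs": [("bc1qaffiliate01", Decimal("10.0"))]},
    {"txid": "tx06", "time": "2020-07-28T00:01:00", "inputs": ["bc1qvictimE"],
     "outputs": [("bc1qransom01", Decimal("70.0"))]},                      # after window
]


def _in_window(tx, start, end):
    return start <= datetime.fromisoformat(tx["time"]).date() <= end


def naive_inflow(txs, watched, start, end):
    """Sum every output paid to a watched address. Overstates revenue because
    transfers between watched addresses (the operator/affiliate split) are
    counted again on top of the original ransom payment."""
    return sum((v for tx in txs if _in_window(tx, start, end)
                for a, v in tx["outputs"] if a in watched), Decimal(0))


def external_inflow(txs, watched, start, end):
    """Sum only outputs to watched addresses whose inputs come from outside the
    watched set, i.e. fresh payments such as ransoms, not internal shuffling."""
    total, per_tx = Decimal(0), {}
    for tx in txs:
        if not _in_window(tx, start, end):
            continue
        if any(a in watched for a in tx["inputs"]):
            continue                      # watched -> watched: already counted
        amt = sum((v for a, v in tx["outputs"] if a in watched), Decimal(0))
        if amt:
            per_tx[tx["txid"]] = amt
            total += amt
    return total, per_tx


def report(txs=SAMPLE_TXS, watched=WATCHED, start=WINDOW_START, end=WINDOW_END):
    ext, per_tx = external_inflow(txs, watched, start, end)
    return {"naive_btc": str(naive_inflow(txs, watched, start, end)),
            "external_btc": str(ext),
            "ransom_txids": sorted(per_tx)}


if __name__ == "__main__":
    print(report())
```

On the constructed ledger the naive sum reports 300.9 BTC for the window while only 180.5 BTC actually entered from victims; the rest is the split in tx04 being counted a second time. Real clustering also has to handle change outputs back to a victim's own wallet and coins that leave the watched set to an exchange, which the example deliberately leaves out.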
The group's success appears to stem from the tactics it has adopted over the past few months.
Although it first appeared in August 2019, NetWalker has more recently adopted the RaaS model and begun recruiting affiliates with strong technical expertise in targeted intrusions and data theft, of the kind practised by Maze, REvil, Ryuk and other groups.
Underground advertising, in particular by a threat actor known as "Bugatti," announces updates to the ransomware and recruits affiliates capable of compromising whole corporate networks rather than individual end users, McAfee said.
Attacks typically begin with spear-phishing emails, exploitation of vulnerable Tomcat and WebLogic servers, or compromise of RDP endpoints protected by weak passwords, McAfee said.
Like several of its peers, the group publishes stolen data on a dedicated leak site, with an entry for each corporate victim that refuses to pay the ransom.
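The weak-password RDP entry point mentioned above is the one a defender can catch in authentication logs before any ransomware runs. The added example below (not from McAfee's report) runs a sliding-window brute-force detector over constructed, syslog-style flattenings of Windows Security events 4625 (failed logon) and 4624 (successful logon). The line format, thresholds and IP addresses are assumptions; real deployments read the events from the event log or a SIEM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example; not McAfee's detection content. Lines are constructed in a
# simplified, syslog-style flattening of Windows Security events 4625 and
# 4624. Source IPs are documentation ranges, not real attackers.
SAMPLE_LOG = """\
2020-06-02T03:00:00 EventID=4625 LogonType=3 TargetUser=svc_backup SrcIP=192.0.2.9
2020-06-02T03:14:01 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2020-06-02T03:14:09 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2020-06-02T03:14:17 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2020-06-02T03:14:25 EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2020-06-02T03:14:33 EventID=4625 LogonType=10 TargetUser=backupadmin SrcIP=203.0.113.7
2020-06-02T03:14:41 EventID=4625 LogonType=10 TargetUser=backupadmin SrcIP=203.0.113.7
2020-06-02T03:15:00 EventID=4625 LogonType=3 TargetUser=svc_backup SrcIP=192.0.2.9
2020-06-02T03:15:02 EventID=4624 LogonType=10 TargetUser=backupadmin SrcIP=203.0.113.7
2020-06-02T03:20:00 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.5
2020-06-02T03:20:30 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.5
2020-06-02T03:21:00 EventID=4624 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.5
2020-06-02T03:30:00 EventID=4625 LogonType=3 TargetUser=svc_backup SrcIP=192.0.2.9
2020-06-02T03:45:00 EventID=4625 LogonType=3 TargetUser=svc_backup SrcIP=192.0.2.9
2020-06-02T04:00:00 EventID=4625 LogonType=3 TargetUser=svc_backup SrcIP=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$")


def parse_events(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not logon events
        yield {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
               "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Per source IP, keep a sliding window of failed logons. Alert once when a
    source reaches `threshold` failures inside `window`, and again if that
    source then logs on successfully over RDP (LogonType 10)."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        # With Network Level Authentication enabled, a failed RDP logon is
        # recorded as LogonType 3 rather than 10, so both types are counted.
        if ev["lt"] not in (3, 10):
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # expire failures outside the window
        if ev["eid"] == 4625:
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"rule": "logon_bruteforce", "src_ip": ev["ip"],
                               "time": ev["ts"].isoformat()})
        elif ev["eid"] == 4624 and ev["lt"] == 10 and len(q) >= threshold:
            alerts.append({"rule": "rdp_bruteforce_success", "src_ip": ev["ip"],
                           "user": ev["user"], "time": ev["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, 203.0.113.7 trips the threshold on its fifth failure and then produces the higher-severity success alert when `backupadmin` authenticates; 198.51.100.5 (two typos then a success) and 192.0.2.9 (failures spaced fifteen minutes apart, so never five inside the window) stay quiet. The success alert is the one worth paging on, since it marks the moment the weak password was guessed.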
A malware author has pleaded guilty to conspiracy for his role in a transnational cybercrime organization responsible for stealing over $568m.
Valerian Chiochiu, a.k.a. “Onassis,” “Flagler,” “Socrate,” and “Eclessiastes,” admitted being involved with one of the largest cyber-fraud enterprises ever created that victimized Americans in all 50 states and millions globally.
The 30-year-old Moldovan national was living in the United States when he conspired with the Infraud Organization. During the course of its seven-year history, Infraud inflicted approximately $2.2bn in intended losses, and more than $568m in actual losses, on a large number of financial institutions, merchants, and private individuals.
Under the slogan “In Fraud We Trust,” this internet-based cyber-criminal enterprise engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband.
Infraud directed traffic and prospective buyers to the automated vending sites of its more than 10,000 members, which served as online storefronts for malware, stolen financial and banking information, stolen means of identification, and other illicit goods.
According to the indictment, Chiochiu provided guidance to Infraud members on the development, deployment, and use of malware as a means of harvesting stolen data. As part of his plea agreement, Chiochiu admitted to authoring a strain of malware known to the computer security community as “FastPOS.”
Chiochiu's guilty plea was given on July 31 before US District Court Judge James C. Mahan in the District of Nevada. The admission came just over a month after the Russian co-founder and administrator of Infraud, Sergey Medvedev, separately pleaded guilty on June 26.
According to the indictment, Infraud was created in October 2010 by Medvedev and Svyatoslav Bondarenko, a.k.a. “Obnon,” “Rector,” and “Helkern,” 34, of Ukraine. Bondarenko remains at large.
Sentencing for Chiochiu is scheduled for December 11.
Special Agent in Charge Francisco Burrola for the US Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) Las Vegas Office said: “While criminal operators may continue to grow the reach of their criminal activity, ultimately they do not escape the reach of law enforcement."
Kentucky's unemployment system appears to have suffered its second data breach in four months after a claimant reported being able to view another claimant's personal data.
The claimant who reported the alleged breach logged on to the Office of Unemployment Insurance's (OUI) online system on July 27 to work on their unemployment application. While entering their own details, they were able to view information about another claimant's former employer and health.
A statement released on July 29 by the Labor Cabinet said that the claimant who reported the alleged breach was not shown the other claimant's name, Social Security number, or other personally identifying information.
The statement read: "On July 27, 2020, at approximately 4 p.m., the Office of Unemployment Insurance ("OUI") learned that a claimant (Claimant A) had seen information pertaining to another individual (Claimant B) while Claimant A was navigating his own unemployment application in the OUI online system. Specifically, as he was navigating his application, Claimant A saw information about Claimant B's former employer, as well as information pertaining to Claimant B's health."
The cabinet said that OUI was "reporting this potential breach out of an abundance of caution" while the allegations are investigated by the Office of Technology Services.
On July 28, the fired former director of Kentucky’s unemployment office told a panel of lawmakers that officials at the Education and Workforce Development Cabinet took no action for a day following reports that claimants had been able to log in to the OUI system and see other people's sensitive information.
Muncie McNamara was hired to run the unemployment office in December but lost his job in May after months of reported backlogs in the system. McNamara said an email he sent to the IT department on April 22 about a possible breach received no response.
J.T. Henderson, a spokesman at the Cabinet for Education and Workforce Development, said the only “verifiable” claims of a data breach were received on April 23.
Following the April data breach, 53,029 Kentuckians who filed unemployment claims between March 1 and April 23 were notified that their data may have been exposed.
Kentucky's current unemployment rate is 4.3%, with nearly 83,000 Kentuckians registered as unemployed in June 2020.
Cyber-criminals are redirecting their attacks from the travel and hospitality industry to the computer and IT sector.
According to new research by Specops Software, four in five businesses in the computer and IT sector have seen an increase in cybercrime threats since COVID-19 made working from home the new normal, a higher proportion than in any other sector surveyed.
While cyber-attacks on the travel and hospitality sector have also risen since the pandemic began, the increase there was the smallest of any industry.
The findings were the result of a survey that asked 2,043 business owners across 11 different sectors how many cybercrime threats or attempts they had experienced since making the switch to remote working.
More than half of all businesses (54%) reported an increase in cyber-attacks while working from home. Even so, just over half (52%) of businesses across all sectors said they were considering making remote working permanent for their employees after COVID.
Asked which type of attack had increased the most, respondents in every sector answered phishing. The attack most businesses were concerned about was ransomware: 96% of businesses were worried about ransomware, 74% said crypto-jacking was a concern and 67% feared phishing.
Despite 78% of computer and IT businesses reporting that they had experienced an increase in cyber-attacks, 85% of businesses in this sector said that they might introduce permanent remote working. By contrast, just 23% of businesses in the travel and hospitality sector were considering making working from home permanent and 31% reported a rise in the number of cyber-attacks they had experienced.
More than 7 in 10 (73%) businesses in the medical and health sector reported an increase in cybercrime threats since lockdown began, with many experiencing sophisticated malware attacks in recent months.
Researchers wrote: "Although hackers have promised no more healthcare attacks, the sector is still highly vulnerable and concerned about future attacks. This is one of the reasons only 32% of businesses in this sector would consider remote working for employees."
Havenly has become the latest online firm to suffer a serious breach of customer data after hackers published the information for free on the dark web.
Notorious dark web trader ShinyHunters was spotted last week posting the data of nearly 1.4 million accounts online.
The data is said to be part of a much larger trove of 386 million records, including data from customers of Dave, Promo and HomeChef, which had previously been disclosed.
According to breach notification site HaveIBeenPwned, the Havenly data includes email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes, a fast general-purpose hash that offers little resistance to offline cracking.
However, an email to customers from the interior design company last week failed to mention the compromise of personal data at all, instead focusing on the fact that no financial details were disclosed.
“We are working with external security experts to investigate this matter. However, in the meantime, out of an abundance of caution, we are logging all existing customers out of their Havenly accounts and asking our customers to reset their password when they next log in to the Havenly website,” the email said.
“As a best practice, we also encourage all of our customers to use different passwords across all online services and applications, and to update those passwords now and on a regular basis.”
According to HaveIBeenPwned, the breach itself took place over a month ago, on June 25, with the personal customer data “subsequently shared extensively throughout online hacking communities.”
That means, at the very least, those same customers should be informed of potential phishing and identity fraud risks stemming from the incident.
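The SHA-1 detail from the HaveIBeenPwned listing is the part of this breach that decides how quickly the passwords become usable. The added example below (not Havenly's code) shows why, on constructed rows: a single pass over a wordlist cracks every user who chose a common password, and identical hashes expose shared passwords before any cracking at all. The listing does not say whether a salt was used, so the example assumes the common unsalted case, then shows the hardened alternative of a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library; the work factor is an assumption to tune to your hardware).

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example, not Havenly's code. Rows and wordlist are constructed; the
# breach listing says only "SHA-1 hashes", so the unsalted case is assumed.
WORDLIST = ["password", "123456", "qwerty", "letmein", "havenly2020"]


def sha1_store(password: str) -> str:
    """How a legacy system stores a password: one unsalted SHA-1 digest."""
    return hashlib.sha1(password.encode()).hexdigest()


LEAKED_ROWS = {  # email -> stored SHA-1 hex, as it would appear in the dump
    "a@example.com": sha1_store("123456"),
    "b@example.com": sha1_store("letmein"),
    "c@example.com": sha1_store("123456"),
    "d@example.com": sha1_store("xK9#pq2!Lw7v-unique"),
}


def crack_sha1(rows: dict, wordlist: list) -> dict:
    """Dictionary attack: hash each candidate once and look every row up in
    the result. Cost is O(wordlist), independent of the number of victims."""
    lookup = {sha1_store(w): w for w in wordlist}
    return {email: lookup[h] for email, h in rows.items() if h in lookup}


def shared_passwords(rows: dict) -> dict:
    """Without a salt, users with the same password have identical hashes,
    which leaks that fact even before anything is cracked."""
    groups = defaultdict(list)
    for email, h in rows.items():
        groups[h].append(email)
    return {h: sorted(v) for h, v in groups.items() if len(v) > 1}


# Hardened storage: per-user random salt plus a deliberately slow KDF.
ITERATIONS = 600_000   # assumed work factor; raise as hardware allows


def pbkdf2_store(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


if __name__ == "__main__":
    print("cracked:", crack_sha1(LEAKED_ROWS, WORDLIST))
    print("shared passwords:", shared_passwords(LEAKED_ROWS))
    rec = pbkdf2_store("123456")
    print("same password, different record each time:", rec != pbkdf2_store("123456"))
    print("verify:", pbkdf2_verify("123456", rec), pbkdf2_verify("wrong", rec))
```

The salt defeats the shared-lookup trick, since every user's hash now has to be attacked separately, and the iteration count turns each guess from nanoseconds into a measurable cost; a memory-hard function such as scrypt or Argon2id is the better choice where available. Note that `d@example.com` survives the dictionary pass only because of password choice, which is exactly the customer-side advice in the Havenly email.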
Researchers from the think tank Parliament Street have uncovered a text message scam offering a ‘Free TV License.’
Coinciding with the BBC’s controversial decision to axe the universal free TV license for over-75s, the fraud is designed to steal the personal financial data of victims.
According to the Parliament Street researchers, hundreds of UK consumers have already been targeted by the scam, which begins with a text message to the recipient's phone reading: “Due to COVID-19 we are able to provide one year free of charge TV License service upon application.” The message then prompts the user to visit a fraudulent website that uses official TV license branding.
From there, victims are asked to enter various pieces of personal information including name, date of birth, home address and banking details, which are then stolen.
“This SMS-based phishing attack, otherwise known as a smishing attack, is yet another case of opportunistic cyber-criminals looking to take advantage of unknowing victims during COVID-19,” said cyber-expert Andy Heather, VP, Centrify. “The BBC license fee has been the source of ongoing debate in recent times, and this smishing campaign holds a veneer of legitimacy, just enough to trick some unsuspecting victims into giving away their payment details.”
What’s more, he added, the psychology behind receiving an SMS message is a lot different when compared to receiving an email. “The former is generally considered to be a lot more personable, and thus a smishing attack may catch many individuals off-guard.”
Tim Sadler, CEO at Tessian, commented: “Throughout the pandemic, we’ve seen a spike in phishing attacks whereby hackers impersonate trusted organizations and government agencies, preying on people’s vulnerabilities during these stressful times. In this particular case, hackers are taking advantage of the fact that people are struggling financially in the wake of the pandemic, offering a free TV license, to steal valuable information.”
Sadler explained that awareness of such scams is the first step in defending against them. “Look out for any use of ungrammatical language in the text and if the offer seems too good to be true, then do not click on any links. Visit the official TV licensee website to verify if the offer is real.”