A leading figure in a notorious cybercrime organization has pleaded guilty before a Nevada court to racketeering charges.
Russian national Sergey Medvedev — aka “Stells,” “segmed” and “serjbear” — pleaded guilty to conspiracy charges under the Racketeer Influenced and Corrupt Organizations Act (RICO), according to the Department of Justice (DoJ).
According to the indictment, the InFraud group he was a member of was founded in 2010 by 34-year-old Ukrainian Svyatoslav Bondarenko to be an expert in “carding” — the online trafficking of stolen personal and financial information.
“Under the slogan, ‘In Fraud We Trust,’ the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware and other illicit goods,” the DoJ said.
“It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information and other contraband were permitted to advertise to members.”
By March 2017 there were an estimated 10,900 registered members of InFraud. The DoJ claimed that during its seven-year history it made over $568m from its victims — financial institutions, merchants and individuals.
The group was finally taken down in early 2018 after police in Australia, the UK, France, Italy, Kosovo and Serbia swooped on 13 individuals thought to have key roles in InFraud. An indictment was subsequently released charging 36 suspected members.
Medvedev, 33, was extradited from Thailand after being arrested there during the 2018 international police crackdown.
The news comes just days after another Russian national, Aleksei Burkov, was sentenced to nine years behind bars for operating the Cardplanet website, which sold stolen card data.
The US government has said it will suspend export of sensitive defense technologies to Hong Kong after China passed a controversial national security law in the Special Administrative Region (SAR).
In a brief statement on Monday, commerce secretary Wilbur Ross argued that the new law meant that sensitive US tech may find its way into the hands of the People’s Liberation Army (PLA) or the fearsome Ministry of State Security (MSS), both of which are prolific sources of cyber-attacks on foreign targets.
“Commerce Department regulations affording preferential treatment to Hong Kong over China, including the availability of export license exceptions, are suspended,” he continued.
“Further actions to eliminate differential treatment are also being evaluated. We urge Beijing to immediately reverse course and fulfill the promises it has made to the people of Hong Kong and the world.”
The controversial law was passed unanimously today by China’s rubber-stamp parliament, the National People’s Congress.
It seeks to criminalize activities such as secession and collusion with foreign forces, but many see it as an attempt to muzzle political activists and protesters in the region. The law also flies in the face of the binding “one country, two systems” agreement between China and the UK which intended the SAR to retain its autonomy for 50 years after the handover in 1997.
Judging by Ross’s remarks, the ban on exports of sensitive technologies to Hong Kong is likely to presage a wider revocation of the SAR’s special status under US law, by which it is granted certain preferential economic and trading rights over China.
On Friday, the State Department also imposed visa restrictions on Chinese Communist Party officials accused of undermining Hong Kong’s autonomy.
Beijing’s opaque political system is such that no Hong Kongers have yet even been able to see and read for themselves exactly what the legislation entails.
However, reports suggest it will carry a maximum sentence of life.
Fraudsters are continuing to exploit self-employed people with new variations on already-established COVID-related HMRC phishing scams.
Uncovered by Griffin Law, the latest variation of this attack is now targeting the passport details of self-employed people, along with other information including personal and bank details.
According to Griffin Law, the scam begins with a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.”
The bogus site then asks for several pieces of the user’s sensitive information before also requesting their passport number as ‘verification’ – a new addition to the scam Griffin Law had previously reported.
So far, Griffin Law has ascertained that around 80 self-employed London-based workers have reported receiving this scam to their respective accountant.
Stav Pischits, CEO of Cynance, said: “The COVID-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC.
“All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur.”
It’s therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future, he added.
Chris Ross, SVP, Barracuda Networks, warned that cyber-criminals will continue to exploit any situation to harvest financial data from individuals and see the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information.
“Security awareness is key within the workforce, and it’s vital that all employees are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme.”
More than a third of businesses do not have a ransomware emergency plan in place, or are not aware if one exists within their company.
According to research from Ontrack covering 484 organizations, 39% either did not have a ransomware strategy or were not aware of one, while 26% admitted they couldn’t access any working backups after an attack.
“The threat of ransomware has never been greater,” said Philip Bridge, president of Ontrack. “The fact that only 39% of respondents to our survey have an emergency plan in place for a ransomware attack is shocking. They are gambling with their and their customers’ data.
“It is imperative, now as ever, to ensure your organization has processes and procedures in place to mitigate the impact of any cyber-attack and protect sensitive data,” added Bridge.
As the third anniversary of the NotPetya attacks was marked at the weekend, David Grout, CTO of EMEA at FireEye, said NotPetya highlighted the need for resiliency, backup and preparation, as well as the importance of being able to track and identify the perpetrators and understand their motives.
“In terms of what can be done to mitigate the effects of these attacks, primarily, it is essential that patches are made available quickly and that they are widely adopted. If a discovered vulnerability can be exploited, it is highly likely that threat groups will use it, and continue to do so until it is fixed, inflicting untold damage,” he said.
“The NotPetya attack could have been mitigated by ensuring updates to software were regularly conducted, as well as thorough assessments of a given organization’s security, especially through simulated cyber-breaches.”
Speaking to Infosecurity, BH Consulting CEO Brian Honan said, with ransomware becoming an increasing concern for many organizations, he is seeing more businesses take steps to tackle the threat.
“However, many of these steps focus very much on the preventive aspect of security controls and in particular on ensuring effective anti-virus software is in place. While this is an important element in protecting against ransomware, organizations do need to take a more holistic approach to protecting their businesses and ensuring they can continue to function and recover from an attack should it happen.”
Honan recommended having robust data backup and data recovery strategies in place. “The key is to ensure business resilience in the event of a ransomware attack,” he said. “To achieve this, organizations should incorporate their incident response processes, for all cyber-attacks and not just for ransomware attacks, with their business continuity plan so they can continue to operate, while looking to recover from secure backups.
“A good backup strategy that is regularly reviewed, secured and tested to ensure the data can be recovered is one of the most effective defenses against ransomware.”
The University Of California San Francisco finally confirmed that it had forked over $1.14m to ransomware thieves last week, less than a month after discovering that critical academic data related to its COVID-19 research had been encrypted.
The university said in a statement on Friday that it had detected a security incident affecting some of its School of Medicine servers on June 1. It had quarantined the affected IT systems at the time. The attackers managed to encrypt some of the university's systems with ransomware and demanded a payment. Although the university believed that no patient's medical records were affected, the data was important enough that it was forced to play ball with the criminals. It said:
"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."
UCSF was one of three higher education establishments to be targeted in a single week at the start of June by the Netwalker ransomware gang.
The BBC received a tip that enabled it to drop in on a chat session between UCSF and the criminal gang on the dark web. According to the chat transcript, Netwalker originally asked for a $3m ransom, but UCSF countered, asking them to accept $780,000. The two parties kept haggling, until they agreed on a final sum of $1,140,895. That equated to 116.4 bitcoins, which the university transferred the following day.
Universities are difficult places to protect because the networks are vast and geared toward open information sharing. In September 2019, the UK's National Cyber Security Centre reported that UK universities were at particular risk from nation-state attacks, although most fail to pay much attention. In May last year, Moody's Investors Service warned that universities have numerous campuses and thousands of students along with budgetary constraints, making their cybersecurity effort especially difficult. Its research, sponsored by IBM Security, revealed 101 confirmed data disclosures at US universities in 2017, up from just 15 in 2014.
Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.
The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject "Fault Detection from Message Center," from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.
When the victim opens the .ics file, it proposes a calendar entry displaying the URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft's SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.
Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.
This may be a new campaign, but it is not a new technique. A similar attack cropped up last June, when Kaspersky found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.
This attack shows that cyber-crooks are still using the same attack vectors to deliver their scam material. Cofense also points out that using legitimate domains designed to host user content is a common tactic, and a perennial problem for the likes of Microsoft and Google. It gives the attackers an air of legitimacy because they get to take advantage of these sites' built-in SSL certificates, which add the reassuring green padlock icon to the side of the URL in a browser's address bar.
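The lure described above works because mail gateways inspect the message body but rarely look inside an attached .ics file, whose DESCRIPTION, LOCATION and similar fields can carry a link. The following triage helper is an added example, not Cofense's tooling or code from the original article: it unfolds the iCalendar file (RFC 5545 continuation lines), pulls every URL out of the event properties, and classifies each host as allowlisted, a legitimate user-content host of the kind the story mentions (SharePoint, Google-hosted pages), or external. The sample invite, the `example.org` allowlist and the `USER_CONTENT_HOSTS` list are constructed assumptions; a real deployment would substitute its own domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not a real capture), shaped like the lure in the story:
# a calendar entry whose text carries a link to a page on a content-hosting service.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "SUMMARY:Fault Detection from Message Center\r\n"
    "DESCRIPTION:Security center notice. Review the fault report here: \r\n"
    " https://example-tenant.sharepoint.com/sites/notice/report.aspx\r\n"
    "LOCATION:https://sites.google.com/view/constructed-login-page\r\n"
    "DTSTART:20200701T090000Z\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Assumption: hosts an organization treats as its own and never flags.
DEFAULT_ALLOWLIST = ("example.org",)
# Assumption: legitimate user-content hosts that are commonly abused for lure pages.
USER_CONTENT_HOSTS = ("sharepoint.com", "docs.google.com", "sites.google.com", "drive.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold_ics(text):
    """Undo RFC 5545 line folding: a line starting with one space or tab continues the previous line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_properties(text):
    """Yield (name, value) for each property line; parameters after ';' are dropped.
    Quoted parameter values containing ':' are not handled (rare in mailed invites)."""
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        yield head.split(";", 1)[0].upper(), value


def host_matches(host, suffixes):
    """True when host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url, allowlist=DEFAULT_ALLOWLIST):
    """Return (host, verdict) where verdict is allowed / user-content-host / external."""
    host = (urlparse(url).hostname or "").lower()
    if host_matches(host, allowlist):
        return host, "allowed"
    if host_matches(host, USER_CONTENT_HOSTS):
        return host, "user-content-host"
    return host, "external"


def triage_invite(text, allowlist=DEFAULT_ALLOWLIST):
    """List every URL found in the invite's properties with its host and verdict."""
    findings = []
    for name, value in parse_properties(text):
        for url in URL_RE.findall(value):
            url = url.rstrip(".,;)")  # trailing punctuation from surrounding prose
            host, verdict = classify_url(url, allowlist)
            findings.append({"property": name, "url": url, "host": host, "verdict": verdict})
    return findings


def is_suspicious(text, allowlist=DEFAULT_ALLOWLIST):
    """An invite is worth a closer look if any link points outside the allowlist."""
    return any(f["verdict"] != "allowed" for f in triage_invite(text, allowlist))


if __name__ == "__main__":
    for f in triage_invite(SAMPLE_ICS):
        print(f"{f['property']:<12} {f['verdict']:<18} {f['url']}")
```

The point of the "user-content-host" verdict is the one the article makes: a link on sharepoint.com or google.com is not evidence of legitimacy, because the attacker is borrowing the platform's domain and certificate. Feeding the invite's own properties through a URL check, rather than only the message body, is what closes the gap this campaign relies on.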
ESET is the latest security company to notice a sharp spike in RDP-based hacks over the last few months. The anti-malware company spotted a rise in the number of brute-force attacks using the remote access protocol, and said that cyber-criminals have been using it to distribute ransomware.
The Remote Desktop Protocol is a proprietary Microsoft protocol that allows people to access Windows from outside the network. Companies often leave their RDP ports open without taking proper security measures, ESET warned. That can lead to malware infections.
The company has tied the spike in attacks to the COVID-19 pandemic. With lots of office workers forced to log in from home, RDP has become a common way for them to access machines back at the office, it explained. It distributed a graph showing daily attacks against unique clients rising from just under 30,000 in December to over 100,000 during May.
ESET created a new detection layer that spots repeated login attempts from external environments. It adds offending IP addresses to a blacklist that it uses to protect all of its clients. For that to work, though, companies must enable the Network Level Authentication (NLA) RDP option on their servers. This is something that Microsoft has already recommended in the past as a protection against the BlueKeep worm that emerged last year, which exploited a vulnerability in RDP.
Other things you can do to protect yourself against RDP include disabling it altogether if you don't need it, the company says, or at least creating access control lists that limit the number of users allowed to connect directly over the internet. Use strong, complex passwords for all accounts, along with multi-factor authentication, it advises. If possible, use a VPN gateway to broker all connections from outside your local network. We covered some protection techniques in April.
ESET isn't the only company to have noticed a rise in RDP-based attacks. In March, Shodan noticed an uptick in the number of devices exposing RDP to the internet. A month later, Kaspersky reported the same thing, warning that the number of Bruteforce.Generic.RDP attacks had "rocketed across almost the entire planet" since March.
Exposed RDP problems are so bad that the FBI even warned about it in 2018, and reportedly sent out another warning this month to K–12 schools in the US about an increase in RDP-based ransomware attacks during the pandemic.
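The detection layer ESET describes above (spot repeated login attempts from outside, then blacklist the source) is simple enough to reproduce against your own Windows Security log. The following sliding-window detector is an added example, not ESET's code or anything from the original article: it reads failed-logon records (EventID 4625) as JSON lines, counts failures per source IP inside a time window, and flags an IP the moment it crosses the threshold. The sample records are constructed, the field names are an assumption about how your log shipper serialises events, and treating logon type 3 alongside type 10 as a remote attempt is an assumption noted in the code (with NLA enabled, failed RDP logons are commonly recorded as type 3).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, reduced to the fields this
# example needs (EventID 4625 = failed logon, 4624 = successful logon). Not real telemetry.
SAMPLE_EVENTS = [
    '{"time": "2020-06-29T08:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.10", "user": "administrator"}',
    '{"time": "2020-06-29T08:00:10", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.10", "user": "admin"}',
    '{"time": "2020-06-29T08:00:20", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.10", "user": "backup"}',
    '{"time": "2020-06-29T08:00:30", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.10", "user": "scanner"}',
    '{"time": "2020-06-29T08:00:40", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.10", "user": "guest"}',
    '{"time": "2020-06-29T08:00:50", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.10", "user": "test"}',
    '{"time": "2020-06-29T08:01:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "jsmith"}',
    '{"time": "2020-06-29T08:01:30", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "jsmith"}',
    '{"time": "2020-06-29T08:20:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "jsmith"}',
    '{"time": "2020-06-29T08:21:00", "event_id": 4625, "logon_type": 2, "src_ip": "127.0.0.1", "user": "localuser"}',
]

FAILED_LOGON = 4625
# Assumption: with NLA enabled, failed RDP attempts are commonly recorded as logon type 3
# (Network) rather than 10 (RemoteInteractive), so both count as remote candidates here.
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(lines):
    """Parse JSON-lines records into dicts with a datetime 'time', skipping malformed lines,
    and return them in chronological order (the window logic depends on that)."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"])
        except (ValueError, KeyError, TypeError):
            continue
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(lines, threshold=5, window_minutes=5):
    """Sliding-window detector: an IP is flagged the moment it accumulates `threshold`
    failed remote logons within `window_minutes`. Returns {ip: time_flagged}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for ev in parse_events(lines):
        if ev.get("event_id") != FAILED_LOGON or ev.get("logon_type") not in REMOTE_LOGON_TYPES:
            continue
        ip = ev["src_ip"]
        q = recent[ip]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ev["time"]
    return flagged


def blocklist(flagged):
    """Sorted IPs ready to feed into a firewall deny rule or a shared blocklist."""
    return sorted(flagged)


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"block {ip} (flagged at {when.isoformat()})")
```

Two details matter in practice. The successful 4624 record and the local console failure (logon type 2) are ignored, so a user who mistypes a password at the office does not end up on the blocklist. And the threshold and window are parameters because the right values differ between a bastion host that sees a handful of admins and a terminal server used by an entire remote workforce; the article's advice to put RDP behind a VPN gateway or an access control list shrinks the traffic this detector has to reason about in the first place.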
Malware incidents fell by 23% in 2019 despite an overall increase in security events, according to Orange Cyberdefense in its inaugural Security Navigator report. The findings suggest that businesses have grown investment in technologies that protect themselves from these kinds of threats, leading cyber-criminals to shift to other types of attack.
Of the security events the cybersecurity company analyzed last year, only 22% were classified as malware-related, which compared to 45% in the previous year.
Despite this, out of 263,109 events Orange Cyberdefense uncovered in 2019 from data obtained from its 10 CyberSOCs and 16 SOCs, 11.17% were identified as verified security incidents, representing a 34.4% rise compared to 2018. This is particularly significant considering the total number of events increased by only 3%. The most common incident cause last year was application anomalies, which grew from 36% to 46%.
“The findings don’t mean that malware is no longer a significant threat; far from it,” said Charl van der Walt, head of security research at Orange Cyberdefense. “What it does suggest is that endpoint-centered prevention can significantly reduce the risk to businesses. What we see here is very likely the immediate result of investment in next-gen endpoint protection. While elaborate malware and APTs used in targeted attacks still do pose a serious threat, the skill level of the common cyber-criminal simply does not match up-to-date endpoint protection anymore. That is good news.”
Malware-related incidents were observed to drop off during peak holiday periods in April, mid-July and early December, indicating that cyber-criminals take breaks in these periods in line with businesses.
The report also revealed there was no change in the frequency of cryptomining attacks despite the value of Monero, Ethereum, Litecoin and Bitcoin reaching a new peak in early summer 2019, suggesting this type of threat is in decline. Worryingly however, the number of attacks deemed business-critical doubled to 0.11% in 2019.
A Washington man has been sentenced to 13 months behind bars for his part in developing, using and selling access to DDoS botnets based on the infamous IoT malware Mirai.
Kenneth Currin Schuchman, 22, of Vancouver, was handed his sentence late last week after pleading guilty last September to one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act.
The botnets, known as Satori, Okiru, Masuta and Tsunami/Fbot, were used to compromise hundreds of thousands of connected devices worldwide, according to the Department of Justice.
Schuchman, who went by online aliases including “Nexus” and “Nexus-Zeta,” worked with co-conspirators “Vamp” and “Drake” to build on the Mirai code with new capabilities. His expertise was apparently in finding new vulnerabilities in IoT devices, which could subsequently be exploited to remotely control them.
After being arrested and charged in August 2018, Schuchman is said to have developed another IoT botnet, Qbot, while on supervised release, and also called in a swatting attack on “Vamp’s” home.
Vamp, Drake and UK national “Viktor” have also been charged for their roles in operating and developing the botnets.
“Cyber-criminals depend on anonymity, but remain visible in the eyes of justice,” said US attorney Brian Schroder. “Today’s sentencing should serve as a reminder that together with our law enforcement and private sector partners, we have the ability and resolve to find and bring to justice those that prey on Alaskans and victims across the United States.”
As part of his sentence, Schuchman will be required to serve 18 months of community confinement following his release from prison, and three years of supervised release.
Organizations doing business in China have been warned that official looking software mandated for download by domestic banks may actually contain backdoor malware.
Trustwave explained in a new report that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation.
Although it worked as advertised, the software also contained a powerful backdoor that could not be removed, even if Intelligent Tax was uninstalled.
“It installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (to include ransomware, Trojans or other malware),” explained Trustwave VP of cyber-threat detection and response, Brian Hussey.
“Basically, it was a wide-open door into the network with system-level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.”
He admitted that it remains unclear whether the backdoor was added to the software unbeknownst to the local bank, or if the scheme is one that affects a wide range of businesses across China.
Although the current campaign began in April this year, GoldenSpy variants apparently date back to December 2016, a couple of months after Aisino announced a new ‘big data’ partnership with a company called Chenkuo Network Technology.
That same company digitally signs GoldenSpy using text, “certified software version upgrade service,” designed to legitimize the malware.
Neither Chinese firm had replied to Trustwave at the time of writing.
“We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment and remediation countermeasures, as outlined in our technical report,” concluded Hussey.
An open letter has been sent to UK Prime Minister Boris Johnson, asking for an update to the Computer Misuse Act (CMA) as it marks its 30th anniversary of reaching royal assent.
Coordinated by the CyberUp Campaign, a group of cybersecurity organizations are pushing for an update of the Computer Misuse Act to make it fit for the digital age.
“In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist,” the letter read. “Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”
The letter cited the COVID-19 pandemic, stating that this demonstrates “how reliant modern society is on secure and effective digital technologies.”
It claimed: “The government has committed to investing in the UK’s digital and technology credentials and, as we move beyond the pandemic, we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber-defenders the tools they need to keep Britain safe.”
In the past few years, efforts have been made to bring the CMA up to date, with NCC Group admitting that a lot of the work it does “is hampered by the CMA” and backing reform so that vital threat intelligence work becomes commercially and ethically easier to carry out.
The CyberUp Campaign includes NCC Group, alongside representatives from vendors Digital Shadows, McAfee and Trend Micro, industry trade bodies techUK and CREST, and a number of prominent lawyers, academics and researchers in the field of cybersecurity.
In an email to Infosecurity, Robert Schifreen, who was one of the two people initially charged with accessing the Duke of Edinburgh’s personal message box after gaining access to BT’s Prestel interactive viewdata service, agreed that the CMA “could do with a polish.” However, he also said it is basically fit for purpose, “and I don't see much evidence that researchers are being dissuaded from researching in case their possession of pen test tools results in them being prosecuted.”
He added: “If anyone wants to criticize a key element of the fight against cybercrime, attacking Action Fraud would be more useful than attacking the CMA.”
Over one million North American students have had their data exposed after a popular online learning platform left it in a publicly accessible cloud database, according to vpnMentor.
Researchers from the firm claimed that the Elasticsearch database belonging to provider OneClass was left completely unsecured.
The trove contained over 27GB of data, amounting to 8.9 million records, including many students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.
Although OneClass secured the database just a few days after being notified on May 20 this year, it subsequently claimed that the exposed information was merely test data, according to vpnMentor.
“However, during our investigation, we had used publicly available information to verify a small sample of records in the database,” the researchers continued.
“Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database. Based on this, we doubt the veracity of OneClass’s claim and stand by our assessment.”
It goes without saying that hackers could have crafted highly effective follow-on phishing emails using the exposed data, with a view to obtaining financial details from victims, or even spreading malware.
“Furthermore, OneClass users are very young — including minors — and will generally be unaware of most criminal schemes and frauds online. This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk,” vpnMentor explained.
“With so many students relying on remote learning due to coronavirus, OneClass could be experiencing a surge in new users. Hackers could quickly create fraudulent emails using the pandemic and related uncertainty as a pretext to contact potential victims, posing as OneClass and asking them to divulge sensitive information.”
That’s not to mention the reputational hit to OneClass itself and a potentially significant regulatory compliance burden. Headquartered in Toronto, the firm provides online education resources to millions of students in North America.
US lawmakers have introduced a bill that proposes banning federal law enforcement agencies from using facial recognition and biometric surveillance technology.
The Facial Recognition and Biometric Technology Moratorium Act of 2020 was introduced yesterday by Senators Ed Markey and Jeff Merkley.
If passed into law, the wide-sweeping bill would make federal funding for state and local law enforcement agencies contingent on the implementation of similar tech and surveillance bans.
Markey said the bill would prevent the use of technology that poses a physical threat to minority groups residing in the United States. In the Massachusetts senator's opinion, banning the police from using such tools is the "only responsible thing to do."
“Facial recognition technology doesn’t just pose a grave threat to our privacy, it physically endangers Black Americans and other minority populations in our country,” Markey said in a statement.
“As we work to dismantle the systematic racism that permeates every part of our society, we can’t ignore the harms that these technologies present."
The bill proposes making it unlawful for any federal official or agency to "acquire, possess, access or use” biometric surveillance technology in the United States. It further prohibits the use of federal cash to procure this type of technology.
Use of this type of surveillance technology is not prohibited entirely under the new bill but would only be allowed if exercised with extreme caution and in adherence to a federal law containing a long list of provisions.
Cynics might conclude that the timing of the bill's introduction, in the wake of protests triggered by George Floyd's death and in an election year, was motivated by political gain.
The Pinellas County Sheriff’s Office in Florida has been using FACES (Face Analysis Comparison and Examination System) for two decades. And, according to a 2019 report by the United States Government Accountability Office (GAO), the FBI has logged more than 390,000 facial-recognition searches of federal and local databases since 2011.
Various civil liberties and human rights groups including Amnesty International and the American Civil Liberties Union have been campaigning for surveillance technology to be banned for years on the grounds that it infringes upon people's constitutional freedoms and is marred by racial and gender bias.
A despicable Brit has been jailed after stealing from America's elderly to fund his extravagant millionaire lifestyle.
Fraudster Gareth David Long was sentenced to 70 months in prison for running an elaborate scheme that claimed more than 375,000 victims during a six-month period in 2013.
Las Vegas resident Long operated a third-party processing company V Internet Corp from 2008 to 2013 that specialized in the creation and deposit of remotely created checks (RCCs). Through his work, the 41-year-old had access to the personal and financial information of hundreds of thousands of consumers whose accounts he was trusted to debit.
After he stopped acting as a third-party payment processor in January 2013, Long used the data he had acquired over the previous five years to charge purchases to his victims' accounts.
Not content with the data he had acquired legally and then exploited illegally, Long purchased the information of additional consumers in the form of lead lists.
Over the course of his large-scale wire fraud and identity theft scheme, Long deposited more than 750,000 fraudulent RCCs totaling more than $22m. While approximately half of the checks were immediately reversed by victims’ banks, the unscrupulous criminal nevertheless succeeded in stealing approximately $11m.
When victims called to complain about the charges, Long instructed his employees to pass the charges off as payments authorized by the victims in connection with an online payday loan application. Many of the victims were elderly.
Long used the proceeds of his morally derelict scheme to purchase cars, three airplanes, a fire truck, a ranch, and 23 acres of land in Texas and to pay his personal expenses. He also bought construction and farming equipment.
The US Postal Inspection Service seized more than $2.9m from Long’s company bank accounts. Property that Long purchased with the proceeds of his fraudulent activity, including his cars and planes, was also seized by postal inspectors.
Long pleaded guilty to wire fraud and aggravated identity theft charges. As part of the sentencing hearing, the court ordered Long to forfeit $11.2m and the ranch and land he purchased in Texas.
Jody Hunt, assistant attorney general for the Justice Department’s Civil Division, said: “The defendant exploited his access to sensitive personal and financial information to steal millions of dollars from victims throughout the United States."
A newly detected threat group has stolen an estimated minimum of $200m from cryptocurrency exchanges in just two years.
The dastardly deeds of cyber-criminal organization CryptoCore were discovered by security firm ClearSky Cyber Security. Recently published research by the company revealed that the threat group has been active since at least May 2018, primarily targeting victims in the United States and Japan.
CryptoCore appears to have achieved dizzying heights of financial success despite relying on unsophisticated attack techniques.
"This group is not extremely technically advanced, yet it seems to be swift, persistent, and effective, nevertheless," wrote researchers.
"The CryptoCore group is known for having accumulated a sum of approximately 70mil USD from its heists on exchanges. We estimate that the group managed to rake in more than 200mil USD in two years."
CryptoCore almost exclusively targets cryptocurrency exchanges and companies working with them via supply-chain attacks.
The key goal of the group's heists is to gain access to digital wallets associated with cryptocurrency exchanges, including corporate wallets and wallets belonging to the exchanges' employees. Researchers say that access is gained via spear phishing.
"The group’s key infiltration vector to the exchange is usually through spear phishing against the corporate network," wrote researchers, adding that "the executives’ personal email accounts are the first to be targeted."
The spear phishing is typically carried out by impersonating a high-ranking employee either from the target organization or from another organization with connections to the targeted employee.
Contained within the spear phishing email is a malicious Bitly link that appears to go to a Google Drive folder but actually sends the victim to a landing page controlled by the threat group.
After gaining an initial foothold, the group accesses the victim’s password manager account and steals their crypto-wallet keys.
ClearSky has been tracking the threat group for two years, observing a fairly constant stream of activity, though attacks did slow in the first half of 2020, with researchers attributing the lull to the COVID-19 pandemic.
Despite their prolonged tracking of CryptoCore, researchers were unable to conclusively pinpoint the threat group's origin. Researchers would say only that "we assess with medium level of certainty that the threat actor has links to the East European region, Ukraine, Russia or Romania in particular."
Microsoft has warned Exchange customers to patch their servers urgently after reporting a surge in attacks exploiting an Internet Information Service (IIS) vulnerability.
That flaw, CVE-2020-0688, was patched in February, but servers that have not been updated are still being compromised. With access to the targeted server, hackers often deploy a web shell to steal data or perform other malicious actions in the future, explained Hardik Suri of the Microsoft Defender ATP Research Team.
“If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance,” Suri added.
“This is exacerbated by the fact that Exchange servers have traditionally lacked anti-virus solutions, network protection, the latest security updates and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”
Following a web shell deployment, attackers may perform reconnaissance, perhaps using EternalBlue to identify vulnerable machines on the network. If the server has been misconfigured, they may have gained privileges that enable them to add a new account for persistence.
Compromised Exchange servers can also enable credential access for some of the “most sensitive users and groups in an organization,” said Suri.
Lateral movement, Exchange Management Shell abuse, remote access and exfiltration typically follow, he added.
Apart from applying the latest security updates, Microsoft recommended Exchange server customers keep anti-virus and other protections on at all times, review highly privileged groups, restrict access and prioritize alerts.
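The chain Suri describes (a web shell running inside the Exchange/IIS front end, reconnaissance, then a new account for persistence) leaves a recognisable trail in process telemetry. The script below is an added example, not Microsoft's code or anything from the article: it runs two detection heuristics over constructed process-creation events. The field names, the assumption that Exchange web apps run under the IIS worker process w3wp.exe, and the sample events are all mine; the output is a list of alerts with a severity so they can be prioritised as Microsoft recommends.

```python
"""Detection heuristics for web shell activity on an Exchange/IIS host.

Input is constructed process-creation telemetry (NOT real logs). Field names
are assumptions modelled on the fields most EDR/Sysmon process events carry:
the image, the command line, and the chain of parent images.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IIS worker process that hosts the Exchange web apps (OWA/ECP) - assumption.
IIS_WORKER = "w3wp.exe"
# Interpreters a web shell typically launches to run operator commands.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Built-in tools that create local accounts.
ACCOUNT_TOOLS = {"net.exe", "net1.exe"}


@dataclass
class ProcessEvent:
    host: str
    image: str                 # full path of the new process
    command_line: str
    ancestry: Tuple[str, ...]  # parent, grandparent, ... as image names


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Return one alert per suspicious event.

    Rule 1: a command interpreter whose ancestry includes the IIS worker
            process - the signature of a web shell executing commands.
    Rule 2: a local account being added with `net user ... /add`; rated high
            when it descends from IIS, medium otherwise (admins do this too).
    """
    alerts = []
    for ev in events:
        image = _basename(ev.image)
        ancestors = {_basename(a) for a in ev.ancestry}
        from_iis = IIS_WORKER in ancestors
        cmd = ev.command_line.lower()

        if from_iis and image in SHELL_CHILDREN:
            alerts.append({"host": ev.host, "rule": "iis_spawned_shell",
                           "severity": "high", "command_line": ev.command_line})

        if image in ACCOUNT_TOOLS and " user " in cmd and "/add" in cmd:
            alerts.append({"host": ev.host, "rule": "local_account_added",
                           "severity": "high" if from_iis else "medium",
                           "command_line": ev.command_line})
    return alerts


# Constructed sample telemetry: two malicious events, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("EXCH01", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami",
                 (r"C:\Windows\System32\inetsrv\w3wp.exe",
                  r"C:\Windows\System32\svchost.exe")),
    ProcessEvent("EXCH01", r"C:\Windows\System32\net.exe",
                 "net user svc_backup Constructed1! /add",
                 (r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\inetsrv\w3wp.exe")),
    # An administrator opening PowerShell from the desktop: not flagged.
    ProcessEvent("EXCH01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe",
                 (r"C:\Windows\explorer.exe",)),
    # Normal Exchange service activity: not flagged.
    ProcessEvent("EXCH01", r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe",
                 "MSExchangeHMWorker.exe",
                 (r"C:\Windows\System32\services.exe",)),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts for the constructed data: the interpreter spawned from w3wp.exe and the account creation that descends from it. Real telemetry will need tuning (for example, legitimate Exchange health probes that run scripts), which is why the rules return structured alerts rather than a verdict.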
The GDPR has successfully met its main objectives but work still needs to be done to improve cross-border investigations, increase regulator resources and address fragmented approaches across the EU, according to the European Commission.
The review of the data protection legislation two years on highlights several areas for improvement.
One of the most pressing is the need for harmonization across the region. This is because, although the regulation must be applied across the board, it allows for member states to legislate in some areas and provide specificity in others.
This has led to the “extensive use of facultative specification clauses,” which has made for differences in areas such as the age of children’s consent across different countries, the report claimed.
This could create problems for cross-border business and innovation, especially in tech and cybersecurity innovation, the Commission said.
“A specific challenge for national legislation is the reconciliation of the right to the protection of personal data with freedom of expression and information, and the proper balancing of these rights,” it argued.
“Some national legislations lay down the principle of precedence of freedom of expression, whilst others lay down the precedence of the protection of personal data and exempt the application of data protection rules only in specific situations, such as where a person with public status is concerned.”
Other areas that need continued work include the more efficient handling of cross-border cases and the disparity in “human, financial and technical” resources between many regulators.
This echoes a report issued in April by web browser firm Brave, which claimed that regulators are unable to match the financial might of technology giants like Google and Facebook, which puts them at a distinct disadvantage in investigations.
Only five of Europe’s 28 GDPR regulators have over 10 tech specialists, while half have budgets of under €5m. The UK’s ICO, which is the largest and most expensive watchdog to run, has only 3% of its 680 staff focused on tech issues, the report claimed.
Stewart Room, global head of data protection and cybersecurity at DWF, took issue with the Commission’s claim that GDPR has “successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.”
“A key problem to note is that there is an absence of such evidence on data protection performance levels under the previous legal regime (the 1995 Directive), so, therefore, there isn't a benchmark available to substantiate progress made under the GDPR,” he argued.
“In contrast, reports of personal data security breaches have not run dry, there are still structural problems in the AdTech environment and with the ceaseless progression of developments in technology, such as facial recognition and AI, there have to be doubts about the ability of the law and the regulatory system to keep up speed.”
Thousands of domestic violence victims have had their emergency distress messages exposed after a developer misconfigured a back-end AWS bucket.
Researchers at vpnMentor led by Noam Rotem and Ran Locar found the voice recordings stored on a publicly accessible AWS S3 bucket.
They were traced back to Aspire News, an application built by US non-profit When Georgia Smiled, which features an emergency help section via which domestic abuse victims can send their distress messages. It’s backed by US TV celebrity and clinical psychologist Dr Phil.
In total, the researchers found around 230MB of data, containing around 4000 voice recordings dating back to September 2017. Fortunately, once the researchers notified AWS, it informed the non-profit and the exposure was closed the same day.
However, the data exposed in the voice recordings was highly sensitive, including victims’ full names and home addresses, details of their circumstances and their abusers’ names and personal details.
Domestic violence cases are said to have surged dramatically during lockdown, when abusers are often confined at home with their victims for extended periods.
“Had malicious or criminal hackers accessed these recordings, they could be weaponized against both victims and abusers to pursue blackmail and extortion campaigns,” said vpnMentor.
“The potential devastation caused by such an outcome can’t be overstated, risking the health, emotional wellbeing and safety of all those impacted.”
Cloud configuration errors surged by 80% between 2018 and 2019, according to DivvyCloud by Rapid7.
“This particular instance is a critical reminder of the importance of securing data in the cloud,” said the firm’s co-founder, Chris DeRamus.
“By implementing a proactive and holistic approach to detecting risks and misconfigurations in the cloud in the build process, security lapses can be identified and remediated before data ever has a chance to be exposed.”
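The misconfiguration behind this exposure, and the "detect it in the build process" approach DeRamus describes, can be checked mechanically. The script below is an added example and is not code from vpnMentor, DivvyCloud or the article: it evaluates an S3 bucket's Block Public Access settings, ACL and bucket policy, in the shapes the AWS GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy APIs return, and reports why the bucket is reachable by the public. The two sample configurations are constructed; in practice the same function would be fed API responses or the rendered output of infrastructure-as-code before deployment.

```python
"""Offline check for publicly readable S3 bucket configuration.

Works on the dict/JSON shapes the AWS APIs return (GetPublicAccessBlock,
GetBucketAcl, GetBucketPolicy), so it runs without credentials or network.
The sample bucket configurations at the bottom are constructed.
"""
import json
from typing import Dict, List, Optional

# Predefined S3 groups whose presence in an ACL grants public access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl: Dict) -> List[Dict]:
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json: Optional[str]) -> List[Dict]:
    """Return Allow statements open to everyone with no restricting Condition.

    A statement with a Condition (e.g. aws:SourceIp) may or may not be public;
    those are left for manual review rather than flagged here.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be un-listed
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def assess_bucket(name: str, public_access_block: Optional[Dict],
                  acl: Dict, policy_json: Optional[str]) -> List[str]:
    """Return a list of finding codes; an empty list means no public exposure."""
    pab = public_access_block or {}
    findings = []
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append("public_access_block_incomplete")
    # IgnorePublicAcls neutralises public ACL grants even if they exist.
    if acl_public_grants(acl) and not pab.get("IgnorePublicAcls"):
        findings.append("acl_grants_public_access")
    # RestrictPublicBuckets limits a public policy to the account's principals.
    if policy_public_statements(policy_json) and not pab.get("RestrictPublicBuckets"):
        findings.append("policy_allows_public_access")
    return findings


# Constructed configurations: an exposed bucket beside a hardened one.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
EXPOSED = dict(
    name="example-recordings-bucket",
    public_access_block={k: False for k in PAB_KEYS},
    acl={"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                            "Permission": "READ"}]},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-recordings-bucket/*"}]}),
)
HARDENED = dict(
    name="example-recordings-bucket",
    public_access_block={k: True for k in PAB_KEYS},
    acl={"Grants": [OWNER]},
    policy_json=None,
)

if __name__ == "__main__":
    for cfg in (EXPOSED, HARDENED):
        print(cfg["name"], assess_bucket(**cfg) or ["ok"])
```

The distinction the check preserves is that Block Public Access settings override the other two controls: an ACL that grants AllUsers READ is harmless if IgnorePublicAcls is on, and a `Principal: "*"` policy is contained by RestrictPublicBuckets. Turning all four settings on at the account level is the single change that would have prevented this class of exposure regardless of what the application developer configured on the bucket.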
Police in New Zealand have seized $90m worth of assets belonging to a man wanted for cybercrimes in France and the United States.
Alexander Vinnik allegedly masterminded a Bitcoin laundering ring that handled billions of dollars via a digital currency exchange. He is also wanted for some minor crimes in his native Russia.
Digital cash allegedly laundered by the exchange is believed to have included $4bn in funds stolen from the now defunct Tokyo-based bitcoin exchange Mt. Gox in a cyber-heist.
US authorities assert Vinnik has committed a string of crimes ranging from computer hacking and money laundering to drug trafficking while in control of digital currency exchange BTC-e.
The 38-year-old alleged criminal has declared himself innocent of all the charges made against him, some of which date as far back as 2011. Vinnik maintains that he was merely a technical consultant to BTC-e and was not employed in an operational capacity.
The alleged criminal mastermind was admitted to a French hospital earlier this year after staging a hunger strike to protest his innocence.
Vinnik was arrested in Greece in 2017 on money laundering charges and has since been extradited to France, where he is being held in custody.
French officials charged Vinnik on counts of extortion, aggravated money laundering, conspiracy, and harming automatic data-processing systems.
Zoe Konstantopoulou, a member of Vinnik's defense team, said: "Alexander’s crime is to be Russian and a person with extraordinary technological knowledge that could liberate people economically."
The multi-million-dollar seizure of Vinnik's assets—worth NZ$140m—is the largest restraint of funds in New Zealand Police history.
New Zealand Police Commissioner Andrew Coster said the funds are probably ill-gotten gains pilfered from a slew of victims around the world.
"This restraint demonstrates that New Zealand is not, and will not be, a safe haven for the illicit proceeds generated from crime in other parts of the world," said Coster.
The seizure was a joint effort achieved by close cooperation between the New Zealand Police and the US Internal Revenue Service. New Zealand Police said it has applied to the High Court seeking forfeiture of the funds.
Minnesota software company HelpSystems has acquired two data classification companies in response to “brisk” demands for its security software.
The company said that the addition of Canadian company Titus and British firm Boldon James to its security portfolio establishes HelpSystems as “the leading platform in data classification and meets customers’ needs for a comprehensive, powerful suite of data security options.”
From its headquarters in Ottawa, Titus provides solutions that enable businesses to accelerate their adoption of data protection. The company’s products enable organizations to discover, classify, protect, analyze, and share information.
Titus has millions of users in over 120 countries. Customers of the company include some of the largest financial institutions and manufacturing companies in the world, government and military organizations across the G7 and Australia, and Fortune 2000 companies.
Boldon James is a 30-year-old company based in the small village of Farnborough, just outside of London. HelpSystems’ new acquisition describes itself as an industry specialist in data classification and secure messaging, delivering globally recognized innovation, service excellence, and technology solutions that work.
“Bringing Titus and Boldon James into the HelpSystems family is another step toward our unwavering goal of giving customers the most robust collection of trusted security and automation solutions available, backed by a people-first commitment to long-term customer success,” said Kate Bolseth, CEO, HelpSystems.
“The talent, success, and market-leading solutions that characterize both Titus and Boldon James enrich and expand our ability to help our customers keep their data safe.”
HelpSystems said that the solutions offered by Titus and Boldon James will work in lockstep with its GoAnywhere Managed File Transfer and Clearswift email and web security solutions to ensure sensitive information is classified properly and secured throughout its life cycle.
"Titus fits well with HelpSystems’ security portfolio, and we are thrilled to expand the range of solutions for our customers,” said Jim Barkdoll, CEO, Titus.
“We are confident we have found the right place to continue driving our innovation and business forward.”
CEO of Boldon James Martin Sugden added: “Joining these well-known players in the data security space is the ultimate way to offer global organizations the ability to detect and protect their ever-growing troves of sensitive data.”