A Russian cyber-criminal has been convicted of running a sophisticated digital advertising scam that defrauded American companies out of millions of dollars.
Aleksandr Zhukov used infrastructure spread around the world to trick companies including the New York Times and Comcast into thinking that they were paying for legitimate digital advertising. In reality, Zhukov and his co-conspirators were using coding and domain spoofing to fraudulently obtain revenue.
Zhukov and his co-perpetrators made it appear as though they ran legitimate companies that placed ads in front of real human internet users browsing genuine internet web pages. However, the evidence at trial established that Zhukov and his accomplices faked both the users and the web pages.
Computers they controlled were programmed to load advertisements on spoofed web pages via an automated program. The con defrauded American brands, ad platforms and others in the US digital advertising industry out of more than $7m.
Victims of the scam included household names such as the New York Post, Nestle Purina and Time Warner Cable, as well as the Texas Scottish Rite Hospital for Children.
Zhukov carried out his digital advertising fraud scheme between September 2014 and December 2016 through a purported advertising network named Media Methane.
Media Methane arranged with advertising networks to receive payments in return for placing ad tags on websites. Instead of placing the tags on real publishers’ websites, Media Methane rented more than 2,000 computer servers housed in commercial datacenters in Texas and the Netherlands and used those datacenter servers to load ads on fabricated websites, spoofing over 6,000 domains.
"The defendants programmed the datacenter servers to simulate the internet activity of human internet users: browsing the internet through a fake browser, using a fake mouse to move around and scroll down a web page, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," said the Department of Justice.
When discussing the scheme with one of his co-conspirators, Zhukov referred to himself as the "king of fraud."
Zhukov was arrested in Bulgaria in November 2018 and extradited to the United States in January 2019. On May 28, 2021, after a three-week trial, a federal jury in Brooklyn convicted Zhukov of wire fraud conspiracy, wire fraud, money laundering conspiracy, and money laundering.
A fashion model is suing Baltimore-based law firm Goldberg Segalla for allegedly exposing her personal data when filing records in a different data breach lawsuit.
Stephanie Hoffman claims the firm leaked her information twice on the Public Access to Court Electronic Records (PACER) service, which provides electronic public access to federal court records.
Goldberg Segalla is representing Hoffman's former modeling agency, Major Model Management Inc (MMMI), in an ongoing proposed class-action lawsuit concerning an alleged data breach.
That suit, which was also brought by Hoffman, accuses MMMI of failing to adhere to state laws, industry standards and best practices when collecting and storing the personal information of the models it contracted with.
MMMI is seeking to dismiss Hoffman's lawsuit. In a filing made on February 4, the agency argued that Hoffman either waived her claims in her contract, or that state law does not apply in this case.
Connecticut resident Hoffman, who won Model of the Year at the International Modeling & Talent Association (IMTA) in New York and has modeled multiple times at New York Fashion Week, claims Goldberg Segalla exposed her data in a December 3 filing relating to the MMMI suit.
The plaintiff alleges that her Social Security number, birth date, passport information, home address, cell number, email address and signature were shared by the law firm without redactions in Manhattan federal court.
The filing was sealed by US District Judge Laura Taylor Swain on December 3, but Hoffman claims that Goldberg Segalla re-filed the exhibit later that day and only partially redacted her Social Security number and birth date.
In an eight-page complaint filed in New York County Supreme Court, Hoffman claims her data was exposed until January 29, when the court was asked to seal the partially redacted filing.
Hoffman claims in the suit that she "has been placed at an imminent, immediate, and continuing increased risk of harm from fraud and identity theft."
The model said that she has been told by prospective employers and third-party credit institutions that her Social Security number "is being used for fraudulent criminal activity."
Microsoft has launched a new public-private initiative across south-east Asia designed to improve cyber-threat response and share best practices across the region.
The Asia Pacific Public Sector Cyber Security Executive Council will bring together policymakers from government agencies alongside tech and industry leaders.
As of today, participating governments include Brunei, Indonesia, Korea, Malaysia, the Philippines, Singapore and Thailand.
Microsoft said the council would build on existing efforts to improve cybersecurity partnerships in the region, such as through the Asia-Pacific Economic Cooperation (APEC), the Association of Southeast Asian Nations (ASEAN) and the Global Forum on Cyber Expertise (GFCE).
Government members of the council will join a forum run by Microsoft with other industry advisors.
“The aim of the forum is to share best practices, learn from Microsoft security certification trainings, dedicated workshops, and hands-on lab sessions, with a goal of driving improvements to the digital skills of the workforce to reduce the talent gap in cybersecurity across the participating nations,” Microsoft noted.
“The members of the Asia Pacific Public Sector Cyber Security Executive Council will share experiences and knowledge relating to cyber-threats and will work to drive greater collaboration and cooperation between countries.”
The council will meet virtually every quarter to exchange up-to-date information on cyber-threats and security solutions.
Such efforts have struggled in the past given APAC’s tremendous cultural, religious and economic diversity. Nevertheless, countries such as Singapore and Korea tend to be reasonably advanced in their cybersecurity capabilities.
According to Microsoft, APAC organizations experience 1.6 times more malware and 1.7 times more ransomware than their counterparts in the rest of the world.
However, some pan-regional initiatives have been a success. Interpol announced last week that it managed to seize $83 million headed for the bank accounts of cyber-criminals.
The world’s largest meat processor has been forced to cut critical servers after an organized cyber-attack on its IT systems.
São Paulo-headquartered JBS said in a statement today that its US division detected the attack on Sunday. The attack purportedly affected some of the servers used to power its North American and Australian IT systems.
“The company took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation,” JBS added.
“The company’s backup servers were not affected, and it is actively working with an incident response firm to restore its systems as soon as possible.”
JBS said that the attackers did not steal any customer, supplier or employee data, but warned that getting systems back on track will take time — which in turn could “delay certain transactions with customers and suppliers.”
Disruption is already occurring in Australia, with reports suggesting that beef and lamb kills across the country were cancelled. Operationally, IT systems play a vital role in managing the continuous movement of cattle from onboarding to slaughter.
It’s unclear exactly what kind of cyber-attack affected the company. Still, ransomware would be a prime suspect, given the need to take servers offline and the possibility of data theft.
With global revenue exceeding $50 billion last year, JBS is a candidate for extortion by the growing group of ransomware-as-a-service (RaaS) affiliates targeting large multi-nationals with sophisticated multi-stage attacks.
Scott Nicholson, co-CEO at cybersecurity consultancy Bridewell Consulting, argued that the cost of disruption to the firm would be significant, even if no data was stolen.
“This should act as a reminder to all companies of the importance of cybersecurity and protecting digital infrastructure,” he added.
“Even the largest corporations are susceptible to attacks, so there’s no room for complacency. All organizations must take steps to protect their systems and ultimately customer data, or risk putting their reputation and customer safety at risk.”
Global police have concluded a months-long campaign in which they seized $83 million in funds headed for the bank accounts of cyber-criminals and scammers.
Interpol said that 40 officers from across APAC participated in the HAECHI-I operation over a six-month period. It focused specifically on investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion and voice phishing (vishing).
All have become major money-makers for threat actors of late. Romance and investment fraud were the number two and three earners last year, leading to combined losses of nearly $937 million, according to the FBI. Extortion ($71 million) and phishing and its variants ($51 million) were also high up on the list.
Interpol claimed late last week that nearly two-thirds (64%) of the 1,400 cases opened as part of HAECHI-I have been solved, with many others ongoing.
Some 585 individuals were arrested and over 1,600 global bank accounts frozen as part of the operation.
Interpol highlighted two particularly successful investigations: one involving a business email compromise (BEC) attempt when scammers impersonated a Korean company’s trading partner requesting payments amounting to nearly $7 million. Half of these were intercepted and frozen, the policing group said.
In another case, an organized crime gang ran a classic “pump-and-dump” scheme by buying up cheap stocks, promoting them on social media to drive the price up and then selling them. Interpol claimed its rapid response led to the freezing of the fraudulent trading accounts and recovery of most victims’ money.
“The key factors in intercepting illicit money transfers are speed and international cooperation,” said Amur Chandra, brigadier general of the Indonesian National Police and secretary of Indonesia’s Interpol National Central Bureau.
“The faster victims notify law enforcement, the faster we can liaise with Interpol and law enforcement in the relevant countries to recover their funds and put these criminals behind bars.”
HAECHI-I is the first in a three-year project to disrupt online financial crime, backed by the Korean government and featuring the participation of Cambodia, China, Indonesia, Korea, Laos, the Philippines, Singapore, Thailand, and Vietnam.
The United States Federal Bureau of Investigation issued a flash warning Thursday over the exploitation of Fortinet vulnerabilities by advanced persistent threat (APT) groups.
According to the FBI, an APT actor group has "almost certainly" been exploiting a FortiGate appliance since at least May 2021 to access a web server hosting the domain for a US municipal government.
The APT actors may have established new user accounts on domain controllers, servers, workstations, and the active directories to help them carry out malicious activity on the network.
"Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization," said the FBI. However, the Feds warned organizations to be on the lookout for accounts created with the usernames "elie" or “WADGUtilityAccount.”
Once inside a network, the APT actors can conduct data exfiltration, data encryption, or other malicious activity.
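One way a defender can act on the account-name indicators in the FBI alert is to scan account-creation audit events for them. The script below is an added example, not part of the FBI alert or any Fortinet tooling: it reads constructed Windows Security events (ID 4720, "a user account was created") exported as newline-delimited JSON, and the field names and export shape are assumptions. It flags only creations of the two usernames the alert names, and skips other event types even when the same name appears.

```python
"""Flag account-creation audit events whose new account name matches the
usernames called out in the FBI flash alert ("elie", "WADGUtilityAccount").

Added example, not from the FBI alert or from Fortinet. The event lines below
are constructed in the shape of Windows Security event 4720 (user account
created) exported as JSON; the field names are assumptions about the export.
"""
import json

# Usernames named in the alert (taken from the article). Matching is
# case-insensitive because Windows SAM account names are case-insensitive.
FLAGGED_USERNAMES = {"elie", "wadgutilityaccount"}

# Constructed sample: one benign creation, a logon (not a creation) for a
# flagged name, and two flagged creations on different hosts.
SAMPLE_EVENTS = """
{"EventID": 4720, "TimeCreated": "2021-05-20T02:14:07Z", "Computer": "DC01", "TargetUserName": "jsmith", "SubjectUserName": "helpdesk"}
{"EventID": 4720, "TimeCreated": "2021-05-21T03:41:55Z", "Computer": "DC01", "TargetUserName": "elie", "SubjectUserName": "svc-backup"}
{"EventID": 4624, "TimeCreated": "2021-05-21T03:42:10Z", "Computer": "DC01", "TargetUserName": "elie", "SubjectUserName": "-"}
{"EventID": 4720, "TimeCreated": "2021-05-22T23:05:12Z", "Computer": "WS07", "TargetUserName": "WADGUtilityAccount", "SubjectUserName": "administrator"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_flagged_account_creations(events, flagged=FLAGGED_USERNAMES):
    """Return (time, host, new_account, created_by) for every 4720 event whose
    newly created account is on the flagged list. Other event IDs are ignored
    so that an ordinary logon by the same name does not produce a duplicate hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        name = str(ev.get("TargetUserName", ""))
        if name.lower() in flagged:
            hits.append((ev["TimeCreated"], ev["Computer"], name, ev.get("SubjectUserName")))
    return hits


if __name__ == "__main__":
    for hit in find_flagged_account_creations(parse_events(SAMPLE_EVENTS)):
        print("account creation matches FBI indicator:", hit)
```

Because the alert says the attackers also created accounts that mimic existing names, treating the two literal usernames as the whole detection would be a mistake; the practical use of a script like this is to confirm or rule out the known names quickly, while the broader review of accounts created in the relevant window is done by hand.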
The alert comes just one month after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591.
The cyber-criminal activity appears to be focused on exploiting particular vulnerabilities rather than specific sectors, as the APT actors have been observed actively targeting a broad range of victims across multiple industries.
"The fact that we continue to see these legacy vulnerabilities being exploited in spite of these alerts is a cautionary tale that unpatched flaws remain a valuable tool for APT groups and cyber-criminals in general," commented Satnam Narang, staff research engineer at Tenable.
They added: "Unpatched vulnerabilities, not zero-days, are the biggest threat to most organizations today because it gets attackers to their end goal in the fastest and cheapest way. It is imperative that both public sector and private organizations that use the FortiGate SSL VPN apply these patches immediately to prevent future compromise.”
Narang said that the risk posed by unpatched vulnerabilities was further heightened by the broad shift of the workforce to remote working over the past year.
A scammer who defrauded elderly American computer users by tricking them into believing that their computers had suffered a cyber-attack will be spending the next three years in federal prison.
Himanshu Asri, of Delhi, India, took part in a five-year telemarketing scheme that conned around 2,000 computer users, most of whom were seniors.
The 34-year-old fraudster operated the call center in India that played an integral part in the Tech Fraud deception.
Under the scheme, Asri arranged for fraudulent pop-up advertisements to appear on computer users’ screens. The ads falsely claimed that malware had been detected on the computer and advised the user to call a phone number for assistance to remove it.
Users who called the number for help spoke to operators at Asri’s call center and at other call centers based in India. Those operators had been coached to reiterate the lie that malware had been found on the callers’ computers.
Users were offered fictitious computer protection services that would remove the non-existent malware for an exorbitant price.
Those who fell prey to the scam paid on average $482 for computer protection service or assistance that they didn't need and didn't receive. In some cases, victims were defrauded of amounts exceeding $1,000.
A spokesperson for the US Attorney's Office for the District of Rhode Island said: "From call data obtained for a three-month period, it was estimated that over five years Asri’s scheme led approximately 6,500 people to view Asri’s deceptive pop-up ads and encounter call center operators who made the Tech Fraud pitch. It is estimated that 1,950 of those people fell prey to the Tech Fraud."
Asri and his co-conspirators tricked their victims into handing over at least $940,995.74. Had all their fraudulent attempts been successful, it's estimated that the fraudsters' illegal activity could have defrauded victims out of approximately $3,133,000.
Asri was arrested at the beginning of 2020. On December 3, he pleaded guilty to wire fraud.
On Thursday, the scammer was sentenced in US District Court in Providence to three years in federal prison followed by a period of supervised release.
American multinational technology company Microsoft says that the threat group behind the Microsoft and SolarWinds hack has launched a massive new phishing campaign targeting government agencies, NGOs and think tanks.
Last year, an advanced persistent threat (APT) group exploited vulnerabilities in Microsoft and SolarWinds programs to carry out a supply-chain attack that trojanized SolarWinds' Orion business software updates to distribute malware. Nine US federal agencies and over 100 companies were targeted.
According to Microsoft, Russian-based APT group Nobelium was not only behind that attack but is now running a phishing campaign that has already targeted thousands of email accounts around the world.
"This week we observed cyber-attacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations," wrote Microsoft's vice president of customer security and trust, Tom Burt, in a blog post published on Thursday.
"This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations."
Burt said that organizations in at least 24 different countries were impacted, with the majority of victims located in the United States.
At least one in four of the organizations targeted are involved in international development, humanitarian, and human rights work.
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," wrote Burt.
Nobelium launched the phishing campaign by gaining access to the Constant Contact account of USAID.
"From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone," wrote Burt.
"This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network."
Digital Shadows threat researcher Stefano De Blasi said that Nobelium's alleged malicious activity exemplified how targeted phishing campaigns still constitute a serious threat against institutions of any kind.
He added: "This campaign is the latest testament to this group's objective of collecting sensitive and highly valuable information from Western organizations operating in the government and external affairs field."
A new charity initiative, which aims to raise money for two organizations that help tackle online child abuse and cybercrime respectively, has been announced by a group of cybersecurity professionals based in the UK and US.
Infostep 2021 will see 25 volunteers from the Infostep Challenge group of cyber pros walk a total of 19,000 miles, equivalent to a mammoth 42,212,000 steps, over the next six months. This will primarily look to raise funds for the Innocent Lives Foundation, which works with law enforcement to identify sexual predators targeting children online, and The Cyber Helpline, which offers a free, confidential advice and support service for individuals who have fallen victim to cybercrime.
The Infostep volunteers also hope to use some of the money raised to provide resources for people looking to start a career in cybersecurity.
The challenge originated when Tom Quinn, group IT security services manager for National Express, set a personal post-lockdown goal of walking 70,000 steps per week, which he revealed in a post on LinkedIn. Upon seeing the post, an old colleague of his, Amy Stokes-Waters, who is senior account manager for Cognisys, then reached out to try and get involvement from the wider infosec community. She explained: “I think everyone has had a bit of a lethargic few months. The weather is getting warmer, we’re allowed to get out and about a bit more, and if we can raise money while we’re at it, why not? This really is the infosec community at its finest!”
Commenting on the initiative, Innocent Lives Foundation ambassador and CISO of Ramsey Quantitative Systems, Jonathan Younie, said: “Ultimately, the goal of the Innocent Lives Foundation is to make the world safer for kids. Our team of volunteer technology specialists use OSINT (Open Source Intelligence) to identify predators who target children on the Internet, specifically to generate and distribute CSAM (Child Sexual Abuse Material). We work to provide law enforcement with the information they need to bring these predators to justice, so each dollar raised is used to assist law enforcement in unmasking child predators on the internet.”
Nikki Webb, head of marketing for The Cyber Helpline and global channel manager for Custodian 360, outlined: “Our vision is to ensure the UK is a place where cyber-criminals do not win and our mission is to ensure everyone in the UK has immediate access to expert, cybersecurity help when they need it. Infostep 2021 is an amazing initiative and we are so grateful to be chosen as recipients of some of the funds raised.”
Infostep Challenge added that they are welcoming support from any organization which would like to get involved in the endeavor in some capacity, either through funding or resource donation. Additionally, any individuals who would like to join in with their own personal challenge can follow along using the hashtag #infosteps2021.
As well as Stokes-Waters, Quinn, Webb and Younie, the infosecurity professionals who are taking part in the challenge are the following: Dan Conn, senior software engineer for Mimecast; Scott Winchester, owner of Hax_Shax; Sean Atkinson, director of security assurance at Secarma; Regina Bluman, security analyst at Algolia; Sarah Armstrong-Smith, chief security advisor at Microsoft; Tash Norris, head of cyber security at Moonpig; Paul Taylor, cyber consultancy at ITC Secure; Ryan Surry, director at Intaso; Siân Salmons, trainee cyber security consultant at CAPSLOCK; Cytisus E., senior security engineer at Macys; Lisa Forte, partner at Red Goat Cyber Security; Natasha Harley, co-founder at cyberxperts; Rosie Anderson, head of sales at Honeypot Digital; Rob Croxford, network security consultant; Phillip L., head of sector at ITC Secure; Adrian Tayor, transformation consultant at Deloitte UK; Rob Newby, founder at Procordr; Ste Watts, group head of cyber security operations at Aldermore Bank; Lorna Armitage, co-founder at CAPSLOCK; Dan Komenda, trainee cyber security consultant at CAPSLOCK; Laura Wellstead, co-founder of cyberxperts; Alex Martin, senior business development manager at Cognisys; and Peter Jones, owner at CyberBadger.
The National Cyber Security Centre (NCSC) has warned British internet users to protect their streaming accounts ahead of a summer of sport.
The GCHQ offshoot warned that such accounts can hold a trove of valuable personal and financial information for threat actors to harvest and use to make fraudulent payments or launch follow-on phishing, smishing and vishing scams.
“The UEFA Champions League final will kick off a great British summer of sport and those enjoying it online should be able to do so securely. If accounts aren't secure, it's really easy for criminals to access them and then proceed to target people with scam texts and emails,” said NCSC director of policy, Nicola Hudson.
“To help stay protected from this, we would urge people to visit cyberaware.gov.uk for advice on securing accounts and devices and the NCSC’s website for dealing with scam emails and texts.”
The NCSC urged internet users to change their passwords to a strong credential in order to mitigate the risk of credential stuffing, and to take special care with their email log-ins — if these are hijacked, attackers could reset and change their other passwords. On the Cyber Aware site, it is also recommended to switch on two-factor authentication.
It also asked users to switch on automatic updates for all apps to address the risk of streaming software being exploited by cyber-criminals.
The past year has seen a spike in the use of streaming services as employees and students were forced to stay home under government-mandated lockdowns.
However, that’s also presented an opportunity for threat actors: in less than a week last April Mimecast said it detected the registration of over 700 suspicious domains designed to impersonate the Netflix brand.
Nearly three-quarters of security operations (SecOps) leaders say their home lives are being impacted by the stresses of alert overload, according to a new global study from Trend Micro.
The security vendor polled over 2,300 cybersecurity decision-makers that run Security Operations Centers (SOCs) or SecOps from within their IT security function, to compile its report, Security Operations on the Back Foot.
It revealed the inadequacy of current tooling to help them prioritize alerts generated from multiple security controls across the organization.
Over half (51%) said their team is being overwhelmed by the volume of alerts and 55% admitted that they aren’t confident in their ability to prioritize and respond to them. On average, respondents said they’re spending over a quarter (27%) of their time dealing with false positives.
This is taking its toll emotionally: 70% claimed they feel so stressed outside of work that they’re unable to switch off or relax, and are irritable with friends and family.
In the SOC or IT security department, many admitted to turning off alerts (43%), walking away from their computer (43%), hoping another team member will step in (50%), or ignoring alerts entirely (40%).
"We're used to cybersecurity being described in terms of people, process and technology. All too often, though, people are portrayed as a vulnerability rather than an asset, and technical defenses are prioritized over human resilience,” argued cybersecurity researcher Victoria Baines.
“It's high time we renewed our investment in our human security assets. That means looking after our colleagues and teams, and ensuring they have tools that allow them to focus on what humans do best."
The figures chime with research from Sumo Logic last year which revealed that 99% of organizations are experiencing high volumes of alerts which cause issues for SecOps teams. A further 83% admitted this leads to alert fatigue for staff.
Nearly three-quarters (72%) of cybersecurity professionals are concerned about supply chain risks to their organization following high-profile incidents like the SolarWinds campaign, according to a new poll.
Run by the Infosecurity Europe trade show, which is owned by the same company as Infosecurity Magazine, the poll received over 2,500 responses on Twitter last week.
Nearly two-fifths (38%) said they were “very” concerned about the potential risks from third parties, whilst 34% claimed they were “somewhat” concerned.
They’re right to be: 28% admitted to having no processes in place to control data flows to and from third parties and a fifth (20%) didn’t even know if such measures had been implemented.
Even though more than half (52%) of respondents claimed to have processes in place, only a third (35%) said they actually enforce policy in this area.
Separate research from earlier this month revealed that almost half (44%) of North American organizations have suffered a breach via a third party over the past 12 months.
Even more (51%) said their organization is not assessing the security and privacy practices of suppliers before allowing them to access sensitive data.
Maxine Holt, senior research director at Omdia, argued that discovery must be the first step in assessing supplier risk.
“Which organizations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritize accordingly,” she explained.
“Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third-parties must be able to ensure that data transfers are consistent with what has been agreed.”
Experts have argued in the past that accurate risk assessments are often out of reach for organizations as there’s too much reliance on trust and manual, spreadsheet-based approaches to provide assurance.
Infosecurity Europe 2021 will run 13-15 July 2021 at London Olympia, with selected talks and discussions to be made available online. The show will also be running a virtual conference from 8-10 June 2021.
A hacker who launched a long-running cyber-attack against a New Hampshire police department has been sent to prison for a year and a day.
Wayne Kenney Jr. broke into the computer systems of the Farnum Center, the Auburn Police Department (APD) and several department employees in 2015 after receiving a suspended sentence for heroin possession.
The Farnum Center is an addiction treatment center based in Manchester, New Hampshire, and it is where 31-year-old Hooksett resident Kenney was sent for drug treatment in early 2015.
After gaining access to the Center's systems on July 1, Kenney re-routed a drug helpline 1-800 telephone number to an adult entertainment business. He also doctored the Center's portal so that users who logged in were greeted with a link to a video that showed heroin being injected.
"The defendant's reprehensible actions caused significant harm to entities that seek to help the public," said Acting US Attorney John Farley in a statement.
"By disabling access to drug and alcohol treatment information, the defendant cruelly impeded innocent people from getting help for their substance abuse problems. His actions also harmed innocent public servants in Auburn."
After hacking into the APD's computer system, Kenney deleted some files and installed malware that prompted pop-up messages to appear on the department's computers. The messages prayed for the death of Kenney's arresting officer.
He also took over email and social media accounts belonging to APD employees and defaced them with pornography.
The attacks against the APD were carried out from February to July 2015 using a keyboard stroke logger, computer viruses and phishing emails. Kenney's lawyer said that the hacker was going through personal problems when the crimes took place.
"You can't hide in the shadows of the internet and hack into computers and impede others from accessing emergency substance abuse treatment services and get away with it," said Joseph Bonavolonta, special agent in charge of the FBI Boston Division.
Key government cybersecurity and counterintelligence officials told the news source that if the gang has actually stopped operating, it could soon be back to its old and highly lucrative tricks under a different alias.
Research published last week by London-based blockchain analytics firm Elliptic appears to show that DarkSide extorted more than $90m in Bitcoin before supposedly halting its illegal activities.
Federal experts also warned that certain countries were turning a blind eye to the cyber-criminal activity emanating from within their borders.
In an interview with CNBC's Eamon Javers on Wednesday, Assistant Attorney General of the Department of Justice’s National Security Division John Demers said that the Colonial Pipeline attack highlighted the issue of "nation-states serving as safe havens for criminal cyber-actors."
Demers said that "nation-states aren’t doing their part to investigate and root out hacking activity happening within their borders." He went on to suggest that DarkSide, far from going dark, could be "just off renaming themselves."
“Groups like that will come back,” he added. “Probably DarkSide itself, those actors that comprise that group, will be back if they’re not already out there in other forms operating as we’re talking.”
Acting Director of the National Counterintelligence and Security Center Michael Orlando concurred with Demers' viewpoint.
Speaking in the same interview, Orlando said: "We do know that countries like Russia and China, Iran and others certainly create safe havens for criminal hackers as long as they don’t conduct attacks against them.
"But that’s a challenge for us that we’re going to have to work through as we figure out how to counter ransomware attacks."
KnowBe4's James McQuiggan told Infosecurity Magazine: "With the recent DarkSide group going dark after what appears to be a loss of their electronic infrastructure, it seems they are working on regrouping their efforts."
He added: “Individually, cyber-criminals still need to live and make money, so they take their skills and expertise to another group and give themselves a new name and start all over.”
Canada's primary postal operator, Canada Post, confirmed Wednesday that it has suffered a data breach.
The security incident occurred following a cyber-attack on one of the Crown corporation's suppliers, Commport Communications, which provides electronic data interchange solutions.
Commport Communications was hired by the postal service to manage the shipping manifest data of its large parcel business' customers.
Following the cyber-attack, Canada Post has informed 44 of its commercial customers that data belonging to more than 950,000 customers has been compromised.
Commport Communications notified Canada Post that manifest data stored in its systems had been exposed in a malware attack on May 19.
“Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it,” said Canada Post on Wednesday in a press release.
The corporation said that exposed information dates from July 2016 to March 2019 and that most of it (97%) contains the name and address of the receiving customer. The customer's email address and/or phone number were included in 3% of the compromised data.
Canada Post said that a detailed forensic investigation into the data breach had turned up no evidence that any financial information had been compromised.
“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” Canada Post said.
Though the breach hit Canada Post customers via an attack on a supplier, the corporation said they “sincerely regret the inconvenience this will cause our valued customers" and have notified the Office of the Privacy Commissioner.
“Canada Post respects customer privacy and takes matters of cybersecurity very seriously,” said the corporation.
The postal operator added that it will “incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue."
Last November, Commport Communications notified Innovapost, the IT subsidiary of Canada Post, of a potential ransomware issue. An investigation found no evidence to suggest any customer data had been compromised.
Security researchers have discovered a new Chinese phishing campaign targeting the ethnic minority Uyghur group with emails impersonating the United Nations and others.
Check Point and Kaspersky teamed up to lift the lid on the attacks, which spoof not only the UN Human Rights Council (UNHRC) but also a fake human rights organization called TCAHF, targeting Uyghurs applying for grants.
As well as emailed documents from the ‘UNHRC’ designed to trick individuals into installing a Windows backdoor, the researchers discovered a phishing website branded with the details of the fake human rights organization.
This aims to convince victims to download a .NET backdoor disguised as a ‘security scanner,’ which the site claims is necessary because of the sensitive nature of the information required for a grant application.
Most of the website’s content is apparently copied from a legitimate Open Society Foundations site.
Kaspersky and Check Point have discovered only a handful of victims in Pakistan and China, where around 12 million Uyghurs live in the north-west Xinjiang region. Reports suggest the authorities there have erected concentration camps in a ghoulish state-sanctioned scheme involving forced sterilisations and mass ‘re-education.’
Amidst an international furore and mutterings of countries boycotting the Beijing Winter Olympics in 2022, it has become a serious geopolitical issue for China’s leaders.
The research teams attributed the activity to a Chinese-speaking threat actor with low to medium confidence. They found excerpts of the code in the malicious macros used in the attacks that were identical to VBA code appearing in multiple Chinese forums, and which may have been copied directly from there.
“These attacks clearly utilize the theme of the UNHRC to trick its targets into downloading malicious malware. We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community,” explained Check Point’s head of threat intelligence, Lotem Finkelsteen.
“The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”
The volume of compromised records globally has increased on average by 224% each year since 2017, according to new findings shared by Imperva.
In light of the GDPR’s third anniversary this week, the data security firm crunched statistics on thousands of breaches over the past few years to better understand the evolving risk to businesses.
There were more records reported as compromised in January 2021 alone (878 million) than for the whole of 2017 (826 million).
Alongside the increase in this figure over the past four years, there has been a 34% rise in the number of reported breaches over the period and a 131% increase in the average number of compromised records per incident, said Imperva security researcher Ofir Shaty.
“We are living in a digitization era in which more services are consumed on a daily basis, with the majority of them online. More businesses are migrating to the cloud which makes them more vulnerable if not done carefully. The amount of data that is out there is enormous, and it is increasing every year,” he said.
“Information security adoption is slower than the adoption of digital services that make profit from the addiction to and consumption of the same online services. The increasing number of breaches every year is a result of this gap.”
Imperva is predicting that this year will see around 1500 data breach incidents and 40 billion records compromised.
These aren’t all the result of malicious third parties stealing information from victim organizations.
Misconfiguration of cloud services has also driven a spike in data leaks. Of the 100 biggest incidents over the past decade, Imperva claimed 42% came from Elasticsearch servers, a quarter (25%) from AWS S3 buckets and 17% from MongoDB deployments.
Tools like Shodan and open source apps like LeakLocker are making the discovery of such leaks increasingly easy, Shaty warned.
“The security of an organization is only as strong as the weakest link in the security chain. Many times, the ‘walls’ that protect databases have cracks that allow attackers to put their hands on sensitive data,” he concluded.
“In many cases, better architecture and cross-organization security practices would do the trick, but those practices are not easy to implement and control. We suggest that organizations implement security for the databases they manage, not just the applications and networks that surround them.”
Most US victims of pandemic-related identity fraud in 2020 still have not had their issues resolved, and a third (33%) claim they didn’t have enough money to buy food or pay for utilities last year as a result, according to a new report.
The Identity Theft Resource Center (ITRC) based its new 2021 Consumer Aftermath Report on interviews with 427 identity crime victims who contacted the non-profit before and during the crisis.
The FTC claimed that it received twice as many identity theft reports last year versus 2019, with those related to unemployment benefits hitting over 390,000 versus just 13,000 in 2019.
Three-quarters (75%) of these and other COVID-related fraud issues have yet to be resolved, according to the ITRC.
The impact has been catastrophic for many households: a quarter (24%) said they were denied unemployment benefits because someone applied using their identity; 40% were unable to pay routine monthly bills; and many went hungry.
Some 14% said they were evicted for non-payment of rent, and 8% have even considered suicide.
The challenges of resolving identity fraud go back long before the pandemic. Nearly two-fifths (37%) of pre-pandemic victims said their issues from 2019 have still not been sorted out as of May 2021.
Overall, while most victims lose less than $500, a fifth (21%) claimed to have been defrauded by over $20,000.
“While we have all adjusted to masks and social distancing during the COVID-19 pandemic, for victims of identity fraud, the pandemic has created an entirely new set of risks,” said John Breyault, National Consumers League vice president of public policy, telecommunications and fraud and an ITRC Board Member.
“It might be tempting to focus only on the considerable harm that identity fraud does to consumers. However, we shouldn’t lose sight of the costs to businesses due to lost productivity and lower morale as employees manage their recovery and to taxpayers as fraudsters raid unemployment insurance funds.”
A public relations agency in the UK has allegedly offered social media influencers money to portray the Covid-19 vaccine created by Pfizer-BioNTech as highly dangerous.
Fazze allegedly offered to pay French and German bloggers, influencers and YouTubers to tell their followers that the vaccine had caused hundreds of deaths.
Over 285 million doses of COVID-19 vaccines were administered in the United States from December 14, 2020, through May 24, 2021. During this time, the CDC's Vaccine Adverse Event Reporting System (VAERS) received 4,863 reports of death (0.0017%) among people who received a COVID-19 vaccine.
On its website, Fazze describes itself as a “marketplace that connects bloggers and advertisers.” The Guardian reports that Fazze claimed to be headquartered at 5 Percy Street in London but is not registered at this address.
It is alleged that Fazze contacted several French health and science YouTubers last week, asking them to share the false claim that the Pfizer vaccine is three times more deadly than the COVID-19 vaccine developed by AstraZeneca.
The influencers were instructed to present the lie as their own independent view. They were also told to publish links on Instagram, TikTok or YouTube to reports in French newspaper Le Monde, on Reddit and on the Ethical Hacker website that Fazze said contained data substantiating this claim.
The Reddit and Ethical Hacker articles have been removed from the sites, and the piece in Le Monde contains no information about mortality rates associated with either vaccine.
It is alleged that Fazze told the influencers to tell their followers that the dangers of the Pfizer vaccine were being ignored by mainstream media, and to question the wisdom of governments who purchased it.
Mirko Drotschmann, a German YouTuber and podcaster with 1.5 million subscribers, and Léo Grasset, a French science YouTuber with nearly 1.2 million subscribers, both said that they had been approached and asked to disparage the vaccine.
Both influencers shared screenshots of emails they had received. The missive sent to Drotschmann states: "I am engaged in an information campaign regarding the Covid-19 vaccine. The data leak showed a significant number of deaths after the Pfizer vaccination. We would like to invite you to share this information link..."
A gang of Nigerian cyber-criminals has shared a step-by-step guide detailing how to commit unemployment identity fraud in the Lone Star State, according to CBS News.
Organized cybercrime group Scattered Canary is already suspected of making millions defrauding the states of Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming.
Now the gang has allegedly circulated a 13-page tutorial explaining how to successfully defraud the Texas Workforce Commission website.
Evidence shared with the news channel's CBS 11 I-Team appears to show this highly detailed guide being shared online in a closed group chat that took place between multiple gang members.
With the help of an insider, private cybersecurity firm Agari managed to obtain a copy of the document from a WhatsApp group chat.
Former FBI agent Crane Hassold, who is now employed as Agari's director of threat research, said: “For these cyber-criminals it’s all about information flow.”
“The tutorial shows how to apply for unemployment benefits and even introduces some of the red flags if you enter things a certain way.”
Texas has lost more than $893m to fraudulent unemployment benefits since the start of the global COVID-19 pandemic. The Texas Workforce Commission said it has been targeted by scammers from all over the world.
Hassold said Scattered Canary are exploiting a feature in Gmail to speed up their fraudulent activity.
Because Google ignores periods in Gmail addresses, slight variations of a single email address can be used to file multiple fraudulent claims without raising the suspicion of state unemployment systems.
For example, three claims filed using the addresses “[email protected],” “[email protected]” and “[email protected]” appear to belong to three separate individuals but are all attached to the same email account.
“Essentially it allows their communication flow to be much more efficient,” said Hassold.
“Instead of having to go to dozens of different email accounts to look at what’s going on, it’s all coming to one centralized location.”
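The Gmail behaviour described above is also what a benefits system can use to catch the pattern: normalise every claimant address to the mailbox Gmail would actually deliver to, then flag claims that collapse onto one mailbox. The following is an added illustration, not code from Agari, the Texas Workforce Commission or the article; the claim IDs and addresses are constructed, and it goes one step beyond the text by also folding Gmail's plus-suffixes and its googlemail.com alias into the same canonical form.

```python
"""Flag claims whose email addresses resolve to one underlying Gmail mailbox.

Added example (not from the article): canonicalises addresses the way Gmail
resolves them and groups claims by that canonical form, so claims filed under
dotted variants of one mailbox surface as a single cluster for review.
"""
from collections import defaultdict

# googlemail.com is Google's alias domain for the same mailboxes.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the mailbox Gmail would deliver this address to.

    Gmail ignores dots in the local part and is case-insensitive; it also
    routes anything after '+' to the base mailbox (the plus-suffix rule is a
    generalisation beyond the article, which mentions only dots).
    Non-Gmail addresses are only lower-cased, because other providers may
    treat dots as significant.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.lower().split("@")
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}"
    local = local.split("+", 1)[0]   # drop any +suffix
    local = local.replace(".", "")   # dots are not significant in Gmail
    return f"{local}@gmail.com"      # fold the googlemail.com alias


def find_shared_mailboxes(claims):
    """Group claim IDs by canonical mailbox; return only groups with >1 claim.

    `claims` is an iterable of (claim_id, email) pairs, e.g. rows exported
    from a claims database.
    """
    groups = defaultdict(list)
    for claim_id, email in claims:
        groups[canonical_gmail(email)].append(claim_id)
    return {box: ids for box, ids in groups.items() if len(ids) > 1}


# Constructed sample claims; names, IDs and addresses are hypothetical.
SAMPLE_CLAIMS = [
    ("TX-0001", "john.doe@gmail.com"),
    ("TX-0002", "jo.hn.doe@gmail.com"),
    ("TX-0003", "JohnDoe+claim3@googlemail.com"),
    ("TX-0004", "jane.roe@gmail.com"),
    ("TX-0005", "john.doe@example.org"),   # different provider, not folded
]

if __name__ == "__main__":
    for mailbox, ids in find_shared_mailboxes(SAMPLE_CLAIMS).items():
        print(f"{mailbox}: {len(ids)} claims -> {', '.join(ids)}")
```

On the sample data the three "john.doe" variants collapse onto one Gmail mailbox and are reported together, while the identical-looking address at a non-Gmail domain is left alone, since the normalisation is only safe where the provider is known to apply it.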
Scattered Canary is suspected of funneling the money it nets through fraudulent claims offshore by using it to purchase prepaid Green Dot cards. The cards are registered using the same identities stolen when committing the unemployment fraud.
Before the cards are delivered via the mail, the gang goes online and drains the money from the account.