The aggressive fight against ransomware
In a series of sweeping multi-national moves, Europol announced the arrest of seven REvil ransomware affiliates as part of a sprawling law enforcement crackdown on ransomware gangs, who have “operated with relative impunity over the last few years, in part because so many of them are based in Russia and the Kremlin has steadfastly turned a blind eye.”
Dubbed “Operation GoldDust,” the 17-country effort spearheaded by Romania saw two individuals apprehended for their role in facilitating over 5,000 infections, in addition to arrests of four other affiliates across Kuwait, South Korea, and Ukraine since February 2021, marking the latest actions taken to combat ransomware gangs and affiliates.
The developments come as the ransomware cartel shut down its operations for a second time after the U.S. Cyber Command, in partnership with an unnamed foreign government, compromised its infrastructure.
Separately, the U.S. Department of Justice (DoJ) unsealed an indictment charging Yaroslav Vasinskyi, 22, a Ukrainian national, with conducting ransomware attacks against multiple victims, including the intrusion targeting Florida-based Kaseya back in July, alongside announcing the seizure of $6.1 million in ransomware payments traced back to the group.
The roots of Operation GoldDust date back to 2018 when Europol lent its support into a joint investigation into the GandCrab ransomware family. Evidence shows that REvil sprang from the ashes of GandCrab in 2019 after cybercriminals associated with the latter shut shop but not before raking in nearly $2 billion in little over a year. REvil has since emerged as one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world.
In the meantime, German authorities in late October said they had identified a Russian man, known only as Nikolay K., whom they believe to be one of the REvil ransomware gang's prominent members and who is now posing as a cryptocurrency investor and trader.
But just as the REvil saga is biting the dust, other criminal groups appear to be taking notice, not to mention waiting in the wings to fill the void created in the wake of the arrests. According to Brian Krebs of Krebs on Security, the Conti ransomware gang has updated its victim-shaming blog to indicate that it is now selling access to many of the organizations it has hacked, signalling a shift in its business model potentially in response to aggressive law enforcement actions.
Make no mistake, the arrests and indictments mark a major win for law enforcement authorities, although if history has taught us something, it’s that it’s most likely to be fleeting, enabling these threat actors to leverage the setback to hone their operational security and tradecraft. Cybercriminals always find a way out.
What’s trending in security?
🇭🇰 Google disclosed details of a sophisticated watering hole attack that targeted legitimate websites of “a media outlet and a prominent pro-democracy labor and political group” in Hong Kong. The victims’ devices were infected using what was then a zero-day, chained with another exploit for a previously patched macOS vulnerability, to install a backdoor on their computers.
What’s notable is the fact that the flaw was patched by Apple for macOS Big Sur in February, but left unaddressed in previous versions, including macOS Catalina, for 234 days until reports of active exploitation prompted the company to issue a fix. [The Hacker News]
🇳🇱 With help from the Dutch intelligence service, AIVD, four Booking.com IT specialists determined that a hacker named “Andrew,” with ties to American intelligence agencies, breached the servers of hotel website Booking.com and stole details of thousands of hotel reservations in countries in the Middle East. [NRC / Ars Technica]
🔍 Threat actors are using advertisements in Google Search to promote fake cryptocurrency wallets and DEX platforms to steal users’ cryptocurrency. [Check Point Research]
🛡️ Government experts, including those at the U.S. Department of Homeland Security and the National Institute of Standards and Technology, are trying to develop and deploy new encryption algorithms to protect encrypted information against an emerging class of quantum computers, which could break prevailing encryption methods. [MIT Technology Review]
🇷🇺 Experts have linked at least four of the companies in Russia’s Federation Tower East (aka Vostok) to money laundering associated with the ransomware industry, which has generated $1.6 billion in ransom payments since 2011. [Bloomberg]
💲 The so-called Groove ransomware gang that was first announced on August 22 on RAMP, a new and relatively exclusive Russian-language darknet cybercrime forum, is a hoax. [Krebs on Security]
❌ NSO Group, the maker of the Pegasus spyware, has been added to an economic blocklist by the U.S. Commerce Department, along with spyware maker Candiru and cybersecurity firm Positive Technologies. [The Hacker News]
🇨🇳 In a rare public statement, China’s Ministry of State Security (MSS) said a foreign intelligence agency hacked several of its airlines in January 2020 and stole troves of passenger records. The hack wasn't attributed to a particular state. [Xinhua Daily Telegraph / The Record]
🔒 While turning on two-factor authentication (2FA) is seen as a method to prevent account takeover attacks, hackers are stepping up their social engineering efforts to convince people to give up their temporary codes (aka one-time passwords or OTPs). Vice’s Joseph Cox highlighted a new scenario where Telegram-powered OTP bots are being employed to place automated calls designed to help threat actors break into accounts. [Vice / Intel 471]
✉️ Cyber crooks are now using QR codes in email messages — instead of the usual malicious attachment or URL link — to drive users to a phishing website, as part of a new quishing campaign that collected Microsoft credentials belonging to nearly 200 email accounts between September 15 and October 13, 2021. [Abnormal Security]
🇪🇺 The European Commission ordered an update to the Radio Equipment Directive with the goal of enacting new cybersecurity guidelines for radio and wireless equipment sold in the market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices, that are aimed at improving network resilience, protecting consumer privacy, and reducing the risk of monetary fraud. [European Commission / The Record]
🔝 MITRE published a list of the most important hardware weaknesses for the first time with an aim to “prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle.” [MITRE]
🇮🇱 Ex-Israeli soldiers disclosed that the country built a “Facebook for Palestinians” over the last two years as part of a broad surveillance effort to monitor Palestinians through facial recognition technology. [The Washington Post]
⚡ A DJI Mavic 2 drone in July 2020 targeted a power substation in the U.S. state of Pennsylvania in a possible attempt to "disrupt operations by creating a short circuit," marking the first known instance of a modified, unmanned aircraft system being used to strike energy infrastructure. [WIRED]
🇰🇵 The North Korean state-sponsored Lazarus group, also known as Zinc, is attempting to target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering application. [ESET Research]
🇰🇷 A new spyware campaign has been targeting South Korean residents with Android devices in order to steal confidential data. “PhoneSpy,” as the malware is called, shares many similarities with other known and previously used spyware and stalkerware apps, thanks to the use of off-the-shelf code, making it easier for attackers to obscure their identity and cover their tracks. [The Hacker News]
📩 Encrypted email service provider ProtonMail hailed a new Swiss court ruling that declared that email services cannot be considered telecommunications providers in Switzerland, and thus are not subject to the data retention requirements imposed on them. [ProtonMail]
🇮🇳 India’s Supreme Court commissioned a Technical Committee to investigate whether the national government procured NSO Group's “Pegasus” spyware and used it on its citizens, whether it did so legally, and, in case it was used against citizens, whether there was an appropriate legal framework for such use. [The Register]
⚙️ Nobelium, the attackers behind the SolarWinds intrusion in 2020, targeted at least 140 technology service providers — and successfully compromised 14 — in an ongoing campaign that started in May in yet another supply chain attack designed to infiltrate systems belonging to downstream customers of these companies. The exploitation of these “trusted relationships” between technology providers and their customers has become something of a staple for the persistent adversary, which previously tampered with SolarWinds software updates to infiltrate 100 companies and nine U.S. government entities. [The Hacker News / Bloomberg]
💵 ENISA, the European Union Agency for Cybersecurity, said that hackers-for-hire emerged as the biggest threat to online security in the last 15 months, with the COVID-19 pandemic and working from home creating opportunities for cybercriminals.
The report comes on the heels of a newly discovered group dubbed “Void Balaur” that has been linked to a string of cyberespionage and data theft activities targeting thousands of entities as well as human rights activists, politicians, and government officials around the world at least since 2015 for financial gain. [Reuters / The Hacker News]
🔟 Can we write code that says one thing to humans and another to compilers? The “Trojan Source” attack says yes. The technique leverages the way Unicode handles mixed left-to-right and right-to-left scripts such as English, Arabic and Hebrew to introduce malicious code that can “reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.” By injecting “invisible” Unicode Bidi override characters into comments and strings, researchers found that it’s possible for a threat actor to reorder the source code so that its displayed logic differs from what the compiler sees, creating an exploitable vulnerability. [The Hacker News]
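The practical defence against Trojan Source is to refuse (or at least flag) any Bidi control character that appears in source code, since there is almost never a legitimate reason for one to sit inside a comment or string literal. The scanner below is an added example written for this newsletter, not code from the Trojan Source researchers or from any compiler project; it walks a file line by line, reports every Unicode Bidi override, embedding, isolate or mark it finds, and can render a line with the invisible characters made visible for code review. The sample source string is constructed here purely to exercise the scanner.

```python
import sys

# Unicode bidirectional formatting characters that Trojan Source abuses.
# Explicit embeddings/overrides (U+202A..U+202E), isolates (U+2066..U+2069),
# plus the directional marks, which are equally invisible in most editors.
BIDI_CONTROL_CHARS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}


def find_bidi_controls(source: str):
    """Return (line_no, col_no, name, codepoint) for every Bidi control in `source`.

    Line and column numbers are 1-based so they can be pasted into an editor.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROL_CHARS:
                findings.append((line_no, col_no, BIDI_CONTROL_CHARS[ch], f"U+{ord(ch):04X}"))
    return findings


def has_bidi_controls(source: str) -> bool:
    """Convenience predicate for a pre-commit hook or CI gate."""
    return any(ch in BIDI_CONTROL_CHARS for ch in source)


def render_visible(source: str) -> str:
    """Replace each Bidi control with an escaped marker so reviewers can see it."""
    return "".join(
        f"<{BIDI_CONTROL_CHARS[ch]} U+{ord(ch):04X}>" if ch in BIDI_CONTROL_CHARS else ch
        for ch in source
    )


# Constructed sample: a comment that hides an RLO and a PDI. In a rendering
# editor the tail of the line would be displayed reordered; the compiler sees
# the bytes in their logical order.
SAMPLE = (
    "def check(user):\n"
    "    return True  # safe\u202e trap\u2069\n"
)


def scan_files(paths):
    """Scan each path and return a list of report lines; non-empty means 'fail the build'."""
    report = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, col_no, name, cp in find_bidi_controls(fh.read()):
                report.append(f"{path}:{line_no}:{col_no}: Bidi control {name} ({cp})")
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = scan_files(sys.argv[1:])
        print("\n".join(problems) if problems else "no Bidi control characters found")
        sys.exit(1 if problems else 0)
    # No files given: demonstrate on the constructed sample.
    for finding in find_bidi_controls(SAMPLE):
        print(finding)
    print(render_visible(SAMPLE))
```

Run it with one or more file paths to use it as a CI gate (non-zero exit when anything is found), or with no arguments to see it flag the constructed sample. Rejecting these code points outright is the same posture that rustc's `text_direction_codepoint_in_comment` and `text_direction_codepoint_in_literal` lints and GCC's `-Wbidi-chars` warning take; a scanner like this covers languages and toolchains that do not yet check.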
🇵🇰 Threat actors likely of Pakistani origin are distributing an Android spyware dubbed GravityRAT under the guise of an end-to-end encrypted chat application called SoSafe Chat in an attempt to steal sensitive information from Indian targets. [Cyble]
💎 The Conti ransomware gang, which published thousands of files stolen from the U.K. jewellery store Graff, including information belonging to the U.A.E., Qatar, and Saudi royal families, has now apologized to the families apparently out of fear of violent retaliation. [Vice]
🗂️ The past weeks in attacks, data breaches, leaks, and ransomware: Angling Direct, bZx, Canadian provinces of Newfoundland and Labrador, Centara Hotels & Resorts, Central Depository Services Limited, Costco, Cream Finance, Cyberserve, Missouri’s Department of Elementary and Secondary Education, Papua New Guinea’s Department of Finance, South Australia's Department for Infrastructure and Transport, E.U. Digital Covid certificates, Eberspächer Group, Electronic Warfare, Fullerton Health, HPE, Machon Mor, Medatixx, MediaMarkt, National Bank of Pakistan, National Rifle Association, Phlebotomy Training Specialists, Robinhood, Scoolio, Sunwater, Toronto Transit Commission, U.K. Labour Party, Zales.com, and personal data of 50 million Moscow drivers.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!