As always, plenty of things happened this week, but no worries if you had no time to go through all the news. Our weekly news recap will keep you up to date on APTs, Cryptocurrencies, Darknet, General Security, Privacy and Ransomware news.
Additionally, you might have heard of I2P, a network similar to Tor. It has some interesting characteristics but the official documentation is a bit hard to get through. This week, I wrote an article offering a simple introduction to how it works.
Earlier this year, Google identified a campaign carried out by North Korea in which hackers created accounts claiming to be security researchers and lured actual security researchers to malicious websites in an attempt to infect their computers with malware. On October 15th, Twitter suspended two accounts that were involved in this scheme.
Russian cybercrime gang targets finance firms with stealthy macros (Bleeping Computer)
Researchers discovered a new phishing campaign named MirrorBlast. It takes advantage of malicious Excel macros which are not detected by VirusTotal, but only impacts the 32-bit version of Office. If an attack succeeds, a malicious MSI package is downloaded and installed. It then contacts a command-and-control (C2) server to retrieve further instructions, whose effects are unknown as of now. The culprit appears to be TA505, a Russia-related group.
China’s Minister of Industry and Information Technology announced that China has investigated 1.83 million apps since 2020 to make sure they “don’t infringe users’ rights and interests” and required “rectification” from 4,200 of them. In addition, 73,000 websites were “investigated and dealt with in accordance with the law”.
State-backed hackers breach telcos with custom malware (Bleeping Computer)
Symantec discovered a new APT targeting IT, telecoms, and government entities in South Asia, and named it Harvester. The group uses new malware and is believed to be active since June 2021.
France tests crypto assets in series of government bond deals (Financial Times)
A group made up of some of France’s biggest financial market participants used a digital currency issued by the Banque de France as part of a 10-month test in the country’s debt market, to assess the usefulness of a central bank currency. A deputy chief executive at Euroclear concluded that “[they] have together successfully been able to measure the inherent benefits of this technology, concluding that the central bank digital currencies can settle central bank money safely and securely.”
Two Individuals Sentenced for Providing “Bulletproof Hosting” for Cybercriminals (US Department of Justice)
Two Eastern European men were sentenced to 24 and 48 months in prison by a Michigan court for providing “bulletproof hosting” used to disseminate malware (including Zeus and SpyEye) that attacked US companies and financial institutions between 2009 and 2015.
General Security #
The fourth edition of the Tianfu hacking contest took place this month and featured 16 targets (including Chrome, Safari, Docker, VMware, domestic vehicles, …) in which researchers could look for vulnerabilities. Vulnerabilities were found in 11 of these targets.
The Chromium team removed FTP support from Chrome. The change takes effect in version 95.
A hacker has broken into Argentina’s National Registry of Persons (RENAPER) and published ID card photos and personal details of 44 Argentinian celebrities. The Ministry of Interior claims that “the [RENAPER] database did not suffer any data breach or leak,” and that the hacker only queried the database for 19 photos. The hacker, however, claims to have a copy of the database and might publish the data of 1 or 2 million people soon.
U.S. Government Bans Sale of Hacking Tools to Authoritarian Regimes (The Hacker News)
The US Department of Commerce announced new rules that will take effect in 90 days and establish new controls on exports of “cybersecurity items” (e.g. surveillance tools) by requiring a license. An exception would allow exporting to most countries “while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern. In addition, countries subject to a U.S. arms embargo will require a license.”
The Google Threat Analysis Group attributed a two-year campaign aiming to take control of YouTube accounts to a group of hackers recruited on a Russian-speaking forum. The hackers would reach out to victims via email with business opportunities, ask them to install and test applications, and would then hijack authentication cookies from their browser to access and steal their YouTube accounts. More than 4,000 accounts were reportedly impacted.
A resident of Oxfordshire might be eligible for compensation of more than GBP 100,000 after claiming that one of her neighbours was invading her privacy by having security cameras recording (including audio) her gate, garden and car parking spaces.
Bouncing consists of a website using a third party to redirect you somewhere. For example, in order to track you, a website could link to traker.com/?site=example.com, which redirects you to example.com, instead of linking to example.com directly. Brave Browser implemented protection against this in version 1.32, where it gets rid of the intermediary and navigates straight to the destination.
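To make the mechanism concrete, here is an added example (not Brave’s code) of what such a protection does at its simplest: before following a link, check whether its host is a known bounce tracker and, if so, pull the real destination out of the query parameter and navigate there instead, so the tracker is never contacted. The tracker list, the parameter names and the hostnames below are constructed for this example; a real implementation relies on a curated list like the one Brave ships.

```javascript
// Added example, not Brave's implementation: a minimal "debouncer" for
// bounce-tracking links. Hosts and parameter names below are constructed.
const BOUNCE_TRACKERS = new Map([
  // tracker hostname -> query parameter that carries the real destination
  ["traker.com", "site"],
  ["click.example-tracker.net", "url"],
]);

// Returns the URL the browser should actually navigate to. Unknown hosts,
// malformed input and non-http(s) destinations are returned untouched so a
// bug in the rewrite can never turn a plain link into something worse.
function debounce(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return href; // not an absolute URL, nothing to unwrap
  }
  const param = BOUNCE_TRACKERS.get(url.hostname);
  if (!param) return href; // not a known bounce tracker

  const raw = url.searchParams.get(param);
  if (!raw) return href; // tracker link without a destination: leave it

  // Accept both a bare host ("example.com") and a full URL.
  let dest;
  try {
    dest = new URL(/^https?:\/\//i.test(raw) ? raw : `https://${raw}`);
  } catch {
    return href; // e.g. "javascript:..." smuggled into the parameter
  }
  // Only ever rewrite to a web origin, and never into another tracker.
  if (dest.protocol !== "https:" && dest.protocol !== "http:") return href;
  if (BOUNCE_TRACKERS.has(dest.hostname)) return href;
  return dest.href;
}

// Typical use: rewrite a link at navigation time.
// debounce("https://traker.com/?site=example.com") -> "https://example.com/"
```

The two defensive checks at the end are the part worth copying: the destination is re-parsed with the URL API rather than string-sliced, and only http(s) results are accepted, so a parameter value such as `javascript:` or `data:` can never be promoted into a navigation target.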
Line, a very popular messaging and payment application in Asia with more than 700 million users, admitted that it had suffered multiple shortcomings and put users’ personal information at risk. Earlier this year, it was revealed that some users’ data was processed in China (potentially putting it at risk) and/or stored in South Korea, while the company had promised its users that all data was stored in Japan.
Australia’s information commissioner found that 7-Eleven had been collecting facial images of customers without notice between June 2020 and August 2021 as part of a survey program. 7-Eleven has been ordered to destroy all the collected faceprints and to stop their collection.
Brave announced it would start using Brave Search as the default search engine to help give users “the privacy and independence of a search/browser alternative to big tech.” It replaces Google in the US, UK, and Canada, Qwant in France, and DuckDuckGo in Germany.
US links $5.2 billion worth of Bitcoin transactions to ransomware (Bleeping Computer)
The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) calculated that the top 10 most common ransomware variants received about USD 5.2 billion in Bitcoin between July 2018 and now.
REvil Disappears Again: ‘Something Is Rotten in the State of Ransomware’ (Flashpoint Intel)
On October 17th a REvil operator announced on the XSS hacking forum that the group was shutting down. This came after someone used their Tor hidden service’s private key to hijack their website (see this article if you need a reminder about Tor hidden services).
Researchers at Trustwave released a free decryption tool for BlackByte ransomware. It takes advantage of an odd encryption design: the malware uses the same AES key to encrypt the files, rather than generating a unique key for each session.
Evil Corp demands $40 million in new Macaw ransomware attacks (Bleeping Computer)
Evil Corp started using a new ransomware named Macaw Locker in an attempt to bypass the sanctions imposed on the group in 2019, which prevent victims from paying. Olympus and Sinclair Broadcast Group were reportedly hit by this new ransomware, with ransom demands of USD 28 million and 40 million respectively.
Interesting Reads #
- Ransomware Trends in Bank Secrecy Act Data Between January and June 2021 (FinCEN)
- BlackMatter Ransomware Advisory (Cybersecurity & Infrastructure Security Agency)
- Operation Secondary Infektion Targets Pfizer Vaccine (Recorded Future)
- Russian-speaking cybercrime evolution: What changed from 2016 to 2021 (SecureList by Kaspersky)