As always, plenty of things happened this week, but no worries if you had no time to go through all the news. Our weekly news recap will keep you up to date on the latest APTs, Cryptocurrencies, Darknet, General Security, Privacy and Ransomware news.
New activity from Russian actor Nobelium (Microsoft Blog)
Microsoft says that Nobelium, the Russian nation-state actor behind the SolarWinds compromise in 2020, is still trying to replicate its past approach by targeting the global IT supply chain. Since May 2021, it has allegedly targeted more than 140 resellers and technology service providers and managed to compromise 14 of them. Microsoft says this is only part of a larger wave of activity from this APT, which also attacked at least 609 customers between July 1st and October 19th this year.
A civilian professor at the Air War College in Alabama pleaded guilty to making false statements to a federal agent after failing to report contacts he had with a Chinese official between December 2012 and January 2017.
North Korean state hackers start targeting the IT supply chain (Bleeping Computer)
Researchers at Kaspersky assess that Lazarus, a North Korea-backed APT, is building supply-chain attack capabilities. Among other things, the group used an updated version of its BLINDINGCAN malware to breach a Latvian IT vendor in May and then used that vendor as a proxy to compromise a South Korean think tank the following month.
Gas stations operated by the state-owned National Iranian Oil Products Distribution Company were disrupted on October 27th after screens at the pumps were hijacked to display various messages and employees were unable to charge customers for the fuel they were buying. Iranian authorities attributed the incident to a cyber-attack by a hostile foreign state.
The US Federal Communications Commission announced that it has revoked China Telecom’s authorization to provide communications services in the USA on national security grounds. The agency said it holds classified information assessing that China Telecom could “access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.”
The Ministry of Justice of North Rhine-Westphalia started auctioning 215 Bitcoins on October 25th. The ministry estimated that one Bitcoin’s market value is EUR 54,000.
Mastercard is preparing to announce that banks and merchants using their payment network will soon be able to integrate cryptocurrencies into their products.
Cream Finance (a decentralized lending protocol) was hacked for the third time this year and lost an estimated USD 130 million in various assets. The attackers used flash loans to manipulate the price at which the protocol valued a collateral token, artificially inflating the value of their collateral so that they could borrow far more than their position should have allowed.
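To make the mechanism concrete, here is an added simulation of the attack class described above. It is not Cream Finance’s code and uses made-up numbers: a toy constant-product AMM plus a toy lending pool that values collateral either at the AMM’s current spot price (the weak design) or at a price that cannot be moved inside the attacker’s transaction, such as a time-weighted average (the assumed fix). The pool sizes, loan-to-value ratio and flash-loan amount are all assumptions.

```python
"""Flash-loan spot-price oracle manipulation, simulated (constructed example).

Not the code of any real protocol. A toy x*y=k AMM between a stablecoin (USD)
and a collateral token (TKN), and a toy lending pool that lends USD against
TKN collateral. The only difference between the two scenarios is which price
the lender trusts when it values the collateral.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """x*y=k automated market maker holding USD and TKN reserves."""
    usd: float
    tkn: float

    def spot_price(self) -> float:
        # USD per TKN as a naive on-chain oracle would read it right now
        return self.usd / self.tkn

    def swap_usd_for_tkn(self, usd_in: float) -> float:
        """Buy TKN with USD; large buys move the spot price up sharply."""
        k = self.usd * self.tkn
        new_usd = self.usd + usd_in
        new_tkn = k / new_usd
        tkn_out = self.tkn - new_tkn
        self.usd, self.tkn = new_usd, new_tkn
        return tkn_out


@dataclass
class LendingPool:
    """Lends USD against TKN collateral at a fixed loan-to-value ratio."""
    usd_liquidity: float
    ltv: float = 0.75  # assumed: borrow up to 75% of collateral value

    def max_borrow(self, tkn_collateral: float, price: float) -> float:
        return min(tkn_collateral * price * self.ltv, self.usd_liquidity)


def simulate_attack(oracle: str, flash_loan_usd: float = 3_000_000.0) -> dict:
    """Run one attack transaction; oracle is 'spot' (vulnerable) or 'twap' (hardened).

    Returns the attacker's profit and the lender's loss. A negative profit means
    the borrowed amount cannot repay the flash loan, so on-chain the whole
    transaction would revert and the attack never lands.
    """
    amm = ConstantProductPool(usd=1_000_000.0, tkn=1_000_000.0)  # fair price: 1 USD/TKN
    lender = LendingPool(usd_liquidity=10_000_000.0)
    fair_price = amm.spot_price()  # a TWAP still reports this mid-transaction

    # 1. take a flash loan, 2. dump it into the AMM to pump TKN
    tkn_collateral = amm.swap_usd_for_tkn(flash_loan_usd)
    # 3. deposit the freshly bought TKN; the lender values it with its oracle
    price_used = amm.spot_price() if oracle == "spot" else fair_price
    borrowed = lender.max_borrow(tkn_collateral, price_used)
    # 4. repay the flash loan from the borrowed USD and abandon the collateral
    profit = borrowed - flash_loan_usd
    # 5. what the abandoned collateral is really worth to the lender
    collateral_fair_value = tkn_collateral * fair_price
    lender_loss = max(0.0, borrowed - collateral_fair_value)
    return {
        "pumped_spot_price": amm.spot_price(),
        "collateral_tkn": tkn_collateral,
        "borrowed_usd": borrowed,
        "attacker_profit_usd": profit,
        "lender_loss_usd": lender_loss,
    }


if __name__ == "__main__":
    for oracle in ("spot", "twap"):
        print(oracle, simulate_attack(oracle))
```

With the assumed numbers a 3 million USD flash loan pushes the spot price from 1 to 16 USD per TKN, the spot-priced lender hands out 9 million USD against collateral that is really worth 750,000 USD, and the attacker walks away with 6 million. Against the manipulation-resistant price the same collateral supports only 562,500 USD of borrowing, which cannot even repay the flash loan, so the transaction reverts.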
Europol announced that as a result of its new operation Dark HunTOR, police forces from Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, the United Kingdom, and the United States arrested 150 individuals suspected of selling/buying illegal goods on darknet markets. Furthermore, more than EUR 26.7 million (in cash and cryptocurrencies), 234 kg of drugs, and 45 firearms were seized.
Money launderers for Russian hacking groups arrested in Ukraine (Bleeping Computer)
Ukrainian authorities arrested a group of malicious individuals at the request of some US intelligence services. They are accused of laundering millions of dollars for various hacking groups, and of being involved in cryptocurrency stealing activities.
General Security
DDoS attacks hit multiple email providers (The Record)
On Friday, October 22nd, three privacy-focused email providers (Fastmail, Posteo, and Runbox) suffered a massive DDoS attack allegedly carried out by the same malicious actor. Posteo said in a blog post that the criminals demanded a ransom to stop the attack. The company refused to pay.
A former mobile-carrier employee was sentenced for helping criminals carry out SIM-swapping attacks between 2017 and 2018. He reportedly received USD 2,325 in bribes and helped target at least 19 customers.
Hacker sells the data for millions of Moscow drivers for $800 (Bleeping Computer)
A stolen database containing about 50 million records on Moscow car owners is being sold on underground forums for USD 800. The source of the data is unknown, but it appears to have been collected between 2006 and 2019 and contains vehicle information, full names, dates of birth, and phone numbers.
Popular NPM Package Hijacked to Publish Crypto-mining Malware (The Hacker News)
A hacker hijacked the npm account of the maintainer of UAParser.js, an npm library with more than six million weekly downloads, and published versions carrying a cryptominer and password-stealing malware. The affected versions are 0.7.29, 0.8.0, and 1.0.0; clean releases have since been published.
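As an added practical check (not part of the original post or of the UAParser.js project), the script below walks an npm `package-lock.json` and reports every install path where `ua-parser-js` is pinned to one of the three hijacked versions, including transitive copies nested under other packages. It understands both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1 (which version 2 files also carry, so duplicates are collapsed). The sample lockfile embedded at the bottom is constructed for illustration; `some-widget` is a made-up package.

```python
"""Find hijacked ua-parser-js releases in an npm lockfile (constructed example)."""
import json
import sys

PACKAGE = "ua-parser-js"
COMPROMISED = {"0.7.29", "0.8.0", "1.0.0"}  # versions named in the incident reports


def find_compromised(lock: dict, package: str = PACKAGE, bad: set = COMPROMISED) -> list:
    """Return sorted (install_path, version) pairs for every compromised copy."""
    hits = set()

    # lockfileVersion 2/3: flat "packages" map keyed by path; "" is the root project
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == package and meta.get("version") in bad:
            hits.add((path, meta["version"]))

    # lockfileVersion 1 (and the legacy tree in v2): nested "dependencies" objects
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if name == package and meta.get("version") in bad:
                hits.add((here, meta["version"]))
            walk(meta.get("dependencies", {}), here + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


# Constructed sample: the top-level copy is a clean, pinned 0.7.28, but a
# dependency's caret range (^1.0.0) resolved to the hijacked 1.0.0.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/ua-parser-js": {"version": "0.7.28"},
        "node_modules/some-widget": {
            "version": "2.1.0",
            "dependencies": {"ua-parser-js": "^1.0.0"},
        },
        "node_modules/some-widget/node_modules/ua-parser-js": {"version": "1.0.0"},
    },
    "dependencies": {
        "ua-parser-js": {"version": "0.7.28"},
        "some-widget": {
            "version": "2.1.0",
            "requires": {"ua-parser-js": "^1.0.0"},
            "dependencies": {"ua-parser-js": {"version": "1.0.0"}},
        },
    },
}


if __name__ == "__main__":
    # usage: python scan_lock.py [path/to/package-lock.json]
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_compromised(SAMPLE_LOCK)
    for path, version in hits:
        print(f"COMPROMISED {PACKAGE}@{version} at {path}")
    sys.exit(1 if hits else 0)
```

A non-zero exit makes this usable as a CI gate. Note that it only tells you whether a compromised version is locked; a machine that already ran `npm install` against such a lockfile executed the package’s install script and should be treated as compromised, with every credential on it rotated.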
NYT Journalist Repeatedly Hacked with Pegasus after Reporting on Saudi Arabia (University of Toronto - Citizen Lab)
The University of Toronto’s Citizen Lab says that the iPhone of New York Times journalist Ben Hubbard was hacked multiple times using Pegasus (NSO Group’s spyware) between June 2018 and June 2021, while he was writing a book about the Saudi crown prince.
EU investigating leak of private key used to forge Covid passes (Bleeping Computer)
A private key used to sign EU Digital COVID Certificates is reportedly circulating on messaging apps and online forums. The key is being used by sellers of fake certificates to generate certificates that pass verification, and it was also used to create a certificate in the name of Adolf Hitler.
In 2020, the Swiss Post and Telecommunications Surveillance Service decided that Proton Mail should be considered a telecommunications provider and therefore had to retain the data needed for surveillance. A court overruled this decision, holding that the company cannot be considered a telecommunications provider, which limits its obligations to monitor traffic and retain users’ data.
Facebook sued a Ukrainian resident for allegedly scraping the personal data of more than 178 million users through Facebook Messenger’s contact importer between January 2018 and September 2019, and selling it on cybercrime forums.
DarkSide ransomware rushes to cash out $7 million in Bitcoin (Bleeping Computer)
About USD 7 million stored in a Bitcoin wallet controlled by DarkSide’s operators reportedly started moving in what appears to be an attempt to launder the funds. This occurs a few days after REvil announced its retirement due to a hijack of its infrastructure.
Conti Ransom Gang Starts Selling Access to Victims (Krebs on Security)
The Conti ransom gang announced in its victim-shaming blog that it was “looking for a buyer to access the network of [multiple organizations it has hacked] and sell data from their network”. Until now, the group would only ask for ransom from organizations it hacked, and publish their data on its website if they were not willing to pay.
Grief ransomware gang hit US National Rifle Association (NRA) (Security Affairs)
Grief ransomware operators announced on their website that they managed to hack the US NRA, and are threatening to leak the stolen data.
German investigators identify REvil ransomware gang core member (Bleeping Computer)
German police have reportedly identified a Russian man (who presents himself as a cryptocurrency trader and investor) as one of the REvil group’s core members. Investigators linked Bitcoin payments he made to ransoms paid to GandCrab, the ransomware operation that preceded REvil.
Interesting Reads
- NOBELIUM targeting delegated administrative privileges to facilitate broader attacks (Microsoft Blog)
- Wardrivers Can Still Easily Crack 70% of Wi-Fi Passwords (Dark Reading)
- APT trends report Q3 2021 (Secure List)
- Here’s the FBI’s Internal Guide for Getting Data from AT&T, T-Mobile, Verizon (Vice - pdf here)
- How we rolled out security keys at Twitter (Twitter Blog)
- An interview with LockBit: The risk of being hacked ourselves is always present (The Record)