As always, plenty of things happened this week, but no worries if you had no time to go through all the news. Our weekly news recap will keep you up to date on the latest APTs, Cryptocurrencies, Darknet, General Security, Privacy and Ransomware events.
In addition, we published an article about image forensics, presenting some techniques for using images for OSINT purposes and for determining whether an image was photoshopped.
APT
Ukraine discloses identity of Gamaredon members, links it to Russia’s FSB (The Record)
The Ukrainian Secret Service revealed the identities of five members of the Gamaredon group and linked them to the Russian FSB. The group is suspected of involvement in more than 5,000 cyberattacks against at least 1,500 Ukrainian government systems.
Cryptocurrencies
‘I Lost Everything’: How Squid Game Token Collapsed (CoinMarketCap)
In late November the Squid token was released with the promise that holders would be able to enter a game where they could get rich (a bit like the TV show Squid Game, after which it is named). At some point the coin’s price rose sharply (44,100% in 72h), holders were unable to sell, and the coin’s creator ran away with the money.
Darknet
StExo Ordered to Forfeit £490,000 in Bitcoin (Darknetlive)
A Liverpool court ordered White, one of the founders of SilkRoad 2.0, to hand over more than GBP 493,550 in Bitcoin. The man has been in prison since 2019, when he was sentenced to 5 years for money laundering, possession of child pornography, and drug-related offenses.
General Security
Phishing emails seemingly coming from a Kaspersky email address (Kaspersky)
Phishing emails designed to steal Office 365 credentials were sent from the sm.kaspersky.com domain using Amazon SES (Simple Email Service) and a valid SES token that was issued to a third-party contractor during the testing of a website.
2021 CWE Most Important Hardware Weaknesses (Mitre)
For the first time, MITRE published a list of the most important hardware weaknesses, in collaboration with the Hardware CWE Special Interest Group.
‘Destructive’ cyberattack hits National Bank of Pakistan (The Record)
The National Bank of Pakistan is said to have suffered a “destructive” cyberattack impacting the bank’s ATM network, mobile apps, and servers used to interlink branches. No funds were reported stolen, and the attack is currently thought to be a sabotage attempt.
Trick & Treat! 🎃 Paying Leets and Sweets for Linux Kernel privescs and k8s escapes (Google Blog)
Google announced that it would raise its bounty from USD 31,337 to USD 50,337 for 0-day Linux kernel vulnerabilities and for exploits that use a new attack or technique. The program complements Android’s VRP rewards, so attacks that are also effective on Android qualify for bigger bounties (an addition of up to USD 250,000).
US Sanctions Could Cut Off NSO From Tech It Relies On (Vice)
The US government added the NSO Group to a trade blacklist for providing spyware (Pegasus) to foreign governments that used it to target government officials, journalists, researchers, etc.
Alleged Twitter hacker charged with theft of $784K in crypto via SIM swaps (Bleeping Computer)
A suspected author of the Twitter hack of July 2020 (where multiple high-profile accounts, such as President Obama’s, were hacked to promote a cryptocurrency scam) was indicted this week by the US Department of Justice. He is accused of stealing USD 784,000 worth of cryptocurrencies using SIM swap attacks.
Popular ‘coa’ NPM library hijacked to steal user passwords (Bleeping Computer)
coa (9 million weekly downloads) and rc (14 million weekly downloads), two popular npm packages used to parse command-line arguments and configuration files, were hijacked to include password-stealing malware.
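Hijacks of widely used packages such as coa and rc land on developer machines through floating version ranges and lockfiles that lack integrity hashes. The following script is an added example, not code from the page or from the Bleeping Computer report: it flags npm dependencies that are not pinned to an exact version and lockfile entries that carry no `integrity` field. The package.json and package-lock.json contents are constructed samples; the version specifiers and the `sha512-PLACEHOLDER` hash are made up for illustration.

```python
import json
import re
from typing import Dict, List

# Constructed sample package.json (not from the page). coa and rc are the two
# packages named in the news item; the version specifiers here are invented.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "coa": "^2.0.0",
    "rc": "1.2.8",
    "left-pad": "latest",
    "lodash": "~4.17.0",
    "express": "*",
    "chalk": "4.1.2"
  }
}"""

# Constructed sample package-lock.json (lockfileVersion 2 layout). The
# integrity value is a placeholder, not a real hash.
SAMPLE_LOCKFILE = """{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"coa": "^2.0.0", "rc": "1.2.8"}},
    "node_modules/coa": {"version": "2.0.2", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/rc": {"version": "1.2.8"}
  }
}"""

# Exact semver: MAJOR.MINOR.PATCH with an optional prerelease/build suffix.
# Anything else (^, ~, *, "latest", ">=", tags) floats and will pick up a
# newly published, possibly hijacked, release on the next install.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

DEPENDENCY_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_dependencies(package_json_text: str) -> Dict[str, str]:
    """Return {name: spec} for every dependency whose spec is not an exact version."""
    manifest = json.loads(package_json_text)
    found: Dict[str, str] = {}
    for section in DEPENDENCY_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                found[name] = spec
    return found


def lockfile_entries_without_integrity(lockfile_text: str) -> List[str]:
    """Return package names whose lockfile entry has no integrity hash.

    Without the hash, npm cannot detect a tarball that was swapped on the
    registry for a given version; the lockfile alone pins only the number.
    """
    lock = json.loads(lockfile_text)
    prefix = "node_modules/"
    missing: List[str] = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        if "integrity" not in entry:
            name = path[len(prefix):] if path.startswith(prefix) else path
            missing.append(name)
    return missing


if __name__ == "__main__":
    for name, spec in unpinned_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"unpinned: {name} {spec}")
    for name in lockfile_entries_without_integrity(SAMPLE_LOCKFILE):
        print(f"no integrity hash in lockfile: {name}")
```

Run it against a real project by reading `package.json` and `package-lock.json` from disk instead of the constructed strings. Pinning alone does not stop a hijacked version that is already installed, so the check is a guard for future installs, to be paired with a lockfile that is committed and installed with `npm ci`.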
Privacy
Search warrant for Signal user data, Santa Clara County (Signal)
A Californian court served a search warrant on Signal asking for various information such as a user’s name, contacts, call records, … Signal was not able to provide anything other than the account’s creation and last connection timestamps.
Facebook deletes 1 billion faceprints in Face Recognition shutdown (Bleeping Computer)
Facebook announced that it will stop using its face recognition systems and will delete more than 1 billion people’s facial recognition profiles. Earlier this year, the company settled a class-action lawsuit for USD 650 million after being accused of collecting and storing users’ biometric data without consent.
Ransomware
Europol announces “targeting” of 12 suspects in ransomware attacks (Naked Security)
Europol announced on October 29th that it arrested twelve individuals in an operation involving eight countries. These individuals are suspected of involvement in ransomware attacks affecting more than 1,800 victims in 71 countries. Law enforcement also seized over USD 52,000 in cash and 5 luxury vehicles.
Russian National Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization (US Department of Justice)
A Russian national residing in both Southeast Asia and Russia appeared for the first time in front of a US court after his extradition from South Korea, where he was arrested in February 2020. He is accused of being a member of a malicious group involved in deploying banking trojans and the Trickbot ransomware.
Canadian province health care system disrupted by cyberattack (Bleeping Computer)
The Canadian province of Newfoundland and Labrador suffered a cyberattack on October 30th, causing multiple issues such as disrupting emails and 911 calls and preventing doctors from accessing and uploading medical results or registering new patients. The type of cyberattack has not been officially announced, but sources said it is ransomware.
The FBI published a notification where it assesses that ransomware actors are “very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.”
BlackMatter ransomware says it’s shutting down due to pressure from local authorities (The Record)
The BlackMatter ransomware group announced on November 1st that they would be shutting down “due to certain unsolvable circumstances associated with pressure from the authorities.” Many experts expect that this is only part of a rebranding.
The ‘Groove’ Ransomware Gang Was a Hoax (Krebs on Security)
Groove, a union of ransomware gangs aiming to target US interests, was announced on a cybercrime forum earlier in August. At the time, some security companies warned about the potential threat, which turned out to be nothing more than a hoax designed to troll journalists and security firms.
Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice (US Department of Justice)
The US Department of State announced that it would give a reward of up to USD 10 million for any information or location of key leaders of the Darkside ransomware group. In addition, it also offers up to USD 5 million for any information leading to the arrest and/or conviction (in any country) of any group member.
Identification of a new cybercriminal group: Lockean (ANSSI)
The National Cybersecurity Agency of France said it identified Lockean, a group active since at least June 2020 that has a propensity to target French entities using multiple Ransomware-as-a-Service offerings such as DoppelPaymer.