This week, the Taproot Bitcoin update went live, an Iran based APT is targetting the US and Australia’s critical infrastructures, the US DoJ announced that it will sell some cryptocurrencies seized from the Bitconnect scam, and authorities arrested the CEO of an exchange accused to help the Ryuk ransomware gang to launder its profits. Read our 15th weekly news recap to find more.
This week’s recap covers a shorter period than usual as it only goes up to Thursday news.
APT#
Taking Action Against Hackers in Pakistan and Syria (Facebook Blog)
Facebook announced that it disabled accounts and blocked domain names related to four malicious groups (in August and October). One of them originating from Pakistan (SideCopy) is said to be targeting people connected with the previous Afghan government, military and law enforcement in Kaboul. The three other groups are allegedly originating from Syria (linked to the Syrian governmental Air Force Intelligence) and are targeting journalists, humanitarian organizations, and anti-regime forces. Facebook said it warned the owners of the accounts targetted by the attacks.
Mandiant assessed that UNC1151, an APT involved in cyber-espionage, provided support to the (pro-Russia/anti-NATO) Ghostwriter influence campaign and has some links to the Belarusian government (and possibly its military). The company also said that Russian involvement can’t be ruled out, even if there is no direct evidence that they are involved at the moment.
The US Cybersecurity & Infrastructure Agency issued an advisory stating that an Iran-related APT is actively exploiting Fortinet and Microsoft exchange ProxyShell vulnerabilities since at least March and October this year. US and Australian critical infrastructure sectors (including transportation and health care) are said to be targeted.
FBI: An APT abused a zero-day in FatPipe VPNs for six months (The Record)
The FBI discovered that an APT has been exploiting a 0-day vulnerability affecting FatPipe VPN devices since at least May 2021. The vulnerability allows to “gain access to an unrestricted file upload function to drop a web shell for exploitation activity with root access”, the FBI said.
Cryptocurrencies#
Taproot Soft-Fork: What Does it Bring to Bitcoin? (Ixonae on Security)
The Taproot soft fork was enabled on Sunday 14th. It is the first major update to Bitcoin since SegWit in 2017 and ships three Bitcoin Improvement Proposals (BIP340, BIP341, and BIP342) including Schnorr signatures, MAST, and Tapscript.
Sweden Demands the EU Ban Proof of Work Crypto Mining (Darknet Live)
Sweden’s General Directors of the Financial Supervisory Authority and of the Environmental Protection Agency asked for proof of work-based cryptocurrencies to be banned from the EU. They argue that “the consumer risks are significant, and crypto-assets are commonly used for criminal purposes [and] have a significant negative impact on the climate as mining leads to both large emissions of greenhouse gases."
Victims of $2 billion BitConnect fraud to get back $57 million (Bleeping Computer)
US authorities announced that they would start liquidating about USD 67 millions worth of cryptocurrencies seized from the BitConnect scam, and it will use the funds to refund victims. Between 2016 and 2018, BitConnect admins received about USD 2 billion.
Darknet#
An investigation into SS7 Exploitation Services on the Dark Web (SOS Intelligence)
The Signaling System 7 is a telecommunications protocol used to define how the various elements of the telephone network exchange information. The protocol is not very secure, and it is possible to intercept and spoof calls and SMS. Researchers found out there are 4 services that are said to offer this kind of service on the dark web but are assessed to be fake. Altogether these websites are estimated to have gained at least a few hundred dollars.
Misc#
Hoax Email Blast Abused Poor Coding in FBI Website (Krebs on Security)
Taking advantage of flaws in an FBI related website, a hacker managed to send hoax email messages from the FBI’s servers and with their domain name fbi.gov. The emails sent claimed that the receivers were subject to a “sophisticated chain attack [… which could] cause server damage to [their] infrastructure.”
Intel confirms two local security issues that affect many Intel processor generations (GHacks)
Intel published securities advisories related to two critical CVEs which might allow escalation of privileges via local access. Both can be addressed with a BIOS update.
Emotet botnet returns after law enforcement mass-uninstall operation (The Record)
Emotet, a botnet used as a Crime-as-a-Service platform by various cyber criminals came back to life recently; ten-month after a big international police operation shat it down.
Secure development: New and improved Linux Random Number Generator ready for testing (The Daily Swig)
After five years of development, the Linux Random Number Generator is ready to be tested as a replacement for /dev/urandom. It offers a 130% performance improvement compared to the existing function and uses several computing functions as a source of entropy.
UK government publishes guidance on security rules for tech takeovers (The Register)
The UK government published new guidelines on what technologies might fall within the National Security and Investment act (passed in January 2021) which gives ministers the power to halt mergers and acquisitions when they present a security risk to the country. There are 17 listed technologies such as advanced materials, AI, computer hardware, or transport.
Privacy#
Surveillance firm pays $1 million fine after ‘spy van’ scandal (Bleeping Computer)
WiSpear, an intelligence company, paid about USD 1 million in fines to the Cyprus authorities. In 2019, the company used a “spy van” to collect MAC addresses and IMSIs of nearby devices.
Adult cam site StripChat exposes the data of millions of users and cam models (The Record)
A researcher discovered a data leak coming from StripChat (one of the Internet’s top 5 adult cam sites). Between the 4th and the 7th of November, an unprotected Elastic Search cluster exposed 64 million users data, 410,000 models data, and 134 million transaction information.
7 million Robinhood user email addresses for sale on hacker forum (Bleeping Computer)
Robinhood - a trading service - announced last week that it suffered unauthorized access to its systems. About 7 million users personal data (email, full name, date of birth, and zip code) are now on sale for a minimum of “5 figures” (more than USD 10,000). The seller also claims to have more sensitive information for 310 customers, including some identification cards. This wasn’t announced by Robinhood when they made the breach public. The same threat actor is also reportedly behind this week’s FBI hack.
Ransomware#
US detains crypto-exchange exec for helping Ryuk ransomware gang launder profits (The Record)
A Russian national and co-founder of two cryptocurrencies exchanges was arrested in the Netherland by the FBI’s request after being accused of money laundering. Allegedly, USD 400,000 worth of cryptocurrencies assets passed through one of his accounts in 2018.
Interesting Reads#
- Instagram, tricked into thinking its boss was dead, locked him out of his own account (Bitdefender)
- HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks (Microsoft Security Blog)
- Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
- Uncovering MosesStaff techniques: Ideology over Money (Checkpoint)
- SharkBot: a new generation of Android Trojans is targeting banks in Europe (Cleafy)
- Evolving trends in Iranian threat actor activity - MSTIC presentation at CyberWarCon 2021 (Microsoft)