
Weekly News Recap 15

This week, the Taproot Bitcoin update went live, an Iran-based APT is targeting US and Australian critical infrastructure, the US DoJ announced that it will sell some of the cryptocurrencies seized from the BitConnect scam, and authorities arrested the co-founder of an exchange accused of helping the Ryuk ransomware gang launder its profits. Read our 15th weekly news recap to find out more.

This week's recap covers a shorter period than usual, as it only goes up to Thursday's news.

APT

Taking Action Against Hackers in Pakistan and Syria (Facebook Blog)

Facebook announced that it disabled accounts and blocked domain names related to four malicious groups (in August and October). One of them, originating from Pakistan (SideCopy), is said to be targeting people connected with the previous Afghan government, military and law enforcement in Kabul. The three other groups allegedly originate from Syria (and are linked to the Syrian government's Air Force Intelligence); they are targeting journalists, humanitarian organizations, and anti-regime forces. Facebook said it warned the owners of the accounts targeted by the attacks.

UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests (Mandiant)

Mandiant assessed with high confidence that UNC1151, an APT involved in cyber-espionage, provides support to the (pro-Russia, anti-NATO) Ghostwriter influence campaign and has links to the Belarusian government (and possibly its military). The company also said that Russian involvement can't be ruled out, even though there is no direct evidence of it at the moment.

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities (CISA)

The US Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory stating that an Iran-related APT has been actively exploiting Fortinet vulnerabilities since at least March and the Microsoft Exchange ProxyShell vulnerabilities since at least October this year. US and Australian critical infrastructure sectors (including transportation and health care) are said to be targeted.

FBI: An APT abused a zero-day in FatPipe VPNs for six months (The Record)

The FBI discovered that an APT has been exploiting a zero-day vulnerability affecting FatPipe VPN devices since at least May 2021. The vulnerability allows an attacker to "gain access to an unrestricted file upload function to drop a web shell for exploitation activity with root access", the FBI said.

Cryptocurrencies

Taproot Soft-Fork: What Does it Bring to Bitcoin? (Ixonae on Security)

The Taproot soft fork was activated on Sunday, November 14th. It is the first major update to Bitcoin since SegWit in 2017 and ships three Bitcoin Improvement Proposals (BIP340, BIP341, and BIP342) covering Schnorr signatures, MAST (Merkelized Alternative Script Trees), and Tapscript.

Sweden Demands the EU Ban Proof of Work Crypto Mining (Darknet Live)

The Director Generals of Sweden's Financial Supervisory Authority and Environmental Protection Agency asked for proof-of-work-based cryptocurrency mining to be banned in the EU. They argue that "the consumer risks are significant, and crypto-assets are commonly used for criminal purposes [and] have a significant negative impact on the climate as mining leads to both large emissions of greenhouse gases."

Victims of $2 billion BitConnect fraud to get back $57 million (Bleeping Computer)

US authorities announced that they will start liquidating about USD 57 million worth of cryptocurrencies seized from the BitConnect scam and use the funds to compensate victims. Between 2016 and 2018, BitConnect's operators took in about USD 2 billion.

Darknet

An investigation into SS7 Exploitation Services on the Dark Web (SOS Intelligence)

Signaling System 7 (SS7) is the set of telephony signaling protocols that defines how the various elements of the telephone network exchange information. The protocol has weak authentication, and an attacker with SS7 access can intercept and spoof calls and SMS messages. Researchers found four dark web services claiming to offer SS7 interception, but all four are assessed to be scams. Altogether, these websites are estimated to have earned at least a few hundred dollars from victims.

Misc

Hoax Email Blast Abused Poor Coding in FBI Website (Krebs on Security)

Taking advantage of flaws in an FBI-related website, a hacker managed to send hoax email messages from the FBI's own servers, using its fbi.gov domain name. The emails claimed that the recipients were the target of a "sophisticated chain attack [... which could] cause server damage to [their] infrastructure."

Intel confirms two local security issues that affect many Intel processor generations (GHacks)

Intel published security advisories for two CVEs rated high severity which may allow escalation of privilege via local access. Both can be addressed with a BIOS update.

Emotet botnet returns after law enforcement mass-uninstall operation (The Record)

Emotet, a botnet used as a Crime-as-a-Service platform by various cyber criminals, recently came back to life, ten months after a large international police operation shut it down.

Secure development: New and improved Linux Random Number Generator ready for testing (The Daily Swig)

After five years of development, the Linux Random Number Generator (LRNG) is ready to be tested as a drop-in replacement for the kernel's /dev/random and /dev/urandom implementation. It reportedly offers a 130% performance improvement over the existing implementation and can draw on several entropy sources, including CPU jitter and hardware RNGs.

UK government publishes guidance on security rules for tech takeovers (The Register)

The UK government published new guidance on which technologies might fall within the National Security and Investment Act 2021 (which comes into force in January 2022). The Act gives ministers the power to halt mergers and acquisitions that present a security risk to the country. It lists 17 sensitive sectors, such as advanced materials, AI, computing hardware, and transport.

Privacy

Surveillance firm pays $1 million fine after 'spy van' scandal (Bleeping Computer)

WiSpear, a surveillance company, paid about USD 1 million in fines to the Cyprus authorities. In 2019, the company used a "spy van" to collect the MAC addresses and IMSIs of nearby devices.

Adult cam site StripChat exposes the data of millions of users and cam models (The Record)

A researcher discovered a data leak at StripChat (one of the Internet's top five adult cam sites). Between the 4th and the 7th of November, an unprotected Elasticsearch cluster exposed records on 64 million users, 410,000 models, and 134 million transactions.

7 million Robinhood user email addresses for sale on hacker forum (Bleeping Computer)

Robinhood, a trading service, announced last week that it suffered unauthorized access to its systems. The personal data of about 7 million users (email, full name, date of birth, and zip code) is now on sale for a minimum of "5 figures" (more than USD 10,000). The seller also claims to hold more sensitive information on 310 customers, including some identification cards, which Robinhood did not mention when it made the breach public. The same threat actor is also reportedly behind this week's FBI email hoax.

Ransomware

US detains crypto-exchange exec for helping Ryuk ransomware gang launder profits (The Record)

A Russian national and co-founder of two cryptocurrency exchanges was arrested in the Netherlands at the FBI's request after being accused of money laundering. Allegedly, USD 400,000 worth of cryptocurrency assets passed through one of his accounts in 2018.

Interesting Reads


If you want to see this recap in your mailbox every week, you can sign up for the newsletter for free.
