Last week, ransomware operators got creative in the hope of extorting more money from their victims, Amazon is being sued for snooping on users with Alexa-connected devices, a Russian intelligence officer was caught trying to infiltrate the International Criminal Court, 1.7 billion records were exposed by a misconfigured Elasticsearch cluster, and more. Let’s find out about everything that happened over the last week in security and privacy.
Last week, I also wrote an article about BGP, the protocol that helps route Internet traffic. Have a look if you’re curious to learn how it works.
If you regularly read this newsletter, you will notice that the format is a bit different than usual. I’ll be trying various things over the next weeks, and if you feel like it, I’m happy to hear some feedback (mail, Twitter) about what you want to see more (or less) of, whether lists of links are good, whether more summaries are better, etc.
APT, Governments and Espionage #
Gallium hackers backdoor finance, govt orgs using new PingPull malware (Bleeping Computer)
Gallium, a group believed to originate from China, has been using a new malware, ‘PingPull’, against financial institutions in Europe, Africa, and Southeast Asia. The malware is designed to obtain reverse shells on compromised machines.
AIVD disrupts activities of Russian intelligence officer targeting the International Criminal Court (General Intelligence and Security Service)
The AIVD, a Dutch intelligence agency, caught a Russian GRU intelligence officer while he was trying to obtain an internship at the International Criminal Court in The Hague.
On June 17th, the UK Home Secretary approved the extradition of WikiLeaks founder Julian Assange to the US. He has 14 days to appeal the decision.
Last month, Litecoin released its long-anticipated privacy update, Mimblewimble. Binance announced that it would not support the extension (i.e. it will only deal with non-privacy-enabled transactions). Earlier this month, 5 Korean exchanges (including Upbit, Bithumb, Korbit, and Gopax) announced that they would delist Litecoin.
Coinbase Lays Off Around 1,100 Employees (CoinDesk)
Coinbase announced that it would lay off 18% of its workforce. The CEO justified the decision by arguing that the company “grew too quickly” and that the cuts were needed to survive a potential upcoming crypto winter. The company had already rescinded new job offers last month. Many other companies are also laying off staff (see more here).
Wasabi Wallet 2.0 Feature List (Wasabi Blog)
Wasabi 2.0, a wallet known for its CoinJoin mixing support, was released. It had been in development since 2020.
More on Cryptocurrencies
Darknet and Cybercrime #
Cloudflare said it stopped a 26 million requests per second HTTPS DDoS attack (the largest on record) that originated from a botnet of 5,067 devices, mostly hosted at cloud service providers.
A man was sentenced to 24 months in prison for running DownThem.org, a DDoS-as-a-Service, and AmpNode.com, a bulletproof hosting service that offered servers pre-configured to assist with DDoS attacks.
Interpol seizes $50 million, arrests 2000 social engineers (Bleeping Computer)
‘First Light 2022,’ an international law enforcement action led by Interpol and involving law enforcement from 76 countries, resulted in the seizure of USD 50 million and the arrest of about 2,000 people involved in social engineering schemes (romance scams, email deception, scamming fraud, …).
A Texas US Marshal was indicted for unlawfully using a law enforcement service to track people he had relationships with through their cellphone data (if you’re curious, I wrote an article a while ago explaining how it works). He is also accused of trying to cover his tracks by making false statements and falsifying records. He is facing decades in prison.
**Russian Botnet Disrupted in International Cyber Operation** (US DoJ)
The US Department of Justice, in collaboration with law enforcement in Germany, the Netherlands, and the UK, announced that they disrupted the operation of RSOCKS, a Russian botnet. RSOCKS offered proxy services to its customers by using (allegedly) millions of compromised devices (IoT, phones, and computers).
More on Darknet and Cybercrime
- Dark Web Price Index 2022 (Privacy Affairs)
- Dark web awash with breached credentials, study finds (The Daily Swig)
Data Breaches #
Yuma, a major hospital in Arizona, suffered a ransomware incident in late April. Malicious actors exfiltrated the data of more than 700,000 patients, including SSNs, health, and insurance data.
Comstar, LLC Provides Notice of Data Breach (PR Newswire)
Comstar, a US ambulance billing service, issued a data breach notification on June 14th, saying that a security incident took place on April 21st and was detected on March 26th. The breached data of impacted individuals “may have included name, date of birth, medical assessment and medication administration, health insurance information, driver’s license, financial account information, and Social Security number.”
StoreHub, a Malaysia-based company providing point-of-sale software systems for food and beverage establishments as well as retail stores, was found to be exposing over one terabyte of data due to an Elasticsearch server misconfiguration.
The data contained over 1.7 billion records with names, email addresses, phone numbers, and orders of customers of businesses using StoreHub, as well as data from the businesses themselves.
Microsoft retired Internet Explorer on June 15th. As a first concrete step, Internet Explorer will gradually redirect to Microsoft Edge (“in the coming few months”) and will be properly disabled in a later second phase. Some devices will not be affected, such as those running Windows 7, 8.1, Server, 10 China, and IoT.
The French government started an invite-only bug bounty to test its ‘France Identité’ application, which allows French citizens to use online government services.
- Microsoft Defender for Android, Apple iOS and macOS, and Windows now available (GHacks)
- Password policies of most top websites fail to follow best practices (Princeton University)
Privacy and Open-Source #
Starting June 14th, Total Cookie Protection is enabled for Firefox on all platforms. This feature confines cookies to the site that created them, preventing companies from tracking users across sites.
US Senators introduced a bill aiming to ban the sale of Americans’ location and health data. It says that “it shall be unlawful for a data broker to sell, resell, license, trade, transfer, share, or otherwise provide or make available [health and location] data, whether declared or inferred, of an individual.” The FTC would be tasked with developing rules to implement this ban with the help of USD 1 billion over the next decade.
A lawsuit filed against Amazon in Seattle is seeking class-action status. It claims that Amazon is snooping on users’ voice data through smart speakers and then using it to target ads at them.
**K-9 Mail app will become Thunderbird’s Android email client** (GHacks)
Thunderbird’s developers announced that K-9 Mail, a popular open-source Android application, has come under Thunderbird’s umbrella and will be rebranded as Thunderbird email.
More on Privacy
- Familiar faces: Has facial recognition tech gone too far? (Sessions Blog)
- Stop Using the iOS Highlighter to Hide Personal Info in Your Photos (Life Hacker)
- Facial Recognition Is Out of Control in India (Vice)
- How the Federal Government Buys Our Cell Phone Location Data (EFF)
- Why strong security solutions are critical to privacy protection (Microsoft Security Blog)
- Facebook Says Apple is Too Powerful. They’re Right. (EFF)
- SimpleLogin passes an independent security audit (SimpleLogin)
- WFH - Watched from Home: Office 365 and workplace surveillance creep (Privacy International)
Ransomware, Malware, and CVEs #
Ransomware Group Debuts Searchable Victim Data (Krebs on Security)
The ALPHV/BlackCat ransomware group began publishing their victims’ data on the public Internet. While they used to do so on the dark web, they are now creating dedicated websites where one can easily search the data.
A critical code injection vulnerability was found in Ninja Forms, a popular WordPress plugin with more than 1 million active installations. There is evidence that the vulnerability, rated 9.8/10, is being actively exploited.