As every week, here is our news summary regarding APTs, Cryptocurrencies, Darknet, General Security, and ransomware. All of that in about a thousand words.
Additionally, we wrote an article on How to Protect Yourself from People Impersonating You via Email using DKIM, SPF, and DMARC.
Researchers at the University of Maryland discovered a previously unknown layer in the Great Firewall of China. This extra layer is believed to add redundancy to the existing HTTPS filtering system based on Server Name Indication (SNI), a TLS extension that exposes the hostname of the website the client is trying to connect to.
Google warns 14,000 Gmail users targeted by Russian hackers (Bleeping Computer)
Google warned about 14,000 Gmail users that they had been targeted by a state-sponsored phishing campaign attributed to APT28 (also known as Fancy Bear), which is believed to be part of Russia's GRU.
Microsoft published its annual Digital Defense Report for 2021. It highlights that 58% of the nation-state attacks Microsoft observed came from Russia, which is increasingly targeting government agencies (3% of its targets a year ago compared to 53% now) and becoming more effective (a 21% compromise success rate last year vs. 32% now). The report also covers other APTs and digital threats such as ransomware.
Justice Department Sets Up National Cryptocurrency Enforcement Team (Wall Street Journal)
The US Department of Justice announced the creation of a Cryptocurrency Enforcement Team to pursue criminals who use cryptocurrency for activities such as money laundering, theft, or ransomware.
Hackers bypass Coinbase 2FA to steal customer funds (The Record)
Coinbase submitted a notification letter to the US state attorney general office stating that intrusions took place this year between March and May. A third party abused Coinbase's SMS account recovery process to breach 6,000 accounts. The company said it will reimburse the funds lost during the intrusions.
White House Market to Close Down (Ixonae on Security)
Mr White, the White House Market administrator, announced on October 1st that he would retire after having fulfilled his goal. He said he would give the market's users enough time to finish their transactions and withdraw their funds.
After some Tor2Door market users encountered issues withdrawing funds, Paris, one of the Dread forum administrators, posted an announcement stating that the market had probably exit scammed. After the Tor2Door administrator reached out, he withdrew his original post and announced that all was probably fine and that the situation was being monitored.
Symphony Technology Group Announces Bryan Palma Appointment (Business Wire)
Symphony Technology Group, a private equity firm focused on software, data, and analytics, announced its acquisition of FireEye Products and its merger with McAfee Enterprise. The two combined entities will have more than 40,000 customers, 5,000 employees, and about USD 2 million in revenue.
Actively exploited Apache 0-day also allows remote code execution (Bleeping Computer)
CVE-2021-41773, a vulnerability in Apache HTTP Server involving its CGI module, was found earlier this month to allow path traversal. After PoCs surfaced on the Internet, it became clear that the flaw is more critical than first thought, as it also allows remote code execution. Among other things, the vulnerability requires Apache version 2.4.49 to be exploited.
Individuals claiming to be part of Anonymous leaked source code and various business data (allegedly including streamer payout data) belonging to Twitch (the video streaming platform) on 4chan. The authors claimed that their action was a response to the Twitch "community [being] a disgusting toxic cesspool". The leak is 128 GB in size and contains 6,000 internal Git repositories.
Yubico released the first YubiKey supporting biometric (fingerprint) authentication, after previewing it at Microsoft Ignite in 2019. The key will come in USB-3 and USB-C variants for USD 80.
Researchers discovered that a malicious actor had been hacking TP-Link routers since at least 2016. The routers were used to send betting tips, confirmations of online payments and donations, and messages whose meaning is still unclear.
Largest mobile SMS routing firm discloses five-year-long breach (Bleeping Computer)
Syniverse, a company providing text messaging routing services to "nearly every mobile communications provider, the largest global banks, the world's biggest tech companies" (including Vodafone, AT&T, T-Mobile, Verizon, …), announced that hackers had access to its databases for over five years and compromised login credentials belonging to hundreds of customers.
The Telegraph exposes 10 TB database with subscriber info (Bleeping Computer)
A researcher discovered that 10 TB of data belonging to The Telegraph, one of the biggest British newspapers, was accessible online without protection. It contained the data of at least 1,200 subscribers, including names, email and IP addresses, as well as authentication tokens. It took the newspaper two days to respond to the findings and address the issue.
The personal data of over 1.5 billion Facebook users is reportedly being sold online. It contains names, email addresses, locations, and phone numbers, but there is no indication that Facebook suffered a breach. The data was likely obtained through scraping.
Apple announced that from January 31st, 2022, all developers whose iOS and macOS applications let users create accounts will have to provide a way to delete those accounts from within the application.
An Alabama hospital was hit by ransomware in 2019, which caused some monitoring equipment to malfunction during a childbirth, leaving the child with brain damage. He died nine months later, in what is the first alleged death attributed to ransomware. The Wall Street Journal reported that the mother has filed a lawsuit.
US unites 30 countries to disrupt global ransomware attacks (Bleeping Computer)
US President Joe Biden announced that the US will "bring together 30 countries to accelerate [their] cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically". This comes after ransomware caused major disruptions, such as the Colonial Pipeline attack earlier this year.
After payment negotiation chats were shared publicly, the Conti ransomware group threatened its victims in a public statement. The group said that in case of leaks it would publish the victims' data, or someone else's data if the leak happens after the ransom was paid and the data deleted by the operator.
On September 28th, a coordinated operation involving the French National Gendarmerie, the Ukrainian National Police, and the FBI, in collaboration with Europol and Interpol, led to the arrest of two prolific ransomware operators in Ukraine and the seizure of the equivalent of about USD 2 million in assets. The group is suspected of having attacked very large industrial groups in Europe and North America since April 2020, demanding ransoms ranging between EUR 5 and EUR 70 million.
Warren & Ross Introduce Bill to Require Disclosures of Ransomware Payments (warren.senate.gov)
US Senator Warren and Representative Ross introduced a bill to help tackle ransomware. It would require companies to disclose information about ransomware payments (such as the amount, the currency used, and any information about the extortioner …) within 48 hours of paying. The Department of Homeland Security would also be required to make the information public, excluding identifying information.