This week was busy again, with a lot of news to report on. A state-sponsored group gained access to some US election systems, OKEx, a cryptocurrency exchange, froze withdrawals after one of its keyholders was detained by the police, and law enforcement charged fourteen members of a large money-laundering network. DeepSea Market is probably gone in an exit scam, and criminals got their hands on data belonging to Ubisoft and Crytek and leaked some of it. Finally, there is a lot to unpack on the privacy side, such as Google receiving warrants for the list of people who searched for specific keywords in its search engine.
Learn more about the newsworthy events of this week, all summarized in this article, in just a bit more than a thousand words.
The US Cybersecurity and Infrastructure Security Agency (CISA) says that an APT chained the recent Windows Zerologon vulnerability with several VPN vulnerabilities to target federal and local government networks, election organizations, and critical infrastructure. The APT managed to get access to some election systems but reportedly did not manage to take advantage of that access. Furthermore, the FBI and CISA state that "it does not appear these targets are being selected because of their proximity to elections information", while acknowledging the threat.
Security researchers claim to have linked the Thanos ransomware to an Iranian APT known as MuddyWater. While investigating security incidents at large Israeli corporations, the researchers attributed the attacks to the group.
The intrusions were carried out in two ways. Option one: MuddyWater sent phishing emails with malicious PDF/Excel documents which installed malware downloaded from a server belonging to the attackers. Option two: the group exploited CVE-2020-068 on unpatched Microsoft Exchange servers and installed the same malware as in option one.
The researchers claim that the malware installed in both cases was a strain seen before, which had been used to deploy the Thanos ransomware earlier in September.
OKEx, a Malta-based cryptocurrency exchange, temporarily froze withdrawals this Friday. This is allegedly due to one of the exchange's keyholders being apprehended by the police. With that keyholder unavailable, the exchange cannot obtain the required approvals to process withdrawals. The keyholder might be one of the founders, Xu, who has not been seen since being taken in by the police at least one week ago.
The US District Court for the Western District of Pennsylvania charged fourteen members of QQAAZZ (a criminal organization), and more than forty homes were searched in Latvia, Bulgaria, the United Kingdom, Spain and Italy, in an investigation involving 16 countries. Since 2016, the group allegedly laundered (or tried to launder) tens of millions of dollars linked to cybercrime. An extensive Bitcoin mining operation associated with QQAAZZ was also seized in Bulgaria.
The network opened and maintained hundreds of corporate and personal bank accounts at financial institutions to receive funds from its customers. QQAAZZ would then transfer the funds to other bank accounts under its control and, sometimes, convert them to cryptocurrencies and pass them through tumbling services. The criminals would then take a fee of up to 40 to 50 percent and return the remaining funds to their customers.
Among others, the criminals behind significant malware families such as Dridex and Trickbot used QQAAZZ to launder their proceeds.
On October 14, Atlantic, one of the moderators of DeepSea Market, announced that the market was probably gone for good in a possible exit scam. DeepSea went offline two days earlier, on October 12, and it seems that nobody has heard from the admin since then. A couple of hours before the service went dark, the admin reportedly processed the vendors' withdrawals.
Richard Castro, a.k.a. Chemsusa, an AlphaBay and Dream Market fentanyl vendor, was sentenced to 17.5 years in prison. He reportedly received at least $1.8 million and was involved in at least 5,000 transactions within a couple of years.
Law enforcement tracked the vendor by making purchases from him. From there, they identified his Bitcoin wallet, which was hosted at a cryptocurrency exchange, and reviewed the video surveillance of the post office from which the order was shipped.
Castro reportedly accessed both the cryptocurrency exchange and the email address he used for his business from his home IP address.
Egregor, a ransomware gang, leaked data allegedly obtained from Ubisoft's and Crytek's internal networks.
The criminals leaked 300 MB of data belonging to Crytek and claim to have encrypted the company's files during the attack. The leak contained material about the development process of games like Arena of Fate and Warface. Ubisoft, on the other hand, allegedly did not suffer any encryption on its infrastructure, and only 20 MB of data was leaked. The group might have got its hands on Watch Dogs: Legion, a game scheduled for release next month.
The criminals claim not to be in discussion with either company at the moment and threaten to publish the source code of Watch Dogs and of Ubisoft's engine if they are not contacted.
Adobe Flash is on death row, waiting to be killed at the end of this year. Meanwhile, critical CVEs are still being found and patched by Adobe. This week, the company released a security patch for CVE-2020-9746, which allows an attacker to achieve remote code execution when the victim simply visits a website: the attacker only has to insert a malicious string in an HTTP response to exploit the vulnerability.
Zoom, the company behind the famous video conferencing software of the same name, which received some criticism earlier this year over its security, has been working on improving its software. One of these improvements, the ability to hold end-to-end encrypted calls, will be released next week for both free and paid users. Up to 200 participants will be able to join an end-to-end encrypted meeting.
The US, Japan, Australia, India, the UK, Canada, and New Zealand issued a joint statement in which they call on companies to put backdoors in encryption (specifically end-to-end encryption) so that it is possible to access whatever content is shared or accessed. According to them, "particular implementations of encryption technology, however, pose significant challenges to public safety". They then proceed, as usual, to cite child abuse and terrorism as reasons why encrypted information should be accessible to the service provider and law enforcement.
Even if such measures were implemented, one could argue that not only would it not prevent criminals from communicating through encrypted methods, but it would also make the general public less safe.
Clips stolen from more than 50,000 cameras are reportedly being uploaded to pornographic websites and sold online. X-rated footage could be accessed for a $150 fee, and a Discord group with about a thousand members claims to have shared more than 3 TB of footage with at least 70 people.
This is a prime example of why you shouldn't have a camera at home, and if you really need one, why you should take appropriate measures to secure it, and not direct it to living areas.
US law enforcement is reportedly using warrants to obtain the list of users who googled specific keywords. These keyword warrants not only raise privacy concerns but have also allegedly resulted in wrongful arrests.
Google says that these warrants are a rare occurrence, that it pushes back on overly broad or vague requests, and that such demands represent less than one percent of the requests it receives.
For reference, according to its transparency report, Google received more than 50,000 requests for user information last year for the US alone. One could argue that about one percent of that figure is not "a rare occurrence".
Researchers reportedly found a backdoor in the X4 smartwatch made by a Chinese company and marketed by a Norway-based company.
If exploited, this backdoor could allow remote capture of video snapshots, voice-call wiretapping, and real-time location tracking.
The backdoor is triggered by SMS, but the messages must be encrypted with a key unique to the device and sent to the specific phone number associated with it, which limits who can exploit it in practice.
The FBI obtained 40 GB of data from Mega in a case related to child pornography. What is interesting is that the New Zealand government appears to have some kind of direct access to some users' account information. It also appears that Mega keeps a copy of the files associated with accounts disabled for breach of its terms of service, but we do not know whether it does so in all cases (for example, if the account is not disabled by Mega but deleted by the user).