More stories

  • DOJ seizes $3.6 billion in crypto from 2016 Bitfinex hack, arrests New York couple

    The Department of Justice announced the seizure of more than $3.6 billion in cryptocurrency that was stolen during an attack on the Bitfinex cryptocurrency exchange in August 2016. The DOJ also said it arrested 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan for their role in attempting to launder 119,754 bitcoin that were stolen during the attack on the Hong Kong exchange. Deputy Attorney General Lisa Monaco called the seizure the “department’s largest financial seizure ever.”

    In total, about $4.5 billion was stolen from the exchange, and two brothers, Eli and Assaf Gigi, were arrested by Israeli authorities in 2019 for their involvement in the attack. But on Tuesday, the Justice Department said Lichtenstein and Morgan, both of whom were very active on social media, initiated more than 2,000 unauthorized transactions as they tried to launder the 119,754 bitcoin stolen from Bitfinex. “Those unauthorized transactions sent the stolen bitcoin to a digital wallet under Lichtenstein’s control. Over the last five years, approximately 25,000 of those stolen bitcoin were transferred out of Lichtenstein’s wallet via a complicated money laundering process that ended with some of the stolen funds being deposited into financial accounts controlled by Lichtenstein and Morgan,” the DOJ explained. “The remainder of the stolen funds, comprising more than 94,000 bitcoin, remained in the wallet used to receive and store the illegal proceeds from the hack. After the execution of court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan, special agents obtained access to files within an online account controlled by Lichtenstein. Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure.”

    Lawyers for the government went on to accuse Lichtenstein and Morgan of using fake identities to open online accounts and deploying devices to automate transactions, in addition to a spate of other laundering techniques. The stolen funds were also deposited into several different virtual currency exchanges and darknet markets in an attempt to wash the currency, something the DOJ called “chain hopping.”

    The bitcoin was converted into other currency that shielded their identity, and US bank accounts were used to make their transactions look legitimate. “In a methodical and calculated scheme, the defendants allegedly laundered and disguised their vast fortune,” said Chief Jim Lee of IRS-Criminal Investigation (IRS-CI).

    Authorities added that they found 2,000 crypto wallet addresses and private keys in Lichtenstein’s cloud storage account, almost all of which were connected to the stolen funds.

    The two were arrested in Manhattan on Tuesday, and they are appearing in court at 3 pm ET to face charges of conspiracy to commit money laundering and conspiracy to defraud the United States. If convicted, the two face a maximum sentence of 20 years in prison for the first charge and five years for the second. “Ilya Lichtenstein and his wife Heather Morgan attempted to subvert legitimate commerce for their own nefarious purposes, operating with perceived anonymity,” said Homeland Security Investigations (HSI) acting executive associate director Steve Francis.

    In a statement, Bitfinex said it has been working with the DOJ since the investigation started and will work with the law enforcement agency “to establish our rights to a return of the stolen bitcoin.” “If Bitfinex receives a recovery of the stolen bitcoin, as described in the UNUS SED LEO token white paper, Bitfinex will, within 18 months of the date it receives that recovery, use an amount equal to 80% of the recovered net funds to repurchase and burn outstanding UNUS SED LEO tokens,” the company said. “These token repurchases can be accomplished in open market transactions or by acquiring UNUS SED LEO in over-the-counter trades, including directly trading bitcoin for UNUS SED LEO.”
    Blockchain analysis company Elliptic told ZDNet that around 21% of the stolen bitcoin have been moved and laundered over the past five years. Elliptic’s analysts found that a variety of money laundering techniques were used, including sending the funds through darknet markets, like Alphabay and Hydra, as well as the Wasabi Wallet privacy wallet, which was used to hide the blockchain money trail.

    “Some of the funds were also sent to regulated cryptocurrency exchanges that perform KYC checks on their customers, and it is likely that the suspects were identified by tracing the stolen funds to these services,” Elliptic said. “The remainder of the stolen funds, now worth $4.1 billion, were moved to a new wallet just last week, the first movement of these funds since the 2016 theft. This appears to represent the seizure of the bitcoins from Lichtenstein and Morgan, by law enforcement.”

    Bitfinex told customers in 2016 that they would all be sharing the loss, with each bearing a generalized loss percentage of 36.067%. The loss applied across the board, even to those who did not own bitcoin.

  • Vodafone Portugal hit with cyberattack affecting 4G/5G network, TV, SMS services

    Vodafone Portugal announced on Tuesday that it was hit with a cyberattack that caused network disruptions across the country.

    In a statement, the company said services based on data networks, namely the 4G/5G network, fixed voice, television, SMS and voice/digital answering services, were affected by the attack, which it discovered on Monday night. “Vodafone was the target of a network disruption that began on the night of February 7, 2022, due to a deliberate and malicious cyberattack intended to cause damage and disruption. As soon as the first sign of a problem on the network was detected, Vodafone acted immediately to identify and contain the effects and restore services,” the company said. “We have already recovered mobile voice services and mobile data services are available exclusively on the 3G network in almost the entire country but, unfortunately, the scale and seriousness of the criminal act to which we were subjected implies careful and prolonged work for all other services. recovery process that involves multiple national and international teams and external partners. This recovery will happen progressively throughout this Tuesday.”

    Law enforcement has been contacted about the attack and the company is conducting its own internal investigation to understand what happened. Reuters and other news outlets noted that two of the country’s biggest news outlets, Impresa and Cofina, were recently hit with ransomware attacks. Vodafone did not respond to requests for comment about whether the cyberattack was a ransomware incident. The company serves more than 7 million customers with mobile service as well as home and business internet.

    An ATM network operated by the country’s biggest banks reported issues due to the cyberattack on Vodafone Portugal, according to the Publico newspaper. A Vodafone spokesperson confirmed that the ATMs were down because of the outage, noting that the ATMs were connected to its 4G service.

  • Microsoft Defender: Coming soon to a group of 'family' devices, including phones

    Microsoft looks to be close to launching a preview of a version of its Microsoft Defender for Windows security product for consumers interested in protecting a ‘family’ group of devices. This version of Defender, codenamed “Gibraltar,” as BleepingComputer.com reported last year, has been in testing inside Microsoft for a number of months. A placeholder for the preview has been in the Microsoft Store for a while, but the actual Defender preview itself is now available in the Microsoft Store for U.S.-based users to download and install. (Thanks to @ALumia_Italia on Twitter for the heads up.)

    The new Defender app is meant to offer “your personal defense against cyberthreats.” More from the Store description: “Easily manage your online security in one centralized view, with industry-leading cybersecurity for you, your family, and your devices. Stay safer with real-time notifications, security tips, and recommended steps that help keep you ahead of hackers and scammers for your peace of mind.” The Store page notes that no subscription is required for the Microsoft Defender app during preview; users can download and log in using their personal Microsoft account. However, in the future, this version of Defender will require a Microsoft 365 Family or Personal subscription, the page adds.

    The Defender preview will provide consumers with a centralized view for managing and monitoring their online security status. They’ll be able to see the status of their Windows PC plus up to four additional devices (as long as they are signed in using the same personal Microsoft account), including phones and Macs. Users will be able to add or remove devices and view malware protections on all covered devices. The app will also provide recommendations for ensuring better data, computer and phone protection, delivering security tips, and providing real-time security alerts.
    I think Microsoft’s addition of a consumer-focused version of Microsoft Defender could play into its MetaOS strategy, about which I’ve written in the past. As part of MetaOS, Microsoft seems to be making sure it has consumer-focused versions of key apps and services, including Teams and Lists, that it will market alongside the existing business versions of those same apps.

    Also, in case you’re confused about Microsoft branding (and who isn’t?), Microsoft has been rebranding more and more of its security products with Defender as part of the name over the past few years. Products already in the Defender family include Microsoft 365 Defender (previously Microsoft Threat Protection); Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection); Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection); Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender); and Microsoft Defender for Identity (previously Azure Advanced Threat Protection). Simultaneously, Microsoft has been rebranding a number of products from Windows-something to Microsoft-something (example: Windows Store is now Microsoft Store). Microsoft Defender is not the rebrand of Windows Security, which, to add further to the confusion, was formerly known as Windows Defender. For now, the Defender antivirus product is part of the Windows Security app that is built into Windows 10 and 11.

  • Google has auto enrolled 150 million users in 2-step verification

    Google has auto enrolled more than 150 million users in 2-step verification after announcing the effort last year, noting in a release that the action has caused “the number of accounts hijacked by password theft decrease by 50%.” The initiative also involved requiring 2 million YouTube users to enable it.

    “This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information. And while we’re proud of these initial results and happy with the response we have received from our users and the community, we’re excited about other ongoing work we’re doing behind the scenes,” Google Chrome safety director Guemmy Kim said. “Today alone, billions of people around the world will use our products to help with things big and small, whether it’s paying for coffee with Google Pay or teaching an online class full of students, and it’s our responsibility to keep your personal information safe and secure. We know that your Gmail is often the link to accessing your non-Google accounts for banking, social media, shopping and more. That’s why the security of Gmail is fundamental to our work to keep you safe online. By making all of our products secure by default, we keep more users safe than anyone else in the world, blocking malware, phishing attempts, spam messages, and potential cyberattacks.”

    A Google spokesperson added that the company has delivered other solutions that are “secure by default” and helped lead the way in introducing “advanced authentication methods like security keys that enable a simple, more secure sign-in experience for users.” “These solutions include the Advanced Protection Program, which protects high-risk users such as journalists, celebrities and other public figures, 37% of whom have had their accounts hacked in the last year, according to a recent Google/YouGov poll,” the spokesperson added. Google said last year that it would offer additional protection for “over 10,000 high-risk users” through a partnership with organizations that will see them provide free security keys.

    Kim explained that security keys are another form of verification that simply requires you to plug in and tap your key. The company has built security keys into Android phones and the Google Smart Lock app on Apple devices. More than two billion devices now use the technology. Google, Kim added, is ultimately trying to reduce user reliance on passwords because of how often passwords are involved in data breaches and phishing attempts. Kim noted that Google has additionally created a “security checkup” tool that gives you personalized recommendations on things you can do to beef up the security around your Google Account and prepare your account for recovery. Google also urges other users to sign up for 2-step verification if they haven’t already and to use Google Password Manager.

    Google announced in October 2021 that it planned to get 150 million people auto enrolled in 2-step verification by the end of the year.

  • You've still not patched it? Hackers are using these old software flaws to deliver ransomware

    Log4j has dominated recent discussions around cybersecurity vulnerabilities, but the emergence of the Java logging library security flaw has allowed several other major vulnerabilities abused by cyber criminals to fly under the radar, potentially putting many organisations at risk from ransomware and other cyberattacks. The focus on Log4j, described at the time as one of the most serious cybersecurity vulnerabilities to ever emerge, was understandably the key issue for enterprise cybersecurity teams in the final weeks of 2021.


    But cybersecurity researchers at Digital Shadows have detailed several other vulnerabilities that appeared last year, or that are even older and continue to be left unpatched and exploited, which may have been missed and continue to provide opportunities for cyber criminals. Failure to patch these vulnerabilities could have potentially dangerous consequences for businesses as malicious hackers exploit them to launch ransomware attacks, malware campaigns and other cyber-criminal activity.

    In total, researchers identified 260 vulnerabilities being actively exploited for attacks in the final quarter of 2021, and a third of them, a total of 87 vulnerabilities, being used in association with ransomware campaigns. One set of vulnerabilities that is particularly popular with ransomware groups is the ProxyShell bugs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), which were initially disclosed in July 2021 and allow attackers to chain Microsoft Exchange vulnerabilities to remotely execute code on unpatched servers.

    These vulnerabilities are still being exploited by several ransomware groups, including Conti, one of the most active ransomware operations of the past year. That means that any organisation that hasn’t patched ProxyShell over six months on from disclosure is at risk of falling victim to ransomware and other malware attacks.

    Another vulnerability that continues to be exploited affects QNAP Network Attached Storage (NAS) devices. The authorisation vulnerability that affects QNAP NAS running HBS 3 (CVE-2021-28799) was identified in April 2021 and was quickly exploited to deliver QLocker ransomware. Ransomware groups continue to target vulnerable QNAP devices almost a year on, with new forms of ransomware, including DeadBolt ransomware, taking advantage of vulnerable systems.

    But it isn’t just relatively recent vulnerabilities that are exploited. Researchers note that a vulnerability in Microsoft Office that allows attackers to hijack Microsoft Word or Microsoft Excel to execute malicious code (CVE-2012-0158) is still being used to deliver ransomware attacks, a decade on from disclosure. It’s possible that organisations aren’t even aware that some of these vulnerabilities exist, and that unawareness could make them a prime target for cyber criminals who are happy to exploit whatever they can to launch attacks.

    “Cyber criminals are inherently opportunistic. There need not be an exotic zero-day, or similar vulnerability that ‘takes up all the oxygen’ in the room,” Joshua Aagard, research analyst at Digital Shadows, told ZDNet. Attackers are often more pragmatic, grabbing hold of what works, regardless of visibility.

    Patch management can be a challenging task, especially for large organisations with vast IT networks, but a coherent and timely patching strategy is one of the most effective ways to help prevent known vulnerabilities being used to launch cyberattacks. “Taking a risk-based approach is the most effective method of targeting vulnerabilities, which will ultimately have the most significant impact on reducing your overall cyber risk,” said Aagard.

  • Pay to play PrivateLoader spreads Smokeloader, Redline, Vidar malware

    An examination of a pay-per-install loader has highlighted its place in the deployment of popular malware strains, including Smokeloader and Vidar.


    On Tuesday, Intel 471 published a report into PrivateLoader that examines cyberattacks making use of the loader since May 2021. The pay-per-install (PPI) malware service has been in the cybercrime field for a while, but it is unknown who is behind the malware’s development.

    Loaders are used to deploy additional payloads on a target machine. PrivateLoader is a variant that is offered to criminal customers on an installation basis, in which payment is made based on how many victims they manage to secure. PrivateLoader is controlled through a set of command-and-control (C2) servers and an administrator panel designed with AdminLTE 3.
    The front-end panel offers functions including adding new users, configuration options to select a payload to install through the loader, target selection for locations and countries, the setup of payload download links, encryption, and selecting browser extensions for compromising target machines.

    Distribution of the loader is primarily through cracked software websites. Cracked versions of popular software, sometimes bundled with key generators, are illegal forms of software tampered with to circumvent licensing or payment.

    Download buttons for cracked software on websites are actually embedded with JavaScript that deploys the payload in a .ZIP archive. In samples collected by the cybersecurity firm, the package contained a malicious executable. This .exe file triggers a range of malware, including a fake GCleaner load reseller, PrivateLoader, and Redline.

    The PrivateLoader module has been used to execute Smokeloader, Redline, and Vidar since at least May 2021. Out of these malware families, Smokeloader is the most popular. Smokeloader is a separate loader that can also be used for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware able to exfiltrate many different data types, including passwords, documents, and digital wallet information.

    A distribution link for grabbing Smokeloader also hints at a potential connection to the Qbot banking Trojan. PrivateLoader bots have also been used for the distribution of the Kronos banking Trojan and the Dridex botnet. PrivateLoader isn’t specifically tied to the deployment of ransomware, but a loader linked to this malware, dubbed Discoloader, has been used in attacks designed to spread Conti.

    “PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals,” the researchers say. “By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader.”

  • Chinese telecom Hytera charged for allegedly recruiting Motorola employees to steal trade secrets

    A Chinese telecommunications firm has been indicted over an alleged insider operation aimed at stealing trade secrets belonging to Motorola. 

    The US Department of Justice (DoJ) said on Monday that Hytera Communications Corp “recruited and hired Motorola Solutions employees and directed them to take proprietary and trade secret information from Motorola without authorization.”

    According to the indictment, unsealed in the Northern District of Illinois, Motorola and Hytera both moved from the sale of analog mobile radios (walkie-talkies) to digital mobile radios (“DMRs”) after a 2004 announcement by the US Federal Communications Commission (FCC) that vendors must make the shift by 2013. Motorola began working on digital radios in the same year as the FCC’s decree. “Hundreds of Motorola employees spent years developing the hardware and software solutions to design, manufacture, market, and sell DMRs,” the DoJ says. “By 2007, Motorola marketed and sold DMR products in the United States, and elsewhere, including the Northern District of Illinois.” Three years later, Hytera launched its own commercial shift to DMRs, with sales made by affiliates in the United States. However, Shenzhen-based Hytera had recruited a number of former Motorola employees between 2008 and 2009.

    “The charges allege that, while still employed at Motorola, some of the employees allegedly accessed the trade secret information from Motorola’s internal database and sent multiple emails describing their intentions to use the technology at Hytera,” US prosecutors say. The trade secrets included hardware, radio software architecture, benchmarking strategies, connectivity module designs, and DMR source code.

    Furthermore, the DoJ claims that up until 2020, former Motorola employees were recruited with high salaries and more benefits than they were offered by their ex-employer, and they were asked to use Motorola’s “proprietary and trade secret information to accelerate the development of Hytera’s DMR products, train Hytera employees, and market and sell Hytera’s DMR products.”

    As part of the 21-page indictment, Hytera is being charged with conspiracy to commit theft of trade secrets. The names of others allegedly involved in the scheme have been redacted, but they are also charged with individual counts of possession or attempted possession of stolen trade secrets. If Hytera is found guilty, the telecoms firm may be required to pay up to “three times the value” of the stolen intellectual property, including the expenses incurred for research. “A federal district court judge will determine any sentence after considering the US Sentencing Guidelines and other statutory factors,” the DoJ added.

    Hytera told Reuters that it is “disappointed” by the charges, commenting that “the indictment purports to describe activities by former Motorola employees that occurred in Malaysia more than a decade ago. Hytera looks forward to pleading not guilty and telling its side of the story in court.”

    Motorola has issued a number of legal actions against Hytera in previous years. In a statement, Motorola said the company will continue to pursue Hytera “to prevent Hytera’s serial infringement and to collect the hundreds of millions of dollars in damages it owes to Motorola Solutions.”

  • PJCIS backs expansion of intelligence oversight powers for IGIS and itself

    Australia’s parliamentary body that scrutinises the country’s security agencies has backed the Inspector-General of Intelligence and Security (IGIS) taking on more intelligence oversight responsibilities. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) in an advisory report this week said it supports the passing of new intelligence oversight laws that would extend the IGIS’s oversight role to the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Australian Criminal Intelligence Commission (ACIC). The IGIS already has existing oversight arrangements with six agencies within Australia’s national intelligence community (NIC): the Office of National Intelligence, Australian Security Intelligence Organisation, Australian Secret Intelligence Service, Australian Signals Directorate, Australian Geospatial-Intelligence Organisation, and Defence Intelligence Organisation.

    The intelligence oversight Bill’s passage would also expand the PJCIS’s own powers, giving the committee oversight functions over ACIC too. The PJCIS believes the Bill should provide even more oversight powers to itself, however, as the committee recommended it should also have oversight responsibilities over AUSTRAC and the Australian Federal Police. “The committee further considers that it is necessary to extend oversight to the specialised intelligence functions of the AFP. Accordingly, the committee considers legislation governing both the PJCIS and the IGIS should be amended to support this,” the PJCIS wrote in its report. The committee explained that further expansion made sense for Australia’s oversight of intelligence agencies, as the committee already oversees the administration and expenditure of the intelligence agencies, while the Inspector-General acts as an independent statutory officer who reviews the agencies’ operational activities.

    The Bill was introduced into Parliament at the end of 2020 based on recommendations from the Richardson review, which examined the effectiveness of the legislative framework that governs the NIC. The review found that the core intelligence functions performed by AUSTRAC and the ACIC were suited to specialised intelligence oversight by the IGIS.

    While the committee and IGIS would get new powers if the Bill becomes law, the committee noted the additional responsibilities could stretch the resources of both entities. In making this point, the committee said it hoped additional funding would be allocated to alleviate these concerns. “Extending oversight to the NIC agencies would place a significantly higher workload onto these bodies, which could have the unintended consequence of diluting oversight rather than strengthening it,” the report said. “As the agencies themselves grow, and their work becomes more complex as technologies and methodologies change, the oversight of that work will also grow more challenging and complex. Staffing for the oversight agencies will need to be considered to ensure that it can be conducted to the standard necessary.”

    In a separate report that was also released this week, the PJCIS called for the relationship between government and the nation’s telco providers to be formalised, as it believes reliance on the current voluntary processes is now insufficient. “The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the Telecommunications Sector Security Reforms up until now, but the committee can not be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry,” the report said.