More stories

  • Robinhood breach leaks information of 7 million people

    Robinhood announced that its popular app has suffered a breach, exposing millions of email addresses, names and more. In a statement released on Monday, Robinhood said it discovered the incident on the evening of November 3, explaining that an “unauthorized third party” managed to obtain personal information of its customers. The company was quick to say that no Social Security numbers, bank account numbers, or debit card numbers were exposed, but it admitted that about 7 million people had some amount of information leaked in the attack. The customers affected have been emailed. “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people,” the company said. “We also believe that for a more limited number of people — approximately 310 in total — additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.” Robinhood said the cybercriminal threatened the company and demanded “an extortion payment.” It did not say whether it paid the sum, but noted that it contacted law enforcement and hired cybersecurity firm Mandiant.

    “As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.” Mandiant Chief Technology Officer Charles Carmakal told Bloomberg that he believes the people behind the attack will “continue to target and extort other organizations over the next several months.” Robinhood was fined $70 million in July by the US Financial Industry Regulatory Authority for causing “significant harm” to “millions of customers” through a number of systematic failures, including major outages in March 2020, as well as “false or misleading information” sent to customers by the company. For Robinhood customers interested in learning more about how their accounts are kept safe, the company suggested heading to the app and looking through the “Account Security” section. Bob Rudis, chief data scientist at Rapid7, told ZDNet that Robinhood was the victim of an attack back in 2020, and he noted that once a company has been a target, it tends to remain on hit lists. This is particularly true for wildly successful financial services startups like Robinhood, he added. “While many organizations have affixed their gazes on ransomware, traditional cybercriminal enterprises continue to pilfer coveted identity information from individuals who likely have — or aspire to have — significant financial assets. This core information — name, email address, and other metadata — is used in highly targeted (and, far too often, successful) phishing campaigns and identity theft campaigns, making all exposed potential extended victims of the core attack,” Rudis said.

    “Anyone who is a Robinhood customer should be extra vigilant and ensure they have unique passwords across their cloud application portfolio and MFA enabled on all of them (anyone who uses any non-trivial internet service that doesn’t support MFA should cease using said service(s) and strive to be as safe as they can online). These attacks persist against all financial services firms, and it only takes one misstep to fall prey to clever, targeted campaigns.”

  • DDoS attack cost Bandwidth.com nearly $12 million

    VoIP giant Bandwidth.com reported its third quarter earnings on Monday, bringing in revenue of $131 million. But the company noted in another release that a recent DDoS attack will end up costing it “between $9 million and $12 million” for the full fiscal year. While the company still beat expectations for Q3, the financial cost of the attack — which was first reported by The Record — illustrates how much damage DDoS incidents can cause.

    The company filed a document with the SEC on October 26 explaining that the attack caused a “decrease of approximately $700,000 in third quarter 2021 revenue from lost transaction volume and customer credits.” “Based on preliminary usage data and currently known information, the company estimates that the impact of the DDoS attack may reduce CPaaS revenue for the full year of 2021 by an amount between $9 million and $12 million, inclusive of the aforementioned $0.7 million revenue impact in the third quarter,” the company said in the filing. On an earnings call on Monday, Bandwidth said many of the customers who left the company after the attack have already indicated they may return, and executives noted that they did not pay a ransom to address the attack. In September, Bandwidth CEO David Morken confirmed that it was suffering from outages after reports emerged that the service was dealing with a DDoS attack. Other VoIP vendors like Accent, RingCentral, Twilio, DialPad, and Phone.com were experiencing outages and telling customers that the problems were with an “upstream provider.”

    A source, who asked to have their name withheld, told ZDNet that their customers were having major problems with their ported phone numbers and that they could not make any changes like forwarding phones. The company is a downstream reseller of products hosted by Bandwidth and said it knew of a major telecommunications company that “was in emergency mode” due to the situation with Bandwidth. While the attack caused outages for days and the company reported its expected losses, Morken said it had little impact on the company’s successful quarter. “I am proud of our team’s performance to combat a series of sophisticated DDoS attacks aimed at Bandwidth and our industry. Despite the impact from the DDoS attack at the end of September, our revenue results for the third quarter exceeded our guidance,” Morken said. “Consistent with our ethos to do the right thing for our customers, we helped some of our customers divert traffic from our platform during the attack to mitigate impacts to their businesses. While that traffic is beginning to come back, we believe we will see a top-line impact of that lost volume primarily in the fourth quarter. We believe we are now stronger than ever, and are focused on serving our customers.” Multiple VoIP companies reported DDoS attacks over the last few months, and Cloudflare researchers said they saw several “record-setting HTTP DDoS attacks,” noting the emergence of ransom DDoS attacks on VoIP service providers. Canada-based VoIP provider VoIP.ms said it battled a week-long, massive ransom DDoS attack earlier this year. The REvil ransomware group demanded a $4.5 million ransom to end the attack.

  • DOJ charges and sanctions REvil leaders behind Kaseya attack, seizes $6 million in ransoms

    US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the leaders of the REvil ransomware group as well as sanctions against organizations helping groups launder illicit funds.

    At a press conference on Monday, US attorney general Merrick Garland announced indictments of 22-year-old Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin for their involvement in REvil’s operations. Vasinskyi was arrested in Poland last month and is now facing charges for the attack on Kaseya that infected more than 1,000 companies with ransomware this summer. Garland said that Vasinskyi — who went by the name “Robotnik” online — was one of the masterminds behind the REvil ransomware and is facing extradition after being arrested by Polish authorities on October 8. Garland added that while Polyanin has not been arrested, he was also hit with a litany of hacking-related charges and had $6.1 million in ransom payments seized by law enforcement agencies. According to the DOJ, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group has allegedly brought in at least $200 million from ransoms. Garland noted that Polyanin has been tied to at least 3,000 ransomware attacks. “Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted approximately $13 million dollars from his victims,” Garland said while unveiling the indictments of both men. “For the second time in five months, we announced the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time. The US government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats.” Garland, deputy attorney general Lisa Monaco, and FBI director Christopher Wray repeatedly thanked Kaseya for coming forward to law enforcement agencies almost immediately after discovering the REvil attack.

    All three noted that the company’s quick decision went a long way in helping the FBI and others track down the payments and help other victims. Alongside the indictments, the Treasury Department announced sanctions against the Chatex virtual currency exchange and its associated support network for allegedly facilitating financial transactions for ransomware actors. IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd were also sanctioned for providing support to Chatex. The Treasury Department also unveiled a $10 million bounty for information about anyone who holds a key leadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group. There is another $5 million reward for information leading to the arrest or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident. Recorded Future ransomware expert Allan Liska said the slate of actions on Monday dispelled the notion that law enforcement action was largely ineffective against ransomware groups. “We’re not going to pop corks and say ransomware is over yet, but I do think that we’re starting to see an impact. I’m excited that there are more sanctions against cryptocurrency exchanges that are known for laundering money. I also like that the Treasury Department called out some smaller countries, like Estonia and Romania, for their assistance in this, because I think it starts to show that Russia really is isolated in this, more so than they had been in the past,” Liska said. “The seizing of those assets from a Russian citizen kind of shows that even if you’re based in Russia, you’re not safe. They may not be able to arrest you, but they can impact you in ways that you probably haven’t thought of yet.”

  • Annke NC400 and NC800 security camera review: Nice mid-price cameras — but the desktop app needs to be updated

    Annke makes solid external security cameras — but the CZ400 PTZ security camera I reviewed at the start of 2021 was really difficult to set up. Now the latest cameras in Annke’s line-up show that the brand has listened to feedback and has made some changes — but has it gone far enough? The recently released Annke NC400 and NC800 bullet camera models use a feature that Annke calls NightChroma, which adds colour to night vision images. There are a lot of other features added to these cameras too.

    Annke NC800

    Made from heavy-duty aluminium, the Annke NC800 is a 4K security camera with a 2.8mm lens, a horizontal field of view of 102 degrees and a vertical field of view of 52 degrees. It will capture human and vehicle motion and will detect movement if someone crosses a pre-defined line. It uses a 1/1.2 inch STARVIS progressive scan CMOS and will record an image of up to 2688 x 1520 at up to 30fps. It will detect objects in light levels down to 0.0005 Lux and at distances of up to 130ft. It also has an LED spotlight that activates when something crosses into its field of view.

    Like: well constructed; colour night vision

    Don’t Like: poor documentation in the box; difficult to find correct desktop software; management software needs updating

    The Annke NC800 bullet security camera is a fairly compact camera at 78.8 x 78.6 x 215.2 mm. It’s well-built and weighs 860g. It has impressive image enhancement techniques, using WDR (Wide Dynamic Range), BLC (Back Light Compensation), HLC (Headlight light correction) and DNR (Digital Noise Reduction). Annke does not explain any of these acronyms on its website — but assumes that everyone who wishes to purchase one of its cameras already knows what the acronyms mean. That may be annoying for first-time buyers.

    It uses a MicroSD card up to 256GB for local storage, or you can connect it using a NAS or a 4K PoE (Power over Ethernet) NVR (Network Video Recorder). It is rated at IP67, so it’s waterproof and dustproof and can be used outside or inside. Inside the box is the NC800, a pack of waterproof connectors and a screw fixing kit. A camera quick start guide and a user guide explain which cables are which and show how to attach the camera to the network video recorder (NVR). There is also a mini-CD — presumably with documentation — but I could not confirm this as none of my current PCs have a CD slot. You need to download the ‘SADP’ software — whatever that is — from Annke’s download centre. The user guide does not explain what the SADP software is. I took a punt and downloaded the ‘Annke Sight’ software. This did not work due to a missing DLL file. I then tried to install the Guarding Vision software, and also installed the Annke Vision app onto my Android phone. This was all guesswork on my part, as the documentation did not mention any of this. I finally searched the support site for mention of SADP and got to an article that linked to the download of the SADP tool. This is a very clunky process, and setting up the management app is nowhere near as simple as most other security systems I have reviewed. The install process uses Internet Explorer, which hangs and needs to be stopped using Task Manager. The Guarding Vision software added the client, storage server and streaming media software onto my PC. The software quickly picked up my network-connected camera and allowed me to add other devices to the group.

    The Android phone software quickly connected the camera to the app and gave a live view of the camera. You can add up to 16 cameras in the group and monitor them simultaneously. You can configure various settings, such as the local time zone, microphone, image encryption, and other formats. You can also link cameras together in zones. You can customize voice alerts and other parameters such as alarms and Wi-Fi settings. There are several other features you can tweak too, depending on your setup. You can digitally zoom the image up to 8.0x, and the image is fairly crisp and clear — even in low light. It picks up sound from up to 20 feet away and has noise cancelling features to pick up clear and distinct voices.

    Annke NC400

    The Annke NC400 bullet security camera is a well-built camera with an aluminium body. It is smaller than the NC800, with dimensions of 68.4 x 65.2 x 161.q, and it weighs 430g. Like the NC800, it is rated at IP67, so it is dustproof and waterproof. It has a 2.8mm lens and a 1/2.7 inch CMOS image sensor, and it will detect movement in light levels down to 0.001 Lux. It has an LED spotlight. Its resolution is 4MP, 2560 x 1440px, at up to 20fps. Like the NC800, it has a horizontal field of view of 102 and a slightly larger vertical field of view of 54 inches. It will detect objects up to 100 feet away. The NC400 also has 4MP QHD colour night vision.

    Inside the box, there is the NC400, a pack of waterproof connectors and a screw fixing kit. There is also a screw fixing template and a quick start guide explaining how to connect the NC400 to the NVR (sold separately). You can connect the camera as an analogue system and connect the NVR to a router so you can access the NVR through your mobile phone. There is no option in the NC400 to add a memory card to the camera.

    The NC400 does not have a QR code to add the camera to the app easily. Scanning the bar code does cause the app to beep — but the camera fails to connect. Only after using the SADP device manager and adding the camera password and security details did the camera appear in the list of cameras. It is a really clunky process and not something that I want to do often. The Reolink range of security cameras is far simpler to set up. Other features — like the 8.0x digital zoom — are common to the app and not specific to the camera itself.

    All in all, these are well-built cameras that are sturdy and strong with great image features. The SADP software needs to be refreshed and updated as it looks outdated, and Annke could spend time making the user guide far more comprehensive. The NC800 is offered for sale at $350 and the NC400 at $130 — good mid-range prices for the camera build and quality. Be aware of the desktop app limitations and the extra security hoops you need to jump through to make the product secure, and you could get a great security camera system for your business or home.

  • Investor group acquires McAfee for more than $14 billion


    An investor group has acquired cybersecurity giant McAfee Corporation for more than $14 billion. Led by Advent International Corporation, Permira Advisers, Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Private, and a wholly-owned subsidiary of the Abu Dhabi Investment Authority, the investment group bought all outstanding shares of McAfee common stock for $26 per share in an all-cash transaction. The price was based on McAfee’s closing share price of $21.21 on November 4. McAfee shareholders will receive $26 in cash for each share of common stock they own, and the deal will close at some point in the first half of 2022. Once the deal is completed, McAfee common stock will no longer be listed on any public securities exchange. McAfee sold its enterprise security business to a consortium led by Symphony Technology Group in a deal worth $4 billion in March. Since its split from Intel in early 2017, McAfee has pivoted to cloud services and worked to build out its platform with a focus on its enterprise product portfolio. However, the company is now narrowing its focus and directing its resources to the consumer side of the business in a bid for long-term growth. McAfee CEO Peter Leav said at the time that the transaction would allow McAfee to focus solely on its consumer business and accelerate its strategy to be a leader in personal security for consumers. The enterprise security business was merged with FireEye in a $1.2 billion all-cash transaction that closed in October.

    Leav said the deal on Monday was a “testament to McAfee’s market-leading online protection solutions, our talented employees, and outstanding customers and partners.” “We want to thank our employees for their continued hard work and commitment to McAfee. We are thrilled to be partnering with premier firms who truly understand the cybersecurity landscape and have a proven track record of success,” Leav said. McAfee completed its initial public offering last year. TPG and Intel are still shareholders in the company. The investor group said in a statement that it would provide McAfee with financial support as well as operational resources to help the company meet rising demand for cybersecurity services. The company added that McAfee’s Board and advisors now have a 45-day shopping period during which they can look for better acquisition proposals. Jon Winkelried, CEO of TPG and chair of the McAfee Board, said the deal signals continued growth and opportunity for McAfee, noting that over the last four years, the company has expanded its product portfolio, enhanced its go-to-market strategy, and pursued strategic M&A efforts. “The risks that consumers face from all aspects of their digital lives are immense, and these risks are unprecedented and rapidly increasing,” said Greg Clark, managing partner at Crosspoint Capital and former CEO of Symantec. “Consumers buy from brands they trust, and with the globally recognized brand of McAfee, we see the long term opportunity to deliver products and services to address these risks in all aspects of their digital presence.”


  • Ransomware: Suspected REvil ransomware affiliates arrested

    Romanian authorities have arrested two individuals suspected of cyber-attacks using the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, accounting for €500,000 in ransom payments, according to European law enforcement agency Europol. REvil has been one of the most notorious ransomware groups of 2021, responsible for hundreds of high-profile attacks around the world. A further suspected GandCrab affiliate was arrested by Kuwaiti authorities on the same day. In addition to these arrests, Operation GoldDust, a 17-nation law enforcement operation, saw three additional arrests in February and April by authorities in South Korea against affiliates involved with REvil ransomware. Another affiliate, a Ukrainian national, was arrested at the Polish border in October following an international arrest warrant from the US. The Ukrainian suspect was arrested on suspicion of involvement in the Kaseya ransomware attack, which affected around 1,500 companies across the world. In total, the operation has resulted in seven arrests, and it’s the first time they’ve been disclosed publicly by law enforcement. The operation involved police from countries around the world and the international law enforcement agencies Europol, Eurojust, and Interpol. The arrests follow a joint operation which was able to intercept communications and seize infrastructure used during campaigns.

    Operation GoldDust also received support from the cybersecurity industry from companies including Bitdefender, KPN, and McAfee. Researchers at Bitdefender provided technical insights throughout the investigation, along with decryption tools to help victims of ransomware attacks recover their files without having to pay the ransom. Decryption tools for several versions of GandCrab and REvil ransomware are available for free via the No More Ransom project. According to Europol, the REvil decryption tools have helped more than 1,400 companies decrypt their networks following ransomware attacks, saving over €475 million ($550 million) from being paid to cyber criminals. Europol supported the operation by providing analytical support, as well as analysis of malware and cryptocurrency. The 17 countries participating in Operation GoldDust are Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, and the United States. “These arrests illustrate what can be achieved when the public and private sectors pool their resources to fight cybercrime. This operation was an around-the-clock global effort to hunt down those responsible for the most devastating ransomware attacks in recent history, leaving no stone unturned,” Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender, which aided investigations, told ZDNet. “The success of this operation is a wake-up call for cybercriminals. They should understand if they are caught in the crosshairs of an international effort to find them, they can’t hide,” he added. The arrests are the latest in a string of operations by law enforcement targeting ransomware operations. Last month saw a Europol-led operation target 12 suspects in Ukraine and Switzerland believed to be behind LockerGoga, MegaCortex, Dharma, and other ransomware attacks. It was also recently reported that law enforcement from multiple countries helped take down key elements of REvil.

  • Cybersecurity firms provide threat intel for Clop ransomware group arrests


    Further details have been revealed concerning a 30-month investigation designed to disrupt the operations of the Clop ransomware group. 

    In June, Ukrainian police arrested six suspects in 20 raids across Kyiv and other towns, seizing computers, technology, cars, and roughly $185,000. The Ukrainian National Police worked with law enforcement in South Korea on the raid, now known as Operation Cyclone. Interpol, an inter-governmental organization focused on facilitating coordinated activities between police agencies worldwide, said last week that the operation was managed by Interpol’s Cyber Fusion Centre in Singapore. Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB contributed threat intelligence through the Interpol Gateway project, together with police from Ukraine, South Korea, and the United States. South Korean firms S2W LAB and KFSI also contributed Dark Web activity analysis. South Korea was particularly interested in the arrests due to Clop’s reported involvement in a ransomware attack against E-Land. The ransomware’s operators told Bleeping Computer that point-of-sale (PoS) malware was implanted on the Korean retail giant’s systems for roughly a year, leading to the theft of millions of credit cards.

    Clop is one of many ransomware gangs that operate leak sites on the Dark Web. The groups will claim responsibility for a ransomware attack and will use these platforms for dual purposes: to facilitate communication with a victim to negotiate a blackmail payment in return for a decryption key — as well as to conduct further extortion by threatening to leak stolen, sensitive data on the portal if they do not pay up. Clop has previously exploited zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software, alongside other attack vectors, to claim high-profile victims including the Reserve Bank of New Zealand, Washington State Auditor, Qualys, and Stanford Medical School. The six suspects are also accused of money laundering, as Clop overall is believed to have laundered at least $500 million obtained from ransomware activities. If convicted as part of the notorious group, the defendants face up to eight years behind bars. “Despite spiraling global ransomware attacks, this police-private sector coalition saw one of global law enforcement’s first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly,” commented Craig Jones, Interpol’s Director of Cybercrime. However, it should be noted that the six arrests in Ukraine have not stopped the Clop ransomware group’s activities or disrupted its leak site. It is believed the main operators of the ransomware are based in Russia.

    Interpol added that Operation Cyclone “continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency.” In recent ransomware news, the US State Department has offered a bounty worth $10 million for information “leading to the identification or location of any individuals holding key leadership positions” in the DarkSide ransomware group.

  • Labor wants new anti-scam centre and code of practice for fighting against scams

    The Labor Party has vowed to set up a hub for monitoring and preventing scams if it is voted into Parliament at the next election, to address the rising number of scams in Australia. The hub, labelled an anti-scam centre, would look to make existing regulators, law enforcement officers, banks, telcos, and social media platforms all work together under the same umbrella to address scams. “AU$33 billion a year is being lost to criminals … We’ve got to do more. We’ve got to crack down on the illegal activity and we’ve got to do what we can to get the vectors of illegal activity, ensuring that they’re doing their bit as well,” Shadow Assistant Treasurer Stephen Jones said. In a scam report published by Microsoft in July, the company said 68% of Australians encountered some form of tech support scam, which was nine percentage points higher than the global average. In another scam report, Australia and New Zealand Group said it has seen a 73% increase in scams being detected or reported by customers, compared to the same time last year. The Labor party also wants to create a new code of practice for fighting against scams and allocate AU$3 million over three years to community organisations that support those who have experienced ID theft, Jones said. In proposing this plan, Jones said Australia has been slow to address scams, pointing to how similar hubs have been established in Canada and the UK. “We should be treating [scams] like any other criminal activity. But we’re not, because Scott Morrison is asleep on the job. Of course, we want to stop this, but we know that some of it will get through. So we’ve got to do our bit to ensure that we are supporting the victims of illegal scamming,” he said.

    The federal government has so far focused primarily on addressing scams through working with the telco sector. Last month, the government launched a new initiative with telcos to block scam text messages posing as legitimate government sender IDs, such as Centrelink, myGov, and the Australian Taxation Office. Prior to that initiative, the federal government rolled out a Reducing Scam Calls Code, which is a telco sector-specific code for blocking spam. Since it was adopted in December, telcos have blocked over 214 million scam calls. By comparison, telcos had blocked 30 million scam calls in the year prior to the code’s rollout. During Senate Estimates, Home Affairs secretary Mike Pezzullo also said his department was looking to provide telcos more powers to block spam and malicious content under the Telecommunications Act.