More stories


    Multiple governments involved in coordinated takedown of REvil ransomware group: Reuters

    Cybersecurity experts have told Reuters that law enforcement officials from multiple countries were involved in the disruption of the REvil ransomware gang, which went dark for the second time on Sunday. Rumors and questions about the group’s most recent disappearance dominated conversation this week after Recorded Future security expert Dmitry Smilyanets shared multiple messages on Twitter from ‘0_neday’ — a known REvil operator — discussing what happened on the cybercriminal forum XSS. He claimed someone took control of the group’s Tor payment portal and data leak website.

    In the messages, 0_neday explains that he and “Unknown” — a leading representative of the group — were the only two members of the gang who had REvil’s domain keys. “Unknown” disappeared in July, leaving the other members of the group to assume he died. The group resumed operations in September, but this weekend, 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown.” In another message, 0_neday said, “The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good luck, everyone; I’m off.”

    Now Reuters has confirmed that law enforcement officials from the US and other countries, alongside a number of cybersecurity experts, were behind the actions 0_neday described on Sunday. VMware head of cybersecurity strategy Tom Kellermann and other sources told Reuters that the governments hacked REvil’s infrastructure and forced it offline.

    The FBI and White House did not respond to requests for comment. Jake Williams, CTO of BreachQuest, told ZDNet that REvil being compromised has been talked about in closed CTI groups since at least October 17. “It was known no later than the 17th that core group members behind REvil were almost certainly compromised. By standing up the Tor hidden services, someone demonstrated they had the private keys required to do so. This was effectively the end of REvil, which was already having trouble attracting affiliates after its infrastructure went offline in July following the Kaseya attack,” Williams said. “To attract affiliates, REvil had been offering up to 90% profit shares, but were still finding few takers. After the Tor hidden service was turned on, demonstrating possession of the private keys, it was obvious that the group had been breached and they would be unable to attract new affiliates for operations. A big open question in my mind is whether re-enabling the Tor hidden services was a counterintelligence mistake by law enforcement or was an intentional act to send a message. There are certainly arguments for either case.”

    The FBI has faced backlash in recent weeks because it recently revealed that it had obtained a universal decryption key for the hundreds of victims affected by the ransomware attack on Kaseya. But FBI officials told Congress that they held off providing the keys to victims for weeks because they were planning a multi-country effort to take down REvil’s infrastructure. REvil ended up closing shop before the operation could be undertaken, and the FBI eventually handed out the keys to victims and helped a company create a universal decryptor. Reuters reported that when the group resurfaced in September, they actually restarted the servers that had been taken over by law enforcement officials. This led to the most recent law enforcement action, according to Reuters, which added that the operation is still ongoing.

    Williams noted that it appears likely that at least some arrests were involved, pointing back to the original messages from 0_neday. “The launch of the hidden service indicates someone else possesses the private keys for their hidden services. While the keys could potentially have been acquired purely through hacking back, it’s hard to imagine that’s the case given Unknown’s disappearance as well. The obvious conclusion is that it’s likely Unknown (or a close co-conspirator) was arrested, though the arrest may have been enabled via hacking back operations,” Williams said.

    For those hit with ransomware after the group’s return, Williams said it was unlikely that the government had decryption keys or that the remaining gang members would release them. “After the July disruptions, it’s believed that REvil reset the campaign keys used by each affiliate. Core REvil user 0_neday announced that campaign keys would be given to REvil affiliates so they could continue negotiating with their victims. It seems unlikely at this point that the US government has a master key for REvil,” Williams explained. “After the backlash over not releasing the campaign key used in the Kaseya attack, it’s hard to believe the government would risk more negative publicity. Individual affiliates may release their campaign keys, but it seems doubtful at this time that the core REvil group will.”

    Williams added that REvil affiliates regularly used double extortion — the exfiltration of data from victim networks with the threat of release — to compel payment. He noted that typically, these affiliates stay in line and don’t release data because doing so would remove them from future work with the core group. But now that work from REvil will be drying up, affiliates will need new sources of revenue. “It won’t be surprising to see stolen data sold on the dark web. I anticipate that some organizations who believed their data was safe because they paid an REvil ransom are in for a rude awakening,” Williams told ZDNet.


    Republican Senate leaders slam new TSA cybersecurity regulations for rail, aviation industry

    Republican leaders in the US Senate have come out harshly against new cybersecurity regulations designed to protect US railroad and airport systems. The new rules were handed down earlier this month by Homeland Security Secretary Alejandro Mayorkas and will be managed by the Transportation Security Administration (TSA). The regulations were prompted in part by an April attack on New York City’s Metropolitan Transportation Authority — one of the largest transportation systems in the world — and a 2020 attack on the Southeastern Pennsylvania Transportation Authority. But in a letter to David Pekoske, administrator of the Transportation Security Administration, five senior US Senators criticized the new rules and how they were rolled out.

    Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young and Deb Fischer — all part of the Committee on Commerce, Science and Transportation — slammed the use of emergency authority to push the rules out, questioning whether they were “appropriate absent an immediate threat.” The senators urged Pekoske to “reconsider” the rules, arguing that “the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency.”

    The letter says the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.” The Republican leaders argued that the country is not in an emergency situation because it has been five months since the ransomware attack that shut down Colonial Pipeline and left significant parts of the East Coast in a week-long scramble for gasoline.

    They added that the TSA erred in forcing the rules onto the industry and not adopting “a more collaborative approach” with industry experts before issuing them. “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.”

    Chinese state-backed hackers were implicated in the April attack on New York City’s Metropolitan Transportation Authority, which alarmed city officials and federal authorities. The attackers did not get far enough into the system to cause damage but easily could have, effectively pulling out on their own accord, according to sources who spoke to The New York Times at the time. City officials are still concerned that the hackers may have left any number of backdoors in the system that would allow them to regain entry easily. Those backing the TSA regulations also noted a ransomware attack on ferry services to Cape Cod earlier this year.

    Responses to the letter ranged from those who tacitly agreed that the new rules were pushed out in a heavy-handed way to others who thought the country’s cybersecurity protections for critical industries continue to be dangerously lax. US Rep. Jim Langevin — co-founder of the Congressional Cybersecurity Caucus and a commissioner of Congress’ Cyberspace Solarium Commission — slammed the letter, taking particular issue with the idea that the country’s repeated cybersecurity failings are not an immediate threat. “My Republican colleagues need to get their heads out of the sand if they think ransomware and other cyber intrusions do not represent an ‘immediate threat,’” Langevin told ZDNet. “These new TSA regulations will require rail and airport operators to create incident response plans, which they already should be doing. The American people rely on these operators, so CISA needs to know when they’ve been hit by a cyber incident. These are the bare minimum regulations and are long overdue.”

    Industry experts like BreachQuest CTO Jake Williams noted that every cybersecurity regulation carries with it the possibility of creating operational issues, particularly when drafted by those without experience in the operational domain. “We don’t know what the guidance will dictate yet, so it’s hard to critique the guidance itself. However, the specific criticism levied by Sen Wicker and others is very valid,” Williams said. “The TSA is using emergency measures to enact new regulations while bypassing the normal feedback process. It is reasonably likely that without the feedback process in use that TSA will inadvertently introduce operational issues with their new regulations.”


    450 million cyberattacks attempted on Japan Olympics infrastructure: NTT

    The NTT Corporation, which provided wide-ranging telecommunications services and network security for the Olympic & Paralympic Games in Tokyo this summer, said there were more than 450 million attempted cyberattacks during the event in July. NTT officials said none of the attacks were successful and added that the games went on without a hitch. But the number of attacks was 2.5x the number seen during the 2012 London Summer Olympics.

    NTT’s Andrea MacLean compared the cybersecurity struggle to Harry Potter’s final fight against Voldemort, calling the effort to protect the event “Herculean.” “Cybercriminals certainly saw the Games — and its related supply chain — as a high-value target with low downtime tolerance. After all, crime follows opportunity. And with connected stadiums, fan engagement platforms and complete digital replicas of sporting venues and the events themselves becoming the norm, there’s plenty of IT infrastructure and data to target — and via a multitude of components,” MacLean said. She explained that NTT’s approach to protecting the event included “ongoing threat intelligence monitoring and analysis, SOC services, a complete security solutions package and an expert team of over 200 cybersecurity specialists.”

    MacLean said that among the 450 million attacks, NTT saw the Emotet malware, email spoofing and phishing as well as fake websites made to look like they were associated with the Olympics. “Sporting events like the Olympic Games, the Tour de France, and the Indy 500, for example, are the definition of real-time environments,” MacLean said. “Once begun, there is no room for down-time. And with a highly distributed team and limited physical presence, agile technologies that can respond to any threats are critical.”

    NTT provided a full report on the games, noting that it provided both communication services for operating the Games and a broadcasting network to connect Games venues with the Tokyo Big Sight, which served as the International Broadcast Centre. “NTT built LAN for the venues, including the 43 Games venues, IBC, the Main Press Center and the Olympic Village, providing various communication services including distributing videos and land lines to associates. All Games venues were turned to 5G mobile networks, whose commercial services had started in 2020 in Japan, to offer mobile phone services,” NTT said, adding that it had a total of 10,000 employees supporting the event. “During the Games, unauthorized communications targeting vulnerabilities in terminals were observed, but NTT responded by blocking the communications.”

    NTT said it held multiple cybersecurity training programs and ran simulations ahead of the event to prepare its cybersecurity team. In its advance report released before the Games, NTT predicted that it would face nation-state cyberattacks, ransomware attacks and disinformation attacks, some of which may come from Russian, North Korean and Chinese state-sponsored threat actors. It noted that cybercriminals were likely to deploy Distributed Denial of Service (DDoS) attacks, ransomware attacks or attacks against critical infrastructure.

    The FBI released a private industry alert before the Games, urging organizations working with the Tokyo 2020 Summer Olympics to prepare for a wave of “DDoS attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics.” The notice went on to reference the Pyeongchang cyberattack that took place during the previous Olympics in February 2018, where Russian hackers deployed the OlympicDestroyer malware and damaged web servers during the opening ceremony. The hackers “obfuscated the true source of the malware by emulating code used by a North Korean group, creating the potential for misattribution,” according to the notice. In October 2020, the Justice Department indicted six Russian intelligence operatives for the attack on the Pyeongchang Games.


    US rolls out new rules governing export of hacking, cyberdefense tools

    The US Commerce Department has released new rules designed to stop companies from selling hacking tools to China, Russia and other countries that may use them for nefarious purposes. The new rules, which come into effect in 90 days and were pushed by the department’s Bureau of Industry and Security (BIS), govern the “export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.” Companies would be barred from selling some technology to certain countries without a specific license from BIS.

    US Secretary of Commerce Gina Raimondo said in a statement that the US is “committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights.” “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities,” Raimondo said.

    The rule additionally establishes a new License Exception Authorized Cybersecurity Exports (ACE), on which the department is now seeking public comment. The Commerce Department is looking for outside experts to let it know how the rule will impact US companies and the wider cybersecurity community. The department explained in a statement that the exception would “allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern.” Any country currently under a US arms embargo will need a license to receive certain technology.

    “Furthermore, the License Exception ACE would impose an end-use restriction in circumstances where the exporter, re-exporter, or transferor knows or has reason to know at the time of export, reexport, or transfer (in-country), including a deemed export or reexport, that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems),” the Commerce Department explained. The department noted that the rule is in line with the Wassenaar Arrangement — which voluntarily governs the export policies of 42 different countries around “military and dual-use technologies.” The US is one of the last countries that is part of the Wassenaar Arrangement to pass rules like this. China and Israel are not members of the Wassenaar Arrangement but Russia is.

    The rules come after international outcry over a series of revelations about US experts and technology being used by repressive dictatorships. The US heavily fined three former NSA officials last month for providing the UAE with a slate of powerful hacking tools. The three former US intelligence officials were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians and dissidents opposed to the government. The three even hacked into US companies, creating two exploits that were used to break into smartphones. Israeli officials continue to face backlash due to the tools provided by the NSO Group, a private company selling powerful spyware to dictatorships and cybercriminal groups. The Washington Post was the first to report on the new rules from the Commerce Department, noting that the rules were specifically targeting companies that sell to Russia and China.

    The rule is complicated because of specific carve-outs meant to appease cybersecurity researchers who have long complained that the potential rules would make it difficult for them to share defensive information with others abroad. One of the thorniest issues holding up the rule for years was the sale of penetration testing tools, which will be allowed without a license for certain countries but not for others. Jonathan Reiber, who previously served as the chief strategy officer for cyber policy in the Office of the US Secretary of Defense during the Obama administration, said it took a long time to put the rules in place because the government had to weigh the potential costs and benefits of any export control. “It’s not just time for deliberation within US government agencies and with Congress, but between the government, private industry and the research community. If you take a look at the rule itself and imagine the number of lawyers in various agencies that have to agree to the language before a rule can emerge publicly, you can begin to get a sense for why export control reform is a slow process,” Reiber said. “The Wassenaar Arrangement has been in place for decades, and as it matured over the last eleven years through the export control reform process, informing states’ adoption of the controls within it, there were legitimate questions raised about how a potential export control could negatively impact the development and use of testing software intended to improve cybersecurity.”

    Reiber said this question was a hard one to solve because the export control reform process has to keep two principles in balance: refraining from negatively impacting industry innovation while also controlling for the negative scenarios that may arise from the proliferation of a potentially dangerous weapon or dual-use technology. “Recent disclosures made crystal clear the risks that the proliferation of such software can pose, particularly for targeted individuals, dissident groups, and vulnerable populations that live at the mercy of oppressive regimes,” Reiber added. “These events certainly may have accelerated the rules’ development.”

    Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said he does not foresee these rules having a significant impact on the overall offensive capabilities of many countries, for several reasons. Some of the biggest purveyors of such software are based outside the US, where the regulation may not affect them, he explained, adding that many of the most commonly used tools are open source. The open source nature of certain tools makes it unclear how these rules will impact their distribution. “Even if common open-source hosting organizations such as GitHub or GitLab were to enact GeoIP restrictions on the download of such designated intrusion software, it would seem trivial for a banned nation to simply VPN through a common VPN provider to bypass such restrictions,” Clements said. “Finally, it is often the case that actors in these jurisdictions make use of pirated versions of commercial tools, bypassing the need to acquire the software legitimately altogether.”


    Microsoft announces security programs for nonprofits as nation-state attacks increase

    Microsoft unveiled a new suite of tools on Thursday built to protect nonprofits as threats against philanthropic organizations globally have skyrocketed, particularly from nation-states. The Microsoft Security Program for Nonprofits has three components: free access to the AccountGuard program, free security assessments and free training pathways for IT administrators and end-users.

    Justin Spelhaug, vice president of Microsoft Tech for Social Impact, and Flora Muglia, business strategy manager for Microsoft Tech for Social Impact, told ZDNet that the company’s goal is to sign up 10,000 nonprofit organizations in the next year and 50,000 organizations over the next three years. Spelhaug said the company was interested in creating the program because nonprofits have become the second most targeted industry by nation-state attacks. “31% of all nation-state notifications that we send out to organizations go to nonprofits. These are organizations that are human rights organizations, think-tanks, organizations with sensitive information that nation-states want to get their hands on,” Spelhaug said. “Cybersecurity threats are on the rise, and most nonprofit organizations do not have the same advanced network security protocols or resources or security models that a well-funded private corporation might have. 70% of nonprofit organizations haven’t conducted a vulnerability assessment, 80%, based on our research, don’t have a cybersecurity strategy in place. And that just makes cybersecurity threats more of a reality each and every day. The attacks are becoming more sophisticated.”

    He specifically mentioned Microsoft’s warning in May that the Russian-backed group Nobelium was conducting a wide-ranging phishing campaign after it managed to take control of the account used by USAID on the email marketing platform Constant Contact. The attack targeted roughly 3,000 accounts at more than 150 organizations. At least a quarter of those involved work in international development, human rights and humanitarian work. “The sector is at a critical junction because we’ve all gone digital. The pandemic has made us all go even more digital, and threat vectors are increasing. Unfortunately, nonprofits are being targeted, and we need to do something about it. And that’s why we built this program,” Spelhaug said.

    Data from Microsoft shows that NGOs received 23% of all notifications from 2018 to 2021. These organizations are typically considered attractive targets for nation-state actors because they carry information about political views and loyalty to parties or individual political candidates. In a recent survey, 21% of North American foundations reported a security breach in the preceding two years, with ransomware attacks as the largest single cause (38%), Microsoft said, adding that the average cost of a security incident in the nonprofit sector is $77,000, with the current average cost of a data breach overall being $4.24 million, 10% higher than the average cost in 2019.

    Muglia said the program will also help organizations that need to comply with certain rules for cybersecurity insurance and assist in finding where their gaps might be. Muglia explained that the free security assessments will help organizations better understand their risk profiles and their vulnerabilities in their existing endpoints, identity access, infrastructure, network, and data, with the objective of “supporting and prioritizing an immediate action and remediation plan to better protect their environment from any imminent risk with support from its partner ecosystem.” The AccountGuard tool identifies when Office 365 organizational domains or Outlook and Hotmail personal domains are targeted or compromised by nation-state actors, letting organizations know before it’s too late.

    “Microsoft has cultivated training pathways to streamline the top-recommended training for nonprofits, regardless of role. Employees from any background will be able to learn the latest strategies to protect themselves from online scams and attacks and work from home more securely,” Spelhaug noted. Muglia added that ahead of the announcement on Thursday, a few hundred organizations signed up for the AccountGuard part of the program when it went live in many organizations’ Microsoft portals on September 26. “Most nonprofit organizations do not have large IT teams. They do not have in-depth security specialists, and they do not have consulting firms guiding their every action to protect their data and they often are federated, meaning they have disparate IT systems and different environments under the same organization,” Spelhaug said. “There’s a lot of work to be done in this industry. Every online NGO has donors, funders and beneficiaries. They have important information to protect, and our technology and the offers that we’re providing scale down to small organizations.”

    As an example, Spelhaug shared the story of the International Rescue Committee (IRC) groups working in Afghanistan. He said they are one of the few organizations that stayed behind to help with the humanitarian situation caused by the change of government. As an organization working with dozens of different ethnic groups and vulnerable populations, they needed to protect their data. “It was critical for the IRC to get the right information security technology in place to protect the data of their staff members so that it did not fall into Taliban hands and be used for purposes of persecution, effectively allowing them to identify different ethnic and religious groups to do bad things,” Spelhaug said. “We mobilized immediately, and we’ve deployed our endpoint protection capabilities as well as some advanced security capabilities with IRC in an effort to protect the staff. But just as importantly, to protect the beneficiaries they serve in Afghanistan.”


    Palo Alto warns of BEC-as-a-service

    Business email compromise (BEC) continues to cost victims thousands — and sometimes millions — of dollars, according to a new report from Palo Alto Networks’ threat research group Unit 42.The security team pored through hundreds of BEC cases, finding the average wire fraud attempted was $567,000, and the highest was $6 million. Among the hundreds of BEC cases Unit 42 tackled since the beginning of last year, researchers found that 89% of victims failed to turn on multi-factor authentication or follow best practices for its implementation.The FBI often cites BEC as one of the most lucrative cybercrimes, and the law enforcement agency reported last year that it led to $1.87 billion in losses. According to Palo Alto researchers, victims typically want to avoid reputational harm and often don’t go public, which has made BEC a relatively silent threat.Unit 42 said its security consultants spend thousands of hours on BEC investigations, “combing through logs to identify unauthorized activity, determine how unauthorized access occurred and find security gaps that need to be addressed.””Attackers targeted hundreds of employees at an insurance company with phishing emails. These emails led to an attempt to get login credentials through spoofed Microsoft 365 email login pages that looked identical to legitimate ones set up by that firm. The attackers succeeded in gaining access to a few of those accounts, which belonged to employees who hadn’t set up MFA, which led in turn to gaining access to sensitive data on an internal Sharepoint site,” wrote Unit 42 researchers Jenna Garbett and Sama Manchanda. “Attackers gained access to the email accounts of two employees at one client organization that failed to disable legacy authentication for synchronizing email boxes via IMAP4 and POP3. That gave the threat actors access to everything in both mailboxes for over a month, enabling them to collect personally identifiable information (PII) from the victims’ contacts. 
This is one of the most common ways of bypassing MFA, especially in hybrid environments that have legitimate use for legacy protocols.”The researchers provided other examples, including one involving threat actors who “compromised multiple users at a job placement agency, then used those accounts to circulate job postings that asked recipients to provide personal data.” 

    The two researchers added that the attackers set up inbox rules that moved all responses to hidden folders and forwarded them to an external account. They noted in the blog that most of the top email platforms, including Microsoft 365 and Exchange as well as Google Workspace, offer multiple options for implementing MFA, making it difficult to understand why so many BEC victims fail to enable it.

    But sometimes, even MFA isn’t enough. Unit 42 shared the story of one executive at a US financial services firm who relies on a widely used MFA mobile app to protect his email, customer files and other sensitive data. “His iPhone kept pinging him with MFA requests to access his email, interrupting him on a day packed with customer meetings. He was annoyed by the intrusion, figuring it was some kind of system error, and rejected each request so he could focus on work. He thought it was over when the requests stopped,” Garbett and Manchanda wrote. “Months later, however, he learned he had mistakenly authorized one of those many requests, unknowingly granting an attacker unfettered access to his email. He learned about the compromise when his bank flagged suspicious wire transfers totalling nearly $1 million, and our investigation uncovered the exposure of data belonging to the company, its employees and clients.”

    The blog post notes that the company was able to recover the stolen funds, but that in many cases incidents like this are costly from a reputational standpoint and in the time and resources needed to rectify the situation.

    Jen Miller-Osborn, deputy director of threat intelligence for Unit 42, told ZDNet that the team initially set out to look into ransomware to see how much it has grown, and that effort led them to look deeper into their BEC work because the amount of money lost is “orders of magnitude higher than ransomware.”

    “It’s something that is little understood and tends to not get as much press. Everyone talks about ransomware now, there’s a lot more awareness around it. But BEC is still flying under the radar even though it is the type of attack that costs businesses the most amount of money, bar none. It’s the highest,” Miller-Osborn said. “Similar to ransomware, we’re seeing an increasing number of attackers getting into BEC, and we’re also seeing it mature into — like Ransomware-as-a-service — BEC-as-a-service. They’re becoming more tech-savvy. They’ve been in the commodity space and are starting to include publicly disclosed vulnerabilities. They’re becoming more professional.”

    BEC scammers are now prolific at mining LinkedIn and other sites for information that can help further their scams. She explained that education, more stringent MFA, legacy authentication controls, network protections, account permissions, audit logging and event monitoring are some of the ways organizations and people can protect themselves from BEC.

    “With everyone working remotely, there are people who may not have gotten into BEC before who now, just like ransomware, have decided to shift into it to make money. And I think the issues that we see with how difficult it is to stop these ransomware campaigns effectively also point to how difficult it is for BEC, or even harder, because BEC involves a lot of social engineering components that you don’t typically see with other attacks,” she said. “They’ll actually get on the phone and call people and try to get them to do things. They have money mules in other countries to help them move the money around. It’s a lot more people-based, and in many cases, a lot of BEC scams don’t involve any malware, so there’s nothing that you could have seen. Nothing malicious attached to phishing emails. There was nothing a firewall or endpoint could have detected.”
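    The three patterns in the Unit 42 account above (a legacy-protocol sign-in that never reaches an MFA prompt, inbox rules that hide replies and forward them outside the tenant, and a push-fatigue approval after a run of denials) all leave traces in the audit logging and event monitoring Miller-Osborn lists. The following is an added example, not Unit 42's or Microsoft's code, that runs each check over constructed, simplified Microsoft 365-style records. The field names (`clientAppUsed`, `authenticationRequirement`, `Operation`, `Parameters`), the tenant domain `example.com` and every sample event are assumptions for the demonstration; real exports are nested JSON with many more fields.

```python
"""Detection logic for three BEC signals, run over constructed Microsoft 365-style
records (simplified field names; real exports are richer and nested).
Added example, not Unit 42 or Microsoft tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"          # assumed tenant domain
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}
FORWARD_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_KEYS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}


def legacy_single_factor(signins):
    """Successful sign-ins over a legacy protocol that finished with one factor.
    These clients cannot answer an interactive MFA challenge, so if the tenant
    still lets them authenticate, a phished password alone is enough."""
    return [(s["user"], s["clientAppUsed"], s["ip"]) for s in signins
            if s["status"] == "Success"
            and s["clientAppUsed"] in LEGACY_CLIENTS
            and s["authenticationRequirement"] == "singleFactorAuthentication"]


def suspicious_inbox_rules(audit):
    """New-InboxRule / Set-InboxRule that send mail outside the tenant; hiding
    actions (move, delete, mark read) are recorded as corroboration, since a
    rule that only files mail into a folder is common and usually benign."""
    findings = []
    for rec in audit:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        external = [v for k, v in params.items() if k in FORWARD_KEYS
                    and not v.lower().endswith("@" + INTERNAL_DOMAIN)]
        hides = sorted(HIDE_KEYS & set(params))
        if external:
            findings.append({"user": rec["UserId"], "forwards_to": external,
                             "hides_with": hides,
                             "severity": "high" if hides else "medium"})
    return findings


def mfa_fatigue(signins, window=timedelta(minutes=15), min_denied=3):
    """An approval preceded by several denied push prompts for the same user
    within `window`: the 'accidentally approved' outcome from the story above.
    (The simplified `mfaResult` field stands in for the failure/success pair a
    real sign-in log records for each prompt.)"""
    by_user = defaultdict(list)
    for s in signins:
        if s.get("mfaResult") in ("denied", "approved"):
            by_user[s["user"]].append(s)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for i, ev in enumerate(events):
            if ev["mfaResult"] != "approved":
                continue
            denied = sum(1 for e in events[:i] if e["mfaResult"] == "denied"
                         and ev["time"] - e["time"] <= window)
            if denied >= min_denied:
                findings.append((user, denied, ev["ip"]))
    return findings


# --- constructed sample data (not real telemetry) -----------------------------
def t(minute):
    return datetime(2021, 10, 20, 9, minute)


SIGNINS = [
    {"user": "cfo@example.com", "time": t(0), "ip": "203.0.113.7", "status": "Success",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication"},
    {"user": "cfo@example.com", "time": t(1), "ip": "198.51.100.2", "status": "Success",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication"},
] + [
    {"user": "exec@example.com", "time": t(m), "ip": "203.0.113.9", "status": "Failure",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "mfaResult": "denied"} for m in (10, 11, 13, 14)
] + [
    {"user": "exec@example.com", "time": t(16), "ip": "203.0.113.9", "status": "Success",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "mfaResult": "approved"},
]

AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "recruiter@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "resume;application"},
        {"Name": "ForwardTo", "Value": "hr.intake@mail-example.net"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "Vendors"},
        {"Name": "MoveToFolder", "Value": "Vendors"}]},
]

if __name__ == "__main__":
    print(legacy_single_factor(SIGNINS))
    print(suspicious_inbox_rules(AUDIT))
    print(mfa_fatigue(SIGNINS))
```

    The thresholds (three denials within fifteen minutes) are starting points to tune against your own prompt volume. The rule check deliberately flags any forward outside the tenant and uses the hiding actions only to raise severity; the one-character rule name in the sample is also typical of rules created through a compromised session rather than by the mailbox owner.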

  • in

    Google disrupts massive phishing and malware campaign

    Google has blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams. According to Google’s Threat Analysis Group (TAG), since late 2019 it has been disrupting phishing campaigns run by a network of hack-for-hire contractors recruited on a Russian-speaking forum, who have been targeting YouTubers with “highly customized” phishing emails and cookie-stealing malware.

    The main goal of the group has been to hijack YouTube accounts to live-stream scams that offer free cryptocurrency in exchange for an initial contribution. The group’s other main revenue source was selling hijacked YouTube channels for $3 to $4,000 each, depending on how many subscribers a channel has. Since May 2021, Google says it has blocked 1.6 million messages to targets, displayed 62,000 Safe Browsing phishing alerts, and restored around 4,000 hijacked accounts.

    The phishing emails delivered malware designed to steal session cookies from browsers. The “pass-the-cookie” attack is not new, but it is effective: it does not defeat the multi-factor authentication (MFA) challenge itself, it sidesteps it. The cookie is stolen after the user has already authenticated with both factors, such as a password and a smartphone prompt, and the service then treats whoever presents that cookie as the authenticated user, so enabling MFA on the account does not stop it. Once the malware executes, the cookie is uploaded to the attacker’s servers for account hijacking. “Its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” TAG analyst Ashley Shen explains.
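    To make the cookie-theft point concrete, here is an added example (not Google's, TAG's or the campaign's code) that models a web service in plain Python: login requires a password and an RFC 6238 TOTP code, yet every later request is authorised by the session cookie alone, so a copy of that cookie lifted from the browser's cookie store is as good as the login. A hardened variant binds the session to the client context and re-checks the second factor for sensitive actions. The user name, password, TOTP seed, IP addresses and user agents are constructed values.

```python
"""Pass-the-cookie modelled end to end (added example, not Google's or TAG's code).
A server checks password plus TOTP and then issues a bearer session cookie.
Malware that reads that cookie from the browser's cookie store is accepted on
every later request without ever seeing an MFA prompt.  The hardened variant
binds the session to the client context and re-checks the second factor for
sensitive actions, which shrinks, but does not remove, what a stolen cookie buys."""
import hashlib
import hmac
import secrets
import struct

SEED = b"constructed-totp-seed"   # constructed; the victim's enrolled authenticator secret


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; stands in for the smartphone factor."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def context_fingerprint(ctx):
    """ctx = (client IP, User-Agent). Real deployments key on something coarser
    than the exact IP (prefix or ASN) so mobile users are not logged out."""
    return hashlib.sha256("|".join(ctx).encode()).hexdigest()


class Server:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        # Unsalted SHA-256 is only a stand-in for a real password hash here.
        self.users = {"creator": {"pw": hashlib.sha256(b"correct horse").digest(),
                                  "seed": SEED}}
        self.sessions = {}   # cookie value -> {"user": ..., "ctx": fingerprint}

    def login(self, user, password, code, ctx, now):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(
                hashlib.sha256(password.encode()).digest(), u["pw"]):
            return None
        if not hmac.compare_digest(code, totp(u["seed"], now)):
            return None                      # second factor failed
        cookie = secrets.token_urlsafe(32)   # random bearer token
        self.sessions[cookie] = {"user": user, "ctx": context_fingerprint(ctx)}
        return cookie

    def request(self, cookie, ctx, sensitive=False, code=None, now=0.0):
        s = self.sessions.get(cookie)
        if s is None:
            return "401 no session"
        if self.hardened and s["ctx"] != context_fingerprint(ctx):
            del self.sessions[cookie]        # treat as theft: revoke, don't just deny
            return "401 context mismatch, session revoked"
        if self.hardened and sensitive:
            seed = self.users[s["user"]]["seed"]
            if code is None or not hmac.compare_digest(code, totp(seed, now)):
                return "403 step-up authentication required"
        return f"200 ok as {s['user']}"


def demo(hardened: bool):
    """Victim logs in with both factors; malware lifts the cookie; attacker replays it."""
    srv = Server(hardened)
    victim = ("198.51.100.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/94")   # constructed
    attacker = ("203.0.113.50", "python-requests/2.26")                      # constructed
    now = 1_634_700_000.0
    cookie = srv.login("creator", "correct horse", totp(SEED, now), victim, now)
    assert cookie is not None
    # Everything below uses only the cookie: no password, no OTP, no prompt.
    return {
        "victim_browse": srv.request(cookie, victim, now=now),
        "victim_sensitive": srv.request(cookie, victim, sensitive=True,
                                        code=totp(SEED, now), now=now),
        "attacker_browse": srv.request(cookie, attacker, now=now),
        "attacker_sensitive": srv.request(cookie, attacker, sensitive=True, now=now),
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "plain", demo(hardened))
```

    Context binding is defence in depth, not a fix: an attacker who proxies through the victim's machine, or matches its user agent and network, defeats a naive fingerprint, and exact-IP binding logs out mobile users, which is why the fingerprint comment suggests something coarser. Short session lifetimes, step-up authentication for the actions that matter (changing the recovery address, starting a live stream, transferring channel ownership) and revoking a session the moment it is presented from an inconsistent context are what cut the value of a stolen cookie.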

    Google attributed the campaign to a group of “hack-for-hire” actors “recruited in a Russian-speaking forum”. The contractors lure targets with fake business opportunities, such as the chance to monetize a demo for antivirus software, a VPN, music players, photo-editing software or online games. Once the malware has run, the attackers hijack the YouTube channel and either sell it or use it to live-stream cryptocurrency scams.

    It’s easy for the hackers to acquire a target’s email address, since YouTubers often post it on their channel hoping for business opportunities just like the ones the phishing attackers offer. “Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically,” notes Shen. Google has also identified 1,011 domains that were created for malware delivery. The domains impersonated well-known tech sites, including Luminar, Cisco VPN and games on Steam. Shen notes these contractors run the cookie-stealing malware in non-persistent mode to lower the chance of security products alerting the user to a past compromise.

  • in

    US judge sentences duo for roles in running bulletproof hosting service

    A US judge has sentenced two Eastern European men for operating a bulletproof hosting service leveraged by cybercriminals to deploy malware.

    On Wednesday, the US Department of Justice (DoJ) said that Pavel Stassi and Aleksandr Skorodumov, of Estonia and Lithuania, have now been jailed for 24 months and 48 months, respectively. The 30- and 33-year-old duo were accused of providing online hosting services known as bulletproof, a popular option for cybercriminals who need a host that will turn a blind eye to criminal activity. Bulletproof hosting providers, often found on the Dark Web, may host malware, explicit abuse material, or e-commerce platforms offering illegal wares such as criminal hacking tools, drugs, and weaponry. In this case, the bulletproof host was used to store malware payloads including Zeus, SpyEye, Citadel, and the Blackhole exploit kit. The DoJ says that between 2009 and 2015, Stassi and Skorodumov, together with co-defendants Aleksandr Grichishkin and Andrei Skvortsov from Russia, rented servers and domains to threat actors. The infrastructure was used to host malware utilized in campaigns against financial institutions and other victims, leading to the theft and attempted theft of “millions of dollars” in the United States alone. The bulletproof host was also used in the creation of botnets.

    Skorodumov acted as a lead system administrator who also provided technical support to customers. Stassi was involved in general admin tasks and marketing, and would use either stolen or false information to register web hosts and to open financial accounts for the scheme. Grichishkin and Skvortsov were founding members and day-to-day managers. “The defendants also helped their clients evade detection by law enforcement and continue their crimes uninterrupted by monitoring sites used to blocklist technical infrastructure used for crime, moving ‘flagged’ content to new infrastructure, and registering all such infrastructure under false or stolen identities,” the DoJ says. All four suspects pleaded guilty to one count of Racketeer Influenced and Corrupt Organizations (RICO) conspiracy at the US District Court in the Eastern District of Michigan. Grichishkin and Skvortsov are awaiting sentencing and may face far higher penalties of up to 20 years behind bars each. “Over the course of many years, the defendants facilitated the transnational criminal activity of a vast network of cybercriminals throughout the world by providing them a safe haven to anonymize their criminal activity,” commented Special Agent in Charge Timothy Waters of the FBI’s Detroit Field Office. “Cybercriminals may believe they are beyond the reach of the FBI and our international partners, but today’s proceeding proves that anyone who facilitates or profits from criminal cyber activity will be brought to justice.”