More stories

    Card Broken: 1000 arrests made in Chinese crackdown on fraud, cryptocurrency laundering

    Chinese law enforcement has made over 1,100 arrests in a nationwide crackdown on telecoms and banking fraud.

    The Ministry of Public Security announced the operation on June 9. Dubbed “Card Broken,” it aims to dismantle criminal gangs conducting cybercriminal activities, and in particular telecommunications network fraud: the sale of phone cards and payment cards, and of money laundering services, both within China and across borders.

    The ministry specifically notes the role of “coin farmers,” accomplices or members of criminal groups who launder money through cryptocurrency to avoid the scrutiny of law enforcement in the country. Coin farmers would allegedly sign up for different cryptocurrency exchanges and set up personal accounts. They would then buy or sell cryptocurrency on their handler’s instructions, using funds issued to them, and the virtual currency would be sent on to wallets controlled by gang members and designated elsewhere. In return, coin farmers would receive a commission of between 1.5% and 5%.

    “The high illegal income attracts a large number of people to participate, causing serious social harm,” the ministry says.

    Now in its fifth leg, the operation homed in on the criminal chains behind these activities, breaking up at least 170 allegedly criminal groups. Action has been taken by law enforcement in provinces including Beijing, Hebei, and Shanxi. In total, Card Broken has resulted in the dismantling of roughly 15,000 gangs and the arrest of 311,000 individuals suspected of involvement, according to the ministry.

    China has taken a tough stance on cryptocurrency, outlawing exchanges and warning that trading disrupts “economic and financial order.” While individuals are still allowed to own cryptocurrency assets, three state-backed financial authorities recently issued a joint warning reminding citizens that cryptocurrency cannot play a part in Chinese financial activities.

    Feds strike Slilpp, a marketplace for flogging initial access credentials

    Law enforcement has seized one of the largest marketplaces for selling stolen account credentials. 

    The website’s infrastructure has been taken over by police, according to the US Department of Justice (DoJ). A seizure warrant affidavit unsealed on Thursday outlined Slilpp’s past activities. In operation since at least 2012, the marketplace, with domains on both the clear web and the dark web, offered stolen credentials for services including PayPal, Wells Fargo, Amazon, Chase, Capital One, and more. These included usernames and passwords, mobile phone accounts, and e-commerce accounts.

    The DoJ says that over 80 million credentials from over 1,400 victim organizations worldwide were available for purchase. Law enforcement from the US, Germany, the Netherlands, and Romania took part in the confiscation of the servers supporting the platform’s infrastructure and of various domain names.

    Slilpp buyers would allegedly use these credentials to commit banking theft and fraud, such as wire transfers from victims’ accounts to accounts they controlled.

    “To date, over a dozen individuals have been charged or arrested by US law enforcement in connection with the Slilpp marketplace,” the DoJ says.

    According to Acting Assistant Attorney General Nicholas McQuaid, Slilpp allegedly caused “hundreds of millions of dollars in losses to victims worldwide,” and at least $200,000 in losses in the US alone. However, the “full extent” of the marketplace’s role in the credential theft economy is “not known.”

    “The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located,” McQuaid commented.

    Google ends push for Chrome address bar to only show domain name

    Farewell, not so sweet prince. (Image: Google)
    Google has reversed course and ended its experiment to show Chrome users only the domain name of the site they are on. Kicked off in August, the experiment randomly assigned users to an address bar that hid the rest of the URL, to test whether seeing the domain alone helped users spot phishing sites. “Delete simplified domain experiment,” Google engineer Emily Stark wrote in a Chromium commit. “This experiment didn’t move relevant security metrics, so we’re not going to launch it. :(”

    Separately, starting with Chrome 90, if a user does not specify the protocol when typing an address, Chrome tries HTTPS first before falling back to HTTP.

    Earlier this week, Android Police spotted that Google had killed off its augmented reality Measure app. Heading to its listing without being signed into an account that has the app installed returns a “Not Found” error, while users who previously installed it can continue to see its listing page. “This app is no longer supported and will not be updated,” the page states. “Users who previously installed this app can continue to use it on compatible devices.”
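    The security idea behind the experiment was that the registrable domain is the only part of a URL an attacker cannot forge, so showing nothing else should make lookalike hosts and path tricks stand out. The following added example (not Chrome's code) shows what a "simplified domain" address bar would have displayed, next to the full hostname, for a few constructed phishing-style URLs. Chrome derives the registrable domain from the Public Suffix List; the tiny PUBLIC_SUFFIXES set here is a hand-written stand-in, an assumption so the example runs offline, and none of the sample hosts is real.

```python
"""Added example (not Chrome's code): the "simplified domain" view of a URL
next to the full hostname, for constructed phishing-style URLs."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: a miniature stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "com.au"}

# Constructed sample URLs; none of these hosts is real.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.login-secure.example/signin",
    "https://login-secure.example/accounts.google.com/signin",
    "https://www.google.co.uk/",
]


def registrable_domain(hostname: str) -> str:
    """Return eTLD+1 for a hostname, e.g. 'login-secure.example' for
    'accounts.google.com.login-secure.example'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first; the label just before the
    # matching suffix is the registrable label.
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def simplified_view(url: str) -> str:
    """The text the experimental address bar would have displayed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return registrable_domain(parts.hostname)


def spoofs_brand(url: str, brand_domain: str) -> bool:
    """True when the brand's domain appears somewhere in the URL (as a
    subdomain prefix or in the path) but the registrable domain is not the
    brand's own."""
    parts = urlsplit(url)
    haystack = f"{(parts.hostname or '').lower()}{parts.path.lower()}"
    return brand_domain.lower() in haystack and simplified_view(url) != brand_domain.lower()


def audit(urls: List[str], brand_domain: str) -> List[Tuple[str, str, bool]]:
    """(full hostname, simplified view, looks like a brand spoof) per URL."""
    return [(urlsplit(u).hostname, simplified_view(u), spoofs_brand(u, brand_domain))
            for u in urls]


if __name__ == "__main__":
    for host, simplified, spoof in audit(SAMPLE_URLS, "google.com"):
        print(f"{'SPOOF ' if spoof else '      '}{host:50} -> {simplified}")
```

    Run as a script, the second and third sample URLs are flagged: the full hostname or path contains the brand, but the simplified view collapses to the attacker's registrable domain, which is exactly the signal the experiment was trying to surface.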

    China passes new laws to hit back at foreign sanctions

    Lawmakers in Beijing have enacted laws banning people from complying with foreign sanctions against China. The new laws were passed against the backdrop of the US and EU continuing to prohibit companies from working with Chinese companies over issues ranging from human rights to military and technology concerns. Passage of the new legislation means that multinational companies with any presence in China must now navigate China’s sanctions along with those issued by Western countries. The new laws give Beijing powers to target companies involved in implementing foreign sanctions by seizing their assets, prohibiting or restricting transactions, and denying or cancelling visas. The ban extends to company employees as well, and even to the spouses and immediate family members of certain individuals on the newly created “counter control” list established as part of the laws.

    On the same day, China’s lawmakers also passed new data security laws that strengthen the government’s control over digital information. Although the full text of the newly passed laws has not been released yet, they will provide a broad framework for future rules on internet services, such as how certain types of data must be stored and handled locally.

    Since the new year, Beijing has been cracking down on how tech companies operate, which has led to Alibaba being fined $2.7 billion, Ant Group becoming a financial holding company overseen by China’s central bank as part of efforts to appease regulatory concerns, and 33 mobile apps being called out for collecting more user data than regulators deemed necessary for the services offered. China’s internet regulator, the Cyberspace Administration of China (CAC), in March also released regulations that prohibit mobile app developers from refusing basic services to consumers who decline to provide personal data that is unnecessary for the provision of those services.

    Hackers selling access to FIFA matchmaking servers and other games after EA attack

    Gaming giant Electronic Arts has been hacked and the attackers are now selling access to the company’s games and servers, according to screenshots of underground hacking forums obtained by Motherboard. Messages found on the forums indicate the attackers took 780 GB of data from the company and have full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, the engine that powers EA’s most popular games, including Battlefield, FIFA, and Madden.

    “You have full capability of exploiting on all EA services,” one attacker’s message said, noting that there are hundreds of millions of registered EA users around the world and nearly nine million FIFA users. The messages included samples of what was stolen and indicate that the attackers are selling the batch of data and access for $28 million.

    In a statement to ZDNet, an EA spokesperson said it was not a ransomware attack and claimed a “limited amount of game source code and related tools were stolen” during the attack. The company said it does not expect any impact to its games or business. “No player data was accessed, and we have no reason to believe there is any risk to player privacy,” the EA spokesperson said. “We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”

    The cyber research and intelligence team at BlackBerry shared screenshots with ZDNet of the notes from someone behind the attack.
    Eric Milam, vice president of Research and Intelligence at BlackBerry, said EA was probably targeted because “saying you hacked EA is like saying you hacked Blizzard.” With the source code of multiple video games, the attackers could compile and sell a game before it comes out, as well as add their own backdoors to certain games. Something like this would “give them access to a lot of computers.”

    “Source code allows for review of everything that’s there without the need to reverse engineer. The source code could also help them understand the type of security around information and payment exchanges,” Milam said. “The source code could contain hardcoded credentials, keys, etc which can be used elsewhere or allow additional remote code capabilities.”

    EA is far from the first gaming company to be hacked: both Capcom and CD Projekt suffered attacks in the last year. CD Projekt disclosed a ransomware attack in February, and Capcom announced a hack in November that is now having far-reaching legal consequences for the company. EA itself was hacked in 2011 and had to deal with a slate of vulnerabilities discovered in 2019.

    Rajiv Pimplaskar, chief risk officer for cybersecurity company Veridium, said that, as with Capcom, there could be several downstream consequences such as loss of customer account credentials, biographic data, and more, on top of the intellectual property losses. “EA makes over $2.7 billion from microtransactions or in-game purchasing. App developers today have a higher responsibility to protect consumers and need to increasingly incorporate digital identity, authentication and privacy measures at a code level for improving cyber defense and mitigating fallout from such forms of theft,” Pimplaskar added.

    Erich Kron, security awareness advocate at KnowBe4, told ZDNet it was strange that the attackers did not attempt to ransom the data back to EA before selling it on the open market. He noted that the proprietary information in the leak may be valuable to competitors, or may include information or vulnerabilities that could be used in future attacks against EA products or customers with EA games installed. Many experts added that the theft of game source code was particularly damaging for a company like EA, which has popular brands including FIFA, Madden, Battlefield, Star Wars: Jedi Fallen Order, The Sims, and Titanfall.
    “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life,” said Saryu Nayyar, CEO of Gurucul. “The heartbeat has been interrupted and there’s no telling how this attack will ultimately impact the life blood of the company’s gaming services down the line.”
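    Milam’s point about hardcoded credentials and keys in stolen source is the one practitioners can act on before a leak: scan the repository for them yourself. The following is an added example, not EA’s code and not a product of any vendor quoted above, of a minimal secret scan over a few constructed source files. The AWS key in the sample is the public documentation example key, and the detection patterns and the entropy threshold are assumptions for the demo; a real scan should use a maintained tool and rule set, but the shape of the check is the same.

```python
"""Added example: a minimal hardcoded-credential scan over constructed source.
Not EA's code; patterns and threshold are assumptions for the demo."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample "repository"; the AWS key is the public AWS docs example.
SAMPLE_FILES: Dict[str, str] = {
    "matchmaking/config.py": (
        'MATCHMAKING_HOST = "mm.internal.example"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        "DEBUG = True\n"
    ),
    "sdk/signing.c": (
        "/* embedded for convenience -- do not ship */\n"
        'static const char *PRIV = "-----BEGIN RSA PRIVATE KEY-----\\nMIIE...";\n'
    ),
    "api/client.py": (
        'api_key = "x9fL2pQ7rT4vB1nM8kZ3cY6wH0jS5dG2aE4uI7oP"\n'
        'api_url = "https://api.example/v1"\n'
    ),
    "docs/README.md": "Set API_KEY in the environment before running.\n",
}

# Fixed-format secrets have a recognisable shape; assumed patterns for the demo.
FIXED_FORMAT_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Generic secrets: a suspicious variable name assigned a long quoted value,
# confirmed by high Shannon entropy so that "password = 'changeme'" style
# placeholders do not drown the report.
ASSIGNMENT = re.compile(
    r"\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*[\"']([^\"']{16,})[\"']", re.I
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned for the demo

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in FIXED_FORMAT_RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high-entropy-assignment"))
    return findings


def scan_source(files: Dict[str, str]) -> List[Finding]:
    """Scan every file, in path order, and return all findings."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, rule in scan_source(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

    The README line that merely mentions API_KEY is not reported, and a low-entropy placeholder such as a repeated word would not be either; the three real hits are the AWS key ID, the embedded private key block, and the random-looking API key.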

    The most versatile hardware-encrypted USB flash key awarded highest FIPS validation

    At a time when data loss can be damaging to businesses, and penalties for breaching GDPR, FISMA, FERPA and HIPAA are harsh, having a way to keep information safe and secure on the move is more important than ever. The Aegis Secure Key 3NXC was first introduced in July 2020 and was the only hardware-encrypted flash key compatible with USB-C without needing a USB-A to USB-C adapter. It built on Apricorn’s Secure Key 3z and Aegis Secure Key 3NX, taking the same proven form factor and physical keypad but making it compatible with modern devices.

    Today, the drive received FIPS 140-2 Level 3 validation (certificate #3943) from NIST, certifying its use in industries and institutions such as healthcare, finance, and defense, and attesting that it complies with the most stringent data security regulations.

    The drive really is a one-stop solution. Because there are no drivers to install, it is entirely OS agnostic and at home on Windows, Linux, Mac, Android, Chrome, iPadOS on the iPad Pro, and embedded systems, as well as any other equipment with a powered USB port and a storage file system.

    AEGIS SECURE KEY 3NXC TECH SPECS:
      • No host software, so there is no driver or app on the host to attack
      • Complete cross-platform compatibility
      • Built-in keypad
      • Brute force attack protection
      • All authentication takes place within the device
      • All data, passwords and encryption keys are 256-bit encrypted at rest
      • No host computer is involved in setup, authentication or encryption
      • No default PINs
      • IP68 rated against water and dust damage
      • Separate administrator and user access
      • Read-only options that can be enforced by the administrator or set by the user if allowed by policy
      • Highly configurable with policy such as time-out values, data recovery PINs, and programmable PIN lengths
      • Ability to automatically configure multiple devices remotely using Apricorn’s Aegis Configurator tool
      • Prices from $59 for 4GB storage


    “Our research has shown that sixty percent of IT professionals agree that remote work conditions have created data security issues within their organizations,” said Kurt Markley, U.S. Managing Director, Apricorn. “One of the fastest, most economical safeguards they could put in place quickly is the 3NXC. Both the NX and NXC were designed to accommodate smaller next-gen devices — like mobile phones, laptops, and tablets — that employees are using more and more to access privileged data while working remotely. It remains the first and only USB-C hardware-encrypted flash drive on the market and is now the only one to carry FIPS validation.”
    When I started using Aegis hardware, my main concern was that the unique built-in keypad would wear out over time. However, in my experience, the polymer-coated buttons are incredibly wear-resistant. I have this and other similar drives that have been in regular usage for two years, and the keypads on all of them are still like new.

    The 3NXC comes in a range of capacities from 4GB to 128GB. This translates into savings for those who don’t need high-capacity drives, with prices ranging from $59 to $179.

    Researchers create an 'un-hackable' quantum network over hundreds of kilometers using optical fiber

    Researchers from Toshiba have successfully sent quantum information over 600-kilometer-long optical fibers, creating a new distance record and paving the way for large-scale quantum networks that could be used to exchange information securely between cities and even countries. Working from the company’s R&D lab in Cambridge in the UK, the scientists demonstrated that they could transmit quantum bits (or qubits) over hundreds of kilometers of optical fiber without scrambling the fragile quantum data encoded in the particles, thanks to a new technology that stabilizes the environmental fluctuations occurring in the fiber.  This could go a long way in helping to create a next-generation quantum internet that scientists hope will one day span global distances.  The quantum internet, which will take the shape of a global network of quantum devices connected by long-distance quantum communication links, is expected to enable use-cases that are impossible with today’s web applications. They range from generating virtually un-hackable communications, to creating clusters of inter-connected quantum devices that together could surpass the compute power of classical devices. 


    But in order to communicate, quantum devices need to send and receive qubits, tiny particles that exist in a special, but extremely fragile, quantum state. Finding the best way to transmit qubits without having them fall out of their quantum state has had scientists around the world scratching their heads for many years. One approach consists of sending qubits down optical fibers that connect quantum devices. The method has been successful but is limited in scale: small changes in the environment, such as temperature fluctuations, cause the fibers to expand and contract, and risk disturbing the qubits. This is why experiments with optical fiber have, until now, typically been limited to a range of a few hundred kilometers; in other words, nowhere near enough to create the large-scale, global quantum internet dreamed up by scientists.

    To tackle the unstable conditions inside optical fibers, Toshiba’s researchers developed a new technique called “dual band stabilization”. The method sends two reference signals down the optical fiber at different wavelengths. The first wavelength is used to cancel out rapidly varying fluctuations, while the second, which is the same wavelength as the qubits, is used for finer adjustments of the phase. Put simply, the two wavelengths combine to cancel environmental fluctuations inside the fiber in real time, which, according to Toshiba’s researchers, enabled qubits to travel safely over 600 kilometers.

    Already, the company’s team has used the technology to trial one of the best-known applications of quantum networks: Quantum Key Distribution (QKD). QKD uses a quantum link to agree on a secret key whose secrecy rests on physics rather than on computational hardness, so that users can then exchange confidential information, such as bank statements or health records, encrypted under that key over an untrusted channel such as the internet. In a QKD session, one party encodes random bits onto individual qubits and sends them over the quantum link; the other party measures them, and the two then compare notes over an authenticated classical channel to keep only the bits on which their measurement settings agreed. Because of the laws of quantum mechanics, a spy cannot intercept and measure the qubits without disturbing them, which raises the error rate the users observe; they can then discard that key and try again. Unlike classical key exchange, therefore, QKD does not rely on the mathematical difficulty of recovering the key, but on the laws of physics, which means that even the most powerful computers, quantum ones included, cannot recover a key from the qubits. Two caveats matter in practice: the classical channel still needs conventional authentication to stop a man-in-the-middle, and the security proof covers the protocol, not imperfections in real sources and detectors, which have been attacked in laboratory demonstrations. It is easy to see why the idea is gathering attention from players of all kinds, from financial institutions to intelligence agencies.
    Toshiba’s new technique for reducing fluctuations in optical fibers enabled the researchers to carry out QKD over a much larger distance than previously possible. “This is a very exciting result,” said Mirko Pittaluga, research scientist at Toshiba Europe. “With the new techniques we have developed, further extensions of the communication distance for QKD are still possible and our solutions can also be applied to other quantum communications protocols and applications.” For QKD over optical fiber, Toshiba’s 600-kilometer mark is a record, which the company predicts will enable secure links between cities such as London, Paris, Brussels, Amsterdam and Dublin.

    Other research groups, however, have focused on different methods of transmitting qubits, which have enabled QKD over even larger distances. Chinese scientists, for example, are using a mix of satellite-based transmissions and optical fibers on the ground, and recently succeeded in carrying out QKD over a total distance of 4,600 kilometers. Every approach has its pros and cons: satellite technology is more costly and could be harder to scale up. But one thing is certain: research groups in the UK, China and the US are experimenting at pace to make quantum networks a reality. Toshiba’s research was partially funded by the EU, which is showing a keen interest in developing quantum communications. Meanwhile, China’s latest five-year plan also allocates a special place for quantum networks, and the US recently published a blueprint laying out a step-by-step plan for establishing a global quantum internet.
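    The QKD protocol sketched above, with both sides’ steps and the eavesdropper check, as an added example that is not Toshiba’s code: a classical simulation of BB84, the protocol most QKD links run on top of a stabilised fibre like the one described. The physics is idealised (no channel noise, perfect detectors, and the dual-band stabilisation is assumed to have done its job), and the 11% abort threshold is an assumption taken from the standard one-way BB84 security analysis. The point it shows is the one the article relies on: an intercept-and-resend eavesdropper cannot avoid leaving a measurable error rate.

```python
"""Added example, not Toshiba's code: idealised BB84 simulation showing why
intercept-and-resend eavesdropping is detected.  Threshold is an assumption."""
import random
from typing import Dict

ABORT_QBER = 0.11  # assumption: abort if the sampled error rate exceeds this


def bb84(n_qubits: int, eavesdrop: bool, seed: int = 0) -> Dict[str, object]:
    rng = random.Random(seed)
    # Alice: random bits, each encoded in a random basis
    # (0 = rectilinear, 1 = diagonal).
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    in_flight = list(zip(alice_bases, alice_bits))  # (encoding basis, value)

    if eavesdrop:
        # Eve measures each qubit in a random basis and re-sends what she saw.
        # A wrong basis gives her a random result, re-encoded in her basis,
        # so Bob's later measurement in Alice's basis is randomised too.
        resent = []
        for basis, bit in in_flight:
            eve_basis = rng.randrange(2)
            seen = bit if eve_basis == basis else rng.randrange(2)
            resent.append((eve_basis, seen))
        in_flight = resent

    # Bob measures in his own random bases; a basis mismatch yields a random bit.
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = [bit if bob_basis == basis else rng.randrange(2)
                for (basis, bit), bob_basis in zip(in_flight, bob_bases)]

    # Sifting over the public, authenticated classical channel: the two sides
    # compare bases (never bits) and discard positions where they differ.
    kept = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # They sacrifice a sample of sifted bits to estimate the quantum bit error
    # rate (QBER); the rest becomes the raw key if the QBER is acceptable.
    cut = len(kept) // 4
    sample, remaining = kept[:cut], kept[cut:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    return {
        "qber": qber,
        "aborted": qber > ABORT_QBER,
        "alice_key": [alice_bits[i] for i in remaining],
        "bob_key": [bob_bits[i] for i in remaining],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(2000, eavesdrop=eve, seed=7)
        print(f"eavesdropper={eve}: QBER={r['qber']:.3f} aborted={r['aborted']} "
              f"keys match={r['alice_key'] == r['bob_key']}")
```

    Without Eve the sifted keys agree bit for bit; with an intercept-and-resend Eve roughly a quarter of the sifted bits disagree, far above the abort threshold, because she guesses the wrong basis half the time and each wrong guess randomises Bob’s result half the time. A real link also sees a few percent of noise-induced errors, which is why the threshold sits at 11% rather than zero, and why the authenticated classical channel matters: without it, Eve could simply play Bob towards Alice and Alice towards Bob.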

    This new hacking group has a nasty surprise for African, Middle East diplomats

    A recently-discovered advanced persistent threat (APT) group is targeting diplomats across Africa and the Middle East. 

    Revealed on Thursday by ESET researchers, the state-sponsored group, dubbed BackdoorDiplomacy, has been linked to successful attacks against Ministries of Foreign Affairs in numerous African countries, the Middle East, Europe, and Asia, alongside a smaller subset of telecommunications firms in Africa and at least one charity in the Middle East.

    BackdoorDiplomacy is thought to have been in operation since at least 2017. The cross-platform group targets both Linux and Windows systems and prefers to exploit vulnerable internet-facing devices as its initial attack vector. If web servers or network management interfaces are found with weak points, such as software vulnerabilities or poor file-upload security, the APT will strike. In one case observed by ESET, an F5 bug, CVE-2020-5902, was used to deploy a Linux backdoor, whereas in another BackdoorDiplomacy used Microsoft Exchange server bugs to deploy the China Chopper webshell.

    Once they have obtained entry, the threat actors scan the device for lateral movement opportunities, install a custom backdoor, and deploy a range of tools to conduct surveillance and data theft. The backdoor, dubbed Turian, is thought to be based on the Quarian backdoor, malware linked to attacks against diplomatic targets in Syria and the US back in 2013. The main implant is capable of harvesting and exfiltrating system data, taking screenshots, and overwriting, moving, deleting, or stealing files.

    Among the tools used are the network tunnel software EarthWorm; Mimikatz; NetCat; and tooling derived from the NSA exploits leaked by the Shadow Brokers, such as EternalBlue, DoublePulsar, and EternalRocks. VMProtect was used in most cases to obfuscate the group’s binaries.

    Diplomats may handle sensitive information passed around on removable drives and storage. To widen the scope of its cyberespionage activities, BackdoorDiplomacy scans for flash drives and attempts to copy all files from them into a password-protected archive, which is then whisked off to a command-and-control (C2) server via the backdoor.

    While BackdoorDiplomacy has been registered as an APT in its own right, there do appear to be links, or at least common threads, with other threat groups. The network encryption protocol used by the APT is almost identical to that used by the Calypso group’s Whitebird backdoor, which was deployed against diplomatic targets in Kazakhstan and Kyrgyzstan during 2017–2020. In addition, ESET believes there are commonalities with CloudComputating/Platinum, which has targeted diplomatic, government, and military organizations across Asia in previous years. Other coding and mechanism clues resemble Rehashed RAT and MirageFox/APT15.

    In other research this month, Check Point Research discovered a novel backdoor developed by Chinese threat actors over the course of three years. The malware, dubbed VictoryDll_x86.dll, was used to compromise a network belonging to a Southeast Asian government’s Ministry of Foreign Affairs.
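    The removable-drive collection behaviour described above has a distinctive shape on an endpoint: a removable-media mount, then an archiver run with a password switch over that drive, then an outbound connection from the archiver or its parent process. The following added example, which is neither ESET’s nor the attackers’ code, is a small correlation rule over a constructed, Sysmon-like event timeline run against that chain. The event field names, the archiver list, the recognised password switches, the time window and the “internal” address ranges are all assumptions for the demo; in a real deployment they would come from the telemetry pipeline and the site’s own address plan.

```python
"""Added example: correlation rule for mount -> password-protected archive of
the mounted drive -> outbound connection.  Events are constructed and the
field names, archivers, switches and address ranges are assumptions."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed timeline (seconds from an arbitrary start).  pid 300 plays the
# implant; it spawns the archiver and later opens the outbound connection.
EVENTS: List[Dict] = [
    {"ts": 0, "type": "media_mounted", "drive": "E:"},
    {"ts": 40, "type": "process_create", "pid": 412, "ppid": 300,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 75, "type": "process_create", "pid": 520, "ppid": 300,
     "image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a -hpSecret123 C:\Users\Public\tmp\1.rar E:\*"},
    {"ts": 100, "type": "network_connect", "pid": 300, "dest": "10.1.2.3", "port": 445},
    {"ts": 130, "type": "network_connect", "pid": 300, "dest": "203.0.113.7", "port": 443},
    # Benign: scheduled backup of a fixed disk, no password switch.
    {"ts": 900, "type": "process_create", "pid": 610, "ppid": 305,
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": r"7z.exe a D:\backup.7z D:\docs"},
]

ARCHIVER = re.compile(r"(?:rar|winrar|7z|7za|zip)\.exe$", re.I)
# rar -hp / -p, 7z -p, and a generic --password form (assumed list).
PASSWORD_SWITCH = re.compile(r"(?:^|\s)(?:-hp\S*|-p\S+|--password\b)", re.I)
# Assumed internal ranges; anything else counts as an exfiltration candidate.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_external(dest: str) -> bool:
    addr = ip_address(dest)
    return not any(addr in net for net in INTERNAL)


def correlate(events: List[Dict], window: int = 600) -> List[Dict]:
    """One alert per mount -> archiver -> outbound chain completed within `window` seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts: List[Dict] = []
    for mount in (e for e in events if e["type"] == "media_mounted"):
        deadline = mount["ts"] + window
        for proc in events:
            if proc["type"] != "process_create" or not mount["ts"] <= proc["ts"] <= deadline:
                continue
            if not (ARCHIVER.search(proc["image"])
                    and mount["drive"].lower() in proc["cmdline"].lower()
                    and PASSWORD_SWITCH.search(proc["cmdline"])):
                continue
            # The archive is usually sent by the implant, i.e. the archiver's
            # parent, rather than by the archiver itself, so watch both.
            tree = {proc["pid"], proc["ppid"]}
            for conn in events:
                if (conn["type"] == "network_connect" and proc["ts"] <= conn["ts"] <= deadline
                        and conn["pid"] in tree and is_external(conn["dest"])):
                    alerts.append({"drive": mount["drive"], "archiver_pid": proc["pid"],
                                   "cmdline": proc["cmdline"], "exfil_pid": conn["pid"],
                                   "dest": f"{conn['dest']}:{conn['port']}"})
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

    On the sample timeline the rule fires once, on the rar run over E:\ followed by the parent’s connection to 203.0.113.7; the SMB connection to an internal host and the later password-less backup of a fixed disk are ignored. Shrinking the window to a minute drops the alert, which is the usual tuning knob: the trade-off is between catching slow operators and paging on legitimate encrypted backups.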