More stories

  • US, Brazilian law enforcement seize $24 million in cryptocurrency generated through online fraud

    US and Brazilian authorities have seized $24 million in cryptocurrency connected to an online scheme that allegedly defrauded “tens of thousands” of investors.
    Upon request from the government of Brazil, US law enforcement participated in “Operation Egypto,” a Brazilian federal investigation into the suspected scam, the US Department of Justice (DoJ) said on Wednesday. 
    The collaborative effort, made under the Mutual Legal Assistance in Criminal Matters treaty, tracked down suspect Marcos Antonio Fagundes, who is being charged with the operation of a financial institution without legal authorization, fraudulent management of a financial institution, misappropriation, money laundering, and the violation of securities law. 
    Prosecutors allege that between August 2017 and May 2019, Fagundes and co-conspirators used the internet to find and solicit investors — sometimes together with communication over the phone — and convince them to invest in new financial “opportunities.”
    The victims of the alleged scam would then part with funds in either Brazilian currency or cryptocurrency, believing that the investment would be poured into companies that Fagundes and his associates controlled. 
    These companies, the DoJ says, were meant to then invest in virtual assets. However, only a “very small amount” of the funds were used for this purpose — while the rest went into the pockets of the alleged fraudsters. 

    As a result, investors saw close to nothing in return for their cash.
    “To carry out the scheme, the conspirators are alleged to have made false and inconsistent promises to investors about the way the funds were invested and exaggerated the rates of return,” the DoJ added. 
    Operation Egypto investigators estimate that tens of thousands of investors handed over more than $200 million. 
    After the Brazilian court issued a seizure order for any cryptocurrency held by Fagundes in the US, $24 million was recovered with help from the cryptocurrency exchanges holding his wallets. 
    The investigation is ongoing. However, Brazilian authorities, the FBI, and other parties intend to hold the cryptocurrency as part of future forfeiture proceedings in order to compensate the investors involved, at least to some degree.
    This week, the DoJ also announced the seizure of 27 web domains used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to spread propaganda and misinformation under the guise of legitimate news outlets. 

  • Capcom quietly discloses cyberattack impacting email, file servers

    Capcom has disclosed a cyberattack that impacted the company’s operations over the weekend. 

    The Osaka, Japan-based video game developer said in a notice dated November 4 that two days prior, beginning in the early morning, “some of the Capcom Group networks experienced issues that affected access to certain systems” due to a cyberattack. 
    Email and file servers were impacted. 
    Capcom has described the attack as “unauthorized access” conducted by a third party. As the security incident unfolded, the company halted some operations on its internal networks, likely to prevent the cyberattack from spreading further and compromising additional corporate resources.
    Capcom claims that there is “no indication” that customer information has been accessed or compromised, at least at this stage.
    “This incident has not affected connections for playing the company’s games online or access to its various websites,” the company said. “Capcom expressed its deepest regret for any inconvenience this may cause to its various stakeholders.”

    At the time of writing, Capcom says it is “unable to reply to inquiries and/or to fulfill requests for documents” made through the investor relations contact form.
    The game developer is currently working toward restoring its systems and has reported the cyberattack to law enforcement. 
    Capcom has not revealed any further details relating to the attack, but the company is not the only game developer targeted this year. In October, Ubisoft and Crytek were the victims of the Egregor ransomware gang, which attempted to extort a ransom payment from the firms under threat of publicly releasing proprietary data stolen during the attacks.
    Egregor is an active ransomware group believed to be responsible for cyberattacks against GEFCO and Barnes & Noble. Researchers from Malwarebytes suspect that past affiliates of the Maze ransomware group — now retired from the scene — are now turning to Egregor as an alternative. 

  • Company that runs US illegal immigration detention centers discloses ransomware attack

    The GEO Group, a company known for running private prisons and illegal immigration detention centers in the US and other countries, says it suffered a ransomware attack over the summer.

    Personal data and health information for some inmates and residents was exposed during the incident, which took place on August 19.
    This includes data for inmates and employees at the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now-closed facility in California, the company told ZDNet.
    “GEO implemented several containment and remediation measures to address the incident, restore its systems and reinforce the security of its networks and information technology systems,” the company said.
    GEO said it recovered its data but did not say if this meant restoring from backups or paying the ransomware gang to decrypt its files.
    In documents filed with the US Securities and Exchange Commission on Tuesday, the GEO Group played down the security breach and said its aftermath won’t have any material impact on its business, operations, or financial results.
    The company is now sending data breach notification letters to all impacted individuals.

    Exposed personal details could include name, address, date of birth, Social Security number, employee ID number, driver’s license number, medical treatment information, and other health-related information.
    The incident impacted only a small portion of the GEO Group’s network, which includes 123 private prisons, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom.
    US government contracts accounted for more than half of the GEO Group’s 2019 revenue, according to the company’s yearly 10-K form filed with the SEC.
    The company’s stock price fell 14% from $9.76 at the end of trading on Tuesday to $8.38 the next day, after GEO disclosed the incident.

  • US seizes another crop of Iranian propaganda domains masked as news outlets

    The United States announced on Wednesday it has seized 27 domains that were used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to spread global covert influence campaigns.
    According to the Department of Justice (DoJ), four of the 27 domain names — “rpfront.com”, “ahtribune.com”, “awdnews.com”, and “criticalstudies.org” — were seized as they breached the Foreign Agents Registration Act, which requires website holders to submit periodic registration statements containing truthful information about their activities and the income earned from them. 
    The four domains purported to be genuine news outlets, but they were controlled by the IRGC and targeted audiences in the United States with pro-Iranian propaganda, the department said in a statement.
    Meanwhile, the remaining 23 domains were seized as they targeted audiences in other parts of the world, the department added.
    The domains were identified by the DoJ through ongoing collaboration with Google, Facebook, Twitter, and the Federal Bureau of Investigation (FBI).
    This follows an earlier crop of similar seizures made by the DoJ last month. For that earlier crop, the DoJ shut down 92 domains that were also used by the IRGC for disinformation campaigns.
    “Within the last month we have announced seizures of Iran’s weapons, fuel, and covert influence infrastructure,” said John Demers, assistant attorney general for National Security.  

    “As long as Iran’s leaders are trying to destabilise the world through the state-sponsorship of terrorism and the taking of hostages, we will continue to enforce US sanctions and take other legal steps to counter them.”
    In the past two months, the United States has made concerted efforts to publicly disclose Iranian foreign interference. In late October, the US Treasury department issued sanctions against five Iranian entities for allegedly attempting to influence the 2020 presidential elections. The five entities were allegedly controlled by the Iranian government and disguised themselves as news organisations or media outlets. 
    On the same day of the sanctions being issued, high-ranking government officials accused Iran of being behind a wave of spoofed emails that were sent to US voters. Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US presidential election.  
    Meanwhile, Twitter said at the start of October that it removed around 130 Iranian Twitter accounts as they attempted to disrupt the public conversation following the first presidential debate.
    Twitter said it learned of the accounts following a tip from the FBI.
    “We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard,” the social network said at the time.

  • Russian authorities make rare arrest of malware author

    Russian authorities arrested a malware author at the end of September, an action that is extremely rare in a country known for usually being soft on hackers.

    According to the Russian Ministry of Internal Affairs, the suspect is a 20-year-old from the region of North Ossetia–Alania.
    Russian authorities claim that between November 2017 and March 2018, the suspect created several malware strains, which he later used to infect more than 2,100 computers across Russia.
    Authorities said that besides operating the malware himself, the suspect also worked with six other accomplices to distribute the malware, which eventually brought the group more than 4.3 million Russian rubles (~$55,000) in profit.
    While Russian law enforcement did not share the malware author’s name, Benoit Ancel, a malware analyst at the CSIS Security Group, said last week and today on Twitter that the suspect is a Russian hacker he and other security researchers have been tracking under the nickname of “1ms0rry.”
    Ancel is in the perfect position to identify this malware developer. In April 2018, Ancel worked together with other security researchers to track down 1ms0rry’s online operations and malware arsenal.
    According to this report, Ancel linked 1ms0rry to malware strains such as:
      • 1ms0rry-Miner: a trojan that, once installed on a system, starts secretly mining cryptocurrency to generate profit for its author.
      • N0f1l3: an info-stealer trojan that can extract and steal data from infected computers. Capabilities include the ability to steal browser passwords, cryptocurrency wallet configuration files, Filezilla FTP credentials, and specific files stored on a user’s desktop.
      • LoaderBot: a trojan that can be used to infect victims in a first stage and then deploy other malware on demand during a second stage (aka a “loader”).

    The French security researcher said 1ms0rry sold his malware strains on Russian-speaking hacker forums and that some of his creations were also eventually used to create even more powerful malware strains, such as Bumblebee (based on the 1ms0rry-Miner), FelixHTTP (based on N0f1l3), and EnlightenedHTTP and the highly popular Evrial (which shared some code with 1ms0rry’s creations).

    Image: LoaderBot control panel (Benoit Ancel)
    The 2018 report also exposed 1ms0rry’s real-world identity as a talented young programmer from the city of Vladikavkaz, who at one point even received praise from local authorities for his involvement in the cyber-security field.
    However, the young programmer made a major mistake by allowing his malware to infect Russian users.
    It is no mystery by this point that Russian authorities will turn a blind eye to cybercrime operations as long as cybercriminals don’t target Russian citizens and local businesses.
    For the past decade, Russian cybercrime groups have gone unpunished for operations carried out outside of Russia’s borders, with Russian officials declining to extradite Russian hackers despite repeated indictments by US authorities.
    Today, all major Russian-speaking hacking forums and black market sites make it very clear in their rules that members are forbidden from attacking users in the former Soviet space, knowing that by not attacking Russian citizens, they will be left alone to operate undisturbed.
    It’s because of these forum rules that a large number of malware strains today come hard-coded to avoid infecting Russian users.
    However, 1ms0rry appears to have either not been aware of this rule or chose to willfully ignore it for additional profits, for which he appears to have paid the price.

  • Spike in Emotet activity could mean big payday for ransomware gangs

    There has been a massive increase in Emotet attacks, and cyber criminals are using machines compromised by the malware to launch further malware infections as well as ransomware campaigns.
    The October 2020 HP-Bromium Threat Insights Report records a 1,200 per cent increase in Emotet detections from July to September compared to the previous three months, during which deployment of the malware appeared to decline.
    Since emerging in 2018, Emotet has regularly seen surges in activity, then seemingly disappeared only to come back again, something which researchers suggest will continue well into 2021.
    Emotet often gains a foothold in networks via phishing emails, and those behind it have been seen to use thread hijacking in an effort to make the emails look more legitimate – people are more likely to download an attachment if it appears to come from a colleague or someone else they know.
    The attacks and malicious attachments are customised depending on the location of the intended victim with phishing email templates and lures written in English, French, German, Greek, Hindi, Italian, Japanese, Spanish and Vietnamese.
    Despite starting life as a banking trojan, the key for Emotet is now simply to compromise as many machines as possible, creating backdoors into networks which its operators can sell on to other malware operators as a gateway for their own malicious campaigns. Emotet infections are a popular starting point for ransomware attacks.

    “The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors. Within underground forums and marketplaces, access brokers often advertise characteristics about organisations they have breached – such as size and revenue – to appeal to buyers,” said Alex Holland, senior malware analyst at HP.
    “Ransomware operators in particular are becoming increasingly targeted in their approach to maximize potential payments, moving away from their usual spray-and-pray tactics,” he added. “This has contributed to the rise in average ransomware payments, which has increased by 60 per cent.”
    To help protect against Emotet and other malware attacks, it’s recommended that organisations implement email content filtering in order to reduce the chance of a malicious attachment being successfully delivered.
    Organisations should also ensure that their network is patched with the latest security updates, as this goes a long way toward protecting against cyber attacks that exploit known vulnerabilities.

  • As Maze retires, clients turn to Sekhmet ransomware spin-off Egregor

    As the developers of the Maze ransomware announce their exit from the malware scene, clients are now thought to be turning to Egregor as a substitute.

    The Maze group has been a devastating force for companies that have fallen victim to the cybercriminals over the past year. 
    What has separated Maze from many other threat groups in the past is its practices following infection. Maze would attack a corporate resource, encrypt files or simply focus on stealing proprietary data, and then demand payment — often reaching six figures — in cryptocurrency.
    If extortion attempts failed, the group would then create an entry on a dedicated Dark Web portal and release the data it had stolen. Canon, LG, and Xerox are reported to be among the organizations previously struck by Maze.
    However, on November 1, the Maze group announced its “retirement,” noting that there is no “official successor” and support for the malware would end after one month. 
    Malwarebytes noted a drop-off in infections since August and says that the withdrawal from the scene is “not really” an unexpected move.

    However, that doesn’t mean that previous customers of Maze would also quit the market, and the researchers suspect that “many of their affiliates have moved to a new family” known as Egregor, a spin-off of Ransom.Sekhmet. 
    According to an analysis conducted by Appgate, Egregor has been active since mid-September this year, and in this time, has been linked to alleged attacks against organizations including GEFCO and Barnes & Noble.
    Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in which customers can subscribe for access to the malware. According to sample ransom notes, once a victim has been infected and their files encrypted, operators demand that they establish contact over Tor or a dedicated website to organize payment. 
    Furthermore, the note threatens that if a ransom is not paid within three days, stolen data will be made public. 
    Egregor uses a range of obfuscation techniques and payload packing to hinder analysis. The ransomware’s functionality is considered to be similar to Sekhmet.
    “In one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided,” the researchers noted. 
    While affiliates transition to Egregor, Malwarebytes warns that this may not be the last time we see Maze as an active threat. 
    “History has shown us that when a crime group decides to close its doors, it’s rarely because the criminals have seen the error of their ways and it’s more often due to a new, more powerful threat that the threat actors would prefer to use,” the researchers note. “So, with businesses now being targeted with the next ransomware and no sign of hope for victims of the past we see no reason to be particularly happy about this.”

  • Police launch pilot program to tap resident Ring camera live streams

    Law enforcement in Jackson, Mississippi has launched a pilot program that allows officers to tap into private surveillance devices during criminal investigations. 

    On Monday, the AP reported that the trial, now signed off by the city, will last for 45 days.
    The pilot program uses technology provided by Pileum and Fusus, an IT consultancy firm and a provider of a cloud-based video, sensor, and data feed platform for the law enforcement market. 
    WLBT says that up to five city-owned and five private cameras will be used during the trial. However, if the scheme is considered successful, residents could then be encouraged to submit their own cameras to the pool — drastically expanding the surveillance capabilities of local law enforcement.
    Once a crime is reported, police will be able to “access cameras in the area” to examine elements such as potential escape routes or in order to track getaway vehicles by way of a “Real Time Crime Center” system.  
    Residents and businesses may be able to voluntarily participate in the future, if the trial continues, as long as they sign a waiver allowing law enforcement to patch into real-time live streams produced by their surveillance cameras — such as the Amazon Ring Doorbell product line, for example — when crimes are occurring.

    Jackson Mayor Chokwe Antar Lumumba cited Amazon’s Ring door cameras as an example product.  
    According to Lumumba, this permission would allow police to track criminal activity and would “save [us] from having to buy a camera for every place across the city.” 
    The trial has been made available free of cost to Mississippi’s capital. 
    However, the pilot may prompt privacy concerns. As noted by the EFF, handing over control of live streams to law enforcement may allow the covert recording not only of a willing participant’s comings and goings but of their neighbors’, too.
    “The footage from your front door includes you coming and going from your house, your neighbors taking out the trash, and the dog walkers and delivery people who do their jobs in your street,” the EFF says. “In Jackson, this footage can now be live-streamed directly onto a dozen monitors scrutinized by police around the clock. Even if you refuse to allow your footage to be used that way, your neighbor’s camera pointed at your house may still be transmitted directly to the police.”
    The pilot’s launch may be a surprise to some, as Jackson city officials voted — only in August — to pre-emptively ban police forces from using facial recognition technology to identify potential suspects on city streets. 
    In September, a leaked FBI analysis bulletin highlighted how smart doorbells could also be turned against law enforcement, as live feeds could warn suspected criminals of police presence, alert them to incoming visits from such ‘unwanted’ visitors, and may show suspects where officers are — a safety risk when it comes to property raids. 
    Update 15.11pm GMT: Added clarification that Amazon’s Ring product was cited as an example option. A Ring spokesperson told ZDNet:

    “This is not a Ring program and Ring is not working with any of the companies or the city in connection with this program.”
