Showing posts with label Investigation.

US Think Tank Struck by Cyberattack

 

The Heritage Foundation, a prominent conservative think tank based in Washington, DC, revealed on Friday that it had been hit by a cyberattack earlier in the week. With mitigation still under way, the organization could not yet say whether any data had been stolen.

Although the exact extent of the breach remained unclear, the foundation took proactive measures by temporarily shutting down its network to prevent further infiltration while launching an investigation into the incident.

Initial reports of the cyberattack surfaced through Politico, citing a Heritage official who speculated that the perpetrators could be nation-state hackers. No evidence was offered to support that attribution. Heritage spokesperson Noah Weinrich declined to comment when contacted by email on Thursday and again when approached by TechCrunch on Friday.

Founded in 1973, the Heritage Foundation has become a significant force in conservative advocacy and policymaking, with considerable influence in Republican circles. That prominence also makes it a prime target: think tanks are attractive targets for cyber espionage because of their close ties to government entities and to the policymaking process.

This incident marks another instance in which Heritage has faced cyber adversity, reminiscent of a 2015 attack that resulted in the unauthorized access and theft of internal emails and sensitive donor information.

Sensitive Documents Vanish Under Mysterious Circumstances from Europol Headquarters

 

A significant security breach has impacted the European Union's law enforcement agency, Europol, according to a report by Politico. Last summer, a collection of highly confidential documents containing personal information about prominent Europol figures vanished under mysterious circumstances.

The missing files, which included sensitive data concerning top law enforcement officials such as Europol Executive Director Catherine De Bolle, were stored securely at Europol's headquarters in The Hague. An ongoing investigation was launched by European authorities following the discovery of the breach.

An internal communication dated September 18 revealed that Europol's management was alerted to the disappearance of personal paper files belonging to several staff members on September 6, 2023. Subsequent checks uncovered additional missing files, prompting serious concerns about data security and privacy.

Europol took immediate steps to notify the individuals affected by the breach, as well as the European Data Protection Supervisor (EDPS). The incident poses significant risks not only to the individuals whose information was compromised but also to the agency's operations and ongoing investigations.

Compounding the problem, Politico reported that some of the missing files were found by a member of the public in a public place in The Hague. How long the files were missing, and how they left the building, remains unclear.

Among the missing files were those belonging to Europol's top executives, including Catherine De Bolle and three deputy directors. These files contained a wealth of sensitive information, including human resources data.

In response to the breach, Europol took action against the agency's head of Human Resources, Massimiliano Bettin, placing him on administrative leave. Politico suggests that internal conflicts within the agency may have motivated the breach, speculating on potential motives for targeting Bettin specifically.

The security breach at Europol raises serious concerns about data protection and organizational security measures within the agency, prompting an urgent need for further investigation and safeguards to prevent future incidents.

Marina Bay Sands: Data of 665,000 Customers Hacked by Unknown Third Party

 

Singapore is renowned for maintaining stringent cybersecurity and data protection standards in the region. Companies in the country are keenly aware of their responsibility to safeguard cybersecurity, particularly concerning data privacy. In the event of cybersecurity incidents, organizations promptly notify both customers and regulators, implementing swift plans to rectify the situation. 

Recently, Marina Bay Sands (MBS) encountered a data leak involving the personal information of approximately 665,000 members in its shoppers' rewards program, prompting a rapid response from the company.

MBS took immediate action, informing members of its Sands LifeStyle program via email on November 7th about the data leak that occurred between October 19th and 20th. The resort disclosed its awareness of the incident on October 20th and initiated investigations. 

The inquiry revealed that an unidentified third party had accessed the personal data of the affected members. Paul Town, MBS's Chief Operating Officer, told members that the investigation had so far found no evidence that the unauthorized party had misused the data.

The compromised personal data included members' names, email addresses, contact details, country of residence, membership numbers, and tiers. MBS advised affected users to closely monitor their accounts for suspicious activity, change login pins regularly, and stay vigilant against phishing attempts. The company reported the data leak to relevant authorities in Singapore and other applicable countries, collaborating with them in their investigations.

Despite a decline in cybersecurity incidents in Singapore earlier in the year, recent weeks have witnessed an increase in such occurrences. Between the first quarter of 2020 and the first quarter of 2023, data breach statistics in Singapore showed significant fluctuations in the number of exposed records. Besides the MBS data leak, a recent incident involved web service outages in public hospitals and polyclinics due to a distributed denial-of-service (DDoS) attack.

While some might draw parallels between the MBS data leak and the recent ransomware attacks on Las Vegas casino operators, the situations differ. Unlike the ransomware incidents at Caesars Entertainment and MGM, MBS did not report any ransom demand, and it says only members' personal data was affected, with no disruption to services. Even so, data of this kind has real value on the dark web. The exact cause of the MBS leak, and whether any other data was compromised, remains to be determined.

Cyberattack Strikes Australian Energy Software Company Energy One

 

Energy One, an Australian company specializing in software and services for the energy industry, has been hit by a cyberattack.

In an announcement on Monday, the company said the breach was identified on August 18 and affected some internal systems in both Australia and the United Kingdom.

“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.

Energy One is actively engaged in an inquiry to ascertain the extent of the impact on customer-related systems and personal data. The organization is also committed to tracing the initial point of intrusion employed by the attacker.

Although the company has not disclosed details of the attack, the wording of its statement suggests a ransomware incident.

To facilitate the investigation, cybersecurity specialists have been enlisted, and competent authorities in both Australia and the UK have been informed about the incident.

According to a recent report by Searchlight Cyber, a British threat intelligence firm, threat actors have been selling initial access to energy-sector companies around the world, at prices ranging from $20 to $2,500.

Such access is typically obtained through exposed Remote Desktop Protocol (RDP) services, compromised login credentials, and vulnerabilities in edge devices such as Fortinet products.

The IRS is Deploying Four Investigators Across the Globe to Combat Cybercrime

 


Starting this summer, the Internal Revenue Service (IRS) intends to post four cybercrime investigators to Australia, Singapore, Colombia, and Germany. The four new positions mark a major expansion of the IRS's international effort against cybercrime involving cryptocurrency, decentralized finance, and bitcoin mixing and laundering services.

In recent years, IRS-CI agents have played a key role in investigating crimes on the dark web as part of landmark international operations such as the shutdown of the drug and hacking services marketplace AlphaBay and the arrest of its administrator, the bust of the internet's largest child abuse website, and the takedown of a marketplace for stolen Social Security numbers, among others.

Until now, the IRS has had only one cyber investigator abroad, in The Hague, Netherlands, who has worked mostly with Europol since 2021. Guy Ficco, the IRS's executive director for worldwide operations policy and IRS-CI support, first mentioned the expansion during a panel discussion at the Chainalysis Links conference on April 4.

“Starting really now we’re going to be piloting for additional posts, putting dedicated cyber attaches in Bogota, Colombia, in Frankfurt, Germany, in Singapore, and in Sydney, Australia,” Ficco said. “I think the benefits have been — at least with the Hague and with Europol posts — have been very tangible.”

In an email, IRS spokesperson Carissa Cutrell explained that the four new positions are part of a pilot program that will run for 120 days, from June to September 2023, and are designed "to help combat the use of cryptocurrency, decentralized finance, and mixing services in international financial and tax crimes." Following the 120-day pilot program, the IRS will decide whether to keep the agents in the new countries.

“Success will hinge on the attachés’ ability to work cooperatively and train our foreign law enforcement counterparts, and build leads for criminal investigations,” Cutrell said.

According to Chris Janczewski, a special agent in the IRS-CI Cyber Crimes Unit, expanding the IRS's presence abroad is crucial to expediting foreign investigations.

“The U.S.-based case agent can’t always travel to coordinate with foreign partners on investigative needs and the cyber attaché has to act as the proxy for the case agent,” Janczewski told TechCrunch in an email. “Their expertise on knowing what questions to ask, what evidence can reasonably be obtained, and the impact of any cultural or legal implications.”

Janczewski handled the investigation of the largest dark web child abuse site, Welcome to Video. He is presently the worldwide investigations director of TRM Labs, a blockchain intelligence firm. He explained that depending on the countries with whom the IRS is dealing, there may be different legal methods to gather evidence, "but often informal information in real-time is needed in fast-moving investigations."

“In these situations, it comes down to professional relationships, knowing who to call and what to say,” he said.

Aside from the five cyber investigators, the IRS maintains 11 attaché locations around the world, including Mexico, Canada, Colombia, Panama, Barbados, China, Germany, the Netherlands, the United Kingdom, Australia, and the UAE.

“These partnerships give CI the ability to develop leads for domestic and international investigations with an international nexus. In addition, attachés provide support and direction for investigations with international issues, foreign witnesses, foreign evidence, or execution of sensitive investigative activities in collaboration with our international partners,” the IRS-CI wrote in its 2022 annual report. “Attachés also help uncover emerging schemes perpetrated by promoters, professional enablers, and financial institutions. These entities facilitate tax evasion of federal tax obligations by U.S. taxpayers, as well as other financial crimes.”

A Credential Stuffing Attack Breaches PayPal Accounts

 


In December last year, attackers gained access to the accounts of almost 35,000 PayPal users by means of credential stuffing. PayPal is now sending data breach notifications to the affected users.

In its notice to affected customers, PayPal said the attack took place between December 6 and 8 of last year, that it detected the activity and took steps to stop it, and that it has opened an internal investigation into how the attackers got into customers' accounts in the first place.

Although the company says the attackers were unable to carry out any transactions from the breached accounts, the attackers could view sensitive information in those accounts, including full names, dates of birth, postal addresses, Social Security numbers, and tax identification numbers.

Based on PayPal's investigation, the attackers did not break into PayPal's own systems. Credential stuffing relies on username and password pairs that are already in circulation from breaches of other services and are widely traded on the dark web.

Credential-stuffing attacks are usually automated: bots take username and password pairs from earlier data breaches and try them against many online services, betting that users have reused the same password elsewhere and have not changed it.

Reusing the same password across accounts is therefore dangerous. Once an attacker obtains your password from a breach of one website or service, they can try it against every other account you hold.
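The pattern described above has a recognizable shape in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the few that succeed are the reused passwords. The following detector is an added example, not PayPal's code or anything from the original post. The log format, the 60-second window, the thresholds (at least 8 distinct usernames and a failure rate of 50% or more) and the log lines themselves are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 cycles through many accounts (credential stuffing); 198.51.100.9 is one
# user who mistyped their password twice and then logged in.
SAMPLE_LOG = """\
2022-12-06T02:14:01Z 203.0.113.7 alice@example.com FAIL
2022-12-06T02:14:02Z 203.0.113.7 bob@example.com FAIL
2022-12-06T02:14:02Z 203.0.113.7 carol@example.com OK
2022-12-06T02:14:03Z 203.0.113.7 dave@example.com FAIL
2022-12-06T02:14:03Z 203.0.113.7 erin@example.com FAIL
2022-12-06T02:14:04Z 203.0.113.7 frank@example.com FAIL
2022-12-06T02:14:05Z 203.0.113.7 grace@example.com OK
2022-12-06T02:14:05Z 203.0.113.7 heidi@example.com FAIL
2022-12-06T02:14:06Z 203.0.113.7 ivan@example.com FAIL
2022-12-06T02:14:07Z 203.0.113.7 judy@example.com FAIL
2022-12-06T02:20:00Z 198.51.100.9 alice@example.com FAIL
2022-12-06T02:20:09Z 198.51.100.9 alice@example.com FAIL
2022-12-06T02:20:20Z 198.51.100.9 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn the assumed log format into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=8, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures
    inside a sliding time window. Returns {ip: summary} for flagged sources.

    A password brute force (one username, many passwords) has the opposite
    shape (few users, many failures) and is deliberately not flagged here.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                # keep the latest (largest) qualifying window for this IP
                alerts[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts whose reused password worked: these need a forced reset
                    "compromised": sorted(e[2] for e in win if e[3]),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The successful logins inside a flagged window are the actionable output: those are the accounts to reset and notify, which is essentially what PayPal did. In production the same logic would run over a streaming source rather than a string, and the thresholds would be tuned against the site's normal traffic.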

When your PayPal account is hacked, what should you do next? 

If PayPal has notified you that your account was breached, the company has already reset your password. When you next log in, choose a strong, unique password for the account. A password manager such as KeePass can generate and store such passwords for you, and many password managers also offer a free online password generator.

To protect affected customers from identity theft, PayPal is offering two years of free identity monitoring from Equifax, which watches for misuse of your name, date of birth, address, and Social Security number. If you want broader coverage, you may also consider a paid identity theft protection service.

It is also recommended that you enable two-factor authentication on your PayPal account. With it, an attacker who obtains your login credentials still cannot get into the account.

Despite the many risks involved, password reuse is still one of the biggest problems in the online world but hopefully, this unfortunate incident will get people to use strong, complex, and unique passwords - especially when it comes to their financial accounts. 

Google Receives Sensitive Data From Abortion Pill Websites

 


Several online pharmacies are selling abortion pills online and sharing their customers' personal information, such as their search history and geolocation, with Google and other third parties. ProPublica has learned that by using this information, one can identify the users of these websites, which could be used to track them down. 

In post-Roe America, where many states have banned abortion, privacy advocates warn that such data could become dangerous if law enforcement subpoenas it to prosecute women who end their pregnancies.

Police often do not even need to go to court to obtain this data, because companies frequently hand it over voluntarily, without a court order.

Since the Supreme Court's ruling in Dobbs, which overturned Roe v. Wade and ended the constitutional right to abortion, more than a dozen states have prohibited both surgical and medication abortion (abortion pills) within their borders.

ProPublica analyzed the pharmacies' websites with The Markup's website privacy inspector to find out which trackers they use. The analysis found that at least nine websites selling abortion medication collected and shared records about their customers, including other websites they visited, search terms entered, general location, and device information.

This is ordinary visitor data of the kind that websites share with third-party tools for counting visitors, analyzing traffic patterns, and providing live chat support.

According to ProPublica's investigation, nine of the sites were sending Google data that could potentially identify users, including a random identifier assigned to each user's browser that could be matched with other information collected through the sites, the investigative non-profit documented.
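What a "website privacy inspector" does at its simplest is parse a page and look for script, image and iframe sources that point at known tracker hosts, plus inline analytics configuration. The scanner below is an added example, not The Markup's tool or anything from the original post. The tracker-host list is a small illustrative assumption rather than a complete one, the sample HTML is constructed, and the `_ga` cookie parser assumes the commonly documented `GA1.<depth>.<random>.<timestamp>` layout, whose random component is the per-browser identifier of the kind the paragraph above refers to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative mapping of third-party hosts to vendors (an assumption, not a full list).
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
}
# GA4 ("G-...") and Universal Analytics ("UA-...") measurement IDs in inline config.
GA_ID_RE = re.compile(r"\b(G-[A-Z0-9]{6,}|UA-\d{4,}-\d+)\b")

# Constructed sample page (not taken from any real pharmacy site).
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC1234XYZ"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC1234XYZ');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/>
<script src="/static/app.js"></script>
</body></html>"""


class TrackerScanner(HTMLParser):
    """Collect (vendor, where, evidence) findings from a page's HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname  # also handles protocol-relative "//host/..."
            if host in TRACKER_HOSTS:
                self.findings.append((TRACKER_HOSTS[host], tag, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline <script> bodies arrive here; look for analytics measurement IDs.
        if self._in_script:
            for measurement_id in GA_ID_RE.findall(data):
                self.findings.append(("Google Analytics", "inline-config", measurement_id))


def scan_html(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def vendors(html):
    """Sorted list of distinct third-party vendors the page talks to."""
    return sorted({vendor for vendor, _, _ in scan_html(html)})


def parse_ga_client_id(cookie_value):
    """Extract the per-browser client ID from a _ga cookie value.
    Assumed layout: GA1.<domain depth>.<random>.<first-visit timestamp>."""
    parts = cookie_value.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        return None
    return parts[2] + "." + parts[3]


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
    print(parse_ga_client_id("GA1.2.1234567890.1700000000"))
```

Every finding is a request that the visitor's browser will make to a third party, carrying the page URL (and hence the search or product the visitor was looking at) together with a persistent identifier. That is the data flow the paragraph above describes, and it is why a site serving at-risk users should run a check like this against its own pages.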

The nine pharmacies are Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy, and Online Abortion Pill Rx.

The Register contacted several of the pharmacies about the issue, but none responded. Companies selling abortion pills must stop sharing data with Google and Facebook immediately, said Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation (EFF).

Web developers may not have thought they were putting users at risk when they added Google Analytics and other third-party tracking, but they now have to. In the current political climate, all websites, and especially those serving at-risk users, must consider whether helping Google, Facebook, and others build user profiles could lead to a horrific outcome, Quintin said. They cannot keep acting as though Roe were still the law of the land.

The EFF says it has not yet seen a case in which law enforcement used this type of tracking data to prosecute abortion seekers or providers. Quintin's concern is that the data held by big tech platforms such as Google and Facebook may one day be used as a dragnet to find and prosecute women seeking abortions or other reproductive care.

When served with a court order, tech companies typically turn over users' private information and messages to the police. Google received more than 87,000 search warrants and subpoenas in 2021.

'Purely Hypothetical and Technically Impossible,' States Google

Google's transparency report does not say how many of those requests concerned health information. According to a company spokesperson, Google does push back against government demands for customer data.

Google Analytics policies also prohibit customers from sending Google any data that could identify an individual. Google has strongly disputed the non-profit's conclusions.

According to Google Analytics Product Director Steve Ganem, the allegations in ProPublica's article regarding Google Analytics are "purely hypothetical" and "technically impossible" in the real world.

As Ganem put it, "Google Analytics was designed specifically so that we and other third parties, including law enforcement, would be unable to identify users through Google, possibly under some circumstances." Google also says it has strict policies against targeting advertising at people based on sensitive information they provide on a website.

Last year, Google promised to update the system used to track where users are located. This will ensure that trips to medical clinics and other sensitive places are automatically excluded.   

SRF: Investigation Links Qatar to FIFA Hacking and Ex-CIA Operative’s Firm

 

Qatar is revealed to have run a large-scale, long-running operation against FIFA officials through former CIA operatives. Switzerland served as a key base of operations, and the highest circles of the Qatari government were involved in the covert espionage effort.

Intelligence operatives sought to sway world events, hackers stole compromising information and data, and the operation was funded by an anonymous client with hundreds of millions of dollars.

The affair came to light through an investigation by Swiss broadcaster SRF's investigative team, 'SRF Investigativ', which detailed how the state of Qatar had world football officials spied on. The investigation also showed that critics of the upcoming World Cup outside FIFA were targeted as well.

According to the English-language account of the report by Tariq Panja of The New York Times, SRF found that Qatar hired former CIA operative Kevin Chalker's firm Global Risk Advisors for "predictive intelligence" on FIFA officials who might try to move the World Cup away from the country. Those efforts allegedly included computer hacking carried out through intermediaries.

The ultimate goal was to keep Qatar from losing the World Cup after the heavy criticism that followed FIFA's award of the tournament to the authoritarian country in 2010.

The scope of the covert activity was considerable: at least 66 operatives were to be deployed over the course of one sub-operation alone, spanning more than nine years, and a budget of $387 million was allocated for activity across five continents.

The SRF investigation traced Chalker's history. Before the World Cup was awarded in December 2010, Chalker apparently ran espionage in support of various bids. Once criticism over corruption and human rights violations mounted after the 2010 award, the target changed: the goal became preventing FIFA from taking the World Cup away from Qatar, at all costs.

The investigation showed that Switzerland was central to the Qatari intelligence operation. Chalker travelled to Zurich at Qatar's request intending to bug the hotel rooms of journalists and members of FIFA's Executive Committee. One of the documents retrieved included photographs taken covertly as part of the surveillance; they were reportedly taken at Zurich's plush Baur au Lac hotel and show individuals connected to FIFA meeting with officials and journalists.

FIFA apparently remained largely oblivious to the spying. Sepp Blatter, FIFA's former President, told SRF in an interview: "That there was an organized espionage affair in FIFA, that surprised me. And it's alarming." Yet several documents indicate that Blatter was of great interest to the spies; one states, for instance, that Blatter's "plans and intentions" ought to be known in advance.

Chalker and Global Risk Advisors are also facing a civil lawsuit over similar alleged activities, filed by Elliott Broidy, an ally of former US president Donald Trump. Broidy accuses Chalker and his company of hacking him on behalf of Qatar after his personal data was leaked to newspapers in 2018. Chalker denies all the allegations, and the lawsuit is still pending.

A Hospital Chain Cyberattack is Expected to Take Time to Investigate

 


As of Friday, the full impact of a cyberattack on one of the largest health systems in the U.S. was still unknown, and security experts warned that it often takes time to assess the full effect of such an attack on patients and hospitals.

CommonSpirit Health confirmed earlier this week that it had experienced an information security incident, but it has yet to answer detailed questions, including how many of its 1,000 care sites serving 20 million Americans were affected. The health system, the second-largest nonprofit health system in America, operates 140 hospitals in 21 states.

"Several things have to be considered when one is attempting to restore all their systems and finding out the scope of the attack," says Allan Liska, an analyst with the cybersecurity firm Recorded Future. In other words, you are trying to get patient care up and running so that patients can receive care; you are trying to get your doctors and nurses back to using the systems they need to continue their work.

Attackers, and ransomware operators in particular, who encrypt a victim's files and extort payment for their release, are increasingly targeting healthcare organizations. According to the U.S. government, ransomware remains a persistent threat to the industry, which it counts among the 16 critical infrastructure sectors.

"The actors behind ransomware will probably know that this will cause a lot of disruption," Liska explained.

In 2021 there were an unusually high 285 publicly reported ransomware attacks on healthcare organizations worldwide, according to Liska. Since the beginning of this year he has tracked 155 attacks, an average of about 20 per month, suggesting a growing problem. He estimates, however, that only about 10% of ransomware attacks ever become public.

Several cyber security experts have said that years of work have promoted a sense of trust among healthcare leaders in the FBI and other federal agencies that target cybercrime.

An FBI spokesperson declined to comment on whether they were investigating the cyberattack on CommonSpirit Health as part of their cybercrime investigation.

John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, said he could not discuss CommonSpirit specifically. In general, he said, it can take days, weeks, or even months to work out how an attacker got into the network, determine what damage has been done, and prevent further damage.

Riggi, a former FBI agent with nearly 30 years in the field, emphasized that a significant cyberattack on a hospital can pose a serious threat to patient safety and that the U.S. government takes it seriously. A major goal of the federal response is to identify the attackers and disclose their identity and methods.

"They don't want to show their hands, and they do not want to divulge what they know about the bad guys," Riggi said. "During the processing of a crime scene, you are working on the scene in real-time."

Mike Hamilton, chief information security officer at Critical Insight in Washington state, cautions that how a victim communicates about its response and recovery plans can itself affect its exposure to further attacks.


Elasticsearch Database Mess Up Exposed Login, Leaked Personal Data of 30K Students

 

The cybersecurity research team at SafetyDetectives, led by Anurag Sen, discovered a misconfigured Elasticsearch server exposing data from the Transact Campus app. According to their findings, the server was reachable from the internet and required no password to read its data. As a result, over 1 million records were exposed, disclosing personally identifiable information for roughly 30,000 to 40,000 students.

Transact Campus is a payment software supplier based in Phoenix, Arizona. The firm provides technology solutions for combining several payment functions into a single mobile platform. Its software solutions are primarily used to expedite payment procedures for universities and students and to facilitate student purchases at higher education establishments. 

According to the SafetyDetectives report, the 5GB database exposed by the server contained information about students with Transact Campus accounts, most of them US citizens. The exposed details included the following.

Login information, including usernames and passwords, was stored in plain text. The payment-card information included the bank identification number (the first six digits of the card number), the last four digits of the card number, the issuing bank, and the card's expiry date. The students' purchased meal plans and meal plan balances were also in the exposed data.

Transact Campus’ Response

SafetyDetectives notified Transact Campus about the exposed database in December 2021, and the corporation responded in January 2022, more than a month later. However, the incident's specifics were only revealed last week. 

During that time the researchers tried to reach the company several times and also alerted US-CERT, after which the server was secured. Transact Campus stated that the exposed server was not under its control and that the data was fictitious, although the misconfigured Elasticsearch database appeared to belong to Transact Campus.

Transact Campus stated, “Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.” 

According to SafetyDetectives, however, the server was still receiving new data when it was found, and checks with publicly available tools indicated that the records belonged to real people.

The researchers could not determine whether unauthorised third parties or malicious actors had accessed the database before it was secured. If they had, the plaintext credentials would allow attacks on students ranging from scams, phishing and spam to full account takeover.
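The condition described in this post, an Elasticsearch node reachable from the internet with no authentication, is trivial to check for from the outside: an unauthenticated GET to port 9200 on an open node returns cluster metadata with HTTP 200, while a secured node answers 401. The audit script below is an added example, not SafetyDetectives' tooling or anything from the original post. The sample responses are constructed, the index name and document count are invented for illustration, and the script is written so that the response interpretation can run without network access.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "demo-cluster",
    "version": {"number": "7.10.2"}, "tagline": "You Know, for Search",
})
SAMPLE_ROOT_SECURED = json.dumps({"error": {"type": "security_exception",
                                            "reason": "missing authentication credentials"},
                                  "status": 401})
SAMPLE_INDICES = json.dumps([
    {"health": "green", "index": "transact_users", "docs.count": "1042211", "store.size": "5gb"},
    {"health": "green", "index": ".kibana_1", "docs.count": "12", "store.size": "10kb"},
])


def fetch(url, timeout=5):
    """GET `url` with no credentials and return (status, body). Network helper only."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_root(status, body):
    """Interpret the response to GET / on the Elasticsearch HTTP port."""
    if status == 401:
        return "auth-required"        # security enabled, credentials demanded
    if status == 403:
        return "forbidden"            # reachable, but this client is denied
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # An open node answers the root URL with its cluster name and version.
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "open"
    return "not-elasticsearch"


def summarize_indices(body):
    """Parse /_cat/indices?format=json into (index, doc_count, size), largest first,
    skipping system indices whose names start with a dot."""
    rows = json.loads(body)
    out = []
    for row in rows:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        out.append((name, int(row.get("docs.count") or 0), row.get("store.size")))
    return sorted(out, key=lambda t: -t[1])


def audit(base_url):
    """Probe a node; on an open node, list the non-system indices it would leak."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    report = {"verdict": classify_root(status, body), "indices": []}
    if report["verdict"] == "open":
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            report["indices"] = summarize_indices(body)
    return report


if __name__ == "__main__":
    # Offline demonstration using the constructed responses above.
    print(classify_root(200, SAMPLE_ROOT_OPEN), summarize_indices(SAMPLE_INDICES))
    print(classify_root(401, SAMPLE_ROOT_SECURED))
    # Against a live host you would call: audit("http://127.0.0.1:9200")
```

A verdict of "open" with a non-empty index list is exactly the situation in this post. The fixes on the server side are to enable authentication (`xpack.security.enabled: true` in `elasticsearch.yml`, which also forces credentials on every request), to bind `network.host` to a private interface rather than all interfaces, and to put the HTTP port behind a firewall, and on the application side never to write plaintext passwords into an index in the first place.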

Germany Shuts Down World's Largest Illegal Marketplace on Darknet

The German authorities have seized the servers of Hydra Market, the best-known Russian-language darknet marketplace for drug sales and money laundering. The authorities also seized 543 bitcoins, worth a little more than $25 million, from Hydra's proceeds. 

The sum seized reflects the scale of Hydra Market, which had over 19,000 registered vendor accounts serving at least 17 million customers worldwide. According to the Central Office for Combating Cybercrime (ZIT) and Germany's Federal Criminal Police Office (BKA), Hydra Market had a turnover of $1.35 billion in 2020, making it the world's largest darknet market. 

Elliptic, a blockchain analytics firm, confirmed the authorities' seizure of the digital assets today, charting the action as 88 transactions totalling 543.3 bitcoin. In addition to its core focus on narcotics and money laundering, Hydra also offered stolen databases, falsified documents, and hacking-for-hire services. 

An investigation into a shady area 

According to the notice on Hydra's homepage, the BKA, acting on behalf of the Attorney General's Office in Frankfurt am Main, seized the market's infrastructure in a coordinated international law enforcement action. The move followed a lengthy investigation into the platform's previously unknown operators and administrators. 

According to the BKA announcement, Hydra Market operated a Bitcoin Bank Mixer that obscured all bitcoin transactions conducted on the platform, making it difficult for law enforcement organisations to trace money gained through illicit activity. 

According to a BKA spokesperson, no arrests have been made in this operation, and the agency is unable to give further information on the evaluation of the seized infrastructure owing to ongoing investigations.

Massachusetts is Investigating the Massive T-Mobile Data Breach

On Tuesday, Massachusetts Attorney General Maura Healey announced that she will look into the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

After the third-largest U.S. cellphone carrier reported the hack on Aug. 16, Attorney General Maura Healey announced the investigation. 

The breach exposed names, birthdays, Social Security numbers, driver's licence information, PINs, and other personal information of an estimated 13.1 million current customers and 40 million former and prospective T-Mobile customers.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based company has sufficient measures in place to protect consumer information and mobile devices. Last month, the U.S. Federal Communications Commission launched its own investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) confirmed a data breach but said it had yet to determine whether any customer information had been compromised, a day after a post on an online forum claimed that the personal data of over 100 million of its users had been stolen. 

In a blog post, the telecom provider stated that it was certain that the entry point used to obtain the data had been shut down. It did not disclose the number of accounts impacted. 

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post did not name T-Mobile, but the attacker told Vice that they had obtained data on over 100 million individuals from T-Mobile servers. 

Following the news, T-Mobile's shares dropped 2.8 percent in afternoon trading.

Facebook Under Investigation by EU and UK Competition Watchdogs

Competition authorities in the United Kingdom and Europe are looking into Facebook's use of advertising data to obtain an unfair edge over competitors. 

The Competition and Markets Authority (CMA) is investigating whether Facebook exploits that data for the benefit of its own services, such as Facebook Marketplace. The European Commission is investigating whether Facebook broke EU regulations by collecting data from advertisers in order to compete with them in providing classified advertisements. 

Facebook stated that it will fully cooperate and show that both the UK and EU inquiries are "without merit." 

According to the CMA, Facebook obtains data through its digital advertising service and its single sign-on option, which allows consumers to use their Facebook login credentials to sign in to other websites, services, and apps. 

The watchdog is investigating whether Facebook has been improperly using data to compete with other businesses through Facebook Marketplace, which allows businesses and users to post classified ads to sell products, as well as Facebook Dating, which was launched in Europe last year. 

The European Commission has launched a formal antitrust investigation "to assess whether Facebook violated EU competition rules by using advertising data gathered in particular from advertisers in order to compete with them in markets where Facebook is active, such as classified ads." 

"The formal investigation will also assess whether Facebook, in breach of EU competition rules, ties its online classified advertisements service "Facebook Marketplace" to its social network," it stated. 

Margrethe Vestager, the EU’s antitrust chief stated, “In today’s digital economy, data should not be used in ways that distort competition.” 

Facebook said its "Marketplace and dating offer people more choices, both products operate in a highly competitive environment with many large incumbents". 

The CMA and the European Commission said they will work closely with each other as their "independent investigations develop". 

Andrea Coscelli, chief executive of the CMA, added: "We intend to thoroughly investigate Facebook's use of data to assess whether its business practices are giving it an unfair advantage in the online dating and classified ad sectors. Any such advantage can make it harder for competing firms to succeed, including new and smaller businesses, and may reduce customer choice." 

The launch of European Competition Commissioner Margrethe Vestager's first competition inquiry into the world's largest social network is the latest in a series of battles with US digital powerhouses.

DOJ Charges Latvian National for Helping Develop the Trickbot Malware

The US Department of Justice has charged a Latvian woman for her alleged role in developing the Trickbot malware, which was responsible for infecting millions of computers, targeting schools, hospitals, public utilities, and governments. 

After being arrested on February 6 in Miami, Florida, Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment. 

According to the DOJ press release, Witte created code used by the Trickbot malware to control, launch, and manage ransomware payments. Witte is also said to have provided the Trickbot Group with the code required to track and monitor authorised malware users, as well as the tools and protocols needed to store login credentials harvested from victims' networks. 

The case was investigated by the FBI's Cleveland Office and the Department of Justice's Ransomware and Digital Extortion Task Force, which was formed to combat the rising number of ransomware and digital extortion attacks. 

FBI Special Agent Eric B. Smith said in a statement, "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems."

Trickbot is a malware variant that was first discovered in October 2016 as a modular banking trojan and has subsequently been updated with new modules and capabilities. 

On October 12, Microsoft and several partners reported that they had taken down certain Trickbot C2 servers. Before the presidential election, US Cyber Command reportedly tried to disrupt the botnet by pushing infected devices a configuration file that cut them off from the botnet's C2 servers. Despite these concerted actions against TrickBot's infrastructure, the gang's botnet remains alive, and new malware builds continue to be released. 

The TrickBot gang is renowned for spreading the ransomware Ryuk and Conti onto the networks of valuable business targets. According to Deputy Attorney General Lisa O. Monaco, Trickbot penetrated millions of victim computers throughout the world, harvesting banking information and delivering ransomware. 

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

Poisoned Installers Found in SolarWinds Hackers Toolkit

The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current wave of attacks attributed to the APT29/Nobelium threat actor includes a custom downloader that is part of a "poisoned update installer" for electronic keys used by the Ukrainian government, according to a recent report from anti-malware firm SentinelOne. 

Juan Andrés Guerrero-Saade, SentinelOne's principal threat researcher, detailed the latest discovery in a blog post that builds on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated. 

According to Guerrero-Saade, the most recent iteration of malware linked to Nobelium uses a convoluted multi-stage infection chain of five to six layers. It involves NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses 'DLL stageless' downloaders. 

According to Guerrero-Saade's analysis of the campaign, the Cobalt Strike Beacon payload serves as an "early scout" that allows unique payloads to be delivered selectively straight into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment,” he wrote. 

He added that because SentinelOne lacks visibility into the installer's distribution channels, it will not call this a supply chain attack. The poisoned installer might be delivered directly to victims who rely on this regional solution; alternatively, the attackers may have found a way to distribute their malicious 'update' by abusing an internal resource. 

Background 

The Russia-linked threat group suspected of being behind the SolarWinds hack has been seen launching a new campaign. The attacks, which involved a genuine bulk mailing service and impersonation of a government entity, targeted the United States and other countries.

Microsoft tracks the threat actor as Nobelium, and incident response firm Volexity, which also analysed the recent campaign, found similarities to APT29, a prominent cyber-espionage group previously linked to Russia. 

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.