Cryptowallet service seized for helping ransomware gangs launder stolen funds

pIn other news DARPA launches program to convert C code to Rust a Chinese APT hacks an ISP to hijack software updates classaction lawsuits filed over massive 29 billion breach at backgroundcheck firmppThis newsletter is brought to you by Material Security the company that secures the cloud office with unified email security user behavior analytics and data loss prevention for Microsoft 365 and Google Workspace You can subscribe to an audio version of this newsletter as a podcast by searching for Risky Business News in your podcatcher or subscribing via this RSS feed On Apple PodcastsppGerman and US authorities have seized a cryptowallet service named Cryptonator on charges of money laundering and operating an unlicensed money service businessppThe service allowed individuals to set up cryptowallet funds that could receive and send funds from and to any type of blockchain service effectively operating as a personal cryptocurrency exchange for each customerppOfficials say Cryptonator failed to implement antimoney laundering protections and knowingly allowed its service to be used for illegal activitiesppAuthorities seized the sites official domain at cryptonatorcom and charged its founder and CEO a Russian national from the city of Perm named Roman PikulevppAccording to court documents the service has been involved in transactions worth around 14 billion According to blockchain tracking company TRM Labs of these more than 306 million have been linked to illegal sources such as ransomware gangs online scams darknet markets cryptoheists and sanctioned entitiesppOfficials say Pikulev who often signed documents as Roman Boss knew the site was involved in illegal activity and never implemented any KnowYourCustomer KYC features allowing customers to register fake or anonymous accountsppHe also allegedly built features to help customers anonymize the source of funds arriving in Cryptonator wallet addressesppPikulev and Cryptonator join a long list of cryptocurrency services seized by US and European authorities for enabling crypto money laundering Several of these were based in Russia or were built by Russian developers and were linked to laundering ransomware profitsppRabbit blames breach on former employee AI startup Rabbit says that a contentious security breach from earlier this year was caused by a nowfired employee In late June a group of security researchers named Rabbitude claimed that Rabbit was exposing API keys that granted access to its source code and past AI agent responses The group claimed that the AI startup did not reply to attempts to disclose the incident and only rotated the API keys after the breach became public Rabbit now says that the incident was caused by one of its employees who leaked the API keys to the group which the company chose to describe as a selfproclaimed hacktivist group Rabbit says it also commissioned a security audit of its infrastructure which now appears to be secureppIllinois voter data leak A security researcher has discovered 13 database servers that were not protected with passwords that contained voter records for Illinois residents According to DataBreachesnet the data leak is different from ones in the past because highly sensitive personal information was also included in the leak This included Social Security numbers drivers license numbers dates of birth and precise physical addressesppMetal Materials incident In SEC documents Metal Materials has blamed a recent IT outage on a former executive who intentionally deactivated the companys domain renewal procedure leading to its official website and email servers going down in late July ht Kevin BeaumontppDate Hot Brunettes hack The data from dating site Date Hot Brunettes was leaked online and is now on HIBP The site has closed down a few months back The leaked data included over 15 million unique email addresses along with IP addresses usernames userentered bios and MD5 password hashesppBangBros leak Adult movie studio and website BangBros has leaked the personal details of more than 37000 users The data leaked via an unsecured Elasticsearch database According to CyberNews the data included details such as usernames IP addresses user agents geolocation data and upvotes and downvotes on model pagesppComprasal leak Hacktivist group Guacamaya claims to have hacked Comprasal the El Salvador governments electronic procurement system The group claims it plans to leak the data of more than 15300 state contractors They havent shared a reason for the leak but the group which now goes under the name of CiberinteligenciaSV has leaked a bunch of El Salvador data in the past and this appears to be some sort of grudge against the country and its current governmentppNPDJerico data breach and CLA Backgroundcheck company Jerico Pictures is being sued in three classaction lawsuits over an alleged data breach that exposed 29 billion personal records The company is known for doing business as National Public Data A threat actor named USDoD claimed to have hacked the company earlier this year in April and advertised its data on an underground hacking forum for a whopping 35 million The plaintiffs claim the company has failed to address the hack rumors The lawsuit also claims the company illegally collected much of the data against the will of many of the affected individuals The leaked data allegedly also includes entire family trees and information on dead people Additional coverage in Bloomberg Law ht DataBreachesnetppICO warns on childrens privacy The UKs privacy watchdog has called on 11 social media and online streaming platforms to improve their childrens privacy practices or face possible fines The ICO says it audited 34 platforms and found that 11 use default settings for childrens accounts that break UK privacy laws Platforms were caught using childrens data for targeted advertising enabling data and geolocation tracking settings and not requiring parental controls for setting up new accounts for children under the age of 13 The ICO did not name the platformsppMeeting on connected car risks The US and key allies from Europe and Asia held a highlevel meeting last week to discuss the new risks emerging from modern internetconnected carsppUS sues TikTok The US Federal Trade Commission and the Department of Justice have sued social media giant TikTok for violating US childrens online privacy The agencies say TikTok failed to notify and obtain parental consent before collecting and using personal information from children under the age of 13 TikTok later allegedly used the data to target kids with advertising The FTC says it learned of TikToks practices from the companys own employees TikTok broke the same rules and was previously subject to a 2019 FTC restraining order which has now fasttracked the current lawsuitppDatarade scandal in Germany A Netzpolitik investigation has found that a German government startup fund was used to support Datarade a data marketplace that facilitates the sale of intrusive mobile app location datappROMHacking shuts down ROMHacking a website for sharing fixes for old games has shut down Game Informer one of the oldest gaming magazines in the US also shut down last week in what appears to be one of the worst weeks for the gaming community in recent years Also see next topicppEU petition against the gaming industry Theres a formal EU petition process taking place in the EU right now to get EU lawmakers to ban gaming companies from shutting down and making games unplayable once theyre out of support The petition has already reached over 10 of the one million signatures it needs in just a few days TLDR Gamers are really mad that gaming studios are intentionally ruining their own games to make you buy their newer ones which is something that seems to have hit a cord with everyoneppImpact of CrowdTangles shutdown A research group named the Coalition for Independent Tech has published a study on the impact the shutdown of Metas CrowdTangle tool will have on the research community studying social media disinfo and influence operationsppCISA Chief AI Officer CISA has named Lisa Einstein as the agencys firstever Chief AI Officer Einstein previously served as Executive Director of CISAs Cybersecurity Advisory Committee The new position will govern CISAs own use of AI and ensure critical infrastructure partners develop and adopt AI in secure waysppPentagon cyber policy chief The Senate on Thursday confirmed Michael Sulmeyer as Assistant Secretary of Defense for Cyber Policy at the Pentagon He becomes the first individual to hold the position Additional coverage in NextGovppGAO EPA cybersecurity report A US government audit body says the Environment Protection Agency EPA is not doing enough to improve the cybersecurity defenses of US water and wastewater management utilities A GAO report found the EPA needs to urgently develop a national strategy for dealing with cybersecurity threats The GAO report comes a month after a US Supreme Court decision on the Chevron doctrine that curtails the powers of federal agencies on matters where Congress has not passed specific laws Additional coverage in CyberScoopppUS National Counterintelligence Strategy The US National Counterintelligence and Security Center NCSC unveiled the US new National Counterintelligence Strategy The document provides a strategic direction for the US federal government and its counterintelligence community to counter foreign intelligence threats and align CI prioritiesppDARPA TRACTOR program DOD research agency DARPA has launched a new program named TRACTOR Translating All C to Rust to translate old C source code to the newer Rust programming language The program will target C code used in DOD legacy apps DARPA says it will look to create an automated solution to translate the old C code to safe and idiomatic Rust codeppUK ACD 20 The UK NCSC says it plans to build a new and improved version of its Active Cyber Defence suite of security toolsppMalaysia establishes NSRC The Malaysian government has established a National Scam Response Centre NSRC The new center will allow the government to receive reports of scams from consumers and quickly mount a coordinated national reply Additional coverage in The Malaysian ReserveppIndonesia blocks DuckDuckGo The Indonesian government has blocked access to the DuckDuckGo search engine because the site allows users to find pornography and gambling sites DuckDuckGo said on Reddit theres no way to fight the block The site is also blocked in China for more than a decade for not complying with Beijings strict censorship rulesppRussia warns against its own browser The Russian National Coordination Center for Computer Incidents NKTsKI has told Russian companies and users to stop using a Russianmade browser known as Sputnik The agency has designated the browser as a security risk after the company behind it went bankrupt in 2023 The NKTsKI says the browsers domain is now owned by American company Global Internet Telemetry Measurement Collective and may be used to deliver malicious updates to RussiansppRussia implies of broader Google block One of the Russian government officials involved in the recent YouTube traffic throttling incident has implied that a broader block of all Google services is also a possibility Additional coverage in RuNews24ppIn this Risky Business News sponsor interview Catalin Cimpanu talks with Rajan Kapoor VP of Customer Experience at Material Security on how threat actors view email inboxes as the targets of their attacks and not just an entry point into organizationsppTech support scammer sentenced US authorities have sentenced an Indian man to seven years in prison for his role in a largescale tech support scam operation Vinoth Ponmaran was the leader of a scam group that used popup windows to trick victims into calling tech support numbers and paying for unneeded IT services According to US officials Ponmarans group earned more than 6 million from over 6500 across the US and Canada Most of the victims were elderly citizensppProject Disrupt arrests Canadian authorities have detained 10 suspects for their roles in a SIMswapping gang The suspects are believed to have stolen more than CAD1 million from more than 1500 individuals by taking over their phone numbers and then emptying financial accounts Most of the gangs members operated out of Toronto Two suspects are also still at large and wanted by policeppPanamorfi AquaSec looks at Panamorfi a threat actor using an opensource Java toolkit to launch DDoS attacks on Minecraft servers by abusing misconfigured Jupyter notebooksppTryCloudflare campaign eSentire has published details of a malware campaign that abuses the TryCloudflare service to create onetime demo tunnels as part of their malware operations See a similar report on the same campaign from ProofpointppDisabling 2G Google has reminded users to disable 2G support in their Android devices as a way to prevent threat actors from using Stingraylike devices to blast SMS spam messages to their phones in crowded spacesppNew npm malware Fifty malicious npm packages were discovered last week Check out GitHubs security advisory portal for additional detailsppRhadamanthys Security researcher Maor Dayan has published an analysis of Rhadamanthys an infostealer recently used in a campaign targeting Israeli organizationsppBlankBot Intel471 has published an overview of BlankBot a new Android banking trojan The malware launched in July this year and currently can only target Turkish banksppCobalt Strike Embee Research looks at how to detect early Cobalt Strike downloader scriptsppNew attacks are harder to spot at greater volumes than your security team can handle The legacy and socalled modern email security market has left you with two extreme options write and maintain your own set of detection rules or trust a black box with no way to customize Either route is a burden on security teams when testing and tuning rules or building and implementing response workflows Watch a demo to see the Material difference for inbound email detection Leverage the combined power of AI behavioral analysis custom detections and collective intelligence to thwart new flavors of email attacks with precision and speedppFighting Ursa Russian cyberespionage group Fighting Ursa APT28 has been seen using ads for the sale of diplomatic cars as phishing lures to infect diplomats across the EU The emails advertised an Audi Q7 Quattro for diplomats looking to be stationed in Romania The lure appears to have been borrowed from fellow Russian espionage group Cloaked Ursa APT29 which used it to target diplomats working in Ukraine in early 2023that time with a BMW ad According to Palo Alto Networks the Fighting Ursa group is known for repurposing successful tacticseven continuously exploiting known vulnerabilities for 20 months after their cover was blownppOlympic infoops DFRLab takes a deep look at all the Russian disinfo efforts targeting the ongoing Paris 2024 OlympicsppPAN nomenclature Palo Alto Networks has published a document detailing how it names APT groups and the names of all groups it is currently trackingppLilacSquid Security firm HackersEye has published an IR report from an intrusion by the LilacSquid APT at a company The intrusion took place through the companys Check Point firewall and resulted in the deployment of a Mesh agent on the compromised systemppStormBamboo compromises an ISP A Chinese APT group named StormBamboo Evasive Panda has compromised the infrastructure of an internet service provider to infect targets with malware The attacks took place earlier this year and targeted both macOS and Windows users Security firm Volexity says StormBamboo modified the ISPs DNS servers to redirect users performing software updates to malicious servers that installed the malware Only software that used cleartext HTTP connections and didnt validate digital signatures was targeted Users were infected with backdoors and in some cases with malicious browser extensionsppFirst Sequence Sync Flatt Securitys RyotaK has published details on First Sequence Sync a combination of a race condition and a single packet attack The technique can be used to send a very large number of packets in a very short period of time RyotaK proved the attacks potential for bypassing ratelimiting on onetime token authenticationppProgress Software disclosure drama According to software engineer Tim Smith Progress Software is dragging its feet on fixing a vulnerability in its DevOps automation project Chef ht ScreamingGoatppSLUBStick attack A team of academics from the Graz University of Technology has discovered a new sidechannel attack named SLUBStick PDF that can elevate privileges in the Linux kernel Researchers say the attack can be used to break out of security containers and works against all modern Linux kernel defenses including SMEP SMAP and KASLR The attack allegedly has a success rate of 99 Additional coverage in Bleeping ComputerppEmail server misconfig warning on shared hosting Some multitenant shared hosting providers are running misconfigured email servers that allow threat actors on the same service to impersonate other hosted domains According to a security advisory by the CERTCC at Carnegie Mellon University the issue resides in how the hosting providers have configured their SPF and DKIM settings The misconfiguration has already been used in the wild this year for a campaign known as EchoSpoofing that abused Proofpoint products and Microsoft customers Two other shared hosting providers have now also confirmed they are vulnerableppUnpatched AVTech vulnerability CISA says that Taiwanese company AVTech has failed to address a major vulnerability in the firmware of its AVM security cameras The vulnerability CVE20247029 was discovered by Akamai researcher Larry Cashdollar and independently confirmed by another third party The issue can allow remote attackers to inject commands in internetconnected AVTech AVM cameras and take over the device without needing to authenticate Public exploits are already available and are trivial to execute CISA says AVTech network video recorders NVRs may also be vulnerableppApache OFBiz exploitation Threat actors have started exploiting a major vulnerability in the Apache OFBiz opensource ERP solution The attacks leverage a vulnerability that was initially patched in May but went under the radar for two months before the attacks started Tracked as CVE202432113 the vulnerability is a simple path traversal that allows threat actors to execute code on unpatched OFBiz systems The exploit is dead simple and works by adding a semicolon after a public URL and then a private URL the attacker wants to access Using carefully selected private URLs attackers can bypass authentication and execute code on the server According to the SANS Internet Storm Center one of the threat actors exploiting the bug is a Mirai botnetppRockwell vulnerability Claroty researchers have found a way to abuse the CIP protocol and bypass security isolations in Rockwell Automation ControlLogix PLCsppElastic security updates Elastic has released security updates for its APM and Kibana serversppKnowBe4 vulnerabilities British pentest shop PenTest Partners has discovered two vulnerabilities in the update mechanism of the KnowBe4 Windows client apps The vulnerabilities could have allowed threat actors with access to a compromised system to elevate their privileges and run malicious code through the security companys app PenTest Partners says the company downgraded the vulnerabilities at the beginning but then accelerated a fix after they contacted its CEOppAtlassian plugin vulnerabilities Cyllective researchers have discovered 53 vulnerabilities across multiple plugins listed in the Atlassian store For now theyve published details on five while the rest are being patchedppAppleTalk PoC Security researcher Wang Tielen has published a PoC for CVE202427878 a vulnerability in the AppleTalk Session Protocol ASP patched last month that allows macOS apps to run arbitrary code with kernel privilegesppNew toolPANIX Elastic security researcher Ruben Groenewoud has released PANIX a customizable Linux persistence toolppNew toolHuntsman Security consultant MLCSec has opensourced Huntsman an email enumerator username generator and context validator providing detailed coverage of the hunterio snovio and skrappio APIsppNew toolsmbtakeover SpecterOps Nick Powers has published smbtakeover a tool to unbind and rebind 445tcp on Windows without loading a driver loading a module into LSASS or rebooting the target machine More in Nicks blog postppTool updateTruffleHog TruffleHog can now detect leaked secrets and tokens inside deleted or private GitHub commits and repos This is thanks to a new technique known as Cross Fork Object ReferenceppThreattrend reports Cloudflare and Wordfence have recently published reports covering infosec industry threats and trendsppNew SentinelOne CISO Security firm SentinelOne has named Alex Stamos as its new Chief Information Security Officer CISO Stamos previously served as CISO for Yahoo and Facebook Stamos joined SentinelOne last year after the security firm acquired the Krebs Stamos Group Hes been SentinelOnes Chief Trust Officer since the acquisitionppACM SIGCOMM 2024 videos Talks from the ACM SIGCOMM 2024 security conference which took place over the weekend are now available on YouTubeppIn this edition of Between Two Nerds Tom Uren and The Grugq discuss what the widespread disruption caused by CrowdStrikes faulty update tells us about how useful cyber operations are for warppIn this podcast Tom Uren and Patrick Gray discuss the Israeli government seizing documents from NSO Group so that they couldnt be shared with opposition counsel in a US lawsuit during discovery Its a terrible lookppThe Risky Business team has recently started publishing video versions of our podcasts Below is the main weekly show with Pat and Adam at the wheelppIn other news Another DPRK laptop farmer detained in the US Trend Micro explores sale soccer club gets BECed for transfer feeppIn other news Windows downgrade attack revealed at Black Hat ICO fines contractor behind NHS ransomware attack SEC drops MOVEit hack investigationppYour weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray Its supported by Lawfare with help from the William and Flora Hewlett Foundation This weeks edition is sponsored by Material Security

You can hear a podcast discussion ofppIn other news CrowdStrike and Microsoft blame Delta for its prolonged outage Las Vegas hotel raids the rooms of DEFCON attendees DPRK hackers shift to construction firmspp
Risky Business publishes cybersecurity newsletters and podcasts for security professionals
ppp