Russia arrests Cryptex founder a week after US sanctions

pIn other news DPRK IT workers found at more than a dozen crypto companies US disrupts Star Blizzard APT Russian internet trolls try to blame Ukraine for their own disinfo opppThis newsletter is brought to you by Zero Networks You can subscribe to an audio version of this newsletter as a podcast by searching for Risky Business News in your podcatcher or subscribing via this RSS feed On Apple PodcastsppRussian authorities have arrested 96 individuals linked to the Cryptex cryptocurrency exchange the UAPS anonymous money transfer system and 33 other illegal payment systemsppThe arrests took place following house searches at 148 locations across 14 Russian regions in what Russian media has called one of the countrys largest crackdowns against cybercrime and cryptocurrency gangsppAccording to Russian news agency Interfax one of the detained suspects was identified as Sergey Ivanov the administrator of Cryptex and UAPSppIvanovs arrest comes a week after US authorities charged and sanctioned him for running the same platforms and facilitating a largescale money laundering business for cybercrime operationsppUS officials claimed Ivanovs services were involved in laundering 115 billion in criminal proceeds including for carding groups and ransomware operationsppRussian authorities said they seized more than 15 billion rubles 15 million following the house searches They also seized a smallsized Robinson helicopter boats snowmobiles and a bunch of expensive Porsche Bentley and Rolls Royce carsppAuthorities did not say if they received any information from their US counterparts Based on the icecold relations between the two countries we doubt they will ever admit to acting on a tip from US officialsppAccording to Ivanovs indictment last week hed operated undisturbed for more than 11 years without being bothered by Russian authoritiesppThe detained suspects were charged in Russia with participating in a criminal organization unauthorized access to computer systems and running an unlicensed banking operation They face up to 20 years behind barsppUK Post drops Moneygram after cyberattack The UK Post Office has dropped MoneyGram as a money transfer option after the company suffered a major security breach last week The two companies were in talks for a contract extension when the cyberattack interrupted the negotiations The Post Office has now removed MoneyGram from more than 11500 of its branches Additional coverage in Payment ExpertppState actor suspected behind Dutch police hack Dutch intelligence services believe that a statesponsored group was behind the recent hack of the Dutch national police Officials disclosed last week that hackers stole the work details of more than 65000 Dutch police officers This included names roles and work telephone numbers but no personal datappRed Barrels breach A cyberattack has crippled the activity of French gaming studio Red Barrels The company says it has now contained the attack Red Barrels says the incident will have a significant impact on its production timeline and may lead to delays in future games Red Barrels is primarily known for its horror game series OutlastppBSI endorses passkeys Germanys cybersecurity agency recommended that users adopt passkeys as an upgrade for account passwordsppIXRAY glasses A Harvard academic has modified a pair of Meta Ray Ban 2 smart glasses to include automatic face recognition features for people coming into a wearers view Additional coverage in New AtlasppPayPal TOS update PayPal is updating its ToS to grant itself the right to share user data with merchants starting in November How American privacy tech of them See how you can opt out via TechRadarppGoogle pilot fraud protection program Google is launching a limited fraud protection pilot program in IndiappFirefox 131 Mozilla has released Firefox 131 New features and security fixes are included The biggest features in this release include the ability to set temporary permissions and support for tab previews heres how to disable that garbage because it can be annoying afppuBOL drama Raymond Hill has removed the uBlock Origin Lite addon blocker from the Mozilla Addon Store after the platform incorrectly detected malicious code in the plugin and refused to ship an update to users Hill said he removed the plugin because he did not have time for this nonsenseppThunderbird donations Mozilla says over 300000 users donated 86 million to the Thunderbird email client last yearppWelfare fraud bill Privacy rights groups have urged the current Labour UK government not to resurrect an old Conservative plan to use algorithms to scan the bank accounts of people on welfare programs Additional coverage in The GuardianppCRI guidance The Counter Ransomware Initiative has released official guidance this week to help victims deal with ransomware attacks The guide urges victims to report incidents to authorities instead of rushing to pay ransoms and keeping breaches hidden It also recommends that companies consult with law enforcement or insurance experts before paying a ransom as there might be other avenues for recovering encrypted or stolen datappSchools cybersecurity guide The Federal Communications Commission and the Department of Education with input from the Cybersecurity and Infrastructure Security Agency released a guide to help schools and libraries evaluate their cybersecurity risks and identify the most impactful cybersecurity solutionsppICE signs contract with known spyware maker The US Immigration and Customs Enforcement has signed a oneyear contract with Paragon a known Israeli spyware maker Additional coverage in WIREDppEU petitions YouTube Snapchat and TikTok The European Union has requested that YouTube Snapchat and TikTok share information on how their recommendation algorithms workppSouth Korea criminalizes deepfake porn South Korea has passed a bill that criminalizes the possession and watching of sexually explicit deepfake images and videos The new law criminalizes new actions after the country previously banned the creation and distribution of deepfake porn Now Individuals who buy store or watch such content can be fined up to 22000 and even face up to three years in prison The bill passed last week and was sent for approval to the countrys president Additional coverage in CBSppIn this Risky Business News sponsored interview Tom Uren talks to Benny Lakunishok CEO and cofounder of ZeroNetworks about network microsegmentation why it is important how to do it and what the NSA gets wrong about itppDoorDash wage theft The US government has charged two Texas men for stealing more than 1 million from DoorDash drivers Officials claim Oluwatobi Otukelu and Evan Edwards called DoorDash support impersonated the drivers and hijacked wages to their own accounts At least 138 DoorDash drivers across six US states reported losses to the scheme over the past two years DoorDash told 404 Media it reimbursed some of the affected workers Additional coverage in CourtWatchppQR code phishing gang detained Authorities in Nigeria and the Ivory Coast have arrested eight suspects on cybercrime and online fraud charges The group allegedly posed as sellers on online advertising platforms where they used QR codes to send users to phishing sites mimicking legitimate payment portals The group collected personal data and payment card details and often followed through with phone calls to scam the victims Interpol says the group mainly targeted Swiss citizens and is believed to have stolen more than 14 million from their victimsppBEC scammer sentenced A US judge has sentenced a dual Nigerian and UK national to seven years in prison for a series of BEC attacks across the US Oludayo Kolawole John Adeagbo stole almost 2 million from a North Carolina university His group also attempted to steal 3 million from government agencies a college and a construction firm in Texas He was arrested in 2022 in the UK and sent to the US for trialppCryptothief pleads guilty An Indiana man has pleaded guilty to stealing more than 37 million worth of crypto assets Evan Frederick Light admitted to hacking an investment holdings company in February 2022 and stealing the personal data of hundreds of customers Officials say Light and an accomplice used the stolen data to steal crypto funds from over 600 of the companys customersppSugarLocker case sent to court Russian authorities are going through the prosecution of Aleksandr Ermakov for his involvement in the SugarLocker ransomware operation Ermakov is scheduled for hearings in a Moscow court on October 8 next week Ermakov was detained by Russian authorities earlier this year He is also wanted by Australia for his role in the REvil ransomware gang and the attack on Australian medical insurance company MediBankppOperation Kraken Australias Federal Police claims it deciphered the seed phrase of a cryptocurrency wallet owned by the administrator of Ghost an encrypted phone platform used by criminal organizations Officials say theyve now seized 93 million worth of crypto assets previously owned by Ghost admin Jay Je Yoon Jung The AFP has also announced the arrest of a suspected believed to have worked as a Ghost distributorppNorth Korean IT workers everywhere More than a dozen blockchain companies have inadvertently hired undercover North Korean IT workers According to a CoinDesk investigation this includes wellestablished blockchain projects such as Injective ZeroLend Fantom SushiSwap Yearn Finance and Cosmos Hub The workers passed checks using fake IDs and fake job histories Hiring North Korean workers is against the law in the US and other countries that sanction North Korea Its also a bad idea and a major insider risk since North Korean hackers have constantly targeted crypto companies to steal fundsppDPRK IT worker alert And since were on the topic following similar alerts in the US its now Germanys time to warn local companies about the dangers of inadvertently hiring remote North Korea IT workersppEdge device mitigation guide Australias cybersecurity agency has published guidance on how to secure internetfacing edge devices such as firewalls routers virtual private network VPN gateways internet of things IoT devices and internetfacing serversppMSSQL attacks AhnLab researchers look at recent attacks against MSSQL database servers that dropped the CLR SqlShell web shellppElection cryptoscammers Netcraft researchers are reporting a surge in cryptoscams using the current US presidential election as a lureppFIN7 nude generators A famous cybercrime group known as FIN7 is using at least seven websites advertising AI nude generators as a lure to trick victims into infecting themselves with malware According to security firm Silent Push the gang is offering a free trial of the AI nude generator software that contains a version of the NetSupport RATppTelegram cybercrime assessment Intel471 says that based on current evidence cybercrime operations are likely to continue operating on Telegram going forward most likely due to the platforms huge reachppOctober 7 DDoS wave DDoS mitigation company Radware warns that Israeli and other Western organizations might see a surge of DDoS attacks on October 7 on the oneyear anniversary of the Hamas attack on IsraelppRecord DDoS attacks Cloudflare says it mitigated two huge DDoS attacks one of 38 terabits per second Tbps and a second one of 214 billion packets per second Bpps The company says the two attacks were separate byt targeted the same customerppCyberVolk Rapid7 has published a profile on CyberVolk a proKremlin hacktivist group that shifted in June from DDoS attacks to launching ransomware attacksppMembers Hub Socket Security has identified an underground community named Members Hub that provides Discord server boosting services to artificially inflate server metrics to paying customersppAsyncRAT Forcepoint researchers have published a report on a recent AsyncRAT distribution campaign abusing Cloudflare tunneling servicesppAmnesia Stealer ThreatMon has published a technical report about the new Amnesia Stealer MaaSppStealC LEXFO has published a threepart analysis of the StealC infostealer malware familyppUniShadowTrade GroupIB has discovered a cluster of malicious Android and iOS apps available through the official app stores that were part of a largescale fraud campaign The malicious apps posed as known crypto and trading platforms collected heaps of personal and financial data and stole money users deposited in the apps accounts GroupIB named the new malware UniShadowTrade because all the apps were built using the UniApp frameworkppPrince ransomware Proofpoint has spotted a malspam campaign posing as British postal carrier Royal Mail to deliver a version of the Prince opensource ransomwareppAkira ransomware Qualys has published common IOCs associated with the Akira ransomware gangppBabyLockerKZ ransomware Cisco Talos has published a profile on a threat actor using a version of the MedusaLocker ransomware known as BabyLockerKZ in attacks since at least late 2022ppPerfctl rootkit AquaSec published an analysis of Perfctl a Linux rootkit that has been used in attacks against the customer infrastructure of Chinese web hosting providers over the past year AquaSec confirmed initial reports that the malware might be tied to a cryptomining operationppSkidMap DrWeb researchers have found a new version of the SkidMap backdoor that is currently being deployed on Redis database serversppBulbatureGobRAT Sekoia has published a report on a new IoT botnet that is being used as a proxy system to relay and hide malicious cyber activity The company says the botnet is currently involved in the distribution of malware such as Bulbature and GobRAT Based on current evidence the botnet appears to be managed by a Chinese operatorppFounded in 2019 Zero Networks is a unified zerotrust platform for network segmentation identity segmentation and secure remote access Zero Networks microsegmentation module is automated agentless and segments all network assets to stop lateral movement and block ransomware with a firewall and justintime MFAppStormkiller Russian internet trolls are trying to blame Ukraine for a broad disinformation campaign that the US government has linked to Russia and a troll factory known as the Social Design Agency Experts from the Alethea Group have discovered over 400 Twitter accounts of course that used manufactured comments from prominent counterdisinformation experts to blame Ukraine for SDAs work Alethea says the comments were posted from fresh Twitter accounts that were previously involved in boosting cryptocurrencies and NFTsppIf youre wondering why I put of course in the paragraph above heres a story looking at leaks from Russian troll factory SDA that explains why Russian disinfo ops love Twitter and idolize MuskppThe same leaked SDA documents that are the base of the story above were also used for an article in The Conversation that looks at how Russia has adapted its classic propaganda techniques for the current modernday social media environmentppUS seizes Star Blizzard domains The US government and Microsoft have seized more than 100 domains used by Russian cyberespionage group Star Blizzard ColdRiver for its spearphishing operations The domains were used in phishing campaigns aimed at US government agencies journalists and over 30 civil society organizations The US previously charged and sanctioned members of the group in December of last year Officials linked the group to Russian intelligence agency FSBppCeranaKeeper ESET researchers discovered a new Chinaaligned threat actor named CeranaKeeper that has targeted governmental institutions in Thailand The group appears to share tools with a larger Chinese APT group named Mustang PandappCharmingKitten DomainTools has published a collection of IOCs linked to the CharmingKitten Iranian APTppStonefly Symantec says it uncovered new Stonefly Andariel APT45 Silent Chollima Onyx Sleet attacks after some of the groups members were charged in the US in July for participating in ransomware attacksppSHROUDEDSLEEP Securonix researchers look at VeilShell a new PowerShell backdoor used in attacks by a group the company tracks as SHROUDEDSLEEP APT37 Reaper Group123ppIvanti exploitation Ivanti says threat actors are now exploiting a vulnerability in its Endpoint Manager EPM product Tracked as CVE202429824 the vulnerability is an SQL injection that allows attackers to take over EPM servers The bug was initially patched back in May before attacks were first spotted this week Proof of concept code has been available online since JulyppZimbra exploitation Threat actors are exploiting a recently patched vulnerability to take over Zimbra email servers The attacks started this week four days after researchers published a writeup and proof of concept for the bug Harfang Labs and Proofpoint detected the active exploitation but they did not attribute the attacks to any known threat actor The attacks use malicious code embedded in an emails CC field The Zimbra team patched the bug CVE202445519 in a security update at the start of SeptemberppNew OData Injection Attack Nokod Security CTO Amichai Shulman has published details on a new attack technique named OData InjectionppCUPS for DDoS attacks Akamai researchers have discovered that the Common UNIX Printing System can be abused to launch largescale DDoS attacks An attacker can send a single packet to a CUPS server that will amplify and relay it to a desired targetin what researchers call an amplification and reflection DDoS attack Akamai says that 58000 of the almost 200000 CUPS servers currently exposed on the internet can be exploited to relay DDoS attacks Researchers say they discovered the new DDoS attack vector while analyzing the new CUPS vulnerabilities disclosed at the end of last weekppDrayTek vulnerabilities Forescout researchers have found 14 vulnerabilities impacting a wide range of DrayTek routers The most severe of these is a remote code execution vulnerability CVE202441592 in the routers web management panel that received a severity score of 10 The vulnerabilities impact 24 different DrayTek router models and some are likely to see exploitation More than 700000 DrayTek routers are currently connected to the internet and are often the target of IoT botnets DrayTek patched all reported issues at the end of AugustppJenkins security update The Jenkins project has released a patch with fixes for the core platform and two of its pluginsppCisco security updates Cisco has released 14 updates to fix several security issues The most dangerous one is a 99 bug CVE202420432 in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller NDFCppPixel security Google has published a description of how it secured the cellular modem component of its Pixel smartphoneppArc Browser VDP The Arc web browser has launched a bug bounty programppNew toolBetter Auth Bereket Engida has released Better Auth a comprehensive authentication library for TypeScriptppNew toolSegugio Italian security researcher reecDeep has published Segugio a tool to track the execution of malware payloadsppThreattrend reports ArticoIANS DeloitteNASCIO Elastic IBM XForce Red Canary and Socura have recently published reports and summaries covering various infosec trends and industry threatsppIn this edition of Between Two Nerds Tom Uren and The Grugq talk about various Southeast Asian countries investing in cyber forces the drivers behind these decisions and what kind of actions make senseppIn this podcast Tom Uren and Adam Boileau talk about how the US governments response to Iranian election interference is proceeding at light speed This allows other actors such as Meta to make decisions relating to interference with certaintyppRisky Business is now on YouTube with video versions of our main podcasts Below is our latest weekly show with Pat and Adam at the helmppIn other news Police arrest tech company CEO for building DDoS function hackers steal 17 million from Ugandas central bank Windows Server 2012 zeroday awaits patchppIn other news FTC opens Microsoft antitrust probe US court overturns Tornado Cash sanctions ESET finds first Ubuntu UEFI bootkitppYour weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray Its supported by Lawfare with help from the William and Flora Hewlett Foundation This weeks edition is sponsored by Stairwell

You can hear a podcast discussion of thisppIn other news Geico fined over 2020 security breach a new proKremlin group emerges out of India Russian group behind Firefox and Windows zerodayspp
Risky Business publishes cybersecurity newsletters and podcasts for security professionals
ppp