Login
On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.
The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.
A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.
Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”
Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”
Original story:
The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.
A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.
The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered space-twitter.com, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.
Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).
The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.
Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.
“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”
The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:
“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”
KrebsOnSecurity celebrates its 14th year of existence today! I promised myself this post wouldn’t devolve into yet another Cybersecurity Year in Review. Nor do I wish to hold forth about whatever cyber horrors may await us in 2024. But I do want to thank you all for your continued readership, encouragement and support, without which I could not do what I do.
As of this birthday, I’ve officially been an independent investigative journalist for longer than I was a reporter for The Washington Post (1995-2009). Of course, not if you count the many years I worked as a paperboy schlepping The Washington Post to dozens of homes in Springfield, Va. (as a young teen, I inherited a largish paper route handed down from my elder siblings).
True story: At the time I was hired as a lowly copy aide by The Washington Post, all new hires — everyone from the mailroom and janitors on up to the executives — were invited to a formal dinner in the Executive Suite with the publisher Don Graham. On the evening of my new hires dinner, I was feeling underdressed, undershowered and out of place. After wolfing down some food, I tried to slink away to the elevator with another copy aide, but was pulled aside by the guy who hired me. “Hey Brian, not so fast! Come over and meet Don!”
I was 23 years old, and I had no clue what to say except to tell him that paper route story, and that I’d already been working for him for half my life. Mr. Graham laughed and told me that was the best thing he’d heard all day. Which of course made my week, and made me feel more at ease among the suits.
I remain grateful to WaPo for instilling many skills, such as how to distill technobabble into plain English for a general audience. And how to make people the focus of highly technical stories. Because people — and their eternal struggles — are imminently relatable, regardless of whether one has a full grasp of the technical details.
Words fail me when trying to describe how grateful I am that this whole independent reporter thing still works, financially and otherwise. I mostly just keep my head down researching stuff and sharing what I find, and somehow loads of people keep coming back to the site. As I like to say, I hope they let me keep doing this, because I’m certainly unqualified to do much else!
Another milestone of sorts: We’ve now amassed more than 52,000 subscribers to our email newsletter, which is a fancy term for a plain text email that goes out immediately whenever a new story is published here. Subscribing is free, we never share anyone’s email address, and we don’t send emails other than new story notifications (2-3 per week).
A friendly reminder that while you may see ads (or spaces where ads otherwise would be) at the top of this website, all two-dozen or so ad creatives we run are vetted by me and served in-house. Nor does this website host any third-party content. If you regularly browse the web with an ad blocker turned on, please consider adding an exception for KrebsOnSecurity.com. Our advertising partners are how we keep the lights on over here.
And in case you missed any of them, here are some of the most-read stories published by KrebsOnSecurity in 2023. Happy 2024 everyone!
Ten Years Later, New Clues in the Target Breach
It’s Still Easy for Anyone to Become You at Experian
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
Why is .US Being Used to Phish So Many of US?
Few Fortune 100 Firms List Security Pros in Their Executive Ranks
Who’s Behind the Domain Networks Snail Mail Scam?
Phishing Domains Tanked After Meta Sued Freenom
Many Public Salesforce Sites are Leaking Private Data
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
Identity Thieves Bypassed Experian Security to View Credit Reports
The U.S. Federal Bureau of Investigation (FBI) disclosed today that it infiltrated the world’s second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gang’s darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems. Meanwhile, BlackCat responded by briefly “unseizing” its darknet site with a message promising 90 percent commissions for affiliates who continue to work with the crime group, and open season on everything from hospitals to nuclear power plants.
A slightly modified version of the FBI seizure notice on the BlackCat darknet site (Santa caps added).
Whispers of a possible law enforcement action against BlackCat came in the first week of December, after the ransomware group’s darknet site went offline and remained unavailable for roughly five days. BlackCat eventually managed to bring its site back online, blaming the outage on equipment malfunctions.
But earlier today, the BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida released a search warrant explaining how FBI agents were able to gain access to and disrupt the group’s operations.
A statement on the operation from the U.S. Department of Justice says the FBI developed a decryption tool that allowed agency field offices and partners globally to offer more than 500 affected victims the ability to restore their systems.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa O. Monaco said. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
The DOJ reports that since BlackCat’s formation roughly 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations. BlackCat attacks usually involve encryption and theft of data; if victims refuse to pay a ransom, the attackers typically publish the stolen data on a BlackCat-linked darknet site.
BlackCat formed by recruiting operators from several competing or disbanded ransomware organizations — including REvil, BlackMatter and DarkSide. The latter group was responsible for the Colonial Pipeline attack in May 2021 that caused nationwide fuel shortages and price spikes.
Like many other ransomware operations, BlackCat operates under the “ransomware-as-a-service” model, where teams of developers maintain and update the ransomware code, as well as all of its supporting infrastructure. Affiliates are incentivized to attack high-value targets because they generally reap 60-80 percent of any payouts, with the remainder going to the crooks running the ransomware operation.
BlackCat was able to briefly regain control over their darknet server today. Not long after the FBI’s seizure notice went live the homepage was “unseized” and retrofitted with a statement about the incident from the ransomware group’s perspective.
The message that was briefly on the homepage of the BlackCat ransomware group this morning. Image: @GossiTheDog.
BlackCat claimed that the FBI’s operation only touched a portion of its operations, and that as a result of the FBI’s actions an additional 3,000 victims will no longer have the option of receiving decryption keys. The group also said it was formally removing any restrictions or discouragement against targeting hospitals or other critical infrastructure.
“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS [a common restriction against attacking organizations in Russia or the Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere.”
The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be spooked by the FBI’s recent infiltration. BlackCat also promised that all “advertisers” under this new scheme would manage their affiliate accounts from data centers that are completely isolated from each other.
BlackCat’s darknet site currently displays the FBI seizure notice. But as BleepingComputer founder Lawrence Abrams explained on Mastodon, both the FBI and BlackCat have the private keys associated with the Tor hidden service URL for BlackCat’s victim shaming and data leak site.
“Whoever is the latest to publish the hidden service on Tor (in this case the BlackCat data leak site), will resume control over the URL,” Abrams said. “Expect to see this type of back and forth over the next couple of days.”
The DOJ says anyone with information about BlackCat affiliates or their activities may be eligible for up to a $10 million reward through the State Department’s “Rewards for Justice” program, which accepts submissions through a Tor-based tip line (visiting the site is only possible using the Tor browser).
Further reading: CISA StopRansomware Alert on the tools, techniques and procedures used by ALPHV/BlackCat.
Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.
In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.
Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.
Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.
But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.
A redacted copy of an ID Kivimaki gave to French authorities claiming he was from Romania.
Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.
Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway which discussed the idea of legalizing child sexual abuse.
Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.
Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain krebsonsecurity[.]org, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.
Ransom Man inadvertently included a copy of his home directory in the leaked Vastaamo patient data. A lengthy history of the commands run by that user show they used krebsonsecurity-dot-org to host hacking and scanning tools.
Mikko Hyppönen, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”
Petteri Järvinen is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.
“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”
Antti Kurittu is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.
“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”
The Finnish daily yle.fi reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.
The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.
Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.
In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.
Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.
When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.
But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:
“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”
“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”
According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.
Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.
The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.
Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).
Kivimaki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
The DDoS-for-hire service allegedly operated by Kivimäki in 2012.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.
KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.
The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.
Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.
Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.
Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17) , he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.
As I wrote in 2015 following Kivimäki’s trial:
“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.
Kivimäki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”
Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.
Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.
“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”
KrebsOnSecurity turns 13 years old today. That’s a crazy long time for an independent media outlet these days, but then again I’m bound to keep doing this as long as they keep letting me. Heck, I’ve been doing this so long I briefly forgot which birthday this was!
Thanks to your readership and support, I was able to spend more time in 2022 on some deep, meaty investigative stories — the really satisfying kind with the potential to effect positive change. Some of that work is highlighted in the 2022 Year in Review review below.
Until recently, I was fairly active on Twitter, regularly tweeting to more than 350,000 followers about important security news and stories here. For a variety of reasons, I will no longer be sharing these updates on Twitter. I seem to be doing most of that activity now on Mastodon, which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. I will also continue to post on LinkedIn about new stories in 2023.
Here’s a look at some of the more notable cybercrime stories from the past year, as covered by KrebsOnSecurity and elsewhere. Several strong themes emerged from 2022’s crop of breaches, including the targeting or impersonating of employees to gain access to internal company tools; multiple intrusions at the same victim company; and less-than-forthcoming statements from victim firms about what actually transpired.
JANUARY
You just knew 2022 was going to be The Year of Crypto Grift when two of the world’s most popular antivirus makers — Norton and Avira — kicked things off by installing cryptocurrency mining programs on customer computers. This bold about-face dumbfounded many longtime Norton users because antivirus firms had spent years broadly classifying all cryptomining programs as malware.
Suddenly, hundreds of millions of users — many of them old enough to have bought antivirus from Peter Norton himself back in the day — were being encouraged to start caring about and investing in crypto. Big Yellow and Avira weren’t the only established brands cashing in on crypto hype as a way to appeal to a broader audience: The venerable electronics retailer RadioShack wasted no time in announcing plans to launch a cryptocurrency exchange.
By the second week of January, Russia had amassed more than 100,000 troops along its southern border with Ukraine. The Kremlin breaks with all tradition and announces that — at the request of the United States — it has arrested 14 people suspected of working for REvil, one of the more ruthless and profitable Russian ransomware groups.
Security and Russia experts dismiss the low-level arrests as a kind of “ransomware diplomacy,” a signal to the United States that if it doesn’t enact severe sanctions against Russia for invading Ukraine, Russia will continue to cooperate on ransomware investigations.
The Jan. 19th story IRS Will Soon Require Selfies For Online Access goes immediately viral for pointing out something that apparently nobody has noticed on the U.S. Internal Revenue Service website for months: Anyone seeking to create an account to view their tax records online would soon be required to provide biometric data to a private company in Virginia — ID.me.
Facing a backlash from lawmakers and the public, the IRS soon reverses course, saying video selfies will be optional and that any biometric data collected will be destroyed after verification.
FEBRUARY
Super Bowl Sunday watchers are treated to no fewer than a half-dozen commercials for cryptocurrency investing. Matt Damon sells his soul to Crypto.com, telling viewers that “fortune favors the brave” — basically, “only cowards would fail to buy cryptocurrency at this point.” Meanwhile, Crypto.com is trying to put space between it and recent headlines that a breach led to $30 million being stolen from hundreds of customer accounts. A single bitcoin is trading at around $45,000.
Larry David, the comedian who brought us years of awkward hilarity with hits like Seinfeld and Curb Your Enthusiasm, plays the part of the “doofus, crypto skeptic” in a lengthy Super Bowl ad for FTX, a cryptocurrency exchange then valued at over $20 billion that is pitched as a “safe and easy way to get into crypto.” [Last month, FTX imploded and filed for bankruptcy; the company’s founder now faces civil and criminal charges from three different U.S. agencies].
On Feb. 24, Russia invades Ukraine, and fault lines quickly begin to appear in the cybercrime underground. Cybercriminal syndicates that previously straddled Russia and Ukraine with ease are forced to reevaluate many comrades who are suddenly working for The Other Side.
Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those is Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was busted in March after fleeing Ukraine’s mandatory military service orders.
Also nabbed on the lam is Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.
Tank, seen here performing as a DJ in Ukraine in an undated photo from social media.
Ransomware group Conti chimes in shortly after the invasion, vowing to attack anyone who tries to stand in Mother Russia’s way. Within hours of that declaration several years worth of internal chat logs stolen from Conti were leaked online. The candid employee conversations provide a rare glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also reveal how Conti dealt with its own internal breaches and attacks from private security firms and foreign governments.
Faced with an increasing brain drain of smart people fleeing the country, Russia floats a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.
Chipmaker NVIDIA says a cyberattack led to theft of information on more than 71,000 employees. Credit for that intrusion is quickly claimed by LAPSUS$, a group of 14-18 year-old cyber hooligans mostly from the United Kingdom who specialized in low-tech but highly successful methods of breaking into companies: Targeting employees directly over their mobile phones.
LAPSUS$ soon employs these skills to siphon source code and other data from some of the world’s biggest technology firms, including Microsoft, Okta, Samsung, T-Mobile and Uber, among many others.
MARCH
We learn that criminal hackers are compromising email accounts and websites for police departments worldwide, so that they can impersonate police and send legal requests to obtain sensitive customer data from mobile providers, ISPs and social media companies. That story prompts revelations that several companies — including Apple, Discord and Meta/Facebook — have complied with the fake requests, and draws the attention of Congress to the problem.
APRIL
It emerges that email marketing giant Mailchimp got hacked. The unknown intruders gained access to internal Mailchimp tools and customer data by social engineering employees at the company, and then started sending targeted phishing attacks to owners of Trezor hardware cryptocurrency wallets.
The FBI warns about a massive surge in victims from “pig butchering” scams, in which flirtatious strangers online lure people into investing in cryptocurrency scams. Investigative reports reveal pig butchering’s link to organized crime gangs in Asia that attract young job seekers with the promise of customer service jobs. Instead, those who show up at the appointed time and place are kidnapped, trafficked across the border into neighboring countries like Cambodia, and pressed into a life of indentured servitude scamming others online.
The now-defunct and always phony cryptocurrency trading platform xtb-market[.]com, which was fed by pig butchering scams.
KrebsOnSecurity reports that hackers who specialize in filing fake police requests for subscriber data gained access to a U.S. Drug Enforcement Administration (DEA) portal that taps into 16 different federal law enforcement databases.
The government of Costa Rica is forced to declare a state of emergency after a ransomware attack by Conti cripples government systems. Conti publishes nearly 700 GB worth of government records after the country’s leaders decline to pay a $20 million ransom demand.
JUNE
KrebsOnSecurity identifies Russian national Denis Emelyantsev as the likely owner of the RSOCKS botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. Emelyantsev was arrested that same month at a resort in Bulgaria, where he requested and was granted extradition to the United States — reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”
The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.
JULY
Big-three consumer credit bureau Experian comes under scrutiny after KrebsOnSecurity reveals identity thieves are reliably seizing control over consumer credit files by simply re-registering using the target’s personal information and an email address tied to the crooks. Two months later, Experian would be hit with a class-action lawsuit over these security and privacy failures.
Twitter acknowledges that it was relieved of phone numbers and email addresses for 5.4 million users. The security weakness that allowed the data to be collected was patched in January 2022.
AUGUST
Messaging behemoth Twilio confirms that data on 125 customers was accessed by intruders, who tricked employees into handing over their login credentials by posing as employees of the company’s IT department.
Among the Twilio customers targeted was encrypted messaging service Signal, which relied on Twilio to provide phone number verification services. Signal said that with their access to Twilio’s internal tools, the attackers were able to re-register those users’ phone numbers to another device.
Food delivery service DoorDash discloses that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. Thanks to data left exposed online by the intruders, it becomes clear that DoorDash was victimized by the same group that snookered employees at Twilio, Mailchimp, CloudFlare, and dozens of other major companies throughout 2022.
Mailchimp discloses another intrusion involving targeted phishing attacks against employees, wherein hackers stole data on more than 200 Mailchimp customers. Web hosting giant DigitalOcean discloses it was one of the victims, and that the intruders used their access to send password reset emails to a number of DigitalOcean customers involved in cryptocurrency and blockchain technologies. DigitalOcean severs ties with Mailchimp after that incident, which briefly prevented the hosting firm from communicating with its customers or processing password reset requests.
Password manager service LastPass discloses that its software development environment was breached, and that intruders made off with source code and some proprietary LastPass data. LastPass emphasizes the intruders weren’t able to access any customer data or encrypted password vaults, and that “there is no evidence of any threat actor activity beyond the established timeline,” and “no evidence that this incident involved any access to customer data or encrypted password vaults.”
SEPTEMBER
Uber discloses another breach, forcing the company to take several of its internal communications and engineering systems offline as it investigates. The intrusion only comes to light when the hacker uses the company’s internal Slack channel to boast about their access, listing several internal databases they claimed had been compromised. The intruder told The New York Times they got in by sending a text message to an employee while posing as an employee from Uber’s IT department. Uber blames LAPSUS$ for the intrusion.
Australian telecommunications giant Optus suffers a data breach involving nearly 10 million customers, including passport or license numbers on almost three million people. The incident dominates headlines and politics in Australia for weeks, as the hacker demands a million dollars in cryptocurrency not to publish the information online. Optus’s CEO calls the intrusion a “sophisticated attack,” but interviews with the hacker reveal they simply enumerated and scraped the data from the Optus website without authentication. After briefly posting 10,000 records from the intrusion, the hacker announces they made a mistake, and deletes the auction.
OCTOBER
A report commissioned by Sen. Elizabeth Warren (D-Mass.) reveals that most big U.S. banks are stiffing account takeover victims. Even though U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner, the report cited figures showing that four of the nation’s largest banks collectively reimbursed only 47 percent of the dollar amount of claims they received.
Joe Sullivan, the former chief security officer for Uber, is found guilty of two felonies after a four-week trial. In 2016, while the U.S. Federal Trade Commission was already investigating a 2014 breach at Uber, another security breach affected 57 million Uber account holders and drivers. The intruders demand $100,000, but Sullivan and his team paid the ransom under the company’s bug bounty program, made the hackers sign a non-disclosure agreement, and concealed the incident from users and investors. The two hackers involved pleaded guilty in 2019; by this time, it has become a nearly everyday occurrence for victim companies to pay to keep a ransomware attack quiet.
NOVEMBER
A ransomware group with ties to REvil begins publishing names, birth dates, passport numbers and information on medical claims on nearly 10 million current and former customers of Australian health insurer Medibank. The data is published after Medibank reportedly declines to pay a US$10 million ransom demand.
DECEMBER
KrebsOnSecurity breaks the news that InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, saw its database of contact information on more than 80,000 members put up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible were communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
A cybercriminal starts selling account data scraped from 400 million Twitter users, including email addresses and in many cases phone numbers. The seller claims their data was scraped in late December 2021 using the same vulnerability that Twitter patched in January 2022, and that led Twitter to acknowledge the data scraping of 5.4 million user accounts earlier this year. Twitter no longer has a press office, and the company’s Chief Twit has remained silent about the 400 million claim so far, despite many indications that the data is legitimate.
Two days before Christmas, LastPass posted an update on its investigation into the August data breach, saying the intruder was able to use data stolen in the August breach to come back and copy a backup of customer vault data from the encrypted storage container. LastPass’s lackadaisical disclosure timeline and failure to answer follow-up questions has done little to assuage the fears of many users, leaving Wired.com to recommend users abandon the platform in favor of the password managers 1Password and Bitwarden.
Also two days before Christmas, KrebsOnSecurity notifies Experian that anyone can bypass security questions in their application for a free credit report, meaning identity thieves can access your full credit file with just your name, address, date of birth and Social Security number. Unfortunately, this static data on most Americans has been for sale in the cybercrime underground for years. Experian has yet to say whether it has fixed the problem, but expect to see a full report about this early in the New Year.
Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money.
One reader’s copy of their Equifax Breach Settlement letter. They received a check for $6.97.
In 2017, Equifax disclosed a massive, extended data breach that led to the theft of Social Security Numbers, dates of birth, addresses and other personal information on nearly 150 million people. Following a public breach response perhaps best described as a giant dumpster fire, the big-three consumer credit reporting bureau was quickly hit with nearly two dozen class-action lawsuits.
In exchange for resolving all outstanding class action claims against it, Equifax in 2019 agreed to a settlement that includes up to $425 million to help people affected by the breach.
Affected consumers were eligible to apply for at least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and TransUnion. Or, if you didn’t want to take advantage of the credit monitoring offers, you could opt for a cash payment of up to $125.
The settlement also offered reimbursement for the time you may have spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This was capped at 20 total hours at $25 per hour ($500), with total cash reimbursement payments not to exceed $20,000 per consumer.
Those who did file a claim probably started receiving emails or other communications earlier this year from the Equifax Breach Settlement Fund, which has been messaging class participants about methods of collecting their payments.
How much each recipient receives appears to vary quite a bit, but probably most people will have earned a payment on the smaller end of that $125 scale — like less than $10. Those who received higher amounts likely spent more time documenting actual losses and/or explaining how the breach affected them personally.
So far this week, KrebsOnSecurity has received at least 20 messages from readers seeking more information about these notices. Some readers shared copies of letters they got in the mail along with a paper check from the Equifax Breach Settlement Fund (see screenshot above).
Others said they got emails from the Equifax Breach Settlement domain that looked like an animated greeting card offering instructions on how to redeem a virtual prepaid card.
If you received one of these settlement emails and are wary about clicking the included links (good for you, by the way), copy the redemption code and paste it into the search box at myprepaidcenter.com/redeem. Successfully completing the card application requires accepting a prepaid MasterCard agreement (PDF).
The website for the settlement — equifaxbreachsettlement.com — also includes a lookup tool that lets visitors check whether they were affected by the breach; it requires your last name and the last six digits of your Social Security Number.
But be aware that phishers and other scammers are likely to take advantage of increased public awareness of the payouts to snooker people. Tim Helming, security evangelist at DomainTools.com, today flagged several new domains that mimic the name of the real Equifax Breach Settlement website and do not appear to be defensively registered by Equifax, including equifaxbreechsettlement[.]com, equifaxbreachsettlementbreach[.]com, and equifaxsettlements[.]co.
In February 2020, the U.S. Justice Department indicted four Chinese officers of the People’s Liberation Army (PLA) for perpetrating the 2017 Equifax hack. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.
Equifax surpassed Wall Street’s expectations in its most recent quarterly earnings: The company reported revenues of $1.24 billion for the quarter ending September 2022.
Of course, most of those earnings come from Equifax’s continued legal ability to buy and sell eye-popping amounts of financial and personal data on U.S. consumers. As one of the three major credit bureaus, Equifax collects and packages information about your credit, salary, and employment history. It tracks how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit.
Americans currently have no legal right to opt out of this data collection and trade. But you can and also should freeze your credit, which by the way can make your credit profile less profitable for companies like Equifax — because they make money every time some potential creditor wants a peek inside your financial life. Also, it’s probably a good idea to freeze the credit of your children and/or dependents as well. It’s free on both counts.
Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press.
As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.
This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.
McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.
A recent spam campaign was using malicious word document to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.
This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.
Threat Summary
Infection Chain
The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe
Figure-1: flowchart of infection chain
Word Analysis
Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.
Figure-2: Image of what the user sees upon opening the document
VBA Macro Analysis of Word Document
Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..
Figure-3: Oleid output
Figure-4: Olevba output
The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5
Figure-5: Obfuscated VBA macro
To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.
Figure-6: De-obfuscated VBA macro (stage 1)
Figure-7: De-obfuscated VBA macro (stage 2)
An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents.
We can see the document properties in Figure-8
Figure-8: Document properties
Payload Download and Execution:
The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal/hex value and executes it. The shellcode is shown below.
Figure-9: Raw Company property
The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE.
Figure-10: Code of VirtualProtect
Figure-11: Shellcode’s memory and protection after calling VirtualProtect()
After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode.
Figure-12: Environment variable set in Winword.exe space
The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed.
Figure-13: SetTimer function (Execution of shellCode)
The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe.
| URL | hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ |
| CMD | rundll32 “C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll”,DllRegisterServer |
Figure-14: Exports of Downloaded DLL
After successful execution of the shellcode, the environment variable is removed.
Figure-15: Removal of Environment Variable
IOC
| TYPE | VALUE | PRODUCT | DETECTION NAME |
| Main Word Document | 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f | McAfee LiveSafe and Total Protection | X97M/Downloader.CJG |
| Downloaded dll | 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 | McAfee LiveSafe and Total Protection | Ursnif-FULJ |
| URL to download dll | hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ | WebAdvisor | Blocked |
MITRE Attack Framework
| Technique ID | Tactic | Technique Details | Description |
| T1566.001 | Initial Access | Spear phishing Attachment | Manual execution by user |
| T1059.005 | Execution | Visual Basic | Malicious VBA macros |
| T1218.011 | Defense Evasion | Signed binary abuse | Rundll32.exe is used |
| T1027 | Defense Evasion | Obfuscation techniques | VBA and powershell base64 executions |
| T1086 | Execution | Powershell execution | PowerShell command abuse |
Conclusion
Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.
McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor.
The post Test Post appeared first on McAfee Blog.
It’s easy to imagine where we would be without women in technology.
We’d be poorer for it.
With Mother’s Day upon us, I couldn’t help but think once more about the stark employment figures I shared in my International Women’s Day blog just a few weeks ago. Millions of women have involuntarily left the workforce at a much higher rate than men during the pandemic—with roughly one third of women in the U.S. aged 25-44 citing that childcare was the reason for that unemployment.
Reflecting on this further, I thought about the women in technology who’ve left their positions during this past year. It’s a loss of talent and capability that’s set back decades of advances by trailblazing women who not only shine in their field yet also do so in male-dominated realms of study, research, and employment.
So as we look ahead to recovery, we should also look back. By celebrating just a few of the women in technology who shaped our world today, women who truly are “mothers of invention,” perhaps we can remember just how vital women are in our field—and how we should double down on our efforts to welcome them back.
Imagine a time when the term “software engineering” wasn’t recognized, even though it was crucial to us landing on the moon.
Such were the days when Margaret Hamilton began her work at Massachusetts Institute of Technology (MIT) as a job to support her family while her husband went to law school at Harvard. This was in 1959 and would introduce her to Edward Lorenz, the father of chaos theory, and put her on the path to help humanity set its first footsteps on the moon.
It was her work and her code that developed a software-driven system that warned astronauts of in-flight emergencies, an advance she credits her young daughter for inspiring, as recounted in this interview:
Often in the evening or at weekends I would bring my young daughter, Lauren, into work with me. One day, she was with me when I was doing a simulation of a mission to the moon. She liked to imitate me – playing astronaut. She started hitting keys and all of a sudden, the simulation started. Then she pressed other keys and the simulation crashed … I thought: my God – this could inadvertently happen in a real mission.
I suggested a program change to prevent a prelaunch program being selected during flight. But the higher-ups at MIT and NASA said the astronauts were too well trained to make such a mistake. Midcourse on the very next mission, Apollo 8, one of the astronauts on board accidentally did exactly what Lauren had done. The Lauren bug! It created much havoc and required the mission to be reconfigured. After that, they let me put the program change in, all right.
When you search online, you have this woman to thank.
A true pioneer, Karen Spärck Jones worked at Cambridge, during which time she developed the algorithm for deriving a statistic known as “term frequency–inverse document frequency” (TFIDF). In lay terms, TFIDF determines how important a word is relative to the document or collection of terms in which it is found. Sound familiar? It should, as her work forms the basis of practically every search engine today.
Spärck Jones remained outspoken with regards to what she referred to as “professionalism” in technology. This had two layers: the first being the technical efficacy of a solution, the second being the rationale for even doing it in the first place. In her words,
“[T]o be a proper professional you need to think about the context and motivation and justifications of what you’re doing … You don’t need a fundamental philosophical discussion every time you put finger to keyboard, but as computing is spreading so far into people’s lives you need to think about these things.”
Her vision for computing and her hands-on work led to development of COBOL, a programming language still in use today. Driving that vision was the belief that human language could be used as the basis for a programming language, making it more accessible, particularly for business use. The result was the FLOW-MATIC programming language, which was later developed into COBOL, a language that is estimated to be used in 95% of ATM card swipes.
During her time as a naval officer, she helped transform centralized Defense Department systems into smaller, distributed networks akin to the internet we now know and use. At her retirement near the age of 80, she went to work in the private sector where she held the role of full-time senior consultant until her passing at age 85. This 1983 profile of her, aired when she was 76, is certainly worth a watch.
Quite plainly, Perlman’s work paved the way for the routing protocols that underpin the modern internet.
Prior to Perlman’s work, as networks grew and accordingly became more complex, data would often flow into loops that prevented them from reaching their intended destination. Enter her creation of the Spanning Tree Protocol (STP), which can handle large clouds of computers and network devices. While its since evolved, the concept of an adaptive network remains squarely in place.
Another advance of hers was introducing computer programming to young children aged 3 to 5 back in the 1970s. While working at MIT’s LOGO Lab, she created TORTIS (Toddler’s Own Recursive Turtle Interpreter System), which used buttons from programming and allowed for experimentation with a robotic turtle that would follow a toddler’s commands. In the abstract for her paper that documented the work, she emphasized what she felt was a vital point, “Most important of all, it should teach that learning is fun.”
These women have led and inspired, and likewise it’s on all of us in technology to build on the advances they made possible through both our work and the workplace cultures we foster—particularly as we begin our recovery from this pandemic.
One of the many reasons I’m proud to be a part of McAfee is our Women in Security (WISE) community. It’s truly a forward-thinking program, which we introduced to enrich and support women in the tech sector through mentorship programs and professional development conferences. It’s one of the several, tangible ways we actively strive for a vibrant and diverse culture at McAfee.
Another powerful voice for women in tech is AnitaB.org, which supports women in technical fields, as well as the organizations that employ them and the academic institutions training the next generation. A full roster of programs help women grow, learn, and develop their highest potential.
And for looking forward yet further, there’s Girls Who Code, which is building the next generation of female engineers and technologists. Their data shows why this is so vital. They found that 66 percent of girls aged six to 12 show interest in computing, but that drops to 32 percent for girls aged 13 to 17, and then plummets to only 4 percent for college freshmen. Accordingly, they support several programs for school-aged girls from third grade up through senior year of high school, help educators and communities launch clubs, and advocate for women in their field through their work in public policy and research.
And that’s just for starters. For an overview of yet more organizations where you can get involved, check out this list of 16 organizations for women in tech—all of which help us realize a better world with women in technology.
The post The Mothers of Invention: Women Who Blazed the Trail in Technology appeared first on McAfee Blogs.
FreshRSS 