Hacktivists leak US police data.
A leak site known as "Distributed Denial of Secrets" (DDoSecrets) has published nearly 270 gigabytes of data stolen from US police departments, fusion centers, and other law enforcement support entities, KrebsOnSecurity reports. The files in the leak were compiled between August 1996 and June 19th, 2020. Krebs cites an internal alert from the National Fusion Center Association (NFCA) which states, "Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports."
The files were apparently leaked after a hacker gained access to a user account at Netsential, a web development contractor widely used by state fusion centers and other government agencies. According to the NFCA, "Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data." This seems to indicate that the attacker exploited a vulnerability in Netsential's platform, although the company hasn't commented.
Twitter told ZDNet that the social network has permanently banned DDoSecrets' account for violating Twitter's policy against distribution of hacked material. According to Wired, the leakers' intent was to expose "legal but controversial" police conduct, but some observers point out that the data trove probably contains a great deal that will be of interest to organized crime, including information about witnesses, suspects, and victims. DDoSecrets' co-founder Emma Best told Wired that they spent a week redacting sensitive information about crime victims and children, but she admitted, "Due to the size of the dataset, we probably missed things."
Ethiopian government websites defaced.
Another case of apparent hacktivism took place in Ethiopia, where Addis Ababa's Information Network Security Agency (INSA) announced it had thwarted cyberattacks by Egypt-based hackers intent on pressuring the Ethiopian government over the filling of the Grand Ethiopian Renaissance Dam, Borkena reports. The targets included thirteen government websites and four non-governmental sites. The hacker groups responsible call themselves "Cyber Horus Group," "AnuBis.Haker," and "Security _By _Passed."
EG24 News says the hackers defaced the sites with a quote inscribed in the Temple of Horus at Edfu ("If the river level drops, let all the Pharaoh’s soldiers hurry and return only after the liberation of the Nile, which restricts its flowing"). The construction of the Grand Ethiopian Renaissance Dam, located on the Blue Nile in Western Ethiopia, has been the source of intense international disagreement between Ethiopia, Sudan, and Egypt over water usage. Ethiopia plans to begin filling the dam's reservoir in July, with or without reaching agreements with its downstream neighbors, according to the Associated Press.
GoldenSpy malware comes bundled with Chinese tax software.
Trustwave has found a new malware family dubbed "GoldenSpy," which is embedded in tax-paying software that companies doing business in China are required to install. The tax software, produced by the Golden Tax Department of Aisino Corporation, functions as expected, but it also installs a backdoor "with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure." The malware installs two copies of itself, with one lying dormant unless the other stops running. If either version is deleted, another will be downloaded. Uninstalling the tax software will not remove the malware.
Trustwave identified GoldenSpy while working for a client organization which had recently opened offices in China. The researchers aren't sure if this instance "was targeted because of their access to vital data, or if this campaign impacts every company doing business in China."
Fxmsp commodified access to breached networks.
Group-IB has published a report on "Fxmsp," a financially motivated hacker known for selling access to compromised networks. Fxmsp has breached at least 135 organizations around the world over the course of three years, and Group-IB estimates the hacker has made more than $1.5 million through this method. The researchers believe they've traced Fxmsp's identity to a specific man living in Kazakhstan.
Fxmsp gained access to networks by scanning for open RDP ports and brute-forcing their credentials. He then disabled antivirus products and firewalls before establishing persistence with a backdoor. Next, he moved throughout the network seeking to gain access to accounts with administrative privileges. He also placed backdoors on backup servers to ensure persistence even if the victim restored from backup. At this point, the hacker would sell access to the compromised network on underground forums.
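From the defender's side, the tell-tale sign of the entry method described above is a burst of failed RDP logons from one source followed by a success from the same source. The following Python is an added example, not part of Group-IB's report; it runs over constructed, simplified Windows Security log lines (event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP), and the threshold and window are assumptions.

```python
# Added example: flag RDP brute-force followed by a successful logon from the
# same source. Log format, threshold and window are assumptions, not Group-IB's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <event_id> <logon_type> <user> <source_ip>"
SAMPLE_LOG = """\
2020-06-20T02:00:01 4625 10 administrator 203.0.113.7
2020-06-20T02:00:02 4625 10 administrator 203.0.113.7
2020-06-20T02:00:03 4625 10 admin 203.0.113.7
2020-06-20T02:00:04 4625 10 backup 203.0.113.7
2020-06-20T02:00:05 4625 10 sysadmin 203.0.113.7
2020-06-20T02:00:09 4624 10 backup 203.0.113.7
2020-06-20T09:15:00 4625 10 jdoe 198.51.100.4
2020-06-20T09:15:30 4624 10 jdoe 198.51.100.4
2020-06-20T10:00:00 4624 2 svc_backup 127.0.0.1
"""

def parse(lines):
    """Yield (timestamp, event_id, logon_type, user, source_ip) tuples."""
    for line in lines.splitlines():
        ts, eid, ltype, user, src = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), user, src

def detect_rdp_bruteforce(log, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failed_count, user_that_succeeded)} for every source
    with at least `threshold` failed RDP logons inside `window` immediately
    before a successful RDP logon from that same source."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent RDP failures
    hits = {}
    for ts, eid, ltype, user, src in parse(log):
        if ltype != 10:            # only remote interactive (RDP) logons matter here
            continue
        recent = [t for t in failures[src] if ts - t <= window]
        if eid == 4625:
            recent.append(ts)
        elif eid == 4624 and len(recent) >= threshold:
            hits[src] = (len(recent), user)   # brute force that paid off
        failures[src] = recent
    return hits

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': (5, 'backup')}
```

A single failed attempt before a success (198.51.100.4) and a local logon (LogonType 2) are correctly ignored; in practice the same correlation would be fed from the Security event log rather than a text file.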
Fxmsp doesn't seem to be publicly active anymore, and Group-IB isn't sure what's become of him. BleepingComputer reports that the individual named in Group-IB's report may have been approached or detained by Kazakhstan law enforcement, but this remains unconfirmed.
New ransomware from Evil Corp.
Fox-IT has been tracking a new ransomware strain called "WastedLocker" that's been active since May 2020. The researchers say the malware was developed by Evil Corp, a criminal group best known for creating the Dridex banking Trojan and the BitPaymer ransomware. WastedLocker's emergence appears to be part of Evil Corp's efforts to switch out its tactics, techniques, and procedures following the indictment of two of the group's leaders by the US Justice Department in December 2019. Interestingly, Evil Corp doesn't seem to engage in the type of data theft and extortion that's become a common feature of other targeted ransomware operations. Fox-IT suspects this is due to the group's desire to avoid attracting needless attention from law enforcement and others.
For more, see the CyberWire Pro Research Briefing.
REvil gang still threatening to leak celebrity data.
The Register reports that the REvil ransomware operators are now threatening to auction off "contracts, agreements, NDA, confidential information, [and] court conflicts" pertaining to Nicki Minaj, Mariah Carey, and Lebron James. The information is part of the data trove stolen from celebrity law firm Grubman Shire Meiselas & Sacks. The criminals are demanding $600,000 for their starting bid, and they've offered to refrain from selling the data if the victims pay them $42 million.
It's not clear how sensitive the information actually is. Emsisoft researcher Brett Callow told the Register, "The crims likely do have at least some of the information they claim, but it may or may not be as salaciously juicy as they say....Let’s face it, you wouldn’t be able to ask for your money back were it to turn out that REvil had misrepresented the goods." It's worth noting that the group did seem to misrepresent the data it claimed to have on President Trump, who has never been a customer of the law firm.
Massive DDoS attack hits European bank.
Akamai says it mitigated a record-setting distributed denial-of-service attack against an unnamed European bank on Sunday. The attack "generated 809 million packets per second," making it the largest packet-per-second DDoS attack Akamai has ever seen. Notably, 96.2% of the source IP addresses hadn't been associated with DDoS attacks in the past, and most of them appear to belong to compromised end-user machines. The attacker's motivation is unclear.
Web tracking data exposed.
TechCrunch reports that data collected on behalf of clients by Oracle's BlueKai unit, which uses cookies and "other tracking tech" to follow users as they browse the web, the better to develop profiles for marketing purposes, were exposed in unsecured servers. Security researcher Anurag Sen found the exposed data and shared it with TechCrunch, which confirmed that in addition to browsing activity (including such actions as purchases and requests to unsubscribe from newsletters) the information included names, home addresses, email addresses, and a range of other data that could identify individual users.
Oracle told TechCrunch that it was a misconfiguration issue on the part of two of its customers: "While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle’s investigation has subsequently determined that two companies did not properly configure their services. Oracle has taken additional measures to avoid a reoccurrence of this issue."
For more, see the CyberWire Pro Privacy Briefing.
Patch news.
Microsoft continues to warn users of its Exchange email servers to patch their systems, particularly against CVE-2020-0688, which has been under exploitation by state-sponsored actors since at least April. A patch has been available since February. Microsoft stresses, "Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network."
Crime and punishment.
The US Department of Justice on Wednesday issued a second superseding indictment of WikiLeaks founder Julian Assange. The indictment doesn't add any new charges to the eighteen counts Mr. Assange already faces, but it does "broaden the scope of the conspiracy surrounding alleged computer intrusions with which Assange was previously charged." The new indictment alleges, "In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and pdfs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an 'Anonymous' and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again."
The New Zealand Police seized US$90 million (NZ$140 million) from a company owned by Alexander Vinnik, a Russian citizen alleged to have operated the now-defunct cryptocurrency exchange BTC-e, CyberScoop reports. The exchange was widely used by criminals for money laundering before it was shut down by the US government in 2017. Vinnik himself is now jailed in France and faces various charges from US, French, and Russian authorities. The New Zealand Police notes that this seizure of funds is the largest in the service's history.
Kenneth Schuchman, a 22-year-old man from Washington, has been sentenced to thirteen months in Federal prison for developing botnets based on Mirai source code, KrebsOnSecurity reports. These IoT botnets were known as "Satori," "Okiru," "Masuta," and "Tsunami"/"Fbot." Schuchman and his two associates primarily focused on renting out their botnets for use in DDoS attacks, but they occasionally used them to launch their own attacks.
Naked Security has an account of how the FBI tracked down an alleged arsonist using almost entirely open-source information, starting with only a brief aerial news clip.
Courts and torts.
Facebook lost an appeal in its antitrust case in Germany, and has been ordered to restrain its data collection methods, Business Insider reports. The Federal Court stated, "The Kartellsenat quashed the decision of the Düsseldorf Higher Regional Court and rejected the application for an order suspending the suspensive effect of the appeal. There are no serious doubts about Facebook's dominant position in the German social networking market, nor any doubts that Facebook is abusing this dominant position under the terms of use prohibited by the Kartellsenat."
Policies, procurements, and agency equities.
The US State Department has named China Central Television, China News Service, the People’s Daily, and the Global Times as "foreign missions," or Chinese government propaganda outlets. The designation doesn't restrict what the news outlets can publish in the US, but does make them subject to "certain administrative requirements that also apply to foreign embassies and consulates in the United States." Those requirements include reporting all their personnel to the State Department as well as registering any property they hold.
The US Department of Defense has designated Huawei, Hikvision, and eighteen other Chinese firms as companies owned or controlled by China's military, Reuters reports. The designation itself doesn't trigger sanctions, but President Trump has the power to impose more restrictions on the listed companies. Axios has the full list of designated companies.
Major General Maria Barrett, commanding general of the Army's Network Enterprise Technology Command, told C4ISRNET that the Army plans to roll out a new capability that "will allow remote users to access non-classified but sensitive information as well as classified information up to the secret level from remote locations, including at home." The Army intends to onboard the first five-hundred users of this system over the next thirty days.
For more, see the CyberWire Pro Policy Briefing.
Fortunes of commerce.
Dell Technologies is considering selling its 81% stake in VMware, which is valued at $50 billion, in order to increase its market share, the Wall Street Journal reports.
PlayStation has launched a public bug bounty program through HackerOne, with bounties for critical vulnerabilities in PS4 starting at $50,000.
Mergers and acquisitions.
Microsoft has acquired Massachusetts-based IoT/OT security company CyberX. The financial terms of the deal weren't disclosed, but TechCrunch says the sum is somewhere around $165 million (up from a rumored $150 million when reports of the planned deal began circulating earlier this year).
Apple has acquired San Francisco-based Apple device management company Fleetsmith, SecurityWeek reports.
Minnesota-based IT management company HelpSystems has acquired Canadian data protection firm Titus and UK-based data classification and secure messaging company Boldon James. ShareCast says HelpSystems purchased Boldon James from QinetiQ for £30 million (US$37 million).
France-headquartered IT consulting company Atos will acquire Virginia-based managed security services provider Paladion for an undisclosed amount.
Siemens has agreed to acquire UK-based system-on-chip (SoC) cybersecurity company UltraSoC for an undisclosed amount.
Investments and exits.
Palantir has received $500 million (approximately ¥54 billion) in funding from Japanese insurance company Sompo Holdings, Crunchbase News reports. Bloomberg notes that this will be one of the last investments in Palantir before the company's stock goes public.
Salesforce's venture capital arm has invested approximately $100 million into Emeryville, California-based endpoint security and systems management firm Tanium, bringing the company's valuation to $9 billion, CNBC reports.
France-based business-to-consumer privacy app Jumbo Privacy has raised $8 million in a Series A round led by Balderton Capital.
London-based data privacy company Privitar has secured an additional $7 million for its Series C round from HSBC, Help Net Security reports. The funding round's total is now $87 million.
Belgium-based bug bounty platform and ethical hacking firm Intigriti has raised €4 million (US$4.5 million) in a Series A round led by ETF Partners, EU-Startups reports.
And security innovation.
The US Air Force Space Accelerator Program has kicked off the contest for its sixth cohort of technology startups, with this round focusing on cybersecurity in space, Air Force Magazine reports. The program is taking applicants until August 3rd, and eight winners will be given a three-month residency at the Colorado Springs campus of the Catalyst Space Accelerator.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.