Treasury Department warns that ransom payments could violate US sanctions.
The US Treasury Department's Office of Terrorism and Financial Intelligence issued two advisories last week warning that ransomware payments could violate US sanctions if the money ends up in the hands of sanctioned individuals or entities.
Treasury's Office of Foreign Assets Control (OFAC) stated that it "may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC." The statement goes on to say, "As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations."
The Treasury Department's Financial Crimes Enforcement Network issued a separate statement regarding the role of financial institutions and companies that assist victims of ransomware attacks:
"The prevalence of ransomware attacks has led to the creation of companies that provide protection and mitigation services to victims of ransomware attacks. Among these entities are digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). Some DFIR companies and CICs, as well as some MSBs [money services businesses] that offer CVCs [convertible virtual currencies], facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission. Entities engaged in money services business activities (such as money transmission) are required to register as an MSB with FinCEN, and are subject to BSA obligations, including filing suspicious activity reports (SARs). Persons involved in ransomware payments must also be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity."
The Record notes that the US government as a whole has offered mixed guidance on paying ransoms. The FBI has officially maintained that victims shouldn't pay the ransom because it funds further criminal behavior, but the Bureau has acknowledged that "executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers." The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) similarly advises against paying ransom, but asks victims to notify the government if they do decide to pay.
The Treasury Department's statements represent the strongest counsel to date against paying ransom demands. OFAC cites North Korea's Lazarus Group and the Russian cybercriminal group Evil Corp as two examples of sanctioned entities that have engaged in ransomware activities in the past, but the advisory doesn't address the difficulties of attribution or suggest how organizations can determine whether they're dealing with a sanctioned attacker. One of the key actionable takeaways, however, is OFAC's exhortation that victims and intermediaries be transparent and cooperative with law enforcement. OFAC states that it will "consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome."
New ransomware gang incorporates data theft.
Researchers at Appgate have identified a new ransomware family dubbed "Egregor" that appears to be based on the Sekhmet ransomware. The gang behind the ransomware operates a deep web "news" site which it uses to publish stolen data to punish victims who refuse to pay up within three days. There are currently thirteen victims listed on the gang's leak site.
For more, see the CyberWire Pro Privacy Briefing.
SlothfulMedia RAT tied to Beijing.
CyberScoop has a follow-up to earlier warnings by CISA and US Cyber Command’s Cyber National Mission Force. Last week’s warnings concerned SlothfulMedia, a remote access Trojan used in cyberespionage campaigns. CyberScoop reports that sources in the US Government have told it, on background, that SlothfulMedia is associated with the Chinese government. It's been used against both India and Russia, and the US officials who spoke with CyberScoop are particularly interested in seeing it become generally known that Beijing is actively and aggressively spying on Moscow.
Hacking Team bootkit used by APT group.
Researchers at Kaspersky discovered a modified version of a leaked Hacking Team tool used against two diplomatic targets in Asia, WIRED reports. Hacking Team was a controversial offensive security company based in Italy that suffered a devastating data breach in 2015 that exposed many of its hacking tools. One of these tools, a bootkit dubbed "VectorEDK," served as the basis for the malware found by Kaspersky. The new bootkit differs only slightly from VectorEDK, but it deploys a previously unobserved strain of malware rather than one of Hacking Team's backdoors. This malware is designed to steal data, and is part of a larger malware framework that Kaspersky has named "MosaicRegressor."
BleepingComputer observes that this is only the second UEFI bootkit ever discovered in the wild (the first being LoJax, attributed by ESET to Russia's APT28). This type of malware modifies the device's Unified Extensible Firmware Interface (UEFI)—the firmware that boots up the operating system—so that the device will be reinfected even if the hard drive or operating system is replaced. The researchers don't know how the bootkit is placed on a system, although they note that Hacking Team's VectorEDK relied on an attacker plugging a USB key into the device. They also point out that the malware could have been placed remotely if the attackers were able to compromise the firmware update mechanism, but this remains speculation.
MosaicRegressor, the malware installed by the bootkit, has been used to target "several dozen victims" between 2017 and 2019, all of whom had some connection to North Korea. The victims were diplomatic and NGO targets in Asia, Africa, and Europe. The UEFI bootkit was used against two of these targets. The researchers believe a Chinese-speaking actor is behind the attacks, and they estimate "with low confidence" that the actor has previously used a Winnti backdoor.
For more, see the CyberWire Pro Research Briefing.
Sophisticated hacker-for-hire group identified.
BlackBerry has published a report on Bahamut, a threat actor believed to be an unusually sophisticated and patient group of hackers-for-hire. The group makes use of "a vast empire of fake news websites, social media accounts, and personas," as well as custom-made and publicly available malware, above-average social engineering tactics, and an in-house zero-day exploit developer. Bahamut displays "truly impressive operational security," and its operations are marked by extensive reconnaissance, concentration on particular targets, and attention to detail.
Bahamut was first noticed (and named) by Bellingcat in 2017 as the actor behind a series of spearphishing emails in English and Farsi directed to human rights activists in the Middle East, and BlackBerry ties the group to multiple other reports by different security companies.
While the group's sophistication is on par with nation-state espionage services, "the lack of discernible pattern or unifying motive moved BlackBerry to confirm the group is likely acting as Hack-for-Hire mercenaries." Bellingcat noted in 2017 that the dissimilarity in targeting "only grew with the further enumeration of other targets, describing a broad targeting across the Middle East without wholly implicating any particular interest, despite clear political intent."
US seizes 92 domains used by the IRGC.
The US Justice Department on Wednesday announced the seizure of ninety-two domains that were being used by Iran's Islamic Revolutionary Guard Corps (IRGC) as part of "a global disinformation campaign." The sites posed as legitimate news outlets but were actually used to push Tehran's line. Four of the sites targeted the US "in an attempt to influence the American people to change United States foreign and domestic policy toward Iran and the Middle East." The other eighty-eight sites targeted users in Western Europe, the Middle East, and Southeast Asia.
Justice credits Google with alerting it to the campaign, citing this as a good instance of public-private cooperation. The takedown itself was a cooperative effort of the FBI, Google, Twitter, and Facebook. The FBI Special Agent in Charge who directed the Bureau’s part of the operation said, "This case is a perfect example of why the FBI San Francisco Division prioritizes maintaining an ongoing relationship with a variety of social media and technology companies. These relationships enable a quick exchange of information to better protect against threats to the nation’s security and our democratic processes."
For more, see the CyberWire Pro Disinformation Briefing.
US Congress releases results of Big Tech antitrust inquiry.
The US House has released the results of its antitrust inquiry into Alphabet, Amazon, Apple, and Facebook. The 449-page report concludes that the four companies possess monopoly power and should have portions of their businesses broken up:
"Although these four corporations differ in important ways, studying their business practices has revealed common problems. First, each platform now serves as a gatekeeper over a key channel of distribution. By controlling access to markets, these giants can pick winners and losers throughout our economy. They not only wield tremendous power, but they also abuse it by charging exorbitant fees, imposing oppressive contract terms, and extracting valuable data from the people and businesses that rely on them. Second, each platform uses its gatekeeper position to maintain its market power. By controlling the infrastructure of the digital age, they have surveilled other businesses to identify potential rivals, and have ultimately bought out, copied, or cut off their competitive threats. And, finally, these firms have abused their role as intermediaries to further entrench and expand their dominance. Whether through self-preferencing, predatory pricing, or exclusionary conduct, the dominant platforms have exploited their power in order to become even more dominant.
"To put it simply, companies that once were scrappy, underdog startups that challenged the status quo have become the kinds of monopolies we last saw in the era of oil barons and railroad tycoons."
CNBC explains that US lawmakers must now rewrite antitrust laws to apply to companies that, to a large extent, offer their products for free while "raking in advertising revenue." While Republicans and Democrats aren't in complete agreement about the nature of the reforms to be made, CNBC says there's enough bipartisan consensus to make some action likely at some point in the future.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
Crime and punishment.
Cybersecurity pioneer and incorrigible bad boy John McAfee has been arrested in Spain and is awaiting extradition to the US, Ars Technica reports. The US Justice Department unsealed an indictment on Monday alleging that Mr. McAfee failed to pay taxes from 2014 through 2018 and attempted to hide his wealth from the IRS. Forbes notes that the news doesn't exactly come as a surprise: Mr. McAfee tweeted last year that he hadn't filed a tax return in eight years and that he was "a prime target for the IRS." It's worth noting that, while McAfee founded the security firm that still bears his name, he's had no connection with it for the past 25 years.
Also on Monday, the US Securities and Exchange Commission filed a civil complaint against Mr. McAfee, alleging that, "From at least November 2017 through February 2018, McAfee leveraged his fame to make more than $23.1 million U.S. Dollars ('USD') in undisclosed compensation by recommending at least seven 'initial coin offerings' or ICOs to his Twitter followers." The SEC alleges that Mr. McAfee's ICO recommendations were "materially false and misleading" for four reasons: first, he didn't reveal that he was being paid by the companies behind the ICOs, and his tweets were actually paid promotions; second, he "falsely claimed to be an investor and/or a technical advisor when he recommended several ICOs," leading his followers to believe he was offering impartial investment advice; third, when a blogger exposed these dealings, Mr. McAfee "encouraged investors to purchase the securities sold in certain of the ICOs without disclosing that he was simultaneously trying to sell his own holdings and had paid another third-party promoter to tout the securities"; fourth, in at least one case he engaged in a scalping scheme "by accumulating large amounts of the digital asset security and touting it on Twitter without disclosing his intent to sell it."
The SEC wants Mr. McAfee to "disgorge" the millions he made, and seeks to ban him from "participating, directly or indirectly, in the issuance, purchase, offer, or sale of any digital asset security."
Forbes describes the "dumbest cyber attack ever," which was uncovered by Darktrace in 2018. Hackers gained access to a fingerprint scanner used by a luxury goods store, and thought the best course of action would be to upload their own fingerprints to the scanning system's database, while deleting other, legitimate fingerprints. Darktrace picked up on this activity within minutes. Darktrace's Max Heinemeyer told Forbes that this "is potentially the first hack where the perpetrators purposely left their fingerprints at the crime scene."
Courts and torts.
Network security startup Centripetal Networks has won a large judgment in its patent infringement case against Cisco. The US District Court for the Eastern District of Virginia has ordered Cisco to pay $1.9 billion to Centripetal, plus six years of royalty payments, according to Bloomberg. The court ruled that "the infringement was willful and egregious." IPWatchdog notes that this "is believed to be one of the highest damages awards ever issued in a patent case."
Policies, procurements, and agency equities.
The Wall Street Journal sees the international mood shifting against Huawei, as Germany moves toward restricting the Shenzhen company’s participation in its 5G infrastructure. Other European nations are also shying away from Huawei. Sky News summarizes a report from the UK’s Huawei oversight group to the effect that GCHQ had discovered what it characterized as “nationally significant vulnerabilities” in Huawei kit. Nikkei Asia reports that Greece is also "joining the anti-Huawei camp."
CISA warns that it's seen a "significant increase" in Emotet phishing emails targeting US state and local governments since August, stressing that in September "Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands."
For more, see the CyberWire Pro Policy Briefing.