Russian military cyber-unit behind large-scale brute-force attacks
A press release issued by the National Security Agency on Thursday indicates that a Russian military cyber unit used a Kubernetes cluster to “conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.” The advisory indicates that the threat actors used the brute force capability to access sensitive data and identify account credentials. The actors exploited well-known vulnerabilities, including Microsoft Exchange bugs, for remote code execution and further access to target networks. The advisory notes that the attacks are ongoing and lists mitigating steps that network administrators should adopt, including using multi-factor authentication, implementing time-out and lockout features, requiring strong passwords, and deploying Zero Trust security models.
Authorities seize DoubleVPN service used by cybercriminals
A coordinated operation by authorities in nine countries across North America and Europe resulted in the takedown of the DoubleVPN service, which allegedly served as a hideout for ransomware operators and phishing scammers. DoubleVPN, which was heavily advertised on both Russian- and English-speaking underground cybercrime forums, offered its customers single, double, triple, and even quadruple VPN connections for as little as $25 per month to help them hide their misdeeds. A seizure notice appearing on the now-defunct site indicates that law enforcement has taken possession of DoubleVPN servers, including details of all its customers, and goes on to state, “DoubleVPN’s owners failed to provide the services they promised.”
Microsoft research team reveals critical vulns in Netgear routers
On Wednesday, Microsoft’s 365 Defender Research Team revealed three critical authentication vulnerabilities impacting Netgear routers. The first bug allows unauthenticated access to any page on susceptible devices by appending GET variables in substring requests. The second flaw permits side-channel attacks that allow attackers to extract stored credentials. The final bug allows extraction of the “NtgrBak” encryption key, letting remote attackers decrypt and access stored secrets. The vulnerabilities affect Netgear DGN-2200v1 series routers running firmware prior to v1.0.0.60. Netgear, which was privately notified of the issues by Microsoft, has patched them and advises customers to install the latest router firmware by visiting Netgear Support.
(ZDNet)
Judge stalls new Florida law that penalizes social media giants for blocking politicians’ posts
On Wednesday, U.S. District Judge Robert Hinkle temporarily blocked a new Florida law that sought to punish large social media platforms including Facebook and Twitter if they remove content or ban politicians. The law, which was due to take effect on Thursday, enabled the state to fine the companies $25,000 per day for removing an account of someone running for a local office and $250,000 per day for removing an account of a statewide political candidate. The bill was signed into law in May by Gov. Ron DeSantis who said that Silicon Valley companies were exerting unprecedented power over the American people. Judge Hinkle said the new law was aimed only at large social media businesses, not smaller ones providing the same services, and stated, “The legislation compels providers to host speech that violates their standards.”
(NPR)
Thanks to our episode sponsor,
Keyavi

VirusTotal ordered to reveal private info of stolen HSE data downloaders
Following up on a story we brought to you last Friday, the High Court of Ireland has ordered VirusTotal to provide information related to subscribers who accessed data stolen in the ransomware attack on Ireland’s publicly funded healthcare system, HSE. According to the Financial Times, the stolen HSE files, which the Conti ransomware gang posted as proof of the breach, were uploaded to the VirusTotal malware scanning site. On Tuesday, the Irish court ordered VirusTotal’s owners, Chronicle Security Ireland and Chronicle LLC, to provide the private information of subscribers who downloaded or uploaded the HSE data. The Financial Times, which had come into possession of a sample of the stolen data, has returned it but refused to reveal its source.
High-profile women want action to stop online abuse
A letter signed by high-profile women including former Australian prime minister Julia Gillard, ex-US tennis player Billie Jean King and British actresses Thandiwe Newton and Emma Watson implores social media giants to prioritize the safety of women on their platforms. The letter, addressed to the heads of Facebook, Google, TikTok and Twitter, characterizes the social media platforms as unsafe and points to a 2020 study by The Economist Intelligence Unit, which found that 38% of women in 51 countries have had direct experience of online intimidation. Both Twitter and Facebook committed to combating online abuse at the UN’s Generation Equality Forum in Paris, with Twitter vowing to give users greater control over their online safety and Facebook introducing its new Women’s Safety Hub, which will monitor and make recommendations for fighting online abuse. The World Wide Web Foundation says it will track the tech companies against their commitments and report their progress annually.
(BBC)
“HackMachine” helps automate cybercriminal operations
Hacking techniques such as phishing, keylogging, and developing exploits for vulnerabilities can prove time-consuming and require significant technical expertise. According to a recent report from Gemini Advisory, its fraud intelligence specialists have identified a tool called HackMachine, which first appeared on the dark web in late 2019. The tool scans large volumes of websites and automatically exploits vulnerabilities in their content management systems or web hosting control panels to steal credentials. Attackers can leverage this access to inject digital payment skimmers, steal stored payment card data, and exfiltrate user databases containing personally identifiable information. The report indicates that HackMachine is a particular threat to cardholders, financial institutions, and merchants because of its card fraud applications, but also warns of its potential for use in ransomware attacks, which pose a threat to all organizations.
(Recorded Future and Gemini Advisory)
US Secret Service brings back its Cyber Most Wanted list
The US Secret Service has updated its official website this month with a new page listing the agency’s most sought-after fugitives involved in financial cybercrime investigations. The new Most Wanted Fugitives page was re-added to the agency’s site after being retired several years ago. The page is very similar to the FBI’s Cyber Most Wanted list, with some names found on both lists; the key difference is that the Secret Service limits its list to a subset of cases focusing solely on financial fraud.