Cybersecurity News – AlphaBay back on top, Karakurt phones home, and China eases up on Didi

The once and future AlphaBay

In July 2017, global law enforcement coordinated on Operation Bayonet to take down the dark web marketplace AlphaBay, seizing servers in Lithuania and arresting its creator. At the time, AlphaBay was one of the largest and most active dark web marketplaces. Usually when one of these goes down, another gains popularity and takes the top spot. However, in August 2021, AlphaBay came back online, announced by its former number-two administrator, known as DeSnake. Now, thanks to takedowns of several other prominent marketplaces, it seems to have regained the number one spot on the dark web, listing 30,000 unique products from 1,300 active vendors.

(Wired)

Karakurt adopts bill collector tactics

Ransomware is already bad enough with the double-extortion and leak site tactics now adopted by numerous groups. However, a joint advisory from the FBI and CISA warns that the group Karakurt is adding harassment tactics to pressure victims into paying. The ransom demands themselves are routine: they range from $25,000 to $13 million in Bitcoin, come with a one-week deadline, and include proof of access to the network and of the stolen data. The group pairs this with emails and phone calls to employees, business partners, and clients, warning that the company needs to pay the ransom, often exaggerating the amount of data exfiltrated.

(ZDNet)

China concludes its cybersecurity review of Didi

The Wall Street Journal’s sources say China will soon conclude its cybersecurity investigation into Didi Global, after which regulators will allow its mobile apps to return to domestic app stores and let it register new users again. While Didi received the biggest headlines in the Chinese crackdown that followed its public listing, the logistics platform Full Truck Alliance and the recruitment firm Kanzhun also received similar security reviews after going public. Didi is expected to offer a 1% equity stake to the state, give the government a direct role in corporate decisions, and pay a relatively large fine. Didi recently voted to delist from the New York Stock Exchange to pursue a listing in Hong Kong.

(WSJ)

Follina hits local governments

Bleeping Computer reports that local governments in at least two US states have been targeted with phishing campaigns using malicious Rich Text Format documents designed to exploit the Follina zero-day. The researchers suspect this was a state-aligned campaign, noting that it also hit governments in Europe. The emails promise information on salary increases and are used to deploy a PowerShell script that exfiltrates information. The script targets browser passwords, data from desktop apps, and local computer and network information, indicating the goal is broad reconnaissance. While Microsoft has released mitigations for the MSDT flaw, it has yet to release a patch.

(Bleeping Computer)

Thanks to today’s episode sponsor, PlexTrac

PlexTrac is the platform that empowers your offensive security team to spend more time hacking and less time reporting. Build better reports in half the time, centralize your data, maximize your reusable content, and become more efficient and effective. PlexTrac clients report a “5X ROI in 1 year,” a “30% increase in efficiency,” have “cut their reporting cycle by 65%,” and experienced an “18 to 22% time savings per engagement.”

Check out PlexTrac.com/CISOSeries to learn how PlexTrac can help your team deliver results.

Binance used to launder billions

An investigation by Reuters found that between 2017 and 2021, the cryptocurrency exchange Binance processed at least $2.35 billion worth of transactions involving funds from cybercrime, investment fraud, and illegal drug sales. This echoes a report from Chainalysis, which found that in 2019, Binance received $770 million in criminal funds, more than any other exchange. In some cases, funds passed through multiple digital wallets before reaching Binance, a pattern that generally raises red flags at financial institutions. Binance has historically had weak anti-money-laundering protections, although in August 2021 it strengthened its checks, requiring new and existing users to submit identification. Binance described the reporting as “wildly outdated” and disputed Reuters’ findings.

(Reuters)

LastPass goes passwordless

LastPass began rolling out the ability to use its authenticator app to access a password vault on desktop, rather than entering a master password. The company claims it is the first password manager to offer passwordless access on desktop. Master passwords will still be required for registering an account, adding new trusted devices, making account changes, or when a passwordless attempt fails. LastPass already offers ways to log into its mobile app with biometrics.

(The Verge)

Critical flaws found in Unisoc chips

Check Point Research documented stack overflow vulnerabilities impacting Unisoc Tiger T700 SoCs found in recent budget Motorola phones. The flaws cause the phone to skip checks that verify it is reading a valid subscriber ID when connecting over LTE, opening the door to a denial of service attack on LTE connectivity. Check Point alerted Unisoc in May, and Google plans to release a patch in its next Android Security Bulletin.

(InfoSecurity Magazine)

Just when you thought it was safe to sequence your DNA

CISA and the US FDA issued an advisory warning of critical security vulnerabilities in Illumina’s DNA sequencing software. The vulnerabilities are rated 10 out of 10, allowing an unauthenticated actor to take control of the product remotely and “take any action at the operating system level.” This could affect settings, software, or data, letting attackers cause incorrect or altered results to be shown during diagnosis. There is no evidence that these flaws have been exploited in the wild, and Illumina has released software patches for affected devices.

(The Hacker News)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.