Cybersecurity News: Cops sting RagnarLocker, more 23andMe leaks, Casio discloses breach

International sting operation brings down RagnarLocker

Agencies from the US, Japan and the EU have successfully seized the dark web portal used by the gang. RagnarLocker has been active since 2020 and some cybersecurity experts believe it is connected to Russia. As of this recording the full scale of the takedown is not yet known. According to a Europol spokesperson, more details will be made public today, Friday.

(TechCrunch)

More 23andMe records leaked

The hacker who leaked records two weeks ago, prompting a password-reset request from the company on October 10, has leaked information on 4 million members onto a cybercrime forum. TechCrunch has confirmed that samples of this data match known 23andMe membership data. The hacker claims that this dataset “contains information on people who come from Great Britain, including data from the wealthiest people living in the U.S. and Western Europe on this list.” The company is continuing its investigation into the breach.

(TechCrunch)

Casio discloses data breach

Electronics manufacturer Casio has announced a data breach affecting customers from 149 countries. This follows an attack on its ClassPad education platform. The attack occurred between October 11 and 12 and involved PII such as names, email addresses, countries of residence, purchase information and license codes, but no credit card information. The majority of the customers affected, over 91,000, are in Japan, with the remaining 35,000 in 148 other countries. Representatives from Casio state they believe “some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge, and insufficient operational management, and this allowed an external party to gain unauthorized access.”

(Bleeping Computer)

How Iran’s MuddyWater APT spied on a Middle Eastern government for 8 months

An article in Dark Reading, released yesterday and based on a report from Symantec, reveals how the Iran state-aligned group successfully spied on the government of an unnamed Middle Eastern country using new tools largely unknown to the cybersecurity community. The report describes how, on February 1, the group deployed an unknown PowerShell script, followed by four custom malware tools as well as two popular open-source hacking tools: Mimikatz for credential dumping, and Plink for remote shell capabilities. MuddyWater, which Symantec tracks as Crambus, and which is also known as APT34, Helix Kitten, and OilRig, was at one time thought to have disappeared after suffering a leak of its own in 2019, but as Dick O’Brien, principal intelligence analyst for Symantec, says, “they’re definitely back.”

(DarkReading)

Huge thanks to this week’s episode sponsor, Vanta

Growing a business? That likely means more tools, third-party vendors, and data sharing — AKA, way more risk. Vanta’s market-leading trust management platform brings GRC and security efforts together. Integrate information from multiple systems and reduce risks to your business and your brand — all without the need for additional staffing. And by automating up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance. Join 5,000 fast-growing companies that leverage Vanta to manage risk and prove security in real-time. Our listeners get $1,000 off Vanta. Go to vanta.com/ciso to claim this discount.

Ex-Navy IT manager jailed for selling people’s data on the dark web

A 32-year-old former chief petty officer in the US Navy’s Seventh Fleet, Marquis Hooper, of Selma, California, opened an account in 2018 with a company that maintains a PII database on millions of people and whose clients include the US government. Hooper claimed he had been required to do this in order to perform background checks on people. Using this access, Hooper and his wife stole the PII of 9,000 individuals and allegedly made $160,000 in bitcoin through its sale. He was sentenced to five years and five months earlier this week, and his wife is scheduled to be sentenced on November 20.

(Graham Cluley on Fortra)

Trigona ransomware website taken down

A group called the Ukrainian Cyber Alliance claims to have shut down the gang’s leak site, wiping out 10 of its servers, defacing its website and exfiltrating data about the cybercrime operation. This is according to The Record, which describes Trigona Leaks as a “name-and-shame” extortion blog that advertised stolen data. The Trigona ransomware has been active since June 2022, and generally targets tech, healthcare, and banking companies in the U.S., India, Israel, Turkey, Brazil, and Italy, according to a report by Trend Micro.

(The Record)

JetBrains vulnerability exploited by North Korea, says Microsoft

Two groups allegedly tied to the North Korean government, named by Microsoft as Diamond Sleet and Onyx Sleet, have been observed exploiting a bug in TeamCity, a product made by the Czech company JetBrains and used by developers for testing software code before release. The bug is tracked as CVE-2023-42793, and JetBrains published a patch on September 20, but, according to researchers at PRODAFT, “the subsequent release of technical details led to immediate exploitation by a range of ransomware groups. More than 1,200 unpatched servers vulnerable to the issue were discovered.” Microsoft warns that both groups are likely exploiting vulnerable servers, each using its own unique toolset.

(The Record)

IT Leaders concerned about quantum computing readiness

A study by the Ponemon Institute for the security firm DigiCert reveals that 61 percent of its respondents say their organizations “are not and will not be prepared to address the security implications of a post-quantum computing future.” The Ponemon Institute surveyed more than 1,400 IT practitioners and IT security practitioners from numerous countries around the world. Forty-nine percent of the respondents say their organization’s leadership is “only somewhat aware or not aware of the security implications of quantum computing, and only 30% of respondents say their organizations are allocating budget for PQC readiness.” A link to the DigiCert announcement is available in the show notes to this episode.

(DigiCert)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.