Cybersecurity News: LockBit disrupted, Cactus leaks data, ALPHV claims financial attacks

LockBit disrupted by global police operation

On Monday, an operation led by the FBI, the UK’s National Crime Agency and other international partners seized servers and disrupted the infrastructure used by the LockBit ransomware syndicate. LockBit’s leak sites displayed notices that they had been seized, while a representative of the gang confirmed on X, “FBI pwned me.” The takedown is the latest FBI global operation targeting cybercrime infrastructure under Rule 41, a legal framework that enables the agency to access computers across multiple jurisdictions. LockBit first emerged in September 2019 and is believed to be the world’s most widely used ransomware variant.

(CyberScoop and Bleeping Computer)

Cactus leaks Schneider Electric data on dark web

Following up on a story we brought to you late last month on Cyber Security Headlines, the Cactus ransomware gang has leaked a 25 MB sample of the French energy giant’s stolen data onto its dark web leak site. Cactus gained access to Schneider Electric’s Sustainability Business division on January 17th. The gang is now threatening to leak all the allegedly stolen data if its ransom demand is not paid. The nature of the stolen data is still unknown, but Schneider Electric’s Sustainability Business provides services to many high-profile companies worldwide.

(Bleeping Computer)

ALPHV gang takes credit for LoanDepot, Prudential attacks

On Friday, the notorious ransomware group known as BlackCat and ALPHV named the two financial giants as its latest victims on its leak site. Based on messages published by the hackers, both companies have refused to pay a ransom. ALPHV said it is in the process of selling the stolen LoanDepot data, which allegedly includes more information than was mentioned in the company’s breach notification. The gang indicated Friday that it still had access to Prudential’s systems and that it is considering leaking Prudential’s data for free, “so journalists can investigate financial wrongdoing.” This comes just after US authorities announced a reward of up to $10 million for information on the BlackCat group’s leaders and up to $5 million for any affiliate.

(SecurityWeek and The Register)

Wyze camera breach let customers see into other people’s homes

Last week, the webcam company announced that 14 people reported briefly seeing into a stranger’s property using their Wyze camera. The number of affected customers has now ballooned to 13,000. Wyze sent an email to customers apologizing for the breach, but also said its web hosting provider, Amazon Web Services, is partly to blame. Wyze claims AWS is behind its hours-long camera outage on Friday and indicated the incident stemmed from “a third-party caching client library” mixing up device ID and user ID mappings while all cameras were being brought back online at the same time. Wyze says about 1,500 people tapped to enlarge the thumbnail to get a better look through someone else’s camera. The company is scrambling to add additional verification and caching protocols to prevent this from occurring again.

(The Verge and Bleeping Computer)

Huge thanks to our sponsor, Conveyor

Conveyor, the security questionnaire automation software one of our customers dubbed “my favorite security tool of the year”, is now even better. They’ve upgraded their browser extension for portal-based questionnaires and it can now autofill OneTrust portal questionnaires in one click. You can test the AI in a free proof of concept at www.conveyor.com.

Mention this podcast for 5 free questionnaire credits when you purchase an Enterprise plan.

Hacker arrested for selling US and Canadian bank accounts

On Valentine’s Day, Ukraine’s cyber police arrested a 31-year-old for distributing trojan malware that he promoted as free resource downloads on websites he administered. The payload infected desktop and Android devices and siphoned user data, which the hacker then used to gain access to the victims’ online banking and Google accounts. The hacker sold account access on the dark web, arranging Bitcoin payments over the phone using a Russian number. Authorities arrested the suspect at his home and confiscated assets including a luxury Mercedes-Benz SUV. The suspect now faces up to 8 years in prison and confiscation of all property for violations of Ukraine’s Criminal Code. Ukrainian authorities say the suspect had accomplices whose identities they hope to obtain during the ongoing investigation.

(Bleeping Computer)

India and Meta introduce deepfake hotline

On Monday, India’s Misinformation Combat Alliance and Meta said they plan to launch a dedicated fact-checking helpline on WhatsApp to combat deceptive AI-generated deepfakes. The initiative will establish a network of independent fact-checkers and research organisations, called the Deepfakes Analysis Unit (DAU), to address viral misinformation. Beginning in March 2024, the public can flag deepfakes through the WhatsApp chatbot, which will offer multilingual support in English and three regional languages (Hindi, Tamil and Telugu).

(The Economic Times)

Internet access disrupted with one DNS packet

Researchers have discovered a serious vulnerability in the Domain Name System Security Extensions (DNSSEC) that could be exploited to deny internet access. The flaw (CVE-2023-50387) has been dubbed “KeyTrap” and stems from the DNSSEC validation requirement that a resolver try all relevant cryptographic keys for the ciphers it supports. The researchers developed an algorithmic complexity attack that can increase the CPU instruction count in a DNS resolver by a factor of 2 million, delaying its response by anywhere between 56 seconds and 16 hours. The researchers claim that, using KeyTrap, an attacker could completely disable large parts of the worldwide Internet. The flaw has been present since 1999 and impacts all popular Domain Name System (DNS) implementations and services. Since November 2023, the researchers have worked with DNS service providers, such as Google and Cloudflare, to deploy mitigations that limit the number of allowable cryptographic failures.
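To make the “limit the number of allowable cryptographic failures” mitigation concrete, here is a toy model of the validation loop, added for this write-up and not code from the article or the KeyTrap researchers. Real signature checks are replaced by a constructed stub so that each (key, signature) attempt counts as one unit of CPU work; the RRset with colliding key tags is a constructed worst-case test input, and the op counts show the shape of the blow-up, not real timings.

```python
"""Toy DNSSEC validation loop with a failure budget (added example, not resolver code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    key_tag: int   # 16-bit key tag from the DNSKEY record; several keys may share one
    secret: int    # stands in for the key material


@dataclass(frozen=True)
class RrSig:
    key_tag: int   # key tag the RRSIG claims it was produced with
    secret: int    # stands in for the signature bytes


def verify(key: DnsKey, sig: RrSig) -> bool:
    """Stub for one public-key verification; one call == one unit of crypto work."""
    return key.secret == sig.secret


def validate(keys, sigs, max_failures=None):
    """Return (status, crypto_ops).

    A validating resolver tries every key whose tag matches a signature's tag,
    so colliding tags turn this into an all-pairs search. max_failures is the
    mitigation: stop validating once that many verifications have failed.
    """
    failures = ops = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue                     # tag mismatch: not a candidate key
            ops += 1
            if verify(key, sig):
                return "secure", ops         # one good signature is enough
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return "budget_exceeded", ops  # treat as bogus, stop burning CPU
    return "bogus", ops


def colliding_rrset(n_keys, n_sigs):
    """Constructed worst case: every key and signature carries the same key tag
    and no pair verifies, so the unbudgeted loop does n_keys * n_sigs checks."""
    keys = [DnsKey(key_tag=0x1234, secret=i) for i in range(n_keys)]
    sigs = [RrSig(key_tag=0x1234, secret=-1 - j) for j in range(n_sigs)]
    return keys, sigs
```

With 100 keys and 100 signatures the unbudgeted loop performs 10,000 verifications before giving up, while a budget of 16 failed checks bounds the work regardless of how large the hostile RRset grows.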

(Bleeping Computer)

Two Israeli aircraft hijacked via cyber attack

According to the Jerusalem Post, two passenger aircraft flying from Thailand to Israel fell victim to cyber hijacking. The two EL AL flights were temporarily diverted from their original course when hijackers briefly gained control of the aircraft communication service. Fortunately, the pilots worked with international air traffic officials to regain control and safely reached their destination with only a minor delay. Some aircraft are equipped with two-way, multi-mode communication systems that enable pilots to switch between communication channels if anomalies are detected. The incident occurred in airspace controlled by an Iran-backed militant group, the Houthis.

(Cybersecurity Insiders)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.