US Imprisons Bulletproof Hosting Providers

Two men from Eastern Europe have been imprisoned in the United States for helping cyber-criminals carry out cyber-attacks against individuals and financial institutions in America. 

Pavel Stassi, a 30-year-old Estonian, and 33-year-old Aleksandr Skorodumov, of Lithuania, received custodial sentences for providing bulletproof hosting services that were used to distribute malware from 2009 to 2015.

Court documents state that the two men were members of a bulletproof hosting organization founded and led by two Russian co-defendants, Aleksandr Grichishkin and Andrei Skvortsov, both aged 34.

Cyber-criminals use bulletproof hosting services because they exist to ensure the anonymity of users. According to the US Department of Justice, these criminals did more than simply turn a blind eye to what their users were up to. 

“The defendants also helped their clients evade detection by law enforcement and continue their crimes uninterrupted by monitoring sites used to blocklist technical infrastructure used for crime, moving ‘flagged’ content to new infrastructure, and registering all such infrastructure under false or stolen identities,” said the DOJ’s Office of Public Affairs in a statement released October 20. 

Inside the criminal organization, Skorodumov was a lead systems administrator, performing tasks that included managing clients’ domains and IP addresses, and providing technical assistance to help clients optimize their malware and botnets. 

Stassi was brought on board as an administrator and marketer. One of his jobs was using false and/or stolen personal information to register webhosting and financial accounts used by the organization.

In May, each member of the cyber-criminal quartet pleaded guilty to one count of Racketeer Influenced and Corrupt Organizations (RICO) conspiracy. The men admitted renting out Internet Protocol (IP) addresses, servers, and domains to cyber-criminal clients, who used them to steal banking credentials, spread malware and form botnets.

Among the malware hosted by the organization was Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, which caused or attempted to cause victims based in the United States to lose millions of dollars.

On June 28 and October 20, Chief Judge Denise Page Hood of the US District Court for the Eastern District of Michigan passed custodial sentences of 24 months upon Stassi and 48 months upon Skorodumov. Grichishkin and Skvortsov are pending sentencing.

DOJ Sues Robocaller to Pay Massive Fine

The United States’ Department of Justice (DOJ) is seeking to recover a financial penalty of nearly $10m that was imposed on a man from Montana for operating malicious robocalling campaigns. 

The Federal Communications Commission (FCC) fined Libby resident Scott Rhodes $9,918,000 in January 2021 after discovering that he had illegally used caller ID spoofing with the intent to cause harm.

An investigation by the FCC found that between May 2018 and December 2018 Rhodes had made thousands of spoofed robocalls targeting specific communities with malicious pre-recorded messages.  

“The robocalls included xenophobic fearmongering (including to a victim’s family), racist attacks on political candidates, an apparent attempt to influence the jury in a domestic terrorism case, and threatening language toward a local journalist,” stated the FCC in a news release.

On Wednesday, the DOJ filed a complaint against Rhodes in the US District Court for the District of Montana that seeks to recover the financial penalty and obtain an injunction that would prevent Rhodes from committing any further violations of the Truth in Caller ID Act.

The complaint accuses 52-year-old Rhodes of making 4,959 illegal robocalls in multiple states with falsified caller ID information, with the intent to cause harm. For each state he targeted, Rhodes crafted unique campaigns that referenced local events. 

Residents of Brooklyn, Iowa, were targeted with xenophobic messages referring to the arrest of an illegal alien for the murder of a local college student, Mollie Tibbetts, in July 2018. Meanwhile, victims in Charlottesville, Virginia, were harassed with robocalls based on a false conspiracy theory in an apparent attempt to influence the jury in a local murder trial. 

Rhodes harassed people in Florida and Georgia with spoofed robocalls that attacked gubernatorial candidates, while in Idaho, he robocalled residents of Sandpoint City, attacking the local newspaper and its publisher.

“It is unlawful to spoof caller ID numbers to trick consumers into answering unwanted phone calls with the intent to defraud, cause harm or wrongfully obtain anything of value,” said Acting Assistant Attorney General Brian Boynton for the Justice Department’s Civil Division. 

“The department will work with its agency partners to vigorously enforce the telemarketing laws that prohibit these practices.”

CISA Awards $2M to Cybersecurity Training Programs

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) has awarded two organizations $2m to develop cybersecurity workforce training programs. 

Award recipients NPower and CyberWarrior will use the cash injection to bring cybersecurity training to the unemployed and to underemployed communities.

CISA announced the awards yesterday to coincide with the third week of its Cybersecurity Summit, organized on the theme, “Team Awesome: The Cyber Workforce.” The awards are the first of their kind for the agency, whose mission includes recruiting diverse cybersecurity talent and building the workforce of the future.

“Addressing the cyber workforce shortage requires us to proactively seek out, find, and foster prospective talent from nontraditional places,” said CISA Director Jen Easterly.  

“CISA is dedicated to recruiting and training individuals from all areas and all backgrounds with the aptitude and attitude to succeed in this exciting field.”

The programs will focus on training underserved communities in urban and rural areas and seek to recruit traditionally underrepresented groups in the cybersecurity industry, such as military spouses, women, and people of color. 

“It’s not just the right thing to do; it’s the smart thing to do – for the mission and the country,” said Easterly.  

“We’re best positioned to solve the cyber challenges facing our nation when we have a diverse range of thought bringing every perspective to the problem.”

CyberWarrior Foundation founder Reinier Moquete said CyberWarrior will work with CISA and other stakeholders to train persons from underserved populations via a 28-week cybersecurity bootcamp program. 

“We encourage prospective students, employers and workforce stakeholders to reach out and join us in building opportunities for these individuals,” said Moquete.

NPower CEO Bertina Ceccarelli said CISA’s support will enable NPower to expand the reach of its training program across the United States. 

She said: “NPower’s cybersecurity program offers young adults and veterans the opportunity to advance their careers and deepen their specialties. This is particularly important for individuals coming from underrepresented communities that systemically lack access to those specialized skills.”

Other workforce development efforts made by CISA include the CYBER.org initiative and the K-12 student- and teacher-oriented Cyber Education and Training Assistance Program.

72% of Organizations Experienced a DNS Attack in the Last Year

Nearly three-quarters (72%) of organizations have suffered a domain name system (DNS) attack in the last 12 months, according to a new study by the Neustar International Security Council (NISC).

Of those organizations affected, 61% were targeted on multiple occasions, while 11% have been victimized regularly.

While Neustar noted that DNS attacks are generally a lower concern for security pros than vectors like ransomware, distributed denial-of-service (DDoS) and targeted account hacking, they are becoming increasingly menacing to organizations. According to its latest study, 55% of security professionals consider DNS compromise an increasing threat; this compares to 47% in October 2020.

The most common types of DNS attacks experienced were DNS hijacking (47%), DNS flood, reflection or amplification attacks that segued into DDoS (46%), DNS tunneling (35%) and cache poisoning (33%).

The 302 security professionals from six EMEA and US markets included in the survey were also asked about the damage caused by these incidents. Among those organizations targeted, 58% saw their businesses disrupted for over an hour, and 14% took several hours to recover. However, around one-third were able to recover within minutes.

Website disruptions are becoming increasingly damaging to businesses amid the digital shift during COVID-19. More than nine in 10 (92%) respondents agreed their organization’s website is vital to business continuity and customer fulfillment at some level, with 16% entirely enabled by it. Over half (56%) said their website has a significant role in day-to-day activity, and only 8% of organizations believe they can continue conducting business without their website.

Despite this, just 31% of respondents were confident in their organization’s ability to deal with a DNS attack that could take their website offline. Furthermore, over a quarter (27%) admitted they were not confident.

Michael Kaczmarek, vice president of product management for Neustar Security Solutions, commented: “Organizations are challenged to keep pace with emerging security threats in an increasingly borderless digital landscape. Although some attack vectors may not be as visible or pose as imminent a threat as others, it is clear bad actors will exploit any vulnerability they can find sooner rather than later, and they will cost organizations valuable time, resources and business.”

He added: “The latest data indicates that organizations need to remain vigilant, close security gaps, and patrol for potential breaches around the clock.”

#ISC2Congress: How to Mitigate Evolving Insider Threats

The changing nature of insider threats was described by Lisa Forte, founder, Red Goat Cyber Security, during a keynote presentation at this week’s virtual ISC2 Security Congress 2021.

Forte began by noting that traditionally, insider threat actors are seen as ‘bad apples’ within a business, but we have now “moved quite far away from that.” Indeed, many perpetrators act without malicious intent. She also pointed out that new technologies have made it far easier for employees to carry out acts of espionage against their employers. For example, mobile phones can be used to take photos of important data, and thousands of documents can be transferred to an SD card. These acts are far easier to conceal than in the past, when insider threat actors would “have to physically copy large quantities of files.”

Additionally, the rise of social media means that the “biggest threat comes from insider people who get socially manipulated online to hand over information,” according to Forte. She then described a recent case that highlights this tactic. This involved a scientist (John) who was in charge of a team working on sensitive research for a major UK company. He had recently been divorced and was looking to meet a new partner who shared his passion for science, and signed up to dating websites.

John made a professional post on LinkedIn and received a question in the comments from a lady called Sveti. He responded to her via the private message function, and they engaged in scientific discussion before exchanging numbers and continuing the conversation on WhatsApp. Sveti was from Bulgaria and an aspiring environmental scientist. She continued to ask John questions about science and his research and began requesting diagrams and documents to help explain certain concepts. John obliged, flattered by the interest Sveti was showing in him and his work, and they became closer, with the messages taking a romantic turn. Sveti was also an aspiring dancer and would often ask John to critique her performances.

One day, while working at his organization’s lab during the COVID-19 lockdown, John received a message from Sveti asking him to watch a video of her dancing that she was planning to publish online. However, he couldn’t open it on his phone or a PC in his company’s office. She then begged him to try to play the video on an older device, of which there were several in the lab. He attempted this, but the video still failed to play. Yet suddenly, everything started crashing on the lab computer, alerting the company’s security team, who discovered the file was actually malware. After that, John never heard from ‘Sveti’ again – he had been duped by a highly tailored social engineering campaign to steal information and sabotage his organization.

Forte explained: “Likely, John was carefully and meticulously targeted the data and the systems that he had access to.”

She added that the method of attacking organizations by manipulating their employees is a growing problem. It is also highly effective as high-profile insiders will have access to sensitive systems and data. For example, UK intelligence agency MI5 believes at least 10,000 UK nationals have been approached by fake profiles linked to hostile states on LinkedIn in the past five years.

Other insider threats are conducted intentionally. These fall across three categories: theft, sabotage and fraud. Forte pointed out that even these actors are not always motivated by malice; for example, it may be to pay for a health bill.

Alongside strategies like monitoring, training and collaboration between internal departments, Forte emphasized the importance of culture and well-being in reducing the risk of intentional insider threats. To illustrate this point, she highlighted ‘City 40,’ a secret city created in 1946 by the Soviet Union for the workers of its nuclear program. While the residents were not allowed to leave the city or communicate with anyone outside, they developed a strong sense of community and loyalty to the area, which remains to this day. This is because it had the best facilities, services and quality of life of anywhere in the Soviet Union, ensuring the residents were content despite the restrictions they lived under. The purpose was to make the people “personally invested in keeping our secrets,” and it proved to be highly effective.

Forte believes organizations should apply a similar principle to their staff, focusing on their happiness and well-being. While it is impossible to eliminate the risk of insider threats, employees are very unlikely to engage in such activities “as long as they feel valued and that they’ve got a good deal.”

Threat Actors Abusing Discord to Spread Malware

Researchers have discovered new multi-function malware abusing the core functions of popular group app platform Discord.

Check Point explained in a blog post this morning that it found several malicious GitHub repositories featuring malware based on the Discord API and malicious bots. The malware included various features, including keylogging, taking screenshots and executing files.

Discord bots help users automate tasks on the Discord server. However, they can also be used for malicious ends, the researchers warned.

For example, the Discord Bot API can easily be manipulated to turn a bot into a simple Remote Access Trojan (RAT). This doesn’t even require the Discord app to be downloaded to a target’s machine.

What’s more, communications between attacker, Discord server and victim’s machine are encrypted by Discord, making it much harder to detect any malware, Check Point claimed. It said that this could provide attackers with an “effortless” way to infect machines and turn them into malicious bots.

“The Discord API does not require any type of confirmation or approval and is open for everyone to use,” the researchers wrote.

“Due to these Discord API freedoms, the only way to prevent Discord malware is by disabling all Discord bots. Preventing Discord malware can’t be done without harming the Discord community. As a result, it’s up to the users’ actions to keep their devices safe.”

Check Point also found dozens of instances where threat actors used Discord as a malicious file hosting service, with their privacy protected by the app.

“As of now, any type of file, malicious or not, whose size is less than 8MB can be uploaded and sent via Discord. Because the file content isn’t analyzed, malware can be easily spread via Discord,” it concluded.

“As Discord’s cache is not monitored by modern AVs, which alert a user in case a received file is considered malicious, the files remain available for download. Until relevant mechanisms are implemented, users must apply safety measures and only download trusted files.”

US to Ban Export of Hacking Tools to Authoritarian States

The US government has issued new rules designed to prevent the export of hacking and surveillance tools to regimes guilty of human rights abuses.

The “interim final rule” was released by the Commerce Department’s Bureau of Industry and Security (BIS) and will go into force in 90 days.

Governments singled out by the proposals are “of concern for national security reasons” or subject to an arms embargo.

Restrictions will also apply if the exporter knows that the product will be used to impact the confidentiality, integrity or availability of IT systems without the knowledge of their owner/administrator.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said commerce secretary Gina Raimondo.

“The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”

The move will do nothing to impact the export of hacking tools from other countries to authoritarian regimes. Controversial spyware developer NSO Group is headquartered in Israel, for example.

The cybersecurity community has 45 days to comment on the proposals. They include a License Exception Authorized Cybersecurity Exports (ACE) designed to ensure products can still be sold to “most destinations” unhindered.

The latest action by BIS comes as a result of BIS’s negotiations in the multilateral Wassenaar Arrangement, which governs export controls. The long-running treaty has been criticized in the past for adding unnecessary red tape for cybersecurity vendors wanting to export their products abroad.

Several years ago, it was claimed the rules could even restrict the sharing of vulnerability information globally between legitimate threat researchers.

Full details of the new BIS interim final rule are available here.

Data Scrapers Expose 2.6 Million Instagram and TikTok Users

Security researchers have discovered over two million social media user profiles scraped from the internet after they were unwittingly exposed online by an analytics firm, Infosecurity can reveal.

A team at reviews site SafetyDetectives led by Anurag Sen found the data located on a misconfigured Elasticsearch server, left exposed without any password protection or encryption in place.
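The exposure described above comes down to two settings. The following elasticsearch.yml fragments are an added illustration, not IGBlade’s actual configuration: the first reproduces the weak state the researchers describe (no authentication, no encryption, bound to every interface), the second the corrected state. Setting names are standard Elasticsearch 7.x X-Pack keys; the cluster name, bind address and certificate paths are constructed placeholders.

```yaml
# elasticsearch.yml -- BEFORE: the exposed state (constructed illustration)
cluster.name: insights-db          # placeholder name
network.host: 0.0.0.0              # listens on every interface, so the node is reachable from the internet
http.port: 9200
xpack.security.enabled: false      # no authentication: anyone who can reach :9200 can read every index
# no xpack.security.http.ssl.* keys at all -> the REST API speaks plaintext HTTP

# elasticsearch.yml -- AFTER: authentication required, TLS on the REST and transport layers
cluster.name: insights-db
network.host: 10.0.0.5             # placeholder private address; expose 9200 only through a firewall or VPN
http.port: 9200
xpack.security.enabled: true       # every request must carry credentials (initial passwords via elasticsearch-setup-passwords)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12           # placeholder keystore path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12  # placeholder keystore path
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

A quick sanity check after the change is that an unauthenticated request to the REST port is refused with 401 rather than answered with index data.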

It quickly traced the 3.6GB trove of more than 2.6 million TikTok and Instagram profiles to IGBlade, a firm that provides marketing insights on social media users for its customers.

“The scraped data of users on the server is the same data that features each user’s corresponding IGBlade.com page, and the database often provides links back to IGBlade,” the researchers wrote. “This is how we know the database belongs to IGBlade.com.”

Although data scraping is not illegal, and all of the user info contained in the exposed database was publicly available, it breaks the terms of service for TikTok and Instagram.

The leak could also be a boon for cyber-criminals, who can accelerate mass social engineering and fraud campaigns with large volumes of user information collected in one place.

According to the report, the exposed information was left publicly available online for over a month before the research team found it and reached out to IGBlade. The Romanian firm secured it on the same day, July 5.

The trove included full names and usernames, profile pictures, “about” details, email addresses, phone numbers and location data. Celebrities including Alicia Keys, Ariana Grande, Kim Kardashian, Kylie Jenner, and Loren Gray were caught in the privacy issue.

SafetyDetectives claimed the revelation could land IGBlade in trouble with the two social media giants.

Beyond this, if criminals got hold of the trove, they could use it in follow-on phishing attacks and mass robocalling scams. The researchers claimed that they could even use the scraped profile pics to create new fake accounts for misinformation and scam campaigns.

“Data scraping can make information for thousands or millions of users instantly accessible, as it’s all stored in the same place. For example, navigating logs in a database is a far quicker solution than navigating between each user on a social media site,” said SafetyDetectives.

“In this case, cyber-criminals can use data scraping as a cybercrime accelerant rather than an enabler. It can accelerate the speed and scope of hackers’ criminal activities.”

Russian Cyber-Criminals Switch to Cloud

Cybersecurity firm Kaspersky today released research on Russian-speaking cyber-criminal activity and how it has changed over the past six years.

The study by Kaspersky’s Computer Incident Investigation Department found that historically favored attacks targeting banks and other financial organizations with money-stealing malware have largely been replaced. Nowadays, cyber-criminals prefer to hit their targets with ransomware and data-stealing attacks delivered via spear-phishing emails with malicious attachments.

“Back in 2016, our primary focus was on big cyber-gangs that targeted financial institutions, especially banks,” said Ruslan Sabitov, security expert at Kaspersky. “Big names such as Lurk, Buhtrap, Metel, RTM, Fibbit, and Carbanak boldly terrorized banks nation-wide, and in some cases internationally. Yet, they have eventually fallen apart or ended up behind bars – with our help.”

Researchers observed that the old attack method was reliant on security holes in popular web browsers and suggested that improvements to the security of browser and other technology were behind the switch. 

Another critical change recorded was a move away from developing malware in-house and toward public cloud infrastructure. Researchers found that cyber-criminals now prefer to use publicly available penetration testing and remote access software to bypass security defenses by appearing legitimate.

Cyber-criminals were found to be working together in much smaller groups than before. And, instead of hitting Russia and the Commonwealth of Independent States territories, they are striking targets overseas.

“No longer needing to create their own malicious tools together with active usage of cloud infrastructure allows them to conduct malicious activity in much smaller groups than was previously possible,” noted researchers. 

“With the exploit mitigations put in place by browser vendors, the difficulty of weaponizing a one-day vulnerability is substantially higher. Simultaneously, the lifetime of any weaponized exploit is much lower thanks to automatic updates,” BreachQuest co-founder and CTO, Jake Williams, told Infosecurity Magazine.

He added: “We expect over time to see groups continue to become more specialized in the targeting of their operations. And given the difficulty of weaponizing exploits, it’s a near certainty that we’ll contend with more social engineering as an initial entry vector.”
