FBI disrupts BlackCat, International operation nabs thousands, Sony data leak
December 24, 2023
FBI disrupts BlackCat ransomware network
On Tuesday, the US Justice Department announced that it has seized websites of the second most prolific ransomware-as-a-service operation, BlackCat, also called ALPHV or Noberus. The DoJ said the FBI has provided a decryptor to dozens of victims globally, saving approximately $68 million in ransom demands. The search warrant reveals law enforcement used a confidential informant to infiltrate BlackCat, observe its operations and obtain credentials to the gang’s backend affiliate panel used to manage extortion campaigns. Earlier this month, BlackCat’s Tor-based leak site disappeared in what was believed to be a law enforcement operation.
(SecurityWeek and Bleeping Computer)
International operation arrests thousands of cybercriminals
A coordinated global effort codenamed ‘Operation HAECHI IV’ has led to the arrest of 3,500 cybercrime suspects. South Korean authorities led the operation with support from agencies from 34 countries, including the US, the UK, Japan, Hong Kong (China), and India. Between July and December 2023, authorities targeted threat actors engaging in voice phishing, romance scams, AI impersonation scams, online sextortion, illegal online gambling, business email compromise, and e-commerce fraud. Interpol flagged and froze more than 82,000 bank accounts across 34 countries, resulting in the seizure of about $200 million in hard currency and $100 million in virtual assets (such as non-fungible tokens, or NFTs).
Sony’s video game plans leaked by ransomware group
Hackers claimed to have leaked over 1.3 million files from Sony’s Insomniac Games division. The Rhysida ransomware group claimed the hack on December 12, threatening to auction the data for approximately $2 million in Bitcoin. The leak includes game roadmaps, budgets, and details about Insomniac’s Wolverine game slated for release in 2026. The leak also reveals Sony plans to release several Marvel-inspired titles over the next decade, including Spider-Man 3. Other leaked details include compensation and personal info of dozens of current and former employees, photos of an executive’s credit card, financial agreements and multimillion-dollar executive parachute payment agreements based upon the studio’s sale to Sony.
Rite Aid banned from using AI facial recognition
The Federal Trade Commission (FTC) announced Tuesday that it has banned Rite Aid from using facial recognition technology for five years. The FTC alleged that between 2012 and 2020 Rite Aid used an often inaccurate AI-powered facial recognition database to identify customers it believed were shoplifters or “dishonest.” Rite Aid used grainy images drawn from security cameras, employee phone cameras and even news stories to populate its database. The company then forced employees to stalk and sometimes humiliate those who had been wrongly identified. The FTC said Rite Aid did not take “reasonable measures” to prevent harm to consumers.
Hackers abusing GitHub to control compromised hosts
Researchers at ReversingLabs have identified threat actors leveraging new techniques to host their command-and-control (C2) infrastructure in GitHub. The first technique abuses secret Gists, which are mini repositories that are hidden from GitHub’s discover feed and the author’s profile page. Threat actors are blending their malicious network traffic with genuine communications to make detection more challenging. Researchers discovered a second technique exploiting version control features and leveraging git commit messages to extract execution commands. The researchers said that while the use of GitHub to host command-and-control (C2) infrastructure is not new, the abuse of secret Gists and version control features is novel.
African telecom organizations targeted by Iran-linked hackers
A cyber-espionage group, dubbed MuddyWater and linked to Iran’s intelligence service, has been targeting telecommunications companies in Egypt, Sudan and Tanzania. The group’s activity in Africa is believed to be linked to the war between Israel and the Palestinian militant group Hamas, which is reportedly supported by Iran. Egypt, which borders Gaza, has been involved in the ongoing war and has also been the most targeted by the MuddyWater campaign. Over the past few months, MuddyWater’s activity has mostly been aimed at organizations in Israel.
Foreign actors targeted 2022 US elections
On December 11, US authorities declassified reports revealing that foreign actors attempted to use IT operations to influence 2022 midterm elections. Agencies, including the FBI, the CIA, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI), have high confidence that China approved efforts to influence races involving both Democratic and Republican parties. The report indicated moderate confidence that Iranian intelligence services conducted operations to undermine US democratic institutions while the Russian government and its proxies propagated a defamation campaign against the Democratic party. The agencies said they did not find evidence that malicious cyber activities successfully affected the 2022 election process.
Terrapin attacks can downgrade security of OpenSSH connections
Researchers have developed a new attack called Terrapin that allows attackers to downgrade the public key authentication algorithms or disable defenses against keystroke timing attacks in OpenSSH 9.5. The researchers say Terrapin “exploits weaknesses in the SSH transport layer protocol in combination with newer cryptographic algorithms and encryption modes introduced by OpenSSH over 10 years ago.” Attackers must be positioned on the network path of a connection that uses specific encryption modes in order to modify the handshake exchange. Despite Terrapin’s specific requirements, the 77% adoption rate of the noted encryption modes makes the attack feasible in a real-world scenario. As vendors work to address the issue, the researchers have published a Terrapin vulnerability scanner on GitHub for admins to check their implementations.
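The practical question for an admin is which of their SSH sessions would actually negotiate one of the affected modes. The following is an added example (not the researchers' scanner and not code from the article): it models the SSH algorithm negotiation rule and flags a client/server pair when the negotiated cipher is ChaCha20-Poly1305 or a CBC cipher paired with an Encrypt-then-MAC MAC, the two families the Terrapin research identified. It also checks for the strict key exchange extension (`kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com`) that OpenSSH 9.6 added as the countermeasure; that extension is not mentioned on this page and is assumed here from the OpenSSH release notes. All algorithm lists below are constructed sample data.

```python
"""Added example: flag SSH client/server algorithm lists whose negotiated
mode is one of the Terrapin-affected modes without strict-kex protection.
Constructed sample data; not the researchers' scanner."""

from dataclasses import dataclass
from typing import List, Optional

# Affected cipher / MAC families reported by the Terrapin researchers.
CHACHA = "chacha20-poly1305@openssh.com"
# Strict key exchange extension names (OpenSSH 9.6 countermeasure; assumption
# that both sides must advertise it for the mitigation to be active).
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


@dataclass
class KexInit:
    """Algorithm lists one side advertises in SSH_MSG_KEXINIT (simplified)."""
    kex: List[str]
    ciphers: List[str]
    macs: List[str]


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 rule: first algorithm in the client's list that the server also supports."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None


def terrapin_mode(cipher: Optional[str], mac: Optional[str]) -> Optional[str]:
    """Return a label when the negotiated (cipher, MAC) is an affected mode, else None."""
    if cipher == CHACHA:
        return "chacha20-poly1305"          # AEAD cipher; MAC list is irrelevant
    if cipher and cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
        return "cbc-etm"
    return None


def assess(client: KexInit, server: KexInit) -> dict:
    """Report what the pair would negotiate and whether it remains exposed."""
    cipher = negotiate(client.ciphers, server.ciphers)
    mac = negotiate(client.macs, server.macs)
    mode = terrapin_mode(cipher, mac)
    strict = STRICT_KEX_CLIENT in client.kex and STRICT_KEX_SERVER in server.kex
    return {
        "cipher": cipher,
        "mac": mac,
        "affected_mode": mode,
        "strict_kex": strict,
        "vulnerable": mode is not None and not strict,
    }


# --- constructed sample advertisements -------------------------------------
LEGACY_SERVER = KexInit(
    kex=["curve25519-sha256"],
    ciphers=[CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
PATCHED_SERVER = KexInit(
    kex=["curve25519-sha256", STRICT_KEX_SERVER],
    ciphers=LEGACY_SERVER.ciphers,
    macs=LEGACY_SERVER.macs,
)
DEFAULT_CLIENT = KexInit(            # prefers ChaCha20, like stock OpenSSH clients
    kex=["curve25519-sha256", STRICT_KEX_CLIENT],
    ciphers=[CHACHA, "aes256-gcm@openssh.com"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
HARDENED_CLIENT = KexInit(           # GCM only: no affected mode can be negotiated
    kex=["curve25519-sha256"],
    ciphers=["aes256-gcm@openssh.com", "aes128-gcm@openssh.com"],
    macs=["hmac-sha2-256"],
)
CBC_CLIENT = KexInit(                # legacy CBC + EtM combination
    kex=["curve25519-sha256"],
    ciphers=["aes256-cbc"],
    macs=["hmac-sha2-256-etm@openssh.com"],
)

if __name__ == "__main__":
    for name, client, server in [
        ("default client -> unpatched server", DEFAULT_CLIENT, LEGACY_SERVER),
        ("default client -> patched server", DEFAULT_CLIENT, PATCHED_SERVER),
        ("GCM-only client -> unpatched server", HARDENED_CLIENT, LEGACY_SERVER),
        ("CBC client -> unpatched server", CBC_CLIENT, LEGACY_SERVER),
    ]:
        print(f"{name}: {assess(client, server)}")
```

The two remediation paths fall out of the report: either both peers advertise strict kex, or the affected modes are removed from the client's or server's cipher/MAC preference lists so they can never be negotiated. Note that the check reasons only about what the peers advertise; whether an attacker can sit on the path and alter the handshake is a separate question.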