Newsletters

A hacktivist group calling itself Guacamaya has been very active in recent months, leaking large quantities of data from mining companies and several Latin American governments. But looking closer, Guacamaya's actions align in a few ways with Chinese aims. So, a question we've been kicking around at Risky Business HQ is whether Guacamaya is indeed a legitimate hacktivist group or just someone's sock puppet. Spoiler alert: We think it's probably the real deal but there are a few red flags.

Guacamaya has been active since at least March this year, and in its first publicly known hack it compromised a mining company operating in Guatemala and shared documents obtained in the hack with Forbidden Stories, a collaboration network for journalists, which subsequently published a "Mining Secrets" series of articles.

The group has been on a tear across Latin America ever since. It compromised more mining and oil companies but also government departments and national police and military forces. These police and military breaches include the General Command of the Military Forces of Colombia, Mexico's Secretariat of National Defense, El Salvador's National Civil Police, the Peruvian Army, and the Joint Chiefs of Staff of the Chilean Armed Forces.

But—surprise, surprise—it turns out that the developer didn't die in the war, and he stopped responding to his co-workers because he was arrested in the Netherlands at the request of the FBI.

All of this came to light yesterday when the US Department of Justice unsealed charges against Mark Sokolovsky, 26, a Ukrainian national, for his role in maintaining the Raccoon Infostealer (also known as Raccoon Stealer) malware-as-a-service (MaaS).

The DOJ said that together with Dutch and Italian authorities, the FBI also seized servers operated by the Raccoon gang, effectively taking offline that older version of the Raccoon operation.

The infosec community went past its childish naivety stage a long time ago, so most researchers and IT admins don't run PoCs directly on their production systems these days (hopefully 🤞). This study just puts a number on the chances of getting infected with malware if you're running PoCs shared by some unknown account named PapaSmurf, rather than waiting for someone like Rapid7 or TrustedSec to release one.

Argentina's army gets ransomwared: Argentina's Joint Chief of Staff of the Armed Forces disconnected its IT network last week after the agency suffered a ransomware attack. Local media reported that the incident prevented army officials from holding their regular security meetings, including ones with international partners.

$60mil ransom demand: Pendragon, one of the UK's largest car dealerships, said it was hacked and held for ransom by the LockBit ransomware gang, which requested a whopping $60 million to decrypt the company's files—one of the largest ransomware demands ever reported.

Mandiant cites several reasons for URSNIF's new radical redesign. At least two leaks of its codebase, multiple branches of the same codebase that had slowly diverged and were making it harder to support features across different botnets, but also an ancient codebase that had finally reached the end of the road when IE was removed from Windows.

Honestly, it's a surprise that URSNIF lasted this long still operating on a banking trojan model. It had become obvious in the mid-2010s that the banking malware scene was dying, at least on the desktop.

Banks, tired of a decade of heists from customer accounts, had rolled out advanced multi-factor authentication and transaction verification systems. While not foolproof, these systems did their job and made it more time-consuming for banking malware operators to steal money from compromised accounts.

Being "overemployed" — secretly working multiple full-time jobs — is a trend. Equifax used one of its own products, called The Work Number, to identify employees that had overlapping pay periods from other companies. This information was then combined with other data including VPN usage, manager reports and unexplained absences during the workday to identify 25 employees working multiple full-time jobs. In addition to 25 employees, 283 contractors were also identified as potentially working two jobs, although it is not clear what happened to them.

While The Work Number product has existed since 2007, it has massively grown in scope over the last couple of years. The company's 2021 annual report states The Work Number is now "now receiving records every pay period from 2.5 million companies, up from 1 million when we started 2021 and 27,000 contributors a short two-plus years ago".

The authors of the Business Insider report state:

Kashfi obtained multiple copies of the malware—which he later identified as a version of the L3MON Android remote access trojan—and found that all samples were communicating with a VPS server based in Germany, on which the BSI acted this week.

The researcher is now warning that even if this server is now down, the danger to protesters continues, as IRGC operators are most likely to set up a new one for subsequent deployments.

Iranians detained by the IRCG are advised to reset their smartphones as Kashfi says that the L3MON RAT has no advanced persistence capabilities, and this will remove it from compromised devices.

Tata Power: Tata Power, one of the largest electrical power producers in India, disclosed a security breach in a document [PDF] filed with India's national stock exchange. The company said the incident only impacted its IT systems—which is currently in the process of restoring—and that all other critical systems are operating as normal. [Additional coverage in TechCrunch]

Woolworths breach: Australian retail chain Woolworths said that a threat actor compromised an employee's credentials and accessed the backend of its MyDeal portal. The company is currently sending email notifications to all affected customers. Exposed data includes names, dates of birth, phone numbers, and home addresses, according to a notification seen by ABC.

Advanced incident: Advanced, one of the biggest IT providers for the UK NHS, disclosed a security breach last week, admitting they had their IT network compromised following an infection with the LockBit 3.0 ransomware.

We call it lameness because anyone with a basic understanding and foothold in the cybersecurity industry saw through this in the first five seconds.

Obviously, this disinformation campaign wasn't meant for the big-brains in the infosec industry, but because it was caught on early on and ridiculed into the ground, it was also almost immediately yeeted into the sun by the time of this newsletter, with the vast majority of the participating accounts being wiped clean (see list of accounts here, compiled by Stairwell security researcher Silas Cutler).

All of this fits in some bizarre trend that we've observed this year from the Chinese government, which has been obsessed with painting the US government, and the NSA in particular, as some sort of Dick Dastardly of the cyber-espionage world, responsible for all sorts of bad things, like... spying. Because that's obviously not what an intelligence agency does.

US President Joe Biden signed an executive order last Friday aimed at implementing a new privacy framework for data sharing between the European Union and the US (The EU-US Data Privacy Framework or EU-US DPF). The Executive Order on "Enhancing Safeguards For United States Signals Intelligence Activities" is intended to square the circle and balance US national security requirements for signals intelligence (SIGINT) against European Union human rights protections.

The goal of the privacy framework is to make transatlantic data flows between the EU and US legal and relatively easy by ensuring that EU citizens' user data is appropriately protected when it is transferred to the US. Two previous agreements — Safe Harbor and Privacy Shield — were both struck down by the European Court of Justice in 2015 and 2020 respectively for not adequately protecting users from US intelligence collection practices.

The EO adds new safeguards for US SIGINT activities, including:

STAX Finance hack: DeFi platform STAX Finance said it lost $2.3 million after an attacker exploited a bug in TempleDAO, the backbone of its service.

Forced to delete notebooks and files: Peiter "Mudge" Zatko, Twitter's former head of security, alleged that Twitter management forced him to burn notebooks and delete files in order to get his severance package. According to Bloomberg, citing court documents unsealed this week, this included 10 handwritten notebooks and deleted 100 computer files.

Brute-force protection for local admin accounts now generally available: With yesterday's Patch Tuesday security updates, Microsoft has also enabled a new feature by default for all Windows OS versions that will lock and freeze all local admin accounts for 10 minutes after 10 failed login attempts. The feature is meant to be Microsoft's best protection against brute-force attacks, including those carried out via RDP, that have served as an initial entry for many cybercrime and cyber-espionage operations over the past years. A similar feature to block SMB-based brute-force attacks is also in the works.