Newsletters

A caveat up front: The Daily Mail is not the most reliable newspaper, and the hack has not yet been independently confirmed by other sources, although it hasn't been denied either. The broad outline of the claims are that the phone was hacked some months ago and sensitive messages compromised, including to international foreign ministers about the war in Ukraine and also to Kwasi Kwarteng, a friend of Truss who subsequently became Chancellor of the Exchequer. According to The Daily Mail's report, after the hack was discovered, Prime Minister Johnson and the Cabinet Secretary suppressed the news.

Matt Tait, aka PwnAllTheThings on Twitter, has written up a decent analysis of the story including an examination of why it might have been published now, the bona fides of the authors, and the possible motivations of sources. His conclusion: there are some red flags, but it could be true, and he goes on to examine the implications of the hack of a minister's phone.

Regardless of the underlying truth, The Daily Mail story highlights an uncomfortable reality — politicians absolutely need to use phones nowadays even though phones are insecure.

The leaked chat logs reveal several things. The first is the names of core members in charge of the Yanluowang RaaS and their identities on cybercrime forums.

The second is that the Yanluowang ransomware gang began operations in October 2021, which is around the same time Broadcom's Symantec first reported on their activities.

Third is that the gang and its members are really bad at coding, which now explains why Kaspersky researchers were able to find a vulnerability in its encryption algorithm and release a free decrypter back in April. And if that wasn't bad enough, the leaker also shared a screenshot allegedly containing the ransomware's decryption routine source code.

Amazon server leak: Amazon said there was a "deployment error" with one of its Amazon Prime analytics servers that was left exposed online without a password for more than two weeks and leaked 215 million entries containing pseudonymized user data. According to TechCrunch, which first reported on the leak, the leaked data contained the name of the show or movie that a user was streaming, on what device it was streamed, Prime subscription details, and network quality.

Aurubis attack: Aurubis, the second-largest copper producer in the world, disclosed a cybersecurity incident on Friday in what the company described as "apparently part of a larger attack on the metals and mining industry." The company said the incident didn't impact its production or environmental protection systems at smelter sites.

Telegram gets a one-day block in Russia: Russia's telecommunications watchdog, the Roskomnadzor, blocked Telegram's t.me short URL on Saturday after a copy of a video was uploaded on the platform containing instructions on how Russian soldiers could surrender to the Ukrainian Armed Forces, once deployed in Ukraine. The URL was not in Roskomnadzor's blocklist on Sunday, suggesting the block was lifted after only one day.

The new "number matching" feature works to protect accounts by showing a number inside the push notification message received by account owners. Even if the user clicks "yes/approve" by accident, the attacker won't be able to log in without entering this number as well, which most attackers would not be able to do.

Microsoft announced this feature earlier this year—after Lapsus$ compromised its network—but a similar number matching feature has also been available in other secure authentication providers like Cisco Duo, Okta, and others.

However, it must be mentioned that this technique is not foolproof, and attackers who contact employees posing as IT staff have been known to extract these numbers from employees in some attacks. But if you're forcing employees into MFA that rely on push notifications, it's better to have numbers matching enabled than not. Either way, if FIDO-based MFA is an option, better use that, as that form of cryptographic device-based authentication is not vulnerable to MFA fatigue attacks.

A hacktivist group calling itself Guacamaya has been very active in recent months, leaking large quantities of data from mining companies and several Latin American governments. But looking closer, Guacamaya's actions align in a few ways with Chinese aims. So, a question we've been kicking around at Risky Business HQ is whether Guacamaya is indeed a legitimate hacktivist group or just someone's sock puppet. Spoiler alert: We think it's probably the real deal but there are a few red flags.

Guacamaya has been active since at least March this year, and in its first publicly known hack it compromised a mining company operating in Guatemala and shared documents obtained in the hack with Forbidden Stories, a collaboration network for journalists, which subsequently published a "Mining Secrets" series of articles.

The group has been on a tear across Latin America ever since. It compromised more mining and oil companies but also government departments and national police and military forces. These police and military breaches include the General Command of the Military Forces of Colombia, Mexico's Secretariat of National Defense, El Salvador's National Civil Police, the Peruvian Army, and the Joint Chiefs of Staff of the Chilean Armed Forces.

But—surprise, surprise—it turns out that the developer didn't die in the war, and he stopped responding to his co-workers because he was arrested in the Netherlands at the request of the FBI.

All of this came to light yesterday when the US Department of Justice unsealed charges against Mark Sokolovsky, 26, a Ukrainian national, for his role in maintaining the Raccoon Infostealer (also known as Raccoon Stealer) malware-as-a-service (MaaS).

The DOJ said that together with Dutch and Italian authorities, the FBI also seized servers operated by the Raccoon gang, effectively taking offline that older version of the Raccoon operation.

The infosec community went past its childish naivety stage a long time ago, so most researchers and IT admins don't run PoCs directly on their production systems these days (hopefully 🤞). This study just puts a number on the chances of getting infected with malware if you're running PoCs shared by some unknown account named PapaSmurf, rather than waiting for someone like Rapid7 or TrustedSec to release one.

Argentina's army gets ransomwared: Argentina's Joint Chief of Staff of the Armed Forces disconnected its IT network last week after the agency suffered a ransomware attack. Local media reported that the incident prevented army officials from holding their regular security meetings, including ones with international partners.

$60mil ransom demand: Pendragon, one of the UK's largest car dealerships, said it was hacked and held for ransom by the LockBit ransomware gang, which requested a whopping $60 million to decrypt the company's files—one of the largest ransomware demands ever reported.

Mandiant cites several reasons for URSNIF's new radical redesign. At least two leaks of its codebase, multiple branches of the same codebase that had slowly diverged and were making it harder to support features across different botnets, but also an ancient codebase that had finally reached the end of the road when IE was removed from Windows.

Honestly, it's a surprise that URSNIF lasted this long still operating on a banking trojan model. It had become obvious in the mid-2010s that the banking malware scene was dying, at least on the desktop.

Banks, tired of a decade of heists from customer accounts, had rolled out advanced multi-factor authentication and transaction verification systems. While not foolproof, these systems did their job and made it more time-consuming for banking malware operators to steal money from compromised accounts.

Being "overemployed" — secretly working multiple full-time jobs — is a trend. Equifax used one of its own products, called The Work Number, to identify employees that had overlapping pay periods from other companies. This information was then combined with other data including VPN usage, manager reports and unexplained absences during the workday to identify 25 employees working multiple full-time jobs. In addition to 25 employees, 283 contractors were also identified as potentially working two jobs, although it is not clear what happened to them.

While The Work Number product has existed since 2007, it has massively grown in scope over the last couple of years. The company's 2021 annual report states The Work Number is now "now receiving records every pay period from 2.5 million companies, up from 1 million when we started 2021 and 27,000 contributors a short two-plus years ago".

The authors of the Business Insider report state:

Kashfi obtained multiple copies of the malware—which he later identified as a version of the L3MON Android remote access trojan—and found that all samples were communicating with a VPS server based in Germany, on which the BSI acted this week.

The researcher is now warning that even if this server is now down, the danger to protesters continues, as IRGC operators are most likely to set up a new one for subsequent deployments.

Iranians detained by the IRCG are advised to reset their smartphones as Kashfi says that the L3MON RAT has no advanced persistence capabilities, and this will remove it from compromised devices.