CyberCrime - W/E - 12/13/19

Ex-Apple Exec Alleges Company Accessed His iPhone Messages (12/10/2019)
The formation of a new start-up by a former Apple executive has triggered a legal challenge from Cupertino and countercharges of invasion of privacy. Gerard Williams, who had been responsible for all chip design for Apple's mobile devices, alleges that phone and text messages between him and other Apple employees were illegally collected by the company as it sought to prevent him from competing with the firm. Two of those employees later joined Williams at his new venture, Nuvia, which designs processors for data center servers. In August, Apple sued Williams, alleging "breach of contract and breach of duty of loyalty" and contending that he drew on his work creating iPhone and iPad chips to start his new company and recruited other engineers from Apple. In response, Williams claims that Apple accessed his iPhone messages to gather information about his business intentions. According to CNBC, the filing against Apple states, "To further intimidate any current Apple employee who might dare consider leaving Apple, Apple's complaint shows that it is monitoring and examining its employees' phone records and text messages, in a stunning and disquieting invasion of privacy."

Lazarus Threat Group Teams Up with Trickbot's Anchor Project (12/11/2019)
Researchers at SentinelOne have identified a connection between the North Korean threat group known as Lazarus and the TrickBot crimeware gang that built the Anchor Project framework. While analyzing Anchor's tooling, the researchers found that a known Lazarus tool, PowerRatankba, was being loaded through Anchor. "The specific evidence pointed out that this Lazarus group toolkit was loaded via the TrickBot Anchor project pointing to the now-unmasked relationship between the tools attributed to TrickBot 'Anchor' group and Lazarus," the SentinelOne team said.

Nigerian Man Extradited to US on Charges Stemming from BEC Scheme (12/10/2019)
A Nigerian citizen residing in Ghana has been extradited to stand trial on an indictment charging him with wire fraud, money laundering, computer fraud, and aggravated identity theft, according to the Justice Department (DOJ). The indictment alleges that Babatunde Martins and various Africa-based co-conspirators committed, or caused to be committed, a series of intrusions into the servers and email systems of a Memphis-based real estate company in June and July 2016. Using anonymization techniques, including spoofed email addresses and virtual private networks, the co-conspirators identified large financial transactions, initiated fraudulent email correspondence with the relevant business parties, and then redirected closing funds through a network of US-based money mules to final destinations in Africa. This scheme, known as business email compromise (BEC), caused hundreds of thousands of dollars in losses to companies and individuals in Memphis. Martins is also charged with perpetrating romance scams, fraudulent-check scams, gold-buying scams, advance-fee scams, and credit card scams.

Ransomware Attack on Colorado Services Provider Affects Over 100 Dental Offices (12/09/2019)
KrebsOnSecurity has learned that Complete Technology Solutions (CTS), a Colorado IT services provider, was hit by a ransomware attack that has disrupted operations at more than 100 dental practices it serves. The intrusion resulted in those practices being infected with the Sodinokibi (also known as REvil) ransomware. CTS provides services including network security, data backup, and voice-over-IP phone service. The attack began on November 25, and as of December 9 clients were still affected. Multiple sources told researcher Brian Krebs that CTS appears to have refused to pay the $700,000 USD ransom demanded to unlock the encrypted files.

Ransomware Targeting Municipalities Spiked in 2019 (12/11/2019)
Kaspersky researchers observed that at least 174 municipal institutions, encompassing more than 3,000 subordinate organizations, were targeted by ransomware during 2019. This represents a 60% increase over the same figure for 2018.

Romanian Nationals Receive Jail Time for Operating Bayrob Cybercriminal Enterprise (12/09/2019)
The Justice Department (DOJ) announced that Bogdan Nicolescu and Radu Miclaus, both from Bucharest, Romania, were sentenced to 20 years and 18 years, respectively, for their roles in a scheme that, among other things, infected more than 400,000 computers with malware and obtained credit card and other information for later sale on dark market Web sites. Beginning in 2007, Nicolescu, Miclaus, and others operated a criminal enterprise referred to as the Bayrob Group from Bucharest, distributing malware disguised as legitimate emails from entities and agencies such as Western Union, Norton AntiVirus, and the Internal Revenue Service (IRS). The malware harvested email addresses from each victim and used them to send further lures, eventually taking control of over 400,000 computers. The group mined data from the infected computers and sold it in the cybercriminal underground, including passwords, computer access, and financial data. Bayrob's members also used the infected computers to mine cryptocurrency. Altogether, the enterprise stole at least $4 million USD.

Two Russian Men Charged in Decade-Long Hacking Scheme Involving Bugat/Dridex Malware (12/11/2019)
The Department of Justice (DOJ) announced criminal charges against Maksim V. Yakubets of Russia in connection with two separate international computer hacking and bank fraud schemes spanning May 2009 to the present. A second Russian national, Igor Turashev, was also indicted for his role in the Bugat malware conspiracy. A federal grand jury returned a 10-count indictment against Yakubets and Turashev charging them with conspiracy, computer hacking, wire fraud, and bank fraud in connection with the distribution of Bugat, a multifunction malware package designed to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers. Bugat later evolved into the Dridex malware. Yakubets has also been charged with conspiracy to commit bank fraud in connection with the Zeus malware.

Ukrainian Officials, Others Targeted by Russian Gamaredon Threat Group (12/10/2019)
Anomali has identified malicious activity conducted by the Russia-sponsored advanced persistent threat (APT) group Gamaredon (also known as Primitive Bear). Based on the lure documents observed, the targets include Ukrainian diplomats, government officials and employees, journalists, law enforcement, and others. The campaign used weaponized documents delivered by spear phishing as its initial infection vector. The Gamaredon group has been active since at least 2013.

Vietnamese Threat Group OceanLotus Hacked BMW, Hyundai (12/10/2019)
Car manufacturers BMW and Hyundai were both hacked by a Vietnamese cyberespionage group. Information on the Hyundai intrusion is limited, but at BMW the attackers used the Cobalt Strike penetration testing tool to gain a foothold. This information comes from SecurityWeek, after the story was first reported by German broadcaster Bayerischer Rundfunk (BR). BMW's systems were first compromised in the spring, but the automaker chose to monitor the attackers' activity for months before taking the infected devices offline. BMW does not believe that any critical data was stolen or affected. BR reported that the sophisticated and well-known OceanLotus group (also known as APT32), a Vietnamese threat actor, is responsible for the attacks.