
Russia's Cozy Bear Targeted German Political Parties With a Party Invitation

German authorities took down Nemesis Market, China was behind theft of UK voter rolls, GM to stop sharing drivers' details with data brokers, Mozilla jettisons Onerep people search service, MuddyWater uses fake compensation lures, Cops bust notorious rug puller, much more

IMPORTANT PUBLISHING NOTICE: Metacurity will be on a break from 3/26/24 through 4/2/24. We will resume publication on 4/3/24. May the force be with you.

Researchers at Mandiant report that Russian threat group APT29, also known as Cozy Bear, Midnight Blizzard, and NOBELIUM, an arm of the country’s Foreign Intelligence Service (SVR), is targeting Germany’s political parties using a new backdoor variant publicly tracked as WINELOADER.

The campaign uses a lure with a theme tied to the Christian Democratic Union of Germany (CDU), a Christian Democratic and liberal-conservative political party. Since February 26, the attackers have been sending emails with malicious attachments.

The awkwardly phrased messages were sent in the name of the CDU and disguised as invitations to a party dinner that was supposed to take place on March 1 at 7 p.m. The attackers also included the current CDU logo in the email.

The German-language message said, “To take part in the event, please fill out a questionnaire and send it by email in the next few days.” It even specified the appropriate outfit: “Dress code: business smart.”

However, anyone who clicked on one of the links in the email would have infected their computer with malware. The CDU confirmed that it had not planned a dinner party for March 1.

The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) are already dealing with the attack. Together, they sent a warning message in the form of a so-called awareness letter. It says that “the campaign aims to establish long-term access to the targets’ networks.” It's about stealing data.

The attempted attacks on political parties mark a shift in APT29’s targeting. In the past, the group has primarily attacked government offices and international embassies. (Der Spiegel)

Source: Mandiant.

Germany’s Federal Criminal Police Office said in a joint statement with Frankfurt prosecutors they have taken down Nemesis Market, a major online marketplace for drugs, cybercrime services, and fraudulently obtained credit card data.

Investigators seized the Nemesis Market platform’s server infrastructure in Germany and Lithuania, as well as cryptocurrency worth 94,000 euros ($102,000).

The seizure followed an investigation in cooperation with the FBI, the U.S. Drug Enforcement Administration, and Internal Revenue Service Criminal Investigation.

The platform was active on the darknet, a part of the internet accessible only through specialized tools that provide more anonymity. According to German authorities, it was founded in 2021 and had more than 150,000 user accounts and over 1,100 seller accounts worldwide, nearly 20% of the latter in Germany. (Associated Press)

Source: Bleeping Computer.

UK ministers will report that the personal details of millions of voters are believed to have been accessed in an attack by China on Britain’s democratic process.

MPs and peers are thought to be among 43 people who the government looks set to confirm have been targeted by cyber-attacks backed by the Chinese state. The attack is reported to have begun in August 2021 but was not identified until October 2022.

The hackers are said to have accessed the names and addresses of anyone in Britain registered to vote between 2014 and 2022.

The UK could impose sanctions on individuals believed to be involved in these acts of state-backed interference, one of which was a separate attack on the Electoral Commission in which Beijing accessed the personal details of about 40 million voters.

Ministers will set out full details today, with the deputy prime minister, Oliver Dowden, expected to tell parliament that Beijing is behind this wave of cyber-attacks. (Cash Boyle / The Guardian and Matt Mathers / The Independent)

Following a New York Times investigation, General Motors said it had stopped sharing details about how people drove its cars with two data brokers that created risk profiles for the insurance industry.

The investigation revealed that GM had been sharing data about drivers’ mileage, braking, acceleration, and speed with the insurance industry for years. The drivers were enrolled, some unknowingly, they said, in OnStar Smart Driver, a feature in GM’s internet-connected cars that collected data about how the car had been driven and promised feedback and digital badges for good driving.

Some drivers said their insurance rates had increased because of the captured data, which GM shared with two brokers, LexisNexis Risk Solutions and Verisk. The firms then sold the data to insurance companies.

“OnStar Smart Driver customer data is no longer being shared with LexisNexis or Verisk,” GM spokeswoman Malorie Lucich said in an emailed statement. “Customer trust is a priority for us, and we are actively evaluating our privacy processes and policies.” (Kashmir Hill / New York Times)

Following an investigation by journalist Brian Krebs, Mozilla, the nonprofit organization that supports the Firefox web browser, said it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites.

Krebs’ investigation showed that Onerep’s Belarusian CEO and founder, Dimitri Shelest, has launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people.

Mozilla only began bundling Onerep in Firefox last month when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned to inform users when their email addresses or passwords are leaked in data breaches.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla said. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.” (Brian Krebs / Krebs on Security)

Researchers at Proofpoint report that the Iran-aligned threat actor TA450, also called MuddyWater, Mercury, and Static Kitten, is using fake salary, compensation, and financial incentive emails to trick Israeli employees at multinational organizations into clicking malicious links.

Proofpoint said the campaign is a continuation of attacks against Israeli organizations since the start of the Israel-Hamas war in October 2023.

The campaign is targeting regional technology providers to gain access to downstream users at small to midsized firms through supply chain attacks against vulnerable regional managed services providers.

The phishing campaign began on March 7 and persisted through the week of March 11. TA450 sent emails containing PDF attachments with malicious links. Although this tactic isn't new to TA450, recent observations indicated the group prefers to include malicious links directly in the body of emails.

The PDF attachments have slightly varied embedded links leading to file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. The emails originated from likely compromised .IL sender accounts, consistent with TA450's recent activities, Proofpoint said.

Following the link downloads a ZIP archive containing a compressed MSI file, which installs AteraAgent, a remote administration tool that TA450 has abused before.

Emails from a compromised email address at a midsized financial services firm included a link to the cloud hosting provider Onehub. This link directs the victim to a ZIP archive that contains a legitimate installer executable file for the remote administration tool Syncro. (Prajeet Nair / Infosecurity Magazine)

Related: Proofpoint

Source: Proofpoint.
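The lure chain above (a PDF attachment whose embedded link points at a file-sharing service, sent from a likely compromised .il mailbox with a compensation theme) is simple enough to turn into a triage rule. The script below is an added example and not Proofpoint's code; the JSON-per-line gateway log format and the field names (`from`, `subject`, `attachments`, `attachment_urls`) are assumptions, as are the sample records, which are constructed for illustration.

```python
"""Triage rule for the TA450-style lure described above (added example).

Assumes a mail gateway that already extracted attachment names and the URLs
embedded in attachments, emitting one JSON object per line. The field names
and the SAMPLE_LOG records are constructed for this example.
"""
import json
from urllib.parse import urlparse

# File-sharing hosts named in Proofpoint's report. Matching is on the
# registered domain so tenant subdomains such as acme.egnyte.com also match.
FILE_SHARING_DOMAINS = {"egnyte.com", "onehub.com", "sync.com", "terabox.com"}

# Compensation-themed subject keywords (constructed list, not from the report).
LURE_KEYWORDS = ("salary", "compensation", "bonus", "incentive")


def _registered_domain(host: str) -> str:
    """Reduce 'acme.egnyte.com' to 'egnyte.com'; good enough for this rule."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one gateway record.

    Scoring: PDF attachment linking to a file-sharing host weighs most (3);
    a .il sender (1) and a compensation-themed subject (1) are corroborating.
    """
    score, reasons = 0, []

    has_pdf = any(a.lower().endswith(".pdf") for a in msg.get("attachments", []))
    if has_pdf:
        link_domains = {
            _registered_domain(urlparse(u).hostname or "")
            for u in msg.get("attachment_urls", [])
        }
        hits = sorted(link_domains & FILE_SHARING_DOMAINS)
        if hits:
            score += 3
            reasons.append("PDF attachment links to file-sharing host(s): " + ", ".join(hits))

    sender_domain = msg.get("from", "").rsplit("@", 1)[-1].lower()
    if sender_domain.endswith(".il"):
        score += 1
        reasons.append("sender domain under .il (consistent with compromised local accounts)")

    subject = msg.get("subject", "").lower()
    if any(k in subject for k in LURE_KEYWORDS):
        score += 1
        reasons.append("compensation-themed subject")

    return score, reasons


def triage(lines, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Parse JSON-per-line records and return (id, score, reasons) for hits."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        msg = json.loads(line)
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["id"], score, reasons))
    return flagged


# Constructed sample records: m1 and m4 match the lure pattern, m2 and m3 do not.
SAMPLE_LOG = """
{"id": "m1", "from": "hr@example-finance.co.il", "subject": "Updated salary and compensation package", "attachments": ["Compensation_2024.pdf"], "attachment_urls": ["https://acme.egnyte.com/fl/abc123"]}
{"id": "m2", "from": "news@vendor.example.com", "subject": "Q1 product update", "attachments": ["brochure.pdf"], "attachment_urls": ["https://www.example.com/brochure"]}
{"id": "m3", "from": "it@example.co.il", "subject": "VPN maintenance window", "attachments": [], "attachment_urls": []}
{"id": "m4", "from": "accounts@partner.co.il", "subject": "Invoice", "attachments": ["invoice.pdf"], "attachment_urls": ["https://ws.onehub.com/files/xyz"]}
"""

if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{msg_id}: score={score}")
        for r in reasons:
            print(f"  - {r}")
```

The heavy weight sits on the PDF-plus-file-sharing-link combination because that is the part of the chain an attacker cannot easily drop; the sender TLD and subject theme only corroborate, so a legitimate .il sender with no lure scores below the threshold (m3 above). In production, pair this with blocking or sandboxing of ZIP downloads that contain MSI installers for remote administration tools such as AteraAgent or Syncro.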

US law enforcement in Henderson, NV, has apprehended Robert Robb, an MEV (maximum extractable value) engineer known in the crypto community as “pokerbrat,” according to records from the Henderson Police authority.

The reason for the arrest is unknown, but it could be related to an earlier rug pull allegedly masterminded by Robb.

According to crypto sleuth ZachXBT, Robb orchestrated a sophisticated scheme, swindling over $1.2 million from eleven unsuspecting individuals.

The victims had invested in various Miner Extractable Value (MEV) bots, which Robb claimed would soon be operational. However, instead of delivering on his promises, the on-chain sleuth claims Robb vanished with investors’ funds. (Wahid Pessarlay / crypto.news)

Crypto expert Patrick Hansen, Director of EU Strategy & Policy at Circle, argues that despite a flurry of reports to the contrary, the EU has not banned anonymous crypto wallets and transactions in its recently enacted Anti-Money Laundering Regulation (AMLR).

The AMLR does not single out cryptocurrency regulations. Instead, it serves as a broad anti-money laundering and counter-terrorism financing (AML/CFT) framework applicable to a range of institutions deemed "obliged entities" (OEs).

These entities span financial sectors, including crypto-asset service providers (CASPs). They also extend to non-financial institutions prone to AML/CFT risks (such as sports clubs and gambling services).

Notably, the regulation explicitly exempts providers of non-custodial wallets from its obligations. It has not introduced radically new restrictions on self-custody payments, wallets, or peer-to-peer transfers.

A crucial aspect of the AMLR is its application to CASPs, including exchanges and brokers regulated under the Markets in Crypto-Assets (MiCA) framework. These providers must adhere to standard KYC/AML procedures, including customer due diligence (CDD).

This requirement prohibits anonymous accounts and services for users of custodial crypto businesses. Additionally, CASPs are barred from offering accounts for privacy coins, a practice already commonplace in the global crypto exchange landscape due to existing AML rules.

On March 16, someone with access to the blockchain-based racing game Wilder World’s deployer's private key upgraded legacy contracts and transferred the project's $WILD and $MEOW tokens to themselves, stealing around $1.8 million in ETH, which they then laundered through the Tornado Cash cryptocurrency tumbler.

The project blamed the theft on a previous contractor who had the private key. They also explained that the attacker seemed to be a developer based on the fact that they had "specialized knowledge of ZERO's internal ” (Molly White / Web3IsGoingJustGreat)

Related: Certik

On March 14, 2024, the decentralized lending protocol MOBOX on the Optimism blockchain was attacked, resulting in a loss of approximately $750,000.

The core of the attack was abuse of the borrow() function’s mechanics: the attacker burned part of the tokens in the pool while repeatedly borrowing against it, inflating the price of the pool’s tokens and collecting referrer rewards. The attacker then transferred the tokens back to themselves to borrow again, stacking rewards and manipulating the price in a loop. (SlowMist)

Hackers who exploited the Heco Bridge last year have laundered more than 40,000 ether worth $145.7 million via Tornado Cash over the past eight days.

“As of today (March 22 2024, UTC), HECO bridge exploiters have transferred ~40,391.8 ETH (equivalent to ~$145.7 million) to Tornado Cash within the last 8 days,” the blockchain security and data analytics firm PeckShield said. (James Hunt / The Block)

Hong Kong police have warned businesses to tighten their security after cyberattacks rose last year, advising them to keep their software updated and prevent hackers from breaking into their systems.

There were 37 reports of cyberattacks on businesses last year, a 54 percent rise from 24 cases in 2022. Reported losses trebled to HK$2.1 million (US$268,400) from HK$700,000 in 2022.

During a five-month online trawl between last September and last month, police found and removed more than 210,000 devices with serious internet safety lapses and fraudulent websites. They included the servers and computers of both corporate and individual users.

“Having discovered these safety hazards in our investigation, the force has contacted 80 local internet service providers to rectify the loopholes,” Joe Lau Ngo-chung, chief inspector of the force’s cybersecurity division, said. (Jess Ma / South China Morning Post)

Related: rthk.hk

Software risk management firm Finite State said it had raised $20 million in a venture funding growth round.

Energy Impact Partners (EIP) led the round. (Security Week)

Best Thing of the Day: Leaving the Spyware Biz Behind

Paladin Capital Group, which has previously invested in a company that developed malware, said it has gotten out of the spyware game and joined the White House’s effort to fight the proliferation of commercial spyware.

Worst Thing of the Day: He Didn’t Mean He Is Against All Forms of Creepy Surveillance

Republican Representative Mike Gallagher of Wisconsin, who led the congressional effort to ban TikTok, announced he is retiring to join American surveillance company and defense contractor Palantir.

Closing Thought