Authorities bust up phishing kit peddler HeartSender
Companies and governments restrict DeepSeek access, CISA warns of patient monitoring device malicious backdoor, NYC blood center hit by ransomware, ChatGPT jailbreak flaw allows weapons and malware creation instructions, Criminal gangs still funnel services through US cloud providers, much more
Please consider supporting Metacurity with an upgraded subscription so that you can continue receiving our daily missives, packed with the top infosec developments you should know.
If you can't commit to a subscription today, consider tipping or donating to help keep Metacurity going.
Dutch and US authorities dismantled a sophisticated Pakistan-based cybercrime network called Saim Raza or HeartSender in an operation dubbed Operation Heart Blocker, which seized 39 domains and servers.
Saim Raza was responsible for developing and selling phishing kits, with the Department of Justice claiming the software resulted in over $3 million in victim losses.
HeartSender’s network operates through a wide array of criminal web shops, advertising its malicious tools across platforms like YouTube and selling an arsenal of tools that enable users to send large amounts of phishing emails, steal login credentials, and access hacked infrastructure.
The investigation uncovered datasets containing millions of victim records, including approximately 100,000 sets of Dutch credentials. (Greg Otto / Cyberscoop)
Related: Justice Department, US Attorney's Office, Politie.nl
According to cybersecurity firms, companies and government agencies worldwide are moving to restrict their employees’ access to the tools recently released by the Chinese artificial intelligence startup DeepSeek.
Nadir Izrael, chief technology officer of the cyber firm Armis Inc., said "hundreds" of companies, particularly those associated with governments, have moved to block access to DeepSeek over concerns about potential data leakage to the Chinese government and what they view as weak privacy safeguards.
Most customers of Netskope Inc., a network security firm whose services include restricting employees' access to websites, are similarly moving to limit connections.
Roughly 70% of Armis customers have requested blocks, Izrael said, while Ray Canzanese, director of Netskope's threat labs, said 52% of Netskope clients are blocking access to the site entirely.
“The biggest concern is the AI model’s potential data leakage to the Chinese government,” Armis’s Izrael said. “You don’t know where your information goes.” (Julie Zhu and Debby Wu / Bloomberg)
Related: Reuters, SiliconANGLE, NBC News, Moneycontrol
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
CISA learned of the malicious behavior from an external researcher who disclosed the vulnerability to the agency. When CISA tested three Contec CMS8000 firmware packages, its researchers observed anomalous network traffic to a hard-coded external IP address that belongs not to the manufacturer but to a university.
That traffic led to the discovery of a backdoor in the firmware that quietly downloads and executes files on the device, allowing remote code execution and complete takeover of the patient monitors.
CISA says that patient data is typically transmitted across a network using the Health Level 7 (HL7) protocol. However, these devices sent the data to the remote IP over port 515, usually associated with the Line Printer Daemon (LPD) protocol.
The transmitted data includes the doctor's name, patient ID, patient's name, patient's date of birth, and other information. After CISA contacted Contec about the backdoor, the vendor sent multiple firmware images that were supposed to have mitigated it, but each one still contained the malicious code.
No patch that removes the backdoor is available, and CISA recommends that healthcare organizations disconnect these devices from the network where possible. (Lawrence Abrams / Bleeping Computer)
Related: CISA, BankInfoSecurity, HealthExec, FDA
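The advisory's observable, a monitor sending patient data to a hard-coded address on a port (515/LPD) that has nothing to do with HL7, is the kind of thing a hospital network team can hunt for in flow logs while the devices remain unpatched. The following checker is an added example written for this newsletter, not code from CISA, Contec, or the researcher; the monitor subnet, the allowlisted HL7 interface engine and central station, the Zeek-conn.log-style record layout, and every log line are constructed for illustration (the 203.0.113.0/24 addresses are the IETF documentation range, not the IP named in the advisory). It flags any flow a monitor originates that is not on its destination allowlist, and calls out separately when the destination is outside RFC1918 space or the port is 515.

```python
"""Flag patient-monitor network flows that do not match expected HL7 traffic.

Added example, not from the CISA advisory or from Contec. All addresses,
ports, and log lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed: the subnet the patient monitors sit on (constructed).
MONITOR_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Assumed: the only destinations a monitor should ever talk to (constructed).
# 2575 is the IANA-registered port for HL7 over MLLP.
ALLOWED_DESTINATIONS = {
    ("10.20.1.10", 2575),   # hypothetical HL7 interface engine
    ("10.20.1.11", 443),    # hypothetical central monitoring station
}

# Port the advisory's observed exfiltration used (515 = LPD); a monitor has
# no business speaking it.
SUSPECT_PORTS = {515}

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    orig_bytes: int
    reasons: list = field(default_factory=list)


def parse_conn_line(line: str) -> dict:
    """Parse one tab-separated, Zeek-conn.log-style record (constructed layout)."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes = line.split("\t")[:8]
    return {
        "ts": ts, "uid": uid,
        "orig_h": orig_h, "orig_p": int(orig_p),
        "resp_h": resp_h, "resp_p": int(resp_p),
        "proto": proto, "orig_bytes": int(orig_bytes),
    }


def is_internal(addr) -> bool:
    """True if addr falls inside RFC1918 space (explicit check; avoids the
    quirks of ipaddress.is_global with documentation ranges)."""
    return any(addr in net for net in RFC1918)


def check_flow(flow: dict):
    """Return a Finding for a monitor-originated flow that breaks policy, else None."""
    src = ipaddress.ip_address(flow["orig_h"])
    if src not in MONITOR_SUBNET:
        return None                      # not a monitor; out of scope here
    dst = ipaddress.ip_address(flow["resp_h"])
    port = flow["resp_p"]
    if (str(dst), port) in ALLOWED_DESTINATIONS:
        return None
    reasons = ["destination not on monitor allowlist"]
    if not is_internal(dst):
        reasons.append("monitor contacted a non-RFC1918 address")
    if port in SUSPECT_PORTS:
        reasons.append(f"tcp/{port} (LPD) is not a patient-data protocol")
    return Finding(str(src), str(dst), port, flow["orig_bytes"], reasons)


def scan(log_text: str) -> list:
    """Run check_flow over every non-comment record and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        finding = check_flow(parse_conn_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: ts, uid, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes.
SAMPLE_LOG = "\n".join([
    "1706500000.1\tC1\t10.20.0.15\t49152\t10.20.1.10\t2575\ttcp\t812",   # normal HL7
    "1706500001.2\tC2\t10.20.0.15\t49153\t203.0.113.5\t515\ttcp\t2048",  # external, LPD port
    "1706500002.3\tC3\t10.20.0.22\t49154\t10.20.1.11\t443\ttcp\t120",    # central station
    "1706500003.4\tC4\t10.20.1.30\t51000\t203.0.113.9\t443\ttcp\t5000",  # not a monitor
    "1706500004.5\tC5\t10.20.0.22\t49155\t10.20.5.40\t515\ttcp\t300",    # internal, LPD port
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port} ({f.orig_bytes} B): " + "; ".join(f.reasons))
```

Two of the five constructed records are flagged: the monitor talking to a public address on 515, and a monitor talking to an internal host on 515 that is not on the allowlist. The allowlist is the real control here; the port and address checks only explain why a hit matters. Segmenting the monitors and restricting them to the allowlisted destinations at the firewall is the compensating control while the devices stay on the network.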
New York Blood Center Enterprises (NYBCe) has been hit by a ransomware attack, disrupting critical blood donation services across the US and forcing the organization to take certain systems offline.
NYBCe provides blood donations and products to 70 area hospitals and serves over 75 million people nationwide. It has centers across the US, including New York, Nebraska, Delmarva, Kansas and Connecticut.
On January 26, the NYBCe identified suspicious activity affecting its IT systems. An investigation coordinated with third-party cybersecurity experts confirmed that this activity resulted from a ransomware attack.
The non-profit is now working with experts to restore systems as quickly as possible, although there is currently no timetable for this process to be completed. (James Coker / Infosecurity Magazine)
Related: Cybernews
Cybersecurity and AI researcher David Kuszmar discovered that a ChatGPT jailbreak flaw, dubbed "Time Bandit," allows anyone to bypass OpenAI's safety guidelines when asking for detailed instructions on sensitive topics, such as weapon creation, information on nuclear issues, and malware creation.
Kuszmar found that ChatGPT suffered from "temporal confusion," making it possible to put the LLM into a state where it did not know whether it was in the past, present, or future.
After realizing the significance of his findings and the potential harm they could cause, the researcher anxiously contacted OpenAI but could not reach anyone to disclose the bug. He was referred to BugCrowd to disclose the flaw, but he felt that the flaw and the type of information it could reveal were too sensitive to file a report with a third party.
After also contacting CISA, the FBI, and other government agencies without receiving help, Kuszmar described his reaction: "Horror. Dismay. Disbelief. For weeks, it felt like I was physically being crushed to death."
After BleepingComputer tried to contact OpenAI on the researcher's behalf in December and got no response, the outlet referred Kuszmar to the CERT Coordination Center's VINCE vulnerability reporting platform, which successfully initiated contact with OpenAI. (Lawrence Abrams / Bleeping Computer)
Researchers at Silent Push discovered a sprawling network tied to Chinese organized crime gangs named "Funnull," a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, pig butchering scams, gambling websites, and retail phishing pages, and that has been funneling its operations through Amazon AWS and Microsoft Azure.
Silent Push’s Zach Edwards said Funnull is a textbook example of an increasing trend Silent Push calls “infrastructure laundering,” in which crooks selling cybercrime services relay some or all of their malicious traffic through US cloud providers.
Amazon said that, contrary to the implications in the Silent Push report, it has every reason to police its network against this activity aggressively. The accounts tied to Funnull used “fraudulent methods to temporarily acquire infrastructure, for which it never pays. Thus, AWS incurs damages as a result of the abusive activity.”
Microsoft likewise said it takes such abuse seriously and encouraged others to report suspicious activity found on its network.
“We are committed to protecting our customers against this kind of activity and actively enforce acceptable use policies when violations are detected,” Microsoft said in a written statement. “We encourage reporting suspicious activity to Microsoft so we can investigate and take appropriate actions.” (Brian Krebs / Krebs on Security)
Related: Silent Push
Google blocked 2.3 million Android app submissions to the Play Store in 2024 due to violations of its policies that made them potentially risky for users.
In addition, 158,000 developer accounts were banned for attempting to publish harmful apps, such as malware and spyware, on Android's official app store.
In comparison, Google blocked 2,280,000 risky apps in 2023 and 1,500,000 apps in 2022, while the figures for blocked Play developer accounts were 333,000 and 173,000, respectively.
The larger number of blocked apps in 2024 is partly attributed to AI assisting human reviews, which was used in 92% of the violating cases. (Bill Toulas / Bleeping Computer)
Related: Google Security Blog, Tom's Guide, Forbes
Intelligence Online, a publication that monitors the organization and functioning of the domestic and foreign intelligence services of key governments, said it had identified a Chengdu-based cybersecurity contractor to China's Ministry of Public Security as being behind recent hacking operations carried out in China and abroad against Tibetans and Uyghurs.
Sichuan Dianke Network Security Technology (aka Sichuan UPSEC Technology or simply UPSEC) and its subsidiary, Chengdu Anmo Technology, and their 150-strong team of engineers, 90% of whom work on research and development, claim to be contributing to China’s cyber security effort.
However, according to Intelligence Online, the firm provides cyber penetration tools used to target the Tibetans and Uyghurs, two ethnic groups especially reviled by Beijing. (Tibetan Review)
Related: Intelligence Online
Indian automotive and aerospace engineering technology company Tata Technologies confirmed it had suffered a ransomware incident that led to the suspension of some of its IT services, which have now been restored.
Tata said, "As a precautionary measure, some of the IT services were suspended temporarily and have now been restored. Our Client delivery services have remained fully functional and unaffected throughout." (Aman Gupta / Mint)
Related: Times of India, The Economic Times, The Hindu, Business Standard, NewsBytes, TimesNow, Financial Express, India TV News, Moneycontrol
Researchers at NCC Group report that the company observed the highest number of ransomware attacks last year since it began tracking them in 2021: 5,263 attacks in total, up 15% from 2023 levels.
The industrial sector was the most targeted overall in 2024, with 1,424 observed attacks compared to 1,240 in 2023.
RansomHub surfaced as the most active criminal gang in 2024, with hundreds of victims. During the first half of last year, LockBit claimed 433 victims, compared to RansomHub's 123. In the second half, however, RansomHub's victim count shot to 378, compared to LockBit's 93, according to NCC. (Jessica Lyons / The Register)
Researchers at Web3 bug bounty firm ImmuneFi report that crypto hackers stole over $73 million of digital assets across 19 individual incidents in January, a 44% decrease from the $133 million stolen in January 2024.
Nevertheless, January’s $73 million was a ninefold month-over-month increase from December, when hackers only stole $3.8 million worth of cryptocurrency.
The attack on Singapore-based crypto exchange Phemex was the biggest hit, accounting for over $69 million of stolen value. The $2.5 million hack on the Moby Trade options platform was second. (Zoltan Vardai / Cointelegraph)
Related: ImmuneFi, Coinspeaker, The Block, crypto.news
Sources say cyber specialists from Ukraine’s Military Intelligence Agency (HUR) launched a DDoS attack against Russian natural gas companies Gazprom and Gazpromneft on Jan. 29, disrupting the firms' digital services.
This operation was symbolically carried out on Jan. 29, the anniversary of the Battle of Kruty, where Ukrainian cadets and volunteers fought against the Bolshevik advance in 1918. (Sonya Bandouil / The Kyiv Independent)
Related: Kyiv Post
Oligo Security, a Tel Aviv, Israel-based Application Detection and Response (ADR) company, announced it had raised $50 million in a Series B venture funding round.
Greenfield Partners led the round with participation from Red Dot Capital Partners, Strait Capital, and existing investors Ballistic Ventures, Lightspeed Venture Partners, and TLV Partners. (Maria Deutscher / Silicon Angle)
Related: Oligo Security, Crowdfund Insider, CTech, Endor Labs, FinSMEs, FinTech Global
Clutch Security, a non-human (machine) identity firm, announced it had raised $20 million in a Series A venture funding round.
SignalFire led the round with participation from existing investors Lightspeed Venture Partners and Merlin Ventures. (Ingrid Lunden / TechCrunch)
Related: Security Week, Maginative, CTech, Tech in Asia
Best Thing of the Day: Saving the Modern-Day Library of Alexandria From Destruction
Harvard University researcher Jack Cushman has been taking snapshots of Data.gov’s datasets both before and after Trump's inauguration to keep a full archive of government data, much of which the current administration has been actively destroying.
Worst Thing of the Day: Another Object Lesson in Why MFA Is Critical
The hack of education technology contractor PowerSchool, which resulted in the largest breach of American children's personal information to date, might have been prevented if the organization had enabled multi-factor authentication.