Judge Sentences Bitfinex Hacker to Five Years
Biden releases critical infrastructure AI framework, INC ransomware gang attacks Hungarian defense agency, Hackers stole customer data from German electricity provider, NIST addresses NVD backlog, FinCEN warns of deepfake frauds, Palo Alto reports another zero day, much more
Ilya Lichtenstein, half of the married couple whose 2016 hack of Bitfinex drained nearly 120,000 bitcoin from that cryptocurrency exchange, was sentenced to five years in prison for a money laundering scheme he and his wife employed to hide the stolen crypto.
The value of that bitcoin stolen by Ilya Lichtenstein was just $70 million when he executed the cyberattack on Bitfinex and initiated more than 2,000 unauthorized transactions to siphon off the cryptocurrency.
That crypto is currently worth $10.5 billion due to Bitcoin’s rise in price since 2016.
“I want to take full responsibility for my actions and make amends any way I can,” Lichtenstein reportedly told Judge Colleen Kollar-Kotelly in US District Court in Washington, D.C., before she sentenced him to the prison term and three years of supervised release that prosecutors had requested.
Lichtenstein, 35, and his wife, Heather Rhiannon Morgan, pleaded guilty to money laundering conspiracy in August 2023, 18 months after their arrest in New York City, where they lived.
Lichtenstein will get credit for the 29 months he has served in custody since his arrest. And with credit for good behavior, which is standard in the federal penal system, Lichtenstein could be released in less than two years.
Morgan is scheduled to be sentenced Monday in Washington. (Dan Mangan / CNBC)
Related: Associated Press, BBC, Bloomberg, CoinDesk, CNBC, Cointelegraph, The Block, US Department of Justice, Axios, Cryptonews, The Cyber Express, Coinpedia Fintech News, The Crypto Times, CoinGape, CNBC, Reuters, Decrypt, The Independent, Metro, Cybernews, Newser
The Biden administration released a framework for using artificial intelligence in the power grid, water system, air travel network, and other critical infrastructure.
Private industry would have to adopt and implement the guidelines the Homeland Security Department announced. The guidelines were developed in consultation with the department’s advisory Artificial Intelligence Safety and Security Board.
Homeland Security Secretary Alejandro Mayorkas told reporters, "We intend the framework to be, frankly, a living document and to change as developments in the industry change as well.”
The framework recommends that AI developers evaluate potentially dangerous capabilities in their products, ensure their products align with “human-centric values,” and protect users’ privacy. The cloud-computing infrastructure would need to vet hardware and software suppliers and protect the physical security of data centers. (Josh Boak / Associated Press)
Related: DHS, GovTech, Homeland Security Today, Water Power and Dam Construction, DefenseOne, Federal News Network, PCMag
Hungarian officials confirmed that an “international group of hackers” attacked the country’s defense procurement agency (VBÜ).
The cybercrime group, INC Ransomware or INC Ransom, claimed access to the agency's data and posted sample screenshots on its dark web portal.
The Hungarian Ministry of National Defense declined to disclose potential information leaks, citing an ongoing investigation. The ministry added that VBÜ does not store sensitive military data. Hungary is a member of the NATO alliance.
Prime Minister Viktor Orbán's chief of staff, Gergely Gulyás, attributed the attack to a "hostile foreign, non-state hacker group" without naming the group.
Gulyás said that the most sensitive data that could be potentially accessed included "plans and data about military procurement."
Hungarian news outlet Magyar Hang reported that INC Ransomware breached the agency’s servers, downloading and encrypting all files. Hackers allegedly published screenshots of documents containing data on the Hungarian army’s air and land capabilities, as well as documents marked "non-public." (Daryna Antoniuk / The Record)
Related: Reuters, Euronews, Ukrainian News, Devdiscourse, Magyar Hang, HVG.hu
Hackers attacked German electricity provider Tibber and reportedly stole data affecting over 50,000 customers, which they are now selling on the dark web.
Since November 11, a data set titled "Tibber Data Breach—Leaked, Download" has been available on a popular darknet forum. Some sample lines contain the name, email address, order amount, and incomplete address data.
The number of stolen records is disputed: the hackers claim to have found 243,000 lines of data, but according to Tibber only 50,000 customers were affected. The discrepancy could be explained by duplicate entries or data records split across several lines.
"We immediately began investigating the incident and reported it to the Berlin police," says Merlin Lauenburg, Managing Director of Tibber Germany. On Wednesday morning, Tibber also informed the affected customers of the leak. The company is also working with the authorities and internal and external experts to clarify the incident and take improvement measures. (Dr. Christopher Kunz / Heise Online)
Related: Energate Messenger
The National Institute of Standards and Technology (NIST) said that it now “has a full team of analysts on board” and is “addressing all incoming CVEs as they are uploaded into our system,” following backlash when it became clear that thousands of critical vulnerabilities had not been enriched in its National Vulnerability Database (NVD) since the agency announced cutbacks in February.
NIST said, “In addition, we have addressed all Known Exploited Vulnerabilities (KEVs) that were in the backlog, and we are processing all new KEVs as they come in."
As of September 21, researchers at VulnCheck said 72.4% of all CVEs — more than 18,000 — in the database had yet to be thoroughly analyzed, and 46.7% of all exploited vulnerabilities remained unanalyzed.
Despite the substantial progress, NIST said its previous goal of clearing the entire backlog of exploited and unexploited bugs by the end of the year will not be met. (Jonathan Greig / The Record)
Related: NIST, Security Week, Help Net Security
IBM X-Force researchers report that ongoing campaigns by cybercriminal group Hive0145 have launched a series of attacks across Europe, deploying the sophisticated Strela Stealer malware to steal sensitive email credentials.
This wave primarily targets Spain, Germany, and Ukraine and employs stolen, authentic invoices in phishing emails to deceive recipients and boost infection success.
Hive0145 has likely operated as a financially motivated initial access broker (IAB) since late 2022. It focuses on credential theft through its Strela Stealer malware, which extracts data stored in Microsoft Outlook and Mozilla Thunderbird.
Hive0145’s campaign volume and technical complexity have significantly increased since mid-2023. It has evolved from generic phishing emails to more complex attacks using stolen emails from various industries, including finance, technology, and e-commerce.
In July 2024, Hive0145 shifted tactics, replacing simple phishing messages with stolen, legitimate emails that included real invoice attachments.
Recent campaigns have been designed to bypass detection through various methods, such as using uncommon file extensions (.com, .pif) for malicious executables and incorporating heavily obfuscated scripts to evade security tools. (Alessandro Mascellino / Infosecurity Magazine)
Related: Security Intelligence, The Record, KnowBe4
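The Hive0145 reporting above mentions that the lures arrive as stolen invoice emails carrying executables with uncommon extensions such as .com and .pif. The following is an added example of the kind of attachment triage check a mail-gateway or SOC engineer might write in response; it is not code from IBM X-Force, Infosecurity Magazine or any vendor, and the attachment filenames it runs over are constructed for illustration. It flags directly executable extensions (including the uncommon ones), document-looking double extensions such as `invoice.pdf.com`, whitespace padding that pushes the real extension out of view, and the right-to-left override character used to disguise extensions in file listings.

```python
"""Triage email attachment filenames for disguised executables.

Added example, not code from the reporting above. It assumes the mail
gateway hands us the raw attachment filename; sample names are constructed.
"""
import re
from dataclasses import dataclass, field

# Extensions Windows will execute directly. .com and .pif are the
# uncommon ones the campaign reporting mentions; the rest are the
# usual suspects most gateways already block.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1", ".lnk",
}

# Extensions an invoice-themed lure usually pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

RTLO = "\u202e"  # right-to-left override: makes "Report\u202efdp.scr" display as "Reportrcs.pdf"


@dataclass
class Verdict:
    filename: str
    risky: bool
    reasons: list = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Lower-case the name, drop trailing dots/spaces (Windows ignores them)
    and collapse runs of whitespace used to hide the real extension."""
    name = name.strip().rstrip(". ")
    name = re.sub(r"\s{2,}", " ", name)
    return name.lower()


def extension_chain(name: str) -> list:
    """All extensions in order, e.g. 'a.pdf.com' -> ['.pdf', '.com'].
    Each part is stripped so 'a.pdf .pif' still yields ['.pdf', '.pif']."""
    parts = [p.strip() for p in name.split(".")]
    return ["." + p for p in parts[1:] if p]


def triage_attachment(filename: str) -> Verdict:
    """Return a Verdict with one reason per heuristic that fired."""
    reasons = []
    exts = extension_chain(normalize_name(filename))
    final = exts[-1] if exts else ""

    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        reasons.append(f"document-looking double extension {''.join(exts[-2:])}")
    if RTLO in filename:
        reasons.append("RTLO character in filename")

    return Verdict(filename, bool(reasons), reasons)


# Constructed sample attachment names (not real campaign artefacts).
SAMPLE_ATTACHMENTS = [
    "Rechnung_2024-07.pdf",         # benign
    "Factura_0931.pdf.com",         # double extension, executable
    "invoice.PIF",                  # uncommon executable extension, mixed case
    "Rechnung_0812.pdf   .pif",     # whitespace padding before the real extension
    "Report\u202efdp.scr",          # RTLO trick, displays as a .pdf
    "report.docx",                  # benign
]


def triage_all(names):
    """Map each filename to its Verdict."""
    return {n: triage_attachment(n) for n in names}


def count_risky(names) -> int:
    """Number of attachments at least one heuristic flagged."""
    return sum(1 for v in triage_all(names).values() if v.risky)


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_ATTACHMENTS).items():
        status = "BLOCK" if verdict.risky else "allow"
        print(f"{status:5}  {name!r}  {'; '.join(verdict.reasons)}")
```

Extension checks alone are a weak control (archives and password-protected containers sidestep them), so in practice this sits in front of detonation or reputation checks rather than replacing them; its value is that the uncommon extensions named in the reporting get the same treatment as `.exe`.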
The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued a warning to support financial institutions in identifying fraud schemes involving deepfake media.
The alert, which draws on an analysis of Bank Secrecy Act (BSA) data, open-source reporting, and information received from law enforcement, focuses on fraud schemes that use deepfake media created with generative artificial intelligence (GenAI) tools and explains the typologies associated with these schemes.
In addition, the alert delivers red flag indicators to support the identification and reporting of suspicious activity and underlines financial institutions’ reporting requirements under the BSA.
Since 2023, FinCEN has identified a substantial increase in suspicious activity reporting related to the use of deepfake media in fraud schemes focusing on financial institutions and their customers. In these schemes, criminals mostly modified or developed fraudulent identity documents to bypass identity verification processes and authentication methods.
Moreover, these fraud schemes comprised online scams and consumer fraud, including checks, credit cards, authorized push payments, loans, and unemployment fraud. At the same time, bad actors opened fraudulent accounts leveraging GenAI-developed identity documents and utilized them as funnel accounts. (The Paypers)
Related: FinCEN, Compliance Week, American Banker, PYMNTS, FinExtra, Regulation Asia
In a series of video chats, Moscow resident Mikhail Shefel confirmed using the identity of a Russian cybercriminal, Rescator, who sold over 100 million payment cards stolen from Target and Home Depot between 2013 and 2014.
He claims the true mastermind behind the Target and other retail breaches was Dmitri Golubov, an infamous Ukrainian hacker known as the co-founder of Carderplanet, among the earliest Russian-language cybercrime forums focused on payment card fraud. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing evidence to support that claim.
Shefel asserts that he and his team were responsible for developing the card-stealing malware that Golubov’s hackers installed on Target and Home Depot payment terminals and that, at the time, he was technical director of a long-running Russian cybercrime community called Lampeduza.
“My nickname was MikeMike, and I worked with Dmitri Golubov and made technologies for him,” Shefel said. “I’m also godfather of his second son.”
Mr. Shefel says he stopped selling stolen payment cards after being pushed out of business and invested his earnings in a now-defunct Russian search engine called tf[.]org. He also apparently ran a business called click2dad[.]net that paid people to click on ads for Russian government employment opportunities.
When those enterprises fizzled out, Shefel reverted to selling malware coding services for hire under the nickname “Getsend”; this claim checks out, as Getsend for many years advertised the same Telegram handle that Shefel used in our recent chats and video calls. (Brian Krebs / Krebs on Security)
BlackBerry researchers report that the China-linked APT actor APT41 (also known as Barium, Brass Typhoon, Bronze Atlas, Wicked Panda, and Winnti) behind the LightSpy iOS malware has expanded its toolset with a Windows-based surveillance framework.
LightSpy was initially detailed in 2020 when it was used in attacks against iPhone users in Hong Kong.
Multiple reports this year have shown that LightSpy’s operators have extended the malware to Android and macOS and added new capabilities, including destructive modules.
With the addition of the DeepData surveillance framework for Windows and its 12 plugins specialized in information theft, the threat actor now has comprehensive cross-platform espionage capabilities backed by a sophisticated command-and-control (C&C) infrastructure.
According to BlackBerry, APT41’s surveillance capabilities target communication platforms such as WhatsApp, Telegram, Signal, WeChat, Outlook, DingDing, and Feishu, as well as browsers, password managers, and a large amount of system and network data.
The APT can also record audio to spy on victims. (Ionut Arghire / Security Week)
Related: BlackBerry, Infosecurity Magazine
After informing customers that it’s investigating claims of a new firewall remote code execution vulnerability, Palo Alto Networks confirmed that a new zero-day is being exploited in attacks.
The cybersecurity giant published an advisory on November 8, urging customers to ensure that access to the PAN-OS management interface is secured in light of claims about a remote code execution vulnerability.
Palo Alto Networks initially said it had not seen any indication of a zero-day being exploited. However, it has now updated its advisory to say it “has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet."
Although a CVE identifier has yet to be assigned to the vulnerability, its CVSS score of 9.3 puts it in the ‘critical severity’ category.
Palo Alto told customers it’s working on patches and threat prevention signatures, which it hopes to release soon. (Eduard Kovacs / Security Week)
Related: Palo Alto Networks, Security Affairs, Help Net Security, Security Week
Switzerland’s Federal Office for Cybersecurity (OFCS) issued a warning about “fake letters” from the country’s meteorological agency being used to spread malware.
The postal letters, dated 12 November, claim to offer people in the country a new weather app developed by the agency MeteoSwiss. However, they contain a QR code redirecting people to a malicious application developed by fraudsters.
According to OFCS, “by scanning the QR code in the letter, the phone user downloads malware known as ‘Coper’ and ‘Octo2’. When installing the fake app, the program attempts to steal sensitive data such as login details for more than 383 mobile apps, including e-banking apps.”
Using real-world lures to infect people with malware is unusual due to the additional overheads that physical operations involve compared to online hacking. (Alexander Martin / The Record)
Related: Swiss NCSC
Six years after the virtual private network company NordVPN started mining data breaches for the 200 most-used passwords, things are as bad as when the company started, with the most insecure passwords still topping the list.
NordVPN says that it analyzed 2.5TB worth of credentials across 44 countries. Even number 200 on the list is ‘letmein,’ a password that can be cracked in under a second. (Ben Lovejoy / 9to5Mac)
Related: NordPass, PCMag, Mashable, ZDNet, 9to5Mac, Firstpost
Cybersecurity startup Bitsight is acquiring Cybersixgill for $115 million.
Bitsight’s focus is cyber risk management, while Cybersixgill proactively analyzes dark web activity to look for data leaks, indicators of potential breaches, and new attacker techniques. (Ingrid Lunden / TechCrunch)
Related: Bitsight, SiliconANGLE, SecurityWeek, CyberScoop, Globes
Best Thing of the Day: Getting Ahead of the Curve on AI Risks
The Financial Stability Board (FSB), an international body that monitors and makes recommendations on the global financial system, has called for stricter regulation of fraud, data governance, and systemic vulnerabilities in AI systems.
Worst Thing of the Day: Pick Your Pregnancy Tracking App Carefully
Security researcher Ovi Liber discovered that What To Expect, a popular pregnancy tracking app on iOS and Android, is ignoring multiple serious vulnerabilities in its app, including one that allows a complete takeover of a user’s account, exposing their sensitive reproductive health information.
Bonus Worst Thing of the Day: Always Know Where Your Level2 Engineer Is
Air traffic control chaos that struck British airlines last summer, stranding thousands of customers and costing around £100m in refunds, rebookings, hotel rooms, and refreshments, was made worse by delays in verifying a password for an engineer working from home.