
North Korea's Lazarus Group Returns to Tornado Cash

US Attorney to seize $2.3m for pig butchering victims, Hackers stole data on 43m from French unemployment agency, FTC fines two fraudulent tech support firms, Attackers stole $2m from a single crypto investor, FCC approves Cyber Trust Mark labels, Florida man sues GM and LexisNexis for collecting car data, Zscaler buys Avalor for $350m, much more

Check out my latest piece for README on how the vulnerability disclosure process between Rapid7 and JetBrains went bad.

Blockchain analytics firm Elliptic revealed that the North Korea-backed hacker group Lazarus is once again using the sanctioned crypto mixer Tornado Cash to obfuscate its transactions, even after the group ceased using it following US government sanctions last year.

Lazarus had turned to Sinbad.io as its mixer of choice following sanctions on Tornado Cash in August 2022, but US authorities seized that service in November 2023.

Elliptic also disclosed that the group recently moved approximately $23 million in funds stolen from the HTX Exploit. These funds were transferred through Tornado Cash in over 40 transactions within the last three days, marking their first movement since the November 2023 incident. (Oluwapelumi Adejumo / CryptoSlate)

Source: Elliptic.

The United States Attorney’s Office (USAO) in Massachusetts filed a civil forfeiture action to return $2.3 million in cryptocurrency to 37 online scams and fraud victims.

The cryptocurrencies, which include nearly 300,000 USDC, 1.5 million USDT, 102,000 TRX, 3,000 SOL, and 14,000 ADA, were seized from two Binance accounts in January, following an investigation last spring into a “pig butchering” scam targeting a Massachusetts resident.

The scam victim was tricked into forking over $400,000 to the scammers, who transferred the funds to other wallets that investigators then connected to funds from the other 36 victims.

The USAO’s action closely follows last week’s news that the US Attorney’s Office in Chicago had seized $1.4 million in Tether from an unhosted virtual cryptocurrency wallet tied to a suspected tech support scam targeting older people. (Cheyenne Ligon / Coindesk)

France Travail, formerly known as Pôle Emploi, the government agency responsible for registering unemployed individuals, providing financial aid, and assisting them in finding jobs, is warning that hackers breached its systems and may leak or exploit the personal details of an estimated 43 million individuals.

The agency disclosed that hackers stole details belonging to job seekers registered with the agency in the last 20 years in a cyberattack between February 6 and March 5. Data from individuals with a job candidate profile was also exposed.

France Travail clarified that the data breach incident does not impact people’s bank details or account passwords, but French data protection watchdog CNIL warns that cybercriminals may use what’s available to correlate with missing data points from other breaches.

Those impacted by the data breach incident at France Travail can file a complaint with the Paris prosecutor’s office to help with the investigation. (Bill Toulas / Bleeping Computer)

The US Federal Trade Commission fined Cyprus-based tech support companies Restoro and Reimage $26 million to settle charges that they used scare tactics to trick their customers into paying for unnecessary computer repair services.

Restoro and Reimage used online ads and pop-ups that impersonated Microsoft Windows pop-ups and system warnings, saying that the consumers' computers were infected with malware, had various performance issues, and needed urgent attention to avoid harm.

FTC investigators also paid for these services to replicate the consumers' experience with Restoro between May and June 2022 and Reimage during July and August 2022.

While the devices used to test the purchased software and services had no performance or security issues and were also running antivirus software, scanning them "revealed" hundreds of issues requiring repair, including "PC Privacy issues," "Junk files," "Crashed Programs," and "Broken Registry issues."

The FTC investigators were asked to pay up to $58 for a "PC Repair Plan" and, after paying, were urged to make "activation" calls to Restoro and Reimage telemarketers, who told them the software couldn't actually fix all the issues.

These telemarketers then requested access to the investigators' computers. They claimed to find additional "errors, critical warnings, viruses, or malware" while pointing to regular log entries in the Microsoft Windows Event Viewer linked to standard and benign system errors and warnings.

"The telemarketers also use VirusTotal software to claim that consumers' computers have viruses. In reality, the way the telemarketers use VirusTotal does not show that the computer that the telemarketer accessed remotely has a virus," the FTC complaint says.

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, said, "These companies used scare tactics and lies about threats to consumers' personal computers to bilk consumers, particularly older consumers, out of tens of millions of dollars.”

In addition to the $26 million fine, the proposed FTC order, which awaits a federal court's approval, also bans Restoro and Reimage from engaging in deceptive telemarketing and misrepresenting security or performance issues on consumers' devices to scare them into buying additional unnecessary computer repair services. (Sergiu Gatlan / Bleeping Computer)

Misleading pop-up ad. Source: FTC complaint.

Web3 security platform Scam Sniffer discovered that a recent phishing attack stole 501 ETH, valued at approximately $2 million, staked through liquid restaking protocol Ether.Fi, from a single investor.

On-chain data reveals that the theft occurred in two transactions. In one transaction, 426 ETH were siphoned, followed by another 75 ETH in a subsequent transaction. At the time of the attack, these stolen assets were valued at roughly $1.6 million and $276,000, respectively.

The theft caused the wallet’s net worth to plummet by over 99.93%, leaving it with only $1,453. (Oluwapelumi Adejumo / CryptoSlate)

The US Federal Communications Commission approved the US Cyber Trust Mark, a voluntary label that denotes that consumer Internet of Things devices like “smart” home appliances meet baseline security standards.

The FCC approval is the culmination of a White House initiative and is somewhat modeled after the energy efficiency labeling program Energy Star. The program would create an easy-to-recognize label confirming that a product meets cybersecurity standards developed by the National Institute of Standards and Technology.

Biden administration officials have described the trust mark as addressing consumer safety and national security concerns. State-backed hackers often exploit IoT devices to provide the infrastructure for their campaigns. The US Cyber Trust Mark framework initially focuses on consumer IoT devices but may be broadened in the future.

“If your car explodes following a minor accident or if a table saw comes loose and maims you or your lightbulb overheats and causes a fire, you can take the negligent manufacturer to court and recover your damages,” Commissioner Nathan Simington said during the meeting. “But if an attacker hacks your smart home devices, let’s say your Alexa, listens in on your private conversations, you have little to no recourse against the manufacturer.”

To select which product will receive the mark, the FCC will choose a lead administrator to develop the program and third-party accredited labs for compliance testing.

Additionally, the mark would include a QR code linking to a “consumer-friendly” landing page for each product that details the current state of the device’s security. (Christian Vasquez / Cyberscoop)

In a complaint against General Motors and LexisNexis Risk Solutions filed in the US District Court for the Southern District of Florida, Romeo Chicco accused GM and LexisNexis of violating privacy and consumer protection laws after LexisNexis shared details about his driving record, causing his auto insurance rates to double.

In his complaint, Mr. Chicco said he called GM and LexisNexis repeatedly to ask why his data had been collected without his consent. He was eventually told that his data had been sent via OnStar, GM’s connected services company, also named in the suit and that he had enrolled in OnStar’s Smart Driver program, a feature for getting driver feedback and digital badges for good driving.

Mr. Chicco said that he had not signed up for OnStar or Smart Driver, though he had downloaded MyCadillac, a General Motors app for his car. (Kashmir Hill / New York Times)

The Chinese government is signaling that it won’t allow a forced sale of TikTok, limiting options for the app’s owners as buyers begin lining up to bid for its US operations.

During a routine news conference, a spokesman for China’s Ministry of Commerce said the US should “stop unreasonably suppressing” TikTok, adding: “The relevant party should strictly abide by Chinese laws and regulations.”

Some ByteDance executives saw the comment as reinforcing Beijing’s message to the company that it would face regulatory hurdles if it sought to divest TikTok. Last year, China warned that a sale or divestiture of TikTok would involve exporting technology and must be approved by the government. (Raffaele Huang / Wall Street Journal)

The US has introduced a resolution at the United Nations promoting “safe, secure and trustworthy” artificial intelligence systems, an effort to align global regulations intended to address legal, national security, and human rights concerns over the technology’s rapid expansion.

The proposal to the General Assembly encourages members to support “responsible and inclusive” AI development through domestic regulations and governance. The resolution, which is co-sponsored by more than 50 nations, would be nonbinding.

It calls for creating “effective safeguards” for using AI, including physical and security systems and risk management. The draft also “encourages the private sector to adhere to applicable international and domestic laws.”

The US draft also focuses on closing the gaps between richer and poorer countries. It calls on UN members to “urgently” engage with developing nations on issues such as technology transfers, technical assistance, and financing. It doesn’t cover the military use of AI. (Augusta Saraiva / Bloomberg)

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites, but an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus and that its founder has launched dozens of people-search services over the years.

Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

Onerep.com says its founder and CEO is Dimitri Shelest from Minsk, Belarus, as does Shelest’s profile on LinkedIn. Historic registration records indexed by DomainTools.com say Mr. Shelest was a registrant of onerep.com who used the email address [email protected].

Following a trail of domain registration breadcrumbs indicates that Shelest may have ties to Spamit, once the largest Russian-language pharmacy spam affiliate program in the world, which paid spammers a hefty commission every time someone bought male enhancement drugs from any of their spam-advertised websites. (Brian Krebs / Krebs on Security)

Russian cybersecurity firm FACCT reports that SIM swappers in the country and worldwide have been taking advantage of a shift to eSIMs to hijack phone numbers and bypass protections to access bank accounts.

Embedded Subscriber Identity Modules (eSIMs) are digital cards stored on the mobile device's chip. They serve the same role and purpose as a physical SIM card but can be remotely reprogrammed, provisioned, deactivated, swapped, or deleted.

FACCT's Fraud Protection said it had recorded more than a hundred attempts to access clients' personal accounts in online services at just one financial organization. (Bill Toulas / Bleeping Computer)

Researchers at SonicWall say they have spotted a new variant of StopCrypt ransomware (aka STOP) in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.

StopCrypt, also known as STOP Djvu, is the little-known but most widely distributed ransomware. It is commonly distributed via malvertising and shady sites that distribute adware bundles disguised as free software, game cheats, and software cracks.

The new variant uses a multi-stage execution mechanism that starts by loading a seemingly unrelated DLL file (msim32.dll), possibly as a diversion. It also implements a series of long time-delaying loops that may help bypass time-related security measures.

It ends with a payload that secures persistence for the ransomware, modifies access control lists (ACLs) to deny users permission to delete important malware files and directories, and creates a scheduled task to execute the payload every five minutes. (Bill Toulas / Bleeping Computer)


StopCrypt ransom note. Source: SonicWall.

Google has added real-time browsing protection to Chrome, which it claims should protect user privacy with an enhanced opt-in browsing mode.

The new feature uses Google’s Safe Browsing server-side database, which quickly catches unsafe URLs in real time. Yet users must provide Google with more security-related data for full protection, which is why it’s an opt-in mode.

The feature, which Google says hides users’ visited URLs, is now available in the default standard mode of Safe Browsing on Chrome. (Sheena Vasani / The Verge)

Source: Google.

Web traffic management firm BotGuard OU announced it had raised €12 million ($13.1 million) in a Series A venture funding round.

MMC Ventures led the round with additional investment from Tera Ventures, Expeditions Fund, and angel investors. (Ionut Arghire / Security Week)

Redcoat AI, which uses AI innovations to build defenses against sophisticated cybersecurity attacks, emerged from stealth mode backed by $4.24 million in venture funding.

Pear VC led the round with participation from Leonis Capital, Sancus Ventures, Kyber Knight, and others. (Amit Chowdhry / Pulse 2.0)

Ballistic Ventures announced the close of its oversubscribed $360 million second fund.

The firm said that this second round, which follows an earlier $300 million round, reinforces its commitment to exclusively fund and incubate entrepreneurs and innovations shaping the future of our cybersecurity. (Julie Bort / TechCrunch)

US cybersecurity company Zscaler announced that it is acquiring early-stage Israeli cybersecurity startup Avalor for $350 million.

Avalor, which has developed a platform for managing the enterprise data required by security managers, was founded two years ago and has raised just $30 million to date. It is almost unique in Israel's cybersecurity sector in that its founders did not come from one of the IDF intelligence units that specialize in the field. (Assaf Gilead / Globes)

Best Thing of the Day: Just in the Nick of Time

The League of Women Voters filed a lawsuit seeking to prevent Lingo Telecom and Life Corporation, which sent robocalls mimicking President Joe Biden’s voice to New Hampshire voters, from using artificial intelligence for future deceptions.

Worst Thing of the Day: Dishonoring Swartz’s Legacy

Harry Halpin, CEO of privacy infrastructure company Nym Technologies, argues in an op-ed that the late great Aaron Swartz, the co-founder of Reddit, would be spinning in his grave if he knew about Reddit’s $60 million deal to sell its users’ real-time data to train Google’s AI models.

Closing Thought

Illustration: First Dog on the Moon/The Guardian