US Accuses China of Multiple Telecom Networks Breach Affecting Government Officials

Delhi cops bust WazirX hack suspect, S. Korea busts 215 in crypto scam, Embargo gang claims attack on US pharmacy organization, CIA official charged for leaking top-secret docs, Google rolls out real-time Pixel scam detection. Bitdefender releases ShrinkLocker decryptor, much more

Photo by Pixabay.

Sponsor Message

Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.


In a joint statement, CISA and the FBI confirmed that Chinese hackers compromised the "private communications" of a "limited number" of government officials after breaching multiple US broadband providers.

The attackers also stole other information from the companies' compromised systems, including information related to customer call records and law enforcement requests.

"Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data," the agencies said.

They added that the attackers also compromised the "private communications of a limited number of individuals who are primarily involved in government or political activity" and stole "certain information that was subject to US law enforcement requests pursuant to court orders."

This comes after CISA and the FBI confirmed the hack in late October after reports that a Chinese hacking group tracked as Salt Typhoon (aka Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286) breached multiple broadband providers, including AT&T, Verizon, and Lumen Technologies.

The joint statement also confirms reports that the threat group had access to US federal government systems used for court-authorized network wiretapping requests. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, The Register, Bloomberg, Politico, PCMag, Reuters, Associated Press, Voice of America, TechCrunch

In a breakthrough in the investigation of a $235 million hack on the WazirX cryptocurrency exchange, Delhi Police arrested a man from the Bengal region suspected of involvement in the theft.

According to a charge sheet, the breach didn’t arise from internal system vulnerabilities. It was executed through a fake account sold via Telegram to a third party who exploited it.

During the investigation, WazirX reportedly cooperated by providing hardware, Know Your Customer records, and transaction logs required for the inquiry. The chargesheet also said that the hackers accessed WazirX’s multisignature wallet, depleting it of crypto tokens valued at $235 million.

According to the chargesheet, the suspect disclosed that a “buyer of crypto account through Telegram” offered him a “good amount” for WazirX crypto accounts.

The Indian Cyber Crime Coordination Centre (IFSO) confirmed that WazirX’s internal systems were uncompromised, offering validation of the exchange’s security measures, which had faced scrutiny. (Josh O'Sullivan / Cointelegraph)

Related: INC42, Times of India, 99Bitcoins, The Cyber Express, CoinGape, Cryptonews, BeInCrypto, The Crypto Times

South Korean police arrested 215 people on suspicion of stealing 320 billion won ($228.4 million) in the country's biggest cryptocurrency investment scam.

Gyeonggi Nambu Provincial Police said the arrests included the alleged mastermind of the organized crime group accused of selling 28 virtual tokens to about 15,000 people by promising high returns.

Police said the group had issued six of the 28 tokens on overseas crypto exchanges and managed a team of market makers to push up prices. Police described the tokens as "worthless."

The police statement said the group had set up investment consulting companies and sales teams to sell the virtual assets to people who subscribed to a YouTube channel. (Cynthia Kim / Reuters)

Related: Cryptonews, Coinspeaker, CryptoSlate, Coinpedia Fintech News, CoinDesk, The Guardian, Cointelegraph, The Block

The Embargo ransomware operation claimed responsibility for allegedly stealing 1.469 TB from US healthcare organization American Associated Pharmacies (AAP).

Embargo's own site claims AAP paid $1.3 million to have its systems decrypted and is demanding an additional $1.3 million to keep a lid on the stolen documents.

Although AAP hasn't confirmed the attack, its website warns that all user passwords were recently force reset. It does not explain why the resets were forced or mention a cyberattack.

The notice also states that API Warehouse, an AAP subsidiary devoted to helping partners save on branded and generic prescription drugs through wholesale buying plans, had some nondescript inventory issues, which are now resolved.

In an unusual twist for a ransomware group, in a number of cases, Embargo has listed the names, email addresses, and phone numbers of key figures in the organization that it believes hindered the payment and negotiation process. (Connor Jones / The Register)

Related: TweakTown

Statement on AAP website. Source: The Register.

According to court documents and sources, CIA official Asif William Rahman has been charged with leaking top-secret classified documents that last month revealed information about Israel’s plans for a military strike against Iran.

He was arrested in Cambodia on Tuesday and transported to a federal court in Guam to be charged. He was indicted last week in federal court in Virginia on two counts of willful transmission of national defense information, charges that can result in years in prison.

Court documents say Rahman possessed a top-secret security clearance and had access to sensitive compartmented information. The documents don’t state that he worked at the Central Intelligence Agency, but people familiar with the matter confirmed his employment there. 

One of the people said Rahman worked for the CIA overseas in Cambodia and elsewhere. What sort of work he did for the agency isn't publicly known. According to court charging papers, Rahman has previously lived in eastern Virginia. (Dustin Volz and Warren P. Strobel / Wall Street Journal)

Related: CNN, Associated Press, The Hill, Al Jazeera, Newsweek

Google is rolling out real-time Scam Detection for phone calls on Pixel devices.

Scam Detection listens for “conversation patterns commonly associated with scams.” Once recognized, an audio and haptic alert will prompt you to look at your phone for a “Likely scam” visual warning. “Suspicious activity detected for this call” is accompanied by an “End call” button or the ability to mark “Not a scam.”

Gemini Nano powers Scam Detection on the Pixel 9 series. Thanks to “other robust Google on-device machine learning models,” this safety feature is also available on the Pixel 6-8a.

Google says, “No conversation audio or transcription is stored on the device, sent to Google servers or anywhere else, or retrievable after the call.” Scam Detection is off by default and has to be enabled by the user. It can be disabled from Phone app settings, with the option to turn it off “during a particular call.” (Abner Li / 9to5Google)

Related: The Verge, Google Online Security Blog, Android Headlines, Android Police, How-To Geek, PhoneArena, Forbes, Droid Life, Android Faithful, Android Authority, BleepingComputer

Source: Google.

Researchers at watchTowr Labs are publicizing a proof of concept (PoC) exploit for an unauthenticated remote code execution (RCE) vulnerability in Citrix's Virtual Apps and Desktops.

The exploit can be carried out using only an HTTP request, handing an attacker system privileges on the vendor's virtual desktop infrastructure (VDI) product.

The vulnerability lies in Virtual Apps and Desktops' Session Recording Manager feature, which records a video stream of any user's session, keystrokes, and mouse movements. This feature is ideal for monitoring, troubleshooting, compliance, etc. 

Citrix has urged customers to install hotfixes and rejects watchTowr's assertion that the vulnerability can be described as an unauthenticated RCE.

"Please note that based on the analysis by the security team, this is not an unauthenticated RCE. It is an authenticated RCE that can be done only as a NetworkService account," said a spokesperson.

Citrix reportedly plans to publish a blog post later today outlining exactly why it disagrees with the researchers at watchTowr. (Connor Jones / The Register)

Related: WatchTowr Labs, Citrix, SC Media, CSO Online, Dark Reading, Infosecurity Magazine

Alan Winston Filion, an 18-year-old from Lancaster, California, has pleaded guilty to federal charges stemming from a nationwide spree of hundreds of shooting and bomb threat hoaxes that sent police scrambling to high schools, courthouses, and the homes of law enforcement officials.

Filion was arrested and extradited early this year to Seminole County, Florida. At the time, state prosecutors charged Filion with four state-level felony counts stemming from a single incident in which, prosecutors allege, Filion told a Sanford Police Department dispatcher that he was armed with pipe bombs and an AR-15 rifle and was walking into Masjid Al Hayy Mosque to kill everyone he saw.

Authorities believe Filion operated online as “Torswats.” He has been in jail for nearly a year without a trial and entered a plea of not guilty to the state charges.

The federal charges announced on Wednesday, along with interviews from people connected to the investigation and Filion himself, allege his swatting activities reached far beyond Florida’s borders.

Filion now faces a maximum penalty of five years in prison for each of four counts of making interstate threats to injure the person of another. (Dhruv Mehrotra / Wired)

Related: Justice Department, Los Angeles Times, Click Orlando

Bitdefender released a decryptor for the 'ShrinkLocker' ransomware strain, which uses Windows' built-in BitLocker drive encryption tool to lock victims' files.

Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize an attack's damage.

According to Bitdefender's analysis, the malware appears to have been repurposed from benign ten-year-old code using VBScript, and it leverages generally outdated techniques.

The researchers note that ShrinkLocker's operators seem low-skilled. They use redundant code and typos, leave behind reconnaissance logs in text files, and rely on readily available tools.

In its latest report, Bitdefender highlights a ShrinkLocker attack against a healthcare organization where attackers encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups. (Bill Toulas / Bleeping Computer)

Related: The Record, Bitdefender, HackRead, The Register

Anatomy of a ShrinkLocker attack. Source: Bitdefender.
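Because ShrinkLocker drives a legitimate Windows component (BitLocker) from VBScript rather than dropping a custom encryptor, file-hash detection is of little use; the telemetry that does stand out is a script host launching BitLocker's command-line tool with state-changing switches. The following detector is an added example, not Bitdefender's or Kaspersky's code, and the log format, host names and command lines are constructed for illustration; the exact commands ShrinkLocker issues are not given on this page, so the rules key on manage-bde.exe switches that change encryption state (-on, -off, -protectors, and so on) rather than on any specific strain.

```python
"""Added example: flag script-driven BitLocker activity in process-creation logs.

Constructed log format (an assumption, not a real product format):
    <time>|<host>|<parent image path>|<new process image path>|<command line>
In practice these fields come from Windows Security event 4688 or Sysmon event 1.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

# VBScript hosts; powershell.exe could be added for PowerShell-driven variants.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# manage-bde switches that change encryption state rather than just query it
# (-status, -computername and similar read-only switches deliberately excluded).
BDE_MUTATING = re.compile(r"(?i)\s-(on|off|protectors|changepin|changepassword|forcerecovery)\b")

# Constructed sample telemetry: two hosts, one mid-attack, one doing admin work.
SAMPLE_LOG = r"""
2024-11-13T02:11:04Z|SRV-FILE01|C:\Windows\System32\cscript.exe|C:\Windows\System32\manage-bde.exe|manage-bde -protectors -delete C:
2024-11-13T02:11:06Z|SRV-FILE01|C:\Windows\System32\cscript.exe|C:\Windows\System32\manage-bde.exe|manage-bde -on C: -UsedSpaceOnly -RecoveryPassword
2024-11-13T02:11:09Z|SRV-FILE01|C:\Windows\System32\cscript.exe|C:\Windows\System32\cmd.exe|cmd /c echo %COMPUTERNAME% >> C:\ProgramData\recon.txt
2024-11-13T09:30:00Z|WS-ADMIN07|C:\Windows\explorer.exe|C:\Windows\System32\manage-bde.exe|manage-bde -status C:
2024-11-13T09:31:15Z|WS-ADMIN07|C:\Windows\System32\svchost.exe|C:\Windows\System32\wscript.exe|wscript //nologo C:\Scripts\inventory.vbs
2024-11-13T09:40:42Z|WS-ADMIN07|C:\Windows\System32\cmd.exe|C:\Windows\System32\manage-bde.exe|manage-bde -protectors -delete D:
"""


@dataclass(frozen=True)
class Event:
    time: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    rule: str
    cmdline: str


def parse_events(log_text: str) -> Iterator[Event]:
    """Yield one Event per well-formed line; malformed lines are skipped, not fatal."""
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("|", 4)
        if len(parts) != 5:
            continue
        yield Event(*parts)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, so rules are path-independent."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> list[Alert]:
    """Apply two rules to every process-creation event.

    script_host_drives_bitlocker: cscript/wscript launching manage-bde.exe with a
        state-changing switch. Legitimate deployments use GPO, MDM or an admin
        shell, so a script host as the parent is the high-confidence signal.
    bitlocker_protectors_deleted: any process removing key protectors. Lower
        confidence on its own, but it is the step that lets an attacker replace
        the recovery material with a key only they hold.
    """
    alerts: list[Alert] = []
    for ev in parse_events(log_text):
        parent, image = basename(ev.parent), basename(ev.image)
        if image != "manage-bde.exe" or not BDE_MUTATING.search(ev.cmdline):
            continue
        lowered = ev.cmdline.lower()
        if parent in SCRIPT_HOSTS:
            alerts.append(Alert(ev.time, ev.host, "script_host_drives_bitlocker", ev.cmdline))
        elif "-protectors" in lowered and "-delete" in lowered:
            alerts.append(Alert(ev.time, ev.host, "bitlocker_protectors_deleted", ev.cmdline))
    return alerts


def hosts_at_risk(alerts: list[Alert]) -> dict[str, int]:
    """Alert count per host, for triage ordering."""
    return dict(Counter(a.host for a in alerts))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.time} {alert.host} {alert.rule}: {alert.cmdline}")
    print(hosts_at_risk(detect(SAMPLE_LOG)))
```

Run against the constructed sample, the detector raises two high-confidence alerts for SRV-FILE01 (protectors deleted, then encryption turned on, both from cscript.exe) and one lower-confidence alert for WS-ADMIN07, while the read-only manage-bde -status query and the unrelated inventory script produce nothing. The recon.txt line is left unflagged on purpose: echo-to-text-file is far too common to alert on alone, but it is the kind of artifact worth pulling during triage once a host is already flagged.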

A trader who recently revealed they had lost $26 million back in June after copying in the wrong deposit address says the experience has been “max pain.”

Pseudonymous crypto investor qklpjeth said they accidentally transferred 7,912 Renzo restaked ETH (ezETH), worth $26.4 million at current prices, to a Safe contract address on June 19.

Unfortunately, they said they entered the incorrect address and sent the funds to a Safe module instead of their own Safe, meaning that the tokens were “locked and unable to be withdrawn.”

While the mishap occurred nearly five months ago, they only recently called out to white hat hackers on X after exhausting all the traditional avenues for recovering their funds.

Qklpjeth said they asked for help publicly in the hope that someone would be able to identify and exploit a smart contract bug that would allow them to recover their funds in full. In addition, they are offering ethical hackers a $2.6 million reward to get their money back. (Tom Mitchelhill / Cointelegraph)

Related: Web3IsGoingJustGreat

Andreu Van den Eynde, an attorney and university professor specializing in cybersecurity, was allegedly hacked with government-grade spyware made by the infamous surveillance tech maker NSO Group and filed a court complaint against two of the company’s founders and one executive.

The Barcelona-based human rights nonprofit Iridia, which represents Van den Eynde, announced that it had filed a complaint in a Catalan court accusing NSO’s founders Omri Lavie and Shalev Hulio, as well as Yuval Somekh, an executive of two affiliate companies, of hacking crimes.

According to a 2022 investigation by Citizen Lab, a nonprofit that has been investigating government spyware for more than a decade, Van den Eynde was among the victims of a wide-ranging hacking campaign against at least 65 Catalans linked to the region’s attempts to become independent from Spain. The campaign was carried out using NSO’s Pegasus software. Amnesty International independently confirmed Citizen Lab’s findings.

Van den Eynde and Iridia filed a lawsuit against NSO in a Barcelona court in 2022. Until this week, the lawsuit named NSO and Osy Technologies and Q Cyber Technologies, two Luxembourg-based affiliates of NSO, as defendants. Today, the nonprofit and the lawyer asked the judge presiding over the lawsuit to expand it to include Lavie, Hulio, and Somekh. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Infosecurity Magazine

According to sources, Amazon discontinued a secretive effort to develop an at-home fertility tracker as part of a project codenamed “Encore" in the company's moonshot incubator, Grand Challenge.

In October, Amazon told people working on the tracker that it was disbanding the team. Those being laid off will remain on Amazon’s payroll until Dec. 27 but won’t be expected to work during that time.

If staffers don’t secure another job by that date, Amazon will provide them with a “lump sum” severance payment equal to one week of salary for every six months of tenure at the company. (Annie Palmer / CNBC)

Related: Benzinga, CNBC, NewsBytes, TechCrunch

A group of scientists at the University of Pennsylvania has identified security vulnerabilities in robots controlled by large language models (LLMs) and has developed RoboPAIR, an algorithm designed to attack any LLM-controlled robot.

So-called jailbreaking attacks discover ways to develop prompts that can bypass LLM safeguards and fool the AI systems into generating unwanted content, such as instructions for building bombs, recipes for synthesizing illegal drugs, and guides for defrauding charities.

In experiments with three different robotic systems (the Go2, the wheeled ChatGPT-powered Clearpath Robotics Jackal, and Nvidia's open-source Dolphins LLM self-driving vehicle simulator), they found that RoboPAIR needed just days to achieve a 100 percent jailbreak rate against all three systems.

One finding the scientists found concerning was how jailbroken LLMs often went beyond complying with malicious prompts by actively offering suggestions. For example, when asked to locate weapons, a jailbroken robot described how everyday objects like desks and chairs could be used to bludgeon people. (Charles Q. Choi / IEEE Spectrum)

Related: RoboPAIR, arXiv

Best Thing of the Day: Name the Three Main Chinese State Cyber Actors

Sekoia has mapped out the ecosystem behind Chinese state-sponsored cyber threats in a 40-page report.

Bonus Best Thing of the Day: This Is What You Get for Being a Dark Overlord

Chief Judge Timothy C. Batten of the US District Court for the Northern District of Georgia sentenced Robert A. Purbeck, a former information technology specialist for Ada County, Idaho, who went by the aliases “Lifelock,” “Studmaster,” and “Studmaster1,” to ten years in prison followed by three years of supervised release and restitution of $1,048,702.98 for hacking medical offices and threatening his victims if they didn’t pay his ransom demands.

Worst Thing of the Day: The Only Thing Worse Would Be If Matt Gaetz Were Nominated as Attorney General

Donald Trump has nominated former Representative Tulsi Gabbard, a well-recognized national security risk, as the director of national intelligence.

Bonus Worst Thing of the Day: 123456 Why Can't I Quit You

For the sixth year in a row, "123456" has ranked number one among the world's most-used passwords, with over three million people opting for this ridiculously easy-to-crack password.

Closing Thought