US and Microsoft Seized 107 Sites Used by FSB Threat Group Star Blizzard

UK nuclear firm Sellafield fined for cyber shortfalls, Chinese nationals sentenced for scamming 6,000 fake iPhones, NK's Shrouded Sleep targets SE Asian allies, Newsom signed neural data privacy law, Linux boxes popped by Perfctl malware, Cloudflare records biggest DDoS attack ever, much more


Check out our sponsor, Anchore, who helped bring you today's issue:

Anchore enables organizations to secure software supply chains and automate compliance to save time and reduce risk. Built for cloud-native applications and air-gapped environments, organizations can generate SBOMs and fix vulnerabilities while maintaining continuous government and industry compliance.


According to the Department of Justice and the tech giant, the US government and Microsoft seized 107 websites used by Russian intelligence agents and their proxies in the US that are part of a group that Microsoft calls Star Blizzard.

The Justice Department seized 41 internet domains used to commit computer fraud and abuse in the US, while Microsoft seized another 66 under a civil action, they said. The US and allies say Star Blizzard works for the Russian Federal Security Service (FSB) and has been active since at least 2016.

According to Steven Masada, assistant general counsel of Microsoft's Digital Crimes Unit, Star Blizzard attacked Microsoft customers using email campaigns containing phishing links to extract sensitive information and interfere in their activities. He said that Microsoft identified more than 30 targets, including journalists, think tanks, and non-governmental organizations.

According to the government's affidavit, US-based companies, former employees of the US intelligence community, personnel at US defense contractors, and officials at the Departments of Defense, State, and Energy were also targeted.

Microsoft said that Star Blizzard’s ability to adapt and obfuscate its identity presents a continuing challenge for cybersecurity professionals. Once their active infrastructure is exposed, they swiftly transition to new domains to continue their operations.

For example, on August 14, 2024, The Citizen Lab of the University of Toronto’s Munk School and digital rights group Access Now, a nonprofit member of NGO-ISAC, which filed a declaration in support of this civil action, published a comprehensive research paper highlighting the persistent threat posed by this actor.

The US in December indicted two Russian nationals, alleging they were members of the group and had stolen information used in foreign malign influence campaigns designed to influence the UK’s 2019 elections on behalf of the Russian government.

The FSB-affiliated group remains active, but Masada said that the takedowns would slow them down by forcing attackers to dedicate time and resources to updating their techniques. According to the company, Microsoft’s Digital Crimes Unit has previously filed 28 lawsuits to enable similar takedowns.

Masada said the group is meticulous in studying high-value targets and develops personalized online relationships to gain their trust before sending infected links intended to steal the victim’s passwords and other information. One successful phishing email from 2022, published in redacted form by Microsoft, included an attachment that the unidentified sender encouraged recipients to open, describing it as guidance for improving cybersecurity. (Katrina Manson / Bloomberg)

Related: Microsoft On the Issues, US Department of Justice, The Record, Access Now, The Register, PCMag, CNN, SiliconANGLE, CRN, Associated Press, The Hill, Nextgov/FCW, BankInfoSecurity.com, ComputerWeekly.com, NBC Bay Area, SecurityWeek, The Citizen Lab, CyberScoop, BleepingComputer, CBS News, AFP, TechRadar, Notice of Pleadings

The UK's Office for Nuclear Regulation (ONR) fined nuclear waste processing firm Sellafield Ltd 332,500 pounds ($440,795) for cybersecurity shortfalls over four years.

According to the regulator, the vast nuclear waste dump in Cumbria exposed information that could threaten national security for four years. It was also found that 75% of its computer servers were vulnerable to cyber-attacks.

Westminster magistrates' court in London heard on Wednesday that Sellafield had failed to protect vital nuclear information. Chief magistrate Paul Goldspring said that after considering Sellafield’s guilty plea and its public funding model, he would fine it £332,500 for cybersecurity breaches and £53,200 for prosecution costs.

The state-owned company has already apologized for the cybersecurity failings. It pleaded guilty to the charges, brought by the Office for Nuclear Regulation (ONR) in June, which relate to IT security offenses spanning the four years from 2019 to 2023. (Anna Isaac and Alex Lawson / The Guardian)

Related: The Record, Infosecurity Magazine, ITPro, BBC News, Reuters, NucNet, Financial Times, SC Media UK, New Civil Engineer, Teiss

The US Justice Department announced that two Chinese nationals, Haotian Sun and Pengfei Xue, were sentenced to prison for scamming Apple out of more than $2.5 million after exchanging over 6,000 counterfeit iPhones for authentic ones.

Between July 2017 and December 2019, the two men and their co-conspirators, Wen Jin Gao and Dian Luo, exploited Apple's device replacement policy to replace non-functioning fake iPhones with genuine devices.

The counterfeit iPhones were shipped from Hong Kong to commercial mail receiving agency (CMRA) mailboxes in United Parcel Service (UPS) stores in the United States. The recipients opened the mailboxes using their university identification cards and driver's licenses.

The investigators discovered that they submitted fake iPhones with spoofed IMEIs and serial numbers to Apple retail stores and Authorized Service Providers.

Apple sent them replacement iPhones via private and commercial interstate carriers (including FedEx, DHL, and UPS). The devices were then shipped back to Hong Kong, where they were sold, and the proceeds were shared among the conspirators.

U.S. postal inspectors arrested Sun and Xue in December 2019, and they were both convicted of mail fraud and conspiracy to commit mail fraud in February. (Sergiu Gatlan / Bleeping Computer)

Related: Justice Department, TechCrunch, Cult of Mac, WUSA9, Times of India, PCMag, Infosecurity Magazine

Researchers at Securonix reported that North Korean government hackers have targeted several Southeast Asian countries, even perceived allies like Cambodia, in a year-long malware campaign they call Shrouded Sleep, designed to create backdoors into systems at essential organizations.

Securonix did not name or describe the victim organizations in detail, but they are inundated with phishing emails containing malware in a zip file. The attached backdoor, which they named VeilShell, “allows the attacker full access to the compromised machine.”

“Some features include data exfiltration, registry, and scheduled task creation or manipulation,” they said.

The researchers said that the threat actors were quite patient and methodical overall. Each attack stage features very long sleep times to avoid traditional heuristic detections. Once VeilShell is deployed, it doesn’t execute until the next system reboot.

The files within the zip are made to look legitimate: they end in .pdf.lnk or .xlsx.lnk and typically carry fake shortcut icons to match the extension.

The researchers said each shortcut file they analyzed contained a lure document — an Excel file in one case and a PDF in another — opened to distract the user while the malware was dropped in the background.

Securonix shared one of the lure documents, written in Khmer, the national language of Cambodia.

The researchers said the document relates income across economic sectors. “The document is rather uninteresting and is not malicious in any way. Its sole purpose is to present something legitimate to the user. This way, the intended action (clicking an Excel file) produces an expected result,” they said. (Jonathan Greig / The Record)

Related: Securonix, Dark Reading

Shrouded Sleep attack chain. Source: Securonix.

California Gov. Gavin Newsom on Saturday signed into law legislation that protects the privacy of neural data, the information collected from the brain, spinal cord, or nervous system.

Rafael Yuste, who is a professor of neuroscience and the director of the NeuroTechnology Center at Columbia University, said that absent strong regulation, data brokers could soon be able to sell neural data they have harvested and stored in databases cataloging individuals and their “brain fingerprints” on a mass scale.

Inspired to launch an organization dedicated to protecting humans' neural data, Yuste partnered with a prominent human rights lawyer to establish the NeuroRights Foundation in 2021 and has since engaged with lawmakers nationwide on the need for regulation.

Under California's law, consumers can now request, erase, correct, and limit what neural data companies collect about them. 

Colorado Gov. Jared Polis signed the nation’s first such law in April.

Yuste played a key role in passing the California and Colorado laws and said he is now speaking with legislators in four other states about passing similar measures. At his urging, Sen. Maria Cantwell (D-WA) has included a neural data privacy provision in the latest draft of a comprehensive data privacy bill she introduced in April, Yuste said. (Suzanne Smalley / The Record)

Related: MIT Tech Review, Bloomberg Law, PC Mag, ExtremeTech

Researchers at Aqua Security report that thousands of machines running Linux have been infected by a malware strain they call Perfctl, notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets.

It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform found on many Linux machines.

Perfctl is the name of a malicious component that secretly mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command-line tools. A signature characteristic of Perfctl is its use of processes and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools.

While some antivirus software detects Perfctl and some of the malware it installs, Aqua Security researchers could not find any research reports on the malware. However, they could find a wealth of threads on developer-related sites that discussed infections that were consistent with it. (Dan Goodin / Ars Technica)

Related: Aqua, ChannelE2E, TechTarget, Bleeping Computer, HackRead

Source: Aqua Security.

Researchers at Group-IB report that fake trading apps on Google Play and Apple's App Store lure victims into “pig butchering” scams with a global reach.

The fraudulent apps, which Group-IB categorizes under the “UniShadowTrade” malware family, are built using the UniApp framework and were first spotted in May.

After accumulating several thousand downloads, the apps have been removed from the official Android and iOS stores. Their names are SBI-INT (iOS), Finans Insights (Android), and Finans Trader6 (Android). The download counter for the last two shows that they were downloaded 5,000 times.

Group-IB also warns that the UniShadowTrade apps can mimic various legitimate cryptocurrency and trading platforms, providing an extensive list of potential names that could be used in impersonation attempts.

According to the researchers, the fraudsters groomed their victims in conversations over dating apps and used social engineering to gain their trust.

The apps requested that users upload several documents, such as national IDs and passports, to legitimize the investment process and further empower threat actors with sensitive information theft. (Bill Toulas / Bleeping Computer)

Related: Group-IB, TechRadar, HackRead, MSSP Alert, Cybernews

Source: Group-IB.

Researchers at security firm Permiso Security say that organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services.

The researchers say these illicit chatbots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape.

Permiso found attackers had seized on stolen AWS credentials to interact with the large language models (LLMs) available on Bedrock. However, they also soon discovered none of these AWS users had enabled full logging of LLM activity (by default, logs don’t include model prompts and outputs), and thus, they lacked any visibility into what attackers were doing with that access.

So Permiso researchers decided to leak their own test AWS key on GitHub while turning on logging so that they could see exactly what an attacker might ask for and what the responses might be.

Within minutes, their bait key was scooped up and used in a service that offers AI-powered sex chats online. (Brian Krebs / Krebs on Security)
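The visibility gap Permiso describes is a logging configuration. The following audit helper is an added example, not Permiso's or Krebs's code; it assumes the response shape of boto3's `bedrock` client `get_model_invocation_logging_configuration` call (`loggingConfig` with `cloudWatchConfig`, `s3Config` and the `*DataDeliveryEnabled` flags) and runs offline against constructed sample configurations.

```python
"""Audit an Amazon Bedrock model-invocation logging configuration.

Added example, not code from Permiso or Krebs on Security. It assumes the
response shape of boto3's bedrock GetModelInvocationLoggingConfiguration
call: {"loggingConfig": {"cloudWatchConfig": {...}, "s3Config": {...},
"textDataDeliveryEnabled": bool, ...}}. No AWS call is made; the
configurations below are constructed samples.
"""
from __future__ import annotations

from typing import Any


def audit_invocation_logging(response: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means prompts and completions would be
    captured for later incident review."""
    findings: list[str] = []
    cfg = response.get("loggingConfig")
    if not cfg:
        # An empty response means logging was never configured: the state
        # Permiso found, with no record of what attacker prompts were sent.
        return ["model invocation logging is not configured"]

    has_cw = bool(cfg.get("cloudWatchConfig", {}).get("logGroupName"))
    has_s3 = bool(cfg.get("s3Config", {}).get("bucketName"))
    if not (has_cw or has_s3):
        findings.append("no CloudWatch log group or S3 bucket destination")

    # Text delivery is what puts prompts and model outputs into the log.
    if not cfg.get("textDataDeliveryEnabled", False):
        findings.append("textDataDeliveryEnabled is false: prompts and outputs are not logged")
    if not cfg.get("imageDataDeliveryEnabled", False):
        findings.append("imageDataDeliveryEnabled is false: image inputs/outputs are not logged")
    large = cfg.get("cloudWatchConfig", {}).get("largeDataDeliveryS3Config", {})
    if has_cw and not large.get("bucketName"):
        findings.append("no largeDataDeliveryS3Config: large payloads are not delivered alongside CloudWatch")
    return findings


def recommended_logging_config(log_group: str, role_arn: str, bucket: str) -> dict[str, Any]:
    """Build the loggingConfig argument for put_model_invocation_logging_configuration
    that captures full text, image and embedding payloads."""
    return {
        "cloudWatchConfig": {
            "logGroupName": log_group,
            "roleArn": role_arn,
            "largeDataDeliveryS3Config": {"bucketName": bucket, "keyPrefix": "bedrock-large/"},
        },
        "s3Config": {"bucketName": bucket, "keyPrefix": "bedrock-invocations/"},
        "textDataDeliveryEnabled": True,
        "imageDataDeliveryEnabled": True,
        "embeddingDataDeliveryEnabled": True,
    }


# Constructed samples: an account with no logging configured and a hardened one.
NOT_CONFIGURED: dict[str, Any] = {"ResponseMetadata": {"HTTPStatusCode": 200}}
HARDENED: dict[str, Any] = {"loggingConfig": recommended_logging_config(
    "/aws/bedrock/invocations", "arn:aws:iam::123456789012:role/BedrockLogging", "example-bedrock-logs")}

if __name__ == "__main__":
    for name, resp in (("not configured", NOT_CONFIGURED), ("hardened", HARDENED)):
        print(name, "->", audit_invocation_logging(resp) or ["ok"])
```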

Related: Permiso

Source: Permiso via Krebs on Security.

Buck Shlegeris, CEO at Redwood Research, a nonprofit studying AI's risks, recently asked his LLM-powered agent to open a secure connection from his laptop to his desktop machine.

He discovered that after the LLM found the computer, it decided to continue taking action, first examining the system and then deciding to do a software update, which it then botched.

He created his AI agent himself. It's a Python wrapper consisting of a few hundred lines of code that allows Anthropic's powerful large language model Claude to generate some commands to run in bash based on an input prompt, run those commands on Shlegeris' laptop, and then access, analyze, and act on the output with more commands.

Once Shlegeris's AI agent established a secure shell connection to the Linux desktop, it decided to play sysadmin and install a series of updates using the package manager Apt. Then, things went wrong.

"It looked around at the system info, decided to upgrade a bunch of stuff, including the Linux kernel, got impatient with Apt, and so investigated why it was taking so long then eventually the update succeeded but the machine doesn’t have the new kernel so edited my Grub [bootloader] config," he explained.

"At this point I was amused enough to just let it continue. Unfortunately, the computer no longer boots."

Indeed, the bot got as far as messing up the boot configuration, so following a reboot by the agent for updates and changes to take effect, the desktop machine wouldn't successfully start. (Thomas Claburn / The Register)

Related: Decrypt, The Crypto Times, Neowin, WinBuzzer

Web performance and security firm Cloudflare recently mitigated another record-breaking DDoS attack, which, according to Matthew Prince, the company’s CEO, peaked at 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Pps).

The attack was aimed at an unidentified customer of an unnamed hosting provider that uses Cloudflare services.

The previous volumetric DDoS record was set in late 2021 when Microsoft saw an attack that peaked at 3.47 Tbps and a packet rate of 340 million Pps. The biggest attack previously seen by Cloudflare peaked at 2.6 Tbps.

In terms of network protocol attacks, cloud provider OVHcloud reported seeing a record-breaking attack peaking at 840 million Pps in July 2024. (Eduard Kovacs / Security Week)

Related: Cloudflare, SC Magazine, The Stack, r/cybersecurity, Security Affairs, Bleeping Computer, PC Perspective, CSO Online

According to data from IANS Research and recruitment firm Artico, nearly 700 CISOs in the US and Canada have found their pay has risen over the past year to an average of $565,000 and a median of $403,000, with the top 10 percent of execs pulling in over $1 million.

The data showed that the most effective way to boost CISO pay was to switch jobs, or at least threaten to, and get a counteroffer from the original employer. Both moves brought an average compensation increase of 31 percent. By contrast, just doing your job and getting an annual raise would increase the average compensation by 6.3 percent, according to data from IANS Research and recruitment firm Artico.

However, fewer CISOs are considering this route. This fifth annual survey found that staff turnover has nearly halved since the heady days of 2022, when 21 percent of those surveyed had moved jobs in the previous 12 months. (Iain Thomson / The Register)

Related: IANS Research, PR Newswire, MSSP Alert, Security Week

Source: IANS Research.

Republican Texas Attorney General Ken Paxton sued TikTok for sharing and selling minors’ personal information, violating a new state law that seeks to protect children who are active on social media, accusations that the company denied hours later.

The Securing Children Online through Parental Empowerment Act prohibits social media companies from sharing or selling a minor’s personal information unless a parent or guardian approves. The law, which was passed by the Legislature last year and partially went into effect Sept. 1, also requires companies to create tools that let verified parents supervise their minor child’s account.

Paxton argues in the legal filing that TikTok, a short-form video app, has failed to comply with these requirements. Although TikTok has a “family pairing” feature that allows parents to link their account to their teen’s account and set controls, parents don’t have to verify their identity using a “commercially reasonable method,” as required by Texas law. The minor also has to consent to the pairing.

Paxton also argues that TikTok unlawfully shares and sells minors’ personal identifying information to third parties, including advertisers and search engines, and illegally displays targeted advertising to known minors.

A TikTok spokesperson denied Paxton's allegations, pointing to online information about how parents in certain states, including Texas, can contact TikTok to request that their teen's account be deleted. Parents are asked to verify their identity by submitting a photograph of themselves holding their government-issued ID. According to TikTok's privacy policies, the company does not sell personal information. And personal data is not shared "where restricted by applicable law." (Pooja Salhotra / The Texas Tribune)

Related: SiliconANGLE, Engadget, Texas Attorney General, The Hill, Fox Business, Cybernews.com, Dallas Morning News, Reuters, MediaPost, Joe.My.God., The Daily Caller, Bloomberg Law

Best Thing of the Day: It's Not Nice to Mess with Democracy

Former County Clerk for Mesa County, Colorado, Tina Peters, was sentenced to nine years in prison after being convicted earlier this year on seven felony counts for facilitating a data breach involving voting system data in the wake of the 2020 presidential election.

Worst Thing of the Day: Now Is Not the Time to Cut Back on Ransomware Investigations

As ransomware data breaches reach record levels across the United Kingdom, the number of incidents investigated by the Information Commissioner's Offices, the country’s data protection regulator, is dwindling to record lows.

Bonus Worst Thing of the Day: Is He Rotten to the Core?

Telegram CEO Pavel Durov is not only in trouble for allegedly paying no heed to criminal activity on his messaging app, but his ex-partner has also accused him of being physically abusive to his small children.

Closing Thought
