US Disrupted Chinese Malicious Botnet Flax Typhoon

Iranians sent emails stolen from Trump campaign to Harris' workers, Newmark donates $100M to bolster US cybersecurity, Dark Angels reportedly received $75M ransom from Cencora, Indonesia's tax agency allegedly breached, Chinese CTF contest might have been espionage operation, much more

Source: Aspen Cyber Summit ⓒ Laurence Genon

Metacurity proudly announces that our new sponsor, Anchore, helped bring you today's issue.

Anchore enables organizations to secure software supply chains and automate compliance to save time and reduce risk. Built for cloud-native applications and air-gapped environments, organizations can generate SBOMs and fix vulnerabilities while maintaining continuous government and industry compliance.


US Federal Bureau of Investigation Director Christopher Wray revealed at the Aspen Cyber Summit that the FBI led an operation last week to disrupt a global botnet called Flax Typhoon with connections to the Chinese government, much like its action against the Volt Typhoon hacking group earlier this year.

Wray said the group infected “hundreds of thousands” of devices worldwide as part of an operation to compromise organizations and exfiltrate data.

Flax Typhoon is associated with Integrity Technology Group, a Chinese company publicly acknowledging its connections to China’s government. Unlike Volt Typhoon, which focused on internet routers to build its botnet, Flax Typhoon infected Internet of Things (IoT) hardware like “cameras, video recorders, and storage devices — things typically found across big and small organizations,” he said.

Wray said the FBI used court authorization, under a procedure known as Rule 41, to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure. The bureau has used that power previously against Russian and Chinese operations. 

“Now when the bad guys realized what was happening, they tried to migrate their botnets to new servers, and even conducted a DDoS attack against us,” Wray said, referring to an attack that floods servers with junk traffic to knock them offline.

The FBI mitigated that attack and identified the group’s new infrastructure “in just a matter of hours,” Wray said. “At that point, as we began pivoting to their new servers, we think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet.”

Flax Typhoon cast a wide net, targeting “everyone from corporations and media organizations to universities and government agencies,” Wray said. He said about half of the hijacked devices were in the US. (Joe Warminsky / The Record)

Related: NSA, Lumen, TechCrunch, Ars Technica, Department of Justice, Washington Post, PCMag, The Register, The Cyber Express, Security Affairs, Reuters, SiliconANGLE, Associated Press, SecurityWeek, The Hacker News, Voice of America, CyberScoop, Cybernews.com, Tech Newsday, Slashdot, Chinanews.net, NCSC.nl, NL Times

The FBI and officials from the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency said Iranians sent “unsolicited emails” that included stolen material that was not publicly available from former President Donald Trump’s campaign to people associated with his Democratic political rival.

The agencies said there was "currently no information" indicating that recipients associated with President Joe Biden's campaign had responded to the emails, which the government officials condemned as part of an effort "to stoke discord and undermine confidence in our electoral process."

Harris campaign spokesperson Morgan Finkelstein said the campaign has cooperated with law enforcement since it learned about the hacking effort.

"We’re not aware of any material being sent directly to the campaign; a few individuals were targeted on their personal emails with what looked like a spam or phishing attempt," Finkelstein said.

Three federal law enforcement sources confirmed the accuracy of the Harris campaign's statement. They said law enforcement agencies tracked the stolen information from the Trump campaign and determined that several people linked to Biden's campaign received emails containing the information. The sources added that the recipients never responded to the emails and may not have even opened them because they appeared to be phishing attempts.

The sources said law enforcement agencies contacted those people and the Biden campaign to inform them of the emails. The recipients did not contact law enforcement agencies to alert them of what they had, but sources said that is not an indication of hiding anything or wrongdoing and that the staffers most likely did not realize what was in the emails. (Michael Kosnar and Zoë Richards / NBC News)

Related: FBI, Al Jazeera, CNN, Politico, Axios, New York Times, Fortune, The Mirror, WHDH-TV, ABC News, Metro.co.uk, CyberScoop, Legal Insurrection, Newsbusters, RTÉ, The Indian Express, CBS News, Le Monde.fr, Associated Press, USA Today, The Hill, KVIA-TV, The Daily Beast, The Sydney Morning Herald, UPI, Ynet News, Deutsche Welle, The Guardian, Bloomberg, France24, The Telegraph, The Daily Mail

Craigslist founder Craig Newmark believes hacking by foreign governments is a major risk to the US and plans to donate $100 million to bolster the country’s cybersecurity.

Half the money will protect infrastructure, such as power grids, from cyberattacks. The other half will educate people about the importance of simple safeguards often ignored, such as password managers and updating software.

“The country is under attack,” said Newmark in an interview. He said those working to strengthen America’s cybersecurity “need people to champion them.”

Newmark, who is 71 years old, retired from Craigslist in 2018. He worries that connected products like household appliances are vulnerable to attacks that could, for example, cause simultaneous fires, overwhelming a fire department’s ability to respond.

The commitment is part of Newmark’s plan to give away nearly all his wealth. Including the gift he announced at the Aspen Cyber Summit in Washington, DC, Newmark will have given or pledged to give more than $400 million since he started Craig Newmark Philanthropies in 2015, mainly to causes he views as protecting America. (He also donates to groups protecting pigeons, which he is fond of.) (Juliet Chung / The Wall Street Journal)

Related: PYMNTS.com, San Francisco Business Times, CBS News, Cyberscoop




Sources say the Dark Angels, a Russian hacking group believed to be behind the cyberattack against drug distributor Cencora, received $75 million, the largest known cyber extortion payment ever made.

They say the payment for the Cencora hack occurred in three installments in Bitcoin in March. The initial ransom demand was $150 million. According to a regulatory filing, Cencora learned that data was stolen from its systems in February.

A representative for Cencora said the company doesn’t comment on rumor or speculation. The representative added that the company stands by publicly available information, pointing to a July quarterly report that included expenses incurred by a cybersecurity event.

Blockchain sleuth ZachXBT believes he found the on-chain payments made to Dark Angels.

“I think it’s a bad look when a large publicly traded company like Cencora does not share the BTC transactions for the $75M payment to Dark Angels ransomeware [sic] group, so I will just post it for them,” he wrote on X.

It is unclear whether Dark Angels deleted the stolen data—including Cencora clients’ names, addresses, dates of birth, diagnoses, and prescriptions—or how many people were affected. (Katrina Manson / Bloomberg and Daniel Kuhn / The Block)

Related: Coinpedia Fintech News, Cryptopolitan, The Block, The Crypto Times, CoinGape, Crypto Briefing, crypto.news, CoinPedia

Indonesia's tax agency is investigating an alleged data breach that exposed the taxpayer identification numbers of millions of Indonesians, including President Joko "Jokowi" Widodo, his ministers, and his two sons.

Cybersecurity expert Teguh Aprianto posted a screenshot on social media platform X containing samples of the national identity and taxpayer identification numbers of 6 million Indonesians, including Jokowi and some of his ministers. Dwi Astuti, an official with the tax agency, said without providing details that the agency is looking into the "circulating information of a data breach."

The alleged breach follows a June ransomware attack that paralyzed several government services, such as immigration and operations at major airports, prompting the government to conduct an audit. (Ananda Teresia and Stanley Widianto / Reuters)

Related: Jakarta Globe, Tempo.co, The Star

Dakota Cary, a strategic advisory consultant at security firm Sentinel One, and Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich University in Switzerland, discovered that China may have used a Capture the Flag contest as a secret espionage operation to get participants to collect intelligence from an unknown target.

According to the two Western researchers, who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had several unusual characteristics that suggest a potentially secretive and unorthodox purpose.

Capture the Flag (CTF) and other hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

Two major companies in China set up cyber ranges for competitions. Most competitions give a shout-out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. Unlike in the other Chinese competitions the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the competition's nature or tasks.

Participants were also prohibited from copying any data, documents, or printed materials that were part of the competition, disclosing information about vulnerabilities they found, or exploiting those vulnerabilities for personal purposes. According to the pledge that participants signed, if a leak of any of this data or material occurred and caused harm to the contest organizers or to China, they could be held legally responsible.

Northwestern Polytechnical University, a science and engineering university in Xi'an, Shaanxi, hosted the contest last December. The university is affiliated with China’s Ministry of Industry and Information Technology and holds a top-secret clearance to conduct work for the Chinese government and military. China’s People’s Liberation Army oversees the university.

The researchers have written a report for the Atlantic Council and plan to present their findings at the Labscon security conference in Arizona. (Kim Zetter / Wired)

Related: r/technews

A day after pagers exploded in a deadly attack on Hezbollah in Lebanon, a similar explosion occurred on IC-V82 two-way radios manufactured by Japan’s Icom, which said it halted production a decade ago of the model allegedly used in the attacks and is still investigating the situation.

Icom exported its IC-V82 two-way radio to regions including the Middle East until October 2014, when it stopped making and selling the devices, the Osaka-based company said in a statement Thursday. It has also discontinued production of the batteries needed to operate the main unit. The company earlier warned customers that almost all IC-V82s on the market are counterfeit.

Thousands of electronic devices, including pagers and walkie-talkies, exploded over the last two days, killing at least 26 people and wounding more than 3,000. The militant group Hezbollah has accused the Israeli government of orchestrating the attacks, with tensions escalating further in the region. Israel has declined to comment.

Among the many outstanding questions is how explosive materials were planted in the devices. If the Icom walkie-talkies are genuine and manufactured a decade ago, they were likely modified well after sale to their original customers. The company can’t determine if the walkie-talkies are its own, but it said the exploded devices appear to lack the hologram labels attached to their products.

Icom director Yoshiki Enomoto said that, given that photographs of the devices show severe damage around the battery compartment, the batteries may have been retrofitted with explosives. (Eddy Duan / Bloomberg)

Related: Washington Post, New York Times, BBC News, Reuters, Marketwatch, Al Jazeera, CNN, AFP, 47 News, The Guardian, Business Insider, Vox, Reddit cybersecurity, Metro.co.uk, PC Risk, The Washington Examiner, The420CyberNews

German media outlets ARD political magazine Panorama and STRG_F (funk/NDR) report that law enforcement agencies in Germany have servers in the Tor network, which are monitored for months at a time to deanonymize Tor users.

The de-anonymization process relies on what experts call "timing analysis": the more Tor nodes the authorities monitor, the more likely it is that a user trying to conceal their connection routes it through one of the monitored nodes. By timestamping individual data packets ("timing") and correlating them across the monitored nodes, anonymized connections can be traced back to the Tor user, even though data connections in the Tor network are encrypted multiple times.

According to the news outlets, the Federal Criminal Police Office (BKA) and the Public Prosecutor's Office in Frankfurt am Main were successful with this method: In the investigation against the pedophile darknet platform "Boystown," they managed several times to identify Tor nodes that one of the masterminds used to anonymize himself.

The BKA twice identified Tor nodes that were used to connect platforms operated by the then "Boystown" administrator Andreas G. to the Tor network. One such example was a chat in which leading members of various pedophile forums exchanged information. Twice it was also possible to identify so-called "entry servers" from the chat service "Ricochet" that G. used.

For the final identification, the Frankfurt am Main District Court ordered the provider Telefónica to determine which customer connected to one of the identified Tor nodes.

The investigation led to Andreas G.'s arrest in North Rhine-Westphalia. In December 2022, he was sentenced to a long prison term. The verdict is not yet final. (Robert Bongen and Daniel Moßbrucker / NDR)

Related: Tor Forum, r/privacy, PrivacyGuides.net

Best Thing of the Day: Giving Schools the Cyber Tools They Need

The Federal Communications Commission opened its application portal for schools and libraries to partake in a three-year pilot $200 million program to help subsidize the costs of cybersecurity services and equipment.

Worst Thing of the Day: No One Is Surprised

X owner Elon Musk repeatedly amplified content from a company that appears to be at the center of an alleged Russian covert operation to manipulate US public opinion ahead of the 2024 election. 

Closing Thought
