US, Dutch Authorities Shutter Websites and Sanction Russian Cybercrime Crypto Exchanges

Charges imminent for Trump campaign hackers, CUPS flaws allow remote code execution on vulnerable printers, Man busted for UK train station Wi-Fi attacks, Ukraine claims it destroyed 800 Russian servers, Easy trick allows Kia car hacks, EU fines Meta $101.5M for plain text password storage, more

US, Dutch Authorities Shutter Websites and Sanction Russian Cybercrime Crypto Exchanges
Seizure notice on https://pm2btc.me/.

US government and Dutch law enforcement seized the websites and took other technical actions against a handful of Russian cryptocurrency exchanges accused of laundering cybercrime proceeds and a man allegedly involved in their operations.

The US Treasury’s Office of Foreign Assets Control sanctioned the exchange Cryptex and Russian national Sergey Sergeevich Ivanov.  

Ivanov is also allegedly connected to the virtual currency exchange PM2BTC, which the Treasury’s Financial Crimes Enforcement Network (FinCEN) classified as a “primary money laundering concern.” The designation prohibits “certain transmittals of funds” involving PM2BTC by financial institutions.

As part of the coordinated action against the exchanges, the U.S. Secret Service’s Cyber Investigative Section, along with the Dutch Fiscal Intelligence and Investigation Service (FIOD) and Netherlands police, seized web domains and infrastructure connected to PM2BTC, Cryptex and UAPS — a payment processor allegedly connected to Ivanov. 

According to the Treasury Department, Cryptex has received more than $51.2 million resulting from ransomware attacks, and over $720 million in transactions were linked to services “frequently used by Russia-based ransomware actors and cybercriminals” like fraud shops, mixing services and the previously sanctioned virtual currency exchange Garantex.

The Treasury found links to suspected crime in half of PM2BTC’s exchange activity, meanwhile, including over $600,000 in transactions involving darknet markets between July 22, 2023, and January 14, 2024.    

The Treasury alleges that Ivanov has “laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for approximately the last 20 years.”

The Department of State also announced a reward of up to $10 million for information leading to the arrest or conviction of Ivanov and Russian national Timur Shakhmametov, who is allegedly the creator of Joker’s Stash, a massive online marketplace for stolen credit card data and personally identifiable information that shut down in 2021. (James Reddick / The Record)

Related: Justice Department, Treasury Department, State Department, Fincen.gov, CNN, Cyberscoop, Associated Press, Krebs on Security, The Hill, Blockonomi, Ukrinform, Chainalysis, Cybernews

Source: US State Department.

The federal charges stem from an Iranian operation that allegedly stole internal Trump campaign communications this summer.

Stolen materials from the Trump campaign were later sent to journalists and individuals associated with President Joe Biden’s reelection campaign before Kamala Harris became the Democratic nominee.

The defendants' names and the specific criminal charges were not immediately available. A grand jury secretly approved the indictment on Thursday afternoon. The Justice Department is expected to announce the charges as soon as Friday. (Betsy Woodruff Swan and Josh Gerstein)

Related: ABC News, CBS News, Reuters, ABC.net.au

Security researcher Simone Margaritelli discovered that under certain conditions, attackers could chain vulnerabilities in multiple CUPS open-source printing system components to execute arbitrary code remotely on vulnerable machines.

CUPS (short for Common UNIX Printing System) is Linux's most widely used printing system. It is also generally supported on devices running Unix-like operating systems such as FreeBSD, NetBSD, and OpenBSD and their derivatives.

Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters), the flaws don't affect systems in their default configuration.

One of its components is the cups-browsed daemon, which searches the local network for advertised network or shared printers and makes them available for printing on the machine. This is similar to how Windows and Macs can search the network for remote network printers to print to.

Margaritelli found that if the cups-browsed daemon is enabled, which it is not on most systems, it will listen on UDP port 631. It will also, by default, allow remote connections from any device on the network to create a new printer.

He discovered he could create a malicious PostScript Printer Description (PPD) printer that could be manually advertised to an exposed cups-browsed service running on UDP port 631.

This causes the remote machine to automatically install the malicious printer and make it available for printing. If the user on that exposed server prints to the new printer, the malicious command in the PPD will be executed locally on the computer.

However, attackers must overcome some obstacles to exploit the vulnerabilities and achieve remote code execution.

The first is that the targeted system must have the cups-browsed daemon enabled, which it usually is not by default, so that UDP port 631 is exposed on the network. Then, the attacker has to trick a user into printing to a malicious printer from their local network that suddenly appears on their machine.

While patches are still in development, Red Hat shared mitigation measures requiring admins to stop the cups-browsed service from running and prevent it from being started on reboot. (Sergiu Gatlan / Bleeping Computer)
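As an added example (not from the article, Margaritelli's write-up, or Red Hat's advisory), a POSIX shell check that flags a cups-browsed listener on UDP port 631 from `ss -ulnp` output, run here against a constructed sample listing, followed by the stop/disable mitigation the article attributes to Red Hat. The function names are mine; the live check assumes iproute2's `ss` and a systemd host.

```shell
#!/bin/sh
# Detect an exposed cups-browsed listener (UDP 631) and apply the stop/disable mitigation.
# Constructed sample of `ss -ulnp` output (not captured from a real host) for offline use.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=800,fd=5))'

# Same constructed host after mitigation: cups-browsed is gone, only chronyd on loopback remains.
SAMPLE_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=800,fd=5))'

# cups_browsed_exposed LISTING
# Exit 0 when the listing shows cups-browsed bound to UDP 631 on a non-loopback address
# (0.0.0.0, [::] or an interface address); exit 1 otherwise. Field 4 is "Local Address:Port".
cups_browsed_exposed() {
  printf '%s\n' "$1" | awk '
    $4 ~ /:631$/ && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ && $0 ~ /"cups-browsed"/ { found = 1 }
    END { exit !found }'
}

# check_live_host: run the same check on the real socket table. Run as root, since ss
# only shows the owning process name for other users' sockets with sufficient privilege.
check_live_host() {
  cups_browsed_exposed "$(ss -ulnp 2>/dev/null)"
}

# mitigate_cups_browsed: the mitigation the article attributes to Red Hat; stops the
# daemon now and keeps it from starting again on reboot. Requires root.
mitigate_cups_browsed() {
  systemctl stop cups-browsed && systemctl disable cups-browsed
}

# Stand-alone run: report on the constructed sample, then on the live host when asked.
if cups_browsed_exposed "$SAMPLE_EXPOSED"; then
  echo "sample: cups-browsed is listening on UDP 631 (exposed)"
fi
if [ "${1:-}" = "--live" ] && check_live_host; then
  echo "live host: cups-browsed exposed on UDP 631; run mitigate_cups_browsed as root"
fi
```

Invoke with `--live` to inspect the current host; the mitigation function is deliberately not called automatically.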

Related: The Stack, Evil Socket, GitHub, The Stack, Security Intelligence, The Register, Phoronix, Gaming on Linux, Red Hat, r/linux, OMG! Ubuntu, Security Week, Ilkka Turunen

A man has been arrested on suspicion of computer misuse offenses after UK railway stations' Wi-Fi networks were hit with defacement cyberattacks.

On Wednesday, public Wi-Fi services were suspended at 19 railway stations managed by Network Rail after messages about past terrorist attacks appeared on people's devices.

British Transport Police (BTP) said the man held is an employee of Global Reach Technologies, which provides internet access to some Network Rail stations. The force said the man had been arrested on suspicion of Computer Misuse Act offenses and malicious communications.

The network is run by a third party, Telent, with the actual internet service provided by Global Reach. Network Rail believed other organizations, not just railway stations, had been affected.

A Network Rail spokesperson said, "This service is provided via a third party and has been suspended while an investigation is underway." (Gemma Sherlock & Sean Dilley / BBC News)

Related: British Transport Police, Infosecurity Magazine, SC Media UK, Computer Weekly, The Independent, The Sun, The Mirror, Manchester Evening News, Liverpool Echo

According to military intelligence sources, computer specialists from Ukraine's military intelligence (HUR) carried out cyberattacks against more than 800 servers in various regions of the Russian Federation between Monday, Sept. 23, and Thursday, Sept. 26.

HUR’s cyber corps destroyed documents and data stored on the affected servers belonging to military, administrative, and financial institutions that support Russia's operations against Ukraine.

“The loss of data and documentation has led to a partial or complete halt in the operations of service providers and consumers across various sectors. Additionally, it will require significant resources to search for and recover lost data, further demonstrating to the local population the poor technical infrastructure of the Russian Federation,” the source said.

It was noted that all data on the attacked servers was deleted without the possibility of recovery. (Kateryna Zakharchenko / Kyiv Post)

Related: Ukrinform

A small group of hackers demonstrated an easy technique for hacking and tracking millions of vehicles and revealed a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles from the smartphone of a car’s owner to the hackers’ phone or computer. 

By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal. However, it said that it was still investigating the group’s findings.

The web bug the researchers used to hack Kias is the second they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. Those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It's been two years, there's been a lot of good work to fix this problem, but it still feels really broken.” (Andy Greenberg / Wired)

Related: Sam Curry, Bleeping Computer, Road and Track, ZDNet, Security Week, Sherwood News, The Register, Hacker News (ycombinator)

Ireland's Data Protection Commission (DPC), the lead European Union privacy regulator, fined social media giant Meta 91 million euros ($101.5 million) for inadvertently storing some users' passwords without protection or encryption.

The inquiry was opened five years ago after Meta notified Ireland's Data Protection Commission (DPC) that it had stored some passwords in 'plaintext'. Meta publicly acknowledged the incident at the time, and the DPC said the passwords were not made available to external parties.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Irish DPC Deputy Commissioner Graham Doyle said in a statement.

A Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019 and that there is no evidence the passwords were abused or accessed improperly. (Padraic Halpin / Reuters)

Related: The Record, 9to5Mac, Wall Street Journal, Euractiv, RTÉ, Irish Independent, The Irish Times, Euronews, Irish Examiner, Data Protection Commission, Engadget

The Cybernews research team and Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, uncovered an open Elasticsearch server containing 95 million personal data records on French citizens.

“This database is dedicated to compiling information from multiple French-related data breaches and includes previously known and unknown leaks,” researchers said.

In most cases, the exposed data included full names, phone numbers, addresses, emails, IP addresses, partial payment information, and many more data points.

“Likely, a threat actor collected a range of data from well-known companies and services breaches. The exposed files cover telecommunications, e-commerce, social media, and other sectors, reflecting the widespread nature of a breach,” the researchers said.

The owner of this database is unclear. The cluster appears to be exposed unintentionally due to misconfiguration or error. (Ernestas Naprys / Cybernews)

Related: Databreaches.net, The Express Tribune, CoinTribune

According to blockchain sleuth ZachXBT, about $5.23 million was lost from Truflation’s treasury multi-signature and personal wallets on Ethereum, while around $100,000 was lost on seven other chains.

Truflation added it was monitoring the incident and is taking measures to protect funds while working with “leading industry partners” and law enforcement.

The project, backed by Coinbase Ventures, Chainlink and others, is also trying to contact the hacker and is open to negotiating. It added that it would reward white hats offering assistance.

A separate assessment by blockchain security firm Cyvers found that Truflation lost $4.95 million.

Truflation is offering a $500,000 bounty to retrieve the stolen funds.

The bounty will be awarded for either the retrieval or return of stolen funds or “to the person who can identify the hacker in a way that leads to a conviction in the courts.” (Brayden Lindrea / Cointelegraph and Squiffs / The Defiant)

Related: The Defiant, Cryptoslate, The Crypto Times, Cybernews, BankInfoSecurity, cryptonews

The Tor Project is merging operations with Tails, a portable Linux-based operating system focused on preserving user privacy and anonymity.

The merger occurs amid ongoing digital surveillance and regulatory maneuvers to break end-to-end encryption, while censorship of online services also remains firmly on the global agenda.

According to a blog post published today by Pavel Zoneff, the Tor Project’s PR and communications director, Tails will be incorporated “into the Tor Project’s structure,” allowing for “easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats.”

According to the blog post, the merger came about following Tails' approach to the Tor Project at the tail end of 2023. Tails noted that it had “outgrown its existing structure.”

By pooling their resources, including technology and personnel, the Tor Project says it will be better equipped to address the “threat of global mass surveillance and censorship to a free Internet.” This will include broadening the scope of the Tor Project to “address a wider range of privacy needs and security scenarios,” which will include closer technological alignment, in addition to boosting education, training and outreach programs. (Paul Sawers / TechCrunch)

Related: Tor Project blog, How-To Geek, The Register, Boing Boing, WebProNews, LWN.net

The Delaware Division of Libraries is coping with an ongoing cyberattack, likely a ransomware incident, that struck libraries across the state on Friday, September 20.

The breach has forced some libraries to lose internet access and temporarily close their doors and computer labs. Delaware has over 30 libraries.

"Delaware Libraries are experiencing an extended system/internet outage which is affecting library services at some of the public libraries," the division said. "A few libraries are closed at this time. Recovery efforts & temporary solutions are in process."

Some individual libraries, like Wilmington Public Library, have posted on social media letting visitors know their computer labs aren't available. (Andre Lamar / Delaware Online)

Related: Delaware Libraries, NBC Philadelphia, Newark Post

Best Thing of the Day: Clear Your Brain With a 10-Minute Walk

Visionary Steve Jobs believed that if you're stuck on solving a problem, the best option is to take a 10-minute walk, which neuroscientist Mithu Storoni now says does make brains work more efficiently.

Worst Thing of the Day: Social Workers, Please Don't Do This

A case worker at the Department of Families, Fairness and Housing (DFFH) in Victoria, Australia, used ChatGPT to draft a child abuse protection application report in December 2023, sending a pile of stupendously sensitive information off to OpenAI.
