A Hacker Sent Thousands of Fake Emails From FBI System Warning of a Cyberattack

Russian entrepreneur faces extradition to U.S. in connection with Ryuk ransomware, Israel and U.S. form initiative to fight ransomware, China will impose "cybersecurity" review on Hong Kong IPOs, more

Check out my book coming on December 14 from Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework. We will extend special offers for Metacurity’s premium subscribers to get the book at substantially reduced prices or even at no cost. Stay tuned. But sign up for a premium subscription today so that you don’t miss out!

A hacker who calls themself Pompompurin hacked an email address that corresponds to the FBI’s Criminal Justice Information Services Division (CJIS) to send out emails about a fake cyberattack. The attacker proclaimed the hack was designed to point out a glaring vulnerability in the FBI’s system.

The attacker started by exploring the FBI's Law Enforcement Enterprise Portal (LEEP), which the bureau describes as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.” Until Saturday, November 13, the LEEP portal allowed anyone to apply for an account. During sign-up, the FBI’s website leaked the one-time passcode in the HTML source of the web page.

The FBI said in a statement that “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.” The FBI added that “we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”

In the fake cyberattack email, the hacker attempted to smear the name of Vinny Troia, the founder of the dark web intelligence companies NightLion and Shadowbyte. (Brian Krebs / Krebs on Security)

Related: Bleeping Computer, Newsweek, The Sun, CNN.com, HotHardware.com, Bloomberg, Devdiscourse News Desk, Al Arabiya, Israel National News, Reuters: World News, MSSP Alert, Arutz Sheva News, NBC News, UPI.com, The Hill: Cybersecurity, Hamodia, UrduPoint, The New Daily, Hacker News, Voice of America, Big News Network, Engadget, The Record, Presstv, Dhaka Tribune, Teller Report, Deutsche Welle, Slate, The Verge, FBI

Marking the first arrest in connection with the Ryuk ransomware group, Moscow entrepreneur Denis Dubnikov was detained during a vacation abroad this month and is now facing extradition to the U.S. on charges that he helped the notorious group launder payments.

Dubnikov is accused of receiving more than $400,000 in bitcoin out of the millions paid to the Ryuk gang by ransomware victims, according to an extradition request sent to Dutch authorities by the Justice Department. Dubnikov was charged in a sealed indictment in Portland, Oregon, in August after the FBI traced a portion of Ryuk’s ransom income to bitcoin wallets operated under Dubnikov’s name at financial exchanges. (Robert McMillan and Kevin Poulsen / Wall Street Journal)

Related: WSJ.com: WSJD, Radio Free Europe / Radio Liberty, CNN.com, Bitcoin News

The U.S. and Israel established a joint cybersecurity initiative to fight ransomware in hacking incidents and threats to the global financial system.

U.S. Deputy Treasury Secretary Wally Adeyemo met Israeli Finance Minister Avigdor Lieberman and National Cyber Director General Yigal Unna to establish the partnership, which will include information-sharing between the two allies about cybersecurity regulations and guidance, hacking incidents, and intelligence on cyber threats, according to the Treasury Department. (Daniel Flatley / Bloomberg News)

Related: Cybersecurity | Reuters.com, Jerusalem Post, Haaretz.com, Arutz Sheva News, Al Arabiya, Algemeiner

According to a draft regulation titled “Network Data Security Management Regulations” released by the Cyberspace Administration of China (CAC), China will impose a cybersecurity review on mainland companies seeking initial public offerings in Hong Kong on national security grounds.

Marking the first time some IPOs in Hong Kong will be subject to data security reviews, the regulation stipulates that “data-processing entities seeking a listing in Hong Kong that will influence or may influence national security” must apply for a cybersecurity check. (Josh Ye / South China Morning Post)

Related: Global Times, Big News Network, The Korea Times News, Cybersecurity | Reuters.com, BNN Bloomberg, South China Morning Post, Al Arabiya, Chinanews.net, DataBreaches.net, City A.M. - Technology, Financial Times, ZDNet, The Record by Recorded Future, TechNode, BusinessWorld

In notification letters sent this month, retail giant Costco has warned customers that their payment card information might have been stolen while recently shopping at one of its stores.

Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel. While the company didn't reveal the exact timeline of the incident, its customers have complained about unauthorized transactions on their payment cards since at least February. (Sergiu Gatlan / Bleeping Computer)

Related: Forbes, ZDNet Security, Security Affairs, CNN.com, Threatpost, PYMNTS.com, SecureReading, Security News | Tech Times, WIRED, teiss

Spain's second-biggest beer maker, Damm, halted output at its main brewery outside Barcelona after a cyber attack hit its computer systems earlier this week.

The attack hit the brewery on Tuesday night, and for a few hours, the plant in El Prat de Llobregat, which produces 7 million hectolitres of beer a year, was “entirely paralyzed.” The company declined to say whether the attacker demanded a ransom or if the maker of Estrella Damm lager had paid anything to the hackers. (Inti Landauro and Nathan Allen / Reuters)

Related: Infosecurity Magazine, The Olive Press, European Supermarket Magazine

Chinese telecom tech giant Huawei, whose smartphone business has been devastated by U.S. sanctions, is planning to license its handset designs to third parties as a way to gain access to critical components, people with knowledge of the matter said.

According to one source, Huawei is considering licensing its designs to a unit of state-owned China Postal and Telecommunications Appliances, called Xnova, which will then seek to buy parts barred under the Trump-era denylisting. Chinese telecom equipment maker T.D. Tech will also sell some phones featuring Huawei’s designs under its brand, according to another source. (Bloomberg News)

The Dutch Data Protection Agency levied a €400,000 ($455,000) fine against Transavia, a Dutch airline that operates low-cost routes across Europe, for a security breach that allowed a hacker to steal the personal details of more than 83,000 passengers.

Officials said that Transavia used weak security practices, such as easy-to-guess passwords and no two-factor authentication (2FA), which allowed a hacker to gain control over the accounts of two of its IT staff. The hacker stole a file with the personal details of 83,000 passengers who traveled with the airline between January 21 and January 31, 2015. (Catalin Cimpanu / The Record)

Related: DataBreaches.net

The Cybersecurity and Infrastructure Security Agency (CISA) released a notice urging administrators to apply updates to a variety of industrial control systems after discovering vulnerabilities in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.

CISA said issues were found in equipment from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing. "Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure," CISA said. (Jonathan Greig / ZDNet)

Related: CISA

Microsoft has seen a surge in malware campaigns using HTML smuggling to distribute banking malware and remote access trojans (RATs). Microsoft observed the Nobelium hacking group behind the SolarWinds attack using this technique in the new surge.

HTML smuggling is a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features. It is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Microsoft said it has also seen this technique deliver the banking Trojan Mekotio, AsyncRAT/NJRAT, and Trickbot, malware that attackers use to gain control of affected devices and deliver ransomware payloads and other threats. (Bill Toulas / Bleeping Computer)

Related: The Daily Swig, The Hacker News, Techradar, Microsoft
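As an added illustration of the detection side (example code written for this digest, not from Microsoft or the original article): a small Python scanner that scores an HTML page for the in-browser file-construction markers that HTML smuggling relies on. The indicator list, weights and threshold are assumptions of the example, and both sample documents are constructed.

```python
import re
from typing import Dict, List

# Heuristics: a smuggling page assembles a file inside the browser from an
# embedded, encoded blob and hands it to the user as a download, so the payload
# never crosses the wire as a recognisable attachment. The indicator names,
# patterns and weights below are assumptions of this example, not from the article.
INDICATORS = {
    "blob_download":   (re.compile(r"URL\.createObjectURL\s*\(", re.I), 3),
    "download_attr":   (re.compile(r"\bdownload\s*=", re.I), 2),
    "legacy_save":     (re.compile(r"msSaveOrOpenBlob\s*\(", re.I), 3),
    "base64_decode":   (re.compile(r"\batob\s*\(", re.I), 2),
    "data_uri_bin":    (re.compile(r"data:application/octet-stream;base64,", re.I), 3),
    "simulated_click": (re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    "auto_run":        (re.compile(r"\bonload\s*=|DOMContentLoaded", re.I), 1),
}
# A very long base64 run in an HTML body is itself worth flagging.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")

def score_html(html: str) -> Dict[str, object]:
    """Return matched indicator names, a weighted score and a verdict for one HTML document."""
    hits: List[str] = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    score = sum(INDICATORS[h][1] for h in hits)
    if LONG_B64.search(html):
        hits.append("large_base64_blob")
        score += 2
    verdict = "suspicious" if score >= 5 else "benign"
    return {"hits": hits, "score": score, "verdict": verdict}

# Constructed sample: the page assembles a harmless "Hello world" string in the
# browser and offers it as a download, mirroring the markers a scanner looks for.
SAMPLE_SMUGGLING = """<html><body>
<script>
  var d = atob("SGVsbG8gd29ybGQ=");  // constructed placeholder text, not malware
  var b = new Blob([d], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(b); a.download = "invoice.zip"; a.click();
</script></body></html>"""

# Constructed sample: an ordinary page with a plain server-hosted link.
SAMPLE_BENIGN = """<html><body><h1>Quarterly report</h1>
<a href="/files/report.pdf">Download the PDF</a></body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggling", SAMPLE_SMUGGLING), ("benign", SAMPLE_BENIGN)):
        print(label, score_html(doc))
```

Mail-gateway or browser-telemetry pipelines can run the same scoring over HTML attachments before they reach a user; the threshold should be tuned against the legitimate pages in your own environment.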

Semiconductor giant AMD fixed a long list of security vulnerabilities found in its graphics driver for Windows 10 devices that can allow attackers to execute arbitrary code and elevate privileges on vulnerable systems.

AMD tagged more than a dozen bugs as high severity. (Sergiu Gatlan / Bleeping Computer)

Related: Techspot, Neowin, The Register, AMD

A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions.

The bug, tracked as CVE-2021-34484, was incompletely patched by Microsoft during the August Patch Tuesday. (Sergiu Gatlan / Bleeping Computer)

Related: Threatpost, Forbes

Researchers from Qihoo 360's Netlab security team released details of a new evolving botnet called "Abcbot" observed in the wild with worm-like propagation features to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets.

Once installed on a compromised host, the malware triggers a series of steps that results in the infected device being repurposed as a web server. It also reports system information to a command-and-control (C2) server, spreads to new devices by scanning for open ports, and updates itself when its operators release new features. (Ravie Lakshmanan / The Hacker News)

Related: Security Affairs, Netlab

Researchers at Cyble say that the GravityRAT remote access trojan is being distributed in the wild again, this time under the guise of an end-to-end encrypted chat application called SoSafe Chat.

This go-around, the RAT targets predominantly Indian users, particularly high-profile individuals like officers of the Armed Forces, and is distributed by Pakistani actors. (Bill Toulas / Bleeping Computer)

Related: Security Affairs, Cyble

At the height of this year’s damaging and high-profile ransomware attacks, the perpetrators seemed untouchable, able to operate freely from Russia and nearby countries, all the while pocketing huge payments safely using cryptocurrency.

Western governments, mainly the U.S., are fighting back by arresting the attackers and disrupting operations. However, “a sustained effort to force economies to become more digitally resilient is what’s needed” to deal with ransomware attackers effectively. (Ciaran Martin / The Prospect)