Commerce Department Sanctions Spyware Company NSO Group, Three Other Foreign Firms

Cybercom's hijacking spooked REvil gang into shutting down, Australia bans Clearview AI, Hackers reportedly laundered $10 million using Twitch, Sinclair still suffers from ransomware attack, much more

Nov 4, 2021

Check out my latest column in CSO that delves into the Binding Operational Directive issued yesterday by CISA.

The Commerce Department added the Israeli spyware company NSO Group and three other companies to its “entity list,” a federal denylist that bars the companies from receiving American technologies. Commerce imposed the sanctions after determining the firms engage in activities contrary to the national security or foreign policy interests of the United States.

The department determined that NSO Group and Israel’s Candiru developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers. Commerce added Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy PTE. LTD. to the Entity List based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide. (Drew Harwell, Ellen Nakashima, and Craig Timberg / Washington Post)

Nicole Perlroth @nicoleperlroth

HUGE: The Biden Administration has just blacklisted #NSO. This was one of the key recommendations of my book "This Is How They Tell Me The World Ends," and is an emotional development for me after years of covering NSO's harms. Today I am thinking of Ahmed Mansoor.

David Kaye @davidakaye

@JoeBiden three cheers for human rights work and independent journalism! something like this does not happen without the forensic reporting of @citizenlab & @AmnestyTech & the journalism of @FbdnStories @skirchy @nicoleperlroth & many others worldwide.

profdeibert @RonDeibert

Everyone is likely aware of NSO Group. For Candiru, here is a recent @citizenlab report on the company "Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus":

Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus - The Citizen LabCandiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black L…citizenlab.ca

According to officials, the REvil ransomware gang shut down last month after a pair of operations by U.S. Cyber Command and a foreign government targeting the criminals’ servers left its leaders too frightened of identification and arrest to stay in business.

The unnamed foreign government hacked the gang’s servers this summer. Still, the Russian-speaking criminal group only discovered the hack after Cybercom last month blocked its website by hijacking its traffic. Cybercom cloned the group’s webpage, having obtained the private keys to its server, which is reachable only through Tor. In the hours after the Cybercom operation, one of REvil’s leaders saw the site’s traffic had been redirected and got spooked. He said on October 17 on a Russian-language forum popular with cybercriminals, “Good luck everyone, I’m taking off.” After that, REvil shut down operations. (Ellen Nakashima and Dalton Bennett / Washington Post)

Dmitri Alperovitch @DAlperovitch

Cyber Command launched a distortion operation against REvil last month, as I called to do in my NYT oped over 6 weeks ago 🧵

Ellen Nakashima @nakashimae

REvil shut down last month after CyberCom hijacked its site and the group discovered it had been hacked (by a foreign govt). Was not a take-down, but the pair of actions spooked REvil, officials & analysts say. My latest w/ @DDaltonBennett https://t.co/MR5IdxDUBD

Horkos @ the Centre for Unilateral Analysis @WylieNewmark

This is apparently the first concrete example we have of CYBERCOM engaging in what would traditionally be classified in "degradation" operations meant to disrupt the operations of a ransomware group—namely a denial of service coupled with undermining their sense of security. 1/2

Ellen Nakashima @nakashimae

The Office of the Australian Information Commissioner (OAIC) ordered U.S. facial recognition software company Clearview AI to stop collecting images from websites and destroy data collected in the country after an investigation found it breached privacy laws.

The OAIC said that Clearview collected Australians' sensitive information without consent and without checking its matches were accurate. The OAIC also noted that it is finalizing its probe of the Australian Federal Police (AFP) over a trial of Clearview software it ran between October 2019 and March 2020. (Byron Kaye / Reuters)

Kashmir Hill @kashhill

Wow, Australia's information commissioner rules that Clearview AI breached privacy laws, and has to delete photos and faceprints of Australians. oaic.gov.au/updates/news-a… Clearview plans to appeal the decision:

Australia says U.S. facial recognition software firm Clearview breached privacy lawAn Australian regulator on Wednesday ordered U.S. facial recognition software company Clearview AI Inc to stop collecting images from websites and destroy data collected in the country after an investigation found it breached privacy laws.reuters.com

Following the leak of Amazon Twitch’s source code and user payout information last month by an anonymous hacker, a group of Turkish live streamers exposed an alleged fraud and money laundering ring that used Twitch. The scheme reportedly netted the hackers nearly $10 million.

Streamers with little to almost no following were earning thousands of dollars through a platform called Bit, which allows viewers to express their appreciation to the hosts with special paid emojis. Twitch transfers one percent of income obtained through Bit to the individual streamers. Some of the streamers were found to be earning up to $1,800 a day, despite having just 40 to 50 viewers. The streamers then refund 80 percent of the money they received to different bank accounts belonging to the hackers, effectively laundering the money. (Muhdan Saglam / Middle East Eye)

Related: Gamegar, Kotaku

In preparation for the day when quantum computing becomes a reality, attackers are collecting sensitive, encrypted data now, hoping that they’ll be able to unlock it at some point in the future.

Government experts, including those at the Department of Homeland Security and the National Institute of Standards and Technology, are trying to develop and deploy new encryption algorithms to protect encrypted information against an emerging class of quantum computers, which can break prevailing forms of encryption methods. Other experts, however, are pessimistic about how the transition from today’s computing systems to quantum systems will protect digital data. (Patrick Howell O’Neill / MIT Technology Review)

Trey Rutledge 🇺🇸 @treyrutledge3

“The threat of a nation-state adversary getting a large quantum computer and being able to access your information is real,” says Dustin Moody, a mathematician at NIST. #QuantumEncryptedCyber #NIST #DRGN 🇺🇸#USA technologyreview.com/2021/11/03/103…

Hackers are stealing data today so quantum computers can crack it in a decadeThe US government is starting a generation-long battle against the threat next-generation computers pose to encryption.technologyreview.com

The crown jewel of Moscow’s business district, a 97-story glass tower known alternately as Federation Tower East or Vostok, has been home to more than a dozen companies since 2018 that convert cryptocurrencies to cash, judging from the addresses listed on company websites.

Experts have linked at least four of the companies in Vostok to money laundering associated with the ransomware industry, which has generated $1.6 billion in ransom payments since 2011. (Kartikay Mehrotra and Olga Kharif / Bloomberg)

Jorge Orchilles 🦄 @jorgeorchilles

BOTTOM LINE - Companies are enabling the Russian ransomware industry with brazen openness in a prestigious building in the country’s capital city. Bloomberg - Are you a robot?bloomberg.com

Sinclair Broadcast Group said this week when releasing its Q3 2021 financial statement that last month’s ransomware attack on its TV stations is still affecting daily operations.

Sinclair also said it “is working diligently to restore operations quickly and securely. Because the investigation is still ongoing, the full extent of the impact on the Company's business, operations and financial results is still not known. (Tom Butts / TV Tech)

Related: Cyberscoop

Catalin Cimpanu @campuscodi

In SEC documents filed today, Sinclair said the recent ransomware attack has not been fully resolved and "certain disruptions to its business and operations remain"

The U.K.’s Labour party said that due to a cybersecurity incident affecting a third party that handles its data, a “significant quantity” of members’ and supporters’ data became inaccessible.

The data “includes information provided to the party by its members, registered and affiliated supporters and other individuals who have provided their information.” The “full scope and impact” of the incident is being “urgently investigated,” Labour said in an email to members and supporters. (Dan Sabbagh / The Guardian)

Speaking at the Web Summit 2021, Apple senior vice president Craig Federighi said that sideloading of apps outside Apple’s app store is “a cyber criminal’s best friend and requiring that on iPhone would be a gold rush for the malware industry.”

Federighi was referencing the European Commission’s proposed Digital Markets Act, which would require Apple to let users install apps outside of the iOS App Store. He said that the lack of sideloading is what separates Apple’s relatively low rate of malware on iOS from the “5 million Android attacks per month,” and that if Apple were forced to let users install their own apps, “the floodgates are open for malware.” (Chaim Gartenberg / The Verge)

Hackers tricked Investor Calvin Becerra, who was selling three NFT (non-fungible token) images from the luxe-tier Bored Ape Yacht Club (BAYC) collection, into giving the images up for free. Becerra claims the stolen NFTs were worth "over a million dollars."

Becerra said the criminals deceived him and posed as interested buyers in a Discord channel and pretended to help him fix a problem with his cryptocurrency wallet. (Lorenzo Franceschi-Bicchierai / Motherboard)

ᴅᴇʀᴇᴋ ᴍᴇᴀᴅ @derektmead

This is like when you'd pose as support in Runescape and tell players to drop valuable items and then hit "alt-F4" to upgrade then or whatever. Except for adults with comical amounts of money

Man Upset That Hackers Stole His Bored Ape NFTsHackers tricked an investor into giving away their valuable NFTs, he claimed on Twitter, and tried convincing the rest of the internet not to buy them.vice.com

Bots that send automated calls to victims manage to evade two-factor authentication methods to protect users’ accounts.

Using a victim’s email address and passwords usually obtained from data breaches, the hackers enter the information into a platform of choice, for example, PayPal. When the bot places an automated call and asks the victim to enter a code they just received, the hacker will simultaneously trigger a legitimate code sent from the targeted platform to the victim’s phone. The hacker then uses the code to enter the platform. (Joseph Cox / Motherboard)

Related: Motherboard

Photo by Brandon Mowinkel on Unsplash