Corellium Offered Its Phone Virtualization Tools to Controversial Spyware Makers
Estonian nationals busted for Ponzi scheme, DOJ seized pig butchering domains, AXLocker steals Discord tokens, AirAsia hit by ransomware attack, Luna Moth group invests in call centers, more
According to a leaked document, cybersecurity startup Corellium, which sells phone-virtualization software for catching security bugs and portrays itself as a defender against software bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and a cybersecurity firm with potential ties to the Chinese government.
The 507-page document, apparently prepared by Apple for use in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis on virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.
According to the document, Corellium in 2019 offered a trial of its product to notorious spyware maker NSO Group. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former U.S. intelligence members who reportedly helped it spy on human rights activists and journalists.
Corellium says NSO Group and DarkMatter had access only to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. (Lorenzo Franceschi-Bicchierai / Wired)
Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, were arrested in Estonia after being indicted in the U.S. for running a massive cryptocurrency Ponzi scheme that led to more than $575 million in losses.
The pair are accused of defrauding hundreds of thousands of victims together with four other co-conspirators residing in Estonia, Belarus, and Switzerland between December 2013 and August 2019. They allegedly funneled victims' funds through a complex network of shell companies, bank accounts, virtual asset services, and cryptocurrency wallets designed to help them launder the money.
The two are charged with 16 counts of wire fraud, one count of conspiracy to commit money laundering, and one count of conspiracy to commit wire fraud. Each of them faces a maximum penalty of 20 years in prison if convicted. (Sergiu Gatlan / Bleeping Computer)
Related: Bleeping Computer, Fox Business, Euro News, The Record by Recorded Future, BeInCrypto, Justice Department, Infosecurity Magazine, Tech Xplore, geekinteger, Security Affairs, Gadgets 360, Coindesk, BBC News, Bloomberg Law
The Justice Department announced that it seized seven domain names used in so-called pig butchering schemes, where cybercriminals develop relationships with victims before exploiting them, resulting in a combined loss to five victims of over $10 million from at least May to August 2022.
Each of the domains masqueraded as the Singapore International Monetary Exchange. The scams involved tricking the victims into believing that web addresses or emails were associated with the exchange when they were controlled by hackers. (Jonathan Greig / The Record)
Researchers at Cyble say that the new AXLocker ransomware family is not only encrypting victims' files and demanding a ransom payment but also stealing the Discord accounts of infected users.
When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account.
To steal the Discord token, AXLocker scans two directories on the infected machine and extracts the tokens it finds there. Victims are given 48 hours to contact the attackers with their victim ID, but the ransom amount isn't mentioned in the note. Users who find that AXLocker encrypted their computers should immediately change their Discord passwords to invalidate the token stolen by the ransomware. (Bill Toulas / Bleeping Computer)
AirAsia Group fell victim to a ransomware attack by Daixin Team, which claims it obtained the personal data of 5 million unique passengers and all employees.
According to Daixin’s spokesperson, AirAsia responded to the attack. They reportedly entered the chat quickly, asked Daixin’s negotiator for an example of the data, and after receiving the sample, “asked in great detail how we would delete their data in case of payment.” However, AirAsia reportedly did not try to negotiate the amount, which may indicate that they never intended to pay anything.
Daixin’s spokesperson stated that poor organization on AirAsia Group’s network spared the company further attacks. (Dissent Doe / Databreaches.net)
Researchers at Palo Alto’s Unit 42 discovered that the threat actors behind the Luna Moth group, who extort victims without deploying malware-based encryption, have invested significantly in call centers and in infrastructure tailored to individual targets, and are evolving their tactics over time.
Unit 42 said the campaign has cost victims hundreds of thousands of dollars and is expanding in scope. The initial lure of this campaign is a phishing email to a corporate email address with an attached PDF invoice indicating the recipient’s credit card has been charged for a subscription service, usually under $1,000.
When the victim calls a customer service number in the email, they are routed to a threat actor-controlled call center and connected to a live agent, who then runs a support tool on the victim’s computer in the guise of helping them. However, the tool allows the attacker to achieve persistence and steal data. After stealing the data, the attacker sends an extortion email demanding victims pay a fee or the information will be released. (Michael Hill / CSO Online)
Facebook announced it would enable more private settings by default for anyone under the age of 16 who signs up for the platform.
For teens who already have accounts, Facebook will display a prompt encouraging them to use these settings and a toggle that turns them on in a single tap. The “more private” settings restrict details on an account so that only a teen’s friends can view the posts they’re tagged in, their friends list, and the pages, people, and lists they follow. They also require users to review their tagged posts and allow only friends to comment on their public posts. (Emma Roth / The Verge)
After firing or losing his entire security team, Elon Musk hired George Hotz, the security hacker known for developing iOS jailbreaks and reverse engineering the PlayStation 3 before founding the self-driving tech startup Comma.ai.
Hotz founded Comma.ai after getting into a fight with Musk after Musk allegedly tried to hire him at Tesla but “kept changing the terms,” as Hotz told Bloomberg in 2015. (Connie Loizos / TechCrunch)
Korean foreign ministry spokesperson Lim Soo-suk said that Seoul is considering additional unilateral sanction measures that target North Korea's cyberspace activities, given the continued provocations by North Korea.
Lim said if the North pushes ahead with a major provocation such as a seventh nuclear test, the government believes that an unprecedentedly strong response is due. As part of such possible responses, he said the government would consider designating North Koreans involved in illegal cyber activities and imposing economic sanctions against them. (KBS World)
Related: N.K. News