Feds Issue BlackMatter Ransomware Warning

BlackByte decrypter released, Chinese-linked hacking group is targeting telecom companies, Google CEO wants a cyber Geneva Convention, Alleged Turkish hackers deface Trump's website, more

In a joint alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency, the government warns of ransomware known as BlackMatter. BlackMatter is likely the successor to the DarkSide ransomware, which shut down earlier this year.

The agencies say the ransomware has hit two unnamed food and agricultural organizations, likely Iowa’s New Cooperative grain collective and Minnesota agriculture supplier Crystal Valley Cooperative. BlackMatter seeks between $80,000 and $15 million in cryptocurrency, including bitcoin and Monero, to unlock its victims’ systems. This alert follows a September Private Industry Notification from the FBI about ransomware threats to the food and agriculture industry. (Tim Starks / Cyberscoop)

Related: isssource.com, Homeland Security Today, Nextgov, DataBreaches.net, MSSP Alert, Meritalk, The Hill: Cybersecurity, DataBreachToday.com, Executive Gov, US-CERT Current Activity

Cybersecurity firm Trustwave released a free utility that victims of the BlackByte ransomware can use to decrypt and restore their files without paying the ransom demand.

The decrypter automates reading the raw cryptographic key that Trustwave researchers discovered in the forest.png file and then computes the decryption key needed to recover and restore the victim’s files. (Catalin Cimpanu / The Record)

Related: ZDNet, BankInfoSecurity, Trustwave, Trustwave

Researchers at CrowdStrike say they discovered a hacking group, dubbed LightBasin, with suspected ties to China that burrowed into mobile telephone networks worldwide. The group then used specialized tools to grab calling records and text messages from telecommunication carriers.

The researchers linked the attack to China through cryptography relying on Pinyin phonetic versions of Chinese language characters and techniques that echoed previous attacks by the Chinese government. (Joseph Menn / Reuters)

Related: CrowdStrike, Cyberscoop


Sundar Pichai, chief executive of Google and its parent company Alphabet Inc., said the U.S. government should take a more active role in policing cyberattacks and encouraging innovation through policies and investments.

Speaking at the Wall Street Journal’s Tech Live conference, Pichai called for a “Geneva convention” that outlines international standards for cyber aggression as cyberattacks intensify. (Tripp Mickle / Wall Street Journal)

Related: Business Insider, CNBC Technology, PYMNTS.com

Last month a hacker breached the Argentinian government’s IT network and stole ID card details for the country’s entire population, which are now for sale in private circles.

The hackers stole the data from RENAPER, Registro Nacional de las Personas, translated as National Registry of Persons. Government officials say that the RENAPER database did not experience a hack or leak. Authorities are investigating eight government employees who might have had a possible role in the breach. (Catalin Cimpanu / The Record)

Related: DataBreaches.net

Catalin Cimpanu @campuscodi
The DB belongs to RENAPER, the agency which issues ID cards for all Argentinians:
argentina.gob.ar/interior/renap… The government acknowledged the incident release last week, said it "did not suffer any data breach or leak," and started investigating 8 employees: argentina.gob.ar/noticias/el-re…

Hackers who call themselves RootAyyildiz, allegedly from Turkey, defaced a section of Donald Trump's website known as the "action" subdomain. That section is where the Trump campaign issues calls to action, such as petitions or asking the campaign a question.

The message read in part, "Do not be like those who forget Allah, so Allah made them forget themselves. Here they really went astray." The hacker told Motherboard they defaced the Trump site using Server Side Template Injection (SSTI), a technique in which an attacker injects arbitrary code into a site's server-side template so that it is executed when the template is rendered. They said they had control over that part of the site for three months. (Joseph Cox / Motherboard)

Related: Newsweek, The Sun, Newsweek, New York Daily News, NBC News, The Independent, CNN.com, SC Media | Breach, Insider Paper, Mediaite, Gizmodo, Engadget

The Justice Department announced that a California man, Hao Kuo Chi, also known as “icloudripper4you,” pleaded guilty to conspiracy and computer fraud after he hacked into hundreds of iCloud accounts and stole nude photos.

Starting around September 2014, Chi shared and traded these images with other persons using the internet or kept those images for his personal collection. But certain members of his “conspiracy” released the pictures to the public. As part of a plea deal, Chi agreed to cooperate with authorities and testify against others involved in the crime. (Joseph Cox / Motherboard)

Related: Justice Department, Charlotte Observer

Security firm ET Labs discovered a new phishing campaign, dubbed MirrorBlast, targeting employees in financial services using links that download "weaponized" Excel documents.

Another security firm, Morphisec, says that the Excel files can bypass malware-detection systems because they contain "extremely lightweight" embedded macros, making them "particularly dangerous" for organizations that depend on detection-based security and sandboxing. Morphisec says that the attack mirrors the techniques used by the financially motivated Russian cybercrime gang TA505. (Liam Tung / ZDNet)

Related: Techradar, Morphisec

The UK’s Information Commissioner’s Office (ICO) is intervening following a report in the Financial Times that nine schools in North Ayrshire began taking payments for school lunches this week by scanning the faces of their pupils.

The ICO said it would be contacting the North Ayrshire council about the move and urged a “less intrusive” approach where possible. (Sally Weale / The Guardian)

Related: The Independent, Radio Free Europe / Radio Liberty, PYMNTS.com, NS Tech, The Verge, Business Insider, IT Pro, NS Tech, TheDigitalHacker, Security Magazine, POLITICO EU, Financial Times


An audit of the popular WordPress plugin Fastest Cache by Jetpack Security discovered vulnerabilities in Fastest Cache that could allow an attacker to gain access to credentials and take over an admin account.

Jetpack reported the vulnerabilities to this plugin’s author, who released version 0.9.5 to address them. (Jessica Haworth / The Daily Swig)

Related: Malwarebytes Labs, Jetpack

Private data-sharing startup Triple Blind, which offers a platform to train models on encrypted data, has raised $24 million in an oversubscribed Series A venture funding round.

General Catalyst led the round with participation from Mayo Clinic, AVG Basecamp Fund, Accenture Ventures, Clocktower Technology Ventures, Dolby Family Ventures, Flyover Capital, KCRise Fund, NextGen Venture Partners, and Wavemaker Three-Sixty Health. (Ingrid Lunden / TechCrunch)

Related: Security Week, BizJournals

Valence, a cybersecurity startup focused on delivering a security platform to bring zero trust principles to the Business Application Mesh, raised $7 million in a seed funding round.

YL Ventures led the round with participation from Phil Venables, former CISO at Goldman Sachs; Justin Somaini, CSO at Unity Technologies; Karl Mattson, former CISO at PennyMac; Maarten Van Horenbeeck, CISO at Zendesk; Michael Sutton, former CISO at Zscaler; Shay Banon, co-founder and CEO at Elastic, and Benny Schnaider, co-founder and Chairman at Salto. (Frederic Lardinois / TechCrunch)

Related: Business Wire

Automotive and IoT cybersecurity software company Dellfer has raised $8 million in a Series C investment round.

Investors in the round include DENSO, a leading mobility supplier, and Option3, a specialist cybersecurity private equity firm. (Business Wire)
