Foreign Actors Attacked U.S. Courts' Document System in 2020 Causing Security Failure
German police identify alleged energy and water company hacker, US MSP suffers cyberattack, Questions surround Sky Mavis CEO's pre-hack transactions, 'Proxy service' exposes user database, more
At a committee hearing on oversight of the Justice Department’s National Security Division, House Judiciary Committee Chair Jerrold Nadler (D-NY) told fellow lawmakers that “three hostile foreign actors” attacked the U.S. Courts’ document filing system as part of a breach in early 2020 causing a “system security failure.”
Nadler said the committee learned in March about the “startling breadth and scope” of the breach, which was separate from the SolarWinds hack revealed in late 2020. Assistant Attorney General for National Security Matthew Olsen testified to the committee that NSD is “working very closely with the judicial conference and judges around the country to address this issue” and committed to updating the committee on the investigation as it progressed. (Maggie Miller / Politico)
Related: Reuters, Courthouse News Service, iTnews - Security, WashingtonExaminer.com, The Record by Recorded Future, Bloomberg, Cyberscoop, ZDNet, NextGov, US Courts, IT Pro, CyberNews, The Register
Hours before a hearing on “scams and risks in crypto and securities markets,” the chairman of the Senate Banking Committee, Sherrod Brown (D-OH), sent nearly identical letters to Apple and Google, seeking explanations as to how these tech giants are evaluating and ultimately allowing these types of trading apps that seemingly enable cryptocurrency fraud.
One such app, Metatrader 5, which is still available on both companies’ app stores, has been linked to alleged cryptocurrency scams. One California-based victim, whose identity Forbes is withholding at his request, said that after he lost $1.2 million late last year via a scam and purported trades made on Metatrader, he had suicidal thoughts. Neither Apple nor Google immediately responded to a request for comment. (Cyrus Farivar / Forbes)
In the hours before Sky Mavis, the startup that makes the video game Axie Infinity, announced it had suffered a devastating hack and froze user assets, a digital wallet belonging to its chief executive officer and co-founder, Trung Nguyen, made a significant transaction that included about $3 million worth of Axie Infinity’s primary token, AXS.
Kalie Moore, a company spokeswoman, said that Nguyen had been working to shore up the company’s finances during the crisis and had to do so in a way that wasn’t obvious to the broader crypto market for the good of the overall Axie Infinity economy. By moving AXS to the Binance cryptocurrency exchange, said Moore, the company could provide liquidity to its users as it restored access to funds via Binance.
An analysis by a researcher known only by the screen name Asobs revealed that other Sky Mavis employees made large transactions during the same period that the 0x113c wallet moved out its tokens. Moore said the company wouldn’t confirm that the wallets belonged to Sky Mavis employees and described any suggestion that they did as speculation, noting that contractors and business partners may also receive tokens. (Joshua Brustein / Bloomberg)
After years of investigation, the Baden-Württemberg State Criminal Police Office in Germany has identified one of the alleged perpetrators in a wide-ranging espionage operation in which more than 150 companies, particularly power and wastewater utilities, were targeted.
The suspect, Pawel A., is said to belong to a hacker group called Berserk Bear or Dragonfly, which U.S. authorities say has ties to the Russian secret service FSB. Pawel A. is accused of hacking the network of Netcom BW, which is part of the EnBW power group, in the summer of 2017. In September 2021, more than four years later, the Attorney General in Karlsruhe obtained an arrest warrant. (Hakan Tanriverdi and Florian Flade / Tagesschau)
hakan @hatr: 🇩🇪 federal prosecutor issued arrest warrant against Pawel A., member of hacking group "Berserk Bear". They tried to infiltrate critical infrastructure with special focus on power/wastewater utilities. Short thread, including phishing doc w/ @FlorianFlade https://t.co/NHq3HqaOKZ https://t.co/suJ13GuNXj
The Cybersecurity and Infrastructure Security Agency (CISA) signed a Memorandum of Cooperation (MoC) with the Ukrainian State Service of Special Communications and Information Protection of Ukraine (SSSCIP). It will extend an existing relationship between the two agencies.
Under the agreement, the two organizations will exchange information and best practices relating to cyber incidents. They will also share technical information about critical infrastructure security in real time, said Oleksandr Potii, deputy chairman of the SSSCIP. The MoC also authorizes the two agencies to conduct joint exercises and training sessions. (Danny Bradbury / Infosecurity Magazine)
Microleaves, a proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in its website that exposed its entire user database.
The service, which is in the process of being rebranded to “Shifter.io,” says it has leased 20-30 million IP addresses to shift each customer’s address every five minutes, leading some to speculate that Microleaves was just a botnet that was being resold as a commercial proxy service. However, data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any way they can, such as by secretly bundling it with other titles.
Shifter.io’s website also exposed information about its customer base and most active users, indicating that Shifter has earned more than $11.7 million in direct payments, although it’s unclear how far back in time those payment records go or how complete they are. The bulk of Shifter customers who spent more than $100,000 on the proxy service appears to be digital advertising companies, including some in the United States. (Brian Krebs / Krebs on Security)
U.S. managed service provider NetStandard suffered a cyberattack that caused the company to shut down its MyAppsAnywhere cloud services, consisting of hosted Dynamics GP, Exchange, SharePoint, and CRM services.
The company detected signs of a cyberattack on Tuesday morning and quickly shut down its cloud services to prevent the attack from spreading. In what may be a coincidence, Huntress Labs CEO Kyle Hanslovan tweeted a screenshot yesterday of a threat actor looking for partners to conduct an attack on a managed service provider. (Lawrence Abrams / Bleeping Computer)
In a write-up for MANRS (Mutually Agreed Norms for Routing Security), a public interest group that looks after internet routing, Internet Society senior internet technology manager Aftab Siddiqui said that Russia's Rostelecom started announcing routes for part of Apple's network on Tuesday, in a practice referred to as BGP (Border Gateway Protocol) hijacking.
Siddiqui said Rostelecom (AS12389) has been involved in previous BGP hijackings and emphasized that network operators should implement effective route filtering based on reliable information to thwart these shenanigans. Apple did not respond to a request for comment. (Thomas Claburn / The Register)
Kansas City Police and the U.S. Department of Justice are using a controversial “geofence” warrant to gain access to Google’s vast pool of location data that they hope will help prosecute two men for a series of crimes in 2015, including murder.
Two men, Shawn Burkhalter and Joshua Nesbitt, were suspected of being involved in the crimes. The FBI states in its warrant for the geofence location data that “Google maintains these records indefinitely for accounts created before June 2020, unless the user deletes it or opts to automatically delete their location history and web and app activity after three or eighteen months.”
Google confirms that it currently does not keep information on a user’s historical location by default, but that anyone who had location history turned on before mid-2020 has to actively turn on auto-delete for Google to erase the information. (Thomas Brewster / Forbes)
After a six-month investigation of allegations that Israeli police used NSO Pegasus spyware against the country’s citizens, an inquiry panel, which included two former members of the Shin Bet and one retired Mossad member, said all intercomputer communications initiated by the police were within their legal purview.
The panel’s findings presented to Attorney General Gali Baharav-Miara said that although the police overstepped the authority given by the courts in a small number of cases, there was no mass infection of phones with the Pegasus or its more limited version, Saifan. (Tova Tzimuki / Ynet News)
Anne Neuberger, White House deputy national security advisor (DNSA) for cyber and emerging technologies, traveled to Seoul, Republic of Korea to discuss ways to enhance the countries' cooperation in countering cybercrimes committed by actors such as North Korea.
An NSC spokesperson noted that President Biden and South Korean President Yoon Suk-yeol had agreed to expand their "bilateral cooperation on regional and international cyber issues and confront cyber threats, including from the Democratic People's Republic of Korea.” (Byun Duk-kun / Yonhap News)
A Twitter user who goes by the handle @pancak3stack was locked out of his account for posting a screenshot of a tweet sent earlier that day containing the name, nickname, date of birth, and passport of the alleged developer behind Predator the Thief, credential-stealing malware dating back to 2018.
Then, after launching a Substack newsletter called Who’s Behind The Keyboard? dedicated to doxxing people allegedly associated with cybercrime, Substack removed @pancak3stack’s newsletter. Pictures of the suspects in the newsletter look to be taken from social media sites as they smile into the camera or pose alongside nice cars. The information is “all open-source,” pancak3 said, noting that both the Conti leaks and the much larger leaks from TrickBot helped “tremendously.” (A.J. Vicens / Cyberscoop)
Hong Kong’s government rejected a security audit by Polish cybersecurity firm 7ASecurity of the country’s COVID-19 LeaveHomeSafe app that found flaws that could expose sensitive user information.
7ASecurity said it detected vulnerabilities in the software that could allow hackers to access I.D. numbers, visit records, or vaccination and testing information. Researchers from 7ASecurity said they shared their work, funded by the U.S. non-profit Open Technology Fund, in June with the app’s developer, Hong Kong-based Cherrypicks, a Netdragon Websoft Holdings Ltd subsidiary. The government, however, said there had never been security or privacy incidents related to the LeaveHomeSafe app, which has undergone third-party assessments. (Sarah Zheng / Bloomberg)
Innocuous-seeming “wrong number” texts are, in fact, scams that ultimately lead to pitches for fraudulent cryptocurrency investments and other ways to bilk people out of money.
Erin West, the deputy district attorney in charge of the high technology crimes unit in Santa Clara County, California, said “accidental” text messages have become one of the most common new ways to lure people into the same crypto scams her office has tracked for several years. The Federal Communications Commission warned about spam and scam texts, saying that ignoring them is the most effective way for users to avoid being scammed. (Kevin Collier / NBC News)
Tom Namako @TomNamako: .@kevincollier struck up a conversation with someone sending those weird random texts: https://t.co/9B839XFC8r via @nbcnews