Google Sues Two Russian Nationals for Their Role in Creating Login-Stealing Glupteba Botnet

Senate cuts mandatory cyber incident requirements from NDAA, Ottawa man charged with ransomware attacks, Crypto wallet scammers expand their attacks, Kamala Harris is right about Bluetooth, more

Dec 8, 2021

In a complaint unsealed Tuesday in the U.S. District Court for the Southern District of New York, Google is suing two Russian nationals it claims are part of a criminal enterprise that has` infiltrated more than a million computers and devices worldwide.

Google names two defendants, Dmitry Starovikov and Alexander Filippov, as well as 15 unnamed individuals, for their role in creating a “botnet” known as Glupteba, used by threat actors for illicit purposes, including the theft and unauthorized use of Google users’ login and account information. Google said the Glupteba botnet stands out for its “technical sophistication.” As part of the investigation, Google used Chainalysis products and investigative services to help understand the botnet. (Jamie Tarabay / Bloomberg)

A compromise version of the fiscal 2022 National Defense Authorization Act (NDAA) released Tuesday leaves out what had been bipartisan language that would have mandated many companies to report significant cyberattacks and ransomware payments to federal officials.

Chairman Bennie Thompson of Mississippi and New York’s Yvette Clarke blamed Republicans for failing what had been considered an easy passage of a popular provision. Senate Homeland Chairman Gary Peters (D-MI) said he would continue to press to pass the reporting mandates. (Tim Starks / Politico)

Eric Geller @ericgeller

Breaking: A cyber incident reporting mandate won't be in the NDAA, House Homeland Dem leaders announce. "Ultimately the clock ran out on getting it in the NDAA. There was dysfunction and disagreement stemming from Senate Republican leadership...We are profoundly disappointed..."

Chris Painter @C_Painter

Disappointing indeed. This is long overdue and I had hoped the conversation had changed given Colonial Pipeline & other incidents. An unfortunate triumph of an untenable status quo.

Eric Geller @ericgeller

An Ottawa man, Matthew Philbert, has been charged following a nearly two-year investigation spurred by the U.S. FBI into several ransomware attacks on targets in Canada and the U.S. The RCMP and Europol assisted the investigation along with the FBI.

Authorities say Philbert was responsible for numerous ransomware attacks affecting businesses, government agencies, and private individuals throughout Canada, as well as cyber-related offenses in the U.S. Philbert was also charged in the U.S. for conspiring with others to damage computers, "and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018." (Michael Woods / CTV News)

Scammers who monitor every tweet containing requests for support on MetaMask, TrustWallet, and other popular crypto wallets and then respond to them with scam links in just seconds to steal users’ recovery phrases are now expanding their attacks.

Tweets containing the words “support,” “help,” or “assistance” along with the keywords like “MetaMask,” “Phantom,” “Yoroi,” and “Trust Wallet” will result in almost instantaneous replies from Twitter bots with fake support forms or accounts. To steal the recovery phrases (also known as seed phrases), the threat actors create support forms on Google Docs and other cloud platforms. Twitter said that using Twitter APIs to spam is against the rules and that they are actively working on new methods to prevent these attacks. (Lawrence Abrams / Bleeping Computer)

Related: Tech Times, The Indian Express

Researchers at Proofpoint say that threat actors are targeting universities in multiple phishing attacks designed to impersonate college login portals to steal valuable Office 365 credentials.

The campaigns leverage fears over the COVID-19 Delta and Omicron variants and mention how the health crisis impacts educational programs. Some of the universities targeted in these attacks include the University of Central Missouri, Vanderbilt, Arkansas State University, Purdue, Auburn, West Virginia University, and the University of Wisconsin-Oshkosh. (Bill Toulas / Bleeping Computer)

Related: MSN, TechTimes, Proofpoint

An article that appeared in Politico mocking Vice President Kamala Harris’ preference for wired head headphones over Bluetooth devices runs counter to the wisdom of cybersecurity professionals who have argued for years that wireless headphones pose a significant security risk.

A malicious actor can track someone using a Bluetooth device within 200 feet of the user. As a result, the National Security Agency’s defensive cybersecurity branch recommended last year that if users want to avoid the risk of data exposure seeping out to unwanted eavesdroppers, they ought to disable Bluetooth altogether. (Lorenzo Franceschi-Bicchierai / Motherboard)

SwiftOnSecurity @SwiftOnSecurity

If I was high-level government I wouldn't use Bluetooth either. It's not just the Bluetooth device or communications being insecure. The fact you have Bluetooth turned on exposes an obscure weirdo ancient firmware interface on your device for attack. Screw that.

sean brooks @seanwbrooks

If you're the first black, woman VP your threat model is off the CHARTS and this approach to security is 100% correct. After years of breathless coverage about senior US officials' caviler use of sensitive data, you'd think she'd get a little more credit.

Alex Thompson @AlexThomp

Former aides say that VP has long been careful about security — w/ some describing it as prudent & others suggesting it’s a bit paranoid. A former aide from AG days said when a person arrived for a meeting, staff were instructed not to allow them to wait in Harris' office alone.

Hackers reportedly attempted to shut down two Queensland, Australia power stations at the end of November owned by CS Energy. The two stations have the capacity to light three million homes.

CS Energy confirmed a ransomware incident on its ICT network on Saturday, November 27, but did not explicitly link it to the newly reported attacks. Company CEO Andrew Bills said in an earlier statement that “This incident may have affected our corporate network, but we are fortunate to have a resilient and highly skilled workforce who remain focused on ensuring CS Energy continues to deliver electricity to Queenslanders.” (7 News)

Emotet research group Cryptolaemus warns that the notorious Emotet malware now skips its primary malware payload of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices, making ransomware attacks imminent.

Email security firm Cofense says in a flash alert that a limited number of Emotet infections installed Cobalt Strike, attempted to contact a remote domain, and then was uninstalled. By skipping the malware payloads, the threat actors will have immediate access to a network to spread laterally, steal data, and quickly deploy ransomware. (Lawrence Abrams / Bleeping Computer)

Cryptolaemus @Cryptolaemus1

🚨🚨WARNING 🚨🚨 We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: tria.ge/211207-t5l24sb… Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x

Hatching Triage | Malware sandboxing report by Hatching TriageHave a look at the Hatching Triage automated malware analysis report for this cobaltstrike sample, with a score of 10 out of 10.tria.ge

A new report from Analyst1 details activities of an underground cybercriminal court where cybercriminals have set up their own system for settling disputes, handing over ultimate decision-making to senior underground forum administrators who have awarded claims totaling as much as $20 million.

Analyst1 researchers have found more than 600 requests for mediation on just one Russian-language forum alone, tackling disputes ranging from missing affiliate payments to contract violations. Failure to comply with verdicts will lead to the cybercriminal getting banned from the forum. (Becky Bracken / Threatpost)

Related: Analyst1, Candid Technology

Catalin Cimpanu @campuscodi

Although some might think this is new and related to recent ransomware affiliate disputes, arbitration sections have been a staple on hacking forums for more than a decade, especially on carding forums.

Techmeme @Techmeme

Researchers discover cybercrime forums acting as an informal court system on the Dark Web, where criminals can file grievances and settle disputes with peers (Analyst1) https://t.co/fqpBWCLEMH https://t.co/OlifkGKbtV

Senior Biden administration officials, including Homeland Security Secretary Alejandro Mayorkas, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, National Cyber Director Chris Inglis, and others, met Monday with executives from 13 companies, including Google, networking vendor Juniper Networks and security firm Mandiant.

The goal of the meeting was to solicit help in fending off aggressive hackers working for adversarial regimes and criminal gangs and deepen relationships between government and industry that security professionals see as vital for protecting the nation’s critical infrastructure. (Eric Geller / Politico)

Related: Daily Mail, UrduPoint, Big News Network, Slashdot

In new FISMA guidance issued Monday, the Office of Management and Budget called on the Cybersecurity and Infrastructure Security Agency to establish a strategy for automating the collection of federal agencies’ cybersecurity metrics by April of next year.

The guidance also orders CISA to set timelines for collecting the data. By December 2022, OMB expects to begin grading agencies with a compliance scorecard based on the data. (John Hewitt Jones / Fedscoop)

Israeli industrial cybersecurity startup Claroty announced it had raised $400 million in a Series E venture funding round.

SoftBank Vision Fund 2 and existing investors Bessemer Venture Partners and Schneider Electric co-led the round. Other existing investors, including ISTARI (a global cybersecurity platform established by Temasek), Team8, and Standard Investments, participated. (Thomas Brewster / Forbes)

Related: PR Newswire, Globes, Calcalist, Venture Beat

Email security company Ironscales announced it had raised $64 million in a Series C venture funding round.

PSG led the round with participation from existing investors K1 Investment Management and Jump Capital. (Erin Schilling / Atlanta INNO)

Related: Calcalist, Business Wire, Pitchbook

Torq, a no-code security automation startup formerly known as StackPulse, announced that it had raised a $50 million Series B venture funding round.

Insight Partners led the round with participation from new investor SentinelOne and existing investors GGV Capital and Bessemer Venture Partners. (Frederic Lardinois / TechCrunch)

Photo by Pawel Czerwinski on Unsplash

Metacurity