Iran-Friendly Hackers Carried Out Disruptive Attacks on Albanian Government Websites

Nomad says attackers who return 90% of stolen funds will be considered 'white hat,' Russian national who profited from cybercrime extradited to U.S., Bitter APT has spied on thousands, much more

Aug 5

Mandiant researchers say that hackers working to further the Iranian government’s goals who are angry over the Iranian opposition group Mojahedin-e Khalq’s (MEK) upcoming conference in Albania carried out disruptive cyberattacks on Albanian government sites last month.

The attacks, which forced the government of Albania to shut down online access to multiple government services, may have included a previously unknown backdoor called ChimneySweep and a newly discovered ransomware tool known as RoadSweep to attack the government systems.

In addition, the day after the initial attacks, malware known as ZeroClear, previously linked to Iranian hackers, was uploaded to a public malware registry. It’s unclear whether that sample was used as part of the July 17 attack, but a video uploaded to a website claiming responsibility for the hacks purports to show Albanian government files being deleted. (AJ Vicens / Cyberscoop)

Emiel Haeghebaert @EHaeghebaert

New Mandiant research on disruptive activity against Albanian government organizations in mid-July 2022. Mandiant assesses with moderate confidence that one or multiple threat actors operating in support of Iranian goals are responsible: 1/11

mandiant.comLikely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations | MandiantMandiant attributes the ransomware attack against the Albanian government network in July of 2022 to an Iranian threat actor.

John Hultquist🌻 @JohnHultquist

This incident reminds us that cyberattackers are not deterred. Attacks that disrupt the lives of everyday citizens are definitely on the table. They see this capability as a valid means of coercion.

John Hultquist🌻 @JohnHultquist

BREAKING: Mandiant is attributing the ransomware attack that took down Albanian government networks and cut off public services in mid-July to Iranian actors. Albania is a NATO member. This is an escalation from previous focus on Middle East targets. 1/x https://t.co/eSeciMCUqy

Cryptocurrency company Nomad is offering a bounty to recoup funds stolen in a $190 million hack and will consider anyone returning at least 90% of stolen tokens to be a so-called white-hat hacker that seeks to spotlight vulnerabilities rather than make malicious gains.

“We will not prosecute white hats,” Pranay Mohan, chief executive officer of Nomad, said in the statement. “But we will continue to work with our partners, intelligence firms, and law enforcement to pursue all other malicious actors to the fullest extent under the law.”

Nomad said it is working with crypto forensics specialist TRM Labs and law enforcement to identify hackers. Nomad has partnered with crypto platform Anchorage Digital to accept and safeguard retrievable funds. (Joanna Ossinger / Bloomberg)

Nomad (⤭⛓🏛) @nomadxyz_

Update: Nomad Bridge Hack Bounty (see below for details) Please send the funds to the official Nomad recovery wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154

Nomad (⤭⛓🏛) @nomadxyz_

Nomad Bridge Funds Recovery Process Dear white hat hackers and ethical researcher friends who have been safeguarding ETH/ERC-20 tokens, Please send the funds to the following wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154 https://t.co/UF623JSZ8u

In a significant win for U.S. law enforcement, a Russian national, Alexander Vinnik, accused of running a multibillion-dollar cryptocurrency exchange that allegedly profited from various hacking and extortion schemes, has been extradited from Greece and is on his way to the U.S.

Vinnik is accused of operating a cryptocurrency exchange known as BTC-e that allegedly did business with ransomware gangs, drug dealers, and identity thieves, according to the Justice Department. He faces charges in the Northern District Court of California of money laundering and operating an unlicensed money service business in the U.S., among other charges. (Sean Lyngaas / CNN)

Zev Shalev @ZevShalev

Huge development and a big win for US prosecutors - Alexander Vinnik deported to the US.

cnn.comRussian accused of money laundering and running $4B bitcoin exchange extradited to US | CNN PoliticsA Russian national accused of running a multibillion-dollar cryptocurrency exchange that allegedly profited from various hacking and extortion schemes has been extradited from Greece and is on his way to the US, according to the suspect’s lawyer.

Meta’s quarterly adversarial threat report says that Cyber Front Z, a pro-Russian troll operation exposed in the days after the Russian invasion of Ukraine, “was clumsy and largely ineffective — definitely not ‘A team’ work.”

The group is a “poorly executed attempt, publicly coordinated via a Telegram channel, to create a perception of grassroots online support for Russia’s invasion by using fake accounts to post pro-Russia comments on content by influencers and media.” Cyber Front Z remains active on Telegram, with 110,692 subscribers as of August 4. (AJ Vicens / Cyberscoop)

Related: CBS News, Protocol, Rolling Stone

According to Meta’s quarterly adversarial threat report, a cyber espionage group believed to be operating out of India and Pakistan, known as Bitter APT, has been spying on thousands of people by using malware that masquerades as popular secure-messaging apps, according to a new report from Facebook.

The group has been installing malware dubbed Dracarys on Android devices via fake versions of encrypted messaging apps WhatsApp, Signal, and Telegram, which has surged in popularity among Ukrainians as a tool for communicating information about the Russian invasion.

The malware, which has been propagated on Meta’s social media sites, Facebook and Instagram, by hackers posing as attractive young women, journalists, or activists, can siphon off information from an Android device, including call logs, contacts, files, text messages, and geolocation data. It can also access a device’s camera and microphone. (Thomas Brewster / Forbes)

Cybersecurity researcher Ken Pyle provided the Federal Emergency Management Agency with "compelling evidence to suggest certain unpatched and unsecured EAS [Emergency Alert System] devices are indeed vulnerable.”

The agency this week urged operators of the devices to update their software to address the issue, saying that the false alerts could, in theory, be issued over TV, radio, and cable networks. However, there is no evidence that malicious hackers have exploited the vulnerabilities.

Digital Alert Systems, Inc., the New York-based firm that makes the emergency-alert software, said that Pyle first reported the vulnerabilities to the firm in 2019. At that time, the firm issued updated software to address the issue. Pyle said that subsequent versions of the Digital Alert Systems software were still susceptible to some of the security issues he discovered. (Sean Lyngaas / CNN)

The Indian government unexpectedly withdrew a proposed bill on data protection, Personal Data Protection Bill, 2019, that a panel of lawmakers had worked on for more than two years, saying it was working on a new law.

The legislation would have required internet companies like Meta and Google to get specific permission for most uses of a person’s data and would have eased the process of asking for such personal data to be erased. Privacy advocates and some lawmakers complained that the bill would have given the government expansive powers over personal data while exempting law enforcement agencies and public entities from the law’s provisions, ostensibly for national security reasons. (Sameer Yasir and Karan Deep Singh / New York Times)

Two brothers, Ian Macalinao and Dylan Macalinao, used many pseudonymous developer profiles to inflate the TVL (total value locked) on Solana by $7.5 billion in what amounted to a Sybil attack, which is when a computer in a network uses bogus identities to gain disproportionate influence over the whole.

The two brothers have moved on to Aptos, an up-and-coming blockchain porting Saber. Many Solana developers are in tow, a venture capital source said. Three sources said they now head a VC firm anchored in Aptos. Their VC is called Protagonist. Its old name was “Ship Capital.” (Danny Nelson and Tracy Wang / CoinDesk)

Related: Cryptoslate

Leaked screenshots show the Linn-Mar School District in Iowa is dealing with a ransomware attack by a group called Vice Society that is much more severe than the “technical difficulties” the district has described to staff and parents.

The screenshots show a warning message stating, “Vice Society has encrypted all your files.” The warning threatens to upload those files to the dark web unless the user contacts them to purchase a key within seven days. The notice does not give the cost of that key. The district, however, has told parents and staff that it is suffering “technical difficulties” with its computer network that has prompted it to limit physical access to district buildings for the rest of this week. (Adam Carros and Ethan Stein / KCRG)

Related: Kwwl

Brett Callow @BrettCallow

Linn-Mar School District in Iowa appears to have been hit by Vice Society. So far this year, 18 districts with 330 schools between them and 19 colleges have been impacted by ransomware. 1/2

kcrg.comLeaked image shows ransomware attack hit Linn-Mar School DistrictA leaked image sent to TV9 shows a ransomware notice on a Linn-Mar School District warning “all your files have been encrypted by Vice Society”.

The National Labor Relations Board (NLRB) filed an application to compel two McDonald’s employees who used to work on the company’s team responsible for security and intelligence gathering, known as Global Intelligence Team, to provide evidence to the agency.

The agency sued the employees to compel them to respond to a subpoena related to a case of alleged surveillance against the company’s workers involved with the labor activist campaign Fight for $15. The lawsuit stems from a Motherboard investigation that revealed McDonald’s had labeled Fight for $15 activists a security threat for years and spied on them to figure out which workers were involved in the movement and who they were working with to organize protests, strikes, and attempt to form unions. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: Law360

Senator Ron Wyden (D-OR) sent a letter to U.S. Supreme Court Chief Justice John Roberts urging him to address the federal court system’s decades-long failure to secure Americans’ most sensitive personal information in court filings.

The letter follows a recent report by the court system’s top policy-making body showing that the body has been inconsistent in enforcing existing privacy rules and enacting new ones. (Tonya Riley / Cyberscoop)

Related: Washington Examiner, U.S. Courts

Deputy Assistant Attorney General for National Security Adam Hickey said the Justice Department has filed its most sensitive court documents on paper since January 2021 to avoid any chance of a breach or vulnerability in electronic filing systems compromising its high-stakes cases.

Hickey said the department implemented the policy last year but did not connect that change to any specific breach or cybersecurity event. However, the Administrative Office of the U.S. Courts did reveal “an apparent compromise” of the court system’s electronic case files on January 6, 2021. (Suzanne Smiley / Cyberscoop)

Dante Brown @DanteELDBrown

Yes, there are cases when even digitising something is beyond the risk appetite. #riskmanagement #datahandling #dataprivacy

lnkd.inDOJ now relies on paper for its most sensitive court documents, official saysA top DOJ official said potential vulnerabilities in the online case management system means that “going online is not always the best thing.”

Details and screenshots of a prototype version of the Pegasus spyware designed for Israeli police in 2014 reveal the tools and far-reaching capabilities of a system slated to be deployed in everyday police work.

In response to a story in Calcalist that said Israeli police used NSO Group’s Pegasus spyware against the country’s citizens, an investigative committee led by Deputy Attorney General Amit Merari sought to examine police use of attack spyware, particularly Pegasus. The Merari team discovered that even though there had been no eavesdropping without court orders, spyware had been used, though the police referred to it by a different name: Seifan. (Josh Breiner and Omer Benjakob /Haaretz)

Zack Whittaker @zackwhittaker

An interesting, rare look at what Pegasus used to look like from an operator's point of view, in this case Israeli police. Seems in line with previously leaked screenshots and existing reporting, like @KimZetter's timeless deep-dive on how Pegasus works: zetter.substack.com/p/pegasus-spyw…

Omer Benjakob @omerbenj

SCOOP We got our hands on screen shots of an early prototype of Pegasus, called Syaphan and intended for use by the Israeli police These photos are the closest we’ve gotten to seeing real working Pegasus system THREAD @JoshBreiner @haaretzcom https://t.co/73duo7QNEg https://t.co/Sk0CHD5gc1

DuckDuckGo announced it will now block all third-party Microsoft tracking scripts in their privacy browser after failing to block them in the past.

This change comes after the company faced massive blowback in May for not blocking some third-party Microsoft trackers in the DuckDuckGo browser due to a syndicated search content agreement between the two companies. (Lawrence Abrams / Bleeping Computer)

Related: DuckDuckGo, 9to5Mac

Cybersecurity firm Deepwatch says it is highly likely a threat actor exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector.

They attribute the attack to a threat activity cluster known as TAC-040. The Atlassian vulnerability suspected to have been exploited is CVE-2022-26134, an Object-Graph Navigation Language (OGNL) injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance. Little is known about TAC-040 other than the fact that the adversarial collective's goals could be espionage-related. However, the possibility that the group could have acted out of financial gain hasn't been ruled out, citing the presence of a loader for an XMRig crypto miner on the system. (Ravie Lakshmanan / The Hacker News)

Related: Teiss, Decipher, Deepwatch

Researchers at Fortinet discovered that a new botnet called RapperBot has been used in attacks since mid-June 2022, brute-forcing its way into Linux SSH servers to establish a foothold on the device.

RapperBot is based on the Mirai trojan but deviates from the original malware's normal behavior, which is uncontrolled propagation to as many devices as possible because it is more tightly controlled, has limited DDoS capabilities, and its operation appears geared towards initial server access, likely to be used as stepping stones for lateral movement within a network. (Bill Toulas / Bleeping Computer)

Related: Security Affairs, TechRadar, Fortinet

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the topmost detected malware strains last year in a joint advisory with the Australian Cyber Security Centre (ACSC).

The top malware strains observed in 2021 include Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, The Record

As the era of quantum computing comes closer to reality, the tech industry is developing plans to deal with the challenges to encryption and other security problems that quantum technology poses.

Software developers have had decades to figure out how to deploy existing forms of encryption, such as RSA, properly, but now they will have to contend with the implementation of largely untested new algorithms that are based on different techniques. This foreshortened timeframe will likely create a significant source of vulnerabilities in the five years after these things are first widely deployed. (Kyle Alspach / Protocol)

Nick Sullivan @grittygrease

Great article by @KyleAlspach at @protocol about the challenges of upgrading all the cryptographic software in the world in preparation for quantum computers.

protocol.comPrepping for quantum computing could create security issues of its ownThe tech industry is scrambling to implement new “quantum-resistant” algorithms, which could be a “significant source of vulnerabilities” for years.

Talon Cyber Security, the developer of a specialized browser designed to help enterprises reduce the risk of data breaches, announced that it had raised an additional $83 million in Series A funding on top of the $17 million reported earlier this year.

Evolution Equity Partners led the round, with participation from Ballistic Ventures, CrowdStrike’s Falcon Fund, Merlin Ventures, SYN Ventures, and previous investors CrowdStrike co-founder and CEO George Kurtz, Lightspeed Venture Partners, Sorenson Ventures and Team8. (Maria Deutscher / Silicon Angle)

Cybersecurity risk management startup Axio Global Inc. announced today that it had raised $25 million in a Series B venture funding round.

ISTARI, a Temasek-founded global cybersecurity firm dedicated to helping clients build cyber resilience, led the round with additional participation from existing investors, including Distributed Ventures, IA Capital Group, and Bob Dudley, Axio Chairman and former CEO of BP. (Duncan Riley / Silicon Angle)

Lumu, a Miami, FL-based creator of the Continuous Compromise Assessment cybersecurity model that empowers organizations to measure compromise in real-time, raised $8 million in a new venture funding round.

Panoramic Ventures led the round, with participation from KnowBe4 Ventures, Lane Bess, former Zscaler and Palo Alto Networks executive, and Tom Noonan, former CEO at Internet Security Systems and the SoftBank Group’s SB Opportunity Fund. (FinSMEs)

Related: PR Newswire

Munich-based IDnow, a startup that provides machine-learning technology for its Identity Verification-as-a-Service (IVaaS) platform, announced it had raised €60M ($61.4 million) in a new debt facility from funds and accounts managed by BlackRock.

According to IDnow, the new funds will help scale the company by introducing new identity-proofing solutions, expanding its services in new markets, and potential acquisitions. (Vishal Singh / Silicon Canals)

Related: PR Newswire, FinSMEs

Business risk intelligence startup Flashpoint has acquired open-source intelligence startup Echosec Systems Ltd. for an undisclosed price.

Flashpoint says the acquisition will expand its OSINT capabilities to drive on-the-ground situational awareness, executive protection, geopolitical risk assessments, counterterrorism, misinformation and disinformation identification, and response and crisis response. (Duncan Riley / Silicon Angle)