Sanctioned Iranian Airline Claims It Thwarted a Cyberattack
Iranian hackers broke into newspaper company Lee Enterprises, Wind turbine maker Vestas shut down by cyberattack, Second voting system breach discovered in Ohio, Meta to delay message encryption, more
Important Publishing Notice and Message of Gratitude: Metacurity will not be published from November 23 through November 30 as I take a much-anticipated Thanksgiving holiday. I wish our readers a warm, happy, and safe week. I’m grateful for your support.
An Iranian airline, Mahan Air, which has been under US sanctions since 2011, said it came under a cyberattack, which it claims to have thwarted.
Customers of Mahan Air, which has ties to the Islamic Revolutionary Guard, received strange text messages on Sunday. A group calling itself Hooshyarane-Vatan, or Observants of Fatherland, claimed in the mass texts to have carried out the attack. Hooshyarane-Vatan’s Twitter account repeatedly invoked Ahvaz, a majority-Arab region in southwestern Iran that has seen separatist violence. (Times of Israel)
Related: Iran International, Radio Free Europe / Radio Liberty, Middle East Monitor, Israel National News, Al Arabiya, IRNA English, Associated Press, Arutz Sheva News, Presstv, Reuters, Hamodia, The New Arab
The previously unidentified media company that Iranian hackers breached in the fall of 2020, cited in last week’s Justice Department indictment, has been identified as Lee Enterprises. The company is a prominent American newspaper owner with dozens of small city papers across the U.S.
The Justice Department said the alleged hackers broke into the digital systems of an unnamed media company in fall 2020 and tested how to create false news content. (Dustin Volz / Wall Street Journal)
One of the world’s biggest wind turbine makers, Vestas Wind Systems, shut down computer systems across several locations to deal with a cyber security incident.
“As part of our crisis management setup for cyber security, we are working together with our internal and external partners to contain the issue fully and recover our systems,” the company said in its statement. (Clive McKeef / Marketwatch)
An attempted breach in Ohio occurred on May 4 inside the county office of John Hamercheck (R), chairman of the Lake County Board of Commissioners, according to two individuals with knowledge of the incident.
The breach bears striking similarities to an incident in Colorado earlier this year when government officials helped an outsider gain access to the county voting system to find fraud. Data obtained in both instances were distributed at an August “cyber symposium” on election fraud hosted by staunch Trump ally and MyPillow executive Mike Lindell. An FBI spokeswoman confirmed that the bureau is investigating the incident in Lake County but declined to comment further. (Amy Gardner, Emma Brown and Devlin Barrett / The Washington Post)
Related: The Guardian
The U.S. Internal Revenue Service (IRS) said it had seized $3.5 billion in cryptocurrency in nontax investigations over the past fiscal year, making up 93 percent of its overall seizures Oct. 1, 2020-Sept. 30, 2021, underscoring how criminals have embraced digital currency.
More than $1 billion of those funds came from more than 69,000 bitcoins that lingered from the Silk Road case, the first major law enforcement crackdown of a darknet black market. (Kevin Collier / NBC News)
The security team at DevOps platform JFrog discovered a set of eleven malicious Python libraries downloaded and installed more than 30,000 times before the packages were spotted and reported.
Two of the 11 packages abused a new technique called dependency confusion, where attackers register packages with names that might be used inside closed corporate networks. The operators of the Python Package Index (PyPI) removed 11 Python libraries from their portal. (Catalin Cimpanu / The Record)
Scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text in clever fraud scams involving peer-to-peer payment service Zelle.
Phishing text messages that purportedly come from the targeted victims’ banks asking whether attempted payments via Zelle were made will elicit a phone call from a scammer pretending to be from the financial institution’s fraud department if the victim responds yes or no to the texts. To “verify the identity” of the customer, the fraudster, using the forgot password feature on banks’ sites, asks for their online banking username and then tells the customer to read back a passcode sent via text or email. Once the one-time passcode is obtained, the fraudster resets the victim’s password. Many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. (Brian Krebs / Krebs on Security)
The U.S. House of Representatives approved more than $500 million in cybersecurity funding last week as part of its version of President Biden’s roughly $2 trillion Build Back Better package.
The package gives $100 million to CISA for cybersecurity risk mitigation issues, $100 million for cybersecurity workforce and training, $50 million for moving to a secure cloud architecture, and a further $50 million to research and develop strategies to secure industrial control systems. (Maggie Miller / The Hill)
The U.S. Justice Department will sell off $56 million worth of cryptocurrency it seized as part of a massive Ponzi scheme case against a man who promoted the crypto lending program BitConnect.
The Justice Department said the liquidation of the cryptocurrency follows “the largest single recovery of a cryptocurrency fraud by the United States to date.” The department encouraged victims of that fraud to visit a website, https://www.justice.gov/usao-sdca/us-v-glenn-arcaro-21cr02542-twr, to submit claims for reimbursement from the sale. (Dan Mangan / CNBC)
Researchers at Group-IB say that Russian-speaking hacking group RedCurl has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia.
Since November 2018, RedCurl has been linked to 30 attacks with the goal of corporate cyber espionage and document theft, aimed at 14 organizations spanning the construction, finance, consulting, retail, insurance, and legal sectors and located in the U.K., Germany, Canada, Norway, Russia, and Ukraine. (Ravie Lakshmanan / The Hacker News)
Researchers at Trend Micro say that threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
Trend Micro believes the threat actors behind the attack are “TR”, a known threat actor that distributes emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle payloads. The threat actors use the compromised Exchange servers to reply to the company's internal emails in reply-chain attacks containing links to malicious documents that install various malware. Microsoft fixed the ProxyLogon vulnerabilities in March and the ProxyShell vulnerabilities in April and May. Admins are urged to apply these patches. (Bill Toulas / Bleeping Computer)
Researchers at Pen Test Partners revealed that about six million routers deployed by entertainment company Sky had a significant software bug that could have allowed hackers to take over home networks.
The vulnerability could have affected anyone who had not changed the router's default admin password. Sky took more than 17 months to fix the security flaw. Sky says that 99% of the affected routers have been updated. (Jane Wakefield / BBC News)
Facebook and Instagram will delay plans to encrypt users’ messages until 2023 amid warnings from child safety campaigners that their proposals would shield abusers from detection.
Meta, the parent company of Facebook and Instagram, announced that the encryption process would occur in 2023. The company had previously said the change would happen in 2022 at the earliest. (Dan Milmo / The Guardian)
Researchers at CrowdStrike discovered that a hacking gang called Stardust Chollima, which has suspected links to the North Korean government, has been going after Chinese security researchers in an apparent attempt to steal their hacking techniques and use them as their own.
North Korean hackers targeted Chinese security researchers with likely booby-trapped Chinese-language phishing documents labeled “Securitystatuscheck.zip” and “_signed.pdf,” hoping that the researchers would be compelled to click on them. It’s unclear from the CrowdStrike research if the North Koreans were able to claim any victims. (Shannon Vavra / Daily Beast)
After the recent spate of ransomware attacks, insurers have halved the cybersecurity coverage they provide to customers.
Sources say that Lloyd's of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year. (Carolyn Cohn / Reuters)