Threat Actor Collective Fin11 Has Shifted to Financial Crimes

Twitter hackers began with tech support scam, FinFisher offices raided, Zoom to offer end-to-end encryption, Google and Intel warn of Bleeding Tooth Flaw in Linux, Trickbot network is still alive

Oct 15

(Check out our special report this morning on the New York Post’s article and the prospect of late-game cyberattacks and disinformation campaigns.)

A financially motivated threat actor collective called Fin11, known for its malware distribution campaigns has shifted focus to financial crimes including ransomware and extortion, researchers at FireEye’s Mandiant report. The gang has been involved in cybercrime activities since 2016 and has a significant overlap in TTPs (tactics, techniques, and procedures) with another threat group that cybersecurity researchers call TA505, which is behind the infamous Dridex banking Trojan and Locky ransomware. (Ravie Lakshmanan / The Hacker News)

Mandiant @Mandiant

Agile campaigns from the newly graduated FIN11 threat group have reached as much as $10 million USD. Get briefed now: feye.io/34PAd4U

Hackers Who Took Over High Profile Twitter Accounts Started Out With Tech Support Scam

The young hackers who took over a number of high-profile Twitter accounts last summer such as those belonging to Barack Obama and Elon Musk began their spree by posing as company IT officials making a support call, according to a report by New York’s Department of Financial Services. The state officials behind the report are calling for addition cybersecurity regulation of major tech platforms, particularly large social media platforms, which they call “systemically important.” (Brian Fung / CNN)

Law Enforcement Raided Around a Dozen Offices Belonging to Spyware Company FinFisher

Public prosecutors have carried out raids in about a dozen offices belonging to the Munich-based spyware manufacturer FinFisher, public broadcasting news Tagesschau revealed early on Wednesday, following criminal charges that RSF Germany (Reporters Without Borders) and other civil society organizations filed against the FinFisher conglomerate in 2019. RSF argued that FinFisher illegally sold FinSpy intrusion software to the repressive government of Turkey. (RSF / Reporters Without Borders)

John Scott-Railton @jsrailton

BIG NEWS: German police raided the offices of spyware developer FinFisher. Comes after investigation into export violations triggered by civil society complaint.

German spyware company FinFisher searched by public prosecutors | Reporters without bordersReporters Without Borders (RSF) welcomes news of significant progress in the criminal investigation of illegal exports of surveillance technology by German spyware company FinFisher. Public prosecutors have searched about a dozen offices belonging to the Munich-based spyware manufacturer, public bro…rsf.org

hakan @hatr

Repost for the U.S. crowd: In connection with the #Finfisher investigation police have carried out raids against 15 residential and business premises in Germany and abroad last week, we (BR/NDR) found out. Main question is how and if FF exported Finspy without proper licenses.

hakan @hatr

Neu: Im Zuge der Ermittlungen gegen #Finfisher haben Ermittler des Zollkriminalamts in der vergangenen Woche Wohn- und Geschäftsräume durchsuchen lassen. Verdacht: Verstoß gegen das Außenwirtschaftsgesetz https://t.co/FXpZM3QswO Story mit @B_Strunz und @jlstro

Zoom Plans to Launch End-to-End Encryption for All Users Following Testing Period

As part of its Zoomtopia event, meteoric video conferencing company Zoom said that it will roll out end-to-end encryption, following a three-phase testing period. Zoom has stumbled on delivering end-to-end encryption a couple of times. First, it initially claimed it offered end-to-end encryption, which turned out to be inaccurate. Then it promised to deliver the security measure to premium subscribers only but backtracked on that plan. (Paul Sawers / Venture Beat)

Google and Intel Warn of High-Severity BleedingTooth Flaw in Linux Bluetooth Core Protocols and Layers

Google and Intel are warning of a high-severity Bluetooth flaw called BleedingTooth, a name given by Google engineer Andy Nguyen, that resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. In addition to Linux laptops, BlueZ is used in many consumer or industrial Internet-of-things devices. It works with Linux versions 2.4.6 and later. Although Nguyen plans to offer more details soon, the bug seemingly provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth. (Dan Goodin / Ars Technica)

Andy Nguyen @theflow0

BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution Blog post available soon on: security.googleblog.com Google Security Research Repository: github.com/google/securit… Intel Security Advisory: intel.com/content/www/us… Video:

BleedingTooth: Linux Bluetooth Zero-Click Remote Code ExecutionMore information: Blog post available soon on: https://security.googleblog.com/ Google Security Research Repository: https://github.com/google/security-resea...youtu.be

Other Cybersecurity News

The number of ads on hacking forums selling access to compromised IT networks tripled in September 2020 compared to the previous month, according to a report by cybersecurity firm KELA. KELA said it indexed 108 "network access" listings posted on popular hacking forums last month, collectively valued at a total asking price of around $505,000. (Catalin Cimpanu / ZDNet)

Despite the best efforts of U.S. CyberCommand and a team of organizations headed by Microsoft to cripple the TrickBot botnet ahead of the U.S. elections, TrickBot is still continuing to cause new infections, according to Alex Holden, chief information security officer of Hold Security, a Milwaukee-based company that tracks TrickBot. Even so, the number of infections appears to have dropped into the hundreds, as opposed to the thousands prior to the two efforts to dismantle it. (Sean Lyngaas / Cyberscoop)
MalwareTech @MalwareTechBlog
Had a feeling this would happen. Emotet often drops TrickBot, and a few month ago TrickBot was dropping Emotet. As a result they are able to recover some old bots, as well as infect new systems via Emotet.
Cofense Labs @CofenseLabs
We are currently seeing #emotet dropping #trickbot on all 3 Epochs. Spam is active again.
October 14th 2020
17 Retweets84 Likes

State chief information security officers have grappled with a range of new and old cybersecurity issues since the pandemic began, according to a report by the National Association of State Chief Information Officers. The state CISOs expanded the use of VPNs, firewalls, and multi-factor authentication and responded to widespread financial fraud targeting overworked unemployment benefits systems, in addition to grappling with ransomware and other threats that predate the pandemic. (Benjamin Freed / StateScoop)
Related: InsideCyberSecurity.com
Free graphics design website Canva is being abused by threat actors to create and host intricate phishing landing pages, according to a report by cybersecurity firm Cofense. Cofense says that hosted HTML landing pages that are used to redirect phishing victims to fake login forms. (Lawrence Abrams / Bleeping Computer)
Related: Cofense
Cyber warriors based in Estonia say that the growing number of people working from home globally due to the COVID-19 crisis are increasingly vulnerable to cyber-attacks. “Large scale use of remote work has attracted spies, thieves and thugs,” Jaak Tarien, head of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) said. (AFP)
Related: SecurityWeek, Tech Xplore
Share Metacurity

Podcast of the Day

The great Darknet Diaries podcast by Jack Rhysider talks about hackers, “better known as knaves,” hacked into JP Morgan Chase, one of the biggest financial institutions in the world. Take a listen. (Photo by Matt Botsford on Unsplash)

Today in Secret Thumb Drive News

Boo!oraaa!! @H0tdish

Data Dentata.

Photo by Dmitry Demidko on Unsplash