Treasury Department Urges Ransomware Victims to Work With the Feds, Sanctions Russian-Owned Suex Cryptocurrency Exchange for Facilitating Ransom Payments

FBI held back Kaseya decryption key for three weeks, Lithuania says Chinese phones are censorship devices, VMware warns customers to patch critical flaw, Microsoft discovers huge PHaaS operation, more

Check out my two most recent columns. The first outlines the challenges NIST faces in developing cybersecurity labels for software. The second spells out the implications for ransomware victims from the Treasury Department’s changes, announced yesterday, in its ransomware advisory.

Hoping to reduce the profitability of ransomware actors, the U.S. Treasury Department yesterday announced it is placing Suex, a cryptocurrency exchange registered in the Czech Republic but owned and operated by Russian nationals, on its sanctioned entity list for its role in facilitating illicit payments, including ransomware payments.

Treasury’s Office of Foreign Assets Control (OFAC) also released an updated version of its ransomware advisory urging ransomware victims to work with the federal government to gain some mitigation of potential penalties if the victims find themselves having to pay sanctioned ransomware entities. (Kartikay Mehrotra and Jennifer Jacobs / Bloomberg)

Related: Tech Xplore, CBSNews.com, Bloomberg Technology, Fortune, Axios, RT USA, Techmeme, Politico, The Block, Washington Examiner, CNBC, The Hill: Cybersecurity, DAILYSABAH, CNN.com - Politics, WSJ.com: WSJD, Wall Street Journal, Reuters: World News, Bleeping Computer, Cyberscoop, Voice of America, iTnews - Security, IT Pro, CSO Online, ZDNet Security, Security News | Tech Times, South China Morning Post, Data Protection Report, InsideCyberSecurity.com, Finextra Research news, DataBreaches.net, Engadget, SiliconANGLE, The Record by Recorded Future, Dark Reading, Rferl, The Register, Slashdot, Treasury Department

Current and former U.S. officials say that the FBI held back for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by the Russian criminal gang REvil, which had pushed ransomware through IT company Kaseya’s software.

The FBI held onto the key, with the agreement of other agencies, partly because it was planning to carry out an operation to disrupt the hackers. That operation never occurred because REvil went offline in mid-July. The FBI finally shared the key with Kaseya, the IT company whose software was infected with malware, on July 21. (Ellen Nakashima and Rachel Lerman / Washington Post)

Related: Gizmodo, The Hill: Cybersecurity, CRN, DataBreachToday.com, Ars Technica, iTnews - Security, CNET, IT News, Slashdot

Lithuania's Defense Ministry recommended that consumers avoid buying Chinese mobile phones, particularly flagship phones sold in Europe by China's smartphone giant Xiaomi Corp. It advised people to throw away the ones they have now after a government report found the devices had built-in censorship capabilities.

A report by the country’s National Cyber Centre found that the phones have a built-in ability to detect and censor terms such as “Free Tibet,” “Long live Taiwan independence,” or “democracy movement.” The report also said that the Xiaomi phone was sending encrypted phone usage data to a server in Singapore. A security flaw was also found in the P40 5G phone by China's Huawei, but none was found in the phone of another Chinese maker, OnePlus. (Andrius Sytas / Reuters)

Related: The Record by Recorded Future, Gadgets Now, South China Morning Post, TODAYonline, Asia One China, The Guardian, POLITICO EU, Reuters, NCSC

Security researcher Park Minchan discovered a new vulnerability in Apple's macOS Finder, making it possible for attackers to run arbitrary commands on Macs running any macOS version up to the latest release, Big Sur.

The bug stems from how macOS processes inetloc files, which inadvertently causes it to run any commands an attacker embeds inside them without any warnings or prompts. Apple silently fixed the issue without assigning a CVE identification number, but Minchan discovered that Apple's patch only partially addressed the flaw because it can still be exploited. (Sergiu Gatlan / Bleeping Computer)

Related: Objective-See's Blog, MacRumors, The Hacker News, Security Affairs, Apple Insider, SSD

VMware is warning customers to immediately patch a critical arbitrary file upload vulnerability in vCenter Server, a server management solution that helps IT admins manage virtualized hosts and virtual machines in enterprise environments via a single console.

Attackers can exploit the flaw to execute commands and software on unpatched vCenter Server deployments by uploading a specially crafted file. VMware also provides a workaround for those who cannot immediately patch their appliances as a temporary solution. (Sergiu Gatlan / Bleeping Computer)

Related: Reddit - cybersecurity, The Register - Security, CISA, Security Week, Rapid7, The Hacker News, VMware

Microsoft’s security team uncovered a massive operation that provides phishing services to cybercrime gangs using a hosting-like infrastructure that the OS maker likened to a Phishing-as-a-Service (PHaaS) model.

The service, called BulletProofLink, BulletProftLink, or Anthrax, is currently advertised on underground cybercrime forums. The team also found that the service has been stealing from its customers by keeping copies of all the collected credentials, likely to sell later on underground markets. (Catalin Cimpanu / The Record)

Related: Microsoft, Security Brief, FutureFive New Zealand, Threatpost, ZDNet

Researchers at Recorded Future say that Chinese state-sponsored hackers likely infiltrated and stole data from the Unique Identification Authority of India (UIDAI), an Indian government agency responsible for a national identification database. The Chinese hackers also infiltrated and stole data from one of that country’s largest media conglomerates, Bennett Coleman & Co., also known as the Times Group, which publishes the Times of India.

Data was stolen from the UIDAI between June and July this year, and from the media conglomerate between February and August, though in both cases it’s unclear what data the hackers took. (Jamie Tarabay / The Print)

Related: Reddit - cybersecurity, SwaraJya, The Hindu Business Line, Japan Times, ThePrint, SecureReading, South China Morning Post

Rostelecom-Solar, the cybersecurity division of Russian telecom giant Rostelecom, said that it sinkholed a part of the Meris DDoS botnet, the largest DDoS botnet on the internet, after identifying a mistake made by the malware’s creators.

Rostelecom engineers found that some of the botnet's infected routers were reaching out to an unregistered domain, cosmosentry[.]com, to ask for new instructions, so they registered it and turned the mistake into a sinkhole. Right now, around 45,000 MikroTik devices are connecting to Rostelecom-Solar’s sinkhole. (Catalin Cimpanu / The Record)

Related: Rostelecom-Solar

Israeli cloud and hybrid data cybersecurity firm Satori has raised $20 million in a Series A venture funding round.

B Capital Group and Evolution Equity Partners led the round, with participation from YL Ventures. (No Camels)

Related: Venture Beat

In a Series A funding round, Rome-based IoT cybersecurity firm Exein has raised €6 million (around $7 million).

Future Industry Ventures and deep-tech-focused eCAPITAL Entrepreneurial Partners led the round, with existing Italian digital technologies investor United Ventures also participating. (Dan Taylor / Tech.eu)

Photo by tommao wang on Unsplash