Venezuelan Cardiologist Charged With Selling Ransomware Used by Iranian Hacking Group

U.S. government warns against inadvertently hiring N. Korean IT personnel, Apple releases zero-day fix, Irish council accuses Google and other ad players of 'biggest data breach,' much more

U.S. prosecutors brought charges against Moises Zagala, a Venezuelan cardiologist who taught himself computer programming and allegedly sold ransomware used by an Iranian hacking group MuddyWater to attack Israeli companies

Prosecutors say that Zagala licensed his software to cybercriminals who deployed it to extort victims for money. He allegedly advertised his Jigsaw v. 2 tool on an online forum for $500 and offered to sell the underlying source code for $3,000. In late 2019, Zagala started advertising a new tool online, a “Private Ransomware Builder” he called “Thanos.” Zagala faces two counts of attempted computer intrusions and conspiracy to commit computer intrusions. He lives in Ciudad Bolivar, Venezuela, and has not been arrested by U.S. authorities. (Luc Cohen / Reuters)

Related: Justice Department, PCMag.com, The Record by Recorded Future, Bleeping Computer, DataBreaches.net, Algemeiner.com, Cyberscoop, Jerusalem Post, Infosecurity Magazine, ZDNet Security, iTech Post, The Register, The Hacker News

John Hultquist🌻 @JohnHultquist

Tool used by Iranian state actors MuddyWater (Zagros) sold to them by a Venezuelan cardiologist. Good reminder that threats are the product of an ecosystem that stretches across countries and motives. U.S. charges Venezuelan doctor with selling ransomware used by Iranian groupA Venezuelan cardiologist who taught himself computer programming sold software that was used by an Iranian hacking group to attack Israeli companies, U.S. prosecutors said on Monday in bringing criminal charges against him.reuters.com

May 16th 2022

19 Retweets74 Likes

An advisory issued by the State and Treasury departments and the FBI warns businesses against inadvertently hiring IT staff from North Korea. The advisory says that rogue freelancers often pretend to be from South Korea, Japan, or other Asian countries to take advantage of remote work opportunities to hide their true identities and earn money for Pyongyang.

"These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and East Asia," the advisory says. (Paul Grant and Raphael Satter / Reuters)

Related: Treasury.gov, The Guardian, Coindesk, BBC News

Apple released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices. Apple says it’s aware of reports this security bug "may have been actively exploited."

The flaw is an out-of-bounds write issue (CVE-2022-22675) in the AppleAVD (a kernel extension for audio and video decoding) that allows apps to execute arbitrary code with kernel privileges. (Sergiu Gatlan / Bleeping Computer)

Related: Naked Security, Forbes, IT News, Apple

Microsoft says a new upgraded version of the Sysrv botnet called Sysrv-K is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers.

"These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947,” a code injection vulnerability in the Spring Cloud Gateway library that can be abused for remote code execution on unpatched hosts, Microsoft said. (Sergiu Gatlan / Bleeping Computer)

Related: IT PRO, ZDNet, heise online News, Reddit-hacking, TechCentral.ie, Infosecurity Magazine, WinBuzzer, TechCentral.ie, WinBuzzer, Security Week, The Hacker News

Microsoft Security Intelligence @MsftSecIntel

A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot.

May 13th 2022

5 Retweets15 Likes

A group of researchers from the Technical University of Darmstadt in Germany discovered that one of the wireless chips in an iPhone that enables Bluetooth can be exploited and hacked to install malware in the latest version of iOS even when it’s turned off.

The research is primarily theoretical, and there’s no evidence that this kind of attack has been used in the wild. Hackers would also need first to hack and jailbreak the iPhone to be able to access the Bluetooth chip and exploit it. The researchers disclosed the issue to Apple but did not receive a response. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: Security Affairs, Reddit - cybersecurity, Dark Reading, The Mac Observer, Ars Technica, Slashdot, The Hacker News, Arxiv.org

The Cybersecurity and Infrastructure Security Agency (CISA) removed a Windows security flaw from its catalog of known exploited vulnerabilities due to Active Directory (AD) authentication issues caused by the May 2022 updates that patch it.

The bug is an actively exploited Windows LSA spoofing zero-day tracked as CVE-2022-26925, confirmed as a new PetitPotam Windows NTLM Relay attack vector. CISA says the issue only affects May 10, 2022, updates installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain controller Windows Servers. (Sergiu Gatlan / Bleeping Computer)

Related: ZDNet, TechTimes, CISA.gov

The Irish Council for Civil Liberties (ICCL) released a report with new data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting. The data suggest Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.

“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.” According to the report, the data suggests that web users in Colorado and the U.K. are among the most exposed by the system, with 987 and 462 RTB broadcasts apiece per person per day. But even online individuals living at the bottom of the chart, District of Columbia or Romania, have their information exposed by RTB an estimated 486 times per day or 149 times per day, respectively. (Natasha Lomas / TechCrunch)

Related: The Irish Times, IB Times, iccl.ie

Researchers at Malwarebytes say that an unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT (remote access trojan) and stealing their data.

The campaign uses a decoy site to lure users into fake news bulletins that supposedly contain unreleased information about the situation in Ukraine. The sites offer malicious documents that install a custom RAT that supports remote command execution and file operations. (Bill Toulas / Bleeping Computer)

Related: Security Affairs, Malwarebytes

Researchers at Trend Micro say that malware designed to steal an Android device user’s Facebook credentials called Facestealer continues to pop up in the Google Play Store.

The researchers say they recently identified more than 200 variants in the store designed to look like harmless apps, and Google took them down. Some of the bogus apps have been downloaded hundreds of thousands of times. (Joe Warminsky / The Record)

Related: The Hacker News, Phandroid, Trend Micro

Chinese telecom service provider China Telecom has reportedly launched a smartphone, Tianyi No.1 2022, using quantum technology to ensure the device's user chat is almost "unhackable."

A product of a joint venture between QuantumCTeck and China Telecom, the phone is reported to be mounted with a quantum-secured encryption module and purpose-built SIM card that can encrypt and decipher voice calls on the phone using the quantum key distribution. Chinese scientists, some of whom were part of the founding team of QuantumCTeck, tested the quantum key distribution with the world's first quantum satellite, Micius, launched in August 2016. (Xinhua)

Related: Ecns

An Ohio-based engineering company specializing in advanced motion and control technologies announced a data breach exposing employees' personal information after the Conti ransomware gang began publishing allegedly stolen data last month.

Parker determined that stolen data included a wide range of personally identifiable information related to current and former employees enrolled in Parker's Group Health Plans and their dependents. (Bill Toulas / Bleeping Computer)

Related: Secure Reading, PR Newswire

The UK government has launched a new app called the Think Before You Link app to help social media users to detect fake profiles and speed up their removal.

The app has been developed in cooperation with behavioral scientists and includes features such as a profile reviewer, which will help users identify fake profiles and report anything suspicious. Last year, MI5 warned that at least 10,000 people in the UK had been approached by spies posing behind fake profiles on LinkedIn to obtain and share secret information in the last five years. (Harry Taylor / The Guardian)

Related: BBC News, Sky News, Gov.uk, Telegraph, CPNI.gov.uk

Personal information about more than 300 people, some of it highly sensitive, was compromised by a “cyber-security incident” that knocked out Elgin County’s in Southwestern Ontario Canada’s website and email system for nearly a month.

The attack forced the county to deactivate its website and email system for most of April and led to the breach of personal and employment information of 330 people, including county employees, five long-term care residents, and former residents. (Calvi Leon / London Free Press)

Related: London Free Press, Global News

Image by Edward Lich from Pixabay