US and German authorities seize a crypto wallet service used by ransomware gangs. DARPA launches a program to convert C code to Rust. A Chinese APT hacks an ISP to hijack software updates. And lawsuits are filed after a massive breach at a background check company. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird.
Today is the 5th of August, and this podcast episode is brought to you by Material Security, the company that secures the cloud office with unified email security, user behavior analytics, and data loss prevention for Microsoft 365 and Google Workspace. In today's top story, German and US authorities have seized the crypto wallet service Cryptonator on charges of money laundering and operating an unlicensed money service business.
Authorities seized the site's domain and charged its founder and CEO, Roman Pikalev, a Russian from the city of Perm. Officials say Cryptonator failed to implement anti-money laundering protections and allowed its servers to be used for illegal activities. It also allowed users to register without proof of identity and even built features to anonymise customer funds.
According to court documents, the service has been involved in transactions worth around $1.4 billion. Blockchain tracking company TRM Labs has linked more than $306 million to ransomware gangs, online scams, darknet markets, crypto heists and sanctioned entities.
In other news, the Chinese APT group named Storm Bamboo has compromised an internet service provider to infect targets with malware. The attacks took place earlier this year and targeted both macOS and Windows users.
Security firm Volexity says Storm Bamboo modified the unnamed ISP's DNS service to redirect software updates to malicious servers that installed malware. Only software that used unencrypted connections and didn't validate digital signatures was targeted. Users were infected with backdoors and in some cases with malicious browser extensions.
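The two preconditions named above (an unencrypted download path and no signature check) are what a DNS-level redirect depends on. The following Go program is an added illustration, not code from the podcast or from Volexity, of the client-side check that removes the second precondition: a pinned vendor public key, an Ed25519 signature over a release manifest, and a digest inside that manifest that the downloaded installer must match. The product name, version string, manifest layout and sample payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The client trusts its contents only after
// the vendor's signature over the exact manifest bytes has been verified.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer the manifest vouches for
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("downloaded payload does not match the digest in the signed manifest")
)

// SignManifest is the vendor-side step: hash the payload, embed the digest in
// the manifest, and sign the serialised manifest with the release key.
func SignManifest(vendorPriv ed25519.PrivateKey, product, version string, payload []byte) (manifestBytes, sig []byte, err error) {
	sum := sha256.Sum256(payload)
	manifestBytes, err = json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestBytes, ed25519.Sign(vendorPriv, manifestBytes), nil
}

// VerifyUpdate is the client-side check. The vendor public key is pinned in the
// binary, so the network path (DNS answers, the download host, the transport)
// never has to be trusted: whoever redirects the download can swap the manifest
// or the payload but cannot sign a new manifest without the vendor's private key.
func VerifyUpdate(vendorPub ed25519.PublicKey, manifestBytes, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(vendorPub, manifestBytes, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestBytes, &m); err != nil {
		return nil, fmt.Errorf("signed manifest is not valid JSON: %w", err)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigestMismatch
	}
	return &m, nil
}

// Scenario exercises the three deliveries a client can receive and reports
// which of them VerifyUpdate accepts. Only the genuine one should pass.
func Scenario() (genuineOK, swappedPayloadOK, forgedManifestOK bool, err error) {
	// Constructed sample keys and payloads; a real client ships the vendor
	// public key inside the binary rather than generating it at run time.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed sample: genuine installer bytes for ExampleApp 2.1.0")
	manifest, sig, err := SignManifest(vendorPriv, "ExampleApp", "2.1.0", genuine)
	if err != nil {
		return false, false, false, err
	}

	// Case 1: the real manifest, signature and payload arrive intact.
	_, e1 := VerifyUpdate(vendorPub, manifest, sig, genuine)

	// Case 2: the download is redirected to a different installer while the
	// authentic manifest and signature are replayed unchanged.
	trojan := []byte("constructed sample: substituted installer served from a redirected host")
	_, e2 := VerifyUpdate(vendorPub, manifest, sig, trojan)

	// Case 3: the manifest is rewritten to carry the substituted installer's
	// digest and signed with a key the vendor never issued.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forged, forgedSig, err := SignManifest(otherPriv, "ExampleApp", "2.1.0", trojan)
	if err != nil {
		return false, false, false, err
	}
	_, e3 := VerifyUpdate(vendorPub, forged, forgedSig, trojan)

	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	g, s, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v  swapped payload accepted=%v  forged manifest accepted=%v\n", g, s, f)
}
```

Running it prints `genuine accepted=true  swapped payload accepted=false  forged manifest accepted=false`. The point of verifying the manifest rather than the raw installer is that the signature covers a small, fixed document while the large payload is bound to it by its digest; TLS on the download channel is still worth having, but with this check in place a tampered DNS answer on its own no longer yields code execution.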
Russian cyber espionage group APT28 has been using ads for the sale of diplomatic cars as phishing lures to infect diplomats across the EU. The email advertises an Audi Q7 Quattro for diplomats being stationed in Romania. The lure appears to have been borrowed from fellow Russian espionage group APT29, which used it to target diplomats working in Ukraine in early 2023, that time with a BMW.
According to Palo Alto Networks, the APT28 group is known for repurposing successful tactics, even continuously exploiting known vulnerabilities for 20 months after their cover was blown.
Background check company Jerico Pictures is being sued in three class action lawsuits over an alleged data breach that exposed 2.9 billion personal records. The company does business as National Public Data. A threat actor named USDoD claimed to have hacked the company in April and advertised its data on an underground hacking forum for a whopping $3.5 million.
The plaintiffs claim the company has failed to address the hack rumours. The leaked data allegedly includes entire family trees and information on dead people.
AI startup Rabbit says that a contentious security breach from earlier this year was caused by a now-fired employee. In late June, a group of security researchers named Rabbitude claimed that Rabbit was exposing API keys that granted access to its source code and past AI agent responses. The group claimed that the AI startup did not reply to attempts to disclose the incident and only rotated the API keys after the breach became public.
Rabbit now says that the incident was caused by one of its employees who leaked the API keys to the group, which the company chose to describe as a self-proclaimed hacktivist group.

The US Federal Trade Commission and the Department of Justice have sued social media giant TikTok for violating US children's online privacy. The agencies say TikTok failed to notify and obtain parental consent before collecting and using personal information from children under the age of 13.
TikTok later allegedly used the data to target kids with advertising. The FTC says it learned of TikTok's practices from the company's own employees. TikTok broke the same rules and was previously subject to a 2019 FTC restraining order, which has now fast-tracked the current lawsuit.
Meanwhile, the UK's privacy watchdog has called on 11 social media and online streaming platforms to improve their children's privacy practices or face possible fines.
The ICO says it audited 34 platforms and found that 11 used default settings for children's accounts that break UK privacy laws. Platforms were caught using children's data for targeted advertising, enabling data and geolocation tracking settings, and not requiring parental controls for setting up new accounts for children under the age of 13. The ICO did not name the platforms.
CISA says that Taiwanese company AVTech has failed to address a major vulnerability in the firmware of its AVM security cameras. The vulnerability was discovered by Akamai researcher Larry Cashdollar and independently confirmed by a third party. The issue can allow remote attackers to inject commands in internet-connected AVTech AVM cameras and take over the device without needing to authenticate. Public exploits are already available and are trivial to execute.
CISA says AVTech network video recorders may also be vulnerable.
Threat actors have started exploiting a major vulnerability in the Apache OFBiz open source ERP solution. The attacks leverage a vulnerability that was initially patched in May but went under the radar for two months before the attacks started. The vulnerability is a simple path traversal that allows threat actors to execute code on unpatched OFBiz systems. According to the SANS Internet Storm Center, one of the threat actors exploiting the bug is a Mirai botnet.
Some hosting providers are running misconfigured email servers that allow threat actors on the same service to impersonate other hosted domains.
According to a security advisory by the CERT/CC at Carnegie Mellon University, the issue resides in how hosting providers have configured their SPF and DKIM settings. The misconfiguration has already been used in the wild this year for a campaign known as EchoSpoofing that abused Proofpoint products and Microsoft customers. Two other shared hosting providers have now also confirmed they are vulnerable.
Canadian authorities have detained 10 suspects for their roles in a SIM-swapping gang. The suspects are believed to have stolen more than a million Canadian dollars from 1,500 people by taking over phone numbers and then emptying financial accounts. Most of the gang's members operated out of Toronto. Two suspects are also still at large and wanted by police.
US authorities have sentenced an Indian man to seven years in prison for his role in a large-scale tech support scam operation. Vinoth Ponmaran was the leader of a scam group that used pop-up windows to trick victims into calling tech support numbers and paying for IT services they didn't need. According to US officials, Ponmaran's group earned more than $6 million from over 6,500 elderly victims across the US and Canada.
The Russian National Coordination Centre for Computer Incidents has told Russian companies and users to stop using a Russian-made browser known as Sputnik. The agency has designated the browser as a security risk after the company behind it went bankrupt in 2023. The centre says the browser's domain is now owned by American company Global Internet Telemetry Measurement Collective and may be used to deliver malicious updates to Russians.
The Indonesian government has blocked access to the DuckDuckGo search engine because the site allows users to find pornography and gambling sites. DuckDuckGo said on Reddit there's no way to fight the block. The site has been blocked in China for more than a decade for not complying with Beijing's strict censorship rules.
DoD research agency DARPA has launched a new program named TRACTOR to translate old C source code to the newer Rust programming language. The program will target C code used in DoD legacy apps. DARPA says it aims to create an automated solution to translate old C code to safe and idiomatic Rust code.
CISA has named Lisa Einstein as the agency's first ever chief AI officer. Einstein previously served as executive director of CISA's Cybersecurity Advisory Committee. The new position will govern CISA's own use of AI and ensure critical infrastructure partners develop and adopt AI in secure ways.
In addition, the US Senate also confirmed last week Michael Sulmeyer as Assistant Secretary of Defence for Cyber Policy at the Pentagon. He becomes the first individual to hold the position.
And finally, security firm SentinelOne has named Alex Stamos as its new Chief Information Security Officer. Stamos previously served as CISO for Yahoo and Facebook. Stamos joined SentinelOne last year after the security firm acquired the Krebs Stamos Group. He's been SentinelOne's Chief Trust Officer since the acquisition.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Material Security. Find them at material.security. Thanks for your company.