The Feds seize BreachForums again. Microsoft requires MFA for all Azure accounts, whatever that means. The US arrests a woman running a laptop farm for North Korean IT workers, and a major hack at Australian healthcare org MediSecure. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 17th of May and this podcast episode is brought to you by Okta.
In today's top story, law enforcement agencies have seized the second incarnation of the BreachForums cybercrime platform. The takedown took place five days after one of the forum's members advertised data stolen from a Europol system. Officials did not make a formal announcement, and it's unclear if anyone was arrested.
Authorities seized the first version of BreachForums in March of last year, when they also detained its administrator. The first BreachForums admin has since been sentenced to 20 years of supervised release.
In other news, Microsoft has announced that all Azure accounts will be required to enable multi-factor authentication from July 2024. The announcement came with no additional details and has alarmed many of the company's customers who wonder what will happen to their service accounts and K-12 student users.
The company has promised to provide more details at a later date via email and Azure portal notifications. Several Redditors have claimed Microsoft representatives told them that the enforcement will apply only to Azure portal accounts and not to all Azure accounts, which, if true, makes this a delightful example of botched corporate comms.
An upcoming Android security feature will detect when a user's Android phone has been stolen. The feature is named Theft Detection Lock and works by using AI to sense sudden jerks and movements, a sign that a thief has snatched a user's phone and is running with it. Theft Detection Lock will be available for all Android 10 and later devices through a Google Play update later this year. The new feature was announced at this year's Google I/O conference.
Another Android feature announced this year is an AI assistant that will actively listen to phone conversations and warn of possible scams.
The Dutch House of Representatives has passed legislation to criminalise more forms of espionage, including cyber and digital espionage. Under the new law, persons who carry out espionage for foreign governments can face up to 12 years in prison. The bill applies to Dutch citizens, but also specifically addresses foreign diasporas present in the country. The bill has moved to the Dutch Senate, where it is expected to pass.
The UK Cyber Security Agency has launched a new service to protect the phones of political candidates and election officials. The new Personal Internet Protection Service is a DNS block list that prevents users from accessing known malicious sites. The NCSC has been maintaining the block list since 2017 and has been using it to protect government agencies and major contractors.
The new Personal Internet Protection Service extends this capability to non-government individuals who participate in elections. The same block list is also at the heart of another new NCSC service the agency launched earlier this week, named Share and Defend. The NCSC says it will work with major telcos to block known malicious sites at the provider level, extending its malware block list to most of the UK population.
Norway's Cyber Security Agency has published official guidance this week recommending that companies replace web-based SSL VPN solutions with more secure alternatives. The NCSC cited the high number of critical vulnerabilities in these products over the past years. The agency recommended solutions using the IPsec protocol.
The NCSC recommended that companies transition away from SSL VPNs by the end of 2025. Organisations subject to the country's Safety Act will have to transition to alternatives by the end of this year.
The US FCC wants the country's nine largest telcos to file reports on BGP internet routing security incidents. All broadband providers will also have to report to the FCC on their progress towards implementing BGP security features.
The new reporting requirement is at the proposal stage and will need to pass a vote on the FCC board. The FCC started working on the new reporting requirement in February 2022 in the aftermath of reports of Chinese and Russian telcos hijacking US internet traffic. The DoD and DoJ backed the FCC's efforts to improve BGP security, seeing it as a national security threat.
Chinese company OSChina has launched a Russian version of its Gitee code hosting platform to serve as Russia's GitHub clone. The new platform will run at gitee.ru and will store data in a Moscow data center. Russian officials announced plans to build a Russian GitHub alternative at the end of 2022. The project was scheduled to go live in April this year but failed after officials didn't provide any funding to a local Russian software company to build it.
Gitee launched in 2013 and has been endorsed by the Chinese government as the country's preferred code hosting platform.
U.S. authorities have charged two brothers from New York for allegedly stealing over $25 million worth of cryptocurrency. The two suspects allegedly used exploits to steal assets from MEV bots on the Ethereum blockchain. The suspects allegedly set up shell companies, created fake wallets and attempted to launder the stolen assets in the aftermath of the hack.
US officials say the attack took months to plan and was executed in just 12 seconds. The two brothers both face up to 20 years in prison if found guilty.
The U.S. government has charged five individuals in a money laundering scheme designed to generate revenue for North Korea's weapons program. Charges were filed against an Arizona woman, a Ukrainian man and three North Korean nationals. The five ran a complex scheme to allow North Korean IT workers to apply for remote software development jobs inside the U.S.
The group allegedly used the identities of over 60 U.S. citizens to gain employment at over 300 U.S. companies. The Arizona woman hosted multiple laptops inside her home to make it appear that the North Korean workers were based in the U.S.
Together with a Ukrainian suspect, she allegedly helped launder the salaries back to North Korea. The US State Department says the North Korean suspects are linked to the DPRK's Munitions Industry Department. The scheme generated more than $6.8 million for the country's ballistic missiles and weapons program.
Australian electronic prescription provider MediSecure has fallen victim to a large-scale ransomware attack. MediSecure says early evidence suggests the incident originated from one of its third-party vendors. The company says the hack impacted the personal and health information of individuals. Until last year, MediSecure was one of the two electronic prescription providers for the Australian government and the company likely has data about most Australians.
Australian financial services provider Iress says that a threat actor gained access to its OneView investment platform. The company says an attacker breached its GitHub account and then used a password stored in a Git repository to move into the production OneView environment. The company told Australian financial authorities it is investigating what data the hacker accessed.
A threat actor has stolen over $20 million worth of assets from the Sonne Finance cryptocurrency platform. The company has offered the attacker a reward to return the stolen funds, but there's been no reply so far. In a post-mortem, Sonne Finance described the incident as a donation attack.
Bitdefender researchers have identified four vulnerabilities in the ThroughTek Kalay IoT platform. The platform and its SDK are used in more than 100 million smart devices. The vulnerabilities allow for unauthorized root access from within the local network and for remote code execution attacks. Devices that use the ThroughTek Kalay platform include the Wyze Cam, the Roku Indoor Camera and the Owlet Cam. ThroughTek released patches for all reported issues in April this year.
And finally, Google has released an update for its Chrome browser to fix another zero-day exploited in the wild. The zero-day is a vulnerability in Chrome's V8 JavaScript engine and was discovered by Vasily Berdnikov and Boris Larin from Russian security firm Kaspersky. The two researchers say the zero-day was used in targeted attacks...
This is the third Chrome zero-day patched over the past week and Google's seventh Chrome zero-day this year. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Okta. Find them at okta.com. Thanks for your company.