Risky Biz News: Ebury gang compromises entire ISPs and hosting providers
06:43 Share

The Ebre malware gang compromises entire ISPs and hosting providers. The UK announces its Share and Defend project. The city of Helsinki discloses a security breach. And a new DOS attack can bring down websites using their firewalls against them. This is Risky Business News, prepared by Katalin Kimpanu and read by me, Claire Ayred. Today is the 15th of May, and this podcast episode is brought to you by Okta.

In today's top story, security firm ESET says that 15 years after it launched, the Ebre botnet is still operating and installed on more than 100,000 Linux servers. The botnet is currently being used to spread spam, perform web traffic redirections and steal credentials. It was recently modified to also plant web skimmer malware to steal payment card details, SSH credentials and crypto wallet keys.

ESET says eBree operators are also selling access to infected hosts as part of initial access schemes. Recent eBree attacks involved the use of zero days in administrator software to compromise servers in bulk. Some eBree campaigns gained access to large ISPs and well-known hosting providers, and the group also hacked the server infrastructure and stole data from other cybercrime crews.

In other news, the UK's Cyber Security Agency will work with local ISPs as part of a new project named Share and Defend to block access to malicious websites.

The UK NCSC will create block lists of malicious sites using data from threat intelligence and security vendors. The block list will primarily contain links to known phishing, fraud and malware sites. The NCSC will share this data with local ISPs to block customers from accessing any of the malicious sites. Meanwhile, the UK's Cyber Security Agency has published new guidance recommending that victims of ransomware attacks not pay ransom demands.

The NCSC worked on the new guidance with three of the UK's insurance industry bodies. The guide recommends that victims leave a paper trail of their decision involving authorities and consider that payment won't guarantee data privacy or recovery. The three insurance industry bodies have pledged to help the NCSC to reduce the number of payments and promote alternatives to payments.

The city of Helsinki in Finland has disclosed a data breach of its education division. The hack took place at the end of April through a vulnerability in a remote access server. Helsinki officials say the intruder gained access to files and personal data of both students and city education personnel. Officials say some of the stolen files contain sensitive information.

South Korea's intelligence agency, NIS, says North Korean hackers stole over a terabyte of documents from the country's courts. The intrusion took place between January 2021 and February 2023 and impacted the network of the Seoul court. Officials linked the hack to the Lazarus Group APT.

The Santander Banking Group says a threat actor accessed the personal information of some of its customers. The breach impacted a database hosted by a third-party provider. The bank says the threat actor accessed data on its customers and employees in Spain, Chile and Uruguay. Santander says the database did not hold any information that could permit financial transactions.

Apple and Google have released updates to iOS and Android this week with a new security feature to warn users about unauthorized Bluetooth trackers in their vicinity. The

The new feature works by showing an alert if a Bluetooth device is consistently moving with a user's phone. Apple added the new alert system to iOS 17.5 and Google backported the functionality to all Android 6 and later devices. The new security feature is a direct response to the increasing usage of AirTag-like devices to secretly track a person's movements.

Dutch authorities have sentenced a Russian national to five years and four months in prison on money laundering charges. Officials say Alexei Pertsev worked with two other Russian nationals to develop and operate the Tornado Cash crypto mining platform. Criminal organizations and cybercrime groups abused the platform to launder more than $2 billion worth of cryptocurrency.

Persev was arrested in August 2022, days after the US sanctioned the Tornado cash platform. The sentence is exactly what the prosecution requested last month.

The US Institute of Peace estimates that cybercrime groups based in Southeast Asia are making $64 billion per year from online scams. Most of the gangs are from China, but they base their operations in Myanmar, Cambodia and Laos. Researchers say there's evidence to suggest that some groups receive political protection because of their profitability.

The estate fishing as a service operation has misconfigured a database and leaked information on its owner and operations. The service uses automated phone calls to trick users into sharing a multi-factor authentication code. Two security researchers found the server and shared the data with TechCrunch. According to the news outlet, the estate platform launched in mid-2023, launched over 90,000 attacks and was created by a Danish programmer in their early 20s.

Secura Next researcher Andrea Menin has discovered a new denial-of-service attack that impacts websites protected by a web application firewall. The technique leverages an attacker's ability to post content, such as comments or reviews, to trick a WAF into blocking the server it's meant to be protecting. The firewall's behavior is intended to detect SQL injection or other verbose debug messages, but can be abused to cause denial-of-service.

And closing today's edition, yesterday was Patch Tuesday. More than 10 major vendors released security updates ranging from Adobe to Schneider Electric. The most critical updates are from Google and Microsoft, which released security updates to patch zero days in their products. Microsoft fixed two zero days, including one abuse by the QuackBot net. While Google patched its sixth zero day in Chrome this year, just days after it patched another Chrome zero day last week.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Okta. Find them at okta.com. Thanks for your company.