The FBI has taken down the Qakbot operation
- An FBI-led operation has resulted in the complete takeover and shutdown of the ‘Qakbot’ botnet. The Qakbot malware is also known as QBot and Pinkslipbot, and was one of the most prolific malware families (see Stats below), with over 700,000 infected devices connected to the botnet.
- The malware helped facilitate over 40 ransomware attacks that generated $58 million in ransom payments over the last 18 months. The feds also seized $6.8 million in cryptocurrency as part of Operation Duck Hunt.
- The FBI explained that they were able to obtain a warrant to covertly copy the servers used by the cybercriminals. They used this copy to extract the encryption keys and to understand how Qakbot controlled the infected devices.
- On the evening of 25th August, the FBI issued a command instructing part of the network to replace its ‘super node’ modules used to control infected devices and change the encryption key to lock the Qakbot criminals out of their network. At the same time, they sinkholed the main command and control server. From there, a command was issued to all infected devices to download an uninstaller to remove the malicious files from affected devices.
80% of early-stage malware infections so far this year are caused by just three malware families: QBot, SocGholish, and Raspberry Robin, according to ReliaQuest.
~50%, the amount by which some UK politicians claim “overall crime” has fallen since 2010, which is a little misleading because the Crime Survey of England and Wales (CSEW) didn’t ask about or track fraud and computer misuse until 2017:
When adding the 3.7 million instances of fraud, and 764,000 instances of computer misuse in the year to December 2022 to the ~4.75 million other offences, it’s pretty much on par and shows a shift in the way that crimes are committed. H/t @PickardJE and Full Fact.
Related to those crime stats, here’s your reminder that cyber security is, at its core, a people problem, and the UN estimates (PDF) that 120,000 people in Myanmar and 100,000 people in Cambodia may be forcibly involved in online scams by organised crime gangs and people traffickers. It’s about as far from vendor fetishes for grand-sounding threat-actor names as possible. Forget ‘Voodoo Bear’ or ‘Seashell Blizzard’ or any other ludicrous names I’ll write below. (Perhaps we should start similarly naming cyber vendors? Let me know your suggestions on LinkedIn, Twitter and Mastodon 😇)
Other newsy bits / in brief
Polish rail services were disrupted last week. Over 20 freight and passenger trains were stopped, seemingly in support of Russia. Early on, reports circulated of a ‘cyberattack’; however, it turns out that the emergency stop command for Poland’s railways is a well-known, unencrypted and unauthenticated radio signal. Polish police have arrested two Polish citizens in connection with the incidents. (It’s not the first time Poland has suffered from unprotected signals: in 2008 a 14-year-old used a programmable TV remote to control trams in the city of Lodz. Four vehicles were derailed and twelve people were injured.)
Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) suffered a breach in August 2022 that was only detected in June this year. The nine-month infiltration is suspected to be the work of Chinese state interests, though China’s foreign ministry has dismissed the claims.
Met Police officers’ names, ranks, photos, vetting levels, and salaries have been exposed in at least the third data breach at a UK police force in as many weeks. All 47,000 of London’s police officers are believed to be affected by the breach, which occurred at a supplier. Police Service Northern Ireland (vol. 6, iss. 33) and Cumbria Constabulary (vol. 6, iss. 34) both reported breaches in August.
Netgear’s Orbi wireless routers are exploitable via its management interface without authentication.
FIN8 are behind the recent spate of attacks against Citrix NetScaler systems, says Sophos.
Okta customers are being targeted by a group called ‘Scattered Spider’, who were linked by Trellix to the Oktapus phishing campaign. The attackers socially engineered service desk personnel into resetting the multi-factor authentication settings of highly privileged accounts. They then used a compromised Okta ‘super admin’ account to abuse Okta’s own functionality and impersonate privileged users in the target organisation.
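That chain (help desk resets an admin’s MFA, then the same admin account starts impersonating other users) is visible in the Okta System Log, so here is an added detection example of my own, not code from Okta, Trellix or the newsletter. It assumes the log has been exported as one JSON event per line and that the `eventType` names are as I understand them from Okta’s System Log (`user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.session.impersonation.initiate`, `user.session.impersonation.grant`); check them against your own tenant before relying on them. The sample events are constructed for the example.

```python
"""Flag Okta accounts whose MFA was reset shortly before they began impersonating other users."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names are an assumption about Okta's System Log; verify in your tenant.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
IMPERSONATION_EVENTS = {"user.session.impersonation.initiate",
                        "user.session.impersonation.grant"}
# How long after an MFA reset an impersonation by the same account is considered suspicious.
WINDOW = timedelta(hours=24)

# Constructed sample log: a help-desk MFA reset for alice.admin, then alice.admin
# impersonating the CFO; a benign reset for bob; an unrelated impersonation by carol.admin.
SAMPLE_LOG = """
{"published":"2023-08-28T09:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"alice.admin@example.com"}]}
{"published":"2023-08-28T09:20:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"alice.admin@example.com"},"target":[{"alternateId":"cfo@example.com"}]}
{"published":"2023-08-28T10:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"bob@example.com"}]}
{"published":"2023-08-28T11:00:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"carol.admin@example.com"},"target":[{"alternateId":"cto@example.com"}]}
"""


def parse_events(lines):
    """Parse one-JSON-object-per-line System Log export into sorted, flattened events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        # Okta publishes UTC timestamps with a trailing 'Z'; fromisoformat wants '+00:00'.
        ts = datetime.fromisoformat(raw["published"].replace("Z", "+00:00"))
        target = (raw.get("target") or [{}])[0].get("alternateId")
        events.append({
            "ts": ts,
            "type": raw["eventType"],
            "actor": raw["actor"]["alternateId"],
            "target": target,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_chains(events):
    """Return (actor, reset_time, impersonation_time, impersonated_user) tuples.

    An impersonation is flagged when the impersonating account was itself the
    target of an MFA reset within WINDOW beforehand.
    """
    resets = defaultdict(list)  # account whose MFA was reset -> reset timestamps
    findings = []
    for e in events:
        if e["type"] in MFA_RESET_EVENTS:
            resets[e["target"]].append(e["ts"])
        elif e["type"] in IMPERSONATION_EVENTS:
            for reset_ts in resets.get(e["actor"], []):
                age = e["ts"] - reset_ts
                if timedelta(0) <= age <= WINDOW:
                    findings.append((e["actor"], reset_ts.isoformat(),
                                     e["ts"].isoformat(), e["target"]))
                    break
    return findings


if __name__ == "__main__":
    for actor, reset_at, impersonated_at, victim in find_chains(parse_events(SAMPLE_LOG.splitlines())):
        print(f"ALERT: {actor} had MFA reset at {reset_at} and impersonated {victim} at {impersonated_at}")
```

The reset by the help desk alone is normal operations, and impersonation by an admin alone may be legitimate support activity; it is the two in sequence on the same account that is the signal here, which is why the detection keys on the reset target matching the later impersonation actor rather than alerting on either event by itself.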
Juniper EX switches and SRX firewalls are being targeted. Attackers are using critical vulnerabilities in the J-Web configuration interface to gain remote code execution on devices that have not received patches for CVE-2023-36846 and CVE-2023-36845.
Russia’s GRU is targeting Android mobile devices in Ukraine with malware called ‘Infamous Chisel’. The UK’s NCSC and its Five Eyes counterparts have published a new report outlining the capabilities of the malware and indicators of compromise.
Google has removed fake Signal and Telegram apps from its Google Play Store. Both apps were compiled from open source code for those projects, with the BadBazaar malware included. ‘Signal Plus’ was available for nine months, though it appears to have only been downloaded around 100 times.
Cyber norms are challenging because not everyone can agree on what should, or shouldn’t, be considered a cybercrime, says Microsoft’s Associate General Counsel, Cybersecurity Policy & Protection, Amy Hogan-Burney. The comments come during the sixth round of negotiations of the UN Cybercrime Treaty, intended to agree aspects of international criminal law and improve cross-border powers.
”The risk is that the treaty will not be a tool for prosecuting criminals but rather a weapon that allows for intrusive data access and surveillance instruments. The result could be an international agreement granting authoritarian states the power to suppress dissent under the guise of fighting cybercrime.” — Amy Hogan-Burney, Associate General Counsel, Cybersecurity Policy & Protection at Microsoft
Industry news: Malwarebytes is laying off ‘100-110’ employees, CPO, CIO and CTO all gone, amidst plans to separate the business into two business units. NCSC has appointed Ollie Whitehouse as CTO. Whitehouse, formerly of NCC Group, joins following the departure of NCSC-veteran Ian Levy to AWS earlier this year.
Ransomware attacks: Rhysida (no, not that Rhysider) ransomware gang has claimed an August attack on Prospect Medical Holdings and to have stolen 500,000 social security numbers, corporate docs, and patient records. PurFoods, trading as Mom’s Meals in the US, is warning that cybercriminals stole the data of 1.2 million customers and employees in a ransomware attack. LockBit has taken credit for an attack against Montreal electricity company Commission des services électriques de Montréal (CSEM). The University of Michigan has taken its systems offline to deal with a cyber security incident, suspected to be a ransomware attack, causing disruption on the eve of a new academic year.
- Lidl has recalled Paw Patrol-themed snacks because the web address printed on the packages was showing decidedly kid-unfriendly content. It’s unclear if the website was compromised, or the domain name was redirected or left to expire.