Hello and welcome back to GlobalSign’s weekly wrap up about what’s happening in cybersecurity.
The big story this week was the multi-country law enforcement smackdown of VPNLab.net, which forced the VPN provider offline.
On Tuesday, Europol announced it had seized or disrupted 15 servers that hosted VPNLab.net on claims it facilitated numerous cybercrimes, including the distribution of ransomware. Led by the Central Criminal Office of the Hannover Police Department in Germany, the massive operation involved the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. The action took place under the EMPACT security framework objective Cybercrime - Attacks Against Information Systems.
According to Europol, law enforcement began investigating VPNLab.net after multiple investigations uncovered criminals using the service to facilitate illicit activities such as malware distribution. In addition, it discovered other cases of VPNLab.net's involvement in various ransomware campaigns. At the same time, investigators found the service advertised on the dark web itself.
As a result of the investigation, more than one hundred businesses have been identified as at risk of cyberattacks. Law enforcement is working directly with these potential victims to mitigate their exposure. The impacted organizations have not been named.
VPNLab.net was unusual in that it offered its clients an advanced level of anonymity through double VPN connections, routing internet traffic through two VPN servers located in different countries.
In other news:
- The International Committee of the Red Cross (ICRC) announced it is the victim of a cyber attack. According to the organization, the incident compromised the confidential data of more than 515,000 people it described as “extremely vulnerable”. According to Ars Technica, the data belongs to people who used a program that works to reunite family members separated by conflict, disaster or migration. Those impacted had used Restore Family Links, a service the Red Cross operates in cooperation with the Red Crescent to reunite families. On Wednesday, the site was down. The Internet Archive last updated it on December 27, raising the possibility that the breach occurred a few weeks ago.
- Cybersecurity researchers have uncovered a Remote Access Trojan (RAT) that has gone unnoticed for at least a year. The RAT was dubbed SysJoker by researchers from Intezer, who first discovered the malware on a Linux-based web server belonging to a “leading educational institution”. However, they still do not know who built SysJoker, when it was built, or how it is distributed.
- On January 14th the White House revealed that the person responsible for the Colonial Pipeline attack was arrested as part of the larger raid against the REvil ransomware group by Russian law enforcement.
- Report findings from law firm DLA Piper show that fines for violations of the General Data Protection Regulation (GDPR), the EU’s landmark privacy law, soared past the $1 billion mark in 2021. The report says that EU data protection authorities handed out a total of $1.25 billion in fines for breaches last year. That’s up from about $180 million a year earlier.
- According to Check Point Research, for the final quarter of 2021, DHL surpassed Microsoft as the brand most spoofed in phishing campaigns. Check Point says DHL was spoofed in 23% of all brand phishing attempts, up from just 9% in the previous quarter. At the same time, Microsoft appeared in 20% of all attempts, down from 23% in the prior quarter.
That’s all for this week. Thanks for stopping by our blog!
Top Global Security News
Computing (January 20, 2022) Red Cross pleads with hackers not to leak data on 515,000 vulnerable people
The International Committee of the Red Cross (ICRC) has announced that a cyber attack on Wednesday compromised confidential data on more than 515,000 extremely vulnerable people.
The Geneva-based humanitarian agency said the breach, by unknown intruders, targeted an external contractor in Switzerland that stores data for ICRC.
The hackers targeted servers holding information on people who have been separated from their families due to migration, conflict, and disaster, as well as missing persons, their families, and people in detention.
The stolen data includes names, contact details and location information. It came from at least 60 Red Cross and Red Crescent National Societies: the networks of volunteers and personnel worldwide the Red Cross uses as first responders to disasters.
PCMag (January 18, 2022) VPNLab.net Shut Down for Helping Hackers Spread Ransomware
Law enforcement has shut down a VPN provider called VPNLab.net for allegedly supplying services to hackers.
On Tuesday, Europol announced it had seized or disrupted 15 servers that hosted VPNLab.net on claims it facilitated numerous cybercrimes, including the distribution of ransomware.
The FBI and law enforcement agencies across Europe were involved in the takedown, which forced the VPN provider offline on Monday. The homepage for VPNLab.net has now been replaced with a notice declaring the domain has been seized.
TechRepublic (January 18, 2022) DHL takes top spot as most imitated brand in phishing attacks
For the final quarter of 2021, DHL surpassed Microsoft as the brand most spoofed in phishing campaigns, says Check Point Research.
Phishing attacks often impersonate a popular brand or product to try to trick people into falling for their scams. But the brands that are most exploited change depending on events in the news, the time of year and other factors. A report released Monday by cyber threat intelligence provider Check Point Research reveals how and why international shipping company DHL was the most spoofed brand in phishing campaigns at the close of 2021.
For the final quarter of 2021, DHL took over the top spot from Microsoft as the most impersonated brand by cybercriminals using phishing tactics. For the quarter, DHL was spoofed in 23% of all brand phishing attempts, up from just 9% in the year's previous quarter. At the same time, Microsoft appeared in 20% of all attempts, down from 23% in the prior quarter.
DataBreachToday (January 18, 2022) Privacy Fines: GDPR Sanctions in 2021 Exceeded $1 Billion
Privacy regulators in Europe last year imposed known fines totaling more than 1 billion euros ($1.2 billion) under the EU's General Data Protection Regulation, bolstered in part by two record-breaking sanctions, according to the law firm DLA Piper.
The amount of fines levied in the 12 months since Jan. 28, 2021, marked a sharp increase from the 159 million euros ($181 million) in fines seen for the preceding 12 months, according to DLA Piper's latest GDPR and data breach report. Not all of those GDPR violations involved data breaches.
Another increase from 2020 to 2021 was seen in the quantity of breach notifications. Those grew by 8%, with regulators last year receiving notifications for more than 130,000 data breaches, it says.
TechRadar (January 17, 2022) This dangerous malware affects nearly all devices, and somehow remained undetected until now
Cybersecurity researchers have uncovered a Remote Access Trojan (RAT) that has been flying under antivirus programs’ radars for at least half a year and targeting, at the very least, educational institutions.
As reported by Ars Technica, the RAT has been dubbed SysJoker by the researchers from Intezer who discovered it. When they first discovered it, on a Linux-based web server belonging to a “leading educational institution”, they learned it was written from scratch.
They don’t know who built it, when they built it, or how they distribute it. Their best guess is that it was built in the second half of last year, by an advanced threat actor with “significant resources”. They came to this conclusion knowing that fully cross-platform malware, with four separate C2 servers, is a rare sight.
ZDNet (January 14, 2022) White House confirms person behind Colonial Pipeline ransomware attack nabbed during Russian REvil raid
White House officials told reporters on Friday that the person behind the ransomware attack on Colonial Pipeline last year was arrested as part of the larger raid against the REvil ransomware group by Russian law enforcement on Friday, confirming reporting from The Washington Post.
On Friday afternoon, Washington Post reporter Ellen Nakashima said a US official told her that the person specifically behind the Colonial Pipeline attack was seen in a video shared by Russia's Federal Security Service (FSB) of the raid on an apartment building.
Multiple men are seen in the video, so it is unclear exactly which man is being referred to, but the White House later held a call with reporters and confirmed that one of those arrested was the specific person behind the Colonial Pipeline attack.