Hello and welcome to GlobalSign's weekly cybersecurity news round-up.
There's been quite a lot of activity in Latin America, where one of the most talked about stories continues to be the Conti ransomware gang's hold on the government of Costa Rica. Conti has essentially terrorized Costa Rica, claiming that it has government insiders and threatening to inflict more damage by compromising "other systems". Conti's messages have also stated that Costa Rican officials "have no other option" but to pay the ransom and that they should not try to "find workarounds". In response, President Rodrigo Chaves says his country is at war with the hackers. Conti is now demanding $20 million in ransom. But...
Bleeping Computer posted a story late yesterday that the Conti gang is actually shutting down and splitting off into smaller groups. Lawrence Abrams writes: "While it may seem strange for Conti to shut down in the middle of their information war with Costa Rica ... Conti conducted this very public attack to create a facade of a live operation while the Conti members slowly migrated to other, smaller ransomware operations." File under: As the cybersecurity world turns.
Then there's the story that probably wasn't on anyone's bingo card: "FBI charges Venezuelan doctor with using, selling 'Thanos' ransomware". On Monday the FBI announced charges against a Venezuelan cardiologist allegedly moonlighting as a cybercriminal mastermind. Moises Luis Zagala Gonzalez, also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” is charged with attempted computer intrusions and conspiracy to commit computer intrusions.
Also, late last week Brazilian e-commerce giant Americanas.com reported a multimillion-dollar loss in sales in its financial results after a major cyberattack earlier this year. The company lost 923 million Brazilian reais ($183 million) in sales following two attacks that took place between February 19 and 20 that left it unable to operate its e-commerce operation. It is believed that ransomware gang Lapsus$ Group is responsible. Lapsus$ is the gang whose ringleader may be a teenager. Several members of the group were arrested in late March by British police, though some of them were later released.
In Spain, police this week busted a phishing gang operating across the country and have arrested 13 people, with more arrests expected. Police say there are nearly 150 victims of the phishing scam. To date, the gang stole at least 443,600 Euros from online bank accounts. Unsuspecting recipients of the phishing emails, which appeared to come from legitimate banks, clicked on a malicious link and were then tricked into handing over their login credentials. The criminals were able to gain access to the bank accounts and also modify the mobile phone settings on the victims' accounts so that any authentication codes sent via SMS were delivered to the criminals instead.
Here in the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive this week to federal civilian executive branch agencies after learning that unpatched VMware products pose “an unacceptable risk to federal network security”. CISA is requiring the agencies to update their VMware products impacted by a pair of new vulnerabilities or remove them from their networks. The VMware bugs, CVE-2022-22972 and CVE-2022-22973, expose several VMware products to remote code-execution (RCE) attacks.
Also this week, the U.S. Department of Justice (DoJ) announced an important policy shift around the controversial anti-hacking law, the Computer Fraud and Abuse Act (CFAA). The result is that the DoJ will no longer prosecute good-faith security research that would have violated the CFAA. In addition, prosecutors must also avoid charging people for simply violating a website’s terms of service, including minor rule-breaking like embellishing a dating profile, or for using a work-related computer for personal tasks.
That's a wrap. Thanks for stopping by our blog. Stay cyber safe and have a great weekend!
Top Global Security News
Vice (May 19, 2022) DOJ Announces It Won’t Prosecute White Hat Security Researchers
On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country’s federal hacking law the Computer Fraud and Abuse Act (CFAA).
The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Dark Reading (May 18, 2022) CISA to Federal Agencies: Patch VMware Products Now or Take Them Offline
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal civilian executive branch agencies to update their VMware products impacted by a pair of new vulnerabilities or remove them from their networks.
The VMware bugs – CVE-2022-22972 and CVE-2022-22973 – expose several VMware products to remote code-execution (RCE) attacks.
CISA said that last month, within just 48 hours of VMware patching its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, advanced persistent threat (APT) actors were able to reverse-engineer the updates to launch attacks.
Bleeping Computer (May 18, 2022) Spanish police dismantle phishing gang that emptied bank accounts
The Spanish police have announced the arrest of 13 people and the launch of investigations on another seven for their participation in a phishing ring that stole online bank credentials.
The threat actors used phishing lures to trick their victims into believing they received an alert from their bank and proceeded to steal their account credentials.
Having access to banking accounts, the adversaries used their victims' money to make online purchases, direct transfers to "money mule" accounts, or request personal loans.
DataBreachToday (May 17, 2022) Conti Claims It Has 'Insiders' in Costa Rican Government
Ransomware group Conti, which has been holding to ransom crypto-locked Costa Rican government systems since April, has claimed on its leak site Conti News that it has "insiders" in the country's government, and they are working toward the compromise of "other systems."
"We have our insiders in your government. I recommend that you responsibly contact UNC1756. We are also working on gaining access to your other systems. You have no other option but to pay us. We know that you have hired a data recovery specialist. Don't try to find workarounds. Another attempt to get in touch through other services will be punished by deleting the key," the threat group's latest message says. UNC1756 is another name for the Conti group.
ZDNet (May 16, 2022) Brazilian e-commerce firm Americanas reports multimillion-dollar loss following cyberattack
Brazilian e-commerce conglomerate Americanas.com reported a multimillion-dollar loss in sales in its financial results on Friday after a major cyberattack earlier this year.
The company lost 923 million Brazilian reais ($183 million) in sales after two attacks that took place between February 19 and 20 and rendered its e-commerce operation unavailable. According to the company, physical stores continued to operate and the logistics arm of the company continued to deliver orders placed after the event.
According to Americanas, the operations started to be gradually restored on February 23 and activities fully resumed on the following day. "There is no evidence of other damages, beyond the fact that our e-commerce operations were suspended," the firm noted.
Cyberscoop (May 16, 2022) FBI charges Venezuelan doctor with using, selling 'Thanos' ransomware
The FBI announced charges Monday against a Venezuelan cardiologist that the bureau said was moonlighting as a cybercriminal mastermind, both designing and using ransomware that he bragged was deployed by Iranian state-sponsored hackers.
Moises Luis Zagala Gonzalez, who also went by the user names “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” is being charged with attempted computer intrusions and conspiracy to commit computer intrusions.
According to the complaint unsealed Monday, Zagala sold and rented out his ransomware software, providing cybercriminals with extensive training on how to use his product and even set up their own ransomware gangs.
Other thought-provoking stories