Thanks for stopping by our blog again. It’s been yet another active week.
First up: To deter the torrent of cyber attacks, the US government has just issued new rules designed to prevent the export of hacking and surveillance tools to regimes guilty of human rights abuses. The “interim final rule” was released by the Commerce Department’s Bureau of Industry and Security (BIS) and will go into force in 90 days. According to a Commerce Department press release, the US government “opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”
In Argentina, a hacker allegedly stole ALL the data from the country’s database holding IDs and information for all 45 million citizens. Following that, Twitter suspended a user going by the handle @aniballeaks. The hacker claims they managed to hack into Argentina's National Registry of Persons – also known as RENAPER or Registro Nacional de las Personas – and offered to sell the data on a cybercriminal forum. The government of Argentina is denying the claim. However, Recorded Future blogger Catalin Cimpanu (formerly of ZDNet) says a new Twitter account for @AnibalLeaks posted the ID information for 44 Argentinian celebrities, including the beloved Lionel Messi.
In a posting on Wednesday, Google’s Threat Analysis Group announced that since late 2019 the team has “disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware.” The group tracks threat actors running disinformation campaigns, government-backed hacking and financially motivated abuse. The cyber criminals being tracked are believed to be recruited from a Russian-speaking forum. The group says the perpetrators made money by taking over YouTube accounts to live-stream scams offering free cryptocurrency in exchange for money (a “contribution”), or by selling hijacked channels for as much as $4,000.
On Monday, Acer confirmed yet another cyberattack on its servers in Taiwan after their offices in India were hit less than a week ago by the same group. The Desorden Group – which claimed responsibility for both attacks – contacted ZDNet and said part of why they conducted the second attack was to prove their point "that Acer is way behind in its cybersecurity effects on protecting its data and is a global network of vulnerable servers."
The ransomware attack late last week at Sinclair Broadcast Group appears to be the work of Evil Corp., one of the most notorious and prolific Russian cybercrime groups in recent years with a leader who has been accused of working with Russian intelligence. The U.S. Treasury department sanctioned the group in December 2019, making any U.S. company’s transactions with it illegal.
Also worth mentioning, late last week global consulting firm Accenture acknowledged a data breach in a filing to the Securities and Exchange Commission (SEC). The SEC filing, made last Friday, provides additional detail on a breach first discovered on July 30 and disclosed in early August. Accenture says that while a breach did take place, the information obtained was not “of a highly sensitive nature.” The ransomware gang LockBit 2.0 was behind the attack.
That’s all for this week. Have a great weekend!
Top Global Security News
ZDNet (October 21, 2021) Google disrupts massive phishing and malware campaign
"Google has blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams.
According to Google's Threat Analysis Group (TAG), since late 2019 it's been disrupting phishing campaigns run by a network of Russian hacker subcontractors who've been targeting YouTubers with 'highly customized' phishing emails and cookie-stealing malware.
The main goal of the group has been to hijack YouTube accounts to live-stream scams that offer free cryptocurrency in exchange for an initial contribution. The group's other main revenue source was selling hijacked YouTube channels from $3 to $4,000 depending on how many subscribers a channel has."
InfoSecurity (October 21, 2021) US to Ban Export of Hacking Tools to Authoritarian States
"The US government has issued new rules designed to prevent the export of hacking and surveillance tools to regimes guilty of human rights abuses.
The 'interim final rule' was released by the Commerce Department’s Bureau of Industry and Security (BIS) and will go into force in 90 days.
Governments singled out by the proposals are 'of concern for national security reasons' or subject to an arms embargo.
Restrictions will also apply if the exporter knows that the product will be used to impact the confidentiality, integrity or availability of IT systems without the knowledge of their owner/administrator.
'The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,' said commerce secretary Gina Raimondo."
Cyberscoop (October 20, 2021) Notorious Russian ransomware gang Evil Corp. reportedly hit Sinclair Broadcast Group
"Evil Corp., one of the most notorious and prolific Russian cybercrime groups in recent years with a leader who has been accused of working with Russian intelligence, was reportedly behind last weekend’s cyberattack on Sinclair Broadcast Group.
The revelation, first reported by Bloomberg Wednesday, is noteworthy because the U.S. Treasury department sanctioned the group in December 2019, making any U.S. company’s transactions with it illegal. The group used a new strain of malware called Macaw in the Sinclair attack, said Allan Liska, a senior threat analyst at Recorded Future.
The Justice Department also announced a sealed indictment against Evil Corp. leader Maksim Yakubets in 2019 the same day as the Treasury sanctions. The U.S. government accused Yakubets and another Russian national, Igor Turashev, of being behind malware strains known as Bugat and Dridex, which authorities say hackers employed to target hundreds of banks in more than 40 countries and net the group at least $100 million."
ZDNet (October 19, 2021) Twitter suspends hacker who allegedly stole data of 45 million Argentinians
"Twitter has suspended a hacker who allegedly stole all of the data from Argentina's database holding the IDs and information of all 45 million citizens of the country.
A threat actor using the handle @aniballeaks said they managed to hack into Argentina's National Registry of Persons – also known as RENAPER or Registro Nacional de las Personas – and offered to sell the data on a cybercriminal forum.
The leaked data includes names, home addresses, birthdays, Trámite numbers, citizen numbers, government photo IDs, labor identification codes, ID card issuance and expiration dates."
CyberScoop (October 18, 2021) Accenture lost 'proprietary information' in summer ransomware attack
"Accenture has acknowledged in a filing to the Securities and Exchange Commission that outsiders extracted 'proprietary information' in a cyber incident this summer.
The SEC filing filed Friday provides additional detail on a breach the company first discovered on July 30 and disclosed in early August. The disclosure coincided with the ransomware gang LockBit 2.0 leaking information from the consulting giant after saying Accenture failed to pay a $50 million ransom by its deadline.
CyberScoop had previously reported other details of the intrusion.
'While the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature,' read an internal memo that CyberScoop obtained."
ZDNet (October 18, 2021) Acer hit with second cyberattack in less than a week, Taiwanese authorities notified
"Acer has confirmed yet another cyberattack on its servers in Taiwan after their offices in India were hit less than a week ago by the same group.
The Desorden Group – which claimed responsibility for both attacks – contacted ZDNet and said part of why they conducted the second attack was to prove their point 'that Acer is way behind in its cybersecurity effects on protecting its data and is a global network of vulnerable servers.'
Acer spokesman Steven Chung told ZDNet that the company recently detected 'an isolated attack on our local after-sales service system in India and a further attack in Taiwan.'
'Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data,' Chung said."